Adding parameter checks

This commit is contained in:
Martin Stockhammer 2019-02-27 17:54:39 +01:00
parent 0151aeded5
commit 29e40eae69
3 changed files with 45 additions and 15 deletions

View File

@ -69,9 +69,7 @@ import java.io.File;
import java.io.FileOutputStream; import java.io.FileOutputStream;
import java.io.FileWriter; import java.io.FileWriter;
import java.io.IOException; import java.io.IOException;
import java.nio.file.Files; import java.nio.file.*;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.text.DateFormat; import java.text.DateFormat;
import java.text.SimpleDateFormat; import java.text.SimpleDateFormat;
import java.util.ArrayList; import java.util.ArrayList;
@ -107,6 +105,8 @@ public class DefaultFileUploadService
private ChecksumAlgorithm[] algorithms = new ChecksumAlgorithm[]{ ChecksumAlgorithm.SHA1, ChecksumAlgorithm.MD5 }; private ChecksumAlgorithm[] algorithms = new ChecksumAlgorithm[]{ ChecksumAlgorithm.SHA1, ChecksumAlgorithm.MD5 };
private final String FS = FileSystems.getDefault().getSeparator();
@Inject @Inject
@Named(value = "archivaTaskScheduler#repository") @Named(value = "archivaTaskScheduler#repository")
private ArchivaTaskScheduler scheduler; private ArchivaTaskScheduler scheduler;
@ -136,6 +136,14 @@ public class DefaultFileUploadService
//Content-Disposition: form-data; name="files[]"; filename="org.apache.karaf.features.command-2.2.2.jar" //Content-Disposition: form-data; name="files[]"; filename="org.apache.karaf.features.command-2.2.2.jar"
String fileName = file.getContentDisposition().getParameter( "filename" ); String fileName = file.getContentDisposition().getParameter( "filename" );
Path fileNamePath = Paths.get(fileName);
if (!fileName.equals(fileNamePath.getFileName().toString())) {
ArchivaRestServiceException e = new ArchivaRestServiceException("Bad filename in upload content: " + fileName + " - File traversal chars (..|/) are not allowed"
, null);
e.setHttpErrorCode(422);
e.setErrorKey("error.upload.malformed.filename");
throw e;
}
File tmpFile = File.createTempFile( "upload-artifact", ".tmp" ); File tmpFile = File.createTempFile( "upload-artifact", ".tmp" );
tmpFile.deleteOnExit(); tmpFile.deleteOnExit();
@ -224,6 +232,29 @@ public class DefaultFileUploadService
return fileMetadatas == null ? Collections.<FileMetadata>emptyList() : fileMetadatas; return fileMetadatas == null ? Collections.<FileMetadata>emptyList() : fileMetadatas;
} }
private boolean hasValidChars(String checkString) {
if (checkString.contains(FS)) {
return false;
}
if (checkString.contains("../")) {
return false;
}
if (checkString.contains("/..")) {
return false;
}
return true;
}
private void checkParamChars(String param, String value) throws ArchivaRestServiceException {
if (!hasValidChars(value)) {
ArchivaRestServiceException e = new ArchivaRestServiceException("Bad characters in " + param, null);
e.setHttpErrorCode(422);
e.setErrorKey("error.upload.malformed.param." + param);
e.setFieldName(param);
throw e;
}
}
@Override @Override
public Boolean save( String repositoryId, String groupId, String artifactId, String version, String packaging, public Boolean save( String repositoryId, String groupId, String artifactId, String version, String packaging,
boolean generatePom ) boolean generatePom )
@ -235,6 +266,11 @@ public class DefaultFileUploadService
version = StringUtils.trim( version ); version = StringUtils.trim( version );
packaging = StringUtils.trim( packaging ); packaging = StringUtils.trim( packaging );
checkParamChars("repositoryId", repositoryId);
checkParamChars("groupId", groupId);
checkParamChars("artifactId", artifactId);
checkParamChars("packaging", packaging);
List<FileMetadata> fileMetadatas = getSessionFilesList(); List<FileMetadata> fileMetadatas = getSessionFilesList();
if ( fileMetadatas == null || fileMetadatas.isEmpty() ) if ( fileMetadatas == null || fileMetadatas.isEmpty() )
{ {

View File

@ -68,6 +68,7 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.ClientErrorException;
import java.io.File; import java.io.File;
import java.io.IOException; import java.io.IOException;
import java.net.URLEncoder; import java.net.URLEncoder;
@ -238,9 +239,9 @@ public class UploadArtifactsTest
service.post( body ); service.post( body );
fail( "FileNames with path contents should not be allowed." ); fail( "FileNames with path contents should not be allowed." );
} }
catch ( ArchivaRestServiceException e ) catch ( ClientErrorException e )
{ {
// OK assertEquals(422, e.getResponse().getStatus());
} }
} }
finally finally
@ -349,15 +350,15 @@ public class UploadArtifactsTest
log.debug( "Metadata {}", meta.toString( ) ); log.debug( "Metadata {}", meta.toString( ) );
assertTrue( service.save( "internal", "org.archiva", "archiva-model", "1.2", "jar", true ) ); assertTrue( service.save( "internal", "org.archiva", "archiva-model", "1.2", "jar", true ) );
fileAttachment = new AttachmentBuilder( ).object( Files.newInputStream( file ) ).contentDisposition( new ContentDisposition( "form-data; filename=\"/../TestFile.FileExt\"; name=\"files[]\"" ) ).build( ); fileAttachment = new AttachmentBuilder( ).object( Files.newInputStream( file ) ).contentDisposition( new ContentDisposition( "form-data; filename=\"TestFile.FileExt\"; name=\"files[]\"" ) ).build( );
body = new MultipartBody( fileAttachment ); body = new MultipartBody( fileAttachment );
meta = service.post( body ); meta = service.post( body );
log.debug( "Metadata {}", meta.toString( ) ); log.debug( "Metadata {}", meta.toString( ) );
try { try {
service.save("internal", "org", URLEncoder.encode("../../../test", "UTF-8"), URLEncoder.encode("testSave", "UTF-8"), "4", true); service.save("internal", "org", URLEncoder.encode("../../../test", "UTF-8"), URLEncoder.encode("testSave", "UTF-8"), "4", true);
fail("Error expected, if the content contains bad characters."); fail("Error expected, if the content contains bad characters.");
} catch (ArchivaRestServiceException e) { } catch (ClientErrorException e) {
// OK assertEquals(422, e.getResponse().getStatus());
} }
assertFalse( Files.exists( Paths.get( "target/test-testSave.4" ) ) ); assertFalse( Files.exists( Paths.get( "target/test-testSave.4" ) ) );
} }

View File

@ -72,13 +72,6 @@
</constructor-arg> </constructor-arg>
</bean> </bean>
<bean name="taskQueueExecutor#repository-scanning"
class="org.apache.archiva.redback.components.taskqueue.execution.ThreadedTaskQueueExecutor" lazy-init="false">
<property name="name" value="repository-scanning"/>
<property name="executor" ref="taskExecutor#repository-scanning"/>
<property name="queue" ref="taskQueue#repository-scanning"/>
</bean>
<bean id="repository" class="org.apache.jackrabbit.core.RepositoryImpl" destroy-method="shutdown"> <bean id="repository" class="org.apache.jackrabbit.core.RepositoryImpl" destroy-method="shutdown">
<constructor-arg ref="config"/> <constructor-arg ref="config"/>
</bean> </bean>