mirror of https://github.com/apache/archiva.git
Adding parameter checks
This commit is contained in:
parent
0151aeded5
commit
29e40eae69
|
@ -69,9 +69,7 @@ import java.io.File;
|
||||||
import java.io.FileOutputStream;
|
import java.io.FileOutputStream;
|
||||||
import java.io.FileWriter;
|
import java.io.FileWriter;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.nio.file.Files;
|
import java.nio.file.*;
|
||||||
import java.nio.file.Paths;
|
|
||||||
import java.nio.file.StandardCopyOption;
|
|
||||||
import java.text.DateFormat;
|
import java.text.DateFormat;
|
||||||
import java.text.SimpleDateFormat;
|
import java.text.SimpleDateFormat;
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
|
@ -107,6 +105,8 @@ public class DefaultFileUploadService
|
||||||
|
|
||||||
private ChecksumAlgorithm[] algorithms = new ChecksumAlgorithm[]{ ChecksumAlgorithm.SHA1, ChecksumAlgorithm.MD5 };
|
private ChecksumAlgorithm[] algorithms = new ChecksumAlgorithm[]{ ChecksumAlgorithm.SHA1, ChecksumAlgorithm.MD5 };
|
||||||
|
|
||||||
|
private final String FS = FileSystems.getDefault().getSeparator();
|
||||||
|
|
||||||
@Inject
|
@Inject
|
||||||
@Named(value = "archivaTaskScheduler#repository")
|
@Named(value = "archivaTaskScheduler#repository")
|
||||||
private ArchivaTaskScheduler scheduler;
|
private ArchivaTaskScheduler scheduler;
|
||||||
|
@ -136,6 +136,14 @@ public class DefaultFileUploadService
|
||||||
|
|
||||||
//Content-Disposition: form-data; name="files[]"; filename="org.apache.karaf.features.command-2.2.2.jar"
|
//Content-Disposition: form-data; name="files[]"; filename="org.apache.karaf.features.command-2.2.2.jar"
|
||||||
String fileName = file.getContentDisposition().getParameter( "filename" );
|
String fileName = file.getContentDisposition().getParameter( "filename" );
|
||||||
|
Path fileNamePath = Paths.get(fileName);
|
||||||
|
if (!fileName.equals(fileNamePath.getFileName().toString())) {
|
||||||
|
ArchivaRestServiceException e = new ArchivaRestServiceException("Bad filename in upload content: " + fileName + " - File traversal chars (..|/) are not allowed"
|
||||||
|
, null);
|
||||||
|
e.setHttpErrorCode(422);
|
||||||
|
e.setErrorKey("error.upload.malformed.filename");
|
||||||
|
throw e;
|
||||||
|
}
|
||||||
|
|
||||||
File tmpFile = File.createTempFile( "upload-artifact", ".tmp" );
|
File tmpFile = File.createTempFile( "upload-artifact", ".tmp" );
|
||||||
tmpFile.deleteOnExit();
|
tmpFile.deleteOnExit();
|
||||||
|
@ -224,6 +232,29 @@ public class DefaultFileUploadService
|
||||||
return fileMetadatas == null ? Collections.<FileMetadata>emptyList() : fileMetadatas;
|
return fileMetadatas == null ? Collections.<FileMetadata>emptyList() : fileMetadatas;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private boolean hasValidChars(String checkString) {
|
||||||
|
if (checkString.contains(FS)) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
if (checkString.contains("../")) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
if (checkString.contains("/..")) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
private void checkParamChars(String param, String value) throws ArchivaRestServiceException {
|
||||||
|
if (!hasValidChars(value)) {
|
||||||
|
ArchivaRestServiceException e = new ArchivaRestServiceException("Bad characters in " + param, null);
|
||||||
|
e.setHttpErrorCode(422);
|
||||||
|
e.setErrorKey("error.upload.malformed.param." + param);
|
||||||
|
e.setFieldName(param);
|
||||||
|
throw e;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public Boolean save( String repositoryId, String groupId, String artifactId, String version, String packaging,
|
public Boolean save( String repositoryId, String groupId, String artifactId, String version, String packaging,
|
||||||
boolean generatePom )
|
boolean generatePom )
|
||||||
|
@ -235,6 +266,11 @@ public class DefaultFileUploadService
|
||||||
version = StringUtils.trim( version );
|
version = StringUtils.trim( version );
|
||||||
packaging = StringUtils.trim( packaging );
|
packaging = StringUtils.trim( packaging );
|
||||||
|
|
||||||
|
checkParamChars("repositoryId", repositoryId);
|
||||||
|
checkParamChars("groupId", groupId);
|
||||||
|
checkParamChars("artifactId", artifactId);
|
||||||
|
checkParamChars("packaging", packaging);
|
||||||
|
|
||||||
List<FileMetadata> fileMetadatas = getSessionFilesList();
|
List<FileMetadata> fileMetadatas = getSessionFilesList();
|
||||||
if ( fileMetadatas == null || fileMetadatas.isEmpty() )
|
if ( fileMetadatas == null || fileMetadatas.isEmpty() )
|
||||||
{
|
{
|
||||||
|
|
|
@ -68,6 +68,7 @@ import javax.servlet.ServletException;
|
||||||
import javax.servlet.http.HttpServlet;
|
import javax.servlet.http.HttpServlet;
|
||||||
import javax.servlet.http.HttpServletRequest;
|
import javax.servlet.http.HttpServletRequest;
|
||||||
import javax.servlet.http.HttpServletResponse;
|
import javax.servlet.http.HttpServletResponse;
|
||||||
|
import javax.ws.rs.ClientErrorException;
|
||||||
import java.io.File;
|
import java.io.File;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.net.URLEncoder;
|
import java.net.URLEncoder;
|
||||||
|
@ -238,9 +239,9 @@ public class UploadArtifactsTest
|
||||||
service.post( body );
|
service.post( body );
|
||||||
fail( "FileNames with path contents should not be allowed." );
|
fail( "FileNames with path contents should not be allowed." );
|
||||||
}
|
}
|
||||||
catch ( ArchivaRestServiceException e )
|
catch ( ClientErrorException e )
|
||||||
{
|
{
|
||||||
// OK
|
assertEquals(422, e.getResponse().getStatus());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
finally
|
finally
|
||||||
|
@ -349,15 +350,15 @@ public class UploadArtifactsTest
|
||||||
log.debug( "Metadata {}", meta.toString( ) );
|
log.debug( "Metadata {}", meta.toString( ) );
|
||||||
assertTrue( service.save( "internal", "org.archiva", "archiva-model", "1.2", "jar", true ) );
|
assertTrue( service.save( "internal", "org.archiva", "archiva-model", "1.2", "jar", true ) );
|
||||||
|
|
||||||
fileAttachment = new AttachmentBuilder( ).object( Files.newInputStream( file ) ).contentDisposition( new ContentDisposition( "form-data; filename=\"/../TestFile.FileExt\"; name=\"files[]\"" ) ).build( );
|
fileAttachment = new AttachmentBuilder( ).object( Files.newInputStream( file ) ).contentDisposition( new ContentDisposition( "form-data; filename=\"TestFile.FileExt\"; name=\"files[]\"" ) ).build( );
|
||||||
body = new MultipartBody( fileAttachment );
|
body = new MultipartBody( fileAttachment );
|
||||||
meta = service.post( body );
|
meta = service.post( body );
|
||||||
log.debug( "Metadata {}", meta.toString( ) );
|
log.debug( "Metadata {}", meta.toString( ) );
|
||||||
try {
|
try {
|
||||||
service.save("internal", "org", URLEncoder.encode("../../../test", "UTF-8"), URLEncoder.encode("testSave", "UTF-8"), "4", true);
|
service.save("internal", "org", URLEncoder.encode("../../../test", "UTF-8"), URLEncoder.encode("testSave", "UTF-8"), "4", true);
|
||||||
fail("Error expected, if the content contains bad characters.");
|
fail("Error expected, if the content contains bad characters.");
|
||||||
} catch (ArchivaRestServiceException e) {
|
} catch (ClientErrorException e) {
|
||||||
// OK
|
assertEquals(422, e.getResponse().getStatus());
|
||||||
}
|
}
|
||||||
assertFalse( Files.exists( Paths.get( "target/test-testSave.4" ) ) );
|
assertFalse( Files.exists( Paths.get( "target/test-testSave.4" ) ) );
|
||||||
}
|
}
|
||||||
|
|
|
@ -72,13 +72,6 @@
|
||||||
</constructor-arg>
|
</constructor-arg>
|
||||||
</bean>
|
</bean>
|
||||||
|
|
||||||
<bean name="taskQueueExecutor#repository-scanning"
|
|
||||||
class="org.apache.archiva.redback.components.taskqueue.execution.ThreadedTaskQueueExecutor" lazy-init="false">
|
|
||||||
<property name="name" value="repository-scanning"/>
|
|
||||||
<property name="executor" ref="taskExecutor#repository-scanning"/>
|
|
||||||
<property name="queue" ref="taskQueue#repository-scanning"/>
|
|
||||||
</bean>
|
|
||||||
|
|
||||||
<bean id="repository" class="org.apache.jackrabbit.core.RepositoryImpl" destroy-method="shutdown">
|
<bean id="repository" class="org.apache.jackrabbit.core.RepositoryImpl" destroy-method="shutdown">
|
||||||
<constructor-arg ref="config"/>
|
<constructor-arg ref="config"/>
|
||||||
</bean>
|
</bean>
|
||||||
|
|
Loading…
Reference in New Issue