Resolve Security Exploits 64/74264/1
authorSmokowski, Steve (ss835w) <ss835w@us.att.com>
Wed, 5 Dec 2018 13:30:51 +0000 (08:30 -0500)
committerSmokowski, Steve (ss835w) <ss835w@us.att.com>
Wed, 5 Dec 2018 13:30:51 +0000 (08:30 -0500)
normalize all file paths before using them

Change-Id: I67aaa00d7218b95dde96f3679efe92c3c0cd33f9
Issue-ID: SO-1275
Signed-off-by: Smokowski, Steve (ss835w) <ss835w@us.att.com>
adapters/mso-openstack-adapters/src/main/java/db/migration/R__CloudConfigMigration.java
asdc-controller/src/main/java/org/onap/so/asdc/client/ASDCController.java
asdc-controller/src/main/java/org/onap/so/asdc/installer/ToscaResourceStructure.java
asdc-controller/src/main/java/org/onap/so/asdc/installer/bpmn/BpmnInstaller.java
bpmn/MSOCommonBPMN/src/main/java/org/onap/so/bpmn/common/resource/ResourceRequestBuilder.java
common/src/main/java/org/onap/so/client/RestClientSSL.java

index 10dbbf1..6339616 100644 (file)
@@ -36,6 +36,7 @@ import org.onap.so.logger.MsoLogger;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.nio.file.Paths;
 import java.sql.Connection;
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
@@ -68,9 +69,11 @@ public class R__CloudConfigMigration implements JdbcMigration , MigrationInfoPro
         // Try the override file
         String configLocation = System.getProperty("spring.config.location");
         if (configLocation != null) {
-            try (InputStream stream = new FileInputStream(configLocation)) {
+            try (InputStream stream = new FileInputStream(Paths.get(configLocation).normalize().toString())) {
                 cloudConfig = loadCloudConfig(stream);
-            }
+            }catch(Exception e){
+               LOGGER.warnSimple("Error Loading override.yaml",e);
+            } 
         }
         
         if (cloudConfig == null) {
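Review bot: The added `catch(Exception e)` around the override-file load is broader than the failure it is meant to absorb: besides the `IOException` from opening the file and the unchecked `InvalidPathException` that `Paths.get(configLocation)` can now throw, it also swallows any runtime error thrown from `loadCloudConfig`, and the migration then falls through to the `if (cloudConfig == null)` branch as if no override had been configured. Narrowing it to `} catch (IOException | InvalidPathException e) {` keeps the best-effort behaviour for a missing or malformed override path while letting genuine parsing failures surface; `java.nio.file.InvalidPathException` would need importing next to `Paths`. Note also that before this change an unreadable override file aborted the migration, so if silently continuing is intended a one-line comment above the try saying so would save the next reader a question. The enclosing method starts and ends outside the hunk.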
index 0321247..9a1392b 100644 (file)
@@ -26,6 +26,7 @@ import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
+import java.nio.file.Paths;
 import java.util.List;
 
 import org.onap.sdc.api.IDistributionClient;
@@ -355,7 +356,7 @@ public class ASDCController {
                        + artifact.getArtifactUUID ()
                        + ")");
        
-       String filePath = System.getProperty("mso.config.path") + "/ASDC" + "/" + artifact.getArtifactVersion() + "/" + artifact.getArtifactName();
+        String filePath = Paths.get(System.getProperty("mso.config.path"), "ASDC",  artifact.getArtifactVersion(), artifact.getArtifactName()).normalize().toString();
        // make parent directory
        File file = new File(filePath);         
        File fileParent = file.getParentFile();
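Review bot: `normalize()` on the new `filePath` assignment collapses `.` and `..` segments but does not confine the result to the ASDC directory, so an artifact version or name containing `..` — both values arrive in the SDC distribution notification, outside this service's control — still resolves to a location outside `mso.config.path/ASDC`. The missing check is to resolve the untrusted segments against the base directory and reject a result that does not `startsWith` it; the same pattern is in ToscaResourceStructure (its `filePath` assignment), BpmnInstaller (the `buildMimeMultipart` and `extractBpmnFileFromCsar` paths, the latter built from a zip-entry name) and ResourceRequestBuilder (the `filePath` built from the parsed JSON map), and should be fixed the same way in each. A second behaviour change worth a comment: `Paths.get` throws `NullPointerException` when `mso.config.path` is unset, where the old concatenation silently produced a `null/ASDC/...` string. The enclosing method starts and ends outside the hunk, and `java.nio.file.Path` needs importing alongside `Paths`; the exception type thrown on rejection should match however the enclosing method already reports artifact failures.
```java
        Path asdcBase = Paths.get(System.getProperty("mso.config.path"), "ASDC").toAbsolutePath().normalize();
        Path artifactPath = asdcBase.resolve(artifact.getArtifactVersion()).resolve(artifact.getArtifactName()).normalize();
        if (!artifactPath.startsWith(asdcBase)) {
            throw new IllegalArgumentException("Artifact path escapes the ASDC directory: " + artifact.getArtifactName());
        }
        String filePath = artifactPath.toString();
        // … unchanged: parent directory creation …
```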
index 0300351..72aa3c7 100644 (file)
@@ -21,6 +21,7 @@
 package org.onap.so.asdc.installer;
 
 import java.io.File;
+import java.nio.file.Paths;
 import java.util.List;
 
 import org.onap.sdc.api.notification.IArtifactInfo;
@@ -126,7 +127,7 @@ public class ToscaResourceStructure {
                        
                        LOGGER.debug("MSO config path is: " + System.getProperty("mso.config.path"));
                        
-                       String filePath = System.getProperty("mso.config.path") + "/ASDC/" + artifact.getArtifactVersion() + "/" + artifact.getArtifactName();
+                       String filePath = Paths.get(System.getProperty("mso.config.path"), "ASDC",  artifact.getArtifactVersion(), artifact.getArtifactName()).normalize().toString();
 
                        File spoolFile = new File(filePath);
  
index f5215e9..e4a4c7c 100644 (file)
 
 package org.onap.so.asdc.installer.bpmn;
 
-import java.io.*;
+import java.io.BufferedOutputStream;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.net.URI;
 import java.nio.file.Path;
 import java.nio.file.Paths;
-import java.util.zip.*;
+import java.util.zip.ZipEntry;
+import java.util.zip.ZipInputStream;
 
 import org.apache.commons.io.IOUtils;
 import org.apache.http.HttpEntity;
@@ -32,14 +37,13 @@ import org.apache.http.client.HttpClient;
 import org.apache.http.client.config.RequestConfig;
 import org.apache.http.client.methods.HttpPost;
 import org.apache.http.entity.ContentType;
-import org.apache.http.impl.client.HttpClientBuilder;
-
-import org.onap.so.logger.MessageEnum;
-import org.onap.so.logger.MsoLogger;
+import org.apache.http.entity.mime.FormBodyPartBuilder;
 import org.apache.http.entity.mime.MultipartEntityBuilder;
 import org.apache.http.entity.mime.content.ByteArrayBody;
 import org.apache.http.entity.mime.content.StringBody;
-import org.apache.http.entity.mime.FormBodyPartBuilder;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.onap.so.logger.MessageEnum;
+import org.onap.so.logger.MsoLogger;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.core.env.Environment;
 import org.springframework.stereotype.Component;
@@ -57,7 +61,7 @@ public class BpmnInstaller {
        public void installBpmn(String csarFilePath) {
                LOGGER.info("Deploying BPMN files from " + csarFilePath);               
                try {                   
-                       ZipInputStream csarFile = new ZipInputStream(new FileInputStream(csarFilePath));
+                       ZipInputStream csarFile = new ZipInputStream(new FileInputStream(Paths.get(csarFilePath).normalize().toString()));
                        ZipEntry entry = csarFile.getNextEntry();               
         
                        while (entry != null) {                         
@@ -101,28 +105,28 @@ public class BpmnInstaller {
                                csarFilePath,
                                "",
                                "",
-                               ex.getMessage(), "", "", MsoLogger.ErrorCode.DataError, "ASDC reading CSAR with workflows failed");             
+                               ex.getMessage(), "", "", MsoLogger.ErrorCode.DataError, "ASDC reading CSAR with workflows failed");
                }
                return;
        }       
        
-       protected HttpResponse sendDeploymentRequest(String bpmnFileName) throws Exception {                                    
+       protected HttpResponse sendDeploymentRequest(String bpmnFileName) throws Exception {
                HttpClient client = HttpClientBuilder.create().build(); 
-               String deploymentUri = this.env.getProperty(CAMUNDA_URL) + CREATE_DEPLOYMENT_PATH;
+               URI deploymentUri = new URI(this.env.getProperty(CAMUNDA_URL) + CREATE_DEPLOYMENT_PATH);
                HttpPost post = new HttpPost(deploymentUri);
                RequestConfig requestConfig =
                                RequestConfig.custom().setSocketTimeout(1000000).setConnectTimeout(1000).setConnectionRequestTimeout(1000).build();
                post.setConfig(requestConfig);        
-               HttpEntity requestEntity = buildMimeMultipart(bpmnFileName);        
+               HttpEntity requestEntity = buildMimeMultipart(bpmnFileName);
                post.setEntity(requestEntity);
                return client.execute(post);
        }
        
        protected HttpEntity buildMimeMultipart(String bpmnFileName) throws Exception {
-               FileInputStream bpmnFileStream = new FileInputStream (System.getProperty("mso.config.path") + "/ASDC" + "/" + bpmnFileName);
+               FileInputStream bpmnFileStream = new FileInputStream (Paths.get(System.getProperty("mso.config.path"),"ASDC", bpmnFileName).normalize().toString());
 
                byte[] bytesToSend = IOUtils.toByteArray(bpmnFileStream);
-               HttpEntity requestEntity = MultipartEntityBuilder.create()                
+               HttpEntity requestEntity = MultipartEntityBuilder.create()
                                .addPart(FormBodyPartBuilder.create()
                                                .setName("deployment-name")
                                                .setBody(new StringBody("MSO Sample 1", ContentType.TEXT_PLAIN))
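Review bot: The `FileInputStream bpmnFileStream` opened on the new line in `buildMimeMultipart` is read with `IOUtils.toByteArray` and, within the hunk, never closed; the same shape is on the rewritten `ZipInputStream csarFile` line in `installBpmn` and the `BufferedOutputStream` in `extractBpmnFileFromCsar`. Since all three lines are being rewritten anyway, putting the stream in try-with-resources costs nothing: `byte[] bytesToSend;` / `try (FileInputStream bpmnFileStream = new FileInputStream(Paths.get(System.getProperty("mso.config.path"), "ASDC", bpmnFileName).normalize().toString())) {` / `bytesToSend = IOUtils.toByteArray(bpmnFileStream); }`. Each of these methods continues past its hunk, so a later explicit `close()` may exist, but an exception between open and close would still leak the descriptor.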
@@ -155,7 +159,7 @@ public class BpmnInstaller {
        }
        
        protected void extractBpmnFileFromCsar(ZipInputStream zipIn, String fileName) throws IOException {
-               String filePath = System.getProperty("mso.config.path") + "/ASDC" + "/" + fileName;
+               String filePath = Paths.get(System.getProperty("mso.config.path"), "ASDC", fileName).normalize().toString();
                BufferedOutputStream outputStream = new BufferedOutputStream(new FileOutputStream(filePath));
                byte[] bytesIn = new byte[4096];
                int read = 0;
index 1989ca8..1531e4d 100644 (file)
@@ -22,6 +22,7 @@ package org.onap.so.bpmn.common.resource;
 
 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Paths;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.LinkedHashMap;
@@ -266,7 +267,7 @@ public class ResourceRequestBuilder {
 
         HashMap<String, String> map = new Gson().fromJson(value, new TypeToken<HashMap<String, String>>() {}.getType());
 
-        String filePath = System.getProperty("mso.config.path") + "/ASDC/" +  map.get("version") + "/" + map.get("name");
+        String filePath = Paths.get(System.getProperty("mso.config.path"), "ASDC",  map.get("version"), map.get("name")).normalize().toString();
 
         File csarFile = new File(filePath);
 
index ac4a8d1..8369eba 100644 (file)
@@ -22,6 +22,7 @@ package org.onap.so.client;
 
 import java.io.FileInputStream;
 import java.net.URI;
+import java.nio.file.Paths;
 import java.security.KeyStore;
 import java.security.NoSuchAlgorithmException;
 import java.util.Optional;
@@ -72,7 +73,7 @@ public abstract class RestClientSSL extends RestClient {
        private KeyStore getKeyStore() {
                KeyStore ks = null;
            char[] password = System.getProperty(RestClientSSL.SSL_KEY_STORE_PASSWORD_KEY).toCharArray();
-           try(FileInputStream fis = new FileInputStream(System.getProperty(RestClientSSL.SSL_KEY_STORE_KEY))) {
+           try(FileInputStream fis = new FileInputStream(Paths.get(System.getProperty(RestClientSSL.SSL_KEY_STORE_KEY)).normalize().toString())) {
                ks = KeyStore.getInstance(KeyStore.getDefaultType());
                
                ks.load(fis, password);
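Review bot: The `normalize()` added to the keystore path in `getKeyStore` has no confining effect — the value comes from the `SSL_KEY_STORE_KEY` system property set by the operator, and `normalize()` only canonicalises `.` and `..` — so a reader may later assume a traversal check exists where there is none; a comment such as `// path is operator-supplied via system property; normalize() only canonicalises it, no base-directory check applies` would prevent that. Separately, the `password` char array read two lines above is, as far as this hunk shows, never cleared after `ks.load`; if the rest of the method does not do it, `Arrays.fill(password, '\0')` in a `finally` would be the usual treatment. The method continues past the end of the hunk.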