Add code to validate path names.

author Dan Timoney <dtimoney@att.com>

Fri, 16 Oct 2020 15:22:11 +0000 (11:22 -0400)

committer Dan Timoney <dtimoney@att.com>

Fri, 16 Oct 2020 19:17:17 +0000 (15:17 -0400)
author Dan Timoney <dtimoney@att.com>
Fri, 16 Oct 2020 15:22:11 +0000 (11:22 -0400)
committer Dan Timoney <dtimoney@att.com>
Fri, 16 Oct 2020 19:17:17 +0000 (15:17 -0400)
diff --git a/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/CheckSumHelper.java b/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/CheckSumHelper.java

index d6ad074..2f1f466 100644 (file)
--- a/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/CheckSumHelper.java
+++ b/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/CheckSumHelper.java
@@ -21,6 +21,7 @@
  
  package org.onap.ccsdk.sli.core.sli;
  
+
  import java.io.IOException;
  import java.nio.file.Files;
  import java.nio.file.Paths;
@@ -32,6 +33,9 @@ import javax.xml.bind.DatatypeConverter;
  public class CheckSumHelper {
  
    public static String md5SumFromFile(String pathToFile) throws NoSuchAlgorithmException, IOException {
+    if (!PathValidator.isValidXmlPath(pathToFile)) {
+      throw new IOException("Invalid XML file name");
+    }
      byte[] b = Files.readAllBytes(Paths.get(pathToFile));
      return md5SumFromByteArray(b);
    }
diff --git a/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/PathValidator.java b/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/PathValidator.java

new file mode 100644 (file)

index 0000000..511dbca
--- /dev/null
+++ b/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/PathValidator.java
@@ -0,0 +1,18 @@
+package org.onap.ccsdk.sli.core.sli;
+
+import java.util.regex.Pattern;
+
+public class PathValidator {
+    public static boolean isValidXmlPath(String path) {
+        Pattern allowList = Pattern.compile("[-\\w/\\/]+\\.xml$");
+        return (allowList.matcher(path).matches());
+    }
+    public static boolean isValidPropertiesPath(String path) {
+        Pattern allowList = Pattern.compile("[-\\w/\\/]+\\.properties$");
+        return (allowList.matcher(path).matches());
+    }
+    public static boolean isValidFilePath(String path) {
+        Pattern allowList = Pattern.compile("[-\\w/\\/]+");
+        return (allowList.matcher(path).matches());
+    }
+}
diff --git a/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java b/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java

index 5cb7ac5..cb78ac2 100644 (file)
--- a/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java
+++ b/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java
@@ -33,10 +33,7 @@ import javax.xml.validation.Schema;
  import javax.xml.validation.SchemaFactory;
  import org.slf4j.Logger;
  import org.slf4j.LoggerFactory;
-import org.xml.sax.Attributes;
-import org.xml.sax.Locator;
-import org.xml.sax.SAXException;
-import org.xml.sax.SAXParseException;
+import org.xml.sax.*;
  import org.xml.sax.helpers.DefaultHandler;
  
  /**
@@ -62,7 +59,7 @@ public class SvcLogicParser {
      private static final String SVCLOGIC_XSD = "/svclogic.xsd";
      private SAXParser saxParser;
  
-    private class SvcLogicHandler extends DefaultHandler {
+    private class SvcLogicHandler extends DefaultHandler  {
          private Locator locator = null;
          private String module = null;
          private String version = null;
@@ -82,7 +79,7 @@ public class SvcLogicParser {
              this.curNodeId = 1;
              this.outcomeValue = null;
          }
-
+        
          @Override
          public void setDocumentLocator(Locator locator) {
              this.locator = locator;
@@ -450,6 +447,9 @@ public class SvcLogicParser {
  
  
      public static void load(String xmlfile, SvcLogicStore store) throws SvcLogicException {
+        if (!PathValidator.isValidXmlPath(xmlfile)) {
+            throw new ConfigurationException("Invalid xml file name ("+ xmlfile + ")");
+        }
          File xmlFile = new File(xmlfile);
          if (!xmlFile.canRead()) {
              throw new ConfigurationException("Cannot read xml file (" + xmlfile + ")");
@@ -482,6 +482,9 @@ public class SvcLogicParser {
      }
  
      public static void validate(String xmlfile, SvcLogicStore store) throws SvcLogicException {
+        if (!PathValidator.isValidXmlPath(xmlfile)) {
+            throw new ConfigurationException("Invalid xml file name ("+ xmlfile + ")");
+        }
          File xmlFile = new File(xmlfile);
          if (!xmlFile.canRead()) {
              throw new ConfigurationException("Cannot read xml file (" + xmlfile + ")");
@@ -601,7 +604,7 @@ public class SvcLogicParser {
          }
  
          SAXParser saxParser = factory.newSAXParser();
-        if (saxParser.isValidating()) {
+         if (saxParser.isValidating()) {
              LOGGER.info("Parser configured to validate XML {}", (xsdUrl != null ? xsdUrl.getPath() : null));
          }
          return saxParser;
diff --git a/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicStoreFactory.java b/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicStoreFactory.java

index b73925d..f682bb5 100644 (file)
--- a/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicStoreFactory.java
+++ b/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicStoreFactory.java
@@ -35,6 +35,9 @@ public class SvcLogicStoreFactory {
  
         public static SvcLogicStore getSvcLogicStore(String propfile)
                         throws SvcLogicException {
+               if (!PathValidator.isValidPropertiesPath(propfile)) {
+                       throw new ConfigurationException("Invalid property file name ("+propfile+")");
+               }
                 File propFile = new File(propfile);
                 if (!propFile.canRead()) {
                         throw new ConfigurationException("Cannot read property file "
diff --git a/sli/provider-base/src/main/java/org/onap/ccsdk/sli/core/sli/recording/FileRecorder.java b/sli/provider-base/src/main/java/org/onap/ccsdk/sli/core/sli/recording/FileRecorder.java

index 37e4fe8..ab6f8bc 100644 (file)
--- a/sli/provider-base/src/main/java/org/onap/ccsdk/sli/core/sli/recording/FileRecorder.java
+++ b/sli/provider-base/src/main/java/org/onap/ccsdk/sli/core/sli/recording/FileRecorder.java
@@ -33,6 +33,7 @@ import java.util.Map;
  import java.util.TimeZone;
  
  import org.onap.ccsdk.sli.core.sli.ConfigurationException;
+import org.onap.ccsdk.sli.core.sli.PathValidator;
  import org.onap.ccsdk.sli.core.sli.SvcLogicException;
  import org.onap.ccsdk.sli.core.sli.SvcLogicRecorder;
  
@@ -47,6 +48,10 @@ public class FileRecorder implements SvcLogicRecorder {
                 {
                         throw new ConfigurationException("No file parameter specified");
                 }
+
+               if (!PathValidator.isValidFilePath(fileName)) {
+                       throw new ConfigurationException("Invalid file name ("+fileName+")");
+               }
                 
                 String record = parmMap.get("record");
                 if (record == null)
author	Dan Timoney <dtimoney@att.com>
	Fri, 16 Oct 2020 15:22:11 +0000 (11:22 -0400)
committer	Dan Timoney <dtimoney@att.com>
	Fri, 16 Oct 2020 19:17:17 +0000 (15:17 -0400)
sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/CheckSumHelper.java		patch \| blob \| history
sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/PathValidator.java	[new file with mode: 0644]	patch \| blob
sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java		patch \| blob \| history
sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicStoreFactory.java		patch \| blob \| history
sli/provider-base/src/main/java/org/onap/ccsdk/sli/core/sli/recording/FileRecorder.java		patch \| blob \| history