Fix Security Hotspot 86/122986/5
authorvasraz <vasyl.razinkov@est.tech>
Tue, 27 Jul 2021 10:19:48 +0000 (11:19 +0100)
committerVasyl Razinkov <vasyl.razinkov@est.tech>
Fri, 6 Aug 2021 09:42:46 +0000 (09:42 +0000)
Fix for https://sonarcloud.io/project/security_hotspots?id=onap_sdc&hotspots=AXrLK9lDm75TRpHZ3DAu

Change-Id: I6427d02bb76618a4b7383e427ce9f762adf73e97
Signed-off-by: Vasyl Razinkov <vasyl.razinkov@est.tech>
Issue-ID: SDC-3657

common-be/src/main/java/org/openecomp/sdc/be/csar/storage/CsarPackageReducerConfiguration.java
common-be/src/main/java/org/openecomp/sdc/be/csar/storage/CsarSizeReducer.java
common-be/src/main/java/org/openecomp/sdc/be/csar/storage/exception/CsarSizeReducerException.java
common-be/src/test/java/org/openecomp/sdc/be/csar/storage/CsarSizeReducerTest.java
openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/OrchestrationTemplateCandidateImpl.java
openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb

index a14222a..08049b4 100644 (file)
@@ -29,5 +29,6 @@ public class CsarPackageReducerConfiguration implements PackageSizeReducerConfig
 
     private final Set<Path> foldersToStrip;
     private final long sizeLimit;
+    private final int thresholdEntries;
 
 }
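Review bot: The new `thresholdEntries` field carries no comment saying what it bounds or whether the bound is inclusive, so a reader of this configuration class has to open CsarSizeReducer to find out. Suggest placing `// maximum number of entries accepted in one archive; the reducer refuses larger ones to avoid inode exhaustion on extraction` above the field. The class header, constructor and the `getThresholdEntries()` accessor used elsewhere in this commit are outside the hunk, so presumably generated.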
index 1fef373..822acc0 100644 (file)
@@ -30,6 +30,7 @@ import java.util.List;
 import java.util.Set;
 import java.util.UUID;
 import java.util.concurrent.atomic.AtomicBoolean;
+import java.util.concurrent.atomic.AtomicInteger;
 import java.util.function.Consumer;
 import java.util.stream.Collectors;
 import java.util.zip.ZipEntry;
@@ -100,9 +101,16 @@ public class CsarSizeReducer implements PackageSizeReducer {
     }
 
     private Consumer<ZipEntry> signedZipProcessingConsumer(final Path csarPackagePath, final ZipFile zf, final ZipOutputStream zos) {
+        final var thresholdEntries = configuration.getThresholdEntries();
+        final var totalEntryArchive = new AtomicInteger(0);
         return zipEntry -> {
             final var entryName = zipEntry.getName();
             try {
+                if (totalEntryArchive.getAndIncrement() > thresholdEntries) {
+                    // too much entries in this archive, can lead to inodes exhaustion of the system
+                    final var errorMsg = String.format("Failed to extract '%s' from zip '%s'", entryName, csarPackagePath);
+                    throw new CsarSizeReducerException(errorMsg);
+                }
                 zos.putNextEntry(new ZipEntry(entryName));
                 if (!zipEntry.isDirectory()) {
                     if (entryName.toLowerCase().endsWith(CSAR_EXTENSION)) {
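Review bot: The guard on the `if (totalEntryArchive.getAndIncrement() > thresholdEntries)` line accepts one entry more than the configured threshold, because `getAndIncrement()` yields 0 for the first entry, so entries numbered 0..thresholdEntries all pass and only the (thresholdEntries+2)th is refused; `if (totalEntryArchive.incrementAndGet() > thresholdEntries) {` allows exactly thresholdEntries entries. The same line appears in unsignedZipProcessingConsumer in the next hunk and needs the same change. The message built on the following line, "Failed to extract '%s' from zip '%s'", hides the reason the upload was refused, which is what an operator reading the log needs; `String.format("Zip '%s' exceeds the configured limit of %d entries (at entry '%s')", csarPackagePath, thresholdEntries, entryName)` would state it. In this consumer the throw sits inside the `try` whose catch clause lies outside the hunk, whereas the unsigned consumer checks before its `try`; if that catch handles a broad type the new exception may be wrapped or lost, so moving the check above the `try` here would make both consumers consistent. Both consumer bodies continue outside the hunk.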
@@ -123,8 +131,15 @@ public class CsarSizeReducer implements PackageSizeReducer {
     }
 
     private Consumer<ZipEntry> unsignedZipProcessingConsumer(final Path csarPackagePath, final ZipFile zf, final ZipOutputStream zos) {
+        final var thresholdEntries = configuration.getThresholdEntries();
+        final var totalEntryArchive = new AtomicInteger(0);
         return zipEntry -> {
             final var entryName = zipEntry.getName();
+            if (totalEntryArchive.getAndIncrement() > thresholdEntries) {
+                // too much entries in this archive, can lead to inodes exhaustion of the system
+                final var errorMsg = String.format("Failed to extract '%s' from zip '%s'", entryName, csarPackagePath);
+                throw new CsarSizeReducerException(errorMsg);
+            }
             try {
                 zos.putNextEntry(new ZipEntry(entryName));
                 if (!zipEntry.isDirectory()) {
index f57666a..806a415 100644 (file)
@@ -27,4 +27,8 @@ public class CsarSizeReducerException extends BusinessException {
     public CsarSizeReducerException(final String message, final Throwable cause) {
         super(message, cause);
     }
+
+    public CsarSizeReducerException(final String message) {
+        super(message);
+    }
 }
index eaa5ffe..e9748f0 100644 (file)
@@ -62,6 +62,7 @@ class CsarSizeReducerTest {
         final var sizeLimit = 150000L;
         when(csarPackageReducerConfiguration.getSizeLimit()).thenReturn(sizeLimit);
         when(csarPackageReducerConfiguration.getFoldersToStrip()).thenReturn(Set.of(pathToReduce1, pathToReduce2));
+        when(csarPackageReducerConfiguration.getThresholdEntries()).thenReturn(10000);
 
         final var csarPath = Path.of("src/test/resources/csarSizeReducer/" + fileName);
 
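Review bot: The stubbed `getThresholdEntries()` value of 10000 only keeps the existing test passing; no test in this commit feeds an archive with more entries than the threshold and asserts that `CsarSizeReducerException` is thrown, so the new rejection path and its boundary are unverified. A small case stubbing the threshold below the entry count of an existing resource CSAR and using `assertThrows(CsarSizeReducerException.class, () -> csarSizeReducer.reduce(csarPath))` would pin it. The enclosing test method starts before the hunk.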
index 19f2c5d..eb78bf0 100644 (file)
@@ -132,9 +132,10 @@ public class OrchestrationTemplateCandidateImpl implements OrchestrationTemplate
         final var commonConfigurationManager = CommonConfigurationManager.getInstance();
         final List<String> foldersToStrip = commonConfigurationManager.getConfigValue(EXTERNAL_CSAR_STORE, "foldersToStrip", new ArrayList<>());
         final int sizeLimit = commonConfigurationManager.getConfigValue(EXTERNAL_CSAR_STORE, "sizeLimit", 1000000);
+        final int thresholdEntries = commonConfigurationManager.getConfigValue(EXTERNAL_CSAR_STORE, "thresholdEntries", 10000);
         LOGGER.info("Folders to strip: '{}'", String.join(", ", foldersToStrip));
         final Set<Path> foldersToStripPathSet = foldersToStrip.stream().map(Path::of).collect(Collectors.toSet());
-        return new CsarPackageReducerConfiguration(foldersToStripPathSet, sizeLimit);
+        return new CsarPackageReducerConfiguration(foldersToStripPathSet, sizeLimit, thresholdEntries);
     }
 
     private ArtifactStorageConfig readArtifactStorageConfiguration() {
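Review bot: The value read on the `thresholdEntries` line is passed into the configuration without a range check and is not logged, although the effective limits are what an operator needs to explain a refused upload; a zero or negative value would make the reducer refuse nearly every package. Extending the existing log statement, `LOGGER.info("Folders to strip: '{}', sizeLimit: {}, thresholdEntries: {}", String.join(", ", foldersToStrip), sizeLimit, thresholdEntries);`, records all three, and a guard such as `if (thresholdEntries <= 0) { throw new IllegalArgumentException("thresholdEntries must be positive: " + thresholdEntries); }` catches a bad setting at startup rather than at first upload. The fallback 10000 is also hard-coded here while the cookbook template listed in the commit presumably carries the same number; a named constant would keep them from drifting.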
@@ -173,7 +174,7 @@ public class OrchestrationTemplateCandidateImpl implements OrchestrationTemplate
                 fileToUploadBytes = packageSizeReducer.reduce(artifactInfo.getPath());
             } catch (final BusinessException e) {
                 return Response.status(INTERNAL_SERVER_ERROR).entity(buildUploadResponseWithError(
-                    new ErrorMessage(ErrorLevel.ERROR, ERROR_HAS_OCCURRED_WHILE_REDUCING_THE_ARTIFACT_SIZE.formatMessage(artifactInfo.getPath()))))
+                        new ErrorMessage(ErrorLevel.ERROR, ERROR_HAS_OCCURRED_WHILE_REDUCING_THE_ARTIFACT_SIZE.formatMessage(artifactInfo.getPath()))))
                     .build();
             }
         } else {
@@ -189,7 +190,8 @@ public class OrchestrationTemplateCandidateImpl implements OrchestrationTemplate
         if (onboardPackageInfo == null) {
             final UploadFileResponseDto uploadFileResponseDto = buildUploadResponseWithError(
                 new ErrorMessage(ErrorLevel.ERROR, PACKAGE_PROCESS_ERROR.formatMessage(filename)));
-            return Response.ok(uploadFileResponseDto).build();
+            return Response.ok(uploadFileResponseDto)
+                .build();
         }
         final var version = new Version(ValidationUtils.sanitizeInputString(versionId));
         final var vspDetails = new VspDetails(ValidationUtils.sanitizeInputString(vspId), version);