From 7f94862a50f552f840cbb2a84ee1c3e20fc3c708 Mon Sep 17 00:00:00 2001 From: "Magnusen, Drew (dm741q)" Date: Wed, 10 Jan 2018 14:41:24 -0600 Subject: [PATCH] Restrict file upload size in policy editor Restrict file upload size in Policy Editory using a configurable value (in bytes) set in xacml.admin.properties. Default value is 30MB. Issue-ID: POLICY-538 Change-Id: I4d8539ab33320446aed250ea4fdc51de585d5f2a Signed-off-by: Magnusen, Drew (dm741q) --- ONAP-SDK-APP/xacml.admin.properties | 5 ++++- .../org/onap/policy/admin/PolicyManagerServlet.java | 20 ++++++++++---------- .../org/onap/policy/controller/PolicyController.java | 18 ++++++++++++++++++ .../servers/console/bin/xacml.admin.properties | 5 ++++- 4 files changed, 36 insertions(+), 12 deletions(-) diff --git a/ONAP-SDK-APP/xacml.admin.properties b/ONAP-SDK-APP/xacml.admin.properties index 333da49a5..5628d8dd0 100644 --- a/ONAP-SDK-APP/xacml.admin.properties +++ b/ONAP-SDK-APP/xacml.admin.properties @@ -200,4 +200,7 @@ policyAdapter.impl.className = org.onap.policy.admin.PolicyAdapter #Micro Service Model Properties xacml.policy.msOnapName=http://org.onap -xacml.policy.msPolicyName=http://org.onap.policy \ No newline at end of file +xacml.policy.msPolicyName=http://org.onap.policy + +#Size limit (in bytes) for file uploads +file.size.limit=30000000 \ No newline at end of file diff --git a/POLICY-SDK-APP/src/main/java/org/onap/policy/admin/PolicyManagerServlet.java b/POLICY-SDK-APP/src/main/java/org/onap/policy/admin/PolicyManagerServlet.java index 151d36a33..2c67b451e 100644 --- a/POLICY-SDK-APP/src/main/java/org/onap/policy/admin/PolicyManagerServlet.java +++ b/POLICY-SDK-APP/src/main/java/org/onap/policy/admin/PolicyManagerServlet.java 
@@ -227,24 +227,24 @@ public class PolicyManagerServlet extends HttpServlet { if (!item.isFormField()) { // Process form file field (input type="file"). files.put(item.getName(), item.getInputStream()); - if(item.getName().endsWith(".xls")){ - OutputStream outputStream = null; - try{ - File file = new File(item.getName()); - outputStream = new FileOutputStream(file); + if(item.getName().endsWith(".xls") && item.getSize() <= PolicyController.getFileSizeLimit()){ + File file = new File(item.getName()); + try (OutputStream outputStream = new FileOutputStream(file);) + { IOUtils.copy(item.getInputStream(), outputStream); - outputStream.close(); newFile = file.toString(); PolicyExportAndImportController importController = new PolicyExportAndImportController(); importController.importRepositoryFile(newFile, request); }catch(Exception e){ LOGGER.error("Upload error : " + e); - }finally{ - if(outputStream != null){ - outputStream.close(); - } } } + else if (!item.getName().endsWith(".xls")) { + LOGGER.error("Non .xls filetype uploaded: " + item.getName()); + } + else { //uploaded file size is greater than allowed + LOGGER.error("Upload file size limit exceeded! File size (Bytes) is: " + item.getSize()); + } } } diff --git a/POLICY-SDK-APP/src/main/java/org/onap/policy/controller/PolicyController.java b/POLICY-SDK-APP/src/main/java/org/onap/policy/controller/PolicyController.java index d244cf528..bd8c8287c 100644 --- a/POLICY-SDK-APP/src/main/java/org/onap/policy/controller/PolicyController.java +++ b/POLICY-SDK-APP/src/main/java/org/onap/policy/controller/PolicyController.java @@ -144,6 +144,9 @@ public class PolicyController extends RestrictedBaseController { private static String configHome; private static String actionHome; + //File upload size + private static long fileSizeLimit; + private static boolean jUnit = false; 
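Review bot: The new `item.getSize() <= PolicyController.getFileSizeLimit()` test runs only after the multipart request has already been parsed into `item`, and after `files.put(item.getName(), item.getInputStream())`, so it decides whether the file is imported but does not bound how much data the servlet accepts and buffers. If these items come from Commons FileUpload's `ServletFileUpload` (the parsing code is outside this hunk), setting the limit on the parser before it parses the request, e.g. `upload.setFileSizeMax(PolicyController.getFileSizeLimit());` with `upload` standing for that parser instance, makes oversized parts fail while they are being read. Separately, `new File(item.getName())` still writes to a client-supplied name relative to the working directory, and `endsWith(".xls")` does not strip directory components; `new File(FilenameUtils.getName(item.getName()))` (commons-io, which `IOUtils` appears to come from) or a server-generated temporary file would confine the write. The same unmodified name is concatenated into the new `LOGGER.error("Non .xls filetype uploaded: " + item.getName())` line, so line breaks in it should be stripped before logging.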
@@ -176,6 +179,8 @@ public class PolicyController extends RestrictedBaseController { } // load a properties file prop.load(input); + //file upload size limit property + setFileSizeLimit(prop.getProperty("file.size.limit")); //pap url setPapUrl(prop.getProperty("xacml.rest.pap.url")); // get the property values @@ -716,6 +721,19 @@ public class PolicyController extends RestrictedBaseController { return file; } + public static void setFileSizeLimit(String uploadSize) { + //Default size limit is 30MB + if (uploadSize == null || uploadSize.isEmpty()) { + fileSizeLimit = 30000000; + } + else { + fileSizeLimit = Long.parseLong(uploadSize); + } + } + + public static long getFileSizeLimit() { + return fileSizeLimit; + } public String convertDate(String dateTTL) { String formateDate = null; if(dateTTL.contains("-")){ diff --git a/packages/base/src/files/install/servers/console/bin/xacml.admin.properties b/packages/base/src/files/install/servers/console/bin/xacml.admin.properties index 755d0f28b..e0f760b77 100644 --- a/packages/base/src/files/install/servers/console/bin/xacml.admin.properties +++ b/packages/base/src/files/install/servers/console/bin/xacml.admin.properties @@ -207,4 +207,7 @@ onap.dialect = org.hibernate.dialect.MySQLDialect #Micro Service Model Properties xacml.policy.msOnapName=${{policy_msOnapName}} -xacml.policy.msPolicyName=${{policy_msPolicyName}} \ No newline at end of file +xacml.policy.msPolicyName=${{policy_msPolicyName}} + +#Size limit (in bytes) for file uploads +file.size.limit=30000000 \ No newline at end of file -- 2.16.6
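Review bot: `Long.parseLong(uploadSize)` in `setFileSizeLimit` (the @@ -716 hunk) throws `NumberFormatException` for any value that is not a plain integer, including one with trailing whitespace, which `Properties.load` keeps in the value. Because the call was added ahead of `setPapUrl(...)` in the @@ -176 hunk, a mis-edited `file.size.limit` would presumably also skip the property setters that follow it; the surrounding try/catch is outside both hunks, so this should be confirmed. Trimming the value and falling back to the 30000000 default on a parse failure, as sketched below, keeps the upload limit in force in that case. A negative value is also accepted and would make every size comparison in the servlet fail, so the setter's comment should say whether that is an intended "uploads disabled" setting.

```java
public static void setFileSizeLimit(String uploadSize) {
    //Default size limit is 30MB
    long limit = 30000000;
    if (uploadSize != null && !uploadSize.trim().isEmpty()) {
        try {
            limit = Long.parseLong(uploadSize.trim());
        } catch (NumberFormatException ignored) {
            // malformed file.size.limit: keep the default so uploads stay bounded;
            // report it through the class's existing logger
        }
    }
    fileSizeLimit = limit;
}
// … unchanged: getFileSizeLimit() …
```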