Fix sonarqube issues introduced by ZipSlip change
Fix major and critical sonarqube issues introduced by ZipSlip change
id I721f3d44b34fe6d242c9537f5a515ce1bb534c9a
Change-Id: I3aa2cd4116936d715baba99a38d43aa40fd62a29
Issue-ID: SDC-1401
Signed-off-by: andre.schmid <andre.schmid@est.tech>
diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/servlets/AbstractValidationsServlet.java b/catalog-be/src/main/java/org/openecomp/sdc/be/servlets/AbstractValidationsServlet.java
index 514576f..3606b01 100644
--- a/catalog-be/src/main/java/org/openecomp/sdc/be/servlets/AbstractValidationsServlet.java
+++ b/catalog-be/src/main/java/org/openecomp/sdc/be/servlets/AbstractValidationsServlet.java
@@ -28,7 +28,6 @@
import fj.data.Either;
import java.io.File;
import java.io.FileInputStream;
-import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Type;
@@ -232,15 +231,11 @@
fillToscaTemplateFromZip(yamlStringWrapper, ymlName, file);
}
- private static void fillToscaTemplateFromZip(Wrapper<String> yamlStringWrapper, String payloadName, File file) {
- Map<String, byte[]> unzippedFolder = null;
- try {
- unzippedFolder = ZipUtils.readZip(file, false);
- } catch (final ZipException e) {
- log.info("Failed to unzip file", e);
- }
- byte[] yamlFileInBytes = unzippedFolder.get(payloadName);
- String yamlAsString = new String(yamlFileInBytes, StandardCharsets.UTF_8);
+ private static void fillToscaTemplateFromZip(final Wrapper<String> yamlStringWrapper, final String payloadName,
+ final File file) throws ZipException {
+ final Map<String, byte[]> unzippedFolder = ZipUtils.readZip(file, false);
+ final byte[] yamlFileInBytes = unzippedFolder.get(payloadName);
+ final String yamlAsString = new String(yamlFileInBytes, StandardCharsets.UTF_8);
log.debug("received yaml: {}", yamlAsString);
yamlStringWrapper.setInnerElement(yamlAsString);
}
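Review bot: `unzippedFolder.get(payloadName)` returns null when the archive has no entry named `payloadName`, and the next line passes that null to `new String(yamlFileInBytes, StandardCharsets.UTF_8)`. An upload whose YAML name matches no entry therefore ends in a NullPointerException, which the `IOException | ZipException` handlers shown in ResourcesServlet would not catch. A guard such as `if (yamlFileInBytes == null)` ahead of the conversion, reporting the missing entry name through the declared `ZipException`, keeps that failure on the handled path. Separately, `log.debug("received yaml: {}", yamlAsString)` writes the whole uploaded document to the log; the entry name and byte length would be enough for troubleshooting.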
@@ -521,7 +516,7 @@
}
protected void fillPayload(Wrapper<Response> responseWrapper, Wrapper<UploadResourceInfo> uploadResourceInfoWrapper, Wrapper<String> yamlStringWrapper, User user, String resourceInfoJsonString, ResourceAuthorityTypeEnum resourceAuthorityEnum,
- File file) throws FileNotFoundException {
+ File file) throws ZipException {
if (responseWrapper.isEmpty()) {
if (resourceAuthorityEnum.isBackEndImport()) {
@@ -562,8 +557,11 @@
}
- protected void specificResourceAuthorityValidations(Wrapper<Response> responseWrapper, Wrapper<UploadResourceInfo> uploadResourceInfoWrapper, Wrapper<String> yamlStringWrapper, User user, HttpServletRequest request, String resourceInfoJsonString,
- ResourceAuthorityTypeEnum resourceAuthorityEnum) throws FileNotFoundException {
+ protected void specificResourceAuthorityValidations(final Wrapper<Response> responseWrapper,
+ final Wrapper<UploadResourceInfo> uploadResourceInfoWrapper,
+ final Wrapper<String> yamlStringWrapper, final User user,
+ final HttpServletRequest request, final String resourceInfoJsonString,
+ final ResourceAuthorityTypeEnum resourceAuthorityEnum) {
if (responseWrapper.isEmpty()) {
// UI Only Validation
diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/servlets/ResourcesServlet.java b/catalog-be/src/main/java/org/openecomp/sdc/be/servlets/ResourcesServlet.java
index 03bed47..fd1fe22 100644
--- a/catalog-be/src/main/java/org/openecomp/sdc/be/servlets/ResourcesServlet.java
+++ b/catalog-be/src/main/java/org/openecomp/sdc/be/servlets/ResourcesServlet.java
@@ -47,6 +47,7 @@
import org.openecomp.sdc.common.api.Constants;
import org.openecomp.sdc.common.datastructure.Wrapper;
import org.openecomp.sdc.common.log.wrappers.Logger;
+import org.openecomp.sdc.common.zip.exception.ZipException;
import org.openecomp.sdc.exception.ResponseFormat;
import io.swagger.v3.oas.annotations.OpenAPIDefinition;
import io.swagger.v3.oas.annotations.Operation;
@@ -64,7 +65,6 @@
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
-import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.List;
import java.util.Map;
@@ -138,7 +138,7 @@
responseWrapper.setInnerElement(response);
}
return responseWrapper.getInnerElement();
- } catch (IOException e) {
+ } catch (final IOException | ZipException e) {
BeEcompErrorManager.getInstance().logBeRestApiGeneralError("Create Resource");
log.debug("create resource failed with exception", e);
response = buildErrorResponse(getComponentsUtils().getResponseFormat(ActionStatus.GENERAL_ERROR));
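Review bot: The widened `catch (final IOException | ZipException e)` records the failure only through `log.debug` and answers with `ActionStatus.GENERAL_ERROR`, so a rejected archive is indistinguishable from any other I/O fault. If `ZipSlipException` is a subtype of `ZipException` (the ZipUtils hunks suggest so, but the class is not shown), an upload that tripped the path-traversal check leaves no trace at default log levels. A separate `catch (final ZipException e)` that logs at warn level with the user id, and maps to a client-error response, would give operators something to alert on. The same applies to the update-resource handler in the `@@ -509,7 +510,7 @@` hunk. The try block starts outside this hunk.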
@@ -159,8 +159,9 @@
return isUIImport;
}
- private void performUIImport(Wrapper<Response> responseWrapper, String data, final HttpServletRequest request, String userId, String resourceUniqueId) throws FileNotFoundException {
-
+ private void performUIImport(final Wrapper<Response> responseWrapper, final String data,
+ final HttpServletRequest request, final String userId,
+ final String resourceUniqueId) throws ZipException {
Wrapper<User> userWrapper = new Wrapper<>();
Wrapper<UploadResourceInfo> uploadResourceInfoWrapper = new Wrapper<>();
Wrapper<String> yamlStringWrapper = new Wrapper<>();
@@ -509,7 +510,7 @@
responseWrapper.setInnerElement(response);
}
return responseWrapper.getInnerElement();
- } catch (IOException e) {
+ } catch (final IOException | ZipException e) {
BeEcompErrorManager.getInstance().logBeRestApiGeneralError("Update Resource");
log.debug("update resource failed with exception", e);
response = buildErrorResponse(getComponentsUtils().getResponseFormat(ActionStatus.GENERAL_ERROR));
diff --git a/common-app-api/src/main/java/org/openecomp/sdc/common/zip/ZipUtils.java b/common-app-api/src/main/java/org/openecomp/sdc/common/zip/ZipUtils.java
index d90377f..25f85ba 100644
--- a/common-app-api/src/main/java/org/openecomp/sdc/common/zip/ZipUtils.java
+++ b/common-app-api/src/main/java/org/openecomp/sdc/common/zip/ZipUtils.java
@@ -75,8 +75,8 @@
String canonicalPath = null;
try {
canonicalPath = file.getCanonicalPath();
- } catch (final IOException ignored) {
- //ignored
+ } catch (final IOException ex) {
+ LOGGER.debug("Could not get canonical path of file '{}'", file.getPath(), ex);
}
if (canonicalPath != null && !canonicalPath.equals(file.getAbsolutePath())) {
throw new ZipSlipException(filePath.toString());
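Review bot: When `file.getCanonicalPath()` throws, `canonicalPath` stays null and the `canonicalPath != null && ...` condition skips the comparison, so the entry is accepted without the zip-slip check having run. The new `LOGGER.debug` call records that but does not change the outcome. Failing closed is the safer default: use `throw new ZipSlipException(filePath.toString());` in the catch block, or at least log at warn level if continuing is intentional. The enclosing method begins above this hunk, so its declared exceptions should be confirmed first.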
@@ -170,26 +170,10 @@
final Map<String, byte[]> filePathAndByteMap = new HashMap<>();
try (final ZipInputStream inputZipStream = ZipUtils.getInputStreamFromBytes(zipFileBytes)) {
- byte[] fileByteContent;
- String currentEntryName;
ZipEntry zipEntry;
while ((zipEntry = inputZipStream.getNextEntry()) != null) {
- checkForZipSlipInRead(zipEntry);
- currentEntryName = zipEntry.getName();
- fileByteContent = getBytes(inputZipStream);
- if (zipEntry.isDirectory()) {
- if (hasToIncludeDirectories) {
- filePathAndByteMap.put(normalizeFolder(currentEntryName), null);
- }
- } else {
- if (hasToIncludeDirectories) {
- final Path parentFolderPath = Paths.get(zipEntry.getName()).getParent();
- if (parentFolderPath != null) {
- filePathAndByteMap.putIfAbsent(normalizeFolder(parentFolderPath.toString()), null);
- }
- }
- filePathAndByteMap.put(currentEntryName, fileByteContent);
- }
+ filePathAndByteMap
+ .putAll(processZipEntryInRead(zipEntry, getBytes(inputZipStream), hasToIncludeDirectories));
}
} catch (final IOException e) {
LOGGER.warn("Could not close the zip input stream", e);
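Review bot: `getBytes(inputZipStream)` is now evaluated as a call argument, so each entry's content is read fully into memory before `checkForZipSlipInRead` runs inside `processZipEntryInRead`; the removed code checked the entry first. Calling `checkForZipSlipInRead(zipEntry);` as the first statement of the `while` body restores that order. No cap on entry size or entry count is visible in this hunk, which matters for archives that expand far beyond their compressed size. The `catch (final IOException e)` also covers `getNextEntry()` and `getBytes`, so the message `Could not close the zip input stream` is misleading for a corrupt archive, and the method then returns a partial map.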
@@ -198,6 +182,29 @@
return filePathAndByteMap;
}
+ private static Map<String, byte[]> processZipEntryInRead(final ZipEntry zipEntry,
+ final byte[] inputStreamBytes,
+ final boolean hasToIncludeDirectories) throws ZipException {
+ final Map<String, byte[]> filePathAndByteMap = new HashMap<>();
+ checkForZipSlipInRead(zipEntry);
+ if (zipEntry.isDirectory()) {
+ if (hasToIncludeDirectories) {
+ filePathAndByteMap.put(normalizeFolder(zipEntry.getName()), null);
+ }
+ return filePathAndByteMap;
+ }
+
+ if (hasToIncludeDirectories) {
+ final Path parentFolderPath = Paths.get(zipEntry.getName()).getParent();
+ if (parentFolderPath != null) {
+ filePathAndByteMap.putIfAbsent(normalizeFolder(parentFolderPath.toString()), null);
+ }
+ }
+ filePathAndByteMap.put(zipEntry.getName(), inputStreamBytes);
+
+ return filePathAndByteMap;
+ }
+
/**
* Adds a {@link File#separator} at the end of the folder path if not present.
*
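Review bot: `Paths.get(zipEntry.getName())` throws the unchecked `InvalidPathException` when an entry name cannot be converted to a path on the host file system, and that name comes from the uploaded archive. Unless `checkForZipSlipInRead` (not shown) already rejects such names, the exception bypasses the `throws ZipException` contract of `processZipEntryInRead` and the `IOException | ZipException` handlers in the servlets. Catching `InvalidPathException` around the parent-folder lookup and rethrowing it as the module's `ZipException` would keep malformed names on the handled path. The helper would also benefit from a short Javadoc stating that directory keys map to null and that a fresh map is returned per entry.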
diff --git a/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/utils/CommonUtil.java b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/utils/CommonUtil.java
index f286dc1..a564928 100644
--- a/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/utils/CommonUtil.java
+++ b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/utils/CommonUtil.java
@@ -20,7 +20,6 @@
package org.openecomp.sdc.common.utils;
import com.google.common.collect.Multimap;
-import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
@@ -30,14 +29,11 @@
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
-import java.util.zip.ZipEntry;
-import java.util.zip.ZipInputStream;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.io.FilenameUtils;
import org.apache.commons.lang3.tuple.ImmutablePair;
import org.apache.commons.lang3.tuple.Pair;
import org.openecomp.core.utilities.file.FileContentHandler;
-import org.openecomp.core.utilities.file.FileUtils;
import org.openecomp.core.utilities.orchestration.OnboardingTypesEnum;
import org.openecomp.sdc.common.errors.CoreException;
import org.openecomp.sdc.common.errors.ErrorCategory;