OCT REM: 1. 增加输入路径合法性校验
This commit is contained in:
HuangXin
parent
c763477a31
commit
a3d43ab03c
6
pom.xml
6
pom.xml
|
|
@ -237,6 +237,12 @@
|
|||
<groupId>org.jacoco</groupId>
|
||||
<artifactId>jacoco-maven-plugin</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.owasp.esapi</groupId>
|
||||
<artifactId>esapi</artifactId>
|
||||
<version>2.6.0.0</version>
|
||||
<classifier>jakarta</classifier>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springdoc</groupId>
|
||||
<artifactId>springdoc-openapi-starter-webmvc-api</artifactId>
|
||||
|
|
|
|||
|
|
@ -4,7 +4,6 @@ package com.cmcc.magent.pojo.po;
|
|||
import com.cmcc.magent.validation.group.ValidGroups;
|
||||
import io.swagger.v3.oas.annotations.media.Schema;
|
||||
import jakarta.validation.constraints.NotBlank;
|
||||
import jakarta.validation.constraints.Pattern;
|
||||
import lombok.AllArgsConstructor;
|
||||
import lombok.Builder;
|
||||
import lombok.Data;
|
||||
|
|
@ -34,7 +33,6 @@ public class RemoteFileDetails {
|
|||
* 配置文件名。
|
||||
*/
|
||||
@NotBlank(message = "fileName Not Blank", groups = {ValidGroups.MiddlewareDeploymentReqValid.class})
|
||||
@Pattern(regexp = "^[a-zA-Z0-9_\\-./]+$", groups = {ValidGroups.MiddlewareDeploymentReqValid.class})
|
||||
public String fileName;
|
||||
|
||||
/**
|
||||
|
|
|
|||
|
|
@ -19,6 +19,8 @@ import com.cmcc.magent.service.PlatformApiService;
|
|||
import com.fasterxml.jackson.core.JsonProcessingException;
|
||||
import jakarta.annotation.Resource;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.owasp.esapi.ESAPI;
|
||||
import org.owasp.esapi.errors.ValidationException;
|
||||
import org.springframework.stereotype.Service;
|
||||
|
||||
import java.io.File;
|
||||
|
|
@ -227,26 +229,30 @@ public class MiddlewareManagerServiceImpl implements MiddlewareManagerService {
|
|||
private MulReturnType<ErrorCode, String> downloadAndValidateFiles(String workDir, List<RemoteFileDetails> configFiles) {
|
||||
for (RemoteFileDetails file : configFiles) {
|
||||
try {
|
||||
Path path = Paths.get(workDir + File.separator + file.getFileName());
|
||||
String saveName = path.normalize().toString();
|
||||
Path path = Paths.get(workDir + File.separator + file.getFileName());
|
||||
String validDirectoryPath = ESAPI.validator().getValidDirectoryPath("Save Directory",
|
||||
path.getParent().normalize().toString(),
|
||||
new File(commonConfigure.getDataRootDirectory()),
|
||||
false);
|
||||
if (validDirectoryPath.startsWith(workDir)) {
|
||||
String savePahtName = path.normalize().toString();
|
||||
/* Http Download Usage: new FileDownloader(file.getUrl(), saveName).downloadFile(); */
|
||||
OssService service = ossFactory.getOssService();
|
||||
service.download(new URL(file.getUrl()), new File(savePahtName));
|
||||
|
||||
if (!saveName.startsWith(workDir + File.separator)) {
|
||||
return new MulReturnType<>(ErrorCode.ERR_INPUTFORMAT, file.fileName);
|
||||
}
|
||||
|
||||
/* Http Download Usage: new FileDownloader(file.getUrl(), saveName).downloadFile(); */
|
||||
OssService service = ossFactory.getOssService();
|
||||
service.download(new URL(file.getUrl()), new File(saveName));
|
||||
|
||||
if (HelperUtils.stringNotEmptyOrNull(file.getChecksum())) {
|
||||
if (!file.getChecksum().equals(CryptoHelper.md5FileEncryption(saveName))) {
|
||||
return new MulReturnType<>(ErrorCode.ERR_FILE_CHECKSUM, file.getUrl());
|
||||
if (HelperUtils.stringNotEmptyOrNull(file.getChecksum())) {
|
||||
if (!file.getChecksum().equals(CryptoHelper.md5FileEncryption(savePahtName))) {
|
||||
return new MulReturnType<>(ErrorCode.ERR_FILE_CHECKSUM, file.getUrl());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
} catch (IOException e) {
|
||||
return new MulReturnType<>(ErrorCode.ERR_FILE_DOWNLOAD, file.getUrl());
|
||||
} catch (NoSuchAlgorithmException e) {
|
||||
return new MulReturnType<>(ErrorCode.ERR_SYSTEMEXCEPTION, file.getUrl());
|
||||
} catch (ValidationException e) {
|
||||
return new MulReturnType<>(ErrorCode.ERR_INPUTFORMAT, file.getFileName());
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,150 @@
|
|||
#
|
||||
# OWASP Enterprise Security API (ESAPI) Properties file -- PRODUCTION Version
|
||||
#
|
||||
# This file is part of the Open Worldwide Application Security Project (OWASP)
|
||||
# Enterprise Security API (ESAPI) project. For details, please see
|
||||
# https://owasp.org/www-project-enterprise-security-api/
|
||||
#
|
||||
# Copyright (c) 2008,2009 - The OWASP Foundation
|
||||
#
|
||||
# DISCUSS: This may cause a major backwards compatibility issue, etc. but
|
||||
# from a name space perspective, we probably should have prefaced
|
||||
# all the property names with ESAPI or at least OWASP. Otherwise
|
||||
# there could be problems is someone loads this properties file into
|
||||
# the System properties. We could also put this file into the
|
||||
# esapi.jar file (perhaps as a ResourceBundle) and then allow an external
|
||||
# ESAPI properties be defined that would overwrite these defaults.
|
||||
# That keeps the application's properties relatively simple as usually
|
||||
# they will only want to override a few properties. If looks like we
|
||||
# already support multiple override levels of this in the
|
||||
# DefaultSecurityConfiguration class, but I'm suggesting placing the
|
||||
# defaults in the esapi.jar itself. That way, if the jar is signed,
|
||||
# we could detect if those properties had been tampered with. (The
|
||||
# code to check the jar signatures is pretty simple... maybe 70-90 LOC,
|
||||
# but off course there is an execution penalty (similar to the way
|
||||
# that the separate sunjce.jar used to be when a class from it was
|
||||
# first loaded). Thoughts?
|
||||
###############################################################################
|
||||
#
|
||||
# WARNING: Operating system protection should be used to lock down the .esapi
|
||||
# resources directory and all the files inside and all the directories all the
|
||||
# way up to the root directory of the file system. Note that if you are using
|
||||
# file-based implementations, that some files may need to be read-write as they
|
||||
# get updated dynamically.
|
||||
#
|
||||
#===========================================================================
|
||||
# ESAPI Configuration
|
||||
#
|
||||
# If true, then print all the ESAPI properties set here when they are loaded.
|
||||
# If false, they are not printed. Useful to reduce output when running JUnit tests.
|
||||
# If you need to troubleshoot a properties related problem, turning this on may help.
|
||||
# This is 'false' in the src/test/resources/.esapi version. It is 'true' by
|
||||
# default for reasons of backward compatibility with earlier ESAPI versions.
|
||||
ESAPI.printProperties=true
|
||||
|
||||
# ESAPI is designed to be easily extensible. You can use the reference implementation
|
||||
# or implement your own providers to take advantage of your enterprise's security
|
||||
# infrastructure. The functions in ESAPI are referenced using the ESAPI locator, like:
|
||||
#
|
||||
# String ciphertext =
|
||||
# ESAPI.encryptor().encrypt("Secret message"); // Deprecated in 2.0
|
||||
# CipherText cipherText =
|
||||
# ESAPI.encryptor().encrypt(new PlainText("Secret message")); // Preferred
|
||||
#
|
||||
# Below you can specify the classname for the provider that you wish to use in your
|
||||
# application. The only requirement is that it implement the appropriate ESAPI interface.
|
||||
# This allows you to switch security implementations in the future without rewriting the
|
||||
# entire application.
|
||||
#
|
||||
# ExperimentalAccessController requires ESAPI-AccessControlPolicy.xml in .esapi directory
|
||||
|
||||
ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory
|
||||
# To use the new SLF4J logger in ESAPI (see GitHub issue #129), set
|
||||
# ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory
|
||||
# and do whatever other normal SLF4J configuration that you normally would do for your application.
|
||||
ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator
|
||||
|
||||
|
||||
#===========================================================================
|
||||
# ESAPI Logging
|
||||
# Set the application name if these logs are combined with other applications
|
||||
Logger.ApplicationName=ExampleApplication
|
||||
# If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true
|
||||
Logger.LogEncodingRequired=false
|
||||
# Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments.
|
||||
Logger.LogApplicationName=true
|
||||
# Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments.
|
||||
Logger.LogServerIP=true
|
||||
# Determines whether ESAPI should log the user info.
|
||||
Logger.UserInfo=true
|
||||
# Determines whether ESAPI should log the session id and client IP.
|
||||
Logger.ClientInfo=true
|
||||
|
||||
# Determines whether ESAPI should log the prefix of [EVENT_TYPE - APPLICATION NAME].
|
||||
# If all above Logger entries are set to false, as well as LogPrefix, then the output would be the same as if no ESAPI was used
|
||||
Logger.LogPrefix=true
|
||||
|
||||
#===========================================================================
|
||||
# ESAPI Validation
|
||||
#
|
||||
# The ESAPI Validator works on regular expressions with defined names. You can define names
|
||||
# either here, or you may define application specific patterns in a separate file defined below.
|
||||
# This allows enterprises to specify both organizational standards as well as application specific
|
||||
# validation rules.
|
||||
#
|
||||
# Use '\p{L}' (without the quotes) within the character class to match
|
||||
# any Unicode LETTER. You can also use a range, like: \u00C0-\u017F
|
||||
# You can also use any of the regex flags as documented at
|
||||
# https://docs.oracle.com/javase/tutorial/essential/regex/pattern.html, e.g. (?u)
|
||||
#
|
||||
Validator.ConfigurationFile=validation.properties
|
||||
|
||||
# Validation of file related input
|
||||
Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$
|
||||
Validator.DirectoryName=^[a-zA-Z0-9:/\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$
|
||||
|
||||
# Validation of dates. Controls whether 'lenient' dates are accepted.
|
||||
# See DataFormat.setLenient(boolean flag) for further details.
|
||||
Validator.AcceptLenientDates=false
|
||||
|
||||
# ~~~~~ Important Note ~~~~~
|
||||
# This is a workaround to make sure that a commit to address GitHub issue #509
|
||||
# doesn't accidentally break someone's production code. So essentially what we
|
||||
# are doing is to reverting back to the previous possibly buggy (by
|
||||
# documentation intent at least), but, by now, expected legacy behavior.
|
||||
# Prior to the code changes for issue #509, if invalid / malicious HTML input was
|
||||
# observed, AntiSamy would simply attempt to sanitize (cleanse) it and it would
|
||||
# only be logged. However, the code change made ESAPI comply with its
|
||||
# documentation, which stated that a ValidationException should be thrown in
|
||||
# such cases. Unfortunately, changing this behavior--especially when no one is
|
||||
# 100% certain that the documentation was correct--could break existing code
|
||||
# using ESAPI so after a lot of debate, issue #521 was created to restore the
|
||||
# previous behavior, but still allow the documented behavior. (We did this
|
||||
# because it wasn't really causing an security issues since AntiSamy would clean
|
||||
# it up anyway and we value backward compatibility as long as it doesn't clearly
|
||||
# present security vulnerabilities.)
|
||||
# More defaults about this are written up under GitHub issue #521 and
|
||||
# the pull request it references. Future major releases of ESAPI (e.g., ESAPI 3.x)
|
||||
# will not support this previous behavior, but it will remain for ESAPI 2.x.
|
||||
# Set this to 'throw' if you want the originally intended behavior of throwing
|
||||
# that was fixed via issue #509. Set to 'clean' if you want want the HTML input
|
||||
# sanitized instead.
|
||||
#
|
||||
# Possible values:
|
||||
# clean -- Use the legacy behavior where unsafe HTML input is logged and the
|
||||
# sanitized (i.e., clean) input as determined by AntiSamy and your
|
||||
# AntiSamy rules is returned. This is the default behavior if this
|
||||
# new property is not found.
|
||||
# throw -- The new, presumably correct and originally intended behavior where
|
||||
# a ValidationException is thrown when unsafe HTML input is
|
||||
# encountered.
|
||||
#
|
||||
#Validator.HtmlValidationAction=clean
|
||||
Validator.HtmlValidationAction=throw
|
||||
|
||||
# With the fix for #310 to enable loading antisamy-esapi.xml from the classpath
|
||||
# also an enhancement was made to be able to use a different filename for the configuration.
|
||||
# You don't have to configure the filename here, but in that case the code will keep looking for antisamy-esapi.xml.
|
||||
# This is the default behaviour of ESAPI.
|
||||
#
|
||||
#Validator.HtmlValidationConfigurationFile=antisamy-esapi.xml
|
||||
Loading…
Reference in New Issue