
Fix Uncontrolled data used in path expression
fugerit79 committed Aug 29, 2024
1 parent 03b5927 commit d5f2233
Showing 5 changed files with 36 additions and 20 deletions.
4 changes: 4 additions & 0 deletions fj-doc-playground-quarkus/pom.xml
Expand Up @@ -62,6 +62,10 @@
<groupId>io.quarkus</groupId>
<artifactId>quarkus-webjars-locator</artifactId>
</dependency>
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-hibernate-validator</artifactId>
</dependency>
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-junit5</artifactId>
@@ -1,17 +1,30 @@
package org.fugerit.java.doc.playground.init;

import jakarta.validation.constraints.Max;
import jakarta.validation.constraints.Min;
import jakarta.validation.constraints.Pattern;
import lombok.Getter;
import lombok.Setter;

import java.util.List;

public class ProjectInitInput {

@Pattern( regexp = "[A-Za-z0-9-\\.]+", flags = Pattern.Flag.DOTALL )
@Getter @Setter private String groupId;

@Pattern( regexp = "[A-Za-z0-9-]+", flags = Pattern.Flag.DOTALL )
@Getter @Setter private String artifactId;

@Pattern( regexp = "[A-Za-z0-9-\\.]+", flags = Pattern.Flag.DOTALL )
@Getter @Setter private String projectVersion;
@Getter @Setter private String javaVersion;

@Min( 8 ) @Max( 21 )
@Getter @Setter private Long javaVersion;

@Pattern( regexp = "[A-Za-z0-9-\\.]+", flags = Pattern.Flag.DOTALL )
@Getter @Setter private String venusVersion;

@Getter @Setter private List<String> extensionList;

}
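Review bot: Every constraint added here (`@Pattern`, `@Min`, `@Max`) treats a null value as valid, so a request that omits `groupId`, `artifactId` or `javaVersion` still passes `@Valid`; in the resource, `artifactIdData` then reaches `new File( projectDir, artifactIdData )` as null and `String.valueOf( data.getJavaVersion() )` produces the literal string "null" for `javaRelease`. Pair each constraint with a presence check, e.g. `@NotBlank @Pattern( regexp = "[A-Za-z0-9-]+" )` on `artifactId` and `@NotNull @Min( 8 ) @Max( 21 )` on `javaVersion`. `Pattern.Flag.DOTALL` has no effect on these expressions, since none of them contains an unescaped `.` metacharacter, and can be dropped. The class for `groupId` and the two version fields still accepts a value made only of dots such as `..`; whether that matters depends on how MojoInit maps `groupId` to a package directory, which is outside this diff.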
@@ -1,6 +1,7 @@
package org.fugerit.java.doc.playground.init;

import jakarta.enterprise.context.ApplicationScoped;
import jakarta.validation.Valid;
import jakarta.ws.rs.*;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
Expand All @@ -18,9 +19,7 @@
import org.fugerit.java.doc.project.facade.ModuleFacade;

import java.io.*;
import java.nio.file.Files;
import java.util.Base64;
import java.util.UUID;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;

Expand Down Expand Up @@ -54,30 +53,28 @@ private File initConfigWorker( String base ) {
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@Path("/init")
public Response init( ProjectInitInput input) {
public Response init( @Valid ProjectInitInput data ) {
return RestHelper.defaultHandle( () -> {
// check artifact id naming
if ( !input.getArtifactId().matches( "[A-Za-z0-9-]+" ) ) {
return Response.status( Response.Status.BAD_REQUEST ).build();
}
long time = System.currentTimeMillis();
ProjectInitOutput output = new ProjectInitOutput();
String groupIdData = data.getGroupId();
String artifactIdData = data.getArtifactId();
try ( ByteArrayOutputStream buffer = new ByteArrayOutputStream() ) {
File projectDir = this.initConfigWorker( input.getArtifactId() );
File projectDir = this.initConfigWorker( artifactIdData );
checkIfInTempFolder( projectDir ); // security check
File realDir = new File( projectDir, input.getArtifactId() );
File realDir = new File( projectDir, artifactIdData );
checkIfInTempFolder( realDir ); // security check
log.info( "project init folder : {}", realDir.getAbsolutePath() );
MojoInit mojoInit = new MojoInit() {
@Override
public void execute() throws MojoExecutionException, MojoFailureException {
this.baseInitFolder = projectDir.getAbsolutePath();
this.projectVersion = input.getProjectVersion();
this.groupId = input.getGroupId();
this.version = input.getVenusVersion();
this.artifactId = input.getArtifactId();
this.javaRelease = input.getJavaVersion();
this.extensions = StringUtils.concat( ",", input.getExtensionList() );
this.projectVersion = data.getProjectVersion();
this.groupId = groupIdData;
this.version = data.getVenusVersion();
this.artifactId = artifactIdData;
this.javaRelease = String.valueOf( data.getJavaVersion() );
this.extensions = StringUtils.concat( ",", data.getExtensionList() );
this.addDocFacade = true;
this.force = true;
this.addVerifyPlugin = true;
Expand All @@ -86,13 +83,13 @@ public void execute() throws MojoExecutionException, MojoFailureException {
};
mojoInit.execute();
zipFolder( realDir, buffer );
byte[] data = buffer.toByteArray();
output.setContent( Base64.getEncoder().encodeToString( data ) );
log.info( "zip size : {}", data.length );
byte[] byteArray = buffer.toByteArray();
output.setContent( Base64.getEncoder().encodeToString( byteArray ) );
log.info( "zip size : {}", byteArray.length );
checkIfInTempFolder( projectDir ); // security check
FileUtils.deleteDirectory( projectDir );
output.setMessage( String.format( "Project init OK : %s:%s, time:%s",
input.getGroupId(), input.getArtifactId(),
groupIdData, artifactIdData,
CheckpointUtils.formatTimeDiffMillis( time , System.currentTimeMillis() ) ) );
} catch ( Exception e ) {
log.warn( "Error generating document : "+e , e );
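Review bot: Cleanup of the generated tree runs only on the success path: `FileUtils.deleteDirectory( projectDir )` follows the zip step, so when `mojoInit.execute()` or `zipFolder` throws, the directory created under the temp folder is left behind and accumulates across failed requests. Unless a `finally` exists past the end of this hunk, move the `checkIfInTempFolder( projectDir )` / `deleteDirectory` pair into a `finally` that deletes `projectDir` when it was created; note that the anonymous MojoInit captures `projectDir`, so the variable it reads must stay effectively final. The `init` method continues outside the hunk.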
Expand Up @@ -45,6 +45,7 @@ void testInit() {
this.testWorker( "/project/init", "request/payload/init/init_ok_1.json", 200 );
this.testWorker( "/project/init", "request/payload/init/init_ko_1.json", 200 );
this.testWorker( "/project/init", "request/payload/init/init_ko_2.json", 400 );
this.testWorker( "/project/init", "request/payload/init/init_ko_3.json", 400 );
Assertions.assertTrue( Boolean.TRUE ); // the condition is actually checked by rest assured
}

@@ -0,0 +1 @@
{"groupId":"../org.fugerit.java.demo","artifactId":"fugerit-doc-demo","projectVersion":"1.0.0-SNAPSHOT","javaVersion":"21","venusVersion":"8.7.4"}
