From d5f2233cfceff7fbf5c6503133b3bacb5a3ac5f1 Mon Sep 17 00:00:00 2001
From: "Matteo Franci a.k.a. Fugerit"
Date: Fri, 30 Aug 2024 00:31:57 +0200
Subject: [PATCH] Fix Uncontrolled data used in path expression
---
 fj-doc-playground-quarkus/pom.xml | 4 +++
 .../doc/playground/init/ProjectInitInput.java | 15 +++++++-
 .../java/doc/playground/init/ProjectRest.java | 35 +++++++++----------
 .../java/doc/playground/InitRestTest.java | 1 +
 .../request/payload/init/init_ko_3.json | 1 +
 5 files changed, 36 insertions(+), 20 deletions(-)
 create mode 100644 fj-doc-playground-quarkus/src/test/resources/request/payload/init/init_ko_3.json
diff --git a/fj-doc-playground-quarkus/pom.xml b/fj-doc-playground-quarkus/pom.xml
index 61a3e123d..32c97a4cb 100644
--- a/fj-doc-playground-quarkus/pom.xml
+++ b/fj-doc-playground-quarkus/pom.xml
@@ -62,6 +62,10 @@ io.quarkus quarkus-webjars-locator + + io.quarkus + quarkus-hibernate-validator + io.quarkus quarkus-junit5
diff --git a/fj-doc-playground-quarkus/src/main/java/org/fugerit/java/doc/playground/init/ProjectInitInput.java b/fj-doc-playground-quarkus/src/main/java/org/fugerit/java/doc/playground/init/ProjectInitInput.java
index 071b743ac..30ab9451d 100644
--- a/fj-doc-playground-quarkus/src/main/java/org/fugerit/java/doc/playground/init/ProjectInitInput.java
+++ b/fj-doc-playground-quarkus/src/main/java/org/fugerit/java/doc/playground/init/ProjectInitInput.java
@@ -1,5 +1,8 @@
 package org.fugerit.java.doc.playground.init;
+import jakarta.validation.constraints.Max;
+import jakarta.validation.constraints.Min;
+import jakarta.validation.constraints.Pattern;
 import lombok.Getter;
 import lombok.Setter;
@@ -7,11 +10,21 @@ public class ProjectInitInput {
+ @Pattern( regexp = "[A-Za-z0-9-\\.]+", flags = Pattern.Flag.DOTALL )
 @Getter @Setter private String groupId;
+
+ @Pattern( regexp = "[A-Za-z0-9-]+", flags = Pattern.Flag.DOTALL )
 @Getter @Setter private String artifactId;
+
+ @Pattern( regexp = "[A-Za-z0-9-\\.]+", flags = Pattern.Flag.DOTALL )
 @Getter @Setter private String projectVersion;
- @Getter @Setter private String javaVersion;
+
+ @Min( 8 ) @Max( 21 )
+ @Getter @Setter private Long javaVersion;
+
+ @Pattern( regexp = "[A-Za-z0-9-\\.]+", flags = Pattern.Flag.DOTALL )
 @Getter @Setter private String venusVersion;
+
 @Getter @Setter private List extensionList;
 }
diff --git a/fj-doc-playground-quarkus/src/main/java/org/fugerit/java/doc/playground/init/ProjectRest.java b/fj-doc-playground-quarkus/src/main/java/org/fugerit/java/doc/playground/init/ProjectRest.java
index 51fe58ca0..b797d6972 100644
--- a/fj-doc-playground-quarkus/src/main/java/org/fugerit/java/doc/playground/init/ProjectRest.java
+++ b/fj-doc-playground-quarkus/src/main/java/org/fugerit/java/doc/playground/init/ProjectRest.java
@@ -1,6 +1,7 @@
 package org.fugerit.java.doc.playground.init;
 import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.validation.Valid;
 import jakarta.ws.rs.*;
 import jakarta.ws.rs.core.MediaType;
 import jakarta.ws.rs.core.Response;
@@ -18,9 +19,7 @@ import org.fugerit.java.doc.project.facade.ModuleFacade;
 import java.io.*;
-import java.nio.file.Files;
 import java.util.Base64;
-import java.util.UUID;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipOutputStream;
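Review bot: None of the new constraints on ProjectInitInput rejects an absent field, because Bean Validation treats a null value as valid for `@Pattern`, `@Min` and `@Max`, so a payload that omits artifactId or javaVersion still passes `@Valid` in ProjectRest.init. In that case `new File( projectDir, artifactIdData )` in the init hunk throws a NullPointerException inside the catch-all, and `this.javaRelease = String.valueOf( data.getJavaVersion() )` hands MojoInit the literal string "null" instead of a release number. Adding `@NotNull` from `jakarta.validation.constraints` to each constrained field, e.g. `@NotNull @Pattern( regexp = "[A-Za-z0-9-]+" ) @Getter @Setter private String artifactId;`, makes the 400 path cover missing values as well. The `flags = Pattern.Flag.DOTALL` argument has no effect on these character-class-only patterns and can be dropped.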
@@ -54,30 +53,28 @@ private File initConfigWorker( String base ) {
 @Consumes(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON) @Path("/init")
- public Response init( ProjectInitInput input) {
+ public Response init( @Valid ProjectInitInput data ) {
 return RestHelper.defaultHandle( () -> {
- // check artifact id naming
- if ( !input.getArtifactId().matches( "[A-Za-z0-9-]+" ) ) {
- return Response.status( Response.Status.BAD_REQUEST ).build();
- }
 long time = System.currentTimeMillis();
 ProjectInitOutput output = new ProjectInitOutput();
+ String groupIdData = data.getGroupId();
+ String artifactIdData = data.getArtifactId();
 try ( ByteArrayOutputStream buffer = new ByteArrayOutputStream() ) {
- File projectDir = this.initConfigWorker( input.getArtifactId() );
+ File projectDir = this.initConfigWorker( artifactIdData );
 checkIfInTempFolder( projectDir ); // security check
- File realDir = new File( projectDir, input.getArtifactId() );
+ File realDir = new File( projectDir, artifactIdData );
 checkIfInTempFolder( realDir ); // security check
 log.info( "project init folder : {}", realDir.getAbsolutePath() );
 MojoInit mojoInit = new MojoInit() {
 @Override public void execute() throws MojoExecutionException, MojoFailureException {
 this.baseInitFolder = projectDir.getAbsolutePath();
- this.projectVersion = input.getProjectVersion();
- this.groupId = input.getGroupId();
- this.version = input.getVenusVersion();
- this.artifactId = input.getArtifactId();
- this.javaRelease = input.getJavaVersion();
- this.extensions = StringUtils.concat( ",", input.getExtensionList() );
+ this.projectVersion = data.getProjectVersion();
+ this.groupId = groupIdData;
+ this.version = data.getVenusVersion();
+ this.artifactId = artifactIdData;
+ this.javaRelease = String.valueOf( data.getJavaVersion() );
+ this.extensions = StringUtils.concat( ",", data.getExtensionList() );
 this.addDocFacade = true;
 this.force = true;
 this.addVerifyPlugin = true;
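Review bot: `groupIdData`, `data.getProjectVersion()` and `data.getVenusVersion()` now reach MojoInit with no check beyond the input patterns, and `[A-Za-z0-9-\\.]+` still accepts values made only of dots such as `..`, as well as leading, trailing or doubled dots. Whether MojoInit turns groupId into a package directory is not visible in this hunk, so I cannot say that such a value reaches the file system; the `checkIfInTempFolder` guards cover projectDir and realDir but not paths MojoInit may create below them. A pattern that forbids empty segments, e.g. `@Pattern( regexp = "[A-Za-z0-9-]+(\\.[A-Za-z0-9-]+)*" )` on groupId, closes this regardless, and a fixture with `"groupId":".."` next to init_ko_3.json would pin it. The init method continues past the end of this hunk.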
@@ -86,13 +83,13 @@ public void execute() throws MojoExecutionException, MojoFailureException {
 };
 mojoInit.execute();
 zipFolder( realDir, buffer );
- byte[] data = buffer.toByteArray();
- output.setContent( Base64.getEncoder().encodeToString( data ) );
- log.info( "zip size : {}", data.length );
+ byte[] byteArray = buffer.toByteArray();
+ output.setContent( Base64.getEncoder().encodeToString( byteArray ) );
+ log.info( "zip size : {}", byteArray.length );
 checkIfInTempFolder( projectDir ); // security check
 FileUtils.deleteDirectory( projectDir );
 output.setMessage( String.format( "Project init OK : %s:%s, time:%s",
- input.getGroupId(), input.getArtifactId(),
+ groupIdData, artifactIdData,
 CheckpointUtils.formatTimeDiffMillis( time , System.currentTimeMillis() ) ) );
 } catch ( Exception e ) {
 log.warn( "Error generating document : "+e , e );
diff --git a/fj-doc-playground-quarkus/src/test/java/org/fugerit/java/doc/playground/InitRestTest.java b/fj-doc-playground-quarkus/src/test/java/org/fugerit/java/doc/playground/InitRestTest.java
index 1157fc37a..f832c0357 100644
--- a/fj-doc-playground-quarkus/src/test/java/org/fugerit/java/doc/playground/InitRestTest.java
+++ b/fj-doc-playground-quarkus/src/test/java/org/fugerit/java/doc/playground/InitRestTest.java
@@ -45,6 +45,7 @@ void testInit() {
 this.testWorker( "/project/init", "request/payload/init/init_ok_1.json", 200 );
 this.testWorker( "/project/init", "request/payload/init/init_ko_1.json", 200 );
 this.testWorker( "/project/init", "request/payload/init/init_ko_2.json", 400 );
+ this.testWorker( "/project/init", "request/payload/init/init_ko_3.json", 400 );
 Assertions.assertTrue( Boolean.TRUE ); // the condition is actually checked by rest assured
 }
diff --git a/fj-doc-playground-quarkus/src/test/resources/request/payload/init/init_ko_3.json b/fj-doc-playground-quarkus/src/test/resources/request/payload/init/init_ko_3.json
new file mode 100644
index 000000000..cf9ebe46d
--- /dev/null
+++ b/fj-doc-playground-quarkus/src/test/resources/request/payload/init/init_ko_3.json
@@ -0,0 +1 @@
+{"groupId":"../org.fugerit.java.demo","artifactId":"fugerit-doc-demo","projectVersion":"1.0.0-SNAPSHOT","javaVersion":"21","venusVersion":"8.7.4"}
\ No newline at end of file