Added some file name checks (#2011)

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
This commit is contained in:
Avgustin Marinov
2024-11-12 08:57:18 +02:00
committed by GitHub
parent b03985c887
commit aa4c753ffe
2 changed files with 12 additions and 16 deletions

View File

@@ -75,9 +75,9 @@ public class ArtifactFilesystemRepository extends AbstractArtifactRepository {
@Override
protected AbstractDbArtifact store(final String tenant, final DbArtifactHash base16Hashes, final String contentType, final String tempFile)
throws IOException {
final File file = new File(tempFile);
return renameFileToSHA1Naming(tenant, file,
return renameFileToSHA1Naming(
tenant, file,
new ArtifactFilesystem(file, base16Hashes.getSha1(), base16Hashes, file.length(), contentType));
}
@@ -90,11 +90,16 @@ public class ArtifactFilesystemRepository extends AbstractArtifactRepository {
Files.move(file.toPath(), fileSHA1Naming.toPath());
}
return new ArtifactFilesystem(fileSHA1Naming, artifact.getArtifactId(), artifact.getHashes(),
artifact.getSize(), artifact.getContentType());
return new ArtifactFilesystem(
fileSHA1Naming, artifact.getArtifactId(), artifact.getHashes(), artifact.getSize(), artifact.getContentType());
}
private File getFile(final String tenant, final String sha1) {
// ensure that the sha1 is not a path traversal attack
if (sha1.indexOf('/') >= 0 || sha1.indexOf('\\') >= 0) {
throw new IllegalArgumentException("Invalid sha1 hash: " + sha1);
}
final File aritfactDirectory = getSha1DirectoryPath(tenant, sha1).toFile();
aritfactDirectory.mkdirs();
return new File(aritfactDirectory, sha1);

View File

@@ -783,23 +783,14 @@ public class DdiRootController implements DdiRootControllerRestApi {
* @throws IOException cannot write output stream
*/
private static ResponseEntity<Void> writeMD5FileResponse(
final HttpServletResponse response, final String md5Hash,
final String filename) throws IOException {
final HttpServletResponse response, final String md5Hash, final String filename) throws IOException {
if (md5Hash == null) {
return ResponseEntity.notFound().build();
}
final StringBuilder builder = new StringBuilder();
builder.append(md5Hash);
builder.append(" ");
builder.append(filename);
final byte[] content = builder.toString().getBytes(StandardCharsets.US_ASCII);
final StringBuilder header = new StringBuilder().append("attachment;filename=").append(filename)
.append(ARTIFACT_MD5_DWNL_SUFFIX);
final byte[] content = (md5Hash + " " + filename).getBytes(StandardCharsets.US_ASCII);
response.setContentLength(content.length);
response.setHeader(HttpHeaders.CONTENT_DISPOSITION, header.toString());
response.setHeader(HttpHeaders.CONTENT_DISPOSITION, "attachment;filename=" + filename + ARTIFACT_MD5_DWNL_SUFFIX);
response.getOutputStream().write(content);