From 34c0813624233e8f1e2c6e83088a0269b67de8cc Mon Sep 17 00:00:00 2001
From: Ali Sheikhi
Date: Tue, 2 Apr 2024 16:39:17 +0200
Subject: [PATCH 1/3] DD-1459 Fix uncontrolled data used in path expression - Test 4A
---
 src/main/java/nl/knaw/dans/ingest/core/ImportArea.java | 8 ++++++++
 .../nl/knaw/dans/ingest/resources/ImportsResource.java | 3 ++-
 .../nl/knaw/dans/ingest/resources/MigrationsResource.java | 3 ++-
 3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/main/java/nl/knaw/dans/ingest/core/ImportArea.java b/src/main/java/nl/knaw/dans/ingest/core/ImportArea.java
index ef5591d8..950813a2 100644
--- a/src/main/java/nl/knaw/dans/ingest/core/ImportArea.java
+++ b/src/main/java/nl/knaw/dans/ingest/core/ImportArea.java
@@ -108,4 +108,12 @@ private void validateDepositDirectory(Path input) {
 throw new IllegalArgumentException(String.format("Directory %s does not contain file deposit.properties. Not a valid deposit directory", input));
 }
 }
+
+ public Path getSecurePath(Path path) throws RuntimeException {
+ Path normalizedPath = path.normalize().toAbsolutePath();
+ if (!normalizedPath.startsWith(this.inboxDir)) {
+ throw new IllegalArgumentException(String.format("InsecurePath %s", normalizedPath));
+ }
+ return normalizedPath;
+ }
 }
diff --git a/src/main/java/nl/knaw/dans/ingest/resources/ImportsResource.java b/src/main/java/nl/knaw/dans/ingest/resources/ImportsResource.java
index ee09587e..79ba7d4a 100644
--- a/src/main/java/nl/knaw/dans/ingest/resources/ImportsResource.java
+++ b/src/main/java/nl/knaw/dans/ingest/resources/ImportsResource.java
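Review bot: In `getSecurePath`, `path.normalize().toAbsolutePath()` normalizes before the path is made absolute, so leading `..` segments of a relative input survive `normalize()` and are still present, un-collapsed, after `toAbsolutePath()`; the component-wise `startsWith(this.inboxDir)` can then accept a path that resolves outside the inbox whenever the working directory lies under it. Swap the calls: `Path normalizedPath = path.toAbsolutePath().normalize();`. `inboxDir` is declared outside the hunk, so the check also assumes it is itself absolute and normalized. Neither form resolves symbolic links; if deposits can contain links, compare `toRealPath()` results instead. The `throws RuntimeException` clause adds nothing and can be dropped.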
@@ -47,7 +47,8 @@ public Response startImport(StartImport start) {
 log.debug("Received command = {}", start);
 String batchName;
 try {
- batchName = importArea.startImport(start.getInputPath(), start.isBatch(), start.isContinue());
+ java.nio.file.Path securePath = importArea.getSecurePath(start.getInputPath());
+ batchName = importArea.startImport(securePath, start.isBatch(), start.isContinue());
 }
 catch (IllegalArgumentException e) {
 throw new BadRequestException(e.getMessage());
diff --git a/src/main/java/nl/knaw/dans/ingest/resources/MigrationsResource.java b/src/main/java/nl/knaw/dans/ingest/resources/MigrationsResource.java
index 3ffe3f57..21529651 100644
--- a/src/main/java/nl/knaw/dans/ingest/resources/MigrationsResource.java
+++ b/src/main/java/nl/knaw/dans/ingest/resources/MigrationsResource.java
@@ -47,7 +47,8 @@ public Response startImport(StartImport start) {
 log.info("Received command = {}", start);
 String taskName;
 try {
- taskName = migrationArea.startImport(start.getInputPath(), start.isBatch(), start.isContinue());
+ java.nio.file.Path securePath = migrationArea.getSecurePath(start.getInputPath());
+ taskName = migrationArea.startImport(securePath, start.isBatch(), start.isContinue());
 }
 catch (IllegalArgumentException e) {
 throw new BadRequestException(e.getMessage());
From ff0557b0427a4fd88c0c4042107d11b36d5aa0c8 Mon Sep 17 00:00:00 2001
From: Ali Sheikhi
Date: Tue, 2 Apr 2024 23:15:17 +0200
Subject: [PATCH 2/3] DD-1459 Fix uncontrolled data used in path expression - Test 4B
---
 src/main/java/nl/knaw/dans/ingest/core/ImportArea.java | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/main/java/nl/knaw/dans/ingest/core/ImportArea.java b/src/main/java/nl/knaw/dans/ingest/core/ImportArea.java
index 950813a2..33ad3c2b 100644
--- a/src/main/java/nl/knaw/dans/ingest/core/ImportArea.java
+++ b/src/main/java/nl/knaw/dans/ingest/core/ImportArea.java
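Review bot: The containment check is called from the resource method rather than from `startImport` itself, so `startImport(Path, boolean, boolean)` still accepts an unchecked path from any other caller; the same pattern is repeated in the MigrationsResource.java hunk that follows. Validating at the top of `startImport` (`inputPath = getSecurePath(inputPath);`) would keep the guard next to the file-system access and cover both resources, though that method's body is not shown here. Separately, a request without an input path presumably reaches `getSecurePath` as `null` and fails with a NullPointerException that `catch (IllegalArgumentException e)` does not turn into a 400, so an explicit null check is worth adding. The try/catch block continues outside the hunk.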
@@ -30,7 +30,6 @@
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.util.List;
-import java.util.stream.Collectors;
 import java.util.stream.Stream;
 public class ImportArea extends AbstractIngestArea {
@@ -86,7 +85,7 @@ public String startImport(Path inputPath, boolean isBatch, boolean continuePrevi
 private void validateBatchDirectory(Path input) {
 if (Files.isDirectory(input)) {
 try (Stream subPaths = Files.list(input)) {
- List paths = subPaths.collect(Collectors.toList());
+ List paths = subPaths.toList();
 for (Path f : paths) {
 validateDepositDirectory(f);
 }
From 900ca2c54e1bdf455daa7b2093fbf3fd48119bd0 Mon Sep 17 00:00:00 2001
From: Ali Sheikhi
Date: Tue, 9 Apr 2024 16:54:55 +0200
Subject: [PATCH 3/3] DD-1492 dd-manage-deposits improvemnet and fixes for DD-1419
---
 .../java/nl/knaw/dans/ingest/resources/ImportsResource.java | 2 +-
 .../java/nl/knaw/dans/ingest/resources/MigrationsResource.java | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/main/java/nl/knaw/dans/ingest/resources/ImportsResource.java b/src/main/java/nl/knaw/dans/ingest/resources/ImportsResource.java
index 79ba7d4a..074e3827 100644
--- a/src/main/java/nl/knaw/dans/ingest/resources/ImportsResource.java
+++ b/src/main/java/nl/knaw/dans/ingest/resources/ImportsResource.java
@@ -47,7 +47,7 @@ public Response startImport(StartImport start) {
 log.debug("Received command = {}", start);
 String batchName;
 try {
- java.nio.file.Path securePath = importArea.getSecurePath(start.getInputPath());
+ var securePath = importArea.getSecurePath(start.getInputPath());
 batchName = importArea.startImport(securePath, start.isBatch(), start.isContinue());
 }
 catch (IllegalArgumentException e) {
diff --git a/src/main/java/nl/knaw/dans/ingest/resources/MigrationsResource.java b/src/main/java/nl/knaw/dans/ingest/resources/MigrationsResource.java
index 21529651..341286e9 100644
--- a/src/main/java/nl/knaw/dans/ingest/resources/MigrationsResource.java
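Review bot: In the `validateBatchDirectory` hunk of PATCH 2/3, the list produced by `subPaths.toList()` is only iterated, so the intermediate collection is unnecessary; `subPaths.forEach(this::validateDepositDirectory);` inside the try-with-resources expresses the same loop. If the list is kept, note that `Stream.toList()` needs Java 16 or later and returns an unmodifiable list, unlike `Collectors.toList()`; that is harmless here because nothing visible mutates `paths`. The method body continues outside the hunk.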
+++ b/src/main/java/nl/knaw/dans/ingest/resources/MigrationsResource.java
@@ -47,7 +47,7 @@ public Response startImport(StartImport start) {
 log.info("Received command = {}", start);
 String taskName;
 try {
- java.nio.file.Path securePath = migrationArea.getSecurePath(start.getInputPath());
+ var securePath = migrationArea.getSecurePath(start.getInputPath());
 taskName = migrationArea.startImport(securePath, start.isBatch(), start.isContinue());
 }
 catch (IllegalArgumentException e) {