From 43524ffb147e67d731297fcad738b641d7d19d7c Mon Sep 17 00:00:00 2001
From: Russ Poetker
Date: Wed, 18 Dec 2024 15:04:11 -0500
Subject: [PATCH 1/2] Cleanse fileId for logging
---
 .../eclipse/pass/file/service/storage/FileStorageService.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pass-core-file-service/src/main/java/org/eclipse/pass/file/service/storage/FileStorageService.java b/pass-core-file-service/src/main/java/org/eclipse/pass/file/service/storage/FileStorageService.java
index 811539f9..7e070c23 100644
--- a/pass-core-file-service/src/main/java/org/eclipse/pass/file/service/storage/FileStorageService.java
+++ b/pass-core-file-service/src/main/java/org/eclipse/pass/file/service/storage/FileStorageService.java
@@ -172,7 +172,9 @@ public ByteArrayResource getFile(String fileId) throws IOException {
 }
 // the output path for getObject must not exist, hence temp dir is created on the fly
 ocflRepository.getObject(ObjectVersionId.head(fileId), tempLoadDir);
- LOG.debug("File Service: File with ID " + fileId + " was loaded from the repo");
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("File Service: File with ID {} was loaded from the repo", StringUtils.normalizeSpace(fileId));
+ }
 Path fileNamePath = Objects.requireNonNull(tempLoadDir.toFile().listFiles())[0].toPath();
 loadedResource = new ByteArrayResource(Files.readAllBytes(fileNamePath));
From 9c73e065921e4b96c0cb32583abd93f8a2fdcc1c Mon Sep 17 00:00:00 2001
From: Russ Poetker
Date: Wed, 18 Dec 2024 15:38:34 -0500
Subject: [PATCH 2/2] Cleanse API input params
---
 .../pass/file/service/PassFileServiceController.java | 9 +++++++--
 .../pass/file/service/storage/FileStorageService.java | 4 +---
 2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/pass-core-file-service/src/main/java/org/eclipse/pass/file/service/PassFileServiceController.java b/pass-core-file-service/src/main/java/org/eclipse/pass/file/service/PassFileServiceController.java
index 72561233..b34ee328 100644
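Review bot: `StringUtils.normalizeSpace(fileId)` in the new debug call only collapses whitespace, so CR/LF are neutralised, but other control characters in `fileId` (ESC, for example) would still reach the log. If the aim is protection against forged log entries, consider also stripping control characters, or encoding at the appender/layout level so every log site is covered rather than this one statement. A short comment such as `// fileId is caller-supplied; neutralise line breaks before logging` would record why the call is there. The `StringUtils` import and the rest of `getFile` are outside the hunk, so this assumes the Commons Lang implementation.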
--- a/pass-core-file-service/src/main/java/org/eclipse/pass/file/service/PassFileServiceController.java
+++ b/pass-core-file-service/src/main/java/org/eclipse/pass/file/service/PassFileServiceController.java
@@ -103,11 +103,14 @@ public ResponseEntity fileUpload(@RequestParam("file") MultipartFile file, Pr
 @ResponseBody
 public ResponseEntity getFileById(@PathVariable("uuid") String uuid,
 @PathVariable("origFileName") String origFileName) {
- String fileId = uuid + "/" + origFileName;
 if (StringUtils.isEmpty(uuid) || StringUtils.isEmpty(origFileName)) {
 LOG.error("File ID not provided to get a file.");
 return ResponseEntity.badRequest().body("File ID not provided to get a file.");
 }
+ String cleansedUuid = StringUtils.normalizeSpace(uuid);
+ String cleansedOrigFileName = StringUtils.normalizeSpace(origFileName);
+ String fileId = cleansedUuid + "/" + cleansedOrigFileName;
+
 ByteArrayResource fileResource;
 String contentType = "";
@@ -141,7 +144,9 @@ public ResponseEntity deleteFileById(@PathVariable("uuid") String uuid,
 @PathVariable("origFileName") String origFileName, Principal principal, HttpServletRequest request) {
 String principalName = principal.getName();
- String fileId = uuid + "/" + origFileName;
+ String cleansedUuid = StringUtils.normalizeSpace(uuid);
+ String cleansedOrigFileName = StringUtils.normalizeSpace(origFileName);
+ String fileId = cleansedUuid + "/" + cleansedOrigFileName;
 //Get the file, check that it exists, and then check if current user has permissions to delete
 try {
diff --git a/pass-core-file-service/src/main/java/org/eclipse/pass/file/service/storage/FileStorageService.java b/pass-core-file-service/src/main/java/org/eclipse/pass/file/service/storage/FileStorageService.java
index 7e070c23..c85323bb 100644
--- a/pass-core-file-service/src/main/java/org/eclipse/pass/file/service/storage/FileStorageService.java
+++ b/pass-core-file-service/src/main/java/org/eclipse/pass/file/service/storage/FileStorageService.java
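Review bot: In `getFileById` the cleansed values build the `fileId` that is looked up, not only the one that is logged, so `normalizeSpace` silently rewrites the identifier. A stored name with leading, trailing or repeated whitespace would no longer resolve, and two distinct request paths can now map to the same object. The same applies to `deleteFileById` in the next hunk, where, per the comment that follows, the rewritten ID drives the existence check, the permission check and the delete. Rejecting malformed input is safer than repairing it: for example check `uuid` with `UUID.fromString(uuid)`, return `ResponseEntity.badRequest()` when a parameter differs from its normalised form, and keep the cleansed copy for log output only. `deleteFileById` also shows no `StringUtils.isEmpty` guard in the visible lines; both method bodies continue outside their hunks.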
@@ -172,9 +172,7 @@ public ByteArrayResource getFile(String fileId) throws IOException {
 }
 // the output path for getObject must not exist, hence temp dir is created on the fly
 ocflRepository.getObject(ObjectVersionId.head(fileId), tempLoadDir);
- if (LOG.isDebugEnabled()) {
- LOG.debug("File Service: File with ID {} was loaded from the repo", StringUtils.normalizeSpace(fileId));
- }
+ LOG.debug("File Service: File with ID {} was loaded from the repo", fileId);
 Path fileNamePath = Objects.requireNonNull(tempLoadDir.toFile().listFiles())[0].toPath();
 loadedResource = new ByteArrayResource(Files.readAllBytes(fileNamePath));
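Review bot: With `normalizeSpace` removed, `getFile` logs `fileId` exactly as received, so this log line is only safe when every caller has already cleansed the value. The controller does so in this patch, but other callers of `getFile` are not visible in the diff. Either keep the neutralisation at the logging boundary or state the precondition in the method's Javadoc, e.g. `@param fileId storage object ID; must already be validated by the caller, it is logged as-is`. The `{}` placeholder only defers formatting; it does not sanitise the argument. `getFile` starts and ends outside the hunk.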