[DSD-4199] #329

JanardhanBS-SyncByte · 2024-01-24T07:42:21Z

No description provided.

#325) * [DSD-4267] removed mock-sdk-jpeg-extractor functionality from mosip-mock-services repo Signed-off-by: techno-467 <[email protected]> * [DSD-4267] removed mock-sdk-jpeg-extractor functionality from mosip-mock-services repo Signed-off-by: techno-467 <[email protected]> * [DSD-4267] removed mock-sdk-jpeg-extractor functionality from mosip-mock-services repo Signed-off-by: techno-467 <[email protected]> --------- Signed-off-by: techno-467 <[email protected]>

…e floating point numbers Signed-off-by: JanardhanBS-SyncByte <[email protected]>

[MOSIP-31258] The attributes requestedScore and qualityScore should be floating point numbers

…e floating point numbers with return type String Signed-off-by: JanardhanBS-SyncByte <[email protected]>

Signed-off-by: Sowmya Ujjappa Banakar <[email protected]>

MOSIP-31498 code fix

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

MOSIP-31977

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

MOSIP-31977

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

…iometricsdk.version Signed-off-by: JanardhanBS-SyncByte <[email protected]>

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

[MOSIP-33587] Merge develop from develop-java21

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

Signed-off-by: Chandra Keshav Mishra <[email protected]>

[DSD-5620] Update README.md

[MOSIP-33587] Merge develop from develop-java21

Signed-off-by: ckm007 <[email protected]>

[MOSIP-34233]

Signed-off-by: GitHub <[email protected]> Co-authored-by: Prafulrakhade <[email protected]>

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

Signed-off-by: JanardhanBS-SyncByte <[email protected]> Co-authored-by: JanardhanBS-SyncByte <[email protected]>

…lob/master/deployment/v3/utils/copy_cm_func.sh to https://raw.githubusercontent.com/mosip/mosip-infra/master/deployment/v3/utils/copy_cm_func.sh Signed-off-by: techno-467 <[email protected]>

Signed-off-by: Praful Rakhade <[email protected]>

[MOSIP-35160] Updated URL from https://github.com/mosip/mosip-infra/b…

Signed-off-by: Rakshithb1 <[email protected]>

[MOSIP-35892] Updated helm charts to add range

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

…ip-mock-services into develop

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

[MOSIP-37359]Update readme

mock-abis/src/main/java/io/mosip/proxy/abis/controller/ProxyAbisConfigController.java

+	 * Constructs the controller with the provided ProxyAbisConfigService instance.
+	 *
+	 * @param proxyAbisConfigService The service instance to be used by this
+	 *                               controller.


To fix the cross-site scripting vulnerability, we need to ensure that any user-provided data is properly sanitized or encoded before being included in the response. The best way to fix this issue is to use a library that provides HTML encoding to escape any potentially harmful characters.

In this case, we can use the StringEscapeUtils class from the Apache Commons Text library to encode the expectation.getId() value before including it in the response.

mock-abis/src/main/java/io/mosip/proxy/abis/service/impl/ProxyAbisInsertServiceImpl.java

-			logger.info("Fetching CBEFF for reference URL-" + CBEFF_URL);
-			ResponseEntity<String> cbeffResp = restTemplate.exchange(CBEFF_URL, HttpMethod.GET, null, String.class);
+			logger.info("Fetching CBEFF for reference URL-" + cbeffURL);
+			ResponseEntity<String> cbeffResp = restTemplate.exchange(cbeffURL, HttpMethod.GET, null, String.class);


To fix the SSRF vulnerability, we need to ensure that the user-provided URL is validated against a list of authorized URLs or restricted to a particular host or URL prefix. This can be achieved by maintaining a list of valid URLs and checking the user input against this list before making the HTTP request.

Create a list of authorized URLs.

Validate the user-provided URL against this list.

If the URL is not in the list, throw an exception or handle the error appropriately.

mock-abis/src/main/java/io/mosip/proxy/abis/service/impl/ProxyAbisInsertServiceImpl.java

@@ -312,28 +509,44 @@
 		return hexString.toString();
 	}

+	/**
+	 * Finds potential duplicate biometric data based on the provided
+	 * IdentityRequest.


To fix the problem, we need to validate the user-provided filename to ensure it does not contain any path traversal characters or sequences. This can be done by checking for the presence of "..", "/", or "\" in the filename. If any of these characters or sequences are found, we should reject the input.

The best way to fix the problem without changing existing functionality is to add a validation step before using the filename to construct the file path. This validation will ensure that the filename is safe to use.

mock-abis/src/main/java/io/mosip/proxy/abis/service/impl/ProxyAbisInsertServiceImpl.java

@@ -312,28 +509,44 @@
 		return hexString.toString();
 	}

+	/**
+	 * Finds potential duplicate biometric data based on the provided
+	 * IdentityRequest.


To fix the problem, we need to validate the user-provided filename to ensure it does not contain any path traversal sequences or invalid characters. We can achieve this by checking for the presence of "..", "/", and "\" in the filename and rejecting the input if any of these are found. Additionally, we should ensure that the filename is a single path component and does not contain any directory separators.

Steps to fix:

Validate the uploadedFile.getOriginalFilename() to ensure it does not contain any path traversal sequences or invalid characters.

Reject the input if the validation fails and throw an appropriate exception.

mock-abis/src/main/java/io/mosip/proxy/abis/service/impl/ProxyAbisInsertServiceImpl.java

@@ -514,33 +794,32 @@
 			if (parent != null && !parent.exists() && !parent.mkdirs()) {
 				throw new IllegalStateException("Couldn't create dir: " + parent);
 			}
-			keyFile.createNewFile();
+			boolean fileCreated = keyFile.createNewFile();


To fix the problem, we need to validate the filename obtained from uploadedFile.getOriginalFilename() to ensure it does not contain any path separators or parent directory references. This can be done by checking for the presence of characters like /, \, or .. in the filename. If any of these characters are found, we should reject the input and throw an exception.

mock-mv/src/main/java/io/mosip/mock/mv/controller/MockMvConfigController.java

-		} catch (RuntimeException exp) {
-			logger.error(String.format("Exception while getting expectation: %s",request));
-			throw exp;
+			return new ResponseEntity<>("Successfully inserted expectation " + expectation.getRId(), HttpStatus.OK);


To fix the problem, we need to ensure that any user-provided data included in the HTTP response is properly sanitized or encoded to prevent XSS attacks. In this case, we can use the HtmlUtils.htmlEscape method from the org.springframework.web.util package to escape the expectation.getRId() value before including it in the response.

mock-mv/src/main/java/io/mosip/mock/mv/controller/MockMvConfigController.java

+			if (expectation.getRId() != null)
+				return new ResponseEntity<>(mockMvDecisionService.getExpectation(rid).toString(), HttpStatus.OK);
+			else {
+				return new ResponseEntity<>("No expectation set for given rid:" + rid, HttpStatus.OK);


To fix the cross-site scripting vulnerability, we need to ensure that any user-provided input is properly sanitized or encoded before being included in the response. In this case, we can use the StringEscapeUtils class from the Apache Commons Text library to escape the rid parameter before including it in the response.

Add the necessary import for StringEscapeUtils.

Escape the rid parameter before including it in the response.

mock-mv/src/main/java/io/mosip/mock/mv/controller/MockMvConfigController.java

+		logger.info("Delete expectation: {}", rid);
+		try {
+			mockMvDecisionService.deleteExpectation(rid);
+			return new ResponseEntity<>("Successfully deleted expectation " + rid, HttpStatus.OK);


To fix the cross-site scripting vulnerability, we need to ensure that any user-provided input is properly sanitized or encoded before being included in the response. In this case, we can use the HtmlUtils.htmlEscape method from the org.springframework.web.util package to escape the rid parameter before including it in the response.

* [MOSIP-37853]added skip for deployment in pom Signed-off-by: JanardhanBS-SyncByte <[email protected]> * [MOSIP-37853]added skip for deployment in pom Signed-off-by: JanardhanBS-SyncByte <[email protected]> --------- Signed-off-by: JanardhanBS-SyncByte <[email protected]> Co-authored-by: JanardhanBS-SyncByte <[email protected]>

Prafulrakhade and others added 30 commits January 22, 2024 11:42

[MOSIP-31258] The attributes requestedScore and qualityScore should b…

e5acd7e

…e floating point numbers Signed-off-by: JanardhanBS-SyncByte <[email protected]>

Merge pull request #328 from JanardhanBS-SyncByte/develop

3c26168

[MOSIP-31258] The attributes requestedScore and qualityScore should be floating point numbers

[MOSIP-31258] The attributes requestedScore and qualityScore should b…

9fa282d

…e floating point numbers with return type String Signed-off-by: JanardhanBS-SyncByte <[email protected]>

Merge pull request #330 from JanardhanBS-SyncByte/develop

56ad941

MOSIP-31498 code fix

a4d67fa

Signed-off-by: Sowmya Ujjappa Banakar <[email protected]>

Merge pull request #334 from sowmya695/MOSIP-31498_develop

4860f05

MOSIP-31498 code fix

Merge branch 'develop' into release-1.2.0.1

817db7c

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

Update pom.xml

6e1a0c0

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

Update pom.xml

29a4259

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

Update pom.xml

f55ed48

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

Update pom.xml

bdf1a00

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

Merge branch 'develop' into release-1.2.0.1

a41661e

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

Merge pull request #1 from JanardhanBS-SyncByte/release-1.2.0.1

60d48d1

MOSIP-31977

Update push-trigger.yml

25f5783

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

Update push-trigger.yml

0acb584

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

Merge pull request #342 from JanardhanBS-SyncByte/develop

171e2dd

MOSIP-31977

version changed build failure

ced974d

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

version changed build failure

66035a8

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

Bug fixes and Pom.xml changes from 0.9 version to latest for kernel.b…

5fa4c6d

…iometricsdk.version Signed-off-by: JanardhanBS-SyncByte <[email protected]>

Bug fixes and Pom.xml changes

72a2ce7

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

MOSIP-26119

7735e69

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

MOSIP-24276

a401303

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

Added mvn repo to pom

5e5d4d9

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

[DSD-2180] updating pom for release

353cdc5

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

[DSD-2180] updating pom for release

3f044d6

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

Update pom.xml

659a968

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

Update pom.xml

44c23f2

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

Update pom.xml

ee6ce7a

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

[DSD-2081]

a1c0293

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

JanardhanBS-SyncByte and others added 28 commits July 9, 2024 16:00

[MOSIP-33587] Merge develop from develop-java21

a328c1f

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

Merge pull request #379 from JanardhanBS-SyncByte/develop

fa3780f

[MOSIP-33587] Merge develop from develop-java21

[MOSIP-33587] Merge develop from develop-java21

3719ca9

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

[DSD-5620] Update README.md

9c6cce6

Signed-off-by: Chandra Keshav Mishra <[email protected]>

Merge pull request #380 from mosip/ckm007-patch-1

19ffc82

[DSD-5620] Update README.md

Merge pull request #381 from JanardhanBS-SyncByte/develop

1dd2445

[MOSIP-33587] Merge develop from develop-java21

[MOSIP-34233] added helm lint and publish workflow

9304a71

Signed-off-by: ckm007 <[email protected]>

[MOSIP-34233] added deployment script

d318d7b

Signed-off-by: ckm007 <[email protected]>

[MOSIP-34233] added helm for abis and mv

362f231

Signed-off-by: ckm007 <[email protected]>

Merge pull request #385 from ckm007/develop

5fcf440

[MOSIP-34233]

Updated Pom versions for release changes (#392)

3878de3

Signed-off-by: GitHub <[email protected]> Co-authored-by: Prafulrakhade <[email protected]>

[MOSIP-35428]

809ab9e

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

[MOSIP-35428] (#393)

0694bec

Signed-off-by: JanardhanBS-SyncByte <[email protected]> Co-authored-by: JanardhanBS-SyncByte <[email protected]>

[MOSIP-35160] Updated URL from https://github.com/mosip/mosip-infra/b…

044d80c

…lob/master/deployment/v3/utils/copy_cm_func.sh to https://raw.githubusercontent.com/mosip/mosip-infra/master/deployment/v3/utils/copy_cm_func.sh Signed-off-by: techno-467 <[email protected]>

[MOSIP-35160] Updated URL from https://github.com/mosip/mosip-infra/b…

7f5ba20

…lob/master/deployment/v3/utils/copy_cm_func.sh to https://raw.githubusercontent.com/mosip/mosip-infra/master/deployment/v3/utils/copy_cm_func.sh Signed-off-by: techno-467 <[email protected]>

Update copy_cm.sh

75dc54d

Signed-off-by: Praful Rakhade <[email protected]>

Update copy_cm.sh

7783cfa

Signed-off-by: Praful Rakhade <[email protected]>

Merge pull request #395 from Prafulrakhade/release-1.3.x

5bafa9f

[MOSIP-35160] Updated URL from https://github.com/mosip/mosip-infra/b…

Merge pull request #394 from Prafulrakhade/develop

3bc337a

[MOSIP-35160] Updated URL from https://github.com/mosip/mosip-infra/b…

[MOSIP-35892] Updated helm charts to add range

9c03342

Signed-off-by: Rakshithb1 <[email protected]>

Merge pull request #396 from Rakshithb1/develop

dceaa1d

[MOSIP-35892] Updated helm charts to add range

Merge remote-tracking branch 'upstream/release-1.3.x' into develop

dc2236a

Merge branch 'mosip:develop' into develop

ff6375b

[MOSIP-37359]Update readme

f9390b3

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

[MOSIP-37359]Update readme

af38436

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

Merge branch 'develop' of https://github.com/JanardhanBS-SyncByte/mos…

d9d7c0a

…ip-mock-services into develop

[MOSIP-37359]Update readme

88ffd23

Signed-off-by: JanardhanBS-SyncByte <[email protected]>

Merge pull request #403 from JanardhanBS-SyncByte/develop

de2d8a7

[MOSIP-37359]Update readme

github-advanced-security bot found potential problems Nov 26, 2024

View reviewed changes

@@ -24,2 +24,3 @@
             import java.util.Map;
+            import org.apache.commons.text.StringEscapeUtils;
@@ -70,3 +71,4 @@
             			proxyAbisConfigService.setExpectation(expectation);
-            			return new ResponseEntity<>("Successfully inserted expectation " + expectation.getId(), HttpStatus.OK);
+            			String safeExpectationId = StringEscapeUtils.escapeHtml4(expectation.getId());
+            			return new ResponseEntity<>("Successfully inserted expectation " + safeExpectationId, HttpStatus.OK);
             		} catch (Exception exp) {

@@ -68,2 +68,7 @@
             	<dependencies>
+            	<dependency>
+            	<groupId>org.apache.commons</groupId>
+            	<artifactId>commons-text</artifactId>
+            	<version>1.12.0</version>
+            	</dependency>
             		<dependency>

Package	Version	Security advisories
org.apache.commons:commons-text (maven)	1.12.0	None

@@ -1,2 +1,6 @@
-            package io.mosip.proxy.abis.service.impl;
+            package io.mosip.proxy.abis.service.impl;
+            import java.util.Arrays;
+            import java.util.List;
+            import java.net.MalformedURLException;
+            import java.net.URL;
@@ -134,3 +138,3 @@
             			}
-            			cbeffURL = ire.getReferenceURL();
+            			cbeffURL = validateURL(ire.getReferenceURL());
             			InsertEntity ie = new InsertEntity(ire.getId(), ire.getVersion(), ire.getRequestId(), ire.getRequesttime(),
@@ -166,3 +170,27 @@
             		}
-            	}
+            	}
+            	/**
+            	 * Validates the given URL against a list of authorized URLs.
+            	 *
+            	 * @param url the URL to validate
+            	 * @return the validated URL if it is authorized
+            	 * @throws RequestException if the URL is not authorized
+            	 */
+            	private String validateURL(String url) throws RequestException {
+            		List<String> authorizedURLs = Arrays.asList(
+            			"http://example.com/valid1",
+            			"http://example.com/valid2"
+            		);
+            		try {
+            			URL parsedURL = new URL(url);
+            			if (authorizedURLs.contains(parsedURL.toString())) {
+            				return url;
+            			} else {
+            				throw new RequestException(FailureReasonsConstants.UNAUTHORIZED_URL);
+            			}
+            		} catch (MalformedURLException e) {
+            			throw new RequestException(FailureReasonsConstants.INVALID_URL_FORMAT);
+            		}
+            	}

@@ -789,9 +789,13 @@
             			byte[] bytes = uploadedFile.getBytes();
-            			Path path = Paths.get(keystoreFilePath.toString(), uploadedFile.getOriginalFilename());
-            			File keyFile = new File(path.toString());
-            			File parent = keyFile.getParentFile();
-            			if (parent != null && !parent.exists() && !parent.mkdirs()) {
-            				throw new IllegalStateException("Couldn't create dir: " + parent);
-            			}
+            			String originalFilename = uploadedFile.getOriginalFilename();
+            			if (originalFilename.contains("..") || originalFilename.contains("/") || originalFilename.contains("\\")) {
+            				throw new IllegalArgumentException("Invalid filename");
+            			}
+            			Path path = Paths.get(keystoreFilePath.toString(), originalFilename);
+            			File keyFile = new File(path.toString());
+            			File parent = keyFile.getParentFile();
+            			if (parent != null && !parent.exists() && !parent.mkdirs()) {
+            				throw new IllegalStateException("Couldn't create dir: " + parent);
+            			}
             			boolean fileCreated = keyFile.createNewFile();

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[DSD-4199] #329

[DSD-4199] #329

JanardhanBS-SyncByte commented Jan 24, 2024

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

@@ -1,2 +1,3 @@
             package io.mosip.mock.mv.controller;
+            import org.springframework.web.util.HtmlUtils;
@@ -136,3 +137,4 @@
             			mockMvDecisionService.setExpectation(expectation);
-            			return new ResponseEntity<>("Successfully inserted expectation " + expectation.getRId(), HttpStatus.OK);
+            			String escapedRId = HtmlUtils.htmlEscape(expectation.getRId());
+            			return new ResponseEntity<>("Successfully inserted expectation " + escapedRId, HttpStatus.OK);
             		} catch (Exception exp) {

@@ -32,2 +32,3 @@
             import jakarta.validation.Valid;
+            import org.apache.commons.text.StringEscapeUtils;
@@ -184,3 +185,3 @@
             			else {
-            				return new ResponseEntity<>("No expectation set for given rid:" + rid, HttpStatus.OK);
+            				return new ResponseEntity<>("No expectation set for given rid:" + StringEscapeUtils.escapeHtml4(rid), HttpStatus.OK);
             			}

[DSD-4199] #329

Are you sure you want to change the base?

[DSD-4199] #329

Conversation

JanardhanBS-SyncByte commented Jan 24, 2024