Add the policy file extension validation for the rest apis #11162

Closed
Expand Up @@ -2871,14 +2871,20 @@ public enum ConfigType {
public static final String OPERATION_SEQUENCE_TYPE_FAULT = "fault";
public static final String SYNAPSE_POLICY_DEFINITION_EXTENSION = ".j2";
public static final String CC_POLICY_DEFINITION_EXTENSION = ".gotmpl";
public static final String YAML_CONTENT_TYPE = "text/yaml";
public static final String COMMON_OPERATION_POLICY_SPECIFICATIONS_LOCATION = "repository" + File.separator
+ "resources" + File.separator + "operation_policies" + File.separator + "specifications";
public static final String COMMON_OPERATION_POLICY_DEFINITIONS_LOCATION = "repository" + File.separator
+ "resources" + File.separator + "operation_policies" + File.separator + "definitions";
public static final String OPERATION_POLICY_SUPPORTED_GATEWAY_SYNAPSE = "Synapse";
public static final String OPERATION_POLICY_SUPPORTED_API_TYPE_HTTP = "HTTP";
public static final String DEFAULT_POLICY_VERSION = "v1";
public static final Set<String> ALLOWED_POLICY_SPEC_EXTENSIONS = new HashSet<String>(
Arrays.asList("json", "yaml"));
public static final Set<String> ALLOWED_SYNAPSE_POLICY_DEFINITION_EXTENSIONS = new HashSet<String>(
Arrays.asList("xml", "j2"));
public static final Set<String> ALLOWED_CC_POLICY_DEFINITION_EXTENSIONS = new HashSet<String>(
Arrays.asList("gotmpl"));
public static final String YAML_FILE_EXTENSION_TYPE = "yaml";


public static final String WSO2_GATEWAY_ENVIRONMENT = "wso2";
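Review bot: The three `ALLOWED_*_EXTENSIONS` sets are plain `HashSet`s behind `public static final` references, so any code in the JVM can add to or clear the upload allow-list at runtime. Wrapping each one, e.g. `Collections.unmodifiableSet(new HashSet<>(Arrays.asList("json", "yaml")))`, keeps the list fixed after class initialisation. The entries are lower-case only and `yml` is not listed, so it is worth deciding here whether `policy.YAML` or `policy.yml` should be accepted and recording that in a comment above the constants. The enclosing class starts and ends outside this hunk.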
Expand Up @@ -51,9 +51,7 @@
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.json.JSONArray;
import org.json.JSONException;
import org.json.JSONTokener;
import org.json.XML;
import org.json.simple.JSONObject;
import org.json.simple.parser.JSONParser;
import org.json.simple.parser.ParseException;
Expand Down Expand Up @@ -86,7 +84,6 @@
import org.wso2.carbon.apimgt.api.model.Documentation;
import org.wso2.carbon.apimgt.api.model.DocumentationContent;
import org.wso2.carbon.apimgt.api.model.Environment;
import org.wso2.carbon.apimgt.api.model.Mediation;
import org.wso2.carbon.apimgt.api.model.Monetization;
import org.wso2.carbon.apimgt.api.model.OperationPolicyData;
import org.wso2.carbon.apimgt.api.model.OperationPolicyDefinition;
Expand Down Expand Up @@ -2331,33 +2328,39 @@ public Response addAPISpecificOperationPolicy(String apiId, InputStream policySp

//validate if api exists
validateAPIExistence(apiId);
String jsonContent = "";
OperationPolicyDefinition synapseDefinition = null;
OperationPolicyDefinition ccPolicyDefinition = null;
OperationPolicySpecification policySpecification;
if (policySpecFileInputStream != null) {
jsonContent = RestApiPublisherUtils.readInputStream(policySpecFileInputStream, policySpecFileDetail);

String fileName = policySpecFileDetail.getDataHandler().getName();
String fileContentType = URLConnection.guessContentTypeFromName(fileName);
if (org.apache.commons.lang3.StringUtils.isBlank(fileContentType)) {
fileContentType = policySpecFileDetail.getContentType().toString();
String specFileName = policySpecFileDetail.getDataHandler().getName();
String specExtension = FilenameUtils.getExtension(specFileName);
if (!APIConstants.ALLOWED_POLICY_SPEC_EXTENSIONS.contains(specExtension)) {
RestApiUtil.handleBadRequest("Unsupported Policy specification File Extension. " +
"Supported extensions are " +
APIConstants.ALLOWED_POLICY_SPEC_EXTENSIONS.toArray().toString(), log);
}
if (APIConstants.YAML_CONTENT_TYPE.equals(fileContentType)) {
jsonContent = CommonUtil.yamlToJson(jsonContent);
String policySpecContent = RestApiPublisherUtils.readInputStream(policySpecFileInputStream);
if (APIConstants.YAML_FILE_EXTENSION_TYPE.equals(specExtension)) {
policySpecContent = CommonUtil.yamlToJson(policySpecContent);
}

policySpecification = APIUtil.getValidatedOperationPolicySpecification(jsonContent);
policySpecification = APIUtil.getValidatedOperationPolicySpecification(policySpecContent);

OperationPolicyData operationPolicyData = new OperationPolicyData();
operationPolicyData.setOrganization(organization);
operationPolicyData.setApiUUID(apiId);
operationPolicyData.setSpecification(policySpecification);

if (synapsePolicyDefinitionFileInputStream != null) {
String synapseDefFileName = synapsePolicyDefinitionFileDetail.getDataHandler().getName();
String synapseDefExtension = FilenameUtils.getExtension(synapseDefFileName);
if (!APIConstants.ALLOWED_SYNAPSE_POLICY_DEFINITION_EXTENSIONS.contains(synapseDefExtension)) {
RestApiUtil.handleBadRequest("Unsupported Synapse Policy Definition File Extension. " +
"Supported extensions are " +
APIConstants.ALLOWED_SYNAPSE_POLICY_DEFINITION_EXTENSIONS.toArray().toString(), log);
}
String synapsePolicyDefinition =
RestApiPublisherUtils.readInputStream(synapsePolicyDefinitionFileInputStream,
synapsePolicyDefinitionFileDetail);
RestApiPublisherUtils.readInputStream(synapsePolicyDefinitionFileInputStream);
synapseDefinition = new OperationPolicyDefinition();
synapseDefinition.setContent(synapsePolicyDefinition);
synapseDefinition.setGatewayType(OperationPolicyDefinition.GatewayType.Synapse);
Expand All @@ -2366,8 +2369,15 @@ public Response addAPISpecificOperationPolicy(String apiId, InputStream policySp
}

if (ccPolicyDefinitionFileInputStream != null) {
String ccDefFileName = ccPolicyDefinitionFileDetail.getDataHandler().getName();
String ccDefExtension = FilenameUtils.getExtension(ccDefFileName);
if (!APIConstants.ALLOWED_CC_POLICY_DEFINITION_EXTENSIONS.contains(ccDefExtension)) {
RestApiUtil.handleBadRequest("Unsupported Choreo Connect Policy Definition File Extension. " +
"Supported extensions are " +
APIConstants.ALLOWED_CC_POLICY_DEFINITION_EXTENSIONS.toArray().toString(), log);
}
String choreoConnectPolicyDefinition = RestApiPublisherUtils
.readInputStream(ccPolicyDefinitionFileInputStream, ccPolicyDefinitionFileDetail);
.readInputStream(ccPolicyDefinitionFileInputStream);
ccPolicyDefinition = new OperationPolicyDefinition();
ccPolicyDefinition.setContent(choreoConnectPolicyDefinition);
ccPolicyDefinition.setGatewayType(OperationPolicyDefinition.GatewayType.ChoreoConnect);
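Review bot: The rejection message in the three new extension checks is built with `ALLOWED_..._EXTENSIONS.toArray().toString()`, which prints the array's identity string (of the form `[Ljava.lang.Object;@…`) rather than the extensions, so the caller is never told what is accepted. `String.join(", ", APIConstants.ALLOWED_POLICY_SPEC_EXTENSIONS)` gives the intended text; the same applies to the Synapse and Choreo Connect checks here and to the three checks in `addCommonOperationPolicy`. The checks also rely on `RestApiUtil.handleBadRequest` throwing to stop processing, which is presumably the case but is not visible in these lines. `addAPISpecificOperationPolicy` begins and continues outside the hunks shown.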
Expand Up @@ -18,6 +18,8 @@

package org.wso2.carbon.apimgt.rest.api.publisher.v1.impl;

import org.apache.commons.io.FilenameUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.cxf.jaxrs.ext.MessageContext;
Expand All @@ -44,7 +46,6 @@
import java.io.File;
import java.io.InputStream;
import java.net.URI;
import java.net.URLConnection;
import java.util.List;

import javax.ws.rs.core.Response;
Expand Down Expand Up @@ -81,27 +82,34 @@ public Response addCommonOperationPolicy(InputStream policySpecFileInputStream,
String organization = RestApiUtil.getValidatedOrganization(messageContext);

if (policySpecFileInputStream != null) {
String jsonContent = "";
jsonContent = RestApiPublisherUtils.readInputStream(policySpecFileInputStream, policySpecFileDetail);

String fileName = policySpecFileDetail.getDataHandler().getName();
String fileContentType = URLConnection.guessContentTypeFromName(fileName);
if (org.apache.commons.lang3.StringUtils.isBlank(fileContentType)) {
fileContentType = policySpecFileDetail.getContentType().toString();
String specFileName = policySpecFileDetail.getDataHandler().getName();
String specExtension = FilenameUtils.getExtension(specFileName);
if (!APIConstants.ALLOWED_POLICY_SPEC_EXTENSIONS.contains(specExtension)) {
RestApiUtil.handleBadRequest("Unsupported Policy specification File Extension. " +
"Supported extensions are " +
APIConstants.ALLOWED_POLICY_SPEC_EXTENSIONS.toArray().toString(), log);
}
if (APIConstants.YAML_CONTENT_TYPE.equals(fileContentType)) {
jsonContent = CommonUtil.yamlToJson(jsonContent);

String policySpecContent = RestApiPublisherUtils.readInputStream(policySpecFileInputStream);
if (APIConstants.YAML_FILE_EXTENSION_TYPE.equals(specExtension)) {
policySpecContent = CommonUtil.yamlToJson(policySpecContent);
}
policySpecification = APIUtil.getValidatedOperationPolicySpecification(jsonContent);
policySpecification = APIUtil.getValidatedOperationPolicySpecification(policySpecContent);

OperationPolicyData operationPolicyData = new OperationPolicyData();
operationPolicyData.setOrganization(organization);
operationPolicyData.setSpecification(policySpecification);

if (synapsePolicyDefinitionFileInputStream != null) {
String synapseDefFileName = synapsePolicyDefinitionFileDetail.getDataHandler().getName();
String synapseDefExtension = FilenameUtils.getExtension(synapseDefFileName);
if (!APIConstants.ALLOWED_SYNAPSE_POLICY_DEFINITION_EXTENSIONS.contains(synapseDefExtension)) {
RestApiUtil.handleBadRequest("Unsupported Synapse Policy Definition File Extension. " +
"Supported extensions are " +
APIConstants.ALLOWED_SYNAPSE_POLICY_DEFINITION_EXTENSIONS.toArray().toString(), log);
}
String synapsePolicyDefinition =
RestApiPublisherUtils.readInputStream(synapsePolicyDefinitionFileInputStream,
synapsePolicyDefinitionFileDetail);
RestApiPublisherUtils.readInputStream(synapsePolicyDefinitionFileInputStream);
synapseDefinition = new OperationPolicyDefinition();
synapseDefinition.setContent(synapsePolicyDefinition);
synapseDefinition.setGatewayType(OperationPolicyDefinition.GatewayType.Synapse);
Expand All @@ -110,8 +118,15 @@ public Response addCommonOperationPolicy(InputStream policySpecFileInputStream,
}

if (ccPolicyDefinitionFileInputStream != null) {
String ccDefFileName = ccPolicyDefinitionFileDetail.getDataHandler().getName();
String ccDefExtension = FilenameUtils.getExtension(ccDefFileName);
if (!APIConstants.ALLOWED_CC_POLICY_DEFINITION_EXTENSIONS.contains(ccDefExtension)) {
RestApiUtil.handleBadRequest("Unsupported Choreo Connect Policy Definition File Extension. " +
"Supported extensions are " +
APIConstants.ALLOWED_CC_POLICY_DEFINITION_EXTENSIONS.toArray().toString(), log);
}
String choreoConnectPolicyDefinition = RestApiPublisherUtils
.readInputStream(ccPolicyDefinitionFileInputStream, ccPolicyDefinitionFileDetail);
.readInputStream(ccPolicyDefinitionFileInputStream);
ccPolicyDefinition = new OperationPolicyDefinition();
ccPolicyDefinition.setContent(choreoConnectPolicyDefinition);
ccPolicyDefinition.setGatewayType(OperationPolicyDefinition.GatewayType.ChoreoConnect);
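Review bot: The extension is taken from the attachment's client-supplied file name (`getDataHandler().getName()`) and compared case-sensitively, so the check constrains how the upload is named, not what it contains. The spec still passes through `getValidatedOperationPolicySpecification`, but in the visible lines the Synapse and Choreo Connect definition bodies go to `setContent` unchanged, and the YAML-to-JSON conversion is now chosen by extension alone. Normalising with `String specExtension = StringUtils.lowerCase(FilenameUtils.getExtension(specFileName));` is null-safe and would accept `policy.YAML`. A comment such as `// Naming check only; definition content is not validated here` above each check would keep it from being read as content validation. The same pattern appears in `addAPISpecificOperationPolicy`, and the method body continues outside these hunks.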
Expand Up @@ -18,6 +18,7 @@
package org.wso2.carbon.apimgt.rest.api.publisher.v1.utils;

import org.apache.commons.io.FileUtils;
import org.apache.commons.io.FilenameUtils;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.commons.lang3.StringUtils;
Expand Down Expand Up @@ -233,17 +234,10 @@ public static String getSOAPOperation() {
* @return String
* @throws IOException
* */
public static String readInputStream (InputStream fileInputStream, Attachment fileDetail) throws IOException {
public static String readInputStream (InputStream fileInputStream) throws IOException {

String content = null;
if (fileInputStream != null) {
String fileName = fileDetail.getDataHandler().getName();

String fileContentType = URLConnection.guessContentTypeFromName(fileName);

if (org.apache.commons.lang3.StringUtils.isBlank(fileContentType)) {
fileContentType = fileDetail.getContentType().toString();
}
ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
IOUtils.copy(fileInputStream, outputStream);
byte[] sequenceBytes = outputStream.toByteArray();
Expand All @@ -253,16 +247,6 @@ public static String readInputStream (InputStream fileInputStream, Attachment fi
return content;
}

public static String getContentType(Attachment fileDetail) {
String fileName = fileDetail.getDataHandler().getName();
String fileContentType = URLConnection.guessContentTypeFromName(fileName);

if (org.apache.commons.lang3.StringUtils.isBlank(fileContentType)) {
fileContentType = fileDetail.getContentType().toString();
}
return fileContentType;
}

public static File exportOperationPolicyData(OperationPolicyData policyData)
throws APIManagementException {
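Review bot: `readInputStream` still copies the whole upload into a `ByteArrayOutputStream` with `IOUtils.copy` and no size limit, and the extension checks added by this change do nothing to bound it. Unless the multipart layer already caps attachment size (not visible here), a bounded copy such as `IOUtils.copyLarge(fileInputStream, outputStream, 0, MAX_POLICY_FILE_BYTES)`, followed by a check that the stream is exhausted, would stop a single request from exhausting the heap. `MAX_POLICY_FILE_BYTES` is a placeholder name, not an existing constant. The Javadoc above the method should drop any `@param` for the removed `fileDetail` argument, and the newly added `FilenameUtils` import looks unused in the lines shown. Part of the method body lies outside the hunk.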
