
Commit e61bd46

committed
fix sonar vulnerabilities
1 parent d1c9126 commit e61bd46

3 files changed

Lines changed: 59 additions & 24 deletions


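--- a/knowage-api/src/main/java/it/eng/knowage/logmanager/resource/LogsResource.java
+++ b/knowage-api/src/main/java/it/eng/knowage/logmanager/resource/LogsResource.java
@@ -83,12 +83,7 @@ public List<LogFileDTO> getLogs(@PathParam("folder") String folder) throws Knowa
 SpagoBIUserProfile profile = businessContext.getUserProfile();
 try {
 LOGGER.debug("getLogs raw folder: " + folder);
-if (folder == null) {
-folder = "";
-} else {
-folder = URLDecoder.decode(folder, StandardCharsets.UTF_8.name());
-folder = folder.replaceAll("^/+", "").replaceAll("/+$", "");
-}
+folder = getFileName(folder);
 
 List<LogFileDTO> result = logManagerAPIservice.getListOfLogs(folder, profile);
 
@@ -121,19 +116,9 @@ public String viewLog(@PathParam("folder") String folder, @PathParam("fileName")
 try {
 LOGGER.debug("viewLog raw folder: " + folder + ", raw log name: " + fileName);
 
-if (folder == null){
-folder = "";
-} else {
-folder = URLDecoder.decode(folder, StandardCharsets.UTF_8.name());
-folder = folder.replaceAll("^/+", "").replaceAll("/+$", "");
-}
+folder = getFileName(folder);
 
-if (fileName == null) {
-fileName = "";
-} else {
-fileName = URLDecoder.decode(fileName, StandardCharsets.UTF_8.name());
-fileName = fileName.replaceAll("^/+", "").replaceAll("/+$", "");
-}
+fileName = getFileName(fileName);
 
 combined = folder.isEmpty() ? fileName : folder + "/" + fileName;
 return logManagerAPIservice.getLogContent(combined, profile);
@@ -143,11 +128,25 @@ public String viewLog(@PathParam("folder") String folder, @PathParam("fileName")
 }
 }
 
+private String getFileName(String fileName) {
+if (fileName == null) {
+fileName = "";
+} else {
+fileName = URLDecoder.decode(fileName, StandardCharsets.UTF_8);
+int start = 0;
+int end = fileName.length();
+while (start < end && fileName.charAt(start) == '/') start++;
+while (end > start && fileName.charAt(end - 1) == '/') end--;
+fileName = fileName.substring(start, end);
+}
+return fileName;
+}
+
 // List files in the root folder (workDir).
 @GET
 @Path("/root")
 @Produces(MediaType.APPLICATION_JSON)
-public List<LogFileDTO> getRootLogs() throws KnowageBusinessException {
+public List<LogFileDTO> getRootLogs() {
 SpagoBIUserProfile profile = businessContext.getUserProfile();
 try {
 return logManagerAPIservice.getListOfLogs("", profile);
@@ -186,7 +185,7 @@ public Response downloadLogs(@Valid DownloadLogFilesDTO dto, @Context HttpServle
 }
 
 SpagoBIUserProfile profile = businessContext.getUserProfile();
-java.nio.file.Path zipPath = null;
+java.nio.file.Path zipPath;
 try {
 // Service returns a path to a temp zip, service must ensure log files are permitted.
 zipPath = logManagerAPIservice.getDownloadLogFilePath(dto.getSelectedLogsNames(), profile);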
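Review bot: The new helper `getFileName` (new lines 131-143) has no Javadoc and a name that promises more than it does: it URL-decodes and trims leading/trailing `/` but keeps `..` segments and inner separators, and `viewLog` then joins its output into `combined` with no further check, so confinement to the log directory rests entirely on `logManagerAPIservice` (as the comment in `downloadLogs` already states for the zip path). Suggest a Javadoc on the helper, `/** URL-decodes a path component (null becomes "") and strips leading/trailing '/'. Does not validate segments; the service must confine the resulting path to the log directory. */`, and a name such as `decodeAndTrimSlashes` that matches its use for both folder and file name. The `URLDecoder.decode(String, Charset)` overload replaces the `.name()` form and needs Java 10 or later; if the build still targets an older release the checked-exception form must stay. `getLogs`, `viewLog` and `downloadLogs` all continue outside their hunks.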

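--- a/knowage-api/src/main/java/it/eng/knowage/logmanager/service/impl/LogManagerAPIImpl.java
+++ b/knowage-api/src/main/java/it/eng/knowage/logmanager/service/impl/LogManagerAPIImpl.java
@@ -9,6 +9,7 @@
 import it.eng.knowage.logmanager.service.LogManagerAPI;
 import it.eng.spagobi.services.security.SpagoBIUserProfile;
 import org.apache.commons.io.FileUtils;
+import org.apache.commons.lang3.SystemUtils;
 import org.apache.log4j.Logger;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
@@ -17,6 +18,9 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
+import java.nio.file.attribute.FileAttribute;
+import java.nio.file.attribute.PosixFilePermission;
+import java.nio.file.attribute.PosixFilePermissions;
 import java.util.*;
 import java.util.function.Predicate;
 import java.util.stream.Stream;
@@ -267,8 +271,25 @@ public Path getTotalPath(String path, SpagoBIUserProfile profile) throws IOExcep
 public Path createZipFileOfLogs(List<String> fullPaths, SpagoBIUserProfile profile) {
 
 try {
-Path tempDirectory = Files.createTempDirectory("knowage-zip");
-Path tempLog = Files.createTempFile("knowage-zip", ".zip");
+Path tempDirectory;
+Path tempLog;
+
+if (SystemUtils.IS_OS_UNIX) {
+FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
+tempDirectory = Files.createTempDirectory("knowage-logmanager-", attr);
+tempLog = Files.createTempFile("knowage-logmanager-", ".zip", attr);
+} else {
+File directory = Files.createTempDirectory("knowage-logmanager-").toFile();
+File file = Files.createTempFile("knowage-logmanager-", ".zip").toFile();
+directory.setReadable(true);
+directory.setWritable(true);
+directory.setExecutable(true);
+file.setReadable(true);
+file.setWritable(true);
+file.setExecutable(true);
+tempDirectory = directory.toPath();
+tempLog = file.toPath();
+}
 
 Path workDir = getWorkDirectory(profile).normalize();
 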
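Review bot: The non-UNIX branch of createZipFileOfLogs (new lines 282-291) does not restrict anything: `File.setReadable(true)` and its siblings only add the owner bit and leave group/other permissions as they were, and their boolean results are discarded, so a failed call is silent; DashboardExcelExporter.getScheduledBinaryData (new lines 93-98) has the same gap, and its comment overstates what `setReadable(true, true)` does. Revoking for everyone first (`setX(false, false)`) and then granting to the owner is the form that actually narrows access, with the results kept and reported rather than dropped; on Windows java.io.File can only toggle the write flag, so this stays best-effort there and the per-user temp directory is the real boundary. Separately, `rwx------` is applied to the zip file as well as the directory (new line 280); a data file needs no execute bit, so `rw-------` is enough for it. The enclosing method continues past the hunk.
```java
if (SystemUtils.IS_OS_UNIX) {
    // the zip is data, not a program: no execute bit on the file
    FileAttribute<Set<PosixFilePermission>> dirAttr = PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
    FileAttribute<Set<PosixFilePermission>> fileAttr = PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
    tempDirectory = Files.createTempDirectory("knowage-logmanager-", dirAttr);
    tempLog = Files.createTempFile("knowage-logmanager-", ".zip", fileAttr);
} else {
    File directory = Files.createTempDirectory("knowage-logmanager-").toFile();
    File file = Files.createTempFile("knowage-logmanager-", ".zip").toFile();
    // setX(true) only adds the owner bit: revoke for everyone first, then grant to the owner.
    // Non-short-circuit '&' so every call runs and a single failure is still visible.
    boolean restricted = directory.setReadable(false, false) & directory.setReadable(true, true)
            & directory.setWritable(false, false) & directory.setWritable(true, true)
            & directory.setExecutable(false, false) & directory.setExecutable(true, true)
            & file.setReadable(false, false) & file.setReadable(true, true)
            & file.setWritable(false, false) & file.setWritable(true, true);
    if (!restricted) {
        // TODO: report through this class's logger (field not visible in the hunk);
        // on Windows only the write flag is settable via java.io.File, so treat as best-effort there
    }
    tempDirectory = directory.toPath();
    tempLog = file.toPath();
}
// … unchanged: workDir resolution and the rest of the method …
```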

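--- a/knowage-export/src/main/java/it/eng/knowage/engine/api/export/dashboard/excel/DashboardExcelExporter.java
+++ b/knowage-export/src/main/java/it/eng/knowage/engine/api/export/dashboard/excel/DashboardExcelExporter.java
@@ -11,6 +11,7 @@
 import lombok.Getter;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.SystemUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.apache.poi.ss.usermodel.*;
@@ -31,6 +32,9 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
+import java.nio.file.attribute.FileAttribute;
+import java.nio.file.attribute.PosixFilePermission;
+import java.nio.file.attribute.PosixFilePermissions;
 import java.text.DateFormat;
 import java.text.SimpleDateFormat;
 import java.util.*;
@@ -80,8 +84,19 @@ public DashboardExcelExporter(JSONObject body, String role, String requestUrl, S
 
 public byte[] getScheduledBinaryData(String documentLabel) throws IOException, InterruptedException {
 try {
-final Path outputDir = Files.createTempDirectory("knowage-xls-exporter-");
-
+Path outputDir;
+if (SystemUtils.IS_OS_UNIX) {
+FileAttribute<Set<PosixFilePermission>> attr =
+PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
+outputDir = Files.createTempDirectory("knowage-xls-exporter-", attr);
+} else {
+File dir = Files.createTempDirectory("knowage-xls-exporter-").toFile();
+// try to restrict to owner where supported; second param ensures owner-only on platforms honoring it
+dir.setReadable(true, true);
+dir.setWritable(true, true);
+dir.setExecutable(true, true);
+outputDir = dir.toPath();
+}
 String encodedUserId = Base64.encodeBase64String(getUserUniqueIdentifier().getBytes(UTF_8));
 // Script
 String cockpitExportScriptPath = SingletonConfig.getInstance()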
