Validates name, profile and path

Author: spencergibb

spring-cloud-config-server/src/main/java/org/springframework/cloud/config/server/encryption/EncryptionController.java

@@ -26,6 +26,7 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
+import org.springframework.cloud.config.server.environment.InvalidEnvironmentRequestException;
 import org.springframework.cloud.context.encrypt.KeyFormatException;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
@@ -43,6 +44,9 @@
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
+import static org.springframework.cloud.config.server.support.PathUtils.isInvalidEncodedLocation;
+import static org.springframework.cloud.config.server.support.PathUtils.isInvalidProfiles;
+
 /**
  * @author Dave Syer
  * @author Tim Ysewyn
@@ -144,6 +148,13 @@ public String decrypt(@PathVariable String name, @PathVariable String profiles,
 	}
 
 	private TextEncryptor getEncryptor(String name, String profiles, String data) {
+		if (isInvalidEncodedLocation(name)) {
+			throw new InvalidEnvironmentRequestException("Invalid request");
+		}
+		if (isInvalidProfiles(profiles)) {
+			throw new InvalidEnvironmentRequestException("Invalid request");
+		}
+
 		if (encryptorLocator == null) {
 			if (logger.isDebugEnabled()) {
 				logger.debug("Text encryptorLocator is null.");

spring-cloud-config-server/src/main/java/org/springframework/cloud/config/server/environment/EnvironmentController.java

@@ -51,6 +51,7 @@
 import static org.springframework.cloud.config.server.support.EnvironmentPropertySource.prepareEnvironment;
 import static org.springframework.cloud.config.server.support.EnvironmentPropertySource.resolvePlaceholders;
 import static org.springframework.cloud.config.server.support.PathUtils.isInvalidEncodedLocation;
+import static org.springframework.cloud.config.server.support.PathUtils.isInvalidProfiles;
 
 /**
  * @author Dave Syer
@@ -131,7 +132,7 @@ public Environment getEnvironment(String name, String profiles, String label, bo
 		try {
 			name = normalize(name);
 			label = normalize(label);
-			if (isInvalidEncodedLocation(profiles)) {
+			if (isInvalidProfiles(profiles)) {
 				throw new InvalidEnvironmentRequestException("Invalid request");
 			}
 			Environment environment = this.repository.findOne(name, profiles, label, includeOrigin);

spring-cloud-config-server/src/main/java/org/springframework/cloud/config/server/resource/ResourceController.java

@@ -50,6 +50,7 @@
 import static org.springframework.cloud.config.server.support.EnvironmentPropertySource.prepareEnvironment;
 import static org.springframework.cloud.config.server.support.EnvironmentPropertySource.resolvePlaceholders;
 import static org.springframework.cloud.config.server.support.PathUtils.isInvalidEncodedLocation;
+import static org.springframework.cloud.config.server.support.PathUtils.isInvalidProfiles;
 
 /**
  * An HTTP endpoint for serving up templated plain text resources from an underlying
@@ -144,9 +145,10 @@ synchronized String retrieve(ServletWebRequest request, String name, String prof
 			boolean resolvePlaceholders, String acceptedCharset) throws IOException {
 		name = normalize(name);
 		label = normalize(label);
-		if (isInvalidEncodedLocation(profile)) {
+		if (isInvalidProfiles(profile)) {
 			throw new InvalidEnvironmentRequestException("Invalid request");
 		}
+		path = normalize(path);
 		Resource resource = this.resourceRepository.findOne(name, profile, label, path);
 		if (checkNotModified(request, resource)) {
 			// Content was not modified. Just return.
@@ -225,9 +227,10 @@ private synchronized byte[] binary(ServletWebRequest request, String name, Strin
 			String path) throws IOException {
 		name = normalize(name);
 		label = normalize(label);
-		if (isInvalidEncodedLocation(profile)) {
+		if (isInvalidProfiles(profile)) {
 			throw new InvalidEnvironmentRequestException("Invalid request");
 		}
+		path = normalize(path);
 		Resource resource = this.resourceRepository.findOne(name, profile, label, path);
 		if (checkNotModified(request, resource)) {
 			// Content was not modified. Just return.

spring-cloud-config-server/src/main/java/org/springframework/cloud/config/server/support/PathUtils.java

@@ -20,14 +20,20 @@
 import java.net.URLDecoder;
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
+import java.util.Arrays;
+import java.util.Collection;
 import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
+import org.springframework.cloud.config.environment.Environment;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.core.io.Resource;
 import org.springframework.core.io.UrlResource;
+import org.springframework.util.Assert;
 import org.springframework.util.ObjectUtils;
 import org.springframework.util.ResourceUtils;
 import org.springframework.util.StringUtils;
@@ -36,9 +42,53 @@ public abstract class PathUtils {
 
 	private static final Log logger = LogFactory.getLog(PathUtils.class);
 
+	private static final String PROFILE_ALLOWED_CHARS = "-_.+@";
+
 	private PathUtils() {
 	}
 
+	public static boolean isInvalidProfiles(String profiles) {
+		if (ObjectUtils.isEmpty(profiles)) {
+			return false;
+		}
+		try {
+			if (profiles.contains(",")) {
+				validateProfile(StringUtils.commaDelimitedListToSet(profiles));
+			}
+			else {
+				validateProfile(profiles);
+			}
+		}
+		catch (IllegalStateException ex) {
+			return true;
+		}
+		return isInvalidEncodedLocation(profiles);
+	}
+
+	private static void validateProfile(Object value) {
+		if (value instanceof Collection<?> list) {
+			list.forEach(PathUtils::validateProfile);
+			return;
+		}
+		if (value instanceof Map<?, ?> map) {
+			map.forEach((k, v) -> validateProfile(v));
+			return;
+		}
+		String profile = (value != null) ? value.toString() : null;
+		Assert.state(StringUtils.hasText(profile), "Invalid empty profile");
+		for (int i = 0; i < profile.length(); i++) {
+			int codePoint = profile.codePointAt(i);
+			boolean isAllowedChar = PROFILE_ALLOWED_CHARS.indexOf(codePoint) != -1;
+			Assert.state(isAllowedChar || Character.isLetterOrDigit(codePoint),
+					() -> "Profile '%s' must contain a letter, digit or allowed char (%s)".formatted(profile,
+							Arrays.stream(PROFILE_ALLOWED_CHARS.split(""))
+								.collect(Collectors.joining("', '", "'", "'"))));
+			Assert.state((i > 0 && i < profile.length() - 1) || Character.isLetterOrDigit(codePoint),
+					() -> "Profile '%s' must start and end with a letter or digit".formatted(profile));
+		}
+
+	}
+
 	/**
 	 * Check whether the given location contains invalid escape sequences.
 	 * @param location the location to validate
@@ -80,6 +130,13 @@ private static boolean isInvalidLocation(String location) {
 				logger.warn("Location contains \"#\"");
 			}
 		}
+		if (!isInvalid) {
+			// locations can't start with slash
+			isInvalid = location.startsWith(Environment.SLASH_PLACEHOLDER);
+			if (isInvalid && logger.isWarnEnabled()) {
+				logger.warn("Location starts with \"/\"");
+			}
+		}
 
 		return isInvalid;
 	}

spring-cloud-config-server/src/test/java/org/springframework/cloud/config/server/encryption/EncryptionControllerTests.java

@@ -21,12 +21,14 @@
 import org.junit.jupiter.api.Test;
 import org.mockito.ArgumentCaptor;
 
+import org.springframework.cloud.config.server.environment.InvalidEnvironmentRequestException;
 import org.springframework.http.MediaType;
 import org.springframework.security.crypto.encrypt.Encryptors;
 import org.springframework.security.crypto.encrypt.RsaSecretEncryptor;
 import org.springframework.security.crypto.encrypt.TextEncryptor;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.assertj.core.api.AssertionsForClassTypes.assertThatExceptionOfType;
 import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.Mockito.atLeastOnce;
@@ -158,4 +160,52 @@ public TextEncryptor locate(Map<String, String> keys) {
 		assertThat(decrypt).as("Wrong decrypted plaintext: " + decrypt).isEqualTo("foo bar");
 	}
 
+	@Test
+	public void getPublicKeyNameWithDotDot() {
+		this.controller = new EncryptionController(new SingleTextEncryptorLocator(new RsaSecretEncryptor()));
+		assertThatThrownBy(() -> this.controller.getPublicKey("../app", "default"))
+			.isInstanceOf(InvalidEnvironmentRequestException.class)
+			.hasMessageContaining("Invalid request");
+	}
+
+	@Test
+	public void getPublicKeyProfilesWithDotDot() {
+		this.controller = new EncryptionController(new SingleTextEncryptorLocator(new RsaSecretEncryptor()));
+		assertThatThrownBy(() -> this.controller.getPublicKey("app", "../default"))
+			.isInstanceOf(InvalidEnvironmentRequestException.class)
+			.hasMessageContaining("Invalid request");
+	}
+
+	@Test
+	public void decryptNameWithDotDot() {
+		this.controller = new EncryptionController(new SingleTextEncryptorLocator(new RsaSecretEncryptor()));
+		assertThatThrownBy(() -> this.controller.decrypt("../app", "default", "hello", MediaType.TEXT_PLAIN))
+			.isInstanceOf(InvalidEnvironmentRequestException.class)
+			.hasMessageContaining("Invalid request");
+	}
+
+	@Test
+	public void decryptProfilesWithDotDot() {
+		this.controller = new EncryptionController(new SingleTextEncryptorLocator(new RsaSecretEncryptor()));
+		assertThatThrownBy(() -> this.controller.decrypt("app", "../default", "hello", MediaType.TEXT_PLAIN))
+			.isInstanceOf(InvalidEnvironmentRequestException.class)
+			.hasMessageContaining("Invalid request");
+	}
+
+	@Test
+	public void encryptNameWithDotDot() {
+		this.controller = new EncryptionController(new SingleTextEncryptorLocator(new RsaSecretEncryptor()));
+		assertThatThrownBy(() -> this.controller.encrypt("../app", "default", "hello", MediaType.TEXT_PLAIN))
+			.isInstanceOf(InvalidEnvironmentRequestException.class)
+			.hasMessageContaining("Invalid request");
+	}
+
+	@Test
+	public void encryptProfilesWithDotDot() {
+		this.controller = new EncryptionController(new SingleTextEncryptorLocator(new RsaSecretEncryptor()));
+		assertThatThrownBy(() -> this.controller.encrypt("app", "../default", "hello", MediaType.TEXT_PLAIN))
+			.isInstanceOf(InvalidEnvironmentRequestException.class)
+			.hasMessageContaining("Invalid request");
+	}
+
 }

spring-cloud-config-server/src/test/java/org/springframework/cloud/config/server/environment/EnvironmentControllerTests.java

@@ -524,12 +524,24 @@ private void whenPlaceholdersSystemPropsWithDefault() {
 		when(this.repository.findOne("foo", "bar", null, false)).thenReturn(this.environment);
 	}
 
+	@Test
+	public void nameStartsWithSlash() {
+		assertThatThrownBy(() -> this.controller.labelled("(_)spam", "bar", null))
+			.isInstanceOf(InvalidEnvironmentRequestException.class);
+	}
+
 	@Test
 	public void labelWithPreviousDirectory() {
 		assertThatThrownBy(() -> this.controller.labelled("foo", "bar", "..(_).."))
 			.isInstanceOf(InvalidEnvironmentRequestException.class);
 	}
 
+	@Test
+	public void labelStartsWithSlash() {
+		assertThatThrownBy(() -> this.controller.labelled("foo", "bar", "(_)spam"))
+			.isInstanceOf(InvalidEnvironmentRequestException.class);
+	}
+
 	@Test
 	public void labelWithPreviousDirectoryEncodedParenthesis() {
 		assertThatThrownBy(() -> this.controller.labelled("foo", "bar", "..%28_%29.."))
@@ -564,6 +576,8 @@ public void invalidProfileTests() {
 			.isInstanceOf(InvalidEnvironmentRequestException.class);
 		assertThatThrownBy(() -> this.controller.labelled("application", "bar,%2e%2e,foo", "label"))
 			.isInstanceOf(InvalidEnvironmentRequestException.class);
+		assertThatThrownBy(() -> this.controller.labelled("application", "bar%2Ffoo", "label"))
+			.isInstanceOf(InvalidEnvironmentRequestException.class);
 	}
 
 	abstract class MockMvcTestCases {

spring-cloud-config-server/src/test/java/org/springframework/cloud/config/server/resource/ResourceControllerTests.java

@@ -148,6 +148,14 @@ public void applicationPlaceholderWithSlashNullLabel() throws Exception {
 		assertThat(resource).isEqualToIgnoringNewLines("foo: dev_bar/spam");
 	}
 
+	@Test
+	public void applicationPlaceholderStartsWithSlash() {
+		this.environmentRepository.setSearchLocations("classpath:/test/{label}");
+		assertThatThrownBy(() -> this.controller.retrieve("(_)dev", "bar", null, "foo.txt", true, "UTF-8"))
+			.isInstanceOf(InvalidEnvironmentRequestException.class)
+			.hasMessageContaining("Invalid request");
+	}
+
 	@Test
 	public void labelPlaceholderWithSlash() throws Exception {
 		this.environmentRepository.setSearchLocations("classpath:/test/{label}");
@@ -163,6 +171,22 @@ public void labelPlaceholderWithSlashAndDotDot() {
 			.hasMessageContaining("Invalid request");
 	}
 
+	@Test
+	public void labelPlaceholderStartsWithSlash() {
+		this.environmentRepository.setSearchLocations("classpath:/test/{label}");
+		assertThatThrownBy(() -> this.controller.retrieve("dev", "bar", "(_)spam", "foo.txt", true, "UTF-8"))
+			.isInstanceOf(InvalidEnvironmentRequestException.class)
+			.hasMessageContaining("Invalid request");
+	}
+
+	@Test
+	public void pathWithSlashAndDotDot() {
+		this.environmentRepository.setSearchLocations("classpath:/test/{label}");
+		assertThatThrownBy(() -> this.controller.retrieve("dev", "bar", "dev", "../foo.txt", true, "UTF-8"))
+			.isInstanceOf(InvalidEnvironmentRequestException.class)
+			.hasMessageContaining("Invalid request");
+	}
+
 	@Test
 	public void profilePlaceholderNullLabel() throws Exception {
 		this.environmentRepository.setSearchLocations("classpath:/test/{profile}");
@@ -268,6 +292,14 @@ public void applicationPlaceholderWithSlashForBinaryNullLabel() throws Exception
 		assertThat(new String(resource)).isEqualToIgnoringNewLines("foo: dev_bar/spam");
 	}
 
+	@Test
+	public void applicationPlaceholderStartsWithSlashBinary() {
+		this.environmentRepository.setSearchLocations("classpath:/test/{label}");
+		assertThatThrownBy(() -> this.controller.binary("(_)spam", "bar", null, "foo.txt"))
+			.isInstanceOf(InvalidEnvironmentRequestException.class)
+			.hasMessageContaining("Invalid request");
+	}
+
 	@Test
 	public void labelPlaceholderWithSlashForBinary() throws Exception {
 		this.environmentRepository.setSearchLocations("classpath:/test/{label}");
@@ -283,6 +315,22 @@ public void labelPlaceholderWithSlashForBinaryAndDotDot() throws Exception {
 			.hasMessageContaining("Invalid request");
 	}
 
+	@Test
+	public void labelPlaceholderStartsWithSlashBinary() {
+		this.environmentRepository.setSearchLocations("classpath:/test/{label}");
+		assertThatThrownBy(() -> this.controller.binary("dev", "bar", "(_)spam", "foo.txt"))
+			.isInstanceOf(InvalidEnvironmentRequestException.class)
+			.hasMessageContaining("Invalid request");
+	}
+
+	@Test
+	public void pathWithSlashAndDotDotForBinary() throws Exception {
+		this.environmentRepository.setSearchLocations("classpath:/test/{label}");
+		assertThatThrownBy(() -> this.controller.binary("dev", "bar", "dev", "../foo.txt"))
+			.isInstanceOf(InvalidEnvironmentRequestException.class)
+			.hasMessageContaining("Invalid request");
+	}
+
 	@Test
 	public void profilePlaceholderForBinaryNullLabel() throws Exception {
 		this.environmentRepository.setSearchLocations("classpath:/test/{profile}");
@@ -407,6 +455,11 @@ public void invalidProfileTests() {
 			.isInstanceOf(InvalidEnvironmentRequestException.class);
 		assertThatThrownBy(() -> this.controller.binary("application", "bar,%2e%2e,foo", "label", "template.json"))
 			.isInstanceOf(InvalidEnvironmentRequestException.class);
+		assertThatThrownBy(
+				() -> this.controller.retrieve("application", "bar%2ffoo", "label", "template.json", true, "UTF-8"))
+			.isInstanceOf(InvalidEnvironmentRequestException.class);
+		assertThatThrownBy(() -> this.controller.binary("application", "bar%2ffoo", "label", "template.json"))
+			.isInstanceOf(InvalidEnvironmentRequestException.class);
 	}
 
 }