Knowage 8043

knowage-core/src/main/java/it/eng/spagobi/analiticalmodel/document/service/ManagePreviewFileAction.java

@@ -30,6 +30,7 @@
 import org.json.JSONException;
 import org.json.JSONObject;
 
+import it.eng.knowage.commons.security.PathTraversalChecker;
 import it.eng.spagobi.commons.SingletonConfig;
 import it.eng.spagobi.commons.bo.UserProfile;
 import it.eng.spagobi.commons.services.AbstractSpagoBIAction;
@@ -107,7 +108,7 @@ public void doService() {
 	// checks for path traversal attacks
 	private void checkRequiredFile(String fileName) {
 		File targetDirectory = GeneralUtilities.getPreviewFilesStorageDirectoryPath();
-		FileUtils.checkPathTraversalAttack(fileName, targetDirectory);
+		PathTraversalChecker.get(fileName, targetDirectory.getName());
 	}
 
 	private JSONObject uploadFile() throws Exception {

knowage-core/src/main/java/it/eng/spagobi/api/DossierActivityResource.java

@@ -20,7 +20,6 @@
 import java.io.File;
 import java.io.FileOutputStream;
 import java.nio.file.Files;
-import java.nio.file.Paths;
 import java.text.SimpleDateFormat;
 import java.util.ArrayList;
 import java.util.Calendar;
@@ -131,16 +130,15 @@ public Response getresourcePath(@QueryParam("templateName") String fileName, @Qu
 		String separator = File.separator;
 		if (fileName.endsWith("?"))
 			fileName = fileName.substring(0, fileName.length() - 1);
-
-		java.nio.file.Path outputPath = Paths.get(SpagoBIUtilities.getResourcePath(), "dossier", String.valueOf(documentId), fileName);
-		File file = outputPath.toFile();
+		String safeDirectory = SpagoBIUtilities.getResourcePath() + separator + "dossier" + separator + documentId;
+		PathTraversalChecker.get(safeDirectory, fileName);
+		String outPath = safeDirectory + separator + fileName;
 		ResponseBuilder responseBuilder = null;
-
+		File file = new File(outPath);
 		JSONObject response = new JSONObject();
 		File dossierDir = new File(SpagoBIUtilities.getResourcePath() + separator + "dossier" + separator + documentId + separator);
 		try {
-			PathTraversalChecker.isValidFileName(fileName);
-			PathTraversalChecker.preventPathTraversalAttack(file, dossierDir);
+			PathTraversalChecker.get(fileName, dossierDir.getName());
 			byte[] bytes = Files.readAllBytes(file.toPath());
 			responseBuilder = Response.ok(bytes);
 			responseBuilder.header("Content-Disposition", "attachment; filename=" + fileName);
@@ -171,8 +169,7 @@ public Response checkPathFile(@QueryParam("templateName") String fileName, @Quer
 		File dossierDir = new File(SpagoBIUtilities.getResourcePath() + separator + "dossier" + separator + documentId + separator);
 		JSONObject response = new JSONObject();
 		try {
-			PathTraversalChecker.isValidFileName(fileName);
-			PathTraversalChecker.preventPathTraversalAttack(file, dossierDir);
+			PathTraversalChecker.get(fileName, dossierDir.getName());
 			Files.readAllBytes(file.toPath());
 			response.put("STATUS", "OK");
 		} catch (Exception e) {

knowage-core/src/main/java/it/eng/spagobi/api/SelfServiceDataSetCRUD.java

@@ -1621,9 +1621,12 @@ private void renameAndMoveDatasetFile(String originalFileName, String newFileNam
 		String filePath = resourcePath + File.separatorChar + "dataset" + File.separatorChar + "files" + File.separatorChar + "temp" + File.separatorChar;
 		String fileNewPath = resourcePath + File.separatorChar + "dataset" + File.separatorChar + "files" + File.separatorChar;
 
+		PathTraversalChecker.get(filePath, originalFileName);
 		File originalDatasetFile = new File(filePath + originalFileName);
+		PathTraversalChecker.get(fileNewPath, newFileName + "." + fileType.toLowerCase());
 		File newDatasetFile = new File(fileNewPath + newFileName + "." + fileType.toLowerCase());
-		if (originalDatasetFile.exists()) {
+
+		if (newDatasetFile != null && originalDatasetFile != null && originalDatasetFile.exists()) {
 			/*
 			 * This method copies the contents of the specified source file to the specified destination file. The directory holding the destination file is
 			 * created if it does not exist. If the destination file exists, then this method will overwrite it.
@@ -1741,8 +1744,10 @@ private JSONObject getCkanDataSetConfig(SelfServiceDataSetDTO selfServiceDataSet
 	private void deleteDatasetFile(String fileName, String resourcePath, String fileType) {
 		String filePath = resourcePath + File.separatorChar + "dataset" + File.separatorChar + "files" + File.separatorChar + "temp" + File.separatorChar;
 
+		PathTraversalChecker.get(filePath, fileName);
 		File datasetFile = new File(filePath + fileName);
-		if (datasetFile.exists()) {
+
+		if (datasetFile != null && datasetFile.exists()) {
 			datasetFile.delete();
 		}
 	}
@@ -1796,10 +1801,7 @@ private Integer getCategoryCode(String category) {
 
 			try {
 				ICategoryDAO categoryDao = DAOFactory.getCategoryDAO();
-				categories = categoryDao.getCategoriesForDataset()
-					.stream()
-					.map(Domain::fromCategory)
-					.collect(toList());
+				categories = categoryDao.getCategoriesForDataset().stream().map(Domain::fromCategory).collect(toList());
 			} catch (Throwable t) {
 				throw new SpagoBIRuntimeException("An unexpected error occured while loading categories types from database", t);
 			}
@@ -2174,10 +2176,7 @@ protected List<Integer> getCategories(IEngUserProfile profile) {
 			ICategoryDAO categoryDao = DAOFactory.getCategoryDAO();
 
 			// TODO : Makes sense?
-			List<Domain> dialects = categoryDao.getCategoriesForDataset()
-					.stream()
-					.map(Domain::fromCategory)
-					.collect(toList());
+			List<Domain> dialects = categoryDao.getCategoriesForDataset().stream().map(Domain::fromCategory).collect(toList());
 			if (dialects == null || dialects.size() == 0) {
 				return null;
 			}
@@ -2191,10 +2190,7 @@ protected List<Integer> getCategories(IEngUserProfile profile) {
 
 				List<RoleMetaModelCategory> aRoleCategories = roledao.getMetaModelCategoriesForRole(role.getId());
 				List<RoleMetaModelCategory> resp = new ArrayList<>();
-				List<Domain> array = categoryDao.getCategoriesForDataset()
-						.stream()
-						.map(Domain::fromCategory)
-						.collect(toList());
+				List<Domain> array = categoryDao.getCategoriesForDataset().stream().map(Domain::fromCategory).collect(toList());
 				for (RoleMetaModelCategory r : aRoleCategories) {
 					for (Domain dom : array) {
 						if (r.getCategoryId().equals(dom.getValueId())) {

knowage-core/src/main/java/it/eng/spagobi/sdk/utilities/SDKObjectsConverter.java

@@ -34,6 +34,7 @@
 import org.apache.log4j.Logger;
 import org.json.JSONObject;
 
+import it.eng.knowage.commons.security.PathTraversalChecker;
 import it.eng.qbe.dataset.QbeDataSet;
 import it.eng.spago.base.SourceBean;
 import it.eng.spago.base.SourceBeanException;
@@ -228,8 +229,11 @@ public ObjTemplate fromSDKTemplateToObjTemplate(SDKTemplate sdkTemplate) {
 			}
 			if (dh != null && dh.getName() != null) {
 				LOGGER.debug("Deleting attachment file ...");
-				File attachment = new File(dh.getName());
-				if (attachment.exists() && attachment.isFile()) {
+				String fileName = dh.getName();
+				PathTraversalChecker.isValidFileName(fileName);
+				File attachment = new File(fileName);
+
+				if (attachment != null && attachment.exists() && attachment.isFile()) {
 					boolean attachmentFileDeleted;
 					try {
 						attachmentFileDeleted = Files.deleteIfExists(attachment.toPath());

knowagebirtreportengine/src/main/java/it/eng/spagobi/engines/birt/BirtImageServlet.java

@@ -35,6 +35,7 @@
 
 import org.apache.log4j.Logger;
 
+import it.eng.knowage.commons.security.PathTraversalChecker;
 import it.eng.spago.security.IEngUserProfile;
 import it.eng.spagobi.services.proxy.DocumentExecuteServiceProxy;
 import it.eng.spagobi.utilities.mime.MimeUtils;
@@ -78,16 +79,9 @@ public void service(HttpServletRequest request, HttpServletResponse response) {
 			imageFile = new File(completeImageFileName);
 
 			File parent = imageFile.getParentFile();
-			// Prevent directory traversal (path traversal) attacks
-			if (!imageTmpDir.equals(parent)) {
-				logger.error("Trying to access the file [" + imageFile.getAbsolutePath() + "] that is not inside ${java.io.tmpdir}/birt!!!");
-				throw new SecurityException("Trying to access the file [" + imageFile.getAbsolutePath() + "] that is not inside ${java.io.tmpdir}/birt!!!");
-			}
+			String fileName = imageFile.toString();
 
-			if (!imageFile.exists()) {
-				logger.error("File " + imageFile.getPath() + " not found");
-				return;
-			}
+			PathTraversalChecker.get(parent.toString(), fileName);
 
 			try {
 				fis = new FileInputStream(imageFile);

knowagebirtreportengine/src/main/java/it/eng/spagobi/engines/birt/utilities/Utils.java

@@ -27,6 +27,7 @@
 
 import org.apache.log4j.Logger;
 
+import it.eng.knowage.commons.security.PathTraversalChecker;
 import it.eng.spagobi.engines.birt.BirtReportServlet;
 
 public class Utils {
@@ -36,8 +37,7 @@ public class Utils {
 	/**
 	 * Resolve system properties.
 	 *
-	 * @param logDir
-	 *            the log dir
+	 * @param logDir the log dir
 	 *
 	 * @return the string
 	 */
@@ -54,10 +54,8 @@ public static String resolveSystemProperties(String logDir) {
 	/**
 	 * Resolve system properties.
 	 *
-	 * @param logDir
-	 *            the log dir
-	 * @param startIndex
-	 *            the start index
+	 * @param logDir     the log dir
+	 * @param startIndex the start index
 	 *
 	 * @return the string
 	 */
@@ -89,14 +87,10 @@ public static void sendPage(HttpServletResponse response, int pageNumber, String
 		String completeImageFileName = null;
 		String mimeType = "text/html";
 
-		htmlFile = new File(BirtReportServlet.OUTPUT_FOLDER + File.separator + reportExecutionId, BirtReportServlet.PAGE_FILE_NAME + pageNumber + ".html");
-
-		// file path traversal security check
-		if (!((htmlFile.getParentFile().getParent() + File.separator).equals(BirtReportServlet.OUTPUT_FOLDER))) {
-			logger.error("Security exception: parent folder " + htmlFile.getParent() + " is not equal to expected folder " + BirtReportServlet.OUTPUT_FOLDER);
-			throw new RuntimeException(
-					"Security exception: parent folder " + htmlFile.getParent() + " is not equal to expected folder " + BirtReportServlet.OUTPUT_FOLDER);
-		}
+		String directory = BirtReportServlet.OUTPUT_FOLDER + File.separator + reportExecutionId;
+		String fileName = BirtReportServlet.PAGE_FILE_NAME + pageNumber + ".html";
+		PathTraversalChecker.get(fileName, directory);
+		htmlFile = new File(directory, fileName);
 
 		try (InputStream fis = new FileInputStream(htmlFile);) {
 			writeToOutput(response, mimeType, fis);

knowagecockpitengine/src/main/java/it/eng/knowage/engine/cockpit/api/export/excel/ExcelExporter.java

@@ -53,6 +53,7 @@
 
 import com.google.gson.Gson;
 
+import it.eng.knowage.commons.security.PathTraversalChecker;
 import it.eng.knowage.engine.cockpit.api.export.AbstractFormatExporter;
 import it.eng.knowage.engine.cockpit.api.export.ExporterClient;
 import it.eng.knowage.engine.cockpit.api.export.excel.exporters.IWidgetExporter;
@@ -149,7 +150,11 @@ public byte[] getBinaryData(String documentLabel) throws IOException, Interrupte
 	}
 
 	private byte[] getByteArrayFromFile(Path excelFile, Path outputDir) {
-		try (FileInputStream fis = new FileInputStream(excelFile.toString()); ByteArrayOutputStream bos = new ByteArrayOutputStream()) {
+		String fileName = excelFile.toString();
+
+		PathTraversalChecker.isValidFileName(fileName);
+
+		try (FileInputStream fis = new FileInputStream(fileName); ByteArrayOutputStream bos = new ByteArrayOutputStream()) {
 			byte[] buf = new byte[1024];
 			for (int readNum; (readNum = fis.read(buf)) != -1;) {
 				// Writes len bytes from the specified byte array starting at offset off to this byte array output stream

knowagecommonjengine/src/main/java/it/eng/spagobi/engines/commonj/runtime/WorksRepository.java

@@ -21,6 +21,8 @@
 
 import org.apache.log4j.Logger;
 
+import it.eng.knowage.commons.security.PathTraversalChecker;
+
 public class WorksRepository {
 	private static final Logger LOGGER = Logger.getLogger(WorksRepository.class);
 
@@ -68,7 +70,6 @@ public File getExecutableWorkProjectDir(CommonjWork work) {
 		return worksDir;
 	}
 
-
 	/**
 	 * Gets the executable work dir.
 	 *
@@ -78,12 +79,15 @@ public File getExecutableWorkProjectDir(CommonjWork work) {
 	 */
 	public File getExecutableWorkDir(CommonjWork work) {
 		LOGGER.debug("IN");
-		File workDir = new File(rootDir, work.getWorkName());
+
+		String fileName = work.getWorkName();
+		PathTraversalChecker.get(rootDir.getName(), fileName);
+		File workDir = new File(rootDir, fileName);
+
 		LOGGER.debug("OUT");
 		return workDir;
 	}
 
-
 	/**
 	 * Gets the executable work file.
 	 *
@@ -103,9 +107,12 @@ public File getExecutableWorkFile(CommonjWork work) {
 	 * @return true, if successful
 	 */
 	public boolean containsWork(CommonjWork work) {
+		String fileName = work.getWorkName();
+
+		PathTraversalChecker.get(rootDir.getName(), fileName);
+		File workFolder = new File(rootDir, fileName);
 
-		File workFolder=new File(rootDir, work.getWorkName());
-		return workFolder.exists();
+		return workFolder != null && workFolder.exists();
 	}
 
 }