Merge remote-tracking branch 'origin/master'

fedon · Jun 30, 2017 · ed855c6 · ed855c6
2 parents a8304da + 74165f5
commit ed855c6
Show file tree

Hide file tree

Showing 2 changed files with 61 additions and 41 deletions.
diff --git a/...min-gui/src/main/java/com/evolveum/midpoint/gui/impl/util/ReportPeerQueryInterceptor.java b/...min-gui/src/main/java/com/evolveum/midpoint/gui/impl/util/ReportPeerQueryInterceptor.java
@@ -1,3 +1,19 @@
+/*
+ * Copyright (c) 2010-2017 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package com.evolveum.midpoint.gui.impl.util;
 
 import com.evolveum.midpoint.prism.PrismObject;
@@ -46,28 +62,27 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {
         String userAgent = request.getHeader("User-Agent");
         String remoteName = request.getRemoteHost();
+        String fileName = request.getParameter(FILENAMEPARAMETER);
+        fileName = URLDecoder.decode(fileName, URLENCODING);
         if (!HEADER_USERAGENT.equals(userAgent)) {
             LOGGER.debug("Invalid user-agent: {}", userAgent);
             response.setStatus(HttpServletResponse.SC_FORBIDDEN);
         } else if (!isKnownNode(remoteName, "File retrieval")) {
             LOGGER.debug("Unknown node, host: {} ", remoteName);
             response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+        } else if (containsProhibitedQueryString(fileName)) {
+            LOGGER.debug("Query parameter containst a probited character sequence. The parameter: {} ", fileName);
+            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
         } else {
-            String fileName = request.getParameter(FILENAMEPARAMETER);
-            fileName = URLDecoder.decode(fileName, URLENCODING);
             StringBuilder buildfilePath = new StringBuilder(EXPORT_DIR).append(fileName);
             String filePath = buildfilePath.toString();
 
             File loadedFile = new File(filePath);
             if (!loadedFile.exists()) {
-                StringBuilder errorBuilder = new StringBuilder("Download operation not successful. The file: ")
-                        .append(fileName).append(" was not found on the filesystem");
-                LOGGER.warn(errorBuilder.toString());
+                LOGGER.warn("Download operation not successful. The file: {} was not found on the filesystem", fileName);
                 response.setStatus(HttpServletResponse.SC_NOT_FOUND);
             } else if (loadedFile.isDirectory()) {
-                StringBuilder errorBuilder = new StringBuilder("Download operation not successful. Attempt to download a directory with the name:  ")
-                        .append(fileName).append(" this operation is prohibited.");
-                LOGGER.warn(errorBuilder.toString());
+                LOGGER.warn("Download operation not successful. Attempt to download a directory with the name: {} this operation is prohibited", fileName);
                 response.setStatus(HttpServletResponse.SC_FORBIDDEN);
             } else {
                 FileInputStream fileInputStream = new FileInputStream(filePath);
@@ -118,15 +133,11 @@ protected void doDelete(HttpServletRequest request, HttpServletResponse response
             String filePath = buildfilePath.toString();
             File reportFile = new File(filePath);
             if (!reportFile.exists()) {
-                StringBuilder errorBuilder = new StringBuilder("Delete operation not successful. The file: ").append(fileName)
-                        .append(" was not found on the filesystem.");
-                LOGGER.warn(errorBuilder.toString());
+                LOGGER.warn("Delete operation not successful. The file: {} was not found on the filesystem.", fileName);
                 response.sendError(HttpServletResponse.SC_NOT_FOUND);
 
             } else if (reportFile.isDirectory()) {
-                StringBuilder errorBuilder = new StringBuilder("Delete operation not successful. Attempt to Delete a directory with the name:  ")
-                        .append(fileName).append(" This operation is prohibited.");
-                LOGGER.warn(errorBuilder.toString());
+                LOGGER.warn("Delete operation not successful. Attempt to Delete a directory with the name: {}. This operation is prohibited.", fileName);
                 response.setStatus(HttpServletResponse.SC_FORBIDDEN);
             } else {
                 reportFile.delete();
@@ -170,4 +181,12 @@ protected Boolean isKnownNode(String remoteName, String operation) {
         return false;
     }
 
+    protected Boolean containsProhibitedQueryString(String queryParameter) {
+
+        if (queryParameter.contains("/../")) {
+            return true;
+        }
+        return false;
+    }
+
 }
diff --git a/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/ReportNodeUtils.java b/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/ReportNodeUtils.java
@@ -1,4 +1,21 @@
+/*
+ * Copyright (c) 2010-2017 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package com.evolveum.midpoint.report.impl;
+
 import java.io.*;
 import java.net.URI;
 import java.net.URISyntaxException;
@@ -12,7 +29,6 @@
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
 import org.apache.commons.io.IOUtils;
-import org.apache.commons.lang.math.NumberUtils;
 import org.apache.http.HttpEntity;
 import org.apache.http.HttpStatus;
 import org.apache.http.client.ClientProtocolException;
@@ -30,44 +46,26 @@ public class ReportNodeUtils {
     private static final Trace LOGGER = TraceManager.getTrace(ReportNodeUtils.class);
     private static final String SPACE = "%20";
     private static final String HEADER_USERAGENT = "mp-cluser-peer-client";
-    private static final String ENDPOINTURIPATH = "midpoint/report";
+    private static final String ENDPOINTURIPATH = "/report";
     private static String URLENCODING = "UTF-8";
     private static String FILENAMEPARAMETER = "fname";
     private static final Integer DEFAULTPORT = 80;
 
     public InputStream executeOperation(String host, String fileName, String intraClusterHttpUrlPattern, String operation) throws CommunicationException, SecurityViolationException, ObjectNotFoundException, ConfigurationException, IOException {
         fileName = fileName.replaceAll("\\s", SPACE);
-        StringBuilder path = new StringBuilder(ENDPOINTURIPATH);
         InputStream inputStream = null;
         InputStream entityContent = null;
         LOGGER.trace("About to initiate connection with {}", host);
         try {
             if (intraClusterHttpUrlPattern != null && !(intraClusterHttpUrlPattern.isEmpty())) {
-                LOGGER.trace("The cluster uri pattern: {} ", intraClusterHttpUrlPattern.toString());
-                String[] splitted = intraClusterHttpUrlPattern.split("/");
-                if (!(splitted.length > 3)) { // https://$host/midpoint
-                    StringBuilder errorBuilder = new StringBuilder("Non valid IntraClusterHttpUrlPattern parameter value: ").append(intraClusterHttpUrlPattern);
-                    throw new ConfigurationException(errorBuilder.toString());
-                }
-                URIBuilder ubilder = new URIBuilder();
-                String scheme = splitted[0].substring(0, splitted[0].length() - 1);
-                ubilder.setScheme(scheme).setHost(host);
-                String hostPart = splitted[2];
-
-                String[] hostAndPort = hostPart.split("\\:");//host:port
-                if (hostAndPort.length > 1) {
-                    String port = hostAndPort[1];
-                    if (NumberUtils.isDigits(port)) {
-                        ubilder.setPort(Integer.parseInt(port));
-                    }
-                } else {
-                    ubilder.setPort(DEFAULTPORT);
-                }
-                ubilder.setPath(path.toString()).setParameter(FILENAMEPARAMETER,
-                        fileName);
+                LOGGER.trace("The cluster uri pattern: {} ", intraClusterHttpUrlPattern);
+
+                String path = intraClusterHttpUrlPattern.replace("$host", host) + ENDPOINTURIPATH;
+                URIBuilder ubilder = new URIBuilder(path);
+                ubilder.setParameter(FILENAMEPARAMETER, fileName);
                 URI requestUri = ubilder.build();
                 fileName = URLDecoder.decode(fileName, URLENCODING);
-                LOGGER.debug("Sending request to the following uri: {} ", requestUri.toString());
+                LOGGER.debug("Sending request to the following uri: {} ", requestUri);
                 HttpRequestBase httpRequest = buildHttpRequest(operation);
                 httpRequest.setURI(requestUri);
                 httpRequest.setHeader("User-Agent", HEADER_USERAGENT);
@@ -99,7 +97,6 @@ public InputStream executeOperation(String host, String fileName, String intraCl
                         StringBuilder errorBuilder = new StringBuilder("The access to the report ").append(fileName)
                                 .append(" is forbidden.");
                         LOGGER.error("The access to the report with the name {} is forbidden.", fileName);
-
                         throw new SecurityViolationException(errorBuilder.toString());
                     } else if (statusCode == HttpStatus.SC_NOT_FOUND) {
                         StringBuilder errorBuilder = new StringBuilder("The report file ").append(fileName)
@@ -112,6 +109,9 @@ public InputStream executeOperation(String host, String fileName, String intraCl
                             .append(e.getLocalizedMessage());
                     throw new CommunicationException(errorBuilder.toString());
                 }
+            } else {
+                LOGGER.error("Cluster pattern parameters is empty, please refer to the documentation and set up the parameter value accordingly");
+                throw new ConfigurationException("Cluster pattern parameters is empty, please refer to the documentation and set up the parameter value accordingly");
             }
         } catch (URISyntaxException e1) {
             StringBuilder errorBuilder = new StringBuilder("Invalid uri syntax: ").append(e1.getLocalizedMessage());
@@ -122,6 +122,7 @@ public InputStream executeOperation(String host, String fileName, String intraCl
         } finally {
             IOUtils.closeQuietly(entityContent);
         }
+
         return inputStream;
     }