Posted to commits@oodt.apache.org by ri...@apache.org on 2013/10/23 23:30:51 UTC
svn commit: r1535189 - in /oodt/trunk/product/src:
main/java/org/apache/oodt/product/handlers/ofsn/
main/java/org/apache/oodt/product/handlers/ofsn/util/
test/org/apache/oodt/product/ test/org/apache/oodt/product/handlers/
test/org/apache/oodt/product/...
Author: riverma
Date: Wed Oct 23 21:30:50 2013
New Revision: 1535189
URL: http://svn.apache.org/r1535189
Log:
OODT-657 : Security vulnerability in web-grid allows the listing and downloading of any file on system
Added:
oodt/trunk/product/src/test/org/apache/oodt/product/
oodt/trunk/product/src/test/org/apache/oodt/product/handlers/
oodt/trunk/product/src/test/org/apache/oodt/product/handlers/ofsn/
oodt/trunk/product/src/test/org/apache/oodt/product/handlers/ofsn/util/
oodt/trunk/product/src/test/org/apache/oodt/product/handlers/ofsn/util/OFSNUtilsTest.java
Modified:
oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/DirListNonRecursiveHandler.java
oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/DirListRecursiveHandler.java
oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/FileListNonRecursiveHandler.java
oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/FileListRecursiveHandler.java
oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/MD5GetHandler.java
oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/RawSizeListHandler.java
oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/SingleFileListHandler.java
oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/SingleZipFileListHandler.java
oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/StdOFSNGetHandler.java
oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/URLGetHandler.java
oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/util/OFSNUtils.java
Modified: oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/DirListNonRecursiveHandler.java
URL: http://svn.apache.org/viewvc/oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/DirListNonRecursiveHandler.java?rev=1535189&r1=1535188&r2=1535189&view=diff
==============================================================================
--- oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/DirListNonRecursiveHandler.java (original)
+++ oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/DirListNonRecursiveHandler.java Wed Oct 23 21:30:50 2013
@@ -24,6 +24,7 @@ import java.util.Properties;
//OODT imports
import org.apache.oodt.product.ProductException;
+import org.apache.oodt.product.handlers.ofsn.util.OFSNUtils;
/**
*
@@ -43,7 +44,10 @@ public class DirListNonRecursiveHandler
* .lang.String)
*/
public File[] getListing(String ofsn) throws ProductException {
- return crawlFiles(new File(ofsn), false, true);
+ if (OFSNUtils.validateOFSN(ofsn))
+ return crawlFiles(new File(ofsn), false, true);
+ else
+ throw new ProductException("OFSN is invalid");
}
/*
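Review bot: The new guard in getListing is a substring denylist, and the value it accepts is still passed to `new File(ofsn)` verbatim on the following line, so anything that is not literally `..` (an absolute path such as `/etc/passwd`, or a symlink inside the product tree that points outside it) goes through unchanged. Whether that is reachable depends on the caller prepending the product root before invoking getListing, which this hunk does not show. The robust form is containment after canonicalisation, e.g. `new File(root, ofsn).getCanonicalPath().startsWith(new File(root).getCanonicalPath() + File.separator)`, which also neutralises symlinks; the `..` check can stay as a cheap first filter. That would mean giving validateOFSN a product-root argument, which OFSNUtils already appears to model (toOFSN takes a productRootPath in the hunk further down).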
Modified: oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/DirListRecursiveHandler.java
URL: http://svn.apache.org/viewvc/oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/DirListRecursiveHandler.java?rev=1535189&r1=1535188&r2=1535189&view=diff
==============================================================================
--- oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/DirListRecursiveHandler.java (original)
+++ oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/DirListRecursiveHandler.java Wed Oct 23 21:30:50 2013
@@ -24,6 +24,7 @@ import java.util.Properties;
//OODT imports
import org.apache.oodt.product.ProductException;
+import org.apache.oodt.product.handlers.ofsn.util.OFSNUtils;
/**
*
@@ -57,7 +58,10 @@ public class DirListRecursiveHandler ext
*/
@Override
public File[] getListing(String ofsn) throws ProductException {
- return crawlFiles(new File(ofsn), true, true);
+ if (OFSNUtils.validateOFSN(ofsn))
+ return crawlFiles(new File(ofsn), true, true);
+ else
+ throw new ProductException("OFSN is invalid");
}
}
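Review bot: The if/else around crawlFiles reads better as a guard clause, which is also the shape the get handlers in this same commit use (MD5GetHandler, StdOFSNGetHandler): `if (!OFSNUtils.validateOFSN(ofsn)) { throw new ProductException("OFSN is invalid"); }` followed by `return crawlFiles(new File(ofsn), true, true);`. Braces on the throw branch would match the rest of the diff as well. For the recursive lister in particular, a `..` check on the entry path says nothing about symlinks met during the walk; whether crawlFiles follows them is not visible here and is worth confirming.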
Modified: oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/FileListNonRecursiveHandler.java
URL: http://svn.apache.org/viewvc/oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/FileListNonRecursiveHandler.java?rev=1535189&r1=1535188&r2=1535189&view=diff
==============================================================================
--- oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/FileListNonRecursiveHandler.java (original)
+++ oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/FileListNonRecursiveHandler.java Wed Oct 23 21:30:50 2013
@@ -24,6 +24,7 @@ import java.util.Properties;
//OODT imports
import org.apache.oodt.product.ProductException;
+import org.apache.oodt.product.handlers.ofsn.util.OFSNUtils;
/**
*
@@ -50,7 +51,10 @@ public class FileListNonRecursiveHandler
*/
@Override
public File[] getListing(String ofsn) throws ProductException {
- return crawlFiles(new File(ofsn), false, false);
+ if (OFSNUtils.validateOFSN(ofsn))
+ return crawlFiles(new File(ofsn), false, false);
+ else
+ throw new ProductException("OFSN is invalid");
}
}
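Review bot: This is the third verbatim copy of the same validation block across the listing handlers, and a fourth follows; if all of them inherit crawlFiles from a shared base (presumably AbstractCrawlLister, which URLGetHandler imports further down — the `ext`/`ex` fragments in the class declarations suggest so), the check belongs once at the top of crawlFiles or in a protected helper so a future handler cannot omit it. The base class is outside this diff, so treat this as a follow-up rather than a defect in the hunk. A Javadoc line on getListing would document the new failure mode for callers: `@throws ProductException if the OFSN is empty or contains a parent-directory reference`.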
Modified: oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/FileListRecursiveHandler.java
URL: http://svn.apache.org/viewvc/oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/FileListRecursiveHandler.java?rev=1535189&r1=1535188&r2=1535189&view=diff
==============================================================================
--- oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/FileListRecursiveHandler.java (original)
+++ oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/FileListRecursiveHandler.java Wed Oct 23 21:30:50 2013
@@ -24,6 +24,7 @@ import java.util.Properties;
//OODT imports
import org.apache.oodt.product.ProductException;
+import org.apache.oodt.product.handlers.ofsn.util.OFSNUtils;
/**
*
@@ -49,7 +50,10 @@ public class FileListRecursiveHandler ex
*/
@Override
public File[] getListing(String ofsn) throws ProductException {
- return crawlFiles(new File(ofsn), true, false);
+ if (OFSNUtils.validateOFSN(ofsn))
+ return crawlFiles(new File(ofsn), true, false);
+ else
+ throw new ProductException("OFSN is invalid");
}
}
Modified: oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/MD5GetHandler.java
URL: http://svn.apache.org/viewvc/oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/MD5GetHandler.java?rev=1535189&r1=1535188&r2=1535189&view=diff
==============================================================================
--- oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/MD5GetHandler.java (original)
+++ oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/MD5GetHandler.java Wed Oct 23 21:30:50 2013
@@ -32,6 +32,7 @@ import org.apache.commons.io.FileUtils;
//OODT imports
import org.apache.oodt.product.ProductException;
+import org.apache.oodt.product.handlers.ofsn.util.OFSNUtils;
/**
*
@@ -75,6 +76,11 @@ public class MD5GetHandler implements OF
*/
public byte[] retrieveChunk(String filepath, long offset, int length)
throws ProductException {
+
+ if (!OFSNUtils.validateOFSN(filepath)) {
+ throw new ProductException("OFSN is invalid");
+ }
+
try {
String hash = this.hashData(FileUtils.readFileToByteArray(new File(
filepath)));
Modified: oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/RawSizeListHandler.java
URL: http://svn.apache.org/viewvc/oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/RawSizeListHandler.java?rev=1535189&r1=1535188&r2=1535189&view=diff
==============================================================================
--- oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/RawSizeListHandler.java (original)
+++ oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/RawSizeListHandler.java Wed Oct 23 21:30:50 2013
@@ -24,6 +24,7 @@ import java.util.Properties;
//OODT imports
import org.apache.oodt.product.ProductException;
+import org.apache.oodt.product.handlers.ofsn.util.OFSNUtils;
/**
*
@@ -51,10 +52,14 @@ public class RawSizeListHandler implemen
*/
public File[] getListing(String ofsn) throws ProductException {
if (!new File(ofsn).exists()) {
- throw new ProductException("file: [" + ofsn
+ throw new ProductException("file: [" + ofsn
+ "] does not exist!");
- }
- return new File[] { new File(ofsn) };
+ } else if (!OFSNUtils.validateOFSN(ofsn)) {
+ throw new ProductException("OFSN is invalid");
+ } else {
+ return new File[] { new File(ofsn) };
+ }
+
}
}
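Review bot: The validation is ordered after the `exists()` test, so a traversal probe like `/dataset/../../etc/shadow` gets `does not exist!` (with the path echoed back) or `OFSN is invalid` depending on whether the target exists — an existence oracle for arbitrary paths even though the content can no longer be read. Swap the branches so an invalid OFSN is rejected before the filesystem is consulted: `if (!OFSNUtils.validateOFSN(ofsn)) { throw new ProductException("OFSN is invalid"); }` first, then the existing `exists()` check, then the return. The stray blank line before the closing brace can go at the same time.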
Modified: oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/SingleFileListHandler.java
URL: http://svn.apache.org/viewvc/oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/SingleFileListHandler.java?rev=1535189&r1=1535188&r2=1535189&view=diff
==============================================================================
--- oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/SingleFileListHandler.java (original)
+++ oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/SingleFileListHandler.java Wed Oct 23 21:30:50 2013
@@ -23,6 +23,7 @@ import java.io.File;
import java.util.Properties;
import org.apache.oodt.product.ProductException;
+import org.apache.oodt.product.handlers.ofsn.util.OFSNUtils;
/**
*
@@ -57,8 +58,11 @@ public class SingleFileListHandler imple
public File[] getListing(String ofsn) throws ProductException {
if (!new File(ofsn).exists()) {
throw new ProductException("file: [" + ofsn + "] does not exist!");
+ } else if (!OFSNUtils.validateOFSN(ofsn)) {
+ throw new ProductException("OFSN is invalid");
+ } else {
+ return new File[] { new File(ofsn) };
}
- return new File[] { new File(ofsn) };
}
}
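Review bot: Same ordering problem as in RawSizeListHandler: `new File(ofsn).exists()` runs before validateOFSN, so the two distinguishable messages let a client learn whether an out-of-tree file exists. Move the `validateOFSN` branch to the top of getListing so nothing touches the filesystem for a rejected OFSN. With that reorder the method reduces to two guard clauses and a plain `return new File[] { new File(ofsn) };` without the else chain.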
Modified: oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/SingleZipFileListHandler.java
URL: http://svn.apache.org/viewvc/oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/SingleZipFileListHandler.java?rev=1535189&r1=1535188&r2=1535189&view=diff
==============================================================================
--- oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/SingleZipFileListHandler.java (original)
+++ oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/SingleZipFileListHandler.java Wed Oct 23 21:30:50 2013
@@ -72,6 +72,8 @@ public class SingleZipFileListHandler im
public File[] getListing(String ofsn) throws ProductException {
if (!new File(ofsn).exists()) {
throw new ProductException("file: [" + ofsn + "] does not exist!");
+ } else if (!OFSNUtils.validateOFSN(ofsn)) {
+ throw new ProductException("OFSN is invalid");
}
String zipFilePath = this.cacheRoot + new File(ofsn).getName() + ".zip";
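Review bot: No import hunk for OFSNUtils appears in this file's diff, unlike every other handler touched by the commit; presumably it was already imported, but it is worth confirming the file compiles. The validation is again placed after `exists()`, so the same existence-oracle concern as in RawSizeListHandler applies here: make `if (!OFSNUtils.validateOFSN(ofsn))` the first check in getListing and only then test existence. The method continues past the hunk, so the later use of `ofsn` to build `zipFilePath` is not reviewed here.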
Modified: oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/StdOFSNGetHandler.java
URL: http://svn.apache.org/viewvc/oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/StdOFSNGetHandler.java?rev=1535189&r1=1535188&r2=1535189&view=diff
==============================================================================
--- oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/StdOFSNGetHandler.java (original)
+++ oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/StdOFSNGetHandler.java Wed Oct 23 21:30:50 2013
@@ -27,6 +27,7 @@ import java.util.Properties;
//OODT imports
import org.apache.oodt.product.ProductException;
+import org.apache.oodt.product.handlers.ofsn.util.OFSNUtils;
/**
*
@@ -48,6 +49,11 @@ public class StdOFSNGetHandler implement
*/
public byte[] retrieveChunk(String filepath, long offset, int length)
throws ProductException {
+
+ if (!OFSNUtils.validateOFSN(filepath)) {
+ throw new ProductException("OFSN is invalid");
+ }
+
InputStream in = null;
byte[] buf = null;
Modified: oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/URLGetHandler.java
URL: http://svn.apache.org/viewvc/oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/URLGetHandler.java?rev=1535189&r1=1535188&r2=1535189&view=diff
==============================================================================
--- oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/URLGetHandler.java (original)
+++ oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/URLGetHandler.java Wed Oct 23 21:30:50 2013
@@ -30,6 +30,7 @@ import java.util.logging.Logger;
import org.apache.oodt.product.ProductException;
import org.apache.oodt.product.handlers.ofsn.AbstractCrawlLister;
import org.apache.oodt.product.handlers.ofsn.OFSNGetHandler;
+import org.apache.oodt.product.handlers.ofsn.util.OFSNUtils;
/**
* A {@link OFSNGetHandler} for returning a URL listing pointing to files within an OFSN
@@ -130,6 +131,10 @@ public class URLGetHandler extends Abstr
public byte[] retrieveChunk(String filepath, long offset, int length)
throws ProductException {
+ if (!OFSNUtils.validateOFSN(filepath)) {
+ throw new ProductException("OFSN is invalid");
+ }
+
LOG.info("Retrieving chunk of URL listing for path: ["+filepath+"] at offset "
+ offset+" for "+length+" bytes");
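Review bot: A rejected OFSN is thrown away silently while the accepted path is logged at INFO on the next line; operationally the rejection is the more interesting event, since it is the signature of a traversal probe. Log it before throwing, e.g. `LOG.warning("Rejected invalid OFSN: [" + filepath + "]");`, while keeping the client-facing message generic as it is now. URLGetHandler already has a LOG field in scope, so this needs no new plumbing; the other get handlers in this commit show no logger, so this is the natural place to start.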
Modified: oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/util/OFSNUtils.java
URL: http://svn.apache.org/viewvc/oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/util/OFSNUtils.java?rev=1535189&r1=1535188&r2=1535189&view=diff
==============================================================================
--- oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/util/OFSNUtils.java (original)
+++ oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/util/OFSNUtils.java Wed Oct 23 21:30:50 2013
@@ -171,6 +171,14 @@ public final class OFSNUtils implements
}
+ public static boolean validateOFSN(String ofsn) {
+ if (ofsn == null) {
+ return false;
+ } else {
+ return !ofsn.equals("") && !ofsn.matches(".*\\.\\..*");
+ }
+ }
+
private static String toOFSN(String absolutePath, String productRootPath) {
if (absolutePath.startsWith(productRootPath)) {
return absolutePath.substring(productRootPath.length());
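Review bot: The `..` test uses `String.matches(".*\\.\\..*")`, where `.` does not match line terminators, so an OFSN containing a newline (for example `/dataset/../etc/passwd\n`) fails to match the regex and is reported as valid; a plain `!ofsn.contains("..")` is simpler and has no such gap, and the whole method collapses to `return ofsn != null && !ofsn.isEmpty() && !ofsn.contains("..");`. Two caveats deserve a Javadoc: the check rejects any legitimate file name with two consecutive dots (`a..b`), and it is a denylist on the string rather than a containment check on the resolved path, so absolute paths and symlinks are out of its scope. Something like `/** Returns true if ofsn is non-empty and contains no parent-directory (..) reference; the path is not canonicalized. */` would set the right expectations for callers.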
Added: oodt/trunk/product/src/test/org/apache/oodt/product/handlers/ofsn/util/OFSNUtilsTest.java
URL: http://svn.apache.org/viewvc/oodt/trunk/product/src/test/org/apache/oodt/product/handlers/ofsn/util/OFSNUtilsTest.java?rev=1535189&view=auto
==============================================================================
--- oodt/trunk/product/src/test/org/apache/oodt/product/handlers/ofsn/util/OFSNUtilsTest.java (added)
+++ oodt/trunk/product/src/test/org/apache/oodt/product/handlers/ofsn/util/OFSNUtilsTest.java Wed Oct 23 21:30:50 2013
@@ -0,0 +1,59 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+package org.apache.oodt.product.handlers.ofsn.util;
+
+import junit.framework.TestCase;
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import java.util.Collections;
+
+/**
+ * Unit test for {@link OFSNUtils}.
+ *
+ * @author riverma
+ */
+public class OFSNUtilsTest extends TestCase {
+ public OFSNUtilsTest(String id) {
+ super(id);
+ }
+
+ public void testValidateOFSN() {
+
+ assertTrue(OFSNUtils.validateOFSN("/dataset/dir1"));
+ assertTrue(OFSNUtils.validateOFSN("/dataset/dir1/"));
+ assertTrue(OFSNUtils.validateOFSN("/dataset/dir1/file1.h5"));
+ assertFalse(OFSNUtils.validateOFSN("/dataset/../../../../../../etc/passwd"));
+
+ }
+}
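Review bot: The test pins only one traversal shape; it should also cover the cases validateOFSN handles explicitly — `assertFalse(OFSNUtils.validateOFSN(null));`, `assertFalse(OFSNUtils.validateOFSN(""));`, `assertFalse(OFSNUtils.validateOFSN(".."));` — plus a `..` in a non-leading component such as `/dataset/dir1/../dir2`. Separately, the Apache license header is duplicated (once at the top of the file and again between the junit import and `import java.util.Collections`), and that Collections import is unused; drop both.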