Marmelator/persistence-service
1
0
Fork 0
Code Issues Pull Requests 17 Actions Packages Projects Releases 1.1k Wiki Activity

RED-8175 - fixed path traversal issue #310

Merged
timo.bejan.ext merged 1 commits from RED-8175 into master 2024-01-16 16:07:11 +01:00
Conversation 7 Commits 1 Files Changed 3 +26 -2
3 changed files with 26 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/ReportTemplateController.java vendored
View File

@ -13,6 +13,8 @@ import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import com.iqser.red.service.persistence.management.v1.processor.service.persistence.DossierTemplatePersistenceService;
import org.apache.commons.io.FilenameUtils;
import org.apache.commons.io.IOUtils;
import org.springframework.core.io.InputStreamResource;
import org.springframework.http.HttpHeaders;
@ -66,6 +68,7 @@ public class ReportTemplateController implements ReportTemplateResource {
private final PlaceholderClient placeholderClient;
private final AuditPersistenceService auditPersistenceService;
private final DossierAttributeConfigPersistenceService dossierAttributeConfigPersistenceService;
private final DossierTemplatePersistenceService dossierTemplatePersistenceService;
private final FileAttributeConfigPersistenceService fileAttributeConfigPersistenceService;
private final StorageService storageService;
private final ReportTemplatePersistenceService reportTemplatePersistenceService;
@ -96,9 +99,12 @@ public class ReportTemplateController implements ReportTemplateResource {
try {
if (file.getOriginalFilename() != null) {
dossierTemplatePersistenceService.checkDossierTemplateExistsOrElseThrow404(dossierTemplateId);
var cleanupName = FilenameUtils.getName(file.getOriginalFilename());
ReportTemplateUploadRequest reportTemplateUploadRequest = ReportTemplateUploadRequest.builder()
.template(file.getBytes())
.fileName(file.getOriginalFilename())
.fileName(cleanupName)
.dossierTemplateId(dossierTemplateId)
.activeByDefault(activeByDefault)
.multiFileReport(multiFileReport)

14
persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/persistence/DossierTemplatePersistenceService.java
View File

@ -7,6 +7,7 @@ import java.util.Optional;
import java.util.UUID;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.BeanUtils;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;
@ -104,6 +105,7 @@ public class DossierTemplatePersistenceService {
}
}
public void validateDossierTemplate(String name, String description) {
if (!StringUtils.isEmpty(name) && name.length() > MAX_NAME_LENGTH) {
@ -123,6 +125,7 @@ public class DossierTemplatePersistenceService {
return dossierTemplateRepository.existsByNameAndIdNot(templateName, dossierTemplateIdToIgnore);
}
@Transactional
public boolean isDossierTemplateNameNotUnique(String templateName) {
@ -150,7 +153,8 @@ public class DossierTemplatePersistenceService {
}
var now = OffsetDateTime.now();
boolean isNotInRange = !now.isAfter(dossierTemplate.getValidFrom() != null ? dossierTemplate.getValidFrom() : OffsetDateTime.MIN) || !now.isBefore(dossierTemplate.getValidTo() != null ? dossierTemplate.getValidTo() : OffsetDateTime.MAX);
boolean isNotInRange = !now.isAfter(dossierTemplate.getValidFrom() != null ? dossierTemplate.getValidFrom() : OffsetDateTime.MIN) ||
!now.isBefore(dossierTemplate.getValidTo() != null ? dossierTemplate.getValidTo() : OffsetDateTime.MAX);
if (isNotInRange) {
return DossierTemplateStatus.INACTIVE;
}
@ -180,6 +184,14 @@ public class DossierTemplatePersistenceService {
}
public void checkDossierTemplateExistsOrElseThrow404(String dossierTemplateId) {
if (!dossierTemplateRepository.existsByIdAndNotDeleted(dossierTemplateId)) {
throw new NotFoundException(String.format(DOSSIER_TEMPLATE_NOT_FOUND_MESSAGE, dossierTemplateId));
}
}
@Transactional
public List<TypeEntity> getTypesForDossierTemplate(String dossierTemplateId) {

6
persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/persistence/repository/DossierTemplateRepository.java
View File

@ -18,8 +18,14 @@ public interface DossierTemplateRepository extends JpaRepository<DossierTemplate
@Query("select d from DossierTemplateEntity d where d.id = :dossierTemplateId and d.softDeleteTime is null")
Optional<DossierTemplateEntity> findByIdAndNotDeleted(@Param("dossierTemplateId") String dossierTemplateId);
@Query("select case when exists (select 1 from DossierTemplateEntity d where d.id = :dossierTemplateId and d.softDeleteTime is null) then true else false end")
boolean existsByIdAndNotDeleted(@Param("dossierTemplateId") String dossierTemplateId);
boolean existsByName(String name);
boolean existsByNameAndIdNot(String name, String id);
}