inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-10-08 14:51:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merged 5.1.N (5.1.1) to HEAD (5.1)

Browse Source 
116289 amukha: ACE-4513: Merged 5.0.N (5.0.3) to 5.1.N (5.1.1)
      116284 amukha: MNT-15091: Merged V4.2-BUG-FIX (4.2.6) to 5.0.N (5.0.3)
         116280 amukha: MNT-15090: Merged DEV to V4.2-BUG-FIX (4.2.6)
            115799: MNT-15075 : [Pentest 121015] ZIP extraction code execution
               Fix and test


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@116583 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Alex Mukha
2015-11-09 11:51:52 +00:00
parent b9ad98ba62
commit cdefbd2bf1
4 changed files with 129 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
source/java/org/alfresco/repo/action/executer/ImporterActionExecuter.java
View File

@@ -69,6 +69,7 @@ public class ImporterActionExecuter extends ActionExecuterAbstractBase
public static final String NAME = "import";
public static final String PARAM_ENCODING = "encoding";
public static final String PARAM_DESTINATION_FOLDER = "destination";
public static final String ARCHIVE_CONTAINS_SUSPICIOUS_PATHS_ERROR = "Archive contains suspicious paths. Please review it's contents and make sure it doesn't contain entries with absolute paths or paths containing references to the parent folder (i.e. \"..\")";
private static final int BUFFER_SIZE = 16384;
private static final String TEMP_FILE_PREFIX = "alf";
@@ -348,6 +349,12 @@ public class ImporterActionExecuter extends ActionExecuterAbstractBase
{
fileName = entry.getName();
fileName = fileName.replace('/', File.separatorChar);
if (fileName.startsWith("/") || fileName.indexOf(":" + File.separator) == 1 || fileName.contains(".." + File.separator))
{
throw new AlfrescoRuntimeException(ARCHIVE_CONTAINS_SUSPICIOUS_PATHS_ERROR);
}
destFileName = extractDir + fileName;
File destFile = new File(destFileName);
String parent = destFile.getParent();

4
source/test-java/org/alfresco/repo/action/ActionTestSuite.java
View File

@@ -1,5 +1,5 @@
/*
* Copyright (C) 2005-2013 Alfresco Software Limited.
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
@@ -25,6 +25,7 @@ import org.alfresco.repo.action.evaluator.IsSubTypeEvaluatorTest;
import org.alfresco.repo.action.executer.AddFeaturesActionExecuterTest;
import org.alfresco.repo.action.executer.ContentMetadataEmbedderTest;
import org.alfresco.repo.action.executer.ContentMetadataExtracterTest;
import org.alfresco.repo.action.executer.ImporterActionExecuterTest;
import org.alfresco.repo.action.executer.MailActionExecuterTest;
import org.alfresco.repo.action.executer.RemoveFeaturesActionExecuterTest;
import org.alfresco.repo.action.executer.SetPropertyValueActionExecuterTest;
@@ -67,6 +68,7 @@ import org.junit.runners.Suite.SuiteClasses;
ActionTrackingServiceImplTest.class, // intermittent - pending ALF-9773 & ALF-9774
MailActionExecuterTest.class,
ActionServiceImpl2Test.class,
ImporterActionExecuterTest.class
})
public class ActionTestSuite
{

119
source/test-java/org/alfresco/repo/action/executer/ImporterActionExecuterTest.java Normal file
View File

@@ -0,0 +1,119 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.repo.action.executer;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import java.io.File;
import java.io.IOException;
import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.model.ContentModel;
import org.alfresco.repo.action.ActionImpl;
import org.alfresco.repo.content.MimetypeMap;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.transaction.RetryingTransactionHelper;
import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback;
import org.alfresco.service.ServiceRegistry;
import org.alfresco.service.cmr.action.Action;
import org.alfresco.service.cmr.repository.ContentData;
import org.alfresco.service.cmr.repository.ContentService;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.repository.StoreRef;
import org.alfresco.service.namespace.QName;
import org.alfresco.util.GUID;
import org.alfresco.util.test.junitrules.ApplicationContextInit;
import org.junit.Test;
/**
* This class contains tests for {@link ImporterActionExecuter}.
*
* @author abalmus
*/
public class ImporterActionExecuterTest
{
@Test
public void testImportArchiveWithSuspiciousPaths() throws IOException
{
final ApplicationContextInit applicationContextInit = new ApplicationContextInit();
final ServiceRegistry serviceRegistry = (ServiceRegistry) applicationContextInit.getApplicationContext().getBean(ServiceRegistry.SERVICE_REGISTRY);
final NodeService nodeService = serviceRegistry.getNodeService();
final ContentService contentService = serviceRegistry.getContentService();
final RetryingTransactionHelper retryingTransactionHelper = serviceRegistry.getTransactionService().getRetryingTransactionHelper();
final File file = new File("./source/test-resources/import-archive-test/SuspiciousPathsArchive.zip");
retryingTransactionHelper.doInTransaction(new RetryingTransactionCallback<Void>()
{
public Void execute()
{
AuthenticationUtil.setRunAsUserSystem();
StoreRef storeRef = nodeService.createStore(StoreRef.PROTOCOL_WORKSPACE, "Test_" + System.nanoTime());
NodeRef rootNodeRef = nodeService.getRootNode(storeRef);
NodeRef zipFileNodeRef = nodeService.createNode(rootNodeRef, ContentModel.ASSOC_CHILDREN,
QName.createQName("http://www.alfresco.org/test/ImporterActionExecuterTest", "testAssocQName1"),
ContentModel.TYPE_CONTENT).getChildRef();
NodeRef targetFolderNodeRef = nodeService.createNode(rootNodeRef, ContentModel.ASSOC_CHILDREN,
QName.createQName("http://www.alfresco.org/test/ImporterActionExecuterTest", "testAssocQName2"),
ContentModel.TYPE_FOLDER).getChildRef();
contentService.getWriter(zipFileNodeRef, ContentModel.PROP_CONTENT, true).putContent(file);
ContentData contentData = (ContentData) nodeService.getProperty(zipFileNodeRef, ContentModel.PROP_CONTENT);
ContentData newContentData = ContentData.setMimetype(contentData, MimetypeMap.MIMETYPE_ZIP);
nodeService.setProperty(zipFileNodeRef, ContentModel.PROP_CONTENT, newContentData);
Action action = new ActionImpl(zipFileNodeRef, GUID.generate(), "ImporterActionExecuterTestActionDefinition");
action.setParameterValue(ImporterActionExecuter.PARAM_DESTINATION_FOLDER, targetFolderNodeRef);
action.setParameterValue(ImporterActionExecuter.PARAM_ENCODING, "UTF-8");
ImporterActionExecuter executer = new ImporterActionExecuter();
executer.setNodeService(nodeService);
executer.setContentService(contentService);
try
{
executer.execute(action, zipFileNodeRef);
fail("An AlfrescoRuntimeException should have occured.");
}
catch (AlfrescoRuntimeException e)
{
assertTrue(e.getMessage().contains(ImporterActionExecuter.ARCHIVE_CONTAINS_SUSPICIOUS_PATHS_ERROR));
}
finally
{
nodeService.deleteNode(targetFolderNodeRef);
nodeService.deleteNode(zipFileNodeRef);
nodeService.deleteStore(storeRef);
AuthenticationUtil.clearCurrentSecurityContext();
}
return null;
}
});
}
}

BIN
source/test-resources/import-archive-test/SuspiciousPathsArchive.zip Normal file
View File

Binary file not shown.