Fix security hotspots complains
[oam/nf-oam-adopter.git] / ves-nf-oam-adopter / ves-nf-oam-adopter-pm-manager / src / main / java / org / o / ran / oam / nf / oam / adopter / pm / rest / manager / mapper / PerformanceManagementFile2VesMapper.java
index 6036a93..0d40c7b 100644 (file)
@@ -47,6 +47,9 @@ public class PerformanceManagementFile2VesMapper {
 
     private static final String CSV_EXTENSION = ".csv";
     private final PerformanceManagementMapperConfigProvider pmConfigProvider;
+    private static final int THRESHOLD_SIZE  = 1000000000; // 1 GB
+    private static final int THRESHOLD_RATIO = 10;
+    private static final int THRESHOLD_ENTRIES = 10000;
 
     @Autowired
     public PerformanceManagementFile2VesMapper(final PerformanceManagementMapperConfigProvider pmConfigProvider) {
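Review bot: The three limits added here carry no unit or rationale, and THRESHOLD_SIZE is an int although it is compared against a sum of long entry sizes in the next hunk. I would declare it as `private static final long THRESHOLD_SIZE = 1_000_000_000L; // bytes of declared uncompressed data per archive` and add one-line comments saying that THRESHOLD_RATIO is uncompressed/compressed size and THRESHOLD_ENTRIES is entries per archive. A ratio of 10 may be low for CSV text, which usually compresses well, so it is worth checking against real PM archives before this rejects legitimate uploads. The constants also sit after the instance field; grouping them with CSV_EXTENSION keeps the statics together.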
@@ -65,12 +68,31 @@ public class PerformanceManagementFile2VesMapper {
         LOG.info("Converting ZIP files to VES Message started");
         final List<CommonEventFormat302ONAP> listOfNotifications = new ArrayList<>();
         final CsvSchema schema = CsvSchema.emptySchema().withHeader();
-        final CsvMapper mapper = new CsvMapper();
+        final var mapper = new CsvMapper();
         mapper.configure(JsonParser.Feature.AUTO_CLOSE_SOURCE, false);
         try {
             ZipEntry entry;
-            final VesMappingConfiguration mappingConfiguration = pmConfigProvider.getVesMappingConfiguration();
+            final var mappingConfiguration = pmConfigProvider.getVesMappingConfiguration();
+            var totalSizeEntry = 0;
+            var totalEntryArchive = 0;
             while ((entry = zipInputStream.getNextEntry()) != null) {
+                final var size = entry.getSize();
+                totalEntryArchive++;
+                totalSizeEntry += size;
+                if (totalSizeEntry > THRESHOLD_SIZE || size == -1) {
+                    throw new IllegalStateException("File to be unzipped too big.");
+                }
+
+                final long compressionRatio = totalSizeEntry / entry.getCompressedSize();
+                if (compressionRatio > THRESHOLD_RATIO) {
+                    return Single.error(new Exception("Wrong file type, threshold to high."));
+                }
+
+                if (totalEntryArchive > THRESHOLD_ENTRIES) {
+                    // too much entries in this archive, can lead to inodes exhaustion of the system
+                    return Single.error(new Exception("Too many files"));
+                }
+
                 final String entryName = entry.getName();
                 if (!entryName.endsWith(CSV_EXTENSION)) {
                     return Single.error(new Exception("Wrong file type :" + entryName));
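Review bot: The ratio check divides the running total `totalSizeEntry` by the current entry's `getCompressedSize()`, so an archive of many ordinary CSV files exceeds THRESHOLD_RATIO after a handful of entries, and an entry whose compressed size is 0 raises ArithmeticException. `var totalSizeEntry = 0` is an int, so `totalSizeEntry += size` silently narrows the long and can wrap negative, and the `size == -1` test runs only after -1 has already been added. These sizes are the values declared in the entry header, so the check bounds what the archive claims rather than what is actually inflated; counting the bytes read from `zipInputStream` would be the stronger limit. The while loop and its try block continue outside the hunk, and the first rejection throws while the other two return `Single.error`, which is worth making uniform once the catch clauses are checked.

```java
long totalSizeEntry = 0L;
var totalEntryArchive = 0;
while ((entry = zipInputStream.getNextEntry()) != null) {
    final long size = entry.getSize();
    final long compressedSize = entry.getCompressedSize();
    totalEntryArchive++;
    // Reject an unknown size before it reaches the running total.
    if (size < 0 || size > THRESHOLD_SIZE - totalSizeEntry) {
        throw new IllegalStateException("File to be unzipped too big.");
    }
    totalSizeEntry += size;

    // Ratio of this entry alone; compressedSize is -1 when unknown and 0 for an empty entry.
    if (size > 0 && (compressedSize <= 0 || size / compressedSize > THRESHOLD_RATIO)) {
        return Single.error(new Exception("Wrong file type, threshold to high."));
    }
    // … unchanged: THRESHOLD_ENTRIES check and CSV extension check …
```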
@@ -81,7 +103,7 @@ public class PerformanceManagementFile2VesMapper {
                 final List<List<Event>> mappedEvents = toEvent(mappingConfiguration, hostIp, iterator);
 
                 mappedEvents.forEach(mapped -> {
-                    final CommonEventFormat302ONAP eventFormat = new CommonEventFormat302ONAP();
+                    final var eventFormat = new CommonEventFormat302ONAP();
                     eventFormat.setEventList(mapped);
                     listOfNotifications.add(eventFormat);
                 });
@@ -103,15 +125,15 @@ public class PerformanceManagementFile2VesMapper {
             final Iterator<Map<String, String>> iterator) {
         final List<List<Event>> globalList = new ArrayList<>();
         final int batchSize = mappingConfiguration.getBatchSize();
-        int sequence = 0;
+        var sequence = 0;
         List<Event> events = new ArrayList<>();
         final CsvConfiguration csv = mappingConfiguration.getCsv();
         while (iterator.hasNext()) {
-            final Event event = new Event();
-            final Map<String, String> record = iterator.next();
-            event.setCommonEventHeader(
-                    CommonEventHeaderHandler.toCommonEventHeader(mappingConfiguration, hostIp, csv, record, sequence));
-            event.setMeasurementFields(MeasurementFieldsHandler.toMeasurementFields(mappingConfiguration, record));
+            final var event = new Event();
+            final Map<String, String> recordMap = iterator.next();
+            event.setCommonEventHeader(CommonEventHeaderHandler.toCommonEventHeader(mappingConfiguration, hostIp, csv,
+                recordMap,  sequence));
+            event.setMeasurementFields(MeasurementFieldsHandler.toMeasurementFields(mappingConfiguration, recordMap));
             events.add(event);
             sequence++;
             if (sequence % batchSize == 0) {