Security hotspot on ZipInputStream: use the apache-compress library.
Issue-ID: NONRTRIC-910
Signed-off-by: aravind.est <aravindhan.a@est.tech>
Change-Id: I6a5725816f7ed3a97ab4a2c1c62098da8defd5bf
<slf4j.version>2.0.7</slf4j.version>
<apache.httpcore.version>4.3.2</apache.httpcore.version>
<exec-maven-plugin.version>3.1.0</exec-maven-plugin.version>
<slf4j.version>2.0.7</slf4j.version>
<apache.httpcore.version>4.3.2</apache.httpcore.version>
<exec-maven-plugin.version>3.1.0</exec-maven-plugin.version>
+ <apache.compress.version>1.22</apache.compress.version>
</properties>
<build>
<plugins>
</properties>
<build>
<plugins>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
+ <dependency>
+ <groupId>org.apache.commons</groupId>
+ <artifactId>commons-compress</artifactId>
+ <version>${apache.compress.version}</version>
+ </dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
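Review bot: The new dependency is pinned to 1.22 via `<apache.compress.version>1.22</apache.compress.version>`, and since this change is motivated by a security hotspot the pin deserves a second look: later commons-compress releases have shipped security fixes for archive parsing since 1.22, so the version should be a current release and confirmed against the project's dependency vulnerability scan. It is also worth stating in the commit message that the library is added in main (not test) scope, because it now parses uploaded CSAR content and so becomes part of the runtime parsing surface.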
import java.util.function.Predicate;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
import java.util.function.Predicate;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
-import java.util.zip.ZipInputStream;
+import org.apache.commons.compress.archivers.ArchiveEntry;
+import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Service;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Service;
}
boolean isFileExistsInCsar(MultipartFile multipartFile, String fileLocation) {
}
boolean isFileExistsInCsar(MultipartFile multipartFile, String fileLocation) {
- try (ZipInputStream zipInputStream = new ZipInputStream(multipartFile.getInputStream())) {
- ZipEntry zipEntry;
- while ((zipEntry = zipInputStream.getNextEntry()) != null) {
+ try (ZipArchiveInputStream zipArchiveInputStream = new ZipArchiveInputStream(multipartFile.getInputStream())) {
+ ArchiveEntry zipEntry;
+ while ((zipEntry = zipArchiveInputStream.getNextEntry()) != null) {
if (zipEntry.getName().matches(fileLocation)) {
return Boolean.TRUE;
}
if (zipEntry.getName().matches(fileLocation)) {
return Boolean.TRUE;
}
ByteArrayOutputStream getFileFromCsar(File csarFile, String fileLocation) {
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
try (FileInputStream fileInputStream = new FileInputStream(csarFile);
ByteArrayOutputStream getFileFromCsar(File csarFile, String fileLocation) {
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
try (FileInputStream fileInputStream = new FileInputStream(csarFile);
- ZipInputStream zipInputStream = new ZipInputStream(fileInputStream)) {
- ZipEntry entry;
- while ((entry = zipInputStream.getNextEntry()) != null) {
+ ZipArchiveInputStream zipArchiveInputStream = new ZipArchiveInputStream(fileInputStream)) {
+ ArchiveEntry entry;
+ while ((entry = zipArchiveInputStream.getNextEntry()) != null) {
if (!entry.isDirectory() && entry.getName().equals(fileLocation)) {
byte[] buffer = new byte[1024];
int bytesRead;
if (!entry.isDirectory() && entry.getName().equals(fileLocation)) {
byte[] buffer = new byte[1024];
int bytesRead;
- while ((bytesRead = zipInputStream.read(buffer)) != -1) {
+ while ((bytesRead = zipArchiveInputStream.read(buffer)) != -1) {
byteArrayOutputStream.write(buffer, 0, bytesRead);
}
}
byteArrayOutputStream.write(buffer, 0, bytesRead);
}
}
File csarFile = getCsarFile(rapp);
if (csarFile.exists()) {
rappResources.setAcm(RappResources.ACMResources.builder().compositionDefinitions(
File csarFile = getCsarFile(rapp);
if (csarFile.exists()) {
rappResources.setAcm(RappResources.ACMResources.builder().compositionDefinitions(
- getFileListFromCsar(csarFile, ACM_DEFINITION_LOCATION).get(0))
- .compositionInstances(getFileListFromCsar(csarFile, ACM_INSTANCES_LOCATION))
- .build());
- rappResources.setSme(RappResources.SMEResources.builder()
- .providerFunctions(getFileListFromCsar(csarFile,
- SME_PROVIDER_FUNCS_LOCATION))
+ getFileListFromCsar(csarFile, ACM_DEFINITION_LOCATION).get(0)).compositionInstances(
+ getFileListFromCsar(csarFile, ACM_INSTANCES_LOCATION)).build());
+ rappResources.setSme(RappResources.SMEResources.builder().providerFunctions(
+ getFileListFromCsar(csarFile, SME_PROVIDER_FUNCS_LOCATION))
.serviceApis(getFileListFromCsar(csarFile, SME_SERVICE_APIS_LOCATION))
.invokers(getFileListFromCsar(csarFile, SME_INVOKERS_LOCATION)).build());
}
.serviceApis(getFileListFromCsar(csarFile, SME_SERVICE_APIS_LOCATION))
.invokers(getFileListFromCsar(csarFile, SME_INVOKERS_LOCATION)).build());
}
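Review bot: The new read loop in getFileFromCsar still copies the matching entry into `byteArrayOutputStream` with no bound on the total number of bytes, so replacing `ZipInputStream` with `ZipArchiveInputStream` does not by itself address the usual hotspot on archive expansion (uncontrolled decompressed size); the same applies to the unbounded entry walk in isFileExistsInCsar. A minimal guard inside the loop would be `if (byteArrayOutputStream.size() + bytesRead > MAX_CSAR_ENTRY_BYTES) {` / `throw new IllegalStateException("CSAR entry " + fileLocation + " exceeds the configured size limit");` / `}` with `MAX_CSAR_ENTRY_BYTES` a new constant sized for the largest legitimate descriptor file. `java.util.zip.ZipFile` and `ZipEntry` remain imported, which suggests the other archive reads in this class still go through java.util.zip; if the intent is to route all CSAR parsing through commons-compress, those paths presumably need the same treatment. The body of getFileFromCsar continues outside the hunk, so the method's return and error handling were not visible for this review.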