Browse code

[security] BM-14264 Fix: Plug vulnerability reported by Synacktiv in contact app

Thomas Cataldo authored on 25/02/2019 13:48:45
Showing 4 changed files
... ...
@@ -19,6 +19,7 @@
19 19
 package net.bluemind.webmodule.uploadhandler;
20 20
 
21 21
 import java.io.File;
22
+import java.util.UUID;
22 23
 
23 24
 import org.vertx.java.core.Handler;
24 25
 import org.vertx.java.core.Vertx;
... ...
@@ -28,27 +29,38 @@ public class TemporaryUploadRepository {
28 29
 	private File rootPath;
29 30
 	private Vertx vertx;
30 31
 
32
+	public static class UniqueFile {
33
+		public final UUID uuid;
34
+		public final File file;
35
+
36
+		public UniqueFile(UUID uuid, File f) {
37
+			this.uuid = uuid;
38
+			this.file = f;
39
+		}
40
+	}
41
+
31 42
 	public TemporaryUploadRepository(Vertx vertx) {
32 43
 		this.vertx = vertx;
33 44
 		rootPath = new File("/tmp/tmpUpload");
34 45
 		rootPath.mkdirs();
35 46
 	}
36 47
 
37
-	public File createTempFile(final String uuid) {
38
-		File tmp = new File(rootPath, uuid);
48
+	public UniqueFile createTempFile() {
49
+		UUID random = UUID.randomUUID();
50
+		File tmp = new File(rootPath, random.toString());
39 51
 		// delete temp files
40 52
 		// duration 10 minutes
41 53
 		vertx.setTimer(1000 * 60 * 10, new Handler<Long>() {
42 54
 
43 55
 			@Override
44 56
 			public void handle(Long arg0) {
45
-				getTempFile(uuid).delete();
57
+				getTempFile(random).delete();
46 58
 			}
47 59
 		});
48
-		return tmp;
60
+		return new UniqueFile(random, tmp);
49 61
 	}
50 62
 
51
-	public File getTempFile(String uuid) {
52
-		return new File(rootPath, uuid);
63
+	public File getTempFile(UUID random) {
64
+		return new File(rootPath, random.toString());
53 65
 	}
54 66
 }
... ...
@@ -43,6 +43,7 @@ import org.vertx.java.core.http.HttpServerResponse;
43 43
 
44 44
 import net.bluemind.webmodule.server.NeedVertx;
45 45
 import net.bluemind.webmodule.uploadhandler.TemporaryUploadRepository;
46
+import net.bluemind.webmodule.uploadhandler.TemporaryUploadRepository.UniqueFile;
46 47
 
47 48
 public class TemporaryImageUploadAndCropHandler implements Handler<HttpServerRequest>, NeedVertx {
48 49
 	Logger logger = LoggerFactory.getLogger(TemporaryImageUploadAndCropHandler.class);
... ...
@@ -54,7 +55,14 @@ public class TemporaryImageUploadAndCropHandler implements Handler<HttpServerReq
54 55
 	public void handle(final HttpServerRequest request) {
55 56
 		request.exceptionHandler(exceptionHandler(request));
56 57
 
57
-		String file = request.params().get("uuid");
58
+		String uuidAsString = request.params().get("uuid");
59
+		UUID parsed = null;
60
+		try {
61
+			parsed = UUID.fromString(uuidAsString);
62
+		} catch (IllegalArgumentException e) {
63
+			request.response().setStatusCode(404).end();
64
+			return;
65
+		}
58 66
 		Integer xs = Integer.parseInt(request.params().get("x"));
59 67
 		Integer ys = Integer.parseInt(request.params().get("y"));
60 68
 		Integer ws = Integer.parseInt(request.params().get("w"));
... ...
@@ -62,7 +70,7 @@ public class TemporaryImageUploadAndCropHandler implements Handler<HttpServerReq
62 70
 
63 71
 		Integer sws = Integer.parseInt(request.params().get("sw"));
64 72
 		Integer shs = Integer.parseInt(request.params().get("sh"));
65
-		File f = repository.getTempFile(file);
73
+		File f = repository.getTempFile(parsed);
66 74
 
67 75
 		if (!f.exists()) {
68 76
 			request.response().setStatusCode(404);
... ...
@@ -90,15 +98,14 @@ public class TemporaryImageUploadAndCropHandler implements Handler<HttpServerReq
90 98
 			g.drawRenderedImage(img, at);
91 99
 			ByteArrayOutputStream ret = new ByteArrayOutputStream();
92 100
 			ImageIO.write(dbi, "png", ret);
93
-			final String randUuid = UUID.randomUUID().toString();
94
-			File rf = repository.createTempFile(randUuid);
95
-			vertx.fileSystem().writeFile(rf.getAbsolutePath(), new Buffer(ret.toByteArray()),
101
+			UniqueFile rf = repository.createTempFile();
102
+			vertx.fileSystem().writeFile(rf.file.getAbsolutePath(), new Buffer(ret.toByteArray()),
96 103
 					new Handler<AsyncResult<Void>>() {
97 104
 
98 105
 						@Override
99 106
 						public void handle(AsyncResult<Void> event) {
100 107
 							request.response().setStatusCode(200);
101
-							request.response().end(randUuid);
108
+							request.response().end(rf.uuid.toString());
102 109
 						}
103 110
 
104 111
 					});
... ...
@@ -46,6 +46,7 @@ import org.vertx.java.core.streams.Pump;
46 46
 
47 47
 import net.bluemind.webmodule.server.NeedVertx;
48 48
 import net.bluemind.webmodule.uploadhandler.TemporaryUploadRepository;
49
+import net.bluemind.webmodule.uploadhandler.TemporaryUploadRepository.UniqueFile;
49 50
 
50 51
 public class TemporaryImageUploadHandler implements Handler<HttpServerRequest>, NeedVertx {
51 52
 	private static final int MAX_WIDTH = 800;
... ...
@@ -60,14 +61,20 @@ public class TemporaryImageUploadHandler implements Handler<HttpServerRequest>,
60 61
 		request.exceptionHandler(exceptionHandler(request));
61 62
 
62 63
 		if (request.method().equals("GET")) {
63
-			String file = request.params().get("uuid");
64
-			File f = repository.getTempFile(file);
64
+			String uuidAsString = request.params().get("uuid");
65
+			UUID parsed = null;
66
+			try {
67
+				parsed = UUID.fromString(uuidAsString);
68
+			} catch (IllegalArgumentException e) {
69
+				request.response().setStatusCode(404).end();
70
+				return;
71
+			}
72
+			File f = repository.getTempFile(parsed);
65 73
 			if (f.exists()) {
66 74
 				request.response().sendFile(f.getAbsolutePath());
67 75
 
68 76
 			} else {
69
-				request.response().setStatusCode(404);
70
-				request.response().end();
77
+				request.response().setStatusCode(404).end();
71 78
 			}
72 79
 
73 80
 		} else {
... ...
@@ -104,16 +111,15 @@ public class TemporaryImageUploadHandler implements Handler<HttpServerRequest>,
104 111
 	}
105 112
 
106 113
 	private void doUpload(final HttpServerRequest request, final HttpServerFileUpload upload) {
107
-		final String randUuid = UUID.randomUUID().toString();
108 114
 
109
-		final File file = repository.createTempFile(randUuid);
115
+		final UniqueFile file = repository.createTempFile();
110 116
 		if (file == null) {
111 117
 			sendError("system error", request.response());
112 118
 			return;
113 119
 		}
114 120
 
115
-		logger.debug("create temp file {}", file.getAbsolutePath());
116
-		vertx.fileSystem().open(repository.getTempFile(randUuid).getPath(), new Handler<AsyncResult<AsyncFile>>() {
121
+		logger.debug("create temp file {}", file.file.getAbsolutePath());
122
+		vertx.fileSystem().open(repository.getTempFile(file.uuid).getPath(), new Handler<AsyncResult<AsyncFile>>() {
117 123
 
118 124
 			@Override
119 125
 			public void handle(AsyncResult<AsyncFile> res) {
... ...
@@ -125,7 +131,7 @@ public class TemporaryImageUploadHandler implements Handler<HttpServerRequest>,
125 131
 
126 132
 					@Override
127 133
 					public void handle(Void arg0) {
128
-						doResize(request, randUuid);
134
+						doResize(request, file.uuid);
129 135
 					}
130 136
 
131 137
 				});
... ...
@@ -137,7 +143,7 @@ public class TemporaryImageUploadHandler implements Handler<HttpServerRequest>,
137 143
 
138 144
 	}
139 145
 
140
-	private void doResize(final HttpServerRequest request, String uuid) {
146
+	private void doResize(final HttpServerRequest request, UUID uuid) {
141 147
 
142 148
 		int maxWidth = MAX_WIDTH;
143 149
 		int maxHeight = MAX_HEIGHT;
... ...
@@ -170,7 +176,7 @@ public class TemporaryImageUploadHandler implements Handler<HttpServerRequest>,
170 176
 				logger.debug("upload succeed, return 200 and uuid {}", uuid);
171 177
 				HttpServerResponse resp = request.response();
172 178
 				resp.setStatusCode(200);
173
-				resp.end(uuid);
179
+				resp.end(uuid.toString());
174 180
 				return;
175 181
 			}
176 182
 
... ...
@@ -195,16 +201,15 @@ public class TemporaryImageUploadHandler implements Handler<HttpServerRequest>,
195 201
 			ByteArrayOutputStream ret = new ByteArrayOutputStream();
196 202
 			ImageIO.write(dbi, "png", ret);
197 203
 
198
-			final String randUuid = UUID.randomUUID().toString();
199
-			File rf = repository.createTempFile(randUuid);
200
-			vertx.fileSystem().writeFile(rf.getAbsolutePath(), new Buffer(ret.toByteArray()),
204
+			UniqueFile rf = repository.createTempFile();
205
+			vertx.fileSystem().writeFile(rf.file.getAbsolutePath(), new Buffer(ret.toByteArray()),
201 206
 					new Handler<AsyncResult<Void>>() {
202 207
 
203 208
 						@Override
204 209
 						public void handle(AsyncResult<Void> event) {
205 210
 							HttpServerResponse resp = request.response();
206 211
 							resp.setStatusCode(200);
207
-							resp.end(randUuid);
212
+							resp.end(rf.uuid.toString());
208 213
 							return;
209 214
 						}
210 215
 
... ...
@@ -36,6 +36,7 @@ import org.vertx.java.core.streams.Pump;
36 36
 import net.bluemind.core.utils.JsonUtils;
37 37
 import net.bluemind.webmodule.server.NeedVertx;
38 38
 import net.bluemind.webmodule.uploadhandler.TemporaryUploadRepository;
39
+import net.bluemind.webmodule.uploadhandler.TemporaryUploadRepository.UniqueFile;
39 40
 
40 41
 public class TemporaryUploadHandler implements Handler<HttpServerRequest>, NeedVertx {
41 42
 	Logger logger = LoggerFactory.getLogger(TemporaryUploadHandler.class);
... ...
@@ -48,8 +49,15 @@ public class TemporaryUploadHandler implements Handler<HttpServerRequest>, NeedV
48 49
 		request.exceptionHandler(exceptionHandler(request));
49 50
 
50 51
 		if (request.method().equals("GET")) {
51
-			String file = request.params().get("uuid");
52
-			File f = repository.getTempFile(file);
52
+			String uuidAsString = request.params().get("uuid");
53
+			UUID parsed = null;
54
+			try {
55
+				parsed = UUID.fromString(uuidAsString);
56
+			} catch (IllegalArgumentException e) {
57
+				request.response().setStatusCode(404).end();
58
+				return;
59
+			}
60
+			File f = repository.getTempFile(parsed);
53 61
 			if (f.exists()) {
54 62
 				sendFile(request, f);
55 63
 			} else {
... ...
@@ -124,16 +132,14 @@ public class TemporaryUploadHandler implements Handler<HttpServerRequest>, NeedV
124 132
 	}
125 133
 
126 134
 	private void doUpload(final HttpServerRequest request, final HttpServerFileUpload upload) {
127
-		final String randUuid = UUID.randomUUID().toString();
128
-
129
-		final File file = repository.createTempFile(randUuid);
135
+		final UniqueFile file = repository.createTempFile();
130 136
 		if (file == null) {
131 137
 			sendError("system error", request.response());
132 138
 			return;
133 139
 		}
134 140
 
135
-		logger.debug("create temp file {}", file.getAbsolutePath());
136
-		vertx.fileSystem().open(repository.getTempFile(randUuid).getPath(), new Handler<AsyncResult<AsyncFile>>() {
141
+		logger.debug("create temp file {}", file.file.getAbsolutePath());
142
+		vertx.fileSystem().open(repository.getTempFile(file.uuid).getPath(), new Handler<AsyncResult<AsyncFile>>() {
137 143
 
138 144
 			@Override
139 145
 			public void handle(AsyncResult<AsyncFile> res) {
... ...
@@ -145,11 +151,11 @@ public class TemporaryUploadHandler implements Handler<HttpServerRequest>, NeedV
145 151
 
146 152
 					@Override
147 153
 					public void handle(Void arg0) {
148
-						doResize(request, randUuid);
149
-						logger.debug("upload succeed, return 200 and uuid {}", randUuid);
154
+						doResize(request, file.uuid);
155
+						logger.debug("upload succeed, return 200 and uuid {}", file.uuid);
150 156
 						HttpServerResponse resp = request.response();
151 157
 						resp.setStatusCode(200);
152
-						resp.end(randUuid);
158
+						resp.end(file.uuid.toString());
153 159
 					}
154 160
 
155 161
 				});
... ...
@@ -161,9 +167,9 @@ public class TemporaryUploadHandler implements Handler<HttpServerRequest>, NeedV
161 167
 
162 168
 	}
163 169
 
164
-	private void doResize(HttpServerRequest request, String randUuid) {
165
-		// TODO Auto-generated method stub
166
-
170
+	@SuppressWarnings("unused")
171
+	private void doResize(HttpServerRequest request, UUID randUuid) {
172
+		// no need to resize
167 173
 	}
168 174
 
169 175
 	private void sendError(String message, HttpServerResponse response) {