Restrict protocols available at project creation. Closes #4918. (#4919)
wetneb committed Jun 6, 2022
1 parent 3342bc2 commit 8cb2fec
Showing 2 changed files with 56 additions and 0 deletions.
7 changes: 7 additions & 0 deletions main/src/com/google/refine/importing/ImportingUtilities.java
Expand Up @@ -48,6 +48,7 @@ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
import java.nio.file.Path;
import java.text.NumberFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
Expand Down Expand Up @@ -96,6 +97,8 @@ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
public class ImportingUtilities {
final static protected Logger logger = LoggerFactory.getLogger("importing-utilities");

final public static List<String> allowedProtocols = Arrays.asList("http", "https", "ftp", "sftp");

static public interface Progress {
public void setProgress(String message, int percent);
public boolean isCanceled();
Expand Down Expand Up @@ -262,6 +265,10 @@ public void update(long bytesRead, long contentLength, int itemCount) {
String urlString = Streams.asString(stream);
URL url = new URL(urlString);

if (!allowedProtocols.contains(url.getProtocol().toLowerCase())) {
throw new IOException("Unsupported protocol: " + url.getProtocol());
}

ObjectNode fileRecord = ParsingUtilities.mapper.createObjectNode();
JSONUtilities.safePut(fileRecord, "origin", "download");
JSONUtilities.safePut(fileRecord, "url", urlString);
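Review bot: The allowlist added in the second hunk, `final public static List<String> allowedProtocols = Arrays.asList(...)`, is a public array-backed list, so any caller can still `set()` an element and change which schemes pass the check. Wrapping it makes the policy read-only: `Collections.unmodifiableList(Arrays.asList("http", "https", "ftp", "sftp"))` (`Collections` is already imported, as the first hunk's context shows). In the third hunk, `url.getProtocol().toLowerCase()` depends on the default locale; `toLowerCase(Locale.ROOT)` keeps the comparison locale-independent, and needs `java.util.Locale` imported if it is not already. The check covers only the scheme of the submitted URL, and the code that performs the download is outside these hunks, so it is worth confirming there that redirects cannot lead to a scheme outside the list and adding a comment that the host is not restricted here. The enclosing method starts and ends outside the hunk.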
Expand Up @@ -170,6 +170,55 @@ public boolean isCanceled() {
}
}

@Test
public void urlImportingInvalidProtocol() throws IOException {

String url = "file:///etc/passwd";
String message = "Unsupported protocol: file";

MultipartEntityBuilder builder = MultipartEntityBuilder.create();
StringBody stringBody = new StringBody(url.toString(), ContentType.MULTIPART_FORM_DATA);
builder = builder.addPart("download", stringBody);
HttpEntity entity = builder.build();

ByteArrayOutputStream os = new ByteArrayOutputStream();
entity.writeTo(os);
ByteArrayInputStream is = new ByteArrayInputStream(os.toByteArray());

HttpServletRequest req = mock(HttpServletRequest.class);
when(req.getContentType()).thenReturn(entity.getContentType());
when(req.getParameter("download")).thenReturn(url.toString());
when(req.getMethod()).thenReturn("POST");
when(req.getContentLength()).thenReturn((int) entity.getContentLength());
when(req.getInputStream()).thenReturn(new MockServletInputStream(is));

ImportingJob job = ImportingManager.createJob();
Properties parameters = ParsingUtilities.parseUrlParameters(req);
ObjectNode retrievalRecord = ParsingUtilities.mapper.createObjectNode();
ObjectNode progress = ParsingUtilities.mapper.createObjectNode();
try {
ImportingUtilities.retrieveContentFromPostRequest(req, parameters, job.getRawDataDir(), retrievalRecord,
new ImportingUtilities.Progress() {

@Override
public void setProgress(String message, int percent) {
if (message != null) {
JSONUtilities.safePut(progress, "message", message);
}
JSONUtilities.safePut(progress, "percent", percent);
}

@Override
public boolean isCanceled() {
return job.canceled;
}
});
fail("No Exception was thrown");
} catch (Exception exception) {
assertEquals(exception.getMessage(), message);
}
}

public static class MockServletInputStream extends ServletInputStream {

private final InputStream delegate;
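Review bot: The `catch (Exception exception)` in `urlImportingInvalidProtocol` accepts any exception type whose message happens to match, so the test does not pin the `IOException` that the new check throws. Prefer `catch (IOException exception)`, widening the method's `throws` clause if `retrieveContentFromPostRequest` declares other checked exceptions. Only a lowercase `file:` URL is exercised; a second case with an upper-case scheme (constructed sample: `FILE:///etc/passwd`) would cover the `toLowerCase()` normalisation, and a positive case would show that an allowed scheme is not rejected by the check. The `url.toString()` calls are redundant because `url` is already a `String`. The hunk ends inside `MockServletInputStream`, which continues outside the visible lines.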
