Merge pull request from GHSA-4m48-49h7-f3c4

fix(sec): API fix duplicates GHSA-4m48-49h7-f3c4 (2.6)

bbb-common-web/build.sbt

@@ -112,5 +112,7 @@ libraryDependencies ++= Seq(
   "com.zaxxer" % "HikariCP" % "4.0.3",
   "commons-validator" % "commons-validator" % "1.7",
   "org.apache.tika" % "tika-core" % "2.8.0",
-  "org.apache.tika" % "tika-parsers-standard-package" % "2.8.0"
+  "org.apache.tika" % "tika-parsers-standard-package" % "2.8.0",
+  "org.scala-lang.modules" %% "scala-xml" % "2.2.0",
+  "jakarta.ws.rs" % "jakarta.ws.rs-api" % "3.1.0"
 )

bbb-common-web/src/main/java/org/bigbluebutton/api/model/constraint/PostChecksumConstraint.java → bbb-common-web/src/main/java/org/bigbluebutton/api/model/constraint/ContentTypeConstraint.java

@@ -1,22 +1,22 @@
-package org.bigbluebutton.api.model.constraint;
-
-import org.bigbluebutton.api.model.validator.PostChecksumValidator;
-
-import javax.validation.Constraint;
-import javax.validation.Payload;
-import java.lang.annotation.Retention;
-import java.lang.annotation.Target;
-
-import static java.lang.annotation.ElementType.TYPE;
-import static java.lang.annotation.RetentionPolicy.RUNTIME;
-
-@Constraint(validatedBy = PostChecksumValidator.class)
-@Target(TYPE)
-@Retention(RUNTIME)
-public @interface PostChecksumConstraint {
-
-    String key() default "checksumError";
-    String message() default "Checksums do not match";
-    Class<?>[] groups() default {};
-    Class<? extends Payload>[] payload() default {};
-}
+package org.bigbluebutton.api.model.constraint;
+
+import org.bigbluebutton.api.model.validator.ContentTypeValidator;
+
+import javax.validation.Constraint;
+import javax.validation.Payload;
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+
+import static java.lang.annotation.ElementType.TYPE;
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+
+@Constraint(validatedBy = ContentTypeValidator.class)
+@Target(TYPE)
+@Retention(RUNTIME)
+public @interface ContentTypeConstraint {
+
+    String key() default "unsupportedContentType";
+    String message() default "POST request Content-Type is missing or unsupported";
+    Class<?>[] groups() default {};
+    Class<? extends Payload>[] payload() default {};
+}

bbb-common-web/src/main/java/org/bigbluebutton/api/model/request/CreateMeeting.java

@@ -1,12 +1,16 @@
 package org.bigbluebutton.api.model.request;
 
+import jakarta.ws.rs.core.MediaType;
 import org.bigbluebutton.api.model.constraint.*;
 import org.bigbluebutton.api.model.shared.Checksum;
 
+import javax.servlet.http.HttpServletRequest;
 import javax.validation.constraints.NotEmpty;
 import javax.validation.constraints.NotNull;
 import java.util.Map;
+import java.util.Set;
 
+@ContentTypeConstraint
 public class CreateMeeting extends RequestWithChecksum<CreateMeeting.Params> {
 
     public enum Params implements RequestParameters {
@@ -51,8 +55,8 @@ public enum Params implements RequestParameters {
     private String recordString;
     private Boolean record;
 
-    public CreateMeeting(Checksum checksum) {
-        super(checksum);
+    public CreateMeeting(Checksum checksum, HttpServletRequest servletRequest) {
+        super(checksum, servletRequest);
     }
 
     public String getName() {
@@ -138,4 +142,9 @@ public void convertParamsFromString() {
         isBreakoutRoom = Boolean.parseBoolean(isBreakoutRoomString);
         record = Boolean.parseBoolean(recordString);
     }
+
+    @Override
+    public Set<String> getSupportedContentTypes() {
+        return Set.of(MediaType.APPLICATION_FORM_URLENCODED, MediaType.MULTIPART_FORM_DATA, MediaType.APPLICATION_XML, MediaType.TEXT_XML);
+    }
 }

bbb-common-web/src/main/java/org/bigbluebutton/api/model/request/EndMeeting.java

@@ -1,16 +1,16 @@
 package org.bigbluebutton.api.model.request;
 
-import org.bigbluebutton.api.model.constraint.MeetingExistsConstraint;
-import org.bigbluebutton.api.model.constraint.MeetingIDConstraint;
-import org.bigbluebutton.api.model.constraint.NotEmpty;
-import org.bigbluebutton.api.model.constraint.PasswordConstraint;
+import org.bigbluebutton.api.model.constraint.*;
 import org.bigbluebutton.api.model.shared.Checksum;
 import org.bigbluebutton.api.model.shared.ModeratorPassword;
 import org.bigbluebutton.api.model.shared.Password;
 
+import javax.servlet.http.HttpServletRequest;
 import javax.validation.Valid;
 import java.util.Map;
+import java.util.Set;
 
+@ContentTypeConstraint
 public class EndMeeting extends RequestWithChecksum<EndMeeting.Params> {
 
     public enum Params implements RequestParameters {
@@ -34,8 +34,8 @@ public enum Params implements RequestParameters {
     @Valid
     private Password moderatorPassword;
 
-    public EndMeeting(Checksum checksum) {
-        super(checksum);
+    public EndMeeting(Checksum checksum, HttpServletRequest servletRequest) {
+        super(checksum, servletRequest);
         moderatorPassword = new ModeratorPassword();
     }
 

bbb-common-web/src/main/java/org/bigbluebutton/api/model/request/Enter.java

@@ -1,11 +1,16 @@
 package org.bigbluebutton.api.model.request;
 
+import jakarta.ws.rs.core.MediaType;
 import org.bigbluebutton.api.model.constraint.*;
 import org.bigbluebutton.api.service.SessionService;
+
+import javax.servlet.http.HttpServletRequest;
 import javax.validation.constraints.NotNull;
 import java.util.Map;
+import java.util.Set;
 
-public class Enter implements Request<Enter.Params> {
+@ContentTypeConstraint
+public class Enter extends RequestWithSession<Enter.Params>{
 
     public enum Params implements RequestParameters {
         SESSION_TOKEN("sessionToken");
@@ -27,7 +32,8 @@ public enum Params implements RequestParameters {
 
     private SessionService sessionService;
 
-    public Enter() {
+    public Enter(HttpServletRequest servletRequest) {
+        super(servletRequest);
         sessionService = new SessionService();
     }
 

bbb-common-web/src/main/java/org/bigbluebutton/api/model/request/GetJoinUrl.java

@@ -2,9 +2,10 @@
 
 import org.bigbluebutton.api.model.constraint.UserSessionConstraint;
 
+import javax.servlet.http.HttpServletRequest;
 import java.util.Map;
 
-public class GetJoinUrl implements Request<GetJoinUrl.Params> {
+public class GetJoinUrl extends RequestWithSession<GetJoinUrl.Params> {
 
     public enum Params implements RequestParameters {
         SESSION_TOKEN("sessionToken");
@@ -19,6 +20,10 @@ public enum Params implements RequestParameters {
     @UserSessionConstraint
     private String sessionToken;
 
+    public GetJoinUrl(HttpServletRequest servletRequest) {
+        super(servletRequest);
+    }
+
     public String getSessionToken() {
         return sessionToken;
     }

bbb-common-web/src/main/java/org/bigbluebutton/api/model/request/GuestWait.java

@@ -1,14 +1,17 @@
 package org.bigbluebutton.api.model.request;
 
+import org.bigbluebutton.api.model.constraint.ContentTypeConstraint;
 import org.bigbluebutton.api.model.constraint.MeetingEndedConstraint;
 import org.bigbluebutton.api.model.constraint.MeetingExistsConstraint;
 import org.bigbluebutton.api.model.constraint.UserSessionConstraint;
 import org.bigbluebutton.api.service.SessionService;
 
+import javax.servlet.http.HttpServletRequest;
 import javax.validation.constraints.NotNull;
 import java.util.Map;
 
-public class GuestWait implements Request<GuestWait.Params> {
+@ContentTypeConstraint
+public class GuestWait extends RequestWithSession<GuestWait.Params>{
 
     public enum Params implements RequestParameters {
         SESSION_TOKEN("sessionToken");
@@ -29,7 +32,8 @@ public enum Params implements RequestParameters {
 
     private SessionService sessionService;
 
-    public GuestWait() {
+    public GuestWait(HttpServletRequest servletRequest) {
+        super(servletRequest);
         sessionService = new SessionService();
     }
 

bbb-common-web/src/main/java/org/bigbluebutton/api/model/request/InsertDocument.java

@@ -1,11 +1,14 @@
 package org.bigbluebutton.api.model.request;
 
+import jakarta.ws.rs.core.MediaType;
 import org.bigbluebutton.api.model.constraint.*;
 import org.bigbluebutton.api.model.shared.Checksum;
 
+import javax.servlet.http.HttpServletRequest;
 import java.util.Map;
+import java.util.Set;
 
-
+@ContentTypeConstraint
 public class InsertDocument extends RequestWithChecksum<InsertDocument.Params> {
 
     public enum Params implements RequestParameters {
@@ -21,8 +24,8 @@ public enum Params implements RequestParameters {
     @MeetingIDConstraint
     private String meetingID;
 
-    public InsertDocument(Checksum checksum) {
-        super(checksum);
+    public InsertDocument(Checksum checksum, HttpServletRequest servletRequest) {
+        super(checksum, servletRequest);
     }
 
     public String getMeetingID() {
@@ -37,4 +40,9 @@ public void setMeetingID(String meetingID) {
     public void populateFromParamsMap(Map<String, String[]> params) {
         if(params.containsKey(Params.MEETING_ID.getValue())) setMeetingID(params.get(Params.MEETING_ID.getValue())[0]);
     }
+
+    @Override
+    public Set<String> getSupportedContentTypes() {
+        return Set.of(MediaType.APPLICATION_XML, MediaType.TEXT_XML);
+    }
 }

bbb-common-web/src/main/java/org/bigbluebutton/api/model/request/JoinMeeting.java

@@ -5,9 +5,11 @@
 import org.bigbluebutton.api.model.shared.JoinPassword;
 import org.bigbluebutton.api.model.shared.Password;
 
+import javax.servlet.http.HttpServletRequest;
 import javax.validation.Valid;
 import java.util.Map;
 
+@ContentTypeConstraint
 public class JoinMeeting extends RequestWithChecksum<JoinMeeting.Params> {
 
     public enum Params implements RequestParameters {
@@ -57,8 +59,8 @@ public enum Params implements RequestParameters {
     @Valid
     private Password joinPassword;
 
-    public JoinMeeting(Checksum checksum) {
-        super(checksum);
+    public JoinMeeting(Checksum checksum, HttpServletRequest servletRequest) {
+        super(checksum, servletRequest);
         joinPassword = new JoinPassword();
     }
 

bbb-common-web/src/main/java/org/bigbluebutton/api/model/request/LearningDashboard.java

@@ -2,10 +2,11 @@
 
 import org.bigbluebutton.api.model.constraint.UserSessionConstraint;
 
+import javax.servlet.http.HttpServletRequest;
 import javax.validation.constraints.NotNull;
 import java.util.Map;
 
-public class LearningDashboard implements Request<LearningDashboard.Params> {
+public class LearningDashboard extends RequestWithSession<LearningDashboard.Params> {
 
     public enum Params implements RequestParameters {
         SESSION_TOKEN("sessionToken");
@@ -20,6 +21,10 @@ public enum Params implements RequestParameters {
     @UserSessionConstraint
     private String sessionToken;
 
+    public LearningDashboard(HttpServletRequest servletRequest) {
+        super(servletRequest);
+    }
+
     public String getSessionToken() {
         return sessionToken;
     }

bbb-common-web/src/main/java/org/bigbluebutton/api/model/request/MeetingInfo.java

@@ -1,11 +1,14 @@
 package org.bigbluebutton.api.model.request;
 
+import org.bigbluebutton.api.model.constraint.ContentTypeConstraint;
 import org.bigbluebutton.api.model.constraint.MeetingExistsConstraint;
 import org.bigbluebutton.api.model.constraint.MeetingIDConstraint;
 import org.bigbluebutton.api.model.shared.Checksum;
 
+import javax.servlet.http.HttpServletRequest;
 import java.util.Map;
 
+@ContentTypeConstraint
 public class MeetingInfo extends RequestWithChecksum<MeetingInfo.Params> {
 
     public enum Params implements RequestParameters {
@@ -22,8 +25,8 @@ public enum Params implements RequestParameters {
     @MeetingExistsConstraint
     private String meetingID;
 
-    public MeetingInfo(Checksum checksum) {
-        super(checksum);
+    public MeetingInfo(Checksum checksum, HttpServletRequest servletRequest) {
+        super(checksum, servletRequest);
     }
 
     public String getMeetingID() {

bbb-common-web/src/main/java/org/bigbluebutton/api/model/request/MeetingRunning.java

@@ -1,10 +1,13 @@
 package org.bigbluebutton.api.model.request;
 
+import org.bigbluebutton.api.model.constraint.ContentTypeConstraint;
 import org.bigbluebutton.api.model.constraint.MeetingIDConstraint;
 import org.bigbluebutton.api.model.shared.Checksum;
 
+import javax.servlet.http.HttpServletRequest;
 import java.util.Map;
 
+@ContentTypeConstraint
 public class MeetingRunning extends RequestWithChecksum<MeetingRunning.Params> {
 
     public enum Params implements RequestParameters {
@@ -20,8 +23,8 @@ public enum Params implements RequestParameters {
     @MeetingIDConstraint
     private String meetingID;
 
-    public MeetingRunning(Checksum checksum) {
-        super(checksum);
+    public MeetingRunning(Checksum checksum, HttpServletRequest servletRequest) {
+        super(checksum, servletRequest);
     }
 
     public String getMeetingID() {

bbb-common-web/src/main/java/org/bigbluebutton/api/model/request/Request.java

@@ -1,9 +1,13 @@
 package org.bigbluebutton.api.model.request;
 
+import javax.servlet.http.HttpServletRequest;
 import java.util.Map;
+import java.util.Set;
 
 public interface Request<P extends Enum<P> & RequestParameters> {
 
     void populateFromParamsMap(Map<String, String[]> params);
     void convertParamsFromString();
+    Set<String> getSupportedContentTypes();
+    HttpServletRequest getServletRequest();
 }

bbb-common-web/src/main/java/org/bigbluebutton/api/model/request/RequestWithChecksum.java

@@ -1,17 +1,23 @@
 package org.bigbluebutton.api.model.request;
 
+import jakarta.ws.rs.core.MediaType;
 import org.bigbluebutton.api.model.shared.Checksum;
 
+import javax.servlet.http.HttpServletRequest;
 import javax.validation.Valid;
 import java.util.Map;
+import java.util.Set;
 
 public abstract class RequestWithChecksum<P extends Enum<P> & RequestParameters> implements Request<P> {
 
     @Valid
     protected Checksum checksum;
 
-    protected RequestWithChecksum(Checksum checksum) {
+    protected HttpServletRequest servletRequest;
+
+    protected RequestWithChecksum(Checksum checksum, HttpServletRequest servletRequest) {
         this.checksum = checksum;
+        this.servletRequest = servletRequest;
     }
 
     public Checksum getChecksum() {
@@ -27,4 +33,14 @@ public void setChecksum(Checksum checksum) {
     public void convertParamsFromString() {
 
     }
+
+    @Override
+    public Set<String> getSupportedContentTypes() {
+        return Set.of(MediaType.APPLICATION_FORM_URLENCODED, MediaType.MULTIPART_FORM_DATA);
+    }
+
+    @Override
+    public HttpServletRequest getServletRequest() {
+        return servletRequest;
+    }
 }