

ENTESB-6558 - Implement a filter to prevent arbitrary file upload to …
…hawtio
hoomanb1 authored and tadayosi committed Oct 4, 2017
1 parent 3e9abef commit 8cf6848
Showing 13 changed files with 881 additions and 44 deletions.
54 changes: 44 additions & 10 deletions hawtio-system/src/main/java/io/hawt/web/GitServlet.java
Expand Up @@ -17,11 +17,27 @@
*/
package io.hawt.web;

import io.hawt.git.*;
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import io.hawt.git.GitFileManager;
import io.hawt.git.GitFacade;
import io.hawt.git.WriteCallback;
import io.hawt.git.WriteContext;
import io.hawt.git.GitHelper;
import io.hawt.util.Files;
import io.hawt.util.Function;
import io.hawt.util.Strings;
import io.hawt.util.Zips;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.commons.fileupload.FileUploadException;
import org.eclipse.jgit.api.errors.GitAPIException;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
Expand All @@ -30,24 +46,18 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.File;
import java.io.IOException;
import java.util.List;

/**
*/
public class GitServlet extends UploadServlet implements ServiceTrackerCustomizer {
private static final transient Logger LOG = LoggerFactory.getLogger(GitServlet.class);

private static final int DEFAULT_BUFFER_SIZE = 10240; // 10KB.
private static final String GIT_FILE_UPLOAD_PROPNAME = "hawtio.upload.git.filter";

private BundleContext bundleContext;
private ServiceTracker serviceTracker;
private GitFileManager gitFacade;
private List<GlobalFileUploadFilter.MagicNumberFileFilter> gitFileUploadFilters;

@Override
public void init(ServletConfig config) throws ServletException {
Expand Down Expand Up @@ -160,7 +170,11 @@ public Object apply(WriteContext context) throws IOException, GitAPIException {
}
List<File> uploadedFiles = null;
try {
uploadedFiles = uploadFiles(req, resp, file);
if (isFileUploadFilterConfigured() && !(file.length() <= GlobalFileUploadFilter.getMaxFileSizeAllowed(gitFileUploadFilters))) {
throw new FileUploadBase.FileUploadIOException(
new FileUploadException("File exceeds its maximum permitted size of bytes."));
}
uploadedFiles = uploadFiles(req, resp, file, gitFileUploadFilters);
} catch (ServletException e) {
throw new IOException(e);
}
Expand Down Expand Up @@ -245,4 +259,24 @@ public String getPath() {
return path;
}
}

private boolean isFileUploadFilterConfigured() {
boolean configured = false;
String config = System.getProperty(GIT_FILE_UPLOAD_PROPNAME);
try {
if (config != null) {
configured = true;
gitFileUploadFilters = GlobalFileUploadFilter.constructFilters(config, new ArrayList<>());
} else {
configured = false;
if (gitFileUploadFilters == null || gitFileUploadFilters.isEmpty()) {
gitFileUploadFilters = new ArrayList<>();
}
}
} catch (RuntimeException e) {
LOG.warn("Error configuring filter {}", config);
}

return configured;
}
}
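Review bot: In `isFileUploadFilterConfigured`, `configured` is set to `true` before `GlobalFileUploadFilter.constructFilters` runs, so a malformed `hawtio.upload.git.filter` value that throws leaves the method returning `true` while `gitFileUploadFilters` keeps whatever it held before (possibly `null`), and the size check in the earlier hunk then passes that into `getMaxFileSizeAllowed` and `uploadFiles`. Assign `configured = true;` only after `constructFilters` returns, or rethrow, so a bad filter configuration fails closed instead of silently running with stale or missing filters; also pass the exception to the logger, `LOG.warn("Error configuring filter {}", config, e);`, so the cause is not dropped. Separately, the new size check compares `file.length()`, which appears to be the same `file` handed to `uploadFiles` as the target rather than the uploaded content, and `File.length()` is unspecified for directories, so it is worth confirming that this measures what the error message claims.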

