From d0ae12a167d62edfb32aacf41f6516cb00bf5384 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Mon, 27 Jul 2015 06:53:50 -0400
Subject: [PATCH] working patch for issue #285
---
 .../java/org/owasp/dependencycheck/App.java | 104 +++++++++++++-----
 .../org/owasp/dependencycheck/AppTest.java | 73 ++++++++++++
 2 files changed, 152 insertions(+), 25 deletions(-)
 create mode 100644 dependency-check-cli/src/test/java/org/owasp/dependencycheck/AppTest.java
diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
index 4527e33daa9..480cf3f96aa 100644
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
@@ -38,6 +38,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import ch.qos.logback.core.FileAppender;
+import java.util.logging.Level;
 import org.slf4j.impl.StaticLoggerBinder;
 
 /**
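Review bot: The added `import java.util.logging.Level;` is not referenced by any line this patch adds to App.java, and the file logs through slf4j/logback (`LOGGER.debug`, `LOGGER.warn`), so a java.util.logging import here reads as a leftover; suggest deleting the line. If `Level` is used in a part of App.java outside these hunks, the import should at least move out of the slf4j group into the `java.*` imports.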
@@ -127,45 +128,47 @@ private void runScan(String reportDirectory, String outputFormat, String applica
 try {
 engine = new Engine();
 List antStylePaths = new ArrayList();
- //removed and treating everything as an ant style path to ensure sym links are handled correctly.
-// if (excludes == null || excludes.length == 0) {
-// for (String file : files) {
-// if (file.contains("*") || file.contains("?")) {
-// antStylePaths.add(file);
-// } else {
-// engine.scan(file);
-// }
+ //TODO remove and treating everything as an ant style path to ensure sym links are handled correctly.
+// for (String file : files) {
+// if (file.contains("*") || file.contains("?")) {
+// antStylePaths.add(file);
+// } else {
+// engine.scan(file);
 // }
-// } else {
- antStylePaths = Arrays.asList(files);
 // }
+ for (String file : files) {
+ File f = new File(file);
+ if (f.exists() && f.isFile()) {
+ engine.scan(f);
+ } else {
+ String antPath = ensureCanonicalPath(file);
+ antStylePaths.add(antPath);
+ }
+ }
 final Set paths = new HashSet();
 for (String file : antStylePaths) {
+ LOGGER.debug("Scanning {}", file);
 final DirectoryScanner scanner = new DirectoryScanner();
 String include = file.replace('\\', '/');
 File baseDir;
 if (include.startsWith("//")) {
 throw new InvalidScanPathException("Unable to scan paths specified by //");
- } else if (include.startsWith("./")) {
- baseDir = new File(".");
- include = include.substring(2);
- } else if (include.startsWith("/")) {
- baseDir = new File("/");
- include = include.substring(1);
- } else if (include.contains("/")) {
- final int pos = include.indexOf('/');
- final String tmp = include.substring(0, pos);
- if (tmp.contains("*") || tmp.contains("?")) {
- baseDir = new File(".");
+ } else {
+ final int pos = getLastFileSeparator(include);
+ final String tmpBase = include.substring(0, pos);
+ final String tmpInclude = include.substring(pos + 1);
+ if (tmpInclude.indexOf('*') >= 0 || tmpInclude.indexOf('?') >= 0) {
+ baseDir = new File(tmpBase);
+ include = tmpInclude;
 } else {
- baseDir = new File(tmp);
- include = include.substring(pos + 1);
+ baseDir = new File(tmpBase, tmpInclude);
+ include = "**/*";
 }
- } else { //no path info - must just be a file in the working directory
- baseDir = new File(".");
 }
+ //LOGGER.debug("baseDir: {}", baseDir);
+ //LOGGER.debug("include: {}", include);
 scanner.setBasedir(baseDir);
 scanner.setIncludes(include);
 scanner.setMaxLevelsOfSymlinks(symLinkDepth);
@@ -176,6 +179,7 @@ private void runScan(String reportDirectory, String outputFormat, String applica
 if (scanner.getIncludedFilesCount() > 0) {
 for (String s : scanner.getIncludedFiles()) {
 final File f = new File(baseDir, s);
+ LOGGER.debug("Found file {}", f.toString());
 paths.add(f);
 }
 }
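Review bot: In the new `else` branch, `include.substring(0, pos)` throws StringIndexOutOfBoundsException when getLastFileSeparator returns -1, which is exactly what happens for a bare pattern such as `*.jar`: ensureCanonicalPath returns that input unchanged, and the removed `//no path info` branch that used to map it to `new File(".")` is gone. Suggest `final String tmpBase = pos < 0 ? "." : include.substring(0, pos);` — `include.substring(pos + 1)` already yields the whole string when pos is -1. The new `f.exists() && f.isFile()` test follows symbolic links, so a link that points at a file is handed straight to `engine.scan(f)` and never passes through the `symLinkDepth` limit applied to the DirectoryScanner path; worth confirming that is intended given the commit's symlink motivation. The `//TODO` block of commented-out code and the two commented `//LOGGER.debug` lines should be either enabled or removed rather than committed. runScan begins before this hunk and continues past it.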
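Review bot: `LOGGER.debug("Found file {}", f.toString())` builds the string eagerly, which forfeits the benefit of the parameterized slf4j call when debug logging is off; pass the File itself, `LOGGER.debug("Found file {}", f);`, and let the binding call toString only when the message is actually emitted. The enclosing runScan starts and ends outside this hunk.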
@@ -397,4 +401,54 @@ private void prepareLogger(String verboseLog) {
 final ch.qos.logback.classic.Logger rootLogger = context.getLogger(ch.qos.logback.classic.Logger.ROOT_LOGGER_NAME);
 rootLogger.addAppender(fa);
 }
+
+ protected String ensureCanonicalPath(String path) {
+ String basePath = null;
+ String wildCards = null;
+ String file = path.replace('\\', '/');
+ if (file.contains("*") || file.contains("?")) {
+
+ int pos = getLastFileSeparator(file);
+ if (pos < 0) {
+ return file;
+ }
+ pos += 1;
+ basePath = file.substring(0, pos);
+ wildCards = file.substring(pos);
+ } else {
+ basePath = file;
+ }
+
+ File f = new File(basePath);
+ try {
+ f = f.getCanonicalFile();
+ if (wildCards != null) {
+ f = new File(f, wildCards);
+ }
+ } catch (IOException ex) {
+ LOGGER.warn("Invalid path '{}' was provided.", path);
+ LOGGER.debug("Invalid path provided", ex);
+ }
+ return f.getAbsolutePath().replace('\\', '/');
+ }
+
+ /**
+ * Returns the position of the last file separator.
+ *
+ * @param file a file path
+ * @return the position of the last file separator
+ */
+ private int getLastFileSeparator(String file) {
+ if (file.contains("*") || file.contains("?")) {
+ int p1 = file.indexOf('*');
+ int p2 = file.indexOf('?');
+ p1 = p1 > 0 ? p1 : file.length();
+ p2 = p2 > 0 ? p2 : file.length();
+ int pos = p1 < p2 ? p1 : p2;
+ pos = file.lastIndexOf('/', pos);
+ return pos;
+ } else {
+ return file.lastIndexOf('/');
+ }
+ }
 }
diff --git a/dependency-check-cli/src/test/java/org/owasp/dependencycheck/AppTest.java b/dependency-check-cli/src/test/java/org/owasp/dependencycheck/AppTest.java
new file mode 100644
index 00000000000..c5ad2a2114e
--- /dev/null
+++ b/dependency-check-cli/src/test/java/org/owasp/dependencycheck/AppTest.java
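Review bot: In ensureCanonicalPath the `if (wildCards != null)` re-attachment sits inside the try, so when getCanonicalFile() throws the method logs a warning and returns the absolute base path with its pattern dropped; runScan then finds no wildcard in the result and scans the whole base directory with `**/*`, silently widening the scan beyond what the user asked for. The same method returns a bare pattern such as `*.jar` unchanged (the `pos < 0` early return), which runScan cannot split; anchoring it to `.` instead keeps the contract that the result is an absolute path. In getLastFileSeparator, `p1 > 0` and `p2 > 0` treat a wildcard at index 0 as absent — `p1 = p1 >= 0 ? p1 : file.length();` (and likewise for p2) is the intended test. The protected method also lacks the Javadoc its private sibling has; a header saying that it returns an absolute forward-slash path with the wildcard suffix preserved, and that canonicalisation resolves symbolic links in the base portion (so `symLinkDepth` governs only links below it), would help callers. The rewrite below keeps the signature and logging and moves the wildcard re-attachment after the try.

```java
    protected String ensureCanonicalPath(String path) {
        String basePath;
        String wildCards = null;
        final String file = path.replace('\\', '/');
        if (file.contains("*") || file.contains("?")) {
            final int pos = getLastFileSeparator(file);
            if (pos < 0) {
                // bare pattern such as "*.jar": anchor it to the working directory
                basePath = ".";
                wildCards = file;
            } else {
                basePath = file.substring(0, pos + 1);
                wildCards = file.substring(pos + 1);
            }
        } else {
            basePath = file;
        }
        File f = new File(basePath);
        try {
            f = f.getCanonicalFile();
        } catch (IOException ex) {
            LOGGER.warn("Invalid path '{}' was provided.", path);
            LOGGER.debug("Invalid path provided", ex);
        }
        // re-attach the pattern whether or not canonicalisation succeeded
        if (wildCards != null) {
            f = new File(f, wildCards);
        }
        return f.getAbsolutePath().replace('\\', '/');
    }
    // … unchanged: getLastFileSeparator (apart from the >= 0 comparisons) …
```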
@@ -0,0 +1,73 @@
+/*
+ * Copyright 2015 OWASP.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.owasp.dependencycheck;
+
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import static org.junit.Assert.*;
+
+/**
+ *
+ * @author jeremy
+ */
+public class AppTest {
+
+ public AppTest() {
+ }
+
+ @BeforeClass
+ public static void setUpClass() {
+ }
+
+ @AfterClass
+ public static void tearDownClass() {
+ }
+
+ @Before
+ public void setUp() {
+ }
+
+ @After
+ public void tearDown() {
+ }
+
+ /**
+ * Test of ensureCanonicalPath method, of class App.
+ */
+ @Test
+ public void testEnsureCanonicalPath() {
+ String file = "../*.jar";
+ App instance = new App();
+ String result = instance.ensureCanonicalPath(file);
+ assertFalse(result.contains(".."));
+ assertTrue(result.endsWith("*.jar"));
+ }
+
+ /**
+ * Test of ensureCanonicalPath method, of class App.
+ */
+ @Test
+ public void testEnsureCanonicalPath2() {
+ String file = "../some/skip/../path/file.txt";
+ App instance = new App();
+ String expResult = "/some/path/file.txt";
+ String result = instance.ensureCanonicalPath(file);
+ assertTrue("result=" + result, result.endsWith(expResult));
+ }
+}
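Review bot: Neither test covers a pattern with no directory part, such as `"*.jar"`, which is the one input for which getLastFileSeparator returns -1 and ensureCanonicalPath hands its argument back unchanged; a third case asserting the result is absolute (`assertTrue(new File(result).isAbsolute());`) would pin down what runScan may rely on. Both existing tests also pass for a result that has merely had `..` stripped, so an `assertTrue(new File(result).isAbsolute())` on testEnsureCanonicalPath would tighten it at no cost. The empty constructor, the four empty lifecycle stubs and the `Assert.*` wildcard import are template scaffolding and can be deleted, leaving only the `@Test` methods and the imports they use.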