Merge pull request #222 from sgayangi/master

sgayangi · web-flow · commit c99cde45b095 · 2025-10-29T10:21:45.000+05:30
Add file validation logic
diff --git a/components/jaggery-core/org.jaggeryjs.jaggery.app.mgt/src/main/java/org/jaggeryjs/jaggery/app/mgt/JaggeryAppAdmin.java b/components/jaggery-core/org.jaggeryjs.jaggery.app.mgt/src/main/java/org/jaggeryjs/jaggery/app/mgt/JaggeryAppAdmin.java
@@ -21,6 +21,7 @@
 import org.apache.axis2.engine.AxisConfiguration;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.CarbonException;
 import org.jaggeryjs.jaggery.core.JaggeryCoreConstants;
 import org.wso2.carbon.utils.ArchiveManipulator;
 import org.wso2.carbon.webapp.mgt.SessionsWrapper;
@@ -92,6 +93,12 @@ public boolean uploadWebapp(WebappUploadData[] webappUploadDataList) throws Axis
 
         for (WebappUploadData uploadData : webappUploadDataList) {
             String fName = uploadData.getFileName();
+            try {
+                // validate file name
+                JaggeryDeploymentUtil.validateFileName(fName, jaggeryAppsPath);
+            } catch (CarbonException e) {
+                throw new AxisFault(e.getMessage(), e);
+            }
             if (fName.contains(".")) {
                 fName = fName.split("\\.")[0];
             }
diff --git a/components/jaggery-core/org.jaggeryjs.jaggery.app.mgt/src/main/java/org/jaggeryjs/jaggery/app/mgt/JaggeryDeploymentUtil.java b/components/jaggery-core/org.jaggeryjs.jaggery.app.mgt/src/main/java/org/jaggeryjs/jaggery/app/mgt/JaggeryDeploymentUtil.java
@@ -4,7 +4,7 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.jaggeryjs.jaggery.core.JaggeryCoreConstants;
-
+import org.wso2.carbon.CarbonException;
 import java.io.*;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipInputStream;
@@ -82,4 +82,94 @@ static void unZip(InputStream is, String destDir) {
             log.error("Could not unzip the Jaggery App Archive", e);
         } 
     }
+
+
+    /**
+     * Generic file validation method that combines all validation logic.
+     * Validates file name, extension, and path security.
+     *
+     * @param fileName          File name to validate
+     * @param baseDirectory     Base directory where files should be contained
+     * @param allowedExtensions Array of allowed file extensions (without dot),
+     *                          e.g., {"csv", "xml"}
+     * @throws CarbonException if validation fails
+     */
+    public static void validateFileName(String fileName, String baseDirectory, String[] allowedExtensions)
+            throws CarbonException {
+        // 1. Basic null/empty validation
+        if (fileName == null || fileName.isEmpty()) {
+            throw new RuntimeException("Invalid file name. File name is not available");
+        }
+
+        fileName = fileName.trim();
+
+        // 2. File extension validation
+        if (allowedExtensions != null && allowedExtensions.length > 0) {
+            boolean validExtension = false;
+            String lowerFileName = fileName.toLowerCase();
+
+            for (String extension : allowedExtensions) {
+                if (lowerFileName.endsWith("." + extension.toLowerCase())) {
+                    validExtension = true;
+
+                    // Ensure filename has content before the extension
+                    int minLength = extension.length() + 1; // extension + dot
+                    if (fileName.length() <= minLength) {
+                        throw new RuntimeException(
+                                "Invalid file name: filename cannot be just an extension. File: " + fileName);
+                    }
+                    break;
+                }
+            }
+
+            if (!validExtension) {
+                String allowedExts = String.join(", ", allowedExtensions);
+                throw new RuntimeException(
+                        "Invalid file type. Only " + allowedExts + " files are allowed. File: " + fileName);
+            }
+        }
+
+        // 3. Path validation
+        if (baseDirectory != null) {
+            try {
+                // Canonical path validation
+                File baseDir = new File(baseDirectory);
+                File targetFile = new File(baseDir, fileName);
+
+                String baseDirCanonical = baseDir.getCanonicalPath();
+                String targetFileCanonical = targetFile.getCanonicalPath();
+
+                // Ensure resolved path stays within base directory
+                if (!targetFileCanonical.startsWith(baseDirCanonical + File.separator) &&
+                        !targetFileCanonical.equals(baseDirCanonical)) {
+                    throw new RuntimeException("File validation failed: Invalid file name: " + fileName);
+                }
+
+            } catch (IOException e) {
+                throw new CarbonException("File validation failed: Invalid file name: " + fileName);
+            }
+        }
+    }
+
+    /**
+     * Convenience method for file validation.
+     * 
+     * @param fileName      File name to validate
+     * @param baseDirectory Base directory where files should be contained
+     * @throws CarbonException if validation fails
+     */
+    public static void validateFileName(String fileName, String baseDirectory) throws CarbonException {
+        validateFileName(fileName, baseDirectory, new String[] { "jag", "zip" });
+    }
+
+    /**
+     * Validate the given fileName and path.
+     *
+     * @param fileName      File name which needs to be validated.
+     * @param baseDirectory Base directory where files should be contained
+     * @throws CarbonException if validation fails
+     */
+    public static void validatePath(String fileName, String baseDirectory) throws CarbonException {
+        validateFileName(fileName, baseDirectory, null);
+    }
 }
