Merge pull request #327 from adorsys/185-more-restrictive-api-for-str…

…ing-arguments 185 more restrictive api for string arguments
adorsys · Jul 15, 2024 · 5edf83e · 5edf83e
2 parents bcf23f5 + ca6d4b1
commit 5edf83e
Show file tree

Hide file tree

Showing 6 changed files with 84 additions and 56 deletions.
diff --git a/...t-impl/src/main/java/de/adorsys/datasafe/rest/impl/controller/AuthenticateController.java b/...t-impl/src/main/java/de/adorsys/datasafe/rest/impl/controller/AuthenticateController.java
@@ -15,6 +15,7 @@
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.userdetails.User;
+import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RestController;
@@ -31,7 +32,7 @@ public class AuthenticateController {
  private final AuthenticationManager authenticationManager;
 
  @PostMapping(SecurityConstants.AUTH_LOGIN_URL)
- public void authenticate(@RequestBody UserDTO credentialsDTO, HttpServletResponse response) {
+ public void authenticate(@RequestBody @Validated UserDTO credentialsDTO, HttpServletResponse response) {
  String username = credentialsDTO.getUserName();
  String password = credentialsDTO.getPassword();
  UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(username, password);

diff --git a/...-rest-impl/src/main/java/de/adorsys/datasafe/rest/impl/controller/DocumentController.java b/...-rest-impl/src/main/java/de/adorsys/datasafe/rest/impl/controller/DocumentController.java
@@ -12,6 +12,8 @@
 import de.adorsys.datasafe.types.api.resource.PrivateResource;
 import de.adorsys.datasafe.types.api.resource.StorageIdentifier;
 import jakarta.servlet.http.HttpServletResponse;
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.NotNull;
 import lombok.RequiredArgsConstructor;
 import lombok.SneakyThrows;
 import lombok.extern.slf4j.Slf4j;
@@ -49,11 +51,16 @@ public class DocumentController {
  */
  @SneakyThrows
  @GetMapping(value = "/document/{*path}", produces = APPLICATION_OCTET_STREAM_VALUE)
- public void readDocument(@RequestHeader String user,
- @RequestHeader String password,
+ public void readDocument(@RequestHeader @NotBlank String user,
+ @RequestHeader @NotBlank String password,
  @RequestHeader(defaultValue = StorageIdentifier.DEFAULT_ID) String storageId,
- @PathVariable String path,
+ @PathVariable @NotBlank String path,
  HttpServletResponse response) {
+ // Validate and sanitize path
+ if (path.contains("..")) {
+ throw new IllegalArgumentException("Invalid path");
+ }
+
  UserIDAuth userIDAuth = new UserIDAuth(new UserID(user), ReadKeyPasswordHelper.getForString(password));
  ReadRequest<UserIDAuth, PrivateResource> request =
  ReadRequest.forPrivate(userIDAuth, new StorageIdentifier(storageId), path);
@@ -72,11 +79,16 @@ public void readDocument(@RequestHeader String user,
  */
  @SneakyThrows
  @PutMapping(value = "/document/{*path}", consumes = MULTIPART_FORM_DATA_VALUE)
- public void writeDocument(@RequestHeader String user,
- @RequestHeader String password,
+ public void writeDocument(@RequestHeader @NotBlank String user,
+ @RequestHeader @NotBlank String password,
  @RequestHeader(defaultValue = StorageIdentifier.DEFAULT_ID) String storageId,
  @PathVariable String path,
- @RequestParam("file") MultipartFile file) {
+ @RequestParam("file") @NotNull MultipartFile file) {
+ // Validate and sanitize path
+ if (path.contains("..")) {
+ throw new IllegalArgumentException("Invalid path");
+ }
+
  UserIDAuth userIDAuth = new UserIDAuth(new UserID(user), ReadKeyPasswordHelper.getForString(password));
  WriteRequest<UserIDAuth, PrivateResource> request =
  WriteRequest.forPrivate(userIDAuth, new StorageIdentifier(storageId), path);
@@ -91,14 +103,20 @@ public void writeDocument(@RequestHeader String user,
  * lists files in user's private space.
  */
  @GetMapping("/documents/{*path}")
- public List<String> listDocuments(@RequestHeader String user,
- @RequestHeader String password,
+ public List<String> listDocuments(@RequestHeader @NotBlank String user,
+ @RequestHeader @NotBlank String password,
  @RequestHeader(defaultValue = StorageIdentifier.DEFAULT_ID) String storageId,
  @PathVariable(required = false) String path) {
  UserIDAuth userIDAuth = new UserIDAuth(new UserID(user), ReadKeyPasswordHelper.getForString(password));
  path = Optional.ofNullable(path)
  .map(it -> it.replaceAll("^\\.$", ""))
  .orElse("./");
+
+ // Validate and sanitize path
+ if (path.contains("..")) {
+ throw new IllegalArgumentException("Invalid path");
+ }
+
  try {
  List<String> documentList = datasafeService.privateService().list(
  ListRequest.forPrivate(userIDAuth, new StorageIdentifier(storageId), path))
@@ -115,10 +133,16 @@ public List<String> listDocuments(@RequestHeader String user,
  * deletes files from user's private space.
  */
  @DeleteMapping("/document/{*path}")
- public void removeDocument(@RequestHeader String user,
- @RequestHeader String password,
+ public void removeDocument(@RequestHeader @NotBlank String user,
+ @RequestHeader @NotBlank String password,
  @RequestHeader(defaultValue = StorageIdentifier.DEFAULT_ID) String storageId,
- @PathVariable String path) {
+ @PathVariable @NotBlank String path) {
+
+ // Validate and sanitize path
+ if (path.contains("..")) {
+ throw new IllegalArgumentException("Invalid path");
+ }
+
  UserIDAuth userIDAuth = new UserIDAuth(new UserID(user), ReadKeyPasswordHelper.getForString(password));
  RemoveRequest<UserIDAuth, PrivateResource> request =
  RemoveRequest.forPrivate(userIDAuth, new StorageIdentifier(storageId), path);

diff --git a/...afe-rest-impl/src/main/java/de/adorsys/datasafe/rest/impl/controller/InboxController.java b/...afe-rest-impl/src/main/java/de/adorsys/datasafe/rest/impl/controller/InboxController.java
@@ -12,6 +12,8 @@
 import de.adorsys.datasafe.types.api.resource.BasePrivateResource;
 import de.adorsys.datasafe.types.api.resource.PrivateResource;
 import jakarta.servlet.http.HttpServletResponse;
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.NotNull;
 import lombok.RequiredArgsConstructor;
 import lombok.SneakyThrows;
 import lombok.extern.slf4j.Slf4j;
@@ -52,10 +54,10 @@ public class InboxController {
  */
  @SneakyThrows
  @PutMapping(value = "/inbox/document/{*path}", consumes = MULTIPART_FORM_DATA_VALUE)
- public void writeToInbox(@RequestHeader String user,
- @RequestHeader String password,
- @RequestHeader Set<String> recipients,
- @PathVariable String path,
+ public void writeToInbox(@RequestHeader @NotBlank String user,
+ @RequestHeader @NotBlank String password,
+ @RequestHeader Set<@NotBlank String> recipients,
+ @PathVariable @NotBlank String path,
  @RequestParam("file") MultipartFile file) {
  UserIDAuth fromUser = new UserIDAuth(new UserID(user), ReadKeyPasswordHelper.getForString(password));
  Set<UserID> toUsers = recipients.stream().map(UserID::new).collect(Collectors.toSet());
@@ -72,9 +74,9 @@ public void writeToInbox(@RequestHeader String user,
  */
  @SneakyThrows
  @GetMapping(value = "/inbox/document/{*path}", produces = APPLICATION_OCTET_STREAM_VALUE)
- public void readFromInbox(@RequestHeader String user,
- @RequestHeader String password,
- @PathVariable String path,
+ public void readFromInbox(@RequestHeader @NotBlank String user,
+ @RequestHeader @NotBlank String password,
+ @PathVariable @NotBlank String path,
  HttpServletResponse response) {
  path = path.replaceAll("^/", "");
  UserIDAuth userIDAuth = new UserIDAuth(new UserID(user), ReadKeyPasswordHelper.getForString(password));
@@ -93,9 +95,9 @@ public void readFromInbox(@RequestHeader String user,
  * Deletes file from users' INBOX.
  */
  @DeleteMapping("/inbox/document/{*path}")
- public void deleteFromInbox(@RequestHeader String user,
- @RequestHeader String password,
- @PathVariable String path) {
+ public void deleteFromInbox(@RequestHeader @NotBlank String user,
+ @RequestHeader @NotBlank String password,
+ @PathVariable @NotBlank String path) {
  path = path.replaceAll("^/", "");
  UserIDAuth userIDAuth = new UserIDAuth(new UserID(user), ReadKeyPasswordHelper.getForString(password));
  PrivateResource resource = BasePrivateResource.forPrivate(path);
@@ -108,8 +110,8 @@ public void deleteFromInbox(@RequestHeader String user,
  * list files in users' INBOX.
  */
  @GetMapping(value = "/inbox/documents/{*path}", produces = APPLICATION_JSON_VALUE)
- public List<String> listInbox(@RequestHeader String user,
- @RequestHeader String password,
+ public List<String> listInbox(@RequestHeader @NotBlank String user,
+ @RequestHeader @NotBlank String password,
  @PathVariable(required = false) String path) {
  path = path.replaceAll("^/", "");
  UserIDAuth userIDAuth = new UserIDAuth(new UserID(user), ReadKeyPasswordHelper.getForString(password));

diff --git a/...safe-rest-impl/src/main/java/de/adorsys/datasafe/rest/impl/controller/UserController.java b/...safe-rest-impl/src/main/java/de/adorsys/datasafe/rest/impl/controller/UserController.java
@@ -14,6 +14,7 @@
 import de.adorsys.datasafe.rest.impl.exceptions.UserExistsException;
 import de.adorsys.datasafe.types.api.resource.StorageIdentifier;
 import de.adorsys.datasafe.types.api.types.ReadKeyPassword;
+import jakarta.validation.constraints.NotBlank;
 import lombok.RequiredArgsConstructor;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.DeleteMapping;
@@ -61,51 +62,51 @@ public void createUser(@Validated @RequestBody UserDTO userDTO) {
  }
 
  @PostMapping("/password")
- public void changePassword(@RequestHeader String user,
- @RequestHeader String password,
+ public void changePassword(@RequestHeader @NotBlank String user,
+ @RequestHeader @NotBlank String password,
  @Validated @RequestBody NewPasswordDTO newPassword) {
  ReadKeyPassword readKeyPassword = ReadKeyPasswordHelper.getForString(password);
  UserIDAuth auth = new UserIDAuth(new UserID(user), readKeyPassword);
  dataSafeService.userProfile().updateReadKeyPassword(auth, ReadKeyPasswordHelper.getForString(newPassword.getNewPassword()));
  }
 
  @GetMapping("/publicProfile")
- public UserPublicProfileDTO getPublicProfile(@RequestHeader String user,
- @RequestHeader String password) {
+ public UserPublicProfileDTO getPublicProfile(@RequestHeader @NotBlank String user,
+ @RequestHeader @NotBlank String password) {
  ReadKeyPassword readKeyPassword = ReadKeyPasswordHelper.getForString(password);
  UserIDAuth auth = new UserIDAuth(new UserID(user), readKeyPassword);
  return UserPublicProfileDTO.from(dataSafeService.userProfile().publicProfile(auth.getUserID()));
  }
 
  @GetMapping("/privateProfile")
- public UserPrivateProfileDTO getPrivateProfile(@RequestHeader String user,
- @RequestHeader String password) {
+ public UserPrivateProfileDTO getPrivateProfile(@RequestHeader @NotBlank String user,
+ @RequestHeader @NotBlank String password) {
  ReadKeyPassword readKeyPassword = ReadKeyPasswordHelper.getForString(password);
  UserIDAuth auth = new UserIDAuth(new UserID(user), readKeyPassword);
  return UserPrivateProfileDTO.from(dataSafeService.userProfile().privateProfile(auth));
  }
 
  @PostMapping("/publicProfile")
- public void updatePublicProfile(@RequestHeader String user,
- @RequestHeader String password,
+ public void updatePublicProfile(@RequestHeader @NotBlank String user,
+ @RequestHeader @NotBlank String password,
  @Validated @RequestBody UserPublicProfileDTO profileDto) {
  ReadKeyPassword readKeyPassword = ReadKeyPasswordHelper.getForString(password);
  UserIDAuth auth = new UserIDAuth(new UserID(user), readKeyPassword);
  dataSafeService.userProfile().updatePublicProfile(auth, profileDto.toProfile());
  }
 
  @PostMapping("/privateProfile")
- public void updatePrivateProfile(@RequestHeader String user,
- @RequestHeader String password,
+ public void updatePrivateProfile(@RequestHeader @NotBlank String user,
+ @RequestHeader @NotBlank String password,
  @Validated @RequestBody UserPrivateProfileDTO profileDto) {
  ReadKeyPassword readKeyPassword = ReadKeyPasswordHelper.getForString(password);
  UserIDAuth auth = new UserIDAuth(new UserID(user), readKeyPassword);
  dataSafeService.userProfile().updatePrivateProfile(auth, profileDto.toProfile());
  }
 
  @PostMapping("/storages")
- public void addStorageCredentials(@RequestHeader String user,
- @RequestHeader String password,
+ public void addStorageCredentials(@RequestHeader @NotBlank String user,
+ @RequestHeader @NotBlank String password,
  @Validated @RequestBody StorageCredsDTO creds) {
  ReadKeyPassword readKeyPassword = ReadKeyPasswordHelper.getForString(password);
  UserIDAuth auth = new UserIDAuth(new UserID(user), readKeyPassword);
@@ -117,9 +118,9 @@ public void addStorageCredentials(@RequestHeader String user,
  }
 
  @DeleteMapping("/storages")
- public void removeStorageCredentials(@RequestHeader String user,
- @RequestHeader String password,
- @RequestHeader String storageId) {
+ public void removeStorageCredentials(@RequestHeader @NotBlank String user,
+ @RequestHeader @NotBlank String password,
+ @RequestHeader @NotBlank String storageId) {
  ReadKeyPassword readKeyPassword = ReadKeyPasswordHelper.getForString(password);
  UserIDAuth auth = new UserIDAuth(new UserID(user), readKeyPassword);
  dataSafeService.userProfile().deregisterStorageCredentials(auth, new StorageIdentifier(storageId));
@@ -132,8 +133,8 @@ public void removeStorageCredentials(@RequestHeader String user,
  * @param password user password.
  */
  @DeleteMapping
- public void deleteUser(@RequestHeader String user,
- @RequestHeader String password) {
+ public void deleteUser(@RequestHeader @NotBlank String user,
+ @RequestHeader @NotBlank String password) {
  UserIDAuth auth = new UserIDAuth(new UserID(user), ReadKeyPasswordHelper.getForString(password));
  if (!dataSafeService.userProfile().userExists(auth.getUserID())) {
  throw new UserDoesNotExistsException("user '" + auth.getUserID().getValue() + "' does not exists");