(cherry picked from commit 29e40eae69)

5 years ago · c347ee5541
--- a/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java
+++ b/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java
@@ -108,6 +108,8 @@ public class DefaultFileUploadService

    private List<ChecksumAlgorithm> algorithms = Arrays.asList( ChecksumAlgorithm.SHA1, ChecksumAlgorithm.MD5 );

    private final String FS = FileSystems.getDefault().getSeparator();

    @Inject
    @Named(value = "archivaTaskScheduler#repository")
    private ArchivaTaskScheduler<RepositoryTask> scheduler;
@@ -137,6 +139,14 @@ public class DefaultFileUploadService

            //Content-Disposition: form-data; name="files[]"; filename="org.apache.karaf.features.command-2.2.2.jar"
            String fileName = file.getContentDisposition().getParameter( "filename" );
            Path fileNamePath = Paths.get(fileName);
            if (!fileName.equals(fileNamePath.getFileName().toString())) {
                ArchivaRestServiceException e = new ArchivaRestServiceException("Bad filename in upload content: " + fileName + " - File traversal chars (..|/) are not allowed"
                        , null);
                e.setHttpErrorCode(422);
                e.setErrorKey("error.upload.malformed.filename");
                throw e;
            }

            Path tmpFile = Files.createTempFile( "upload-artifact", ".tmp" );
            tmpFile.toFile().deleteOnExit();
@@ -227,6 +237,29 @@ public class DefaultFileUploadService
        return fileMetadatas == null ? Collections.<FileMetadata>emptyList() : fileMetadatas;
    }

    private boolean hasValidChars(String checkString) {
        if (checkString.contains(FS)) {
            return false;
        }
        if (checkString.contains("../")) {
            return false;
        }
        if (checkString.contains("/..")) {
            return false;
        }
        return true;
    }

    private void checkParamChars(String param, String value) throws ArchivaRestServiceException {
        if (!hasValidChars(value)) {
            ArchivaRestServiceException e = new ArchivaRestServiceException("Bad characters in " + param, null);
            e.setHttpErrorCode(422);
            e.setErrorKey("error.upload.malformed.param." + param);
            e.setFieldName(param);
            throw e;
        }
    }

    @Override
    public Boolean save( String repositoryId, String groupId, String artifactId, String version, String packaging,
                         boolean generatePom )
@@ -238,6 +271,11 @@ public class DefaultFileUploadService
        version = StringUtils.trim( version );
        packaging = StringUtils.trim( packaging );

        checkParamChars("repositoryId", repositoryId);
        checkParamChars("groupId", groupId);
        checkParamChars("artifactId", artifactId);
        checkParamChars("packaging", packaging);

        List<FileMetadata> fileMetadatas = getSessionFilesList();
        if ( fileMetadatas == null || fileMetadatas.isEmpty() )
        {
--- a/archiva-modules/archiva-web/archiva-web-common/src/test/java/org/apache/archiva/upload/UploadArtifactsTest.java
+++ b/archiva-modules/archiva-web/archiva-web-common/src/test/java/org/apache/archiva/upload/UploadArtifactsTest.java
@@ -35,7 +35,7 @@ import org.apache.cxf.jaxrs.ext.multipart.MultipartBody;
 import org.apache.cxf.message.Message;
 import org.junit.Test;
 import org.junit.runner.RunWith;

 import javax.ws.rs.ClientErrorException;
 import java.io.IOException;
 import java.net.URLEncoder;
 import java.nio.file.Files;
@@ -130,9 +130,9 @@ public class UploadArtifactsTest
                service.post( body );
                fail( "FileNames with path contents should not be allowed." );
            }
            catch ( ArchivaRestServiceException e )
            catch ( ClientErrorException e )
            {
                // OK
                assertEquals(422, e.getResponse().getStatus());
            }
        }
        finally
@@ -241,15 +241,15 @@ public class UploadArtifactsTest
            log.debug( "Metadata {}", meta.toString( ) );
            assertTrue( service.save( "internal", "org.archiva", "archiva-model", "1.2", "jar", true ) );

            fileAttachment = new AttachmentBuilder( ).object( Files.newInputStream( file ) ).contentDisposition( new ContentDisposition( "form-data; filename=\"/../TestFile.FileExt\"; name=\"files[]\"" ) ).build( );
            fileAttachment = new AttachmentBuilder( ).object( Files.newInputStream( file ) ).contentDisposition( new ContentDisposition( "form-data; filename=\"TestFile.FileExt\"; name=\"files[]\"" ) ).build( );
            body = new MultipartBody( fileAttachment );
            meta = service.post( body );
            log.debug( "Metadata {}", meta.toString( ) );
            try {
                service.save("internal", "org", URLEncoder.encode("../../../test", "UTF-8"), URLEncoder.encode("testSave", "UTF-8"), "4", true);
                fail("Error expected, if the content contains bad characters.");
            } catch (ArchivaRestServiceException e) {
                // OK
            } catch (ClientErrorException e) {
                assertEquals(422, e.getResponse().getStatus());
            }
            assertFalse( Files.exists( Paths.get( "target/test-testSave.4" ) ) );
        }
--- a/archiva-modules/archiva-web/archiva-web-common/src/test/resources/spring-context-test-upload.xml
+++ b/archiva-modules/archiva-web/archiva-web-common/src/test/resources/spring-context-test-upload.xml
@@ -81,8 +81,6 @@
    <property name="queue" ref="taskQueue#repository-scanning"/>
  </bean>



  <alias name="repositorySessionFactory#jcr" alias="repositorySessionFactory"/>
  <alias name="userConfiguration#archiva" alias="userConfiguration#default"/>
  <alias name="authorizer#rbac" alias="authorizer#default"/>
@@ -120,4 +118,4 @@
        End of JPA settings
        *** -->

 </beans>
 </beans>