Merge pull request wso2#12328 from piyumaldk/4.2.m2-sec-fixes

Using try-with-resources for closing the Input Stream, Input Stream Reader and Check canonical path of WSDL path
tharikaGitHub · Mar 22, 2024 · 15239a8 · 15239a8
2 parents 806bee1 + 4ff95f8
commit 15239a8
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 9 deletions.
diff --git a/...arbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/SAMLGroupIDExtractorImpl.java b/...arbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/SAMLGroupIDExtractorImpl.java
@@ -36,6 +36,7 @@
 import org.w3c.dom.Element;
 import org.wso2.carbon.apimgt.api.NewPostLoginExecutor;
 import org.wso2.carbon.apimgt.impl.internal.ServiceReferenceHolder;
+import org.wso2.carbon.apimgt.impl.utils.APIUtil;
 import org.wso2.carbon.core.security.AuthenticatorsConfiguration;
 import org.wso2.carbon.user.core.UserRealm;
 import org.wso2.carbon.user.core.UserStoreException;
@@ -74,7 +75,7 @@ public String getGroupingIdentifiers(String loginResponse) {
                 claim = "http://wso2.org/claims/organization";
             }
             samlResponseStream = getByteArrayInputStream(loginResponse);
-            DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
+            DocumentBuilderFactory builderFactory = APIUtil.getSecuredDocumentBuilder();
             builderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
             builderFactory.setNamespaceAware(true);
             docBuilder = builderFactory.newDocumentBuilder();
@@ -253,7 +254,7 @@ public String[] getGroupingIdentifierList(String loginResponse) {
                 claim = "http://wso2.org/claims/organization";
             }
             samlResponseStream = getByteArrayInputStream(loginResponse);
-            DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
+            DocumentBuilderFactory builderFactory = APIUtil.getSecuredDocumentBuilder();
             builderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
             builderFactory.setNamespaceAware(true);
             docBuilder = builderFactory.newDocumentBuilder();

diff --git a/...so2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/lifecycle/LCManager.java b/...so2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/lifecycle/LCManager.java
@@ -91,10 +91,10 @@ public LCManager(String tenantDomain) {
      */
     public static JSONObject getDefaultLCConfigJSON() throws APIManagementException {
 
-        InputStream lcStream = LCManager.class.getClassLoader().getResourceAsStream(API_LIFECYCLE_PATH);
-        JSONParser jsonParser = new JSONParser();
-        try {
-            return (JSONObject) jsonParser.parse(new InputStreamReader(lcStream, StandardCharsets.UTF_8));
+        try (InputStream lcStream = LCManager.class.getClassLoader().getResourceAsStream(API_LIFECYCLE_PATH);
+             InputStreamReader reader = new InputStreamReader(lcStream, StandardCharsets.UTF_8)) {
+            JSONParser jsonParser = new JSONParser();
+            return (JSONObject) jsonParser.parse(reader);
         } catch (IOException | ParseException e) {
             throw new APIManagementException(e);
         }

diff --git a/....carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/wsdl/SequenceGenerator.java b/....carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/wsdl/SequenceGenerator.java
@@ -361,7 +361,7 @@ private static Map<String, String> createPayloadFacXMLForOperation(Map<String, S
                                                                        Map<String, Model> definitions)
             throws APIManagementException {
 
-        DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
+        DocumentBuilderFactory docFactory = APIUtil.getSecuredDocumentBuilder();
         TransformerFactory transformerFactory = TransformerFactory.newInstance();
         DocumentBuilder docBuilder;
         StringWriter stringWriter = new StringWriter();
@@ -571,7 +571,7 @@ private static void getArraySequenceElements(org.json.simple.JSONArray array,
      */
     private static String createParameterElements(String jsonPathElement, String type) throws APIManagementException {
 
-        DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
+        DocumentBuilderFactory docFactory = APIUtil.getSecuredDocumentBuilder();
         DocumentBuilder docBuilder;
         StringWriter stringWriter = new StringWriter();
         TransformerFactory transformerFactory = TransformerFactory.newInstance();

diff --git a/...c/main/java/org/wso2/carbon/apimgt/rest/api/publisher/v1/common/mappings/ImportUtils.java b/...c/main/java/org/wso2/carbon/apimgt/rest/api/publisher/v1/common/mappings/ImportUtils.java
@@ -1631,7 +1631,13 @@ private static byte[] loadWsdlFile(String pathToArchive, APIDTO apiDto) throws I
         }
 
         if (!StringUtils.isEmpty(pathToWsdl)) {
-            return FileUtils.readFileToByteArray(new File(pathToWsdl));
+            // Check the Canonical paths
+            File file = new File(pathToWsdl);
+            String canonicalPath = file.getCanonicalPath();
+            if (!canonicalPath.startsWith(new File(pathToArchive).getCanonicalPath())) {
+                throw new IOException("Attempt to load invalid Wsdl File. File path is outside target directory");
+            }
+            return FileUtils.readFileToByteArray(file);
         }
         throw new IOException("Missing WSDL file. It should be present.");
     }