Merge pull request #73 from reportportal/EPMRPP-94930-security-fix

EPMRPP-94930 security fix
reportportal · Dec 17, 2024 · d07dabd · d07dabd
2 parents 8839492 + d3f83dd
commit d07dabd
Show file tree

Hide file tree

Showing 5 changed files with 128 additions and 10 deletions.
diff --git a/build.gradle b/build.gradle
@@ -122,7 +122,8 @@ shadowJar {
         include(dependency("org.glassfish.jersey.core:jersey-server:.*"))
         include(dependency("org.glassfish.jersey.core:jersey-common:.*"))
         include(dependency("jakarta.ws.rs:jakarta.ws.rs-api:.*"))
-        include(dependency("jakarta.annotation:jakarta.annotation-api:.*"))
+        //include(dependency("jakarta.annotation:jakarta.annotation-api:.*"))
+        include(dependency("org.apache.tomcat:tomcat-annotations-api:.*"))
         include(dependency("org.glassfish.hk2.external:jakarta.inject:.*"))
         include(dependency("org.glassfish.hk2:osgi-resource-locator:.*"))
         include(dependency("org.glassfish.jaxb:jaxb-runtime:.*"))

diff --git a/src/main/java/com/epam/reportportal/extension/jira/CloudJiraExtension.java b/src/main/java/com/epam/reportportal/extension/jira/CloudJiraExtension.java
@@ -168,7 +168,6 @@ protected ObjectMapper configureObjectMapper() {
     params.put(ALLOWED_COMMANDS, new ArrayList<>(pluginCommandMapping.get().keySet()));
     params.put(DOCUMENTATION_LINK_FIELD, DOCUMENTATION_LINK);
     params.put(COMMON_COMMANDS, new ArrayList<>(commonPluginCommandMapping.get().keySet()));
-    initListeners();
     return params;
   }
 
@@ -187,10 +186,10 @@ public IntegrationGroupEnum getIntegrationGroup() {
     return IntegrationGroupEnum.BTS;
   }
 
-//  @PostConstruct
-//  public void createIntegration() {
-//    initListeners();
-//  }
+  @PostConstruct
+  public void createIntegration() {
+    initListeners();
+  }
 
   private void initListeners() {
     ApplicationEventMulticaster applicationEventMulticaster = applicationContext.getBean(

diff --git a/...n/java/com/epam/reportportal/extension/jira/command/connection/TestConnectionCommand.java b/...n/java/com/epam/reportportal/extension/jira/command/connection/TestConnectionCommand.java
@@ -22,16 +22,15 @@
 import com.epam.reportportal.extension.PluginCommand;
 import com.epam.reportportal.extension.jira.command.utils.CloudJiraClientProvider;
 import com.epam.reportportal.extension.jira.command.utils.CloudJiraProperties;
+import com.epam.reportportal.extension.jira.utils.IntegrationValidator;
+import com.epam.reportportal.rules.exception.ErrorType;
+import com.epam.reportportal.rules.exception.ReportPortalException;
 import com.epam.ta.reportportal.entity.integration.Integration;
 import com.epam.ta.reportportal.entity.integration.IntegrationParams;
-import com.epam.reportportal.rules.exception.ReportPortalException;
-import com.epam.reportportal.rules.exception.ErrorType;
 import java.util.Map;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import static java.util.Optional.ofNullable;
-
 /**
  * @author <a href="mailto:[email protected]">Pavel Bortnik</a>
  */
@@ -60,6 +59,7 @@ public Boolean executeCommand(Integration integration, Map<String, Object> param
         () -> new ReportPortalException(ErrorType.UNABLE_INTERACT_WITH_INTEGRATION,
             "Project key is not specified."
         ));
+    IntegrationValidator.validateThirdPartyUrl(integration);
 
     try (JiraRestClient restClient = cloudJiraClientProvider.get(integrationParams)) {
       return restClient.getProjectClient().getProject(project).claim() != null;

diff --git a/src/main/java/com/epam/reportportal/extension/jira/utils/IntegrationValidator.java b/src/main/java/com/epam/reportportal/extension/jira/utils/IntegrationValidator.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright 2024 EPAM Systems
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.epam.reportportal.extension.jira.utils;
+
+import com.epam.reportportal.rules.commons.validation.BusinessRule;
+import com.epam.reportportal.rules.commons.validation.Suppliers;
+import com.epam.reportportal.rules.exception.ErrorType;
+import com.epam.ta.reportportal.commons.Predicates;
+import com.epam.ta.reportportal.entity.integration.Integration;
+import java.util.regex.Pattern;
+
+/**
+ * @author <a href="mailto:[email protected]">Siarhei Hrabko</a>
+ */
+public final class IntegrationValidator {
+
+  private static final String JIRA_URL_PATTERN = "https://[^?]*\\.atlassian\\.(com|net).*";
+
+  private IntegrationValidator() {
+    //static only
+  }
+
+
+  /**
+   * Validates Validates Rally server url.
+   *
+   * @param integration {@link Integration}
+   */
+  public static void validateThirdPartyUrl(Integration integration) {
+    var valid = Pattern.matches(JIRA_URL_PATTERN,
+        String.valueOf(integration.getParams().getParams().get("url")));
+
+    BusinessRule.expect(valid, Predicates.equalTo(true))
+        .verify(ErrorType.BAD_REQUEST_ERROR,
+            Suppliers.formattedSupplier("Integration url is not acceptable")
+        );
+  }
+}
diff --git a/src/test/java/com/epam/reportportal/extension/jira/utils/IntegrationValidatorTest.java b/src/test/java/com/epam/reportportal/extension/jira/utils/IntegrationValidatorTest.java
@@ -0,0 +1,66 @@
+/*
+ * Copyright 2024 EPAM Systems
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.epam.reportportal.extension.jira.utils;
+
+import com.epam.reportportal.rules.exception.ReportPortalException;
+import com.epam.ta.reportportal.entity.integration.Integration;
+import com.epam.ta.reportportal.entity.integration.IntegrationParams;
+import java.util.HashMap;
+import java.util.Map;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.CsvSource;
+
+class IntegrationValidatorTest {
+
+  @ParameterizedTest
+  @CsvSource(value = {
+      "https://jira.atlassian.com",
+      "https://random.atlassian.com/",
+      "https://jira.atlassian.net",
+      "https://another.atlassian.net/",
+  }, delimiter = ',')
+  void validateThirdPartyUrl(String url) {
+    Assertions.assertDoesNotThrow(() ->
+        IntegrationValidator.validateThirdPartyUrl(getIntegration(url)));
+  }
+
+  @ParameterizedTest
+  @CsvSource(value = {
+      "https://atlassian.com/",
+      "https://jiraatlassian.com/",
+      "https://zloi.hacker.com?jira=fake.atlassian.com",
+  }, delimiter = ',')
+  void validateThirdPartyUrlFailed(String url) {
+    Assertions.assertThrows(ReportPortalException.class, () ->
+        IntegrationValidator.validateThirdPartyUrl(getIntegration(url)));
+  }
+
+  private static Integration getIntegration(String url) {
+    Map<String, Object> params = new HashMap<>();
+    params.put("url", url);
+
+    IntegrationParams integrationParams = new IntegrationParams();
+    integrationParams.setParams(params);
+
+    Integration integration = new Integration();
+    integration.setParams(integrationParams);
+
+    return integration;
+  }
+
+}