Check types for solution handler upload

Author: vcarluer

api/src/main/resources/application.yml

@@ -101,6 +101,7 @@ csm:
       authorized-mime-types:
         workspaces:
           - application/zip
+          - application/xml
           - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
           - application/x-tika-ooxml
           - text/csv
@@ -111,6 +112,7 @@ csm:
           - application/x-sh
           - text/x-python
           - text/plain
+          - text/x-yaml
     vendor: azure
     azure:
       appIdUri: "http://dev.api.cosmotech.com"

build.gradle.kts

@@ -49,7 +49,6 @@ allprojects {
   apply(plugin = "io.gitlab.arturbosch.detekt")
 
   repositories {
-    mavenLocal()
     maven {
       name = "GitHubPackages"
       url = uri("https://maven.pkg.github.com/Cosmo-Tech/cosmotech-api-common")

solution/src/main/kotlin/com/cosmotech/solution/azure/SolutionServiceImpl.kt

@@ -12,6 +12,7 @@ import com.cosmotech.api.events.OrganizationRegistered
 import com.cosmotech.api.events.OrganizationUnregistered
 import com.cosmotech.api.exceptions.CsmAccessForbiddenException
 import com.cosmotech.api.exceptions.CsmResourceNotFoundException
+import com.cosmotech.api.utils.ResourceScanner
 import com.cosmotech.api.utils.changed
 import com.cosmotech.api.utils.compareToAndMutateIfNeeded
 import com.cosmotech.api.utils.getCurrentAuthenticatedUserName
@@ -37,6 +38,7 @@ import org.springframework.stereotype.Service
 internal class SolutionServiceImpl(
     private val resourceLoader: ResourceLoader,
     private val azureStorageBlobServiceClient: BlobServiceClient,
+    private val resourceScanner: ResourceScanner,
 ) : CsmAzureService(), SolutionApiService {
 
   override fun findAllSolutions(organizationId: String) =
@@ -243,9 +245,6 @@ internal class SolutionServiceImpl(
         solution.name,
         solution.version)
 
-    // Security checks
-    // TODO Security-wise, we should also check the content of the archive for potential attack
-    // vectors, like upload of malicious files, zip bombing, path traversal attacks, ...
     try {
       val archiverType = ArchiveStreamFactory.detect(body.inputStream.buffered())
       if (ArchiveStreamFactory.ZIP != archiverType) {
@@ -256,6 +255,8 @@ internal class SolutionServiceImpl(
       throw IllegalArgumentException("A Zip Archive is expected.", ae)
     }
 
+    resourceScanner.scanMimeTypes(body, csmPlatformProperties.upload.authorizedMimeTypes.handlers)
+
     azureStorageBlobServiceClient
         .getBlobContainerClient(organizationId.sanitizeForAzureStorage())
         .getBlobClient(

workspace/src/test/kotlin/com/cosmotech/workspace/azure/WorkspaceServiceImplTests.kt

@@ -73,6 +73,7 @@ class WorkspaceServiceImplTests {
     every { csmPlatformPropertiesAuthorizedMimeTypes.workspaces } returns
         listOf(
             "application/zip",
+            "application/xml",
             "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
             "application/x-tika-ooxml",
             "text/csv",