FUND-2081 - Improvements regarding Polaris scan (#95)

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: MartKazak

src/OneGround.ZGW.Common/Helpers/TempFileHelper.cs

@@ -5,21 +5,22 @@ namespace OneGround.ZGW.Common.Helpers;
 
 public static class TempFileHelper
 {
-    // Note: Attempt to fix issue 'Filesystem path, filename, or URI manipulation'
-    public static void AssureNotTampered(string fullFileName)
+    public static string GetValidatedPath(string fullFileName)
     {
         if (fullFileName == null)
-            return;
+            return null;
 
         if (fullFileName.Contains(".."))
             throw new SecurityException("Full file name contains not allowed characters.");
 
         var directory = Path.GetDirectoryName(fullFileName);
 
         if (directory == null)
-            return;
+            return null;
 
         if (!directory.StartsWith(Path.GetTempPath().TrimEnd(Path.DirectorySeparatorChar)))
-            throw new SecurityException("Temporary file does not contains the temporary folder which should be.");
+            throw new SecurityException("Temporary file does not contain the temporary folder which should be.");
+
+        return fullFileName;
     }
 }

src/OneGround.ZGW.Documenten.Services.Ceph/CephDocumentServices.cs

@@ -28,9 +28,7 @@ public class CephDocumentServices : IDocumentService
     public CephDocumentServices(ILogger<CephDocumentServices> logger, IConfiguration configuration)
     {
         _logger = logger;
-
         _lazySettings = new Lazy<CephDocumentServicesSettings>(() => GetSettings(configuration));
-
         _lazyClient = new Lazy<AmazonS3Client>(GetClient);
     }
 
@@ -58,23 +56,30 @@ public async Task<Document> AddDocumentAsync(
         if (metadata == null || string.IsNullOrEmpty(metadata.Rsin))
             throw new InvalidOperationException("Rsin is required to be filled in metadata");
 
-        TempFileHelper.AssureNotTampered(contentFile);
+        var validatedContentFile = TempFileHelper.GetValidatedPath(contentFile);
 
-        if (!File.Exists(contentFile))
-            throw new InvalidOperationException($"Content file '{contentFile}' does not exist.");
+        if (!File.Exists(validatedContentFile))
+            throw new InvalidOperationException($"Content file '{validatedContentFile}' does not exist.");
 
-        string bucket = GetOrGenerateBucketName(metadata.Rsin);
+        var bucket = GetOrGenerateBucketName(metadata.Rsin);
 
         await EnsureBucketExistsAsync(bucket, cancellationToken);
 
         var key = $"{Guid.NewGuid()}";
 
         try
         {
-            using FileStream content = new FileStream(contentFile, FileMode.Open, FileAccess.Read, FileShare.Read, bufferSize, useAsync: true); // When using 'useAsync: true' you get better performance with buffers much larger than the default 4096 bytes.
-            long documentSize = content.Length;
-
-            _logger.LogDebug("Streaming data from {contentFile} to AmazonS3 object using key {key}...", contentFile, key);
+            await using var content = new FileStream(
+                validatedContentFile,
+                FileMode.Open,
+                FileAccess.Read,
+                FileShare.Read,
+                bufferSize,
+                useAsync: true
+            ); // When using 'useAsync: true' you get better performance with buffers much larger than the default 4096 bytes.
+            var documentSize = content.Length;
+
+            _logger.LogDebug("Streaming data from {validatedContentFile} to AmazonS3 object using key {key}...", validatedContentFile, key);
 
             var request = new PutObjectRequest
             {
@@ -85,7 +90,7 @@ public async Task<Document> AddDocumentAsync(
 
             request.Metadata.Add(metadata, documentName);
 
-            using (request.InputStream = content)
+            await using (request.InputStream = content)
             {
                 _logger.LogDebug("Writing document '{documentName}' to bucket '{bucket}'...", documentName, bucket);
 
@@ -104,7 +109,7 @@ public async Task<Document> AddDocumentAsync(
         {
             if (deleteContentFile)
             {
-                File.Delete(contentFile);
+                File.Delete(validatedContentFile);
             }
         }
     }
@@ -125,13 +130,13 @@ public async Task<Document> AddDocumentAsync(
         if (metadata == null || string.IsNullOrEmpty(metadata.Rsin))
             throw new InvalidOperationException("Rsin is required to be filled in metadata");
 
-        string bucket = GetOrGenerateBucketName(metadata.Rsin);
+        var bucket = GetOrGenerateBucketName(metadata.Rsin);
 
         await EnsureBucketExistsAsync(bucket, cancellationToken);
 
         var key = $"{Guid.NewGuid()}";
 
-        long length = content.Length;
+        var length = content.Length;
 
         var request = new PutObjectRequest
         {
@@ -160,7 +165,7 @@ public async Task DeleteDocumentAsync(DocumentUrn urn, CancellationToken cancell
 
         if (await DocumentExistsAsync(urn, cancellationToken))
         {
-            DeleteObjectRequest request = new DeleteObjectRequest { BucketName = urn.Name, Key = urn.ObjectId };
+            var request = new DeleteObjectRequest { BucketName = urn.Name, Key = urn.ObjectId };
 
             await Client.DeleteObjectAsync(request, cancellationToken);
         }
@@ -213,7 +218,7 @@ public async Task<MultiPartDocument> InitiateMultipartUploadAsync(
         if (metadata == null || string.IsNullOrEmpty(metadata.Rsin))
             throw new InvalidOperationException("Rsin is required to be filled in metadata");
 
-        string bucket = GetOrGenerateBucketName(metadata.Rsin);
+        var bucket = GetOrGenerateBucketName(metadata.Rsin);
 
         await EnsureBucketExistsAsync(bucket, cancellationToken);
 
@@ -230,7 +235,7 @@ public async Task<MultiPartDocument> InitiateMultipartUploadAsync(
 
         var response = await Client.InitiateMultipartUploadAsync(request, cancellationToken);
 
-        InternalMultiPartDocument internalMultiPartDocument = new InternalMultiPartDocument(response.UploadId, bucket, key);
+        var internalMultiPartDocument = new InternalMultiPartDocument(response.UploadId, bucket, key);
 
         return ToContext(internalMultiPartDocument);
     }
@@ -245,7 +250,7 @@ public async Task<IUploadPart> TryUploadPartAsync(
     {
         LastError = ("", DocumentError.None);
 
-        InternalMultiPartDocument internalMultiPartDocument = FromContext(multipPartDocument);
+        var internalMultiPartDocument = FromContext(multipPartDocument);
 
         if (content.Length != size)
         {
@@ -282,7 +287,7 @@ public async Task<Document> CompleteMultipartUploadAsync(
     {
         LastError = ("", DocumentError.None);
 
-        InternalMultiPartDocument internalMultiPartDocument = FromContext(multipPartDocument);
+        var internalMultiPartDocument = FromContext(multipPartDocument);
 
         var parts = uploadparts.Select(MapUploadPart).ToList();
 
@@ -300,7 +305,7 @@ public async Task<Document> CompleteMultipartUploadAsync(
 
         var documentUrn = new DocumentUrn(ProviderPrefix, internalMultiPartDocument.Name, internalMultiPartDocument.Key);
 
-        long length = parts.Sum(p => p.Size);
+        var length = parts.Sum(p => p.Size);
 
         return new Document(documentUrn, length);
     }
@@ -311,7 +316,7 @@ public async Task<bool> AbortMultipartUploadAsync(IMultiPartDocument multipPartD
 
         try
         {
-            InternalMultiPartDocument internalMultiPartDocument = FromContext(multipPartDocument);
+            var internalMultiPartDocument = FromContext(multipPartDocument);
 
             var request = new AbortMultipartUploadRequest
             {
@@ -429,20 +434,20 @@ private AmazonS3Client GetClient()
 
     private string GetOrGenerateBucketName(string rsin)
     {
-        string buckettemplate = Settings.Bucket ?? "{yyyyMM}"; // Note: When not specified default is: store buckets per year+month
+        var buckettemplate = Settings.Bucket ?? "{yyyyMM}"; // Note: When not specified default is: store buckets per year+month
 
         buckettemplate = buckettemplate.Replace("{rsin}", rsin);
 
-        int posTmplL = buckettemplate.IndexOf('{');
-        int posTmplR = buckettemplate.IndexOf('}');
+        var posTmplL = buckettemplate.IndexOf('{');
+        var posTmplR = buckettemplate.IndexOf('}');
 
         string bucket;
         if (posTmplL > -1 && posTmplR > -1 && posTmplL < posTmplR)
         {
             var template = buckettemplate.Substring(posTmplL + 1, posTmplR - posTmplL - 1);
 
-            string leftPart = buckettemplate.Substring(0, posTmplL);
-            string rightPart = buckettemplate.Substring(posTmplR + 1);
+            var leftPart = buckettemplate.Substring(0, posTmplL);
+            var rightPart = buckettemplate.Substring(posTmplR + 1);
 
             bucket = leftPart + DateTime.UtcNow.ToString(template) + rightPart;
         }
@@ -462,7 +467,7 @@ private string GetOrGenerateBucketName(string rsin)
 
     private static CephDocumentServicesSettings GetSettings(IConfiguration configuration)
     {
-        string key = "CephDocumentServicesSettings";
+        var key = "CephDocumentServicesSettings";
 
         var settings =
             configuration.GetSection(key).Get<CephDocumentServicesSettings>()

src/Tests/OneGround.ZGW.Catalogi.WebApi.UnitTests/BusinessRulesTests/ConceptBusinessRulesTest.cs

@@ -6,7 +6,6 @@
 using Moq;
 using OneGround.ZGW.Catalogi.DataModel;
 using OneGround.ZGW.Catalogi.Web.BusinessRules;
-using OneGround.ZGW.Common.Contracts.v1;
 using OneGround.ZGW.Common.Web.Services.UriServices;
 using Xunit;
 
@@ -96,11 +95,7 @@ public void BesluitTypeRelationsValidator_Add_New_Relation_With_Missing_Original
     {
         // Setup
 
-        var existingZaakTypeGuids = new List<Guid>
-        {
-            new Guid("16ee54a6-5578-16e0-014d-2ee79069bb55"),
-            new Guid("835827db-e46d-4d84-a41c-ccd80c3f9e4a"),
-        };
+        var existingZaakTypeGuids = new List<Guid> { new("16ee54a6-5578-16e0-014d-2ee79069bb55"), new("835827db-e46d-4d84-a41c-ccd80c3f9e4a") };
 
         var patchZaakTypeUrls = new List<string>
         {
@@ -110,7 +105,7 @@ public void BesluitTypeRelationsValidator_Add_New_Relation_With_Missing_Original
         };
 
         // Act
-        bool validated = _besluitTypeRelationsValidator.Validate(existingZaakTypeGuids, patchZaakTypeUrls);
+        var validated = _besluitTypeRelationsValidator.Validate(existingZaakTypeGuids, patchZaakTypeUrls);
 
         // Assert
         Assert.False(validated);
@@ -121,11 +116,7 @@ public void BesluitTypeRelationsValidator_Add_New_Relation_With_Original_Relatio
     {
         // Setup
 
-        var existingZaakTypeGuids = new List<Guid>
-        {
-            new Guid("f6d279e0-3bcb-4263-9585-6448a3690a39"),
-            new Guid("835827db-e46d-4d84-a41c-ccd80c3f9e4a"),
-        };
+        var existingZaakTypeGuids = new List<Guid> { new("f6d279e0-3bcb-4263-9585-6448a3690a39"), new("835827db-e46d-4d84-a41c-ccd80c3f9e4a") };
 
         var patchZaakTypeUrls = new List<string>
         {
@@ -139,7 +130,7 @@ public void BesluitTypeRelationsValidator_Add_New_Relation_With_Original_Relatio
         _mockedUriService.Setup(m => m.GetId(patchZaakTypeUrls[2])).Returns(Guid.Parse(patchZaakTypeUrls[2].Split('/').Last()));
 
         // Act
-        bool validated = _besluitTypeRelationsValidator.Validate(existingZaakTypeGuids, patchZaakTypeUrls);
+        var validated = _besluitTypeRelationsValidator.Validate(existingZaakTypeGuids, patchZaakTypeUrls);
 
         // Assert
         Assert.True(validated);
@@ -150,11 +141,7 @@ public void BesluitTypeRelationsValidator_Add_New_Relation_With_Original_Relatio
     {
         // Setup
 
-        var existingZaakTypeGuids = new List<Guid>
-        {
-            new Guid("f6d279e0-3bcb-4263-9585-6448a3690a39"),
-            new Guid("835827db-e46d-4d84-a41c-ccd80c3f9e4a"),
-        };
+        var existingZaakTypeGuids = new List<Guid> { new("f6d279e0-3bcb-4263-9585-6448a3690a39"), new("835827db-e46d-4d84-a41c-ccd80c3f9e4a") };
 
         var patchZaakTypeUrls = new List<string>
         {
@@ -168,7 +155,7 @@ public void BesluitTypeRelationsValidator_Add_New_Relation_With_Original_Relatio
         _mockedUriService.Setup(m => m.GetId(patchZaakTypeUrls[2])).Returns(Guid.Parse(patchZaakTypeUrls[2].Split('/').Last()));
 
         // Act
-        bool validated = _besluitTypeRelationsValidator.Validate(existingZaakTypeGuids, patchZaakTypeUrls);
+        var validated = _besluitTypeRelationsValidator.Validate(existingZaakTypeGuids, patchZaakTypeUrls);
 
         // Assert
         Assert.True(validated);

src/Tests/OneGround.ZGW.Common.UnitTests/TempFileHelperTests.cs

@@ -18,7 +18,7 @@ public void AssureNotTampered_With_An_Valid_Temp_File_Should_Return()
         // Act
         var ex = Record.Exception(() =>
         {
-            TempFileHelper.AssureNotTampered(fullFileName: fullFileName);
+            TempFileHelper.GetValidatedPath(fullFileName: fullFileName);
         });
 
         // Assert
@@ -34,7 +34,7 @@ public void AssureNotTampered_With_An_Tampered_File_Should_Throw_An_Exception()
         // Act
         var ex = Record.Exception(() =>
         {
-            TempFileHelper.AssureNotTampered(fullFileName: @"c:\windows\system32\kernel32.dll");
+            TempFileHelper.GetValidatedPath(fullFileName: @"c:\windows\system32\kernel32.dll");
         });
 
         // Assert
@@ -54,7 +54,7 @@ public void AssureNotTampered_With_An_Tampered_Path_Should_Throw_An_Exception()
         // Act
         var ex = Record.Exception(() =>
         {
-            TempFileHelper.AssureNotTampered(fullFileName: fullFileName);
+            TempFileHelper.GetValidatedPath(fullFileName: fullFileName);
         });
 
         // Assert