fix path traversals for attachments (via #3272)

Author: baev

allure-generator/src/main/java/io/qameta/allure/allure1/Allure1Plugin.java

@@ -49,6 +49,7 @@
 import java.io.InputStream;
 import java.math.BigInteger;
 import java.nio.file.Files;
+import java.nio.file.LinkOption;
 import java.nio.file.Path;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
@@ -64,6 +65,7 @@
 import java.util.TreeSet;
 import java.util.function.Predicate;
 import java.util.function.Supplier;
+import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
@@ -109,6 +111,7 @@ public class Allure1Plugin implements Reader {
     private static final Comparator<Parameter> PARAMETER_COMPARATOR =
             comparing(Parameter::getName, nullsFirst(naturalOrder()))
                     .thenComparing(Parameter::getValue, nullsFirst(naturalOrder()));
+    private static final Pattern ATTACHMENT_SOURCE_PATTERN = Pattern.compile("^[a-zA-Z0-9._-]{1,100}$");
 
     public static final String ENVIRONMENT_BLOCK_NAME = "environment";
     public static final String ALLURE1_RESULTS_FORMAT = "allure1";
@@ -328,8 +331,20 @@ private Parameter convert(final ru.yandex.qatools.allure.model.Parameter paramet
     private Attachment convert(final Path source,
                                final ResultsVisitor visitor,
                                final ru.yandex.qatools.allure.model.Attachment attachment) {
-        final Path attachmentFile = source.resolve(attachment.getSource());
-        if (Files.isRegularFile(attachmentFile)) {
+        final String attachmentSource = attachment.getSource();
+
+        if (!isValidAttachmentFileName(attachmentSource)) {
+            visitor.error("Invalid attachment source is provided: " + attachmentSource);
+            return new Attachment()
+                    .setType(attachment.getType())
+                    .setName(attachment.getTitle())
+                    .setSize(0L);
+        }
+
+        final Path attachmentFile = source.resolve(attachmentSource).normalize();
+
+        if (attachmentFile.startsWith(source)
+            && Files.isRegularFile(attachmentFile, LinkOption.NOFOLLOW_LINKS)) {
             final Attachment found = visitor.visitAttachmentFile(attachmentFile);
             if (Objects.nonNull(attachment.getType())) {
                 found.setType(attachment.getType());
@@ -343,7 +358,7 @@ private Attachment convert(final Path source,
             }
             return found;
         } else {
-            visitor.error("Could not find attachment " + attachment.getSource() + " in directory " + source);
+            visitor.error("Could not find attachment " + attachmentSource + " in directory " + source);
             return new Attachment()
                     .setType(attachment.getType())
                     .setName(attachment.getTitle())
@@ -554,4 +569,9 @@ private Map<String, String> processEnvironmentXml(final Path directory) {
         }
         return items;
     }
+
+    private static boolean isValidAttachmentFileName(final String fileName) {
+        return Objects.nonNull(fileName) && ATTACHMENT_SOURCE_PATTERN.matcher(fileName).matches();
+
+    }
 }

allure-generator/src/main/java/io/qameta/allure/allure2/Allure2Plugin.java

@@ -42,6 +42,7 @@
 import java.io.InputStream;
 import java.nio.file.DirectoryStream;
 import java.nio.file.Files;
+import java.nio.file.LinkOption;
 import java.nio.file.Path;
 import java.util.ArrayList;
 import java.util.Comparator;
@@ -54,6 +55,7 @@
 import java.util.TreeSet;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.function.Supplier;
+import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 import java.util.stream.StreamSupport;
@@ -87,6 +89,8 @@ public class Allure2Plugin implements Reader {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(Allure2Plugin.class);
 
+    private static final Pattern ATTACHMENT_SOURCE_PATTERN = Pattern.compile("^[a-zA-Z0-9._-]{1,100}$");
+
     private static final Comparator<StageResult> BY_START = comparing(
             StageResult::getTime,
             nullsLast(comparing(Time::getStart, nullsLast(naturalOrder())))
@@ -264,8 +268,19 @@ private Parameter convert(final io.qameta.allure.model.Parameter parameter) {
     private Attachment convert(final Path source,
                                final ResultsVisitor visitor,
                                final io.qameta.allure.model.Attachment attachment) {
-        final Path attachmentFile = source.resolve(attachment.getSource());
-        if (Files.isRegularFile(attachmentFile)) {
+        final String attachmentSource = attachment.getSource();
+        if (!isValidAttachmentFileName(attachmentSource)) {
+            visitor.error("Invalid attachment source is provided: " + attachmentSource);
+            return new Attachment()
+                    .setType(attachment.getType())
+                    .setName(attachment.getName())
+                    .setSize(0L);
+        }
+
+        final Path attachmentFile = source.resolve(attachmentSource).normalize();
+
+        if (attachmentFile.startsWith(source)
+            && Files.isRegularFile(attachmentFile, LinkOption.NOFOLLOW_LINKS)) {
             final Attachment found = visitor.visitAttachmentFile(attachmentFile);
             if (nonNull(attachment.getType())) {
                 found.setType(attachment.getType());
@@ -279,7 +294,7 @@ private Attachment convert(final Path source,
             }
             return found;
         } else {
-            visitor.error("Could not find attachment " + attachment.getSource() + " in directory " + source);
+            visitor.error("Could not find attachment " + attachmentSource + " in directory " + source);
             return new Attachment()
                     .setType(attachment.getType())
                     .setName(attachment.getName())
@@ -420,4 +435,9 @@ private Stream<Path> listFiles(final Path directory, final String glob) {
             return Stream.empty();
         }
     }
+
+    private static boolean isValidAttachmentFileName(final String fileName) {
+        return nonNull(fileName) && ATTACHMENT_SOURCE_PATTERN.matcher(fileName).matches();
+
+    }
 }

allure-generator/src/test/java/io/qameta/allure/allure1/Allure1PluginTest.java

@@ -355,6 +355,61 @@ void shouldPreserveContentTypeFromAttachment() throws IOException {
         assertThat(attachments.get(0).getSource()).endsWith(".txt");
     }
 
+
+    @Test
+    void shouldNotAllowInvalidCharactersInAttachmentSource() throws IOException {
+        final LaunchResults results = process(
+                "allure1/text-attachment-bad-source.xml", generateTestSuiteXmlName(),
+                "allure1/secret-file.txt", "secret-file.txt"
+        );
+
+        assertThat(results.getAttachments())
+                .isEmpty();
+
+    }
+
+    @Test
+    void shouldNotAllowAttachmentSourcePathTraversal() throws IOException {
+        final Path allureResultsDir = directory.resolve("allure-results");
+        Files.createDirectory(allureResultsDir);
+
+        copyFile(allureResultsDir, "allure1/text-attachment-path-traversal.xml", generateTestSuiteXmlName());
+        copyFile(directory, "allure1/secret-file.txt", "secret-file.txt");
+
+        final Allure1Plugin reader = new Allure1Plugin();
+        final Configuration configuration = ConfigurationBuilder.bundled().build();
+        final DefaultResultsVisitor resultsVisitor = new DefaultResultsVisitor(configuration);
+        reader.readResults(configuration, resultsVisitor, allureResultsDir);
+
+        final LaunchResults results = resultsVisitor.getLaunchResults();
+
+        assertThat(results.getAttachments())
+                .isEmpty();
+
+    }
+
+    @Test
+    void shouldNotAllowAttachmentSourceSymbolicLink() throws IOException {
+        final Path allureResultsDir = directory.resolve("allure-results");
+        Files.createDirectory(allureResultsDir);
+
+        copyFile(allureResultsDir, "allure1/text-attachment-link.xml", generateTestSuiteXmlName());
+        copyFile(allureResultsDir, "allure1/secret-file.txt", "secret-file.txt");
+
+        Files.createSymbolicLink(allureResultsDir.resolve("link.txt"), allureResultsDir.resolve("secret-file.txt"));
+
+        final Allure1Plugin reader = new Allure1Plugin();
+        final Configuration configuration = ConfigurationBuilder.bundled().build();
+        final DefaultResultsVisitor resultsVisitor = new DefaultResultsVisitor(configuration);
+        reader.readResults(configuration, resultsVisitor, allureResultsDir);
+
+        final LaunchResults results = resultsVisitor.getLaunchResults();
+
+        assertThat(results.getAttachments())
+                .isEmpty();
+
+    }
+
     private LaunchResults process(String... strings) throws IOException {
         Iterator<String> iterator = Arrays.asList(strings).iterator();
         while (iterator.hasNext()) {

allure-generator/src/test/java/io/qameta/allure/allure2/Allure2PluginTest.java

@@ -341,6 +341,60 @@ void shouldPreserveContentTypeFromAttachment() throws IOException {
         assertThat(attachments.get(0).getSource()).endsWith(".txt");
     }
 
+    @Test
+    void shouldNotAllowInvalidCharactersInAttachmentSource() throws IOException {
+        final LaunchResults results = process(
+                "allure2/text-attachment-bad-source.json", generateTestResultName(),
+                "allure2/secret-file.txt", "secret-file.txt"
+        );
+
+        assertThat(results.getAttachments())
+                .isEmpty();
+
+    }
+
+    @Test
+    void shouldNotAllowAttachmentSourcePathTraversal() throws IOException {
+        final Path allureResultsDir = directory.resolve("allure-results");
+        Files.createDirectory(allureResultsDir);
+
+        copyFile(allureResultsDir, "allure2/text-attachment-path-traversal.json", generateTestResultName());
+        copyFile(directory, "allure2/secret-file.txt", "secret-file.txt");
+
+        final Allure2Plugin reader = new Allure2Plugin();
+        final Configuration configuration = ConfigurationBuilder.bundled().build();
+        final DefaultResultsVisitor resultsVisitor = new DefaultResultsVisitor(configuration);
+        reader.readResults(configuration, resultsVisitor, allureResultsDir);
+
+        final LaunchResults results = resultsVisitor.getLaunchResults();
+
+        assertThat(results.getAttachments())
+                .isEmpty();
+
+    }
+
+    @Test
+    void shouldNotAllowAttachmentSourceSymbolicLink() throws IOException {
+        final Path allureResultsDir = directory.resolve("allure-results");
+        Files.createDirectory(allureResultsDir);
+
+        copyFile(allureResultsDir, "allure2/text-attachment-link.json", generateTestResultName());
+        copyFile(allureResultsDir, "allure2/secret-file.txt", "secret-file.txt");
+
+        Files.createSymbolicLink(allureResultsDir.resolve("link.txt"), allureResultsDir.resolve("secret-file.txt"));
+
+        final Allure2Plugin reader = new Allure2Plugin();
+        final Configuration configuration = ConfigurationBuilder.bundled().build();
+        final DefaultResultsVisitor resultsVisitor = new DefaultResultsVisitor(configuration);
+        reader.readResults(configuration, resultsVisitor, allureResultsDir);
+
+        final LaunchResults results = resultsVisitor.getLaunchResults();
+
+        assertThat(results.getAttachments())
+                .isEmpty();
+
+    }
+
     private LaunchResults process(String... strings) throws IOException {
         Iterator<String> iterator = Arrays.asList(strings).iterator();
         while (iterator.hasNext()) {

allure-generator/src/test/resources/allure1/secret-file.txt

@@ -0,0 +1 @@
+SECRET CONTENTS

allure-generator/src/test/resources/allure1/text-attachment-bad-source.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<ns2:test-suite xmlns:ns2="urn:model.allure.qatools.yandex.ru" start="1412949538848" stop="1412949560045" version="1.4.4-SNAPSHOT">
+    <name>my.company.AlwaysPassingTest</name>
+    <test-cases>
+        <test-case start="1412949539363" stop="1412949539730" status="passed">
+            <name>testFour</name>
+            <steps/>
+            <attachments>
+              <attachment title="Attachment 1" source="./secret-file.txt" type="text/plain"/>
+              <attachment title="Attachment 2" source="nested/path/secret-file.txt" type="text/plain"/>
+              <attachment title="Attachment 3" source="     " type="text/plain"/>
+              <attachment title="Attachment 4" source="#####.txt" type="text/plain"/>
+            </attachments>
+        </test-case>
+    </test-cases>
+</ns2:test-suite>

allure-generator/src/test/resources/allure1/text-attachment-link.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<ns2:test-suite xmlns:ns2="urn:model.allure.qatools.yandex.ru" start="1412949538848" stop="1412949560045" version="1.4.4-SNAPSHOT">
+    <name>my.company.AlwaysPassingTest</name>
+    <test-cases>
+        <test-case start="1412949539363" stop="1412949539730" status="passed">
+            <name>testFour</name>
+            <steps/>
+            <attachments>
+              <attachment title="String attachment in test" source="link.txt" type="text/plain"/>
+            </attachments>
+        </test-case>
+    </test-cases>
+</ns2:test-suite>

allure-generator/src/test/resources/allure1/text-attachment-path-traversal.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<ns2:test-suite xmlns:ns2="urn:model.allure.qatools.yandex.ru" start="1412949538848" stop="1412949560045" version="1.4.4-SNAPSHOT">
+    <name>my.company.AlwaysPassingTest</name>
+    <test-cases>
+        <test-case start="1412949539363" stop="1412949539730" status="passed">
+            <name>testFour</name>
+            <steps/>
+            <attachments>
+              <attachment title="String attachment in test" source="../secret-file.txt" type="text/plain"/>
+            </attachments>
+        </test-case>
+    </test-cases>
+</ns2:test-suite>

allure-generator/src/test/resources/allure2/secret-file.txt

@@ -0,0 +1 @@
+SECRET CONTENTS

allure-generator/src/test/resources/allure2/text-attachment-bad-source.json

@@ -0,0 +1,28 @@
+{
+  "status": "passed",
+  "name": "shouldCreate",
+  "start": 1479552611395,
+  "stop": 1479552611399,
+  "attachments": [
+    {
+      "name": "Attachment 1",
+      "source": "./secret-file.txt",
+      "type": "text/plain"
+    },
+    {
+      "name": "Attachment 2",
+      "source": "nested/path/secret-file.txt",
+      "type": "text/plain"
+    },
+    {
+      "name": "Attachment 3",
+      "source": "     ",
+      "type": "text/plain"
+    },
+    {
+      "name": "Attachment 4",
+      "source": "#####.txt",
+      "type": "text/plain"
+    }
+  ]
+}