diff --git a/basyx.aasenvironment/basyx.aasenvironment-core/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/environmentloader/CompleteEnvironment.java b/basyx.aasenvironment/basyx.aasenvironment-core/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/environmentloader/CompleteEnvironment.java index 87d4bba5f..2e75dad9d 100644 --- a/basyx.aasenvironment/basyx.aasenvironment-core/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/environmentloader/CompleteEnvironment.java +++ b/basyx.aasenvironment/basyx.aasenvironment-core/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/environmentloader/CompleteEnvironment.java @@ -38,6 +38,7 @@ import org.eclipse.digitaltwin.aas4j.v3.dataformat.json.JsonDeserializer; import org.eclipse.digitaltwin.aas4j.v3.dataformat.xml.XmlDeserializer; import org.eclipse.digitaltwin.aas4j.v3.model.Environment; +import org.eclipse.digitaltwin.basyx.core.exceptions.ZipBombException; /** * Represents an environment and its relatedFiles @@ -92,11 +93,11 @@ public List getRelatedFiles() { return relatedFiles; } - public static CompleteEnvironment fromFile(File file) throws DeserializationException, InvalidFormatException, IOException { + public static CompleteEnvironment fromFile(File file) throws DeserializationException, InvalidFormatException, IOException, ZipBombException { return fromInputStream(new FileInputStream(file), EnvironmentType.getFromFilePath(file.getPath())); } - public static CompleteEnvironment fromInputStream(InputStream inputStream, EnvironmentType envType) throws DeserializationException, InvalidFormatException, IOException { + public static CompleteEnvironment fromInputStream(InputStream inputStream, EnvironmentType envType) throws DeserializationException, InvalidFormatException, IOException, ZipBombException { Environment environment = null; List relatedFiles = null; 
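Review bot: `fromFile` opens `new FileInputStream(file)` inline and never closes it, and this commit adds one more early exit (the new `ZipBombException`) on which the file handle stays open, unless `fromInputStream` closes the stream itself, which these hunks do not show. Scoping the stream keeps the handle bounded on every path: `try (InputStream in = new FileInputStream(file)) { return fromInputStream(in, EnvironmentType.getFromFilePath(file.getPath())); }`. This assumes the returned related files are fully read into memory before `fromInputStream` returns, which should be confirmed against `AASXDeserializer`.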
@@ -109,9 +110,16 @@ public static CompleteEnvironment fromInputStream(InputStream inputStream, Envir environment = deserializer.read(inputStream); } if(envType == EnvironmentType.AASX) { - AASXDeserializer deserializer = new AASXDeserializer(inputStream); - relatedFiles = deserializer.getRelatedFiles(); - environment = deserializer.read(); + try { + AASXDeserializer deserializer = new AASXDeserializer(inputStream); + relatedFiles = deserializer.getRelatedFiles(); + environment = deserializer.read(); + } catch (Exception e) { + if (e.getMessage().startsWith("Zip bomb")) { + throw new ZipBombException(e); + } + throw e; + } } return new CompleteEnvironment(environment, relatedFiles); diff --git a/basyx.aasenvironment/basyx.aasenvironment-core/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/preconfiguration/AasEnvironmentPreconfigurationLoader.java b/basyx.aasenvironment/basyx.aasenvironment-core/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/preconfiguration/AasEnvironmentPreconfigurationLoader.java index 0a19055c2..53840a225 100644 --- a/basyx.aasenvironment/basyx.aasenvironment-core/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/preconfiguration/AasEnvironmentPreconfigurationLoader.java +++ b/basyx.aasenvironment/basyx.aasenvironment-core/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/preconfiguration/AasEnvironmentPreconfigurationLoader.java @@ -42,6 +42,7 @@ import org.eclipse.digitaltwin.basyx.aasenvironment.environmentloader.CompleteEnvironment; import org.eclipse.digitaltwin.basyx.aasenvironment.environmentloader.CompleteEnvironment.EnvironmentType; import org.eclipse.digitaltwin.basyx.authorization.CommonAuthorizationProperties; +import org.eclipse.digitaltwin.basyx.core.exceptions.ZipBombException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; 
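Review bot: The new `catch (Exception e)` block in `fromInputStream` calls `e.getMessage().startsWith("Zip bomb")` without a null check, so any exception that carries no message becomes a NullPointerException that hides the real failure. The test also looks only at the outermost exception, so a zip-bomb error that the AASX deserializer wraps in another exception (not visible here, to be confirmed) is rethrown unclassified and never reaches the new handler. Matching on the English prefix ties the check to the wording of the underlying library's message, which may change between versions, so a test that pins this behaviour would be useful. I would make the check null-safe and walk the cause chain as below; the start of `fromInputStream` is in the previous hunk.

```java
} catch (Exception e) {
	// The zip-bomb error may arrive wrapped, and getMessage() may be null.
	for (Throwable cause = e; cause != null; cause = cause.getCause()) {
		String message = cause.getMessage();
		if (message != null && message.startsWith("Zip bomb")) {
			throw new ZipBombException(e);
		}
	}
	throw e;
}
```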
@@ -77,7 +78,7 @@ public boolean shouldLoadPreconfiguredEnvironment() { } public void loadPreconfiguredEnvironments(AasEnvironment aasEnvironment) - throws IOException, DeserializationException, InvalidFormatException { + throws IOException, DeserializationException, InvalidFormatException, ZipBombException { List files = scanForEnvironments(pathsToLoad); if (files.isEmpty()) diff --git a/basyx.aasenvironment/basyx.aasenvironment-core/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/preconfiguration/PreconfigurationLoaderInitializer.java b/basyx.aasenvironment/basyx.aasenvironment-core/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/preconfiguration/PreconfigurationLoaderInitializer.java index e2a354679..b17963d30 100644 --- a/basyx.aasenvironment/basyx.aasenvironment-core/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/preconfiguration/PreconfigurationLoaderInitializer.java +++ b/basyx.aasenvironment/basyx.aasenvironment-core/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/preconfiguration/PreconfigurationLoaderInitializer.java @@ -30,6 +30,7 @@ import org.apache.poi.openxml4j.exceptions.InvalidFormatException; import org.eclipse.digitaltwin.aas4j.v3.dataformat.core.DeserializationException; import org.eclipse.digitaltwin.basyx.aasenvironment.AasEnvironment; +import org.eclipse.digitaltwin.basyx.core.exceptions.ZipBombException; import org.springframework.beans.factory.InitializingBean; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; @@ -60,7 +61,7 @@ public void afterPropertiesSet() throws Exception { loadPreconfiguredEnvironment(); } - private void loadPreconfiguredEnvironment() throws IOException, InvalidFormatException, DeserializationException { + private void loadPreconfiguredEnvironment() throws IOException, InvalidFormatException, DeserializationException, ZipBombException { if (!preconfigurationLoader.shouldLoadPreconfiguredEnvironment()) { return; } 
diff --git a/basyx.aasenvironment/basyx.aasenvironment-core/src/test/java/org/eclipse/digitaltwin/basyx/aasenvironment/AasEnvironmentLoaderTest.java b/basyx.aasenvironment/basyx.aasenvironment-core/src/test/java/org/eclipse/digitaltwin/basyx/aasenvironment/AasEnvironmentLoaderTest.java index 136e14dd0..5526c6dec 100644 --- a/basyx.aasenvironment/basyx.aasenvironment-core/src/test/java/org/eclipse/digitaltwin/basyx/aasenvironment/AasEnvironmentLoaderTest.java +++ b/basyx.aasenvironment/basyx.aasenvironment-core/src/test/java/org/eclipse/digitaltwin/basyx/aasenvironment/AasEnvironmentLoaderTest.java @@ -36,6 +36,7 @@ import org.eclipse.digitaltwin.basyx.conceptdescriptionrepository.backend.CrudConceptDescriptionRepositoryFactory; import org.eclipse.digitaltwin.basyx.conceptdescriptionrepository.backend.InMemoryConceptDescriptionBackend; import org.eclipse.digitaltwin.basyx.core.exceptions.CollidingIdentifierException; +import org.eclipse.digitaltwin.basyx.core.exceptions.ZipBombException; import org.eclipse.digitaltwin.basyx.core.filerepository.InMemoryFileRepository; import org.eclipse.digitaltwin.basyx.core.pagination.PaginationInfo; import org.eclipse.digitaltwin.basyx.submodelrepository.SubmodelRepository; @@ -79,7 +80,7 @@ public void setUp() { conceptDescriptionRepository = Mockito.spy(CrudConceptDescriptionRepositoryFactory.builder().backend(new InMemoryConceptDescriptionBackend()).create()); } - protected void loadRepositories(List pathsToLoad) throws IOException, DeserializationException, InvalidFormatException { + protected void loadRepositories(List pathsToLoad) throws IOException, DeserializationException, InvalidFormatException, ZipBombException { DefaultAASEnvironment envLoader = new DefaultAASEnvironment(aasRepository, submodelRepository, conceptDescriptionRepository); for (String path: pathsToLoad) { 
@@ -89,7 +90,7 @@ protected void loadRepositories(List pathsToLoad) throws IOException, De } @Test - public void testWithResourceFile_AllElementsAreDeployed() throws InvalidFormatException, IOException, DeserializationException { + public void testWithResourceFile_AllElementsAreDeployed() throws InvalidFormatException, IOException, DeserializationException, ZipBombException { loadRepositories(List.of(TEST_ENVIRONMENT_JSON)); Assert.assertEquals(2, aasRepository.getAllAas(null, null, PaginationInfo.NO_LIMIT).getResult().size()); @@ -98,7 +99,7 @@ public void testWithResourceFile_AllElementsAreDeployed() throws InvalidFormatEx } @Test - public void testDeployedTwiceNoVersion_AllDeployedButNotOverriden() throws InvalidFormatException, IOException, DeserializationException { + public void testDeployedTwiceNoVersion_AllDeployedButNotOverriden() throws InvalidFormatException, IOException, DeserializationException, ZipBombException { loadRepositories(List.of(TEST_ENVIRONMENT_JSON)); loadRepositories(List.of(TEST_ENVIRONMENT_JSON)); @@ -114,7 +115,7 @@ public void testDeployedTwiceNoVersion_AllDeployedButNotOverriden() throws Inval } @Test - public void testDeployedTwiceWithSameVersion_AllDeployedButNotOverriden() throws InvalidFormatException, IOException, DeserializationException { + public void testDeployedTwiceWithSameVersion_AllDeployedButNotOverriden() throws InvalidFormatException, IOException, DeserializationException, ZipBombException { loadRepositories(List.of(TEST_ENVIRONMENT_VERSION_ON_SECOND_JSON)); loadRepositories(List.of(TEST_ENVIRONMENT_VERSION_ON_SECOND_JSON)); 
@@ -130,7 +131,7 @@ public void testDeployedTwiceWithSameVersion_AllDeployedButNotOverriden() throws } @Test - public void testDeployedTwiceNewRevision_ElementsAreOverriden() throws InvalidFormatException, IOException, DeserializationException { + public void testDeployedTwiceNewRevision_ElementsAreOverriden() throws InvalidFormatException, IOException, DeserializationException, ZipBombException { loadRepositories(List.of(TEST_ENVIRONMENT_VERSION_ON_SECOND_JSON)); loadRepositories(List.of(TEST_ENVIRONMENT_VERSION_AND_REVISION_ON_SECOND_JSON)); @@ -159,7 +160,7 @@ public void testDuplicateShellIdsInEnvironments_ExceptionIsThrown() { } @Test - public void testWithResourceFile_NoExceptionsWhenReuploadAfterElementsAreRemoved() throws InvalidFormatException, IOException, DeserializationException { + public void testWithResourceFile_NoExceptionsWhenReuploadAfterElementsAreRemoved() throws InvalidFormatException, IOException, DeserializationException, ZipBombException { AasEnvironment envLoader = new DefaultAASEnvironment(aasRepository, submodelRepository, conceptDescriptionRepository); loadRepositoriesWithEnvironment(List.of(TEST_ENVIRONMENT_JSON), envLoader); @@ -178,7 +179,7 @@ public void testWithResourceFile_NoExceptionsWhenReuploadAfterElementsAreRemoved } @Test - public void testWithResourceFile_ExceptionIsThrownWhenReuploadWithExistingElements() throws InvalidFormatException, IOException, DeserializationException { + public void testWithResourceFile_ExceptionIsThrownWhenReuploadWithExistingElements() throws InvalidFormatException, IOException, DeserializationException, ZipBombException { AasEnvironment envLoader = new DefaultAASEnvironment(aasRepository, submodelRepository, conceptDescriptionRepository); loadRepositoriesWithEnvironment(List.of(TEST_ENVIRONMENT_JSON), envLoader); 
@@ -191,7 +192,7 @@ public void testWithResourceFile_ExceptionIsThrownWhenReuploadWithExistingElemen Assert.assertThrows(expectedMsg, CollidingIdentifierException.class, () -> loadRepositoriesWithEnvironment(List.of(TEST_ENVIRONMENT_JSON), envLoader)); } - private void loadRepositoriesWithEnvironment(List pathsToLoad, AasEnvironment aasEnvironment) throws IOException, DeserializationException, InvalidFormatException { + private void loadRepositoriesWithEnvironment(List pathsToLoad, AasEnvironment aasEnvironment) throws IOException, DeserializationException, InvalidFormatException, ZipBombException { for (String path: pathsToLoad) { File file = rLoader.getResource(path).getFile(); diff --git a/basyx.aasenvironment/basyx.aasenvironment-core/src/test/java/org/eclipse/digitaltwin/basyx/aasenvironment/PreconfigurationLoaderTextualResourceTest.java b/basyx.aasenvironment/basyx.aasenvironment-core/src/test/java/org/eclipse/digitaltwin/basyx/aasenvironment/PreconfigurationLoaderTextualResourceTest.java index f06e29e94..ecd16bbf5 100644 --- a/basyx.aasenvironment/basyx.aasenvironment-core/src/test/java/org/eclipse/digitaltwin/basyx/aasenvironment/PreconfigurationLoaderTextualResourceTest.java +++ b/basyx.aasenvironment/basyx.aasenvironment-core/src/test/java/org/eclipse/digitaltwin/basyx/aasenvironment/PreconfigurationLoaderTextualResourceTest.java @@ -31,6 +31,7 @@ import org.eclipse.digitaltwin.aas4j.v3.dataformat.core.DeserializationException; import org.eclipse.digitaltwin.basyx.aasenvironment.base.DefaultAASEnvironment; import org.eclipse.digitaltwin.basyx.aasenvironment.preconfiguration.AasEnvironmentPreconfigurationLoader; +import org.eclipse.digitaltwin.basyx.core.exceptions.ZipBombException; import org.eclipse.digitaltwin.basyx.core.pagination.PaginationInfo; import org.junit.Assert; import org.junit.Test; 
@@ -45,13 +46,13 @@ public class PreconfigurationLoaderTextualResourceTest extends AasEnvironmentLoaderTest { @Override - protected void loadRepositories(List pathsToLoad) throws IOException, InvalidFormatException, DeserializationException { + protected void loadRepositories(List pathsToLoad) throws IOException, InvalidFormatException, DeserializationException, ZipBombException { AasEnvironmentPreconfigurationLoader envLoader = new AasEnvironmentPreconfigurationLoader(rLoader, pathsToLoad); envLoader.loadPreconfiguredEnvironments(new DefaultAASEnvironment(aasRepository, submodelRepository, conceptDescriptionRepository)); } @Test - public void testWithEmptyResource_NoElementsAreDeployed() throws InvalidFormatException, IOException, DeserializationException { + public void testWithEmptyResource_NoElementsAreDeployed() throws InvalidFormatException, IOException, DeserializationException, ZipBombException { loadRepositories(List.of()); Assert.assertTrue(aasRepository.getAllAas(null, null, PaginationInfo.NO_LIMIT).getResult().isEmpty()); Assert.assertTrue(submodelRepository.getAllSubmodels(PaginationInfo.NO_LIMIT).getResult().isEmpty()); diff --git a/basyx.aasenvironment/basyx.aasenvironment-feature-authorization/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/feature/authorization/AuthorizedAASEnvironmentPreconfigurationLoader.java b/basyx.aasenvironment/basyx.aasenvironment-feature-authorization/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/feature/authorization/AuthorizedAASEnvironmentPreconfigurationLoader.java index c8b2c5aa5..ea327d987 100644 --- a/basyx.aasenvironment/basyx.aasenvironment-feature-authorization/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/feature/authorization/AuthorizedAASEnvironmentPreconfigurationLoader.java 
+++ b/basyx.aasenvironment/basyx.aasenvironment-feature-authorization/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/feature/authorization/AuthorizedAASEnvironmentPreconfigurationLoader.java @@ -35,6 +35,7 @@ import org.eclipse.digitaltwin.basyx.client.internal.authorization.TokenManager; import org.eclipse.digitaltwin.basyx.client.internal.authorization.grant.AccessTokenProvider; import org.eclipse.digitaltwin.basyx.client.internal.authorization.grant.GrantType; +import org.eclipse.digitaltwin.basyx.core.exceptions.ZipBombException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Value; @@ -104,7 +105,7 @@ public AuthorizedAASEnvironmentPreconfigurationLoader(ResourceLoader resourceLoa @Override public void loadPreconfiguredEnvironments(AasEnvironment aasEnvironment) - throws IOException, InvalidFormatException, DeserializationException { + throws IOException, InvalidFormatException, DeserializationException, ZipBombException { if (isEnvironmentSet()) { setUpTokenProvider(); configureSecurityContext(); diff --git a/basyx.aasenvironment/basyx.aasenvironment-http/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/http/AASEnvironmentHTTPApi.java b/basyx.aasenvironment/basyx.aasenvironment-http/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/http/AASEnvironmentHTTPApi.java index 6604b5ace..3d6b855b1 100644 --- a/basyx.aasenvironment/basyx.aasenvironment-http/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/http/AASEnvironmentHTTPApi.java +++ b/basyx.aasenvironment/basyx.aasenvironment-http/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/http/AASEnvironmentHTTPApi.java 
@@ -31,6 +31,7 @@ import org.apache.poi.openxml4j.exceptions.InvalidFormatException; import org.eclipse.digitaltwin.aas4j.v3.dataformat.core.DeserializationException; import org.eclipse.digitaltwin.aas4j.v3.model.Result; +import org.eclipse.digitaltwin.basyx.core.exceptions.ZipBombException; import org.springframework.core.io.Resource; import org.springframework.http.ResponseEntity; import org.springframework.validation.annotation.Validated; @@ -83,5 +84,5 @@ ResponseEntity uploadEnvironment( @Parameter(description = "An environment file (XML, JSON, AASX)") @Valid @RequestParam("file") MultipartFile envFile, @Parameter(description = "Flag to indicate if already existing Ids should be ignored when reuploading an environment (default: false)", schema = @Schema(defaultValue = "false")) @RequestParam(value = "ignore-duplicates", required = false, defaultValue = "false") boolean ignoreDuplicates - ) throws IOException, InvalidFormatException, DeserializationException; + ) throws IOException, InvalidFormatException, DeserializationException, ZipBombException; } diff --git a/basyx.aasenvironment/basyx.aasenvironment-http/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/http/AasEnvironmentApiHTTPController.java b/basyx.aasenvironment/basyx.aasenvironment-http/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/http/AasEnvironmentApiHTTPController.java index eab1bf96d..118ef4960 100644 --- a/basyx.aasenvironment/basyx.aasenvironment-http/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/http/AasEnvironmentApiHTTPController.java +++ b/basyx.aasenvironment/basyx.aasenvironment-http/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/http/AasEnvironmentApiHTTPController.java 
@@ -36,6 +36,7 @@ import org.eclipse.digitaltwin.basyx.aasenvironment.environmentloader.CompleteEnvironment; import org.eclipse.digitaltwin.basyx.aasenvironment.environmentloader.CompleteEnvironment.EnvironmentType; import org.eclipse.digitaltwin.basyx.core.exceptions.ElementDoesNotExistException; +import org.eclipse.digitaltwin.basyx.core.exceptions.ZipBombException; import org.eclipse.digitaltwin.basyx.http.Base64UrlEncodedIdentifier; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.core.io.ByteArrayResource; @@ -104,7 +105,7 @@ public ResponseEntity generateSerializationByIds( @Override public ResponseEntity uploadEnvironment( @RequestParam(value = "file") MultipartFile envFile, - @RequestParam(value = "ignore-duplicates", required = false, defaultValue = "false") boolean ignoreDuplicates) throws IOException, InvalidFormatException, DeserializationException { + @RequestParam(value = "ignore-duplicates", required = false, defaultValue = "false") boolean ignoreDuplicates) throws IOException, InvalidFormatException, DeserializationException, ZipBombException { EnvironmentType envType = EnvironmentType.getFromMimeType(envFile.getContentType()); if (envType == null) diff --git a/basyx.aasenvironment/basyx.aasenvironment.component/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/component/AasEnvironmentConfiguration.java b/basyx.aasenvironment/basyx.aasenvironment.component/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/component/AasEnvironmentConfiguration.java index 550d87430..0017471d8 100644 --- a/basyx.aasenvironment/basyx.aasenvironment.component/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/component/AasEnvironmentConfiguration.java +++ b/basyx.aasenvironment/basyx.aasenvironment.component/src/main/java/org/eclipse/digitaltwin/basyx/aasenvironment/component/AasEnvironmentConfiguration.java 
@@ -27,11 +27,13 @@ import java.util.List; +import org.apache.poi.openxml4j.util.ZipSecureFile; import org.eclipse.digitaltwin.basyx.aasenvironment.AasEnvironment; import org.eclipse.digitaltwin.basyx.aasenvironment.AasEnvironmentFactory; import org.eclipse.digitaltwin.basyx.aasenvironment.feature.AasEnvironmentFeature; import org.eclipse.digitaltwin.basyx.aasenvironment.feature.DecoratedAasEnvironmentFactory; import org.eclipse.digitaltwin.basyx.aasenvironment.preconfiguration.AasEnvironmentPreconfigurationLoader; +import org.springframework.beans.factory.annotation.Value; import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; @@ -48,7 +50,8 @@ public class AasEnvironmentConfiguration { @Bean @ConditionalOnMissingBean - public static AasEnvironment getAasEnvironment(AasEnvironmentFactory aasEnvironmentFactory, List features) { + public static AasEnvironment getAasEnvironment(AasEnvironmentFactory aasEnvironmentFactory, List features, @Value("${basyx.aasenvironment.minInflateRatio:0.1}") double minInflateRatio) { + ZipSecureFile.setMinInflateRatio(minInflateRatio); return new DecoratedAasEnvironmentFactory(aasEnvironmentFactory, features).create(); } diff --git a/basyx.aasenvironment/basyx.aasenvironment.component/src/main/resources/application.properties b/basyx.aasenvironment/basyx.aasenvironment.component/src/main/resources/application.properties index ced620283..3585470f4 100644 --- a/basyx.aasenvironment/basyx.aasenvironment.component/src/main/resources/application.properties +++ b/basyx.aasenvironment/basyx.aasenvironment.component/src/main/resources/application.properties 
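Review bot: `ZipSecureFile.setMinInflateRatio(minInflateRatio)` changes a JVM-wide static setting from inside `getAasEnvironment`, which is `@ConditionalOnMissingBean`, so an application that supplies its own `AasEnvironment` bean skips this method and the configured ratio is never applied. The value is also passed through unvalidated; as far as I know the library's check only fires when a file's ratio falls below the threshold, so a zero or negative setting would switch the protection off without any trace. I would move the call into its own unconditional initializer, guard it with `if (minInflateRatio <= 0) throw new IllegalArgumentException("basyx.aasenvironment.minInflateRatio must be > 0");` and log the effective value at startup. A ratio limit does not bound the absolute expanded size, so setting `ZipSecureFile.setMaxEntrySize(...)` alongside it is worth considering.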
@@ -20,6 +20,8 @@ basyx.backend = InMemory # basyx.cors.allowed-origins=http://localhost:3000, http://localhost:4000 # basyx.cors.allowed-methods=GET,POST,PATCH,DELETE,PUT,OPTIONS,HEAD +# basyx.aasenvironment.minInflateRatio=0.00001 + #################################################################################### # Preconfiguring the Environment; #################################################################################### diff --git a/basyx.aasenvironment/basyx.aasenvironment.component/src/test/java/org/eclipse/digitaltwin/basyx/aasenvironment/component/TestEnvironmentWithRegistryIntegration.java b/basyx.aasenvironment/basyx.aasenvironment.component/src/test/java/org/eclipse/digitaltwin/basyx/aasenvironment/component/TestEnvironmentWithRegistryIntegration.java index 47c69bad9..d9f256b25 100644 --- a/basyx.aasenvironment/basyx.aasenvironment.component/src/test/java/org/eclipse/digitaltwin/basyx/aasenvironment/component/TestEnvironmentWithRegistryIntegration.java +++ b/basyx.aasenvironment/basyx.aasenvironment.component/src/test/java/org/eclipse/digitaltwin/basyx/aasenvironment/component/TestEnvironmentWithRegistryIntegration.java @@ -41,6 +41,7 @@ import org.eclipse.digitaltwin.basyx.aasrepository.AasRepository; import org.eclipse.digitaltwin.basyx.aasrepository.feature.registry.integration.AasRepositoryRegistryLink; import org.eclipse.digitaltwin.basyx.core.exceptions.RepositoryRegistryLinkException; +import org.eclipse.digitaltwin.basyx.core.exceptions.ZipBombException; import org.eclipse.digitaltwin.basyx.core.pagination.PaginationInfo; import org.eclipse.digitaltwin.basyx.submodelrepository.SubmodelRepository; import org.eclipse.digitaltwin.basyx.submodelrepository.feature.registry.integration.SubmodelRepositoryRegistryLink; 
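Review bot: The commented example `# basyx.aasenvironment.minInflateRatio=0.00001` is four orders of magnitude more permissive than the `0.1` default declared in `AasEnvironmentConfiguration`, and nothing next to it says what the property does or which direction is safer. Someone who uncomments the line to turn the feature on would in fact weaken the check considerably. I would show the default and explain it, for example `# Minimum ratio of compressed to expanded size accepted for AASX files; lower values are more permissive (default: 0.1)` followed by `# basyx.aasenvironment.minInflateRatio=0.1`.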
@@ -95,7 +96,7 @@ public static void clearRegistries() throws Exception { } @Test - public void whenUploadDescriptorToRegistryFails_thenNoAasOrSmAreAddedToRepository() throws InvalidFormatException, DeserializationException, IOException, ApiException { + public void whenUploadDescriptorToRegistryFails_thenNoAasOrSmAreAddedToRepository() throws InvalidFormatException, DeserializationException, IOException, ApiException, ZipBombException { // simulate descriptor already being in registry aasRepositoryRegistryLink.getRegistryApi().postAssetAdministrationShellDescriptor(buildTestAasDescriptor()); diff --git a/basyx.common/basyx.core/src/main/java/org/eclipse/digitaltwin/basyx/core/exceptions/ZipBombException.java b/basyx.common/basyx.core/src/main/java/org/eclipse/digitaltwin/basyx/core/exceptions/ZipBombException.java new file mode 100644 index 000000000..5936c4aeb --- /dev/null +++ b/basyx.common/basyx.core/src/main/java/org/eclipse/digitaltwin/basyx/core/exceptions/ZipBombException.java @@ -0,0 +1,7 @@ +package org.eclipse.digitaltwin.basyx.core.exceptions; + +public class ZipBombException extends Exception{ + public ZipBombException(Throwable th) { + super(th); + } +} diff --git a/basyx.common/basyx.http/src/main/java/org/eclipse/digitaltwin/basyx/http/BaSyxExceptionHandler.java b/basyx.common/basyx.http/src/main/java/org/eclipse/digitaltwin/basyx/http/BaSyxExceptionHandler.java index e0f9c64b5..2dd2513bb 100644 --- a/basyx.common/basyx.http/src/main/java/org/eclipse/digitaltwin/basyx/http/BaSyxExceptionHandler.java +++ b/basyx.common/basyx.http/src/main/java/org/eclipse/digitaltwin/basyx/http/BaSyxExceptionHandler.java 
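Review bot: The new `ZipBombException` class has no Javadoc, and the other files in this diff start their imports around lines 27 to 38, which suggests a licence header that this file lacks. A class comment such as `/** Thrown when an AASX package is rejected because its compression ratio is below the configured minimum inflate ratio. */` would tell callers when to expect it. As a checked exception it forces a `throws` change on every loader, controller and test signature touched here, while `CollidingIdentifierException` is asserted in `AasEnvironmentLoaderTest` from methods that do not declare it, so the existing exceptions in this package appear to be unchecked; extending `RuntimeException` would be consistent with them if that is confirmed.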
@@ -169,4 +169,9 @@ public ResponseEntity handleInvalidFormatException(InvalidFormatExceptio return buildResponse(exception.getMessage(), HttpStatus.BAD_REQUEST, exception); } + @ExceptionHandler(ZipBombException.class) + public ResponseEntity handleZipBombException(ZipBombException exception) { + return buildResponse("Zip bomb detected! The file would exceed the max. ratio of compressed file size to the size of the expanded data.\\nThis may indicate that the file is used to inflate memory usage and thus could pose a security risk.\\nYou can adjust this limit via basyx.aasenvironment.minInflateRatio in the AAS Environment configuration if you need to work with files which exceed this limit.", HttpStatus.BAD_REQUEST, exception); + } + }
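Review bot: The response body built in `handleZipBombException` tells the uploading client which configuration property relaxes the limit (`basyx.aasenvironment.minInflateRatio`); that is operator guidance and belongs in the server log or the documentation, while the client only needs to learn that the file was rejected. If the `\\n` sequences are literally in the source as shown, the client receives a backslash followed by `n` instead of line breaks. Whether `buildResponse` logs the exception is not visible in this hunk; a rejected upload of this kind deserves a WARN-level entry so that repeated attempts can be noticed. Suggested body: `return buildResponse("The uploaded file was rejected: its compression ratio is below the allowed minimum.", HttpStatus.BAD_REQUEST, exception);`.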