From c7184f1bb6080d39a2f6dd5fb53de1e7dde8878f Mon Sep 17 00:00:00 2001 From: Lyn Elisa Goltz <goltz@lat-lon.de> Date: Wed, 24 Apr 2024 13:23:38 +0200 Subject: [PATCH] XPLANBOX-2613 - fixed more security warnings --- .../db/domain/XPlanWithFeatureCollection.java | 2 ++ xplan-cli/xplan-transform-cli/pom.xml | 4 +++ .../cli/config/ApplicationContext.java | 2 ++ xplan-core/xplan-core-commons/pom.xml | 4 +++ .../xplan/commons/archive/XPlanArchive.java | 2 ++ .../xplan/commons/archive/XPlanGmlReader.java | 2 ++ .../xplan/commons/feature/XPlanGmlParser.java | 3 +++ .../latlon/xplan/commons/util/XmlUtils.java | 2 -- .../job/validator/memory/GmlImportJob.java | 1 + .../ServiceMetadataDocumentWriter.java | 2 ++ .../manager/transaction/XPlanEditManager.java | 2 ++ .../evaluation/GdalRasterEvaluation.java | 3 ++- .../raster/storage/GdalRasterStorage.java | 3 ++- .../raster/storage/s3/S3RasterStorage.java | 3 ++- .../report/html/HtmlReportGenerator.java | 2 +- .../config/ValidatorWmsWorkspaceContext.java | 2 ++ xplan-manager/xplan-manager-web/pom.xml | 4 +++ .../service/ManagerPlanArchiveManager.java | 5 ++-- .../service/rest/ManagerController.java | 27 +++++++++---------- 19 files changed, 52 insertions(+), 23 deletions(-) diff --git a/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/validate/db/domain/XPlanWithFeatureCollection.java b/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/validate/db/domain/XPlanWithFeatureCollection.java index 45c7c35684..5410cffb8c 100644 --- a/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/validate/db/domain/XPlanWithFeatureCollection.java +++ b/xplan-cli/xplan-cli-tools/src/main/java/de/latlon/xplanbox/cli/validate/db/domain/XPlanWithFeatureCollection.java 
@@ -23,6 +23,7 @@ package de.latlon.xplanbox.cli.validate.db.domain; import de.latlon.xplan.commons.XPlanVersion; import de.latlon.xplan.commons.archive.SemanticValidableXPlanArchive; import de.latlon.xplan.commons.util.XmlUtils; +import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -127,6 +128,7 @@ public class XPlanWithFeatureCollection implements SemanticValidableXPlanArchive } @Override + @SuppressFBWarnings(value = "XXE_XMLSTREAMREADER") public XMLStreamReader getMainFileXmlReader() { try { GZIPInputStream is = new GZIPInputStream(new ByteArrayInputStream(data)); diff --git a/xplan-cli/xplan-transform-cli/pom.xml b/xplan-cli/xplan-transform-cli/pom.xml index 5d950c6a6b..c3fc33bd17 100644 --- a/xplan-cli/xplan-transform-cli/pom.xml +++ b/xplan-cli/xplan-transform-cli/pom.xml @@ -165,6 +165,10 @@ <groupId>net.bytebuddy</groupId> <artifactId>byte-buddy</artifactId> </dependency> + <dependency> + <groupId>com.github.spotbugs</groupId> + <artifactId>spotbugs-annotations</artifactId> + </dependency> </dependencies> </project> \ No newline at end of file diff --git a/xplan-cli/xplan-transform-cli/src/main/java/de/latlon/xplan/transform/cli/config/ApplicationContext.java b/xplan-cli/xplan-transform-cli/src/main/java/de/latlon/xplan/transform/cli/config/ApplicationContext.java index 8d2ef27e51..7a7dbb17ed 100644 --- a/xplan-cli/xplan-transform-cli/src/main/java/de/latlon/xplan/transform/cli/config/ApplicationContext.java +++ b/xplan-cli/xplan-transform-cli/src/main/java/de/latlon/xplan/transform/cli/config/ApplicationContext.java 
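Review bot: The `@SuppressFBWarnings(value = "XXE_XMLSTREAMREADER")` added on `getMainFileXmlReader` carries no `justification`, although the `HtmlReportGenerator` change in this same commit shows that the project's suppressions do use one; the same applies to the suppressions added in XPlanArchive, XPlanGmlReader, XPlanGmlParser, GmlImportJob, ServiceMetadataDocumentWriter and XPlanEditManager. A suppression is an audit statement, so it should name the control that makes the finding a false positive, e.g. `@SuppressFBWarnings(value = "XXE_XMLSTREAMREADER", justification = "reader is created from XmlUtils.createXMLInputFactory(), which disables DTD support")`. The factory call of this method lies outside the hunk, so the justification also records an assumption a later reader can verify; the method body continues outside the hunk.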
@@ -37,6 +37,7 @@ import de.latlon.xplan.manager.transformation.XPlanGmlTransformer; import de.latlon.xplan.manager.web.shared.ConfigurationException; import de.latlon.xplan.manager.workspace.WorkspaceException; import de.latlon.xplan.transform.cli.TransformingValidator; +import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import org.deegree.commons.config.DeegreeWorkspace; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -134,6 +135,7 @@ public class ApplicationContext { return new ManagerWorkspaceWrapper(managerWorkspace); } + @SuppressFBWarnings(value = "PATH_TRAVERSAL_IN") private Path etcDirectory() { String path = getClass().getProtectionDomain().getCodeSource().getLocation().getPath(); File jarLocation = new File(path); diff --git a/xplan-core/xplan-core-commons/pom.xml b/xplan-core/xplan-core-commons/pom.xml index 4f7e6a0375..939f17f5b6 100644 --- a/xplan-core/xplan-core-commons/pom.xml +++ b/xplan-core/xplan-core-commons/pom.xml @@ -73,6 +73,10 @@ <groupId>org.apache.logging.log4j</groupId> <artifactId>log4j-slf4j-impl</artifactId> </dependency> + <dependency> + <groupId>com.github.spotbugs</groupId> + <artifactId>spotbugs-annotations</artifactId> + </dependency> <dependency> <groupId>org.junit.jupiter</groupId> <artifactId>junit-jupiter</artifactId> diff --git a/xplan-core/xplan-core-commons/src/main/java/de/latlon/xplan/commons/archive/XPlanArchive.java b/xplan-core/xplan-core-commons/src/main/java/de/latlon/xplan/commons/archive/XPlanArchive.java index d36995fb7b..fd326094ee 100644 --- a/xplan-core/xplan-core-commons/src/main/java/de/latlon/xplan/commons/archive/XPlanArchive.java +++ b/xplan-core/xplan-core-commons/src/main/java/de/latlon/xplan/commons/archive/XPlanArchive.java 
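Review bot: `@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN")` on `etcDirectory` is defensible because the path comes from the code source location rather than from a request, but the annotation does not say so; the same holds for `planStorage` in ValidatorWmsWorkspaceContext, whose path is derived from `DeegreeWorkspace.getWorkspaceRoot()`. Suggest `@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "path is derived from the code source location, not from user input")` and the analogous wording for the workspace root. Separately, `getLocation().getPath()` yields a percent-encoded URL path, so `new File(path)` presumably breaks when the jar directory contains spaces or non-ASCII characters; for plain `file:` locations `Paths.get(getClass().getProtectionDomain().getCodeSource().getLocation().toURI())` avoids that. The method body continues outside the hunk.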
@@ -23,6 +23,7 @@ package de.latlon.xplan.commons.archive; import de.latlon.xplan.commons.XPlanType; import de.latlon.xplan.commons.XPlanVersion; import de.latlon.xplan.commons.util.XmlUtils; +import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import org.deegree.cs.coordinatesystems.ICRS; import javax.xml.stream.XMLStreamReader; @@ -162,6 +163,7 @@ public class XPlanArchive implements XPlanArchiveContentAccess, SemanticValidabl * @return reader, never <code>null</code> */ @Override + @SuppressFBWarnings(value = "XXE_XMLSTREAMREADER") public XMLStreamReader getMainFileXmlReader() { try { XMLStreamReader xmlReader = XmlUtils.createXMLInputFactory() diff --git a/xplan-core/xplan-core-commons/src/main/java/de/latlon/xplan/commons/archive/XPlanGmlReader.java b/xplan-core/xplan-core-commons/src/main/java/de/latlon/xplan/commons/archive/XPlanGmlReader.java index 18fe54983b..ed9a4b5216 100644 --- a/xplan-core/xplan-core-commons/src/main/java/de/latlon/xplan/commons/archive/XPlanGmlReader.java +++ b/xplan-core/xplan-core-commons/src/main/java/de/latlon/xplan/commons/archive/XPlanGmlReader.java @@ -24,6 +24,7 @@ import de.latlon.xplan.commons.XPlanType; import de.latlon.xplan.commons.XPlanVersion; import de.latlon.xplan.commons.util.XPlanVersionUtils; import de.latlon.xplan.commons.util.XmlUtils; +import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import org.deegree.commons.utils.Pair; import org.deegree.cs.coordinatesystems.ICRS; import org.deegree.cs.persistence.CRSManager; @@ -123,6 +124,7 @@ public class XPlanGmlReader { } } + @SuppressFBWarnings(value = "XXE_XMLSTREAMREADER") private XMLStreamReader createReader(InputStream stream) throws XMLStreamException, FactoryConfigurationError { XMLStreamReader xmlReader = XmlUtils.createXMLInputFactory().createXMLStreamReader(stream); skipStartDocument(xmlReader); 
diff --git a/xplan-core/xplan-core-commons/src/main/java/de/latlon/xplan/commons/feature/XPlanGmlParser.java b/xplan-core/xplan-core-commons/src/main/java/de/latlon/xplan/commons/feature/XPlanGmlParser.java index a5b229c880..43934d796b 100644 --- a/xplan-core/xplan-core-commons/src/main/java/de/latlon/xplan/commons/feature/XPlanGmlParser.java +++ b/xplan-core/xplan-core-commons/src/main/java/de/latlon/xplan/commons/feature/XPlanGmlParser.java @@ -25,6 +25,7 @@ import de.latlon.xplan.commons.XPlanType; import de.latlon.xplan.commons.XPlanVersion; import de.latlon.xplan.commons.archive.XPlanArchive; import de.latlon.xplan.commons.util.XmlUtils; +import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import org.deegree.commons.xml.stax.XMLStreamReaderWrapper; import org.deegree.cs.coordinatesystems.ICRS; import org.deegree.cs.exceptions.UnknownCRSException; @@ -132,6 +133,7 @@ public class XPlanGmlParser { * @throws XMLStreamException if the plan could not be read * @throws UnknownCRSException if the CRS of a geometry in the plan is not known */ + @SuppressFBWarnings(value = "XXE_XMLSTREAMREADER") public XPlanFeatureCollection parseXPlanFeatureCollection(InputStream plan, XPlanVersion version, XPlanType type) throws XMLStreamException, UnknownCRSException { XMLStreamReader xmlStreamReader = XmlUtils.createXMLInputFactory().createXMLStreamReader(plan); @@ -160,6 +162,7 @@ public class XPlanGmlParser { * @throws XMLStreamException if the plan could not be read * @throws UnknownCRSException if the CRS of a geometry in the plan is not known */ + @SuppressFBWarnings(value = "XXE_XMLSTREAMREADER") public FeatureCollection parseFeatureCollection(InputStream plan, XPlanVersion version) throws XMLStreamException, UnknownCRSException { XMLStreamReader xmlStreamReader = XmlUtils.createXMLInputFactory().createXMLStreamReader(plan); 
diff --git a/xplan-core/xplan-core-commons/src/main/java/de/latlon/xplan/commons/util/XmlUtils.java b/xplan-core/xplan-core-commons/src/main/java/de/latlon/xplan/commons/util/XmlUtils.java index 96e657487b..9efede17ef 100644 --- a/xplan-core/xplan-core-commons/src/main/java/de/latlon/xplan/commons/util/XmlUtils.java +++ b/xplan-core/xplan-core-commons/src/main/java/de/latlon/xplan/commons/util/XmlUtils.java @@ -16,8 +16,6 @@ public final class XmlUtils { public static XMLInputFactory createXMLInputFactory() { XMLInputFactory xmlInputFactory = XMLInputFactory.newInstance(); - xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false); - xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false); // This disables DTDs entirely for that factory xmlInputFactory.setProperty(SUPPORT_DTD, false); // This causes XMLStreamException to be thrown if external DTDs are accessed. diff --git a/xplan-core/xplan-core-job/src/main/java/de/latlon/xplan/job/validator/memory/GmlImportJob.java b/xplan-core/xplan-core-job/src/main/java/de/latlon/xplan/job/validator/memory/GmlImportJob.java index 639eeb9bb2..7e9cc6fc5c 100644 --- a/xplan-core/xplan-core-job/src/main/java/de/latlon/xplan/job/validator/memory/GmlImportJob.java +++ b/xplan-core/xplan-core-job/src/main/java/de/latlon/xplan/job/validator/memory/GmlImportJob.java @@ -104,6 +104,7 @@ public class GmlImportJob implements Job { return insertedFids; } + @SuppressFBWarnings(value = "XXE_XMLSTREAMREADER") private List<String> importGml(Path p, DeegreeWorkspace workspace) { LOG.info("Insert {}", p); XMLStreamReader xmlStreamReader = null; diff --git a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/metadata/ServiceMetadataDocumentWriter.java b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/metadata/ServiceMetadataDocumentWriter.java index ba8f6b3fba..618fe27b2b 100644 
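Review bot: After this hunk the only visible hardening left in `createXMLInputFactory` is `setProperty(SUPPORT_DTD, false)`; the removed `IS_SUPPORTING_EXTERNAL_ENTITIES=false` line is not re-added within the hunk, and the trailing context comment `// This causes XMLStreamException to be thrown if external DTDs are accessed.` reads like it documents a following line that lies outside the hunk, so please confirm that line still sets `IS_SUPPORTING_EXTERNAL_ENTITIES` to `false`. Every `XXE_XMLSTREAMREADER` suppression added elsewhere in this commit relies on this one factory being safe, which deserves a comment at the top of the method, e.g. `// Hardened factory: the XXE_XMLSTREAMREADER suppressions at the call sites rely on this configuration.` A small regression test that parses a document declaring an external entity through this factory and asserts that parsing fails (or that the entity stays unexpanded) would make the guarantee visible instead of implicit. The enclosing method ends outside the hunk.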
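Review bot: The `@SuppressFBWarnings` added on `importGml` has no matching import in this diff (the diffstat lists a single added line for GmlImportJob), so the file only compiles if `edu.umd.cs.findbugs.annotations.SuppressFBWarnings` is already imported there; the xplan-core-job pom is also untouched, so the annotation artifact must arrive transitively. The code that creates the `XMLStreamReader` is outside the hunk; the suppression is only justified if that reader comes from `XmlUtils.createXMLInputFactory()` rather than a bare `XMLInputFactory.newInstance()`, and a justification saying so lets a later reader check it, e.g. `@SuppressFBWarnings(value = "XXE_XMLSTREAMREADER", justification = "factory from XmlUtils.createXMLInputFactory() disables DTD support")`. The method body continues outside the hunk.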
--- a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/metadata/ServiceMetadataDocumentWriter.java +++ b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/metadata/ServiceMetadataDocumentWriter.java @@ -21,6 +21,7 @@ package de.latlon.xplan.manager.metadata; import de.latlon.xplan.commons.util.XmlUtils; +import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import org.deegree.commons.xml.stax.XMLStreamUtils; import javax.xml.stream.XMLOutputFactory; @@ -44,6 +45,7 @@ public class ServiceMetadataDocumentWriter { this.template = template; } + @SuppressFBWarnings(value = "XXE_XMLSTREAMREADER") public void writeServiceMetadataDocument(Properties properties, OutputStream out) throws XMLStreamException { XMLStreamWriter xmlStreamWriter = null; XMLStreamReader xmlStreamReader = null; diff --git a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/transaction/XPlanEditManager.java b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/transaction/XPlanEditManager.java index 4aa16f7387..284fe44205 100644 --- a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/transaction/XPlanEditManager.java +++ b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/transaction/XPlanEditManager.java @@ -48,6 +48,7 @@ import de.latlon.xplan.manager.web.shared.XPlan; import de.latlon.xplan.manager.web.shared.edit.XPlanToEdit; import de.latlon.xplan.manager.wmsconfig.raster.XPlanRasterManager; import de.latlon.xplan.manager.workspace.WorkspaceReloader; +import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import org.deegree.cs.exceptions.UnknownCRSException; import org.deegree.feature.FeatureCollection; import org.deegree.feature.types.AppSchema; 
@@ -239,6 +240,7 @@ public class XPlanEditManager extends XPlanTransactionManager { return bos.toByteArray(); } + @SuppressFBWarnings(value = "XXE_XMLSTREAMREADER") private FeatureCollection renewFeatureCollection(XPlanVersion version, FeatureCollection modifiedFeatures) throws Exception { ByteArrayOutputStream outputStream = new ByteArrayOutputStream(); diff --git a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/wmsconfig/raster/evaluation/GdalRasterEvaluation.java b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/wmsconfig/raster/evaluation/GdalRasterEvaluation.java index 64bd9fa2a3..72f17a4742 100644 --- a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/wmsconfig/raster/evaluation/GdalRasterEvaluation.java +++ b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/wmsconfig/raster/evaluation/GdalRasterEvaluation.java @@ -24,6 +24,7 @@ import de.latlon.xplan.commons.archive.ArchiveEntry; import de.latlon.xplan.commons.archive.XPlanArchiveContentAccess; import de.latlon.xplan.manager.web.shared.RasterEvaluationResult; import de.latlon.xplan.manager.wmsconfig.raster.access.GdalRasterAdapter; +import org.apache.commons.io.FilenameUtils; import org.gdal.osr.SpatialReference; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -76,7 +77,7 @@ public class GdalRasterEvaluation implements RasterEvaluation { private RasterEvaluationResult evaluateRaster(ArchiveEntry zipEntry, File archiveDirectory) { String entryName = zipEntry.getName(); LOG.info("Rasterdatei mit Namen {} gefunden.", entryName); - File mainRasterFile = new File(archiveDirectory, entryName); + File mainRasterFile = new File(archiveDirectory, FilenameUtils.getName(entryName)); LOG.trace("Raster was copied to {}.", mainRasterFile); String rasterCrs = rasterAdapter.getRasterCrs(mainRasterFile); if (rasterCrs != null) { 
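Review bot: `FilenameUtils.getName(entryName)` in `evaluateRaster` stops `../` entries from escaping `archiveDirectory`, but it also discards any legitimate directory component of the zip entry name, so a raster stored in a sub-folder of the archive would presumably be looked up at the wrong location and `getRasterCrs` would see a missing file, which the visible `if (rasterCrs != null)` then treats like a raster without CRS. Resolving the entry against the directory and checking containment keeps both properties; the exception type (or a result equivalent to an unreadable raster) should follow what the callers of this method expect, and `java.nio.file.Path` needs importing. The method body continues outside the hunk.
```java
Path baseDir = archiveDirectory.toPath().toAbsolutePath().normalize();
Path resolved = baseDir.resolve(entryName).normalize();
if (!resolved.startsWith(baseDir)) {
    // entry name points outside the archive directory; never open it
    throw new IllegalArgumentException("Archive entry outside archive directory: " + entryName);
}
File mainRasterFile = resolved.toFile();
// … unchanged: LOG.trace, getRasterCrs and CRS evaluation …
```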
diff --git a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/wmsconfig/raster/storage/GdalRasterStorage.java b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/wmsconfig/raster/storage/GdalRasterStorage.java index 48f993db25..cb38d42a7c 100644 --- a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/wmsconfig/raster/storage/GdalRasterStorage.java +++ b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/wmsconfig/raster/storage/GdalRasterStorage.java @@ -25,6 +25,7 @@ import de.latlon.xplan.manager.storage.StorageEvent; import de.latlon.xplan.manager.storage.filesystem.DeegreeRasterCacheCleaner; import de.latlon.xplan.manager.wmsconfig.raster.access.GdalRasterAdapter; import de.latlon.xplan.manager.wmsconfig.raster.evaluation.RasterEvaluation; +import org.apache.commons.io.FilenameUtils; import java.io.IOException; import java.nio.file.Files; @@ -53,7 +54,7 @@ public class GdalRasterStorage extends FileSystemStorage { Vector<?> referencedFiles = rasterAdapter.getReferencedFiles(archive, entryName); if (referencedFiles != null) { for (Object referencedFile : referencedFiles) { - Path file = Paths.get(referencedFile.toString()); + Path file = Paths.get(FilenameUtils.getName(referencedFile.toString())); String newFileName = createFileName(planId, file.getFileName().toString()); if (!newFileName.equals(rasterFileName)) { Path target = createTargetFile(newFileName); diff --git a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/wmsconfig/raster/storage/s3/S3RasterStorage.java b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/wmsconfig/raster/storage/s3/S3RasterStorage.java index e78db7b562..ff14eff9f2 100644 --- a/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/wmsconfig/raster/storage/s3/S3RasterStorage.java +++ b/xplan-core/xplan-core-manager/src/main/java/de/latlon/xplan/manager/wmsconfig/raster/storage/s3/S3RasterStorage.java 
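Review bot: `Paths.get(FilenameUtils.getName(referencedFile.toString()))` changes which file `file` denotes: if `rasterAdapter.getReferencedFiles` returns GDAL's full paths to the raster's sidecar files, stripping the directory leaves a bare name that resolves against the JVM working directory, so the subsequent copy to `target` (outside this hunk) and, in the identical S3RasterStorage hunk, `insertObject(newObjectKey, file)` read the wrong location, most likely a missing file. Only the new name needs the base name, and `file.getFileName()` already provides that, so the traversal concern is better addressed by canonicalizing the source path and checking that it lies under the directory the archive was unpacked to, using an exception type the enclosing method already declares. The loop body continues outside the hunk.
```java
Path file = Paths.get(referencedFile.toString()).toAbsolutePath().normalize();
if (!file.startsWith(EXTRACTION_DIR /* placeholder: directory the archive was unpacked to */)) {
    throw new IOException("Referenced raster file outside archive directory: " + file);
}
String newFileName = createFileName(planId, file.getFileName().toString());
// … unchanged: rename check, target creation and copy …
```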
@@ -28,6 +28,7 @@ import de.latlon.xplan.manager.storage.s3.S3Storage; import de.latlon.xplan.manager.wmsconfig.raster.access.GdalRasterAdapter; import de.latlon.xplan.manager.wmsconfig.raster.storage.RasterStorage; import de.latlon.xplan.manager.wmsconfig.raster.storage.StorageException; +import org.apache.commons.io.FilenameUtils; import java.io.IOException; import java.nio.file.Path; @@ -58,7 +59,7 @@ public class S3RasterStorage extends S3Storage implements RasterStorage { Vector<?> referencedFiles = rasterAdapter.getReferencedFiles(archive, entryName); if (referencedFiles != null) { for (Object referencedFile : referencedFiles) { - Path file = Paths.get(referencedFile.toString()); + Path file = Paths.get(FilenameUtils.getName(referencedFile.toString())); String newObjectKey = createKey(planId, file.getFileName().toString()); if (!newObjectKey.equals(objectKey)) { insertObject(newObjectKey, file); diff --git a/xplan-core/xplan-core-validator/src/main/java/de/latlon/xplan/validator/report/html/HtmlReportGenerator.java b/xplan-core/xplan-core-validator/src/main/java/de/latlon/xplan/validator/report/html/HtmlReportGenerator.java index 62e9f0706b..0d9ccb7e39 100644 --- a/xplan-core/xplan-core-validator/src/main/java/de/latlon/xplan/validator/report/html/HtmlReportGenerator.java +++ b/xplan-core/xplan-core-validator/src/main/java/de/latlon/xplan/validator/report/html/HtmlReportGenerator.java 
@@ -56,7 +56,7 @@ public class HtmlReportGenerator { * @throws ReportGenerationException if the generation of the XML report failed * @throws IllegalArgumentException if on of the parameters is <code>null</code> */ - @SuppressFBWarnings(value = { "XXE_DTD_TRANSFORM_FACTORY", "XXE_XSLT_TRANSFORM_FACTORY" }, + @SuppressFBWarnings(value = { "XXE_DTD_TRANSFORM_FACTORY", "XXE_XSLT_TRANSFORM_FACTORY", "MALICIOUS_XSLT" }, justification = "XML is generated, does not contain DTDs") public void generateHtmlReport(ValidatorReport report, OutputStream htmlOut) throws ReportGenerationException { checkParameters(report, htmlOut); diff --git a/xplan-core/xplan-core-validator/src/main/java/de/latlon/xplan/validator/wms/config/ValidatorWmsWorkspaceContext.java b/xplan-core/xplan-core-validator/src/main/java/de/latlon/xplan/validator/wms/config/ValidatorWmsWorkspaceContext.java index e74279130e..bc3ef53ffc 100644 --- a/xplan-core/xplan-core-validator/src/main/java/de/latlon/xplan/validator/wms/config/ValidatorWmsWorkspaceContext.java +++ b/xplan-core/xplan-core-validator/src/main/java/de/latlon/xplan/validator/wms/config/ValidatorWmsWorkspaceContext.java @@ -22,6 +22,7 @@ package de.latlon.xplan.validator.wms.config; import de.latlon.xplan.validator.wms.storage.PlanStorage; import de.latlon.xplan.validator.wms.storage.WorkspacePlanStorage; +import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import org.deegree.commons.config.DeegreeWorkspace; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -44,6 +45,7 @@ public class ValidatorWmsWorkspaceContext { private static final String XPLAN_GML_WMS_WORKSPACE = "xplan-webservices-validator-wms-memory-workspace"; @Bean + @SuppressFBWarnings(value = "PATH_TRAVERSAL_IN") public PlanStorage planStorage() { try { Path workspaceLocation = Paths.get(DeegreeWorkspace.getWorkspaceRoot()).resolve(XPLAN_GML_WMS_WORKSPACE); 
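Review bot: The justification `"XML is generated, does not contain DTDs"` no longer covers the whole suppression once `MALICIOUS_XSLT` is added: that finding is about the stylesheet handed to the transformer, not about DTDs in the input, so the text should state where the XSLT comes from, e.g. `justification = "XML is generated, does not contain DTDs; XSLT is a bundled resource, not user input"` if the stylesheet is loaded from the classpath (its loading is outside the hunk). If the stylesheet location is configurable, the suppression hides a real finding and a containment check on the configured path belongs in the code instead. `generateHtmlReport` continues outside the hunk.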
diff --git a/xplan-manager/xplan-manager-web/pom.xml b/xplan-manager/xplan-manager-web/pom.xml index bfa3faac35..e522384d0f 100644 --- a/xplan-manager/xplan-manager-web/pom.xml +++ b/xplan-manager/xplan-manager-web/pom.xml @@ -281,6 +281,10 @@ <groupId>net.bytebuddy</groupId> <artifactId>byte-buddy</artifactId> </dependency> + <dependency> + <groupId>com.github.spotbugs</groupId> + <artifactId>spotbugs-annotations</artifactId> + </dependency> <dependency> <groupId>junit</groupId> <artifactId>junit</artifactId> diff --git a/xplan-manager/xplan-manager-web/src/main/java/de/latlon/xplan/manager/web/server/service/ManagerPlanArchiveManager.java b/xplan-manager/xplan-manager-web/src/main/java/de/latlon/xplan/manager/web/server/service/ManagerPlanArchiveManager.java index 310128b1b7..04985cd3d8 100644 --- a/xplan-manager/xplan-manager-web/src/main/java/de/latlon/xplan/manager/web/server/service/ManagerPlanArchiveManager.java +++ b/xplan-manager/xplan-manager-web/src/main/java/de/latlon/xplan/manager/web/server/service/ManagerPlanArchiveManager.java @@ -23,6 +23,7 @@ package de.latlon.xplan.manager.web.server.service; import de.latlon.xplan.commons.util.UnsupportedContentTypeException; import de.latlon.xplan.manager.web.shared.XPlan; import de.latlon.xplanbox.core.gwt.commons.shared.ValidationException; +import org.apache.commons.io.FilenameUtils; import javax.servlet.http.HttpSession; import java.io.File; @@ -63,7 +64,7 @@ public class ManagerPlanArchiveManager { public File readArchiveFromFilesystem(XPlan plan) throws IOException { String fileToBeValidated = determineFileNameAndFolder(plan); - return new File(getUploadFolder(), fileToBeValidated); + return new File(getUploadFolder(), FilenameUtils.getName(fileToBeValidated)); } public String determineFileNameAndFolder(XPlan plan) { 
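Review bot: `FilenameUtils.getName(fileToBeValidated)` in `readArchiveFromFilesystem` drops every directory component, yet the value comes from `determineFileNameAndFolder`, whose name suggests it may return a folder plus file name; if it does, the archive will no longer be found under `getUploadFolder()`. Resolving the value against the upload folder and rejecting results that leave it keeps sub-folder names working while still blocking `..` segments; `IOException` is already declared by the method. `determineFileNameAndFolder` is outside the hunk.
```java
public File readArchiveFromFilesystem(XPlan plan) throws IOException {
    String fileToBeValidated = determineFileNameAndFolder(plan);
    Path base = getUploadFolder().toPath().toAbsolutePath().normalize();
    Path resolved = base.resolve(fileToBeValidated).normalize();
    if (!resolved.startsWith(base)) {
        throw new IOException("Archive location outside upload folder: " + fileToBeValidated);
    }
    return resolved.toFile();
}
```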
@@ -94,7 +95,7 @@ public class ManagerPlanArchiveManager { throws IOException, UnsupportedContentTypeException { checkAndSetSessionAttributeIfRequired(session); File artefactFolder = (File) session.getAttribute(SESSION_ATTRIBUTE_ARTEFACTS_FOLDER); - File artefactFile = new File(artefactFolder, fileName); + File artefactFile = new File(artefactFolder, FilenameUtils.getName(fileName)); try (FileOutputStream localOutput = new FileOutputStream(artefactFile)) { write(artefact, localOutput); } diff --git a/xplan-manager/xplan-manager-web/src/main/java/de/latlon/xplan/manager/web/server/service/rest/ManagerController.java b/xplan-manager/xplan-manager-web/src/main/java/de/latlon/xplan/manager/web/server/service/rest/ManagerController.java index 1a1ff5b0dc..71d7351731 100644 --- a/xplan-manager/xplan-manager-web/src/main/java/de/latlon/xplan/manager/web/server/service/rest/ManagerController.java +++ b/xplan-manager/xplan-manager-web/src/main/java/de/latlon/xplan/manager/web/server/service/rest/ManagerController.java @@ -35,6 +35,8 @@ import de.latlon.xplan.manager.web.shared.RechtsstandAndPlanStatus; import de.latlon.xplan.manager.web.shared.XPlan; import de.latlon.xplan.manager.web.shared.edit.XPlanToEdit; import de.latlon.xplanbox.core.gwt.commons.shared.InvalidParameterException; +import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; +import org.apache.commons.lang3.StringUtils; import org.deegree.commons.utils.Pair; import org.deegree.cs.coordinatesystems.ICRS; import org.deegree.cs.persistence.CRSManager; @@ -231,7 +233,7 @@ public class ManagerController { throws Exception { // @formatter:on response.addHeader("Expires", "-1"); - LOG.info("Evaluate uploaded raster of plan with id {}.", id); + LOG.info("Evaluate uploaded raster of plan with id {}.", StringUtils.normalizeSpace(id)); try { HttpSession session = request.getSession(); List<File> uploadedArtefacts = archiveManager.retrieveUploadedArtefacts(session); 
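Review bot: Wrapping each `LOG.info` argument in `StringUtils.normalizeSpace(...)` neutralises CRLF log forging, but it is repeated at nine call sites in this file (this hunk and those at `@@ -263`, `-302`, `-340`, `-374`, `-402`, `-423`, `-443`, `-467` and `-490`) with nothing preventing the next handler from forgetting it. A private helper makes the intent explicit and gives one place to tighten later, e.g. `private static String forLog(String value) { return StringUtils.normalizeSpace(value); }` with `LOG.info("Evaluate uploaded raster of plan with id {}.", forLog(id));`. Note that `normalizeSpace` also collapses legitimate internal whitespace, which is fine for a log line but must not be reused on the value itself.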
@@ -263,7 +265,7 @@ public class ManagerController { public boolean removePlanFromManager( @PathVariable String planId ) throws Exception { // @formatter:on - LOG.info("Try to remove plan with id {}.", planId); + LOG.info("Try to remove plan with id {}.", StringUtils.normalizeSpace(planId)); if (planId == null) return false; try { @@ -302,6 +304,7 @@ public class ManagerController { @RequestMapping(value = "/plan", method = POST, produces = TEXT_HTML_VALUE) @ResponseBody // @formatter:off + @SuppressFBWarnings(value = "PREDICTABLE_RANDOM") public void uploadPlan( @RequestParam("planZipFile" ) MultipartFile file, HttpServletRequest request, HttpServletResponse response) throws IOException, UnsupportedContentTypeException { // @formatter:on @@ -340,7 +343,7 @@ public class ManagerController { // @formatter:on checkInternalId(internalId); response.addHeader("Expires", "-1"); - LOG.info("Try to import plan with id {}", planId); + LOG.info("Try to import plan with id {}", StringUtils.normalizeSpace(planId)); HttpSession session = request.getSession(); XPlan plan = archiveManager.retrievePlanFromSession(session); if (planId != null && plan != null) { @@ -374,7 +377,7 @@ public class ManagerController { throws Exception { // @formatter:on response.addHeader("Expires", "-1"); - LOG.info("Retrieve internal id of plan with id {}.", id); + LOG.info("Retrieve internal id of plan with id {}.", StringUtils.normalizeSpace(id)); HttpSession session = request.getSession(); XPlan plan = archiveManager.retrievePlanFromSession(session); try { @@ -402,7 +405,7 @@ public class ManagerController { throws Exception { // @formatter:on response.addHeader("Expires", "-1"); - LOG.info("Retrieve crs of plan with id {}.", id); + LOG.info("Retrieve crs of plan with id {}.", StringUtils.normalizeSpace(id)); HttpSession session = request.getSession(); XPlan plan = archiveManager.retrievePlanFromSession(session); try { 
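Review bot: `@SuppressFBWarnings(value = "PREDICTABLE_RANDOM")` on `uploadPlan` suppresses a finding whose source is not visible here: the body of `uploadPlan` is outside the hunk, and the only `random()` use in this diff, `createAndSavePlan`, is deleted further down without a visible replacement. If the plan id is still derived from `Math.random()` inside `uploadPlan`, removing the cause is a one-line change, `UUID.randomUUID().toString()`, and leaves no suppression to maintain. If the id is only a session-scoped handle, say so in the annotation: `@SuppressFBWarnings(value = "PREDICTABLE_RANDOM", justification = "id is a session-local handle, not a security token")`.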
@@ -423,7 +426,7 @@ public class ManagerController { throws Exception { // @formatter:on response.addHeader("Expires", "-1"); - LOG.info("Evaluate raster of with id {}.", id); + LOG.info("Evaluate raster of with id {}.", StringUtils.normalizeSpace(id)); HttpSession session = request.getSession(); XPlan plan = archiveManager.retrievePlanFromSession(session); try { @@ -443,7 +446,7 @@ public class ManagerController { @PathVariable String status, @Context HttpServletRequest request, @Context HttpServletResponse response) throws Exception { response.addHeader("Expires", "-1"); - LOG.info("Evaluate name of plan with id {}.", id); + LOG.info("Evaluate name of plan with id {}.", StringUtils.normalizeSpace(id)); HttpSession session = request.getSession(); XPlan plan = archiveManager.retrievePlanFromSession(session); try { @@ -467,7 +470,7 @@ public class ManagerController { throws Exception { // @formatter:on response.addHeader("Expires", "-1"); - LOG.info("Evaluate legislation status of plan with id {}.", id); + LOG.info("Evaluate legislation status of plan with id {}.", StringUtils.normalizeSpace(id)); HttpSession session = request.getSession(); XPlan plan = archiveManager.retrievePlanFromSession(session); try { @@ -490,7 +493,7 @@ public class ManagerController { throws Exception { // @formatter:on response.addHeader("Expires", "-1"); - LOG.info("Publish plan with id {} as INSPIRE dataset.", planId); + LOG.info("Publish plan with id {} as INSPIRE dataset.", StringUtils.normalizeSpace(planId)); if (planId == null) return false; try { 
@@ -583,12 +586,6 @@ public class ManagerController { return requestedPlan; } - private XPlan createAndSavePlan(HttpSession session, String contentType, String fileName) { - XPlan plan = new XPlan(fileName, toHexString(doubleToLongBits(random())), contentType); - archiveManager.savePlanInSession(session, plan); - return plan; - } - private void populateResponse(HttpServletResponse response, long fileSize, String fileName) throws IOException { String message = BUNDLE.getString("loadedPlan"); message = message.replace("{0}", fileName).replace("{1}", "" + fileSize); -- GitLab