github-advanced-security[bot] commented on code in PR #2889:
URL:
https://github.com/apache/incubator-hugegraph/pull/2889#discussion_r2463387340
##########
hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeAuthenticator.java:
##########
@@ -388,10 +360,152 @@
RolePermission rolePerm = RolePermission.fromJson(role);
return rolePerm.contains(grant);
}
+
+ @SuppressWarnings({"unchecked", "rawtypes"})
+ public static RolePerm fromJson(Object role) {
+ RolePermission table = RolePermission.fromJson(role);
+ return new RolePerm((Map) table.map());
+ }
+
+ private boolean matchOwner(String graphSpace, String owner) {
+ if (graphSpace == null && owner == null) {
+ return true;
+ }
+
+ return this.roles.containsKey(graphSpace) &&
+ this.roles.get(graphSpace).containsKey(owner);
+ }
+
+ private boolean matchSpace(String graphSpace, String requiredRole) {
+ if (graphSpace == null) {
+ return true;
+ }
+
+ if (!this.roles.containsKey(graphSpace)) {
+ return false;
+ }
+
+ Map<String, Map<HugePermission, Object>> graphPermissions =
+ this.roles.get(graphSpace);
+
+ for (Map<HugePermission, Object> permissions :
graphPermissions.values()) {
+ if (permissions == null) {
+ continue;
+ }
+
+ if (permissions.containsKey(HugePermission.SPACE)) {
+ return true;
+ }
+
+ if ("space_member".equals(requiredRole) &&
+ permissions.containsKey(HugePermission.SPACE_MEMBER)) {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
+ private boolean matchResource(HugePermission requiredAction,
+ ResourceObject<?> requiredResource) {
+ E.checkNotNull(requiredResource, "resource object");
+
+ /*
+ * Is resource allowed to access by anyone?
+ * TODO: only allowed resource of related type(USER/TASK/VAR),
+ * such as role VAR is allowed to access '~variables' label
+ */
+ if (HugeResource.allowed(requiredResource)) {
+ return true;
+ }
+
+ Map<String, Map<HugePermission, Object>> innerRoles =
+ this.roles.get(requiredResource.graphSpace());
+ if (innerRoles == null) {
+ return false;
+ }
+
+ // * or {graph}
+ String owner = requiredResource.graph();
+ for (Map.Entry<String, Map<HugePermission, Object>> e :
+ innerRoles.entrySet()) {
+ if (!matchedPrefix(e.getKey(), owner)) {
+ continue;
+ }
+ Map<HugePermission, Object> permissions = e.getValue();
+ if (permissions == null) {
+ permissions = innerRoles.get(GENERAL_PATTERN);
+ if (permissions == null) {
+ continue;
+ }
+ }
+
+ Object permission = matchedAction(requiredAction, permissions);
+ if (permission == null) {
+ continue;
+ }
+
+ Map<String, List<HugeResource>> ressMap = (Map<String,
+ List<HugeResource>>) permission;
+
+ ResourceType requiredType = requiredResource.type();
+ for (Map.Entry<String, List<HugeResource>> entry :
+ ressMap.entrySet()) {
+ String[] typeLabel = entry.getKey().split(POUND_SEPARATOR);
+ ResourceType type = ResourceType.valueOf(typeLabel[0]);
+ /* assert one type can match but not equal to other only
+ * when it is related to schema and data
+ */
+ if (!type.match(requiredType)) {
+ continue;
+ } else if (type != requiredType) {
+ return true;
+ }
+
+ // check label
+ String requiredLabel = null;
+ if (requiredType.isSchema()) {
+ requiredLabel =
+ ((Nameable)
requiredResource.operated()).name();
+ } else if (requiredType.isGraph()) {
+ if (requiredResource.operated() instanceof
HugeElement) {
+ requiredLabel =
+ ((HugeElement)
requiredResource.operated()).label();
+ } else {
+ requiredLabel =
+ ((Nameable)
requiredResource.operated()).name();
+
+ }
+ } else {
+ return true;
+ }
+ String label = typeLabel[1];
+ if (!(ANY.equals(label) || "null".equals(label)
+ || requiredLabel.matches(label))) {
Review Comment:
## Regular expression injection
This regular expression is constructed from a [user-provided value](1).
[Show more
details](https://github.com/apache/incubator-hugegraph/security/code-scanning/86)
##########
hugegraph-store/hg-store-core/src/main/java/org/apache/hugegraph/store/util/ZipUtils.java:
##########
@@ -0,0 +1,112 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hugegraph.store.util;
+
+import java.io.BufferedInputStream;
+import java.io.BufferedOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.nio.file.Paths;
+import java.util.zip.CheckedInputStream;
+import java.util.zip.CheckedOutputStream;
+import java.util.zip.Checksum;
+import java.util.zip.ZipEntry;
+import java.util.zip.ZipInputStream;
+import java.util.zip.ZipOutputStream;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.io.output.NullOutputStream;
+
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+public final class ZipUtils {
+
+ public static void compress(final String rootDir, final String sourceDir,
+ final String outputFile, final Checksum
checksum) throws
+
IOException {
+ if (rootDir == null || sourceDir == null || outputFile == null ||
checksum == null) {
+ throw new IllegalArgumentException("Parameters cannot be null");
+ }
+ if (!new File(Paths.get(rootDir, sourceDir).toString()).exists()) {
+ throw new IOException(
+ "Source directory does not exist: " + Paths.get(rootDir,
sourceDir));
+ }
+ try (final FileOutputStream fos = new FileOutputStream(outputFile);
+ final CheckedOutputStream cos = new CheckedOutputStream(fos,
checksum);
+ final ZipOutputStream zos = new ZipOutputStream(new
BufferedOutputStream(cos))) {
+ ZipUtils.compressDirectoryToZipFile(rootDir, sourceDir, zos);
+ zos.flush();
+ fos.getFD().sync();
+ }
+ }
+
+ private static void compressDirectoryToZipFile(final String rootDir, final
String sourceDir,
+ final ZipOutputStream zos)
throws IOException {
+ final String dir = Paths.get(rootDir, sourceDir).toString();
+ final File[] files = new File(dir).listFiles();
+ if (files == null) {
+ throw new IOException("Cannot list files in directory: " + dir);
+ }
+ for (final File file : files) {
+ final String child = Paths.get(sourceDir,
file.getName()).toString();
+ if (file.isDirectory()) {
+ compressDirectoryToZipFile(rootDir, child, zos);
+ } else {
+ zos.putNextEntry(new ZipEntry(child));
+ try (final FileInputStream fis = new FileInputStream(file);
+ final BufferedInputStream bis = new
BufferedInputStream(fis)) {
+ IOUtils.copy(bis, zos);
+ }
+ }
+ }
+ }
+
+ public static void decompress(final String sourceFile, final String
outputDir,
+ final Checksum checksum) throws IOException {
+ if (sourceFile == null || outputDir == null || checksum == null) {
+ throw new IllegalArgumentException("Parameters cannot be null");
+ }
+ if (!new File(sourceFile).exists()) {
+ throw new IOException("Source file does not exist: " + sourceFile);
+ }
+ try (final FileInputStream fis = new FileInputStream(sourceFile);
+ final CheckedInputStream cis = new CheckedInputStream(fis,
checksum);
+ final ZipInputStream zis = new ZipInputStream(new
BufferedInputStream(cis))) {
+ ZipEntry entry;
+ while ((entry = zis.getNextEntry()) != null) {
+ final String fileName = entry.getName();
Review Comment:
## Arbitrary file access during archive extraction ("Zip Slip")
Unsanitized archive entry, which may contain '..', is used in a [file system
operation](1).
Unsanitized archive entry, which may contain '..', is used in a [file system
operation](2).
[Show more
details](https://github.com/apache/incubator-hugegraph/security/code-scanning/82)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
