Merging develop into Master (HUB-1395, HUB-1397, HUB-1394) (#1393)

* Added encoder in line no:105 (#1374) * Sanitized input data for checking Encode html (#1376) Co-authored-by: dasarih0 <dasarih0@b2b.regn.net> * Sanitized input channelName data (#1377) * Sanitized input channelName data for checking Encode html * formatted code * cleanup the code --------- Co-authored-by: dasarih0 <dasarih0@b2b.regn.net> * Hub 1406 check marx fix (#1378) * Sanitized input channelName data for checking Encode html * formatted code * cleanup the code * cleanup the code --------- Co-authored-by: dasarih0 <dasarih0@b2b.regn.net> * Cleanup the code (#1379) Co-authored-by: dasarih0 <dasarih0@b2b.regn.net> * Added HSTS header (#1381) * Hub 1475 system tests (#1382) * Modified implementation to compile to fix the System and unit Tetsts * Updated the Jasmine version to fix the tests * Updated the testCompile to testImplementation --------- Co-authored-by: dasarih0 <dasarih0@b2b.regn.net> * fixing client privacy violation (#1390) * Fixing privacy_violation for HUB-1397 (#1391) * Fixing client_privacy_violation * Modified exception e to e.getMessage() * added path traversal check (#1392) Co-authored-by: dasarih0 <dasarih0@b2b.regn.net> --------- Co-authored-by: harinadh-dasari <152592880+harinadh-dasari@users.noreply.github.com> Co-authored-by: dasarih0 <dasarih0@b2b.regn.net>
flightstats · Jun 4, 2024 · 41769f2 · 41769f2
1 parent 87182b3
commit 41769f2
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 8 deletions.
diff --git a/src/main/java/com/flightstats/hub/config/properties/PropertiesLoader.java b/src/main/java/com/flightstats/hub/config/properties/PropertiesLoader.java
@@ -7,6 +7,7 @@
 import java.io.InputStream;
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.util.Objects;
 import java.util.Properties;
 
 @Slf4j
@@ -50,7 +51,11 @@ public void load(String file) {
 
         URL resource = null;
         try {
-            resource = new File(file).toURI().toURL();
+            if (Objects.nonNull(file) && sanitizePathTraversal(file)) {
+                log.error("Path traversal detected in input file ", file);
+            } else {
+                resource = new File(file).toURI().toURL();
+            }
         } catch (MalformedURLException e) {
             log.warn("Problem loading file {}", file, e);
         }
@@ -78,6 +83,10 @@ public void load(String file) {
         }
     }
 
+    private boolean sanitizePathTraversal(String file) {
+        return file.contains("../") || file.contains("%");
+    }
+
     private void ensureReadOnlyPropertiesAreSet() {
         properties.put("webhook.leadership.enabled", "false");
         properties.put("replication.enabled", "false");

diff --git a/src/main/java/com/flightstats/hub/dao/aws/AwsConnectorFactory.java b/src/main/java/com/flightstats/hub/dao/aws/AwsConnectorFactory.java
@@ -93,15 +93,16 @@ public AmazonDynamoDB getDynamoClient() {
     private AWSCredentialsProviderChain getAwsCredentials() {
         return new AWSCredentialsProviderChain(
                 new DefaultAWSCredentialsProviderChain(),
-                new AWSStaticCredentialsProvider(loadTestCredentials(awsProperties.getCredentialsFile())));
+                new AWSStaticCredentialsProvider(loadTestCredentials(awsProperties.getCredentialsFile()))
+        );
     }
 
     private AWSCredentials loadTestCredentials(String credentialsPath) {
-        log.info("loading test credentials " + credentialsPath);
+        log.debug("loading test credentials from file."); //Changed log level to debug and removed the file path
         try {
             return new PropertiesCredentials(new File(credentialsPath));
         } catch (Exception e) {
-            log.warn("unable to load test credentials " + credentialsPath + " " + e.getMessage());
+            log.warn("unable to load test credentials from file.", e.getMessage()); //Removed the file path and logging the exception message separately
             return new BasicAWSCredentials("noKey", "noSecret");
         }
     }

diff --git a/src/test/javascript/lib/helpers/hub-client.js b/src/test/javascript/lib/helpers/hub-client.js
@@ -186,10 +186,29 @@ const followRedirectIfPresent = async (response, headers = {}) => {
     const redirectCode = isRedirect(statusCode);
     console.log('redirecting to location: ', location);
     if (redirectCode && !!location) {
-        const newResponse = await hubClientGet(location, headers);
-        return newResponse;
-    } else {
-        return response;
+        try {
+                    // Parse and sanitize the URL
+                    const url = new URL(location);
+
+                    // If there are user-specific query parameters, remove them
+                    // Here we assume 'user' is a sensitive query parameter, adjust accordingly
+                    url.searchParams.delete('user');
+
+                    const sanitizedLocation = url.toString();
+                    console.log('Sanitized location: ', sanitizedLocation);
+
+                    // Clone and filter out sensitive headers
+                    const safeHeaders = { ...headers };
+                    delete safeHeaders['user'];  // Remove any sensitive user information
+
+                    const newResponse = await hubClientGet(sanitizedLocation, safeHeaders);
+                    return newResponse;
+                } catch (ex) {
+                    console.log(`Error parsing location URL: ${location} ::: ${ex}`);
+                    return response;
+                }
+            } else {
+                return response;
     }
 };