
Commit 114e91b

authored
Fixed issues #672 and #674 (#675)
* Fixed #674 * Fixed path traversal vulnerability noted by https://app.snyk.io/org/bowring/project/7dd848fc-362b-4514-a91c-3c04628633ac * Fixed path traversal vulnerability noted by https://app.snyk.io/org/bowring/project/7dd848fc-362b-4514-a91c-3c04628633ac * Fixed typos * Updated test files due to issue #672 * updated dependencies
1 parent cb19ef8 commit 114e91b

23 files changed

+577
-613
lines changed

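--- a/squidApp/src/main/java/org/cirdles/squid/gui/ProjectManagerController.java
+++ b/squidApp/src/main/java/org/cirdles/squid/gui/ProjectManagerController.java
@@ -253,6 +253,7 @@ public void changed(ObservableValue<? extends String> observable, String oldValu
 squidProject.setExtPErrU(newValue);
 SquidProject.setProjectChanged(true);
 task.setExtPErrU(newValue);
+task.setChanged(true);
 });
 
 SpinnerValueFactory<Double> valueFactoryTh
@@ -263,6 +264,7 @@ public void changed(ObservableValue<? extends String> observable, String oldValu
 squidProject.setExtPErrTh(newValue);
 SquidProject.setProjectChanged(true);
 task.setExtPErrTh(newValue);
+task.setChanged(true);
 });
 }
 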
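--- a/squidApp/src/main/java/org/cirdles/squid/gui/SquidUIController.java
+++ b/squidApp/src/main/java/org/cirdles/squid/gui/SquidUIController.java
@@ -1825,6 +1825,10 @@ private void synchronizeTaskLabDataAndSquidVersion() throws SquidException {
 
 
 if (SquidProject.isProjectChanged()) {
+// dec 2021 for issue #674
+task.setExtPErrU(squidProject.getExtPErrU());
+task.setExtPErrTh(squidProject.getExtPErrTh());
+
 // next two lines make sure 15-digit rounding is used by reprocessing data
 task.setChanged(true);
 task.setupSquidSessionSpecsAndReduceAndReport(true);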
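Review bot: The added comment `// dec 2021 for issue #674` at new line 1828 records when the two copies were added but not why they must happen here, which is the thing a later reader needs when deciding whether the block can be moved or removed. I would state the intent instead, e.g. `// the project holds the user-edited external 1-sigma errors; push them into the task before reprocessing so the regenerated parameters use the current values (issue #674)`, with the regeneration part hedged, since what setupSquidSessionSpecsAndReduceAndReport rebuilds is not visible in this hunk. synchronizeTaskLabDataAndSquidVersion starts and ends outside the hunk.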

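--- a/squidCore/build.gradle
+++ b/squidCore/build.gradle
@@ -34,7 +34,8 @@ dependencies {
 // https://mvnrepository.com/artifact/org.apache.poi/poi
 implementation group: 'org.apache.poi', name: 'poi', version: '5.0.0'
 
-implementation group: 'org.jdom', name: 'jdom2', version: '2.0.6'
+// https://mvnrepository.com/artifact/org.jdom/jdom2
+implementation group: 'org.jdom', name: 'jdom2', version: '2.0.6.1'
 
 implementation 'com.github.opencollab.jlatexmath:jlatexmath:1.0.7'
 implementation group: 'com.openhtmltopdf', name: 'openhtmltopdf-pdfbox', version: '1.0.10'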

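--- a/squidCore/src/main/java/org/cirdles/squid/core/PrawnXMLFileHandler.java
+++ b/squidCore/src/main/java/org/cirdles/squid/core/PrawnXMLFileHandler.java
@@ -358,4 +358,4 @@ public CalamariReportsEngine getNewReportsEngine() {
 initReportsEngineWithCurrentPrawnFileName();
 return reportsEngine;
 }
-}
+}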

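--- a/squidCore/src/main/java/org/cirdles/squid/tasks/Task.java
+++ b/squidCore/src/main/java/org/cirdles/squid/tasks/Task.java
@@ -574,7 +574,6 @@ public void updateTaskDesignFromTask(TaskDesign taskDesign, boolean includeCusto
 
 public boolean taskDesignDiffersFromTask(TaskDesign taskDesign) {
 boolean noChange = false;
-// if (taskType.equals(TaskTypeEnum.GEOCHRON)) {
 List<String> taskMasses = getNominalMasses();
 List<String> designerMasses = taskDesign.getNominalMasses();
 designerMasses.addAll(REQUIRED_NOMINAL_MASSES);
@@ -584,27 +583,10 @@ public boolean taskDesignDiffersFromTask(TaskDesign taskDesign) {
 List<String> designerRatios = taskDesign.getRatioNames();
 designerRatios.addAll(REQUIRED_RATIO_NAMES);
 noChange = noChange && taskRatios.containsAll(designerRatios) && designerRatios.containsAll(taskRatios);
-
-// // test background index and 4 horsemen and directives
-// noChange = noChange && (isDirectAltPD() == taskDesign.isDirectAltPD());
-// noChange = noChange && (isPbU() == taskDesign.isPbU());
-// noChange = noChange
-// && (getSpecialSquidFourExpressionsMap().get(UNCOR206PB238U_CALIB_CONST).compareToIgnoreCase(
-// taskDesign.getSpecialSquidFourExpressionsMap().get(UNCOR206PB238U_CALIB_CONST)) == 0);
-// noChange = noChange
-// && (getSpecialSquidFourExpressionsMap().get(UNCOR208PB232TH_CALIB_CONST).compareToIgnoreCase(
-// taskDesign.getSpecialSquidFourExpressionsMap().get(UNCOR208PB232TH_CALIB_CONST)) == 0);
-// noChange = noChange
-// && (getSpecialSquidFourExpressionsMap().get(TH_U_EXP_DEFAULT).compareToIgnoreCase(
-// taskDesign.getSpecialSquidFourExpressionsMap().get(TH_U_EXP_DEFAULT)) == 0);
-// noChange = noChange
-// && (getSpecialSquidFourExpressionsMap().get(PARENT_ELEMENT_CONC_CONST).compareToIgnoreCase(
-// taskDesign.getSpecialSquidFourExpressionsMap().get(PARENT_ELEMENT_CONC_CONST)) == 0);
-//
 noChange = noChange && (getIndexOfBackgroundSpecies() == taskDesign.getIndexOfBackgroundSpecies());
 
 System.out.println("nochange = " + noChange);
-// }
+
 return noChange;
 }
 
@@ -642,8 +624,15 @@ private void generateConstants() {
 }
 
 private void generateParameters() {
-Map<String, ExpressionTreeInterface> parameters = BuiltInExpressionsFactory.generateParameters();
 this.namedParametersMap = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
+
+// dec 2021 issue #674 - parameters were set to defaults in builder and need to be set here instead
+Map<String, ExpressionTreeInterface> parameters = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
+ExpressionTreeInterface extPErrUExp = new ConstantNode(MIN_206PB238U_EXT_1SIGMA_ERR_PCT, extPErrU);
+parameters.put(MIN_206PB238U_EXT_1SIGMA_ERR_PCT, extPErrUExp);
+ExpressionTreeInterface extPErrThExp = new ConstantNode(MIN_208PB232TH_EXT_1SIGMA_ERR_PCT, extPErrTh);
+parameters.put(MIN_208PB232TH_EXT_1SIGMA_ERR_PCT, extPErrThExp);
+
 namedParametersMap.putAll(parameters);
 }
 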
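Review bot: generateParameters now bakes the current values of the `extPErrU` and `extPErrTh` fields into ConstantNodes (new lines 631 and 633), so the entries in namedParametersMap are only as fresh as those fields at the moment this method runs; nothing in the hunk shows that setExtPErrU/setExtPErrTh (called from ProjectManagerController in this same commit) trigger a regeneration, so if they only assign the field the map goes stale until the next full rebuild. A comment stating that contract would help, e.g. `// snapshot of extPErrU/extPErrTh at call time: code that changes them must regenerate parameters`, and the history note `// dec 2021 issue #674 - parameters were set to defaults in builder ...` could be folded into it. In the second hunk the blank line added at new line 589 where `// }` was removed leaves a debug `System.out.println("nochange = " + noChange);` directly above the return; presumably a leftover, worth dropping in the same cleanup.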

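--- a/squidCore/src/main/java/org/cirdles/squid/tasks/expressions/builtinExpressions/BuiltInExpressionsFactory.java
+++ b/squidCore/src/main/java/org/cirdles/squid/tasks/expressions/builtinExpressions/BuiltInExpressionsFactory.java
@@ -64,22 +64,6 @@ public static Map<String, ExpressionTreeInterface> generateConstants() {
 return constants;
 }
 
-/**
-* @return
-*/
-public static Map<String, ExpressionTreeInterface> generateParameters() {
-Map<String, ExpressionTreeInterface> parameters = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
-
-// over written by task
-ExpressionTreeInterface extPErrU = new ConstantNode(MIN_206PB238U_EXT_1SIGMA_ERR_PCT, 0.75);
-parameters.put(MIN_206PB238U_EXT_1SIGMA_ERR_PCT, extPErrU);
-
-ExpressionTreeInterface extPErrTh = new ConstantNode(MIN_208PB232TH_EXT_1SIGMA_ERR_PCT, 0.75);
-parameters.put(MIN_208PB232TH_EXT_1SIGMA_ERR_PCT, extPErrTh);
-
-return parameters;
-}
-
 /**
 * @return Map<String, ExpressionTreeInterface> spotLookupFields
 */
@@ -684,7 +668,7 @@ public static SortedSet<Expression> generateOverCountExpressions(boolean isDirec
 overCountExpressionsOrdered.add(expressionOverCountPerSec4_7);
 
 Expression expressionOverCount7CorrCalib = buildExpression(CORR_7_PRIMARY_CALIB_CONST_DELTA_PCT,
-"ABS(100*((1-" + COM_64 + "*[" + R204206 + "])/(1-" + COM_64 + "*[\"" + OVER_COUNT_4_6_7 + "\"])-1))", true, false, false);
+"100*((1-" + COM_64 + "*[" + R204206 + "])/(1-" + COM_64 + "*[\"" + OVER_COUNT_4_6_7 + "\"])-1)", true, false, false);
 overCountExpressionsOrdered.add(expressionOverCount7CorrCalib);
 
 // new section to accommodate reporting corrections per Bodorkos 13 Aug 2018
@@ -700,7 +684,7 @@ public static SortedSet<Expression> generateOverCountExpressions(boolean isDirec
 overCountExpressionsOrdered.add(expressionOverCountPerSec4_8);
 
 Expression expressionOverCount8CorrCalib = buildExpression(CORR_8_PRIMARY_CALIB_CONST_DELTA_PCT,
-"ABS(100*((1-" + COM_64 + "*[" + R204206 + "])/(1-" + COM_64 + "*[\"" + OVER_COUNT_4_6_8 + "\"])-1)) ", true, false, false);
+"100*((1-" + COM_64 + "*[" + R204206 + "])/(1-" + COM_64 + "*[\"" + OVER_COUNT_4_6_8 + "\"])-1) ", true, false, false);
 overCountExpressionsOrdered.add(expressionOverCount8CorrCalib);
 
 } else {
@@ -716,7 +700,7 @@ public static SortedSet<Expression> generateOverCountExpressions(boolean isDirec
 overCountExpressionsOrdered.add(expression4CorrOverCountPerSec4_8);
 
 Expression expression4CorrOverCount8CorrCalib = buildExpression("" + PB4CORR + CORR_8_PRIMARY_CALIB_CONST_DELTA_PCT,
-"ABS(100*((1-" + COM_64 + "*[" + R204206 + "])/(1-" + COM_64 + "*[\"" + PB4CORR + OVER_COUNT_4_6_8 + "\"])-1)) ", true, false, false);
+"100*((1-" + COM_64 + "*[" + R204206 + "])/(1-" + COM_64 + "*[\"" + PB4CORR + OVER_COUNT_4_6_8 + "\"])-1) ", true, false, false);
 overCountExpressionsOrdered.add(expression4CorrOverCount8CorrCalib);
 
 Expression expression7CorrOverCount4_6_8 = buildExpression(PB7CORR + OVER_COUNT_4_6_8,
@@ -730,7 +714,7 @@ public static SortedSet<Expression> generateOverCountExpressions(boolean isDirec
 overCountExpressionsOrdered.add(expression7CorrOverCountPerSec4_8);
 
 Expression expression7CorrOverCount8CorrCalib = buildExpression(PB7CORR + CORR_8_PRIMARY_CALIB_CONST_DELTA_PCT,
-"ABS(100*((1-" + COM_64 + "*[" + R204206 + "])/(1-" + COM_64 + "*[\"" + PB7CORR + OVER_COUNT_4_6_8 + "\"])-1)) ", true, false, false);
+"100*((1-" + COM_64 + "*[" + R204206 + "])/(1-" + COM_64 + "*[\"" + PB7CORR + OVER_COUNT_4_6_8 + "\"])-1) ", true, false, false);
 overCountExpressionsOrdered.add(expression7CorrOverCount8CorrCalib);
 }
 
@@ -787,44 +771,44 @@ public static SortedSet<Expression> generatePerSpotProportionsOfCommonPb() {
 // for ref materials
 // sept 2019 - remove double duty RU expressions - 3 cases below
 Expression expression4corCom206RM = buildExpression(PB4CORR + COM206PB_PCT_RM,
-"ABS(100*" + COM_64 + "*[" + R204206 + "])", true, false, false);
+"100*" + COM_64 + "*[" + R204206 + "]", true, false, false);
 perSpotPbCorrectionsOrdered.add(expression4corCom206RM);
 
 Expression expression7corCom206RM = buildExpression(PB7CORR + COM206PB_PCT_RM,
-"ABS(100*" + COM_64 + "*[\"" + OVER_COUNT_4_6_7 + "\"])", true, false, false);
+"100*" + COM_64 + "*[\"" + OVER_COUNT_4_6_7 + "\"]", true, false, false);
 perSpotPbCorrectionsOrdered.add(expression7corCom206RM);
 
 Expression expression8corCom206RM = buildExpression(PB8CORR + COM206PB_PCT_RM,
-"ABS(100*" + COM_64 + "*[\"" + OVER_COUNT_4_6_8 + "\"])", true, false, false);
+"100*" + COM_64 + "*[\"" + OVER_COUNT_4_6_8 + "\"]", true, false, false);
 perSpotPbCorrectionsOrdered.add(expression8corCom206RM);
 
 Expression expression4corCom208RM = buildExpression(PB4CORR + COM208PB_PCT_RM,
-"ABS(100*" + COM_84 + "/[" + R208206 + "]*[" + R204206 + "])", true, false, false);
+"100*" + COM_84 + "/[" + R208206 + "]*[" + R204206 + "]", true, false, false);
 perSpotPbCorrectionsOrdered.add(expression4corCom208RM);
 
 Expression expression7corCom208RM = buildExpression(PB7CORR + COM208PB_PCT_RM,
-"ABS(100*" + COM_84 + "/[" + R208206 + "]*[\"" + OVER_COUNT_4_6_7 + "\"])", true, false, false);
+"100*" + COM_84 + "/[" + R208206 + "]*[\"" + OVER_COUNT_4_6_7 + "\"]", true, false, false);
 perSpotPbCorrectionsOrdered.add(expression7corCom208RM);
 
 // for samples
 Expression expression4corCom206 = buildExpression(PB4CORR + COM206PB_PCT,
-"ABS(100*" + COM_64 + "*[" + R204206 + "])", false, true, false);
+"100*" + COM_64 + "*[" + R204206 + "]", false, true, false);
 perSpotPbCorrectionsOrdered.add(expression4corCom206);
 
 Expression expression7corCom206 = buildExpression(PB7CORR + COM206PB_PCT,
-"ABS(100*" + COM_64 + "*[\"" + PB7CORR + R204PB_206PB + "\"])", false, true, false);
+"100*" + COM_64 + "*[\"" + PB7CORR + R204PB_206PB + "\"]", false, true, false);
 perSpotPbCorrectionsOrdered.add(expression7corCom206);
 
 Expression expression8corCom206 = buildExpression(PB8CORR + COM206PB_PCT,
-"ABS(100*" + COM_64 + "*[\"" + PB8CORR + R204PB_206PB + "\"])", false, true, false);
+"100*" + COM_64 + "*[\"" + PB8CORR + R204PB_206PB + "\"]", false, true, false);
 perSpotPbCorrectionsOrdered.add(expression8corCom206);
 
 Expression expression4corCom208 = buildExpression(PB4CORR + COM208PB_PCT,
-"ABS(100*" + COM_84 + "/[" + R208206 + "]*[" + R204206 + "])", false, true, false);
+"100*" + COM_84 + "/[" + R208206 + "]*[" + R204206 + "]", false, true, false);
 perSpotPbCorrectionsOrdered.add(expression4corCom208);
 
 Expression expression7corCom208 = buildExpression(PB7CORR + COM208PB_PCT,
-"ABS(100*" + COM_84 + "/[" + R208206 + "]*[\"" + PB7CORR + R204PB_206PB + "\"])", false, true, false);
+"100*" + COM_84 + "/[" + R208206 + "]*[\"" + PB7CORR + R204PB_206PB + "\"]", false, true, false);
 perSpotPbCorrectionsOrdered.add(expression7corCom208);
 
 // The next step is to calculate all the applicable radiogenic 208Pb/206Pb values.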
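Review bot: Three of the rewritten over-count expression strings keep a trailing space inside the literal (`...-1) ", true, false, false);` for the CORR_8 cases at new lines 687, 703 and 717) while the CORR_7 one at line 671 does not; unless the expression parser is known to tolerate trailing whitespace the three differ only by accident, and either way the inconsistency should go now that the lines are being rewritten. Dropping ABS() changes the sign contract of every expression touched in this file (delta-percent and common-Pb-percent values can now be negative), which is the substance of the fix but is not explained anywhere in the code; a one-line comment at the top of generatePerSpotProportionsOfCommonPb such as `// signed values are intentional: negative common-Pb percentages are reported as-is, not folded by ABS()` (naming the issue, which the commit message suggests is #672) would stop the next reader from restoring it. Removing the public static generateParameters is fine provided Task was its only caller, which this hunk cannot confirm.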

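--- a/squidCore/src/main/java/org/cirdles/squid/tasks/expressions/functions/Abs.java
+++ b/squidCore/src/main/java/org/cirdles/squid/tasks/expressions/functions/Abs.java
@@ -61,7 +61,6 @@ public Object[][] eval(
 try {
 double number = convertObjectArrayToDoubles(childrenET.get(0).eval(shrimpFractions, task)[0])[0];
 retVal = StrictMath.abs(number);
-;
 } catch (SquidException se) {
 retVal = 0.0;
 }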

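--- a/squidCore/src/main/java/org/cirdles/squid/utilities/FileUtilities.java
+++ b/squidCore/src/main/java/org/cirdles/squid/utilities/FileUtilities.java
@@ -5,19 +5,14 @@
 */
 package org.cirdles.squid.utilities;
 
-import com.google.common.io.ByteStreams;
-import com.google.common.io.FileWriteMode;
+import org.apache.poi.util.IOUtils;
 
-import java.io.BufferedReader;
-import java.io.File;
-import java.io.IOException;
-import java.io.InputStreamReader;
+import java.io.*;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.Comparator;
 import java.util.Enumeration;
 import java.util.zip.ZipEntry;
-import java.util.zip.ZipException;
 import java.util.zip.ZipFile;
 
 /**
@@ -86,19 +81,26 @@ public static boolean isFileClosedUnix(File file) {
 }
 
 public static void unpackZipFile(final File archive, final File targetDirectory)
-throws ZipException, IOException {
+throws IOException {
 ZipFile zipFile = new ZipFile(archive);
 Enumeration<? extends ZipEntry> entries = zipFile.entries();
+// Dec 2021 this fix comes from https://cwe.mitre.org/data/definitions/23.html and SNYK CODE
+// via https://app.snyk.io/org/bowring/project/7dd848fc-362b-4514-a91c-3c04628633ac
 while (entries.hasMoreElements()) {
-final ZipEntry zipEntry = entries.nextElement();
-if (zipEntry.isDirectory()) {
-continue;
+ZipEntry entry = entries.nextElement();
+Path entryPath = targetDirectory.toPath().resolve(entry.getName());
+if (!entryPath.normalize().startsWith(targetDirectory.toPath()))
+throw new IOException("Zip entry contained path traversal");
+if (entry.isDirectory()) {
+Files.createDirectories(entryPath);
+} else {
+Files.createDirectories(entryPath.getParent());
+try (InputStream in = zipFile.getInputStream(entry)) {
+try (OutputStream out = new FileOutputStream(entryPath.toFile())) {
+IOUtils.copy(in, out);
+}
+}
 }
-final File targetFile = new File(targetDirectory,
-zipEntry.getName());
-com.google.common.io.Files.createParentDirs(targetFile);
-ByteStreams.copy(zipFile.getInputStream(zipEntry),
-com.google.common.io.Files.asByteSink(targetFile, FileWriteMode.APPEND).openStream());
 }
 }
 }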
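Review bot: The containment check at new line 92 normalizes the resolved entry path but compares it against the raw `targetDirectory.toPath()`; when a caller passes a target containing `.` or `..` segments, or a relative path, the normalized entry no longer shares that prefix and every entry is rejected, while the create/copy calls that follow still use the un-normalized `entryPath`. Canonicalize the target once with `toAbsolutePath().normalize()`, resolve each entry against that canonical path, normalize, compare like with like, and then use the normalized path for the writes; `resolve()` of an absolute entry name returns that absolute path, so the same test still rejects it. The `ZipFile` opened at line 85 is never closed, so every extraction leaks a handle until the object is collected, and the traversal exception leaves it open as well — try-with-resources fixes both. Including the offending entry name in the exception message makes a rejected archive diagnosable, and the brace-less `if` before `throw` is worth bracing to match the surrounding style.
```java
public static void unpackZipFile(final File archive, final File targetDirectory)
        throws IOException {
    // compare against a canonical target so "." / ".." in the caller's path cannot skew the containment test
    final Path target = targetDirectory.toPath().toAbsolutePath().normalize();
    try (ZipFile zipFile = new ZipFile(archive)) {
        Enumeration<? extends ZipEntry> entries = zipFile.entries();
        // … unchanged: CWE-23 / Snyk provenance comments …
        while (entries.hasMoreElements()) {
            ZipEntry entry = entries.nextElement();
            Path entryPath = target.resolve(entry.getName()).normalize();
            if (!entryPath.startsWith(target)) {
                throw new IOException("Zip entry contained path traversal: " + entry.getName());
            }
            // … unchanged: directory / file extraction, now using the normalized entryPath …
        }
    }
}
```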

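--- a/squidCore/src/main/java/org/cirdles/squid/utilities/fileUtilities/ZipUtility.java
+++ b/squidCore/src/main/java/org/cirdles/squid/utilities/fileUtilities/ZipUtility.java
@@ -15,9 +15,12 @@
 */
 package org.cirdles.squid.utilities.fileUtilities;
 
-import java.io.*;
+import org.cirdles.squid.utilities.FileUtilities;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
 import java.net.URI;
-import java.nio.file.FileSystem;
 import java.nio.file.*;
 import java.util.Collections;
 import java.util.HashMap;
@@ -60,7 +63,7 @@ public void accept(Path entry) {
 try {
 Files.copy(entry, zipFileFileSystem.getPath(level + entry.getFileName()));
 
-if (Files.isDirectory(entry, new LinkOption[]{})) {
+if (Files.isDirectory(entry)) {
 zipDirectoryOrFile(level + entry.getFileName() + "/", entry, zipFileFileSystem);
 }
 } catch (IOException iOException) {
@@ -70,38 +73,15 @@ public void accept(Path entry) {
 }
 
 public static Path extractZippedFile(File inFile, File destination) throws IOException {
-File outFile = null;
-OutputStream out = null;
 Path retVal = null;
 try (ZipInputStream zis = new ZipInputStream(new FileInputStream(inFile))) {
-//open infile for reading
-ZipEntry entry;
-
-//checks first entry exists
-if ((entry = zis.getNextEntry()) != null) {
-String outFilename = entry.getName();
-outFile = new File(destination, outFilename);
-
-try {
-//open outFile for writing
-out = new FileOutputStream(outFile);
-byte[] buff = new byte[2048];
-int len;
-
-while ((len = zis.read(buff)) > 0) {
-out.write(buff, 0, len);
-}
-} finally {
-//close outFile
-if (out != null) {
-out.close();
-retVal = Paths.get(outFile.getPath());
-}
-}
+ZipEntry zipEntry;
+if ((zipEntry = zis.getNextEntry()) != null) {
+File outDirectory = new File(destination.getPath());
+FileUtilities.unpackZipFile(inFile, outDirectory);
+retVal = Paths.get(outDirectory.getPath() + File.separator + zipEntry);
 }
 }
-
 return retVal;
-
 }
 }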
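Review bot: `retVal = Paths.get(outDirectory.getPath() + File.separator + zipEntry);` at new line 82 concatenates a ZipEntry object and so depends on ZipEntry.toString() happening to return the entry name; `retVal = destination.toPath().resolve(zipEntry.getName());` says what is meant and drops the separator juggling. `File outDirectory = new File(destination.getPath());` at line 80 is just a copy of `destination` and can go, passing `destination` to unpackZipFile directly. The ZipInputStream is now opened only to read the first entry's name while unpackZipFile reopens the archive and extracts everything, so the method's name and single-path return no longer describe what it does; a Javadoc line stating that the whole archive is unpacked into `destination` and the path of its first entry is returned would close that gap. Because unpackZipFile throws on a traversal entry before the assignment is reached, the returned path cannot point outside `destination`, but that invariant lives in the callee and deserves a one-line comment here, e.g. `// unpackZipFile has already rejected any entry that escapes destination`.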
