FINERACT-1873: Template request fix for 1.7.x

Author: vidakovic

fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/config/FineractProperties.java

@@ -19,6 +19,7 @@
 
 package org.apache.fineract.infrastructure.core.config;
 
+import java.util.List;
 import lombok.Getter;
 import lombok.Setter;
 import org.springframework.boot.context.properties.ConfigurationProperties;
@@ -34,6 +35,8 @@ public class FineractProperties {
 
     private FineractModeProperties mode;
 
+    private FineractTemplateProperties template;
+
     @Getter
     @Setter
     public static class FineractTenantProperties {
@@ -61,4 +64,12 @@ public boolean isReadOnlyMode() {
             return readEnabled && !writeEnabled && !batchEnabled;
         }
     }
+
+    @Getter
+    @Setter
+    public static class FineractTemplateProperties {
+
+        private boolean regexWhitelistEnabled;
+        private List<String> regexWhitelist;
+    }
 }

fineract-provider/src/main/java/org/apache/fineract/template/exception/TemplateForbiddenException.java

@@ -0,0 +1,28 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.fineract.template.exception;
+
+import org.apache.fineract.infrastructure.core.exception.AbstractPlatformResourceNotFoundException;
+
+public class TemplateForbiddenException extends AbstractPlatformResourceNotFoundException {
+
+    public TemplateForbiddenException(final String url) {
+        super("error.msg.template.url.forbidden", "Template with url " + url + " not allowed");
+    }
+}

fineract-provider/src/main/java/org/apache/fineract/template/service/TemplateMergeService.java

@@ -38,19 +38,23 @@
 import java.security.NoSuchAlgorithmException;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.fineract.infrastructure.core.config.FineractProperties;
 import org.apache.fineract.template.domain.Template;
 import org.apache.fineract.template.domain.TemplateFunctions;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+import org.apache.fineract.template.exception.TemplateForbiddenException;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Service;
 
+@Slf4j
+@RequiredArgsConstructor
 @Service
 public class TemplateMergeService {
 
-    private static final Logger LOG = LoggerFactory.getLogger(TemplateMergeService.class);
-
-    // private final FromJsonHelper fromApiJsonHelper;
+    private final FineractProperties fineractProperties;
     private Map<String, Object> scopes;
     private String authToken;
 
@@ -92,7 +96,7 @@ private Map<String, Object> getCompiledMapFromMappers(final Map<String, String>
                 try {
                     this.scopes.put(entry.getKey(), getMapFromUrl(url));
                 } catch (final IOException e) {
-                    LOG.error("getCompiledMapFromMappers() failed", e);
+                    log.error("getCompiledMapFromMappers() failed", e);
                 }
             }
         }
@@ -114,6 +118,26 @@ private Map<String, Object> getMapFromUrl(final String url) throws IOException {
     }
 
     private HttpURLConnection getConnection(final String url) {
+        if (fineractProperties.getTemplate() != null && fineractProperties.getTemplate().isRegexWhitelistEnabled()) {
+            boolean whitelisted = false;
+
+            if (fineractProperties.getTemplate().getRegexWhitelist() != null
+                    && !fineractProperties.getTemplate().getRegexWhitelist().isEmpty()) {
+                for (String urlPattern : fineractProperties.getTemplate().getRegexWhitelist()) {
+                    Pattern pattern = Pattern.compile(urlPattern);
+                    Matcher matcher = pattern.matcher(url);
+                    if (matcher.matches()) {
+                        whitelisted = true;
+                        break;
+                    }
+                }
+            }
+
+            if (!whitelisted) {
+                throw new TemplateForbiddenException(url);
+            }
+        }
+
         if (this.authToken == null) {
             final String name = SecurityContextHolder.getContext().getAuthentication().getName();
             final String password = SecurityContextHolder.getContext().getAuthentication().getCredentials().toString();
@@ -138,7 +162,7 @@ protected PasswordAuthentication getPasswordAuthentication() {
             connection.setDoInput(true);
 
         } catch (IOException | KeyManagementException | NoSuchAlgorithmException | KeyStoreException e) {
-            LOG.error("getConnection() failed, return null", e);
+            log.error("getConnection() failed, return null", e);
         }
 
         return connection;
@@ -158,13 +182,13 @@ private static String getStringFromInputStream(final InputStream is) {
             }
 
         } catch (final IOException e) {
-            LOG.error("getStringFromInputStream() failed", e);
+            log.error("getStringFromInputStream() failed", e);
         } finally {
             if (br != null) {
                 try {
                     br.close();
                 } catch (final IOException e) {
-                    LOG.error("Problem occurred in getStringFromInputStream function", e);
+                    log.error("Problem occurred in getStringFromInputStream function", e);
                 }
             }
         }

fineract-provider/src/main/resources/application.properties

@@ -44,6 +44,9 @@ fineract.content.regex-whitelist=${FINERACT_CONTENT_REGEX_WHITELIST:.*\\.pdf$,.*
 fineract.content.mime-whitelist-enabled=${FINERACT_CONTENT_MIME_WHITELIST_ENABLED:true}
 fineract.content.mime-whitelist=${FINERACT_CONTENT_MIME_WHITELIST:application/pdf,application/msword,application/vnd.openxmlformats-officedocument.wordprocessingml.document,application/vnd.ms-excel,application/vnd.openxmlformats-officedocument.spreadsheetml.sheet,image/jpeg,image/png}
 
+fineract.template.regex-whitelist-enabled=${FINERACT_TEMPLATE_REGEX_WHITELIST_ENABLED:true}
+fineract.template.regex-whitelist=${FINERACT_TEMPLATE_REGEX_WHITELIST:}
+
 management.health.jms.enabled=false
 
 # FINERACT 1296

fineract-provider/src/test/java/org/apache/fineract/template/service/TemplateServiceStepDefinitions.java

@@ -34,11 +34,12 @@
 import org.apache.commons.io.IOUtils;
 import org.apache.fineract.template.domain.Template;
 import org.apache.fineract.template.domain.TemplateMapper;
+import org.springframework.beans.factory.annotation.Autowired;
 
 public class TemplateServiceStepDefinitions implements En {
 
-    private TemplateMergeService tms = new TemplateMergeService();
-
+    @Autowired
+    private TemplateMergeService tms;
     private String template;
 
     private Map<String, Object> data;