Add uploaded file validation

LMCROSSITXSADEPLOY-3175

Author: Yavor16

multiapps-controller-core/pom.xml

@@ -1,5 +1,5 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
 
     <artifactId>multiapps-controller-core</artifactId>
@@ -13,6 +13,10 @@
     </parent>
 
     <dependencies>
+        <dependency>
+            <groupId>org.apache.tika</groupId>
+            <artifactId>tika-core</artifactId>
+        </dependency>
         <dependency>
             <groupId>jakarta.xml.bind</groupId>
             <artifactId>jakarta.xml.bind-api</artifactId>

multiapps-controller-core/src/main/java/module-info.java

@@ -45,6 +45,7 @@
     requires transitive org.cloudfoundry.multiapps.controller.persistence;
     requires transitive org.cloudfoundry.multiapps.mta;
 
+    requires org.apache.tika.core;
     requires org.cloudfoundry.client;
     requires com.fasterxml.jackson.annotation;
     requires com.fasterxml.jackson.core;

multiapps-controller-core/src/main/java/org/cloudfoundry/multiapps/controller/core/Messages.java

@@ -86,6 +86,10 @@ public final class Messages {
     public static final String OBJECT_STORE_FILE_STORAGE_HEALTH_DATABASE_HEALTH = "Object store file storage health: \"{0}\", Database health: \"{1}\"";
     public static final String ERROR_OCCURRED_DURING_OBJECT_STORE_HEALTH_CHECKING_FOR_INSTANCE = "Error occurred during object store health checking for instance: \"{0}\"";
     public static final String ERROR_OCCURRED_WHILE_CHECKING_DATABASE_INSTANCE_0 = "Error occurred while checking database instance: \"{0}\"";
+    public static final String INVALID_MULTIPART_FILE = "The provided multipart file cannot be empty";
+    public static final String INVALID_YAML_FILE = "The provided yaml file is invalid";
+    public static final String INVALID_MTAR_FILE = "The provided mtar file is invalid";
+    public static final String UNSUPPORTED_FILE_FORMAT = "Unsupported file format! \"{0}\" detected";
 
     // Warning messages
     public static final String ENVIRONMENT_VARIABLE_IS_NOT_SET_USING_DEFAULT = "Environment variable \"{0}\" is not set. Using default \"{1}\"...";

multiapps-controller-core/src/main/java/org/cloudfoundry/multiapps/controller/core/validators/parameters/FileMimeTypeValidator.java

@@ -0,0 +1,70 @@
+package org.cloudfoundry.multiapps.controller.core.validators.parameters;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.text.MessageFormat;
+
+import org.apache.commons.io.FilenameUtils;
+import org.apache.tika.Tika;
+import org.cloudfoundry.multiapps.common.SLException;
+import org.cloudfoundry.multiapps.controller.core.Messages;
+import org.springframework.web.multipart.MultipartFile;
+import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.error.YAMLException;
+
+public class FileMimeTypeValidator {
+
+    private static final String APPLICATION_ZIP_MIME_TYPE = "application/zip";
+    private static final String APPLICATION_OCTET_STREAM_MIME_TYPE = "application/octet-stream";
+    private static final String TEXT_PLAIN_MIME_TYPE = "text/plain";
+    private static final String YAML_FILE_EXTENSION = "yaml";
+    private static final String EXTENSION_DESCRIPTOR_FILE_EXTENSION = "mtaext";
+    private static final Tika tika = new Tika();
+
+    private FileMimeTypeValidator() {
+    }
+
+    public static void validateMultipartFileMimeType(MultipartFile multipartFile) {
+        if (multipartFile == null || multipartFile.isEmpty()) {
+            throw new IllegalArgumentException(Messages.INVALID_MULTIPART_FILE);
+        }
+
+        try {
+            validateInputStreamMimeType(multipartFile.getInputStream(), multipartFile.getOriginalFilename());
+        } catch (IOException e) {
+            throw new SLException(e);
+        }
+    }
+
+    public static void validateInputStreamMimeType(InputStream uploadedFileInputStream, String filename) throws IOException {
+        String detectedType = getFileMimeType(uploadedFileInputStream);
+        switch (detectedType) {
+            case TEXT_PLAIN_MIME_TYPE -> validateYamlFile(uploadedFileInputStream, filename);
+            case APPLICATION_ZIP_MIME_TYPE, APPLICATION_OCTET_STREAM_MIME_TYPE -> {
+            }
+            default -> throw new IllegalArgumentException(MessageFormat.format(Messages.UNSUPPORTED_FILE_FORMAT, detectedType));
+        }
+    }
+
+    private static String getFileMimeType(InputStream uploadedFileInputStream) throws IOException {
+        return tika.detect(uploadedFileInputStream);
+    }
+
+    private static void validateYamlFile(InputStream uploadedFileInputStream, String filename) {
+        validateTextFileExtension(filename);
+        Yaml yaml = new Yaml();
+        try {
+            yaml.load(uploadedFileInputStream);
+        } catch (YAMLException e) {
+            throw new IllegalArgumentException(Messages.INVALID_YAML_FILE);
+        }
+    }
+
+    private static void validateTextFileExtension(String filename) {
+        String fileExtension = FilenameUtils.getExtension(filename);
+
+        if (!(YAML_FILE_EXTENSION.equals(fileExtension) || EXTENSION_DESCRIPTOR_FILE_EXTENSION.equals(fileExtension))) {
+            throw new IllegalArgumentException(Messages.INVALID_YAML_FILE);
+        }
+    }
+}

multiapps-controller-core/src/test/java/org/cloudfoundry/multiapps/controller/core/validators/parameters/FileMimeTypeValidatorTest.java

@@ -0,0 +1,72 @@
+package org.cloudfoundry.multiapps.controller.core.validators.parameters;
+
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+
+import org.apache.tika.Tika;
+import org.cloudfoundry.multiapps.controller.core.Messages;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.mockito.Mockito;
+import org.springframework.web.multipart.MultipartFile;
+
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.mockito.Mockito.when;
+
+class FileMimeTypeValidatorTest {
+
+    private Tika tika;
+    private MultipartFile multipartFile;
+    private InputStream inputStream;
+
+    @BeforeEach
+    void setUp() {
+        tika = Mockito.mock(Tika.class);
+        multipartFile = Mockito.mock(MultipartFile.class);
+    }
+
+    @Test
+    void testValidateMultipartFileMimeTypeWithNullFile() {
+        assertThrows(IllegalArgumentException.class, () -> {
+            FileMimeTypeValidator.validateMultipartFileMimeType(null);
+        }, Messages.INVALID_MULTIPART_FILE);
+    }
+
+    @Test
+    void testValidateMultipartFileMimeTypeWithEmptyFile() {
+        when(multipartFile.isEmpty()).thenReturn(true);
+
+        assertThrows(IllegalArgumentException.class, () -> {
+            FileMimeTypeValidator.validateMultipartFileMimeType(multipartFile);
+        }, Messages.INVALID_MULTIPART_FILE);
+    }
+
+    @Test
+    void testValidateMultipartFileMimeType_ValidYamlFile() throws Exception {
+        inputStream = new ByteArrayInputStream("test: test".getBytes());
+
+        when(multipartFile.getInputStream()).thenReturn(inputStream);
+        when(multipartFile.getOriginalFilename()).thenReturn("valid.yaml");
+        when(tika.detect(inputStream)).thenReturn("text/plain");
+
+        FileMimeTypeValidator.validateMultipartFileMimeType(multipartFile);
+    }
+
+    @Test
+    void testValidateMultipartFileOctetStreamMimeType() throws Exception {
+        when(multipartFile.getInputStream()).thenReturn(inputStream);
+        when(multipartFile.getOriginalFilename()).thenReturn("valid.zip");
+        when(tika.detect(inputStream)).thenReturn("application/octet-stream");
+
+        FileMimeTypeValidator.validateMultipartFileMimeType(multipartFile);
+    }
+
+    @Test
+    void testValidateMultipartFileOApplicationZipMimeType() throws Exception {
+        when(multipartFile.getInputStream()).thenReturn(inputStream);
+        when(multipartFile.getOriginalFilename()).thenReturn("valid.zip");
+        when(tika.detect(inputStream)).thenReturn("application/zip");
+
+        FileMimeTypeValidator.validateMultipartFileMimeType(multipartFile);
+    }
+}

multiapps-controller-process/src/main/java/org/cloudfoundry/multiapps/controller/process/steps/ValidateDeployParametersStep.java

@@ -1,5 +1,6 @@
 package org.cloudfoundry.multiapps.controller.process.steps;
 
+import java.io.IOException;
 import java.math.BigInteger;
 import java.text.MessageFormat;
 import java.util.ArrayList;
@@ -8,15 +9,19 @@
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.ExecutorService;
 
+import jakarta.inject.Inject;
+import jakarta.inject.Named;
 import org.apache.commons.io.IOUtils;
 import org.cloudfoundry.multiapps.common.ContentException;
 import org.cloudfoundry.multiapps.common.SLException;
 import org.cloudfoundry.multiapps.controller.client.util.ResilientOperationExecutor;
+import org.cloudfoundry.multiapps.controller.core.validators.parameters.FileMimeTypeValidator;
 import org.cloudfoundry.multiapps.controller.persistence.model.FileEntry;
 import org.cloudfoundry.multiapps.controller.persistence.model.ImmutableFileEntry;
 import org.cloudfoundry.multiapps.controller.persistence.services.FileStorageException;
 import org.cloudfoundry.multiapps.controller.process.Messages;
 import org.cloudfoundry.multiapps.controller.process.stream.ArchiveStreamWithName;
+import org.cloudfoundry.multiapps.controller.process.stream.LazyArchiveInputStream;
 import org.cloudfoundry.multiapps.controller.process.util.FileSweeper;
 import org.cloudfoundry.multiapps.controller.process.util.MergedArchiveStreamCreator;
 import org.cloudfoundry.multiapps.controller.process.util.PriorityCallable;
@@ -25,9 +30,6 @@
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.context.annotation.Scope;
 
-import jakarta.inject.Inject;
-import jakarta.inject.Named;
-
 @Named("validateDeployParametersStep")
 @Scope(BeanDefinition.SCOPE_PROTOTYPE)
 public class ValidateDeployParametersStep extends SyncFlowableStep {
@@ -177,13 +179,18 @@ private void mergeArchive(ProcessContext context, List<FileEntry> archivePartEnt
     private void mergeArchive(ProcessContext context, List<FileEntry> archivePartEntries, BigInteger archiveSize) {
         ArchiveStreamWithName archiveStreamWithName = getMergedArchiveStreamCreator(archivePartEntries, archiveSize).createArchiveStream();
         try {
+            LazyArchiveInputStream lazyArchiveInputStream = (LazyArchiveInputStream) archiveStreamWithName.getArchiveStream();
+            FileMimeTypeValidator.validateInputStreamMimeType(lazyArchiveInputStream.getCurrentInputStream(),
+                                                              archiveStreamWithName.getArchiveName());
             getStepLogger().infoWithoutProgressMessage(Messages.ARCHIVE_IS_SPLIT_TO_0_PARTS_TOTAL_SIZE_IN_BYTES_1_UPLOADING,
                                                        archivePartEntries.size(), archiveSize);
             FileEntry uploadedArchive = persistArchive(archiveStreamWithName, context, archiveSize);
             context.setVariable(Variables.APP_ARCHIVE_ID, uploadedArchive.getId());
             getStepLogger().infoWithoutProgressMessage(MessageFormat.format(Messages.ARCHIVE_WITH_ID_0_AND_NAME_1_WAS_STORED,
                                                                             uploadedArchive.getId(),
                                                                             archiveStreamWithName.getArchiveName()));
+        } catch (IOException e) {
+            throw new SLException(e);
         } finally {
             IOUtils.closeQuietly(archiveStreamWithName.getArchiveStream());
         }
@@ -195,7 +202,7 @@ private String[] getArchivePartIds(ProcessContext context) {
     }
 
     private List<FileEntry> getArchivePartEntries(ProcessContext context, String[] appArchivePartsId) {
-        return Arrays.stream(appArchivePartsId) 
+        return Arrays.stream(appArchivePartsId)
                      .map(appArchivePartId -> findFile(context, appArchivePartId))
                      .toList();
     }

multiapps-controller-process/src/main/java/org/cloudfoundry/multiapps/controller/process/stream/LazyArchiveInputStream.java

@@ -82,6 +82,10 @@ public synchronized int read(byte[] b, int off, int len) throws IOException {
         return bytesRead;
     }
 
+    public InputStream getCurrentInputStream() {
+        return currentInputStream;
+    }
+
     @Override
     public synchronized int available() throws IOException {
         // The return value of this method must be anything except 0

multiapps-controller-web/src/main/java/org/cloudfoundry/multiapps/controller/web/api/impl/FilesApiServiceImpl.java

@@ -20,12 +20,15 @@
 import java.util.Base64;
 import java.util.List;
 import java.util.UUID;
+import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Future;
 import java.util.concurrent.RejectedExecutionException;
 import java.util.concurrent.atomic.AtomicLong;
 import java.util.stream.Collectors;
 
+import jakarta.inject.Inject;
+import jakarta.inject.Named;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.io.input.ProxyInputStream;
 import org.cloudfoundry.multiapps.common.SLException;
@@ -44,6 +47,7 @@
 import org.cloudfoundry.multiapps.controller.core.util.ApplicationConfiguration;
 import org.cloudfoundry.multiapps.controller.core.util.FileUtils;
 import org.cloudfoundry.multiapps.controller.core.util.UriUtil;
+import org.cloudfoundry.multiapps.controller.core.validators.parameters.FileMimeTypeValidator;
 import org.cloudfoundry.multiapps.controller.persistence.model.AsyncUploadJobEntry;
 import org.cloudfoundry.multiapps.controller.persistence.model.AsyncUploadJobEntry.State;
 import org.cloudfoundry.multiapps.controller.persistence.model.FileEntry;
@@ -69,9 +73,6 @@
 import org.springframework.web.multipart.MultipartFile;
 import org.springframework.web.multipart.MultipartHttpServletRequest;
 
-import jakarta.inject.Inject;
-import jakarta.inject.Named;
-
 @Named
 public class FilesApiServiceImpl implements FilesApiService {
 
@@ -81,13 +82,15 @@ public class FilesApiServiceImpl implements FilesApiService {
     private static final Duration HTTP_CONNECT_TIMEOUT = Duration.ofMinutes(10);
     private static final String RETRY_AFTER_SECONDS = "30";
     private static final String USERNAME_PASSWORD_URL_FORMAT = "{0}:{1}";
+
     static {
         System.setProperty(Constants.RETRY_LIMIT_PROPERTY, "0");
     }
 
     private final CachedMap<String, AtomicLong> jobCounters = new CachedMap<>(Duration.ofHours(1));
     private final CachedMap<String, Future<?>> runningTasks = new CachedMap<>(Duration.ofHours(1));
     private final ResilientOperationExecutor resilientOperationExecutor = getResilientOperationExecutor();
+    private final ConcurrentHashMap<UUID, Boolean> terminatedProcesses = new ConcurrentHashMap<>();
     @Inject
     @Named("fileService")
     private FileService fileService;
@@ -124,6 +127,7 @@ public ResponseEntity<List<FileMetadata>> getFiles(String spaceGuid, String name
     public ResponseEntity<FileMetadata> uploadFile(MultipartHttpServletRequest request, String spaceGuid, String namespace) {
         LOGGER.trace(Messages.RECEIVED_UPLOAD_REQUEST, ServletUtil.decodeUri(request));
         var multipartFile = getFileFromRequest(request);
+        FileMimeTypeValidator.validateMultipartFileMimeType(multipartFile);
         try (InputStream in = new BufferedInputStream(multipartFile.getInputStream(), INPUT_STREAM_BUFFER_SIZE)) {
             var startTime = LocalDateTime.now();
             FileEntry fileEntry = fileStorageThreadPool.submit(createUploadFileTask(spaceGuid, namespace, multipartFile, in))

pom.xml

@@ -468,6 +468,12 @@
                 <artifactId>slf4j-jdk14</artifactId>
                 <version>${slf4j.version}</version>
             </dependency>
+            <!-- https://mvnrepository.com/artifact/org.apache.tika/tika-core -->
+            <dependency>
+                <groupId>org.apache.tika</groupId>
+                <artifactId>tika-core</artifactId>
+                <version>3.1.0</version>
+            </dependency>
             <!-- https://mvnrepository.com/artifact/commons-io/commons-io -->
             <dependency>
                 <groupId>commons-io</groupId>