Fix CWE-73: File Manipulation

ocs-api/main.go

@@ -62,13 +62,13 @@ func main() {
 	ExchangeInternalInterval = outils.GetEnvVarIntWithDefault("EXCHANGE_INTERNAL_INTERVAL", 5)
 
 	// Ensure we can get to the db, and create the necessary subdirs, if necessary
-	if err := os.MkdirAll(OcsDbDir+"/v1/devices", 0750); err != nil {
+	if err := os.MkdirAll(filepath.Clean(OcsDbDir+"/v1/devices"), 0750); err != nil {
 		outils.Fatal(3, "could not create directory %s: %v", OcsDbDir+"/v1/devices", err)
 	}
-	if err := os.MkdirAll(OcsDbDir+"/v1/values", 0750); err != nil {
+	if err := os.MkdirAll(filepath.Clean(OcsDbDir+"/v1/values"), 0750); err != nil {
 		outils.Fatal(3, "could not create directory %s: %v", OcsDbDir+"/v1/values", err)
 	}
-	if err := os.MkdirAll(OcsDbDir+"/v1/creds/publicKeys", 0750); err != nil {
+	if err := os.MkdirAll(filepath.Clean(OcsDbDir+"/v1/creds/publicKeys"), 0750); err != nil {
 		outils.Fatal(3, "could not create directory %s: %v", OcsDbDir+"/v1/creds/publicKeys", err)
 	}
 
@@ -82,8 +82,8 @@ func main() {
 	http.HandleFunc("/api/", apiHandler)
 
 	// Set To2 Address on start up in FDO Owner Services
-    fdoTo2Host, fdoTo2Port := outils.GetTo2OwnerHost()
-    fmt.Println("Setting To2 Address as: " + fdoTo2Host + ":" + fdoTo2Port)
+	fdoTo2Host, fdoTo2Port := outils.GetTo2OwnerHost()
+	fmt.Println("Setting To2 Address as: " + fdoTo2Host + ":" + fdoTo2Port)
 	fdoOwnerURL := os.Getenv("HZN_FDO_API_URL")
 	if fdoOwnerURL == "" {
 		log.Fatalln("HZN_FDO_API_URL is not set")
@@ -226,7 +226,7 @@ func apiHandler(w http.ResponseWriter, r *http.Request) {
 	} else if matches := OrgFDORedirectRegex.FindStringSubmatch(r.URL.Path); r.Method == "POST" && len(matches) >= 2 { // POST /api/orgs/{ord-id}/fdo/redirect
 		postFdoRedirectHandler(matches[1], w, r)
 	} else if matches := OrgFDORedirectRegex.FindStringSubmatch(r.URL.Path); r.Method == "GET" && len(matches) >= 2 { // GET /api/orgs/{ord-id}/fdo/redirect
-    	getFdoRedirectHandler(matches[1], w, r)
+		getFdoRedirectHandler(matches[1], w, r)
 	} else if matches := GetFDOTo0Regex.FindStringSubmatch(r.URL.Path); r.Method == "GET" && len(matches) >= 3 { // GET /api/orgs/{ord-id}/fdo/to0/{deviceUuid}
 		getFdoTo0Handler(matches[1], matches[2], w, r)
 	} else if matches := OrgFDOResourceRegex.FindStringSubmatch(r.URL.Path); r.Method == "POST" && len(matches) >= 3 { // POST /api/orgs/{ord-id}/fdo/resource/{resourceFile}
@@ -244,7 +244,7 @@ func apiHandler(w http.ResponseWriter, r *http.Request) {
 
 // Route Handlers --------------------------------------------------------------------------------------------------
 
-//============= GET /api/version =============
+// ============= GET /api/version =============
 // Returns the ocs-api version (in plain text, not json)
 func getVersionHandler(w http.ResponseWriter, r *http.Request) {
 	outils.Verbose("GET /api/version ...")
@@ -258,7 +258,7 @@ func getVersionHandler(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
-//============= GET /api/fdo/version =============
+// ============= GET /api/fdo/version =============
 // Returns the fdo Owner Service version (in plain text, not json)
 func getFdoVersionHandler(w http.ResponseWriter, r *http.Request) {
 	outils.Verbose("GET /api/fdo/version ...")
@@ -284,7 +284,7 @@ func getFdoVersionHandler(w http.ResponseWriter, r *http.Request) {
 
 }
 
-//============= GET /api/orgs/{ord-id}/fdo/certificate/<alias> =============
+// ============= GET /api/orgs/{ord-id}/fdo/certificate/<alias> =============
 // Reads/returns owner service public keys based off device alias
 func getFdoPublicKeyHandler(orgId string, publicKeyType string, w http.ResponseWriter, r *http.Request) {
 	outils.Verbose("GET /api/orgs/%s/fdo/certificate/%s ...", orgId)
@@ -307,7 +307,7 @@ func getFdoPublicKeyHandler(orgId string, publicKeyType string, w http.ResponseW
 		return
 	}
 
-    //Only 5 public key alias types allowed
+	//Only 5 public key alias types allowed
 	if (publicKeyType) != "SECP256R1" && (publicKeyType) != "SECP384R1" && (publicKeyType) != "RSAPKCS3072" && (publicKeyType) != "RSAPKCS2048" && (publicKeyType) != "RSA2048RESTR" {
 		http.Error(w, "Public key type must be one of these supported alias': SECP256R1, SECP384R1, RSAPKCS3072, RSAPKCS2048, RSA2048RESTR", http.StatusBadRequest)
 		return
@@ -346,8 +346,8 @@ func getFdoPublicKeyHandler(orgId string, publicKeyType string, w http.ResponseW
 	outils.WriteResponse(http.StatusOK, w, respBodyBytes)
 }
 
-//IMPORT VOUCHER
-//============= POST /api/orgs/{ord-id}/fdo/vouchers and POST /api/fdo/vouchers =============
+// IMPORT VOUCHER
+// ============= POST /api/orgs/{ord-id}/fdo/vouchers and POST /api/fdo/vouchers =============
 // Imports a voucher
 func postFdoVoucherHandler(orgId string, w http.ResponseWriter, r *http.Request) {
 	outils.Verbose("POST /api/orgs/%s/fdo/vouchers ... ...", orgId)
@@ -419,7 +419,7 @@ func postFdoVoucherHandler(orgId string, w http.ResponseWriter, r *http.Request)
 
 	// Create the device directory in the OCS DB
 	deviceDir := OcsDbDir + "/v1/devices/" + deviceUuid
-	if err := os.MkdirAll(deviceDir, 0750); err != nil {
+	if err := os.MkdirAll(filepath.Clean(deviceDir), 0750); err != nil {
 		http.Error(w, "could not create directory "+deviceDir+": "+err.Error(), http.StatusInternalServerError)
 		return
 	}
@@ -530,7 +530,7 @@ func postFdoVoucherHandler(orgId string, w http.ResponseWriter, r *http.Request)
 
 }
 
-//============= GET /api/orgs/{ord-id}/fdo/vouchers =============
+// ============= GET /api/orgs/{ord-id}/fdo/vouchers =============
 // Reads/returns all of the already imported vouchers
 func getFdoVouchersHandler(orgId string, w http.ResponseWriter, r *http.Request) {
 	outils.Verbose("GET /api/orgs/%s/fdo/vouchers ...", orgId)
@@ -616,8 +616,8 @@ func getFdoVouchersHandler(orgId string, w http.ResponseWriter, r *http.Request)
 
 }
 
-//GET A SPECIFIED VOUCHER
-//============= GET /api/orgs/{ord-id}/fdo/vouchers/{deviceUuid} =============
+// GET A SPECIFIED VOUCHER
+// ============= GET /api/orgs/{ord-id}/fdo/vouchers/{deviceUuid} =============
 // Reads/returns a specific imported voucher
 func getFdoVoucherHandler(orgId string, deviceUuid string, w http.ResponseWriter, r *http.Request) {
 	outils.Verbose("GET /api/orgs/%s/fdo/vouchers/%s ...", orgId)
@@ -704,7 +704,7 @@ func getFdoVoucherHandler(orgId string, deviceUuid string, w http.ResponseWriter
 	outils.WriteResponse(http.StatusOK, w, voucherBytes)
 }
 
-//============= POST /api/orgs/{ord-id}/fdo/redirect =============
+// ============= POST /api/orgs/{ord-id}/fdo/redirect =============
 // Configure the Owner Services TO2 address
 func postFdoRedirectHandler(orgId string, w http.ResponseWriter, r *http.Request) {
 	outils.Verbose("POST /api/orgs/%s/fdo/redirect ... ...", orgId)
@@ -780,7 +780,7 @@ func postFdoRedirectHandler(orgId string, w http.ResponseWriter, r *http.Request
 	outils.WriteResponse(http.StatusOK, w, respBodyBytes)
 }
 
-//============= GET /api/orgs/{ord-id}/fdo/redirect =============
+// ============= GET /api/orgs/{ord-id}/fdo/redirect =============
 // Get the Owner Services TO2 address
 func getFdoRedirectHandler(orgId string, w http.ResponseWriter, r *http.Request) {
 	outils.Verbose("GET /api/orgs/%s/fdo/redirect ... ...", orgId)
@@ -839,7 +839,7 @@ func getFdoRedirectHandler(orgId string, w http.ResponseWriter, r *http.Request)
 	outils.WriteResponse(http.StatusOK, w, respBodyBytes)
 }
 
-//============= GET /api/orgs/{ord-id}/fdo/to0/{deviceUuid} =============
+// ============= GET /api/orgs/{ord-id}/fdo/to0/{deviceUuid} =============
 // Initiates TO0 from Owner service
 func getFdoTo0Handler(orgId string, deviceUuid string, w http.ResponseWriter, r *http.Request) {
 	outils.Verbose("GET /api/orgs/%s/fdo/to0/%s ...", orgId)
@@ -893,8 +893,8 @@ func getFdoTo0Handler(orgId string, deviceUuid string, w http.ResponseWriter, r
 	outils.WriteResponse(http.StatusOK, w, respBodyBytes)
 }
 
-//IMPORT RESOURCE FILE (agent-install-wrapper.sh) TO OWNER DB FOR SERVICE INFO PACKAGE
-//============= POST /api/orgs/{ord-id}/fdo/resource/{resourceFile} =============
+// IMPORT RESOURCE FILE (agent-install-wrapper.sh) TO OWNER DB FOR SERVICE INFO PACKAGE
+// ============= POST /api/orgs/{ord-id}/fdo/resource/{resourceFile} =============
 // Imports a resource file to the DB in order to use for service info package
 func postFdoResourceHandler(orgId string, resourceFile string, w http.ResponseWriter, r *http.Request) {
 	outils.Verbose("POST /api/orgs/%s/fdo/resource/%s ... ...", orgId)
@@ -970,7 +970,7 @@ func postFdoResourceHandler(orgId string, resourceFile string, w http.ResponseWr
 	outils.WriteResponse(http.StatusOK, w, respBodyBytes)
 }
 
-//============= GET /api/orgs/{ord-id}/fdo/resource/{resourceFile} =============
+// ============= GET /api/orgs/{ord-id}/fdo/resource/{resourceFile} =============
 // Gets a resource file that was imported to the DB in order to use for service info package
 func getFdoResourceHandler(orgId string, resourceFile string, w http.ResponseWriter, r *http.Request) {
 	outils.Verbose("GET /api/orgs/%s/fdo/resource/%s ... ...", orgId)
@@ -1045,7 +1045,7 @@ func getFdoResourceHandler(orgId string, resourceFile string, w http.ResponseWri
 	outils.WriteResponse(http.StatusOK, w, respBodyBytes)
 }
 
-//============= POST /api/orgs/{ord-id}/fdo/svi =============
+// ============= POST /api/orgs/{ord-id}/fdo/svi =============
 // Uploads SVI instructions to SYSTEM_PACKAGE table in owner db.
 func postFdoSVIHandler(orgId string, w http.ResponseWriter, r *http.Request) {
 	outils.Verbose("POST /api/orgs/%s/fdo/svi ... ...", orgId)