From f97a44af67b935aec93f76b5831bdef422e93875 Mon Sep 17 00:00:00 2001 From: "Dr. Christoph \"Schorsch\" Jung" Date: Mon, 27 May 2024 11:42:07 +0200 Subject: [PATCH] fix: check connector urls and headers coming from config. --- .../eclipse/tractusx/agents/AgentConfig.java | 32 ++++++++++++++++--- .../agents/http/DelegationServiceImpl.java | 7 ++-- 2 files changed, 31 insertions(+), 8 deletions(-) diff --git a/matchmaking/src/main/java/org/eclipse/tractusx/agents/AgentConfig.java b/matchmaking/src/main/java/org/eclipse/tractusx/agents/AgentConfig.java index f58ecf3..ab191ec 100644 --- a/matchmaking/src/main/java/org/eclipse/tractusx/agents/AgentConfig.java +++ b/matchmaking/src/main/java/org/eclipse/tractusx/agents/AgentConfig.java @@ -93,6 +93,11 @@ public class AgentConfig { public static final String SERVICE_DENY_ASSET_PROPERTY = "cx.agent.service.asset.deny"; public static final String DEFAULT_SERVICE_DENY_ASSET_PATTERN = "^$"; + public static final String SERVICE_ALLOW_CONNECTOR_PROPERTY = "cx.agent.service.connector.allow"; + public static final String DEFAULT_SERVICE_ALLOW_CONNECTOR_PATTERN = "https://.*"; + public static final String SERVICE_DENY_CONNECTOR_PROPERTY = "cx.agent.service.connector.deny"; + public static final String DEFAULT_SERVICE_DENY_CONNECTOR_PATTERN = "^$"; + public static final String MATCHMAKING_PORT = "web.http.internal.port"; public static final String MATCHMAKING_PATH = "web.http.internal.path"; @@ -110,6 +115,11 @@ public class AgentConfig { protected final Pattern serviceAssetAllowPattern; protected final Pattern serviceAssetDenyPattern; protected final Pattern assetReferencePattern; + protected final Pattern connectorAllowPattern; + protected final Pattern connectorDenyPattern; + + public static final Pattern PARAMETER_KEY_ALLOW = Pattern.compile("^(?(?!asset$)[^&?=]+)$"); + public static final Pattern PARAMETER_VALUE_ALLOW = Pattern.compile("^(?[^&]+)$"); /** * references to EDC services 
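Review bot: The default `DEFAULT_SERVICE_ALLOW_CONNECTOR_PATTERN = "https://.*"` only pins the scheme, so out of the box any https host passes the new connector check and the default deny pattern `^$` excludes nothing; the two property constants should say so in a Javadoc line, e.g. `/** Regex a connector URL from config must fully match; the default only requires https, narrow it to the expected hosts per deployment. */`. Because the getters apply the patterns with `matches()`, the regex is matched against the whole URL, which is worth stating since an operator writing `example.org` would expect `find()`-style semantics and get every URL rejected instead.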
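Review bot: `PARAMETER_KEY_ALLOW` and `PARAMETER_VALUE_ALLOW` are declared between the `protected final` instance fields instead of with the other `public static final` constants at the top of the class, and carry no Javadoc although they are now the public contract shared by DelegationServiceImpl.getUrl and getControlPlaneManagementHeaders. A short comment would do, e.g. `/** Query-parameter name accepted for delegation: any run of characters without '&', '?' or '=' except the reserved name "asset"; the match is exposed as group "param". */`. As rendered here both regexes show `(?` with no group name, which looks like an extraction artifact of the named groups that getUrl reads through `group("param")` and `group("value")`; worth confirming the committed source still carries those names, since `Matcher.group(String)` throws IllegalArgumentException when the group does not exist.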
@@ -130,6 +140,8 @@ public AgentConfig(Monitor monitor, Config config) { serviceDenyPattern = Pattern.compile(config.getString(SERVICE_DENY_PROPERTY, DEFAULT_SERVICE_DENY_PATTERN)); serviceAssetAllowPattern = Pattern.compile(config.getString(SERVICE_ALLOW_ASSET_PROPERTY, DEFAULT_SERVICE_ALLOW_ASSET_PATTERN)); serviceAssetDenyPattern = Pattern.compile(config.getString(SERVICE_DENY_ASSET_PROPERTY, DEFAULT_SERVICE_DENY_ASSET_PATTERN)); + connectorAllowPattern = Pattern.compile(config.getString(SERVICE_ALLOW_CONNECTOR_PROPERTY, DEFAULT_SERVICE_ALLOW_CONNECTOR_PATTERN)); + connectorDenyPattern = Pattern.compile(config.getString(SERVICE_DENY_CONNECTOR_PROPERTY, DEFAULT_SERVICE_DENY_CONNECTOR_PATTERN)); assetReferencePattern = Pattern.compile("((?[^#]+)#)?(?.+)"); } @@ -183,7 +195,11 @@ public String getAccessPoint() { * @return uri of the control plane management endpoint (without concrete api) */ public String getControlPlaneManagementUrl() { - return config.getString(CONTROL_PLANE_MANAGEMENT, null); + String url = config.getString(CONTROL_PLANE_MANAGEMENT, null); + if (url != null && connectorAllowPattern.matcher(url).matches() && !connectorDenyPattern.matcher(url).matches()) { + return url; + } + return null; } /** @@ -192,7 +208,11 @@ public String getControlPlaneManagementUrl() { * @return uri of the control plane management endpoint (without concrete api) */ public String getControlPlaneManagementProviderUrl() { - return config.getString(CONTROL_PLANE_MANAGEMENT_PROVIDER, config.getString(CONTROL_PLANE_MANAGEMENT, null)); + String url = config.getString(CONTROL_PLANE_MANAGEMENT_PROVIDER, config.getString(CONTROL_PLANE_MANAGEMENT, null)); + if (url != null && connectorAllowPattern.matcher(url).matches() && !connectorDenyPattern.matcher(url).matches()) { + return url; + } + return null; } /** 
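Review bot: When the configured URL fails the allow/deny check, getControlPlaneManagementUrl returns null exactly as it does when the property is unset, so a value rejected by policy is indistinguishable from a missing one and nothing is logged; the same applies to getControlPlaneManagementProviderUrl in the next hunk and getControlPlaneIdsUrl in the hunk after it. The three-line check is also repeated verbatim in all three getters. Both points are covered by one protected helper that the getters delegate to and that reports the rejection through the Monitor the constructor receives (its field name is not visible in this diff, so the fence uses a placeholder); the other two getters would call the helper with their own property names.
```java
    public String getControlPlaneManagementUrl() {
        return checkConnectorUrl(CONTROL_PLANE_MANAGEMENT, config.getString(CONTROL_PLANE_MANAGEMENT, null));
    }

    /**
     * Applies the configured connector allow/deny patterns to a URL read from config.
     *
     * @param property name of the config property the value came from, used for diagnostics only
     * @param url      configured value, null when the property is unset
     * @return the url when it fully matches the allow pattern and not the deny pattern, otherwise null
     */
    protected String checkConnectorUrl(String property, String url) {
        if (url == null) {
            return null;
        }
        if (connectorAllowPattern.matcher(url).matches() && !connectorDenyPattern.matcher(url).matches()) {
            return url;
        }
        // MONITOR_FIELD is a placeholder for the Monitor handed to the constructor (not visible in this hunk)
        MONITOR_FIELD.warning(String.format("Ignoring %s=%s: it does not satisfy the connector allow/deny patterns", property, url));
        return null;
    }
```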
@@ -201,7 +221,11 @@ public String getControlPlaneManagementProviderUrl() { * @return uri of the control plane ids endpoint (without concrete api) */ public String getControlPlaneIdsUrl() { - return config.getString(CONTROL_PLANE_IDS, null); + String url = config.getString(CONTROL_PLANE_IDS, null); + if (url != null && connectorAllowPattern.matcher(url).matches() && !connectorDenyPattern.matcher(url).matches()) { + return url; + } + return null; } /** @@ -212,7 +236,7 @@ public String getControlPlaneIdsUrl() { public Map getControlPlaneManagementHeaders() { String key = config.getString(CONTROL_PLANE_AUTH_HEADER, "X-Api-Key"); String value = config.getString(CONTROL_PLANE_AUTH_VALUE, null); - if (key != null && value != null) { + if (key != null && PARAMETER_KEY_ALLOW.matcher(key).matches() && value != null && PARAMETER_VALUE_ALLOW.matcher(value).matches()) { return Map.of(key, value); } return Map.of(); diff --git a/matchmaking/src/main/java/org/eclipse/tractusx/agents/http/DelegationServiceImpl.java b/matchmaking/src/main/java/org/eclipse/tractusx/agents/http/DelegationServiceImpl.java index b02fb2e..f7a7313 100644 --- a/matchmaking/src/main/java/org/eclipse/tractusx/agents/http/DelegationServiceImpl.java +++ b/matchmaking/src/main/java/org/eclipse/tractusx/agents/http/DelegationServiceImpl.java @@ -185,8 +185,7 @@ public DelegationResponse sendPostRequest(EndpointDataReference dataReference, S return new DelegationResponse(sendRequest(newRequest, response), Response.status(response.getStatus()).build()); } - protected static final Pattern PARAMETER_KEY_ALLOW = Pattern.compile("^(?(?!asset$)[^&?=]+)$"); - protected static final Pattern PARAMETER_VALUE_ALLOW = Pattern.compile("^(?[^&]+)$"); + /** * computes the url to target the given data plane 
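Review bot: The new condition in getControlPlaneManagementHeaders validates an HTTP header name and value with `PARAMETER_KEY_ALLOW` and `PARAMETER_VALUE_ALLOW`, which encode query-string rules (no `&`, `?` or `=`, and the reserved name `asset`) rather than header rules: the negated character classes still accept whitespace and control characters such as CR and LF in both name and value, so the check by itself does not keep a malformed config value from corrupting the header line, while it rejects a legitimate key that happens to contain `=`. A header-specific pair would be clearer, e.g. `^[A-Za-z0-9!#$%&'*+.^_|~-]+$` for the name (a subset of the RFC 7230 token characters) and `^[\t\x20-\x7e]+$` for the value, kept as separate constants so the query-parameter rules in DelegationServiceImpl are not coupled to header validation. Since `CONTROL_PLANE_AUTH_VALUE` is a credential, any diagnostic emitted on rejection should name the property but never echo the value. Whether the HTTP client downstream already rejects such characters is not visible in this diff.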
@@ -211,11 +210,11 @@ protected HttpUrl getUrl(String connectorUrl, String subUrl, HttpHeaders headers HttpUrl.Builder httpBuilder = Objects.requireNonNull(okhttp3.HttpUrl.parse(url)).newBuilder(); for (Map.Entry> param : uri.getQueryParameters().entrySet()) { String key = param.getKey(); - Matcher keyMatcher = PARAMETER_KEY_ALLOW.matcher(key); + Matcher keyMatcher = AgentConfig.PARAMETER_KEY_ALLOW.matcher(key); if (keyMatcher.matches()) { String recodeKey = HttpUtils.urlEncodeParameter(keyMatcher.group("param")); for (String value : param.getValue()) { - Matcher valueMatcher = PARAMETER_VALUE_ALLOW.matcher(value); + Matcher valueMatcher = AgentConfig.PARAMETER_VALUE_ALLOW.matcher(value); if (valueMatcher.matches()) { String recodeValue = HttpUtils.urlEncodeParameter(valueMatcher.group("value")); httpBuilder = httpBuilder.addQueryParameter(recodeKey, recodeValue);