Development: Improve background image input validation #7170

Merged
merged 34 commits into from
Oct 3, 2023

Conversation

MarkusPaulsen
Contributor

@MarkusPaulsen MarkusPaulsen commented Sep 10, 2023

Checklist

General

Server

  • Important: I implemented the changes with a very good performance and prevented too many (unnecessary) database calls.
  • I followed the coding and design guidelines.
  • I added multiple integration tests (Spring) related to the features (with a high test coverage).
  • I documented the Java code using JavaDoc style.

Changes affecting Programming Exercises

  • I tested all changes and their related features with all corresponding user types on Test Server 1 (Atlassian Suite).
  • I tested all changes and their related features with all corresponding user types on Test Server 2 (Jenkins and Gitlab).

Motivation and Context

Several endpoints in the classes ExamResource, ExerciseGroupResource and QuizExerciseResource do not sanitise the background file path of imported quiz exercises, which can lead to path traversal when being used without sanitisation.

Description

We now:

  1. Sanitize every background file path
  2. Check if every background file path starts with /api/files/drag-and-drop/backgrounds

Steps for Testing

Prerequisites:

  • 1 Instructor
  1. Log in to Artemis
  2. Navigate to Course Administration
  3. Either create a new course or access an existing one
  4. Navigate to the exercise overview
  5. Create a quiz
  6. Add Drag-And-Drop Question exercise with a background and a picture drag item to the quiz
  7. Save the quiz
  8. Navigate to the exercise overview
  9. Click on import quiz
  10. Import the created quiz as a new quiz
  11. Click on Preview Quiz
  12. Check, whether the imported exercise displays the background image and the picture drag item correctly

Exam Mode Testing

Prerequisites:

  • 1 Instructor
  1. Log in to Artemis
  2. Navigate to the exam overview
  3. Create a new exam
  4. Navigate to the exercise group overview
  5. Create a new exercise group
  6. Import the previously created quiz
  7. Navigate to the exam overview
  8. Import the created exam as a new exam
  9. Click on Preview Quiz
  10. Check, if the exercise in the exported exam correctly displays the background image
  11. Navigate to the exercise group overview
  12. Import the exercise group from the firstly created exam.
  13. Click on Preview Quiz
  14. Check, if the exercise in the newly created exam correctly displays the background image

Review Progress

Performance Review

  • I (as a reviewer) confirm that the server changes (in particular related to database calls) are implemented with a very good performance

Code Review

  • Code Review 1
  • Code Review 2

Manual Tests

  • Test 1
  • Test 2

Exam Mode Test

  • Test 1
  • Test 2

Test Coverage

@MarkusPaulsen MarkusPaulsen requested a review from a team as a code owner September 10, 2023 20:54
@github-actions github-actions bot added tests server Pull requests that update Java code. (Added Automatically!) labels Sep 10, 2023
@MarkusPaulsen MarkusPaulsen changed the title Improved input validation. Development: Improved input validation. Sep 11, 2023
@MarkusPaulsen MarkusPaulsen changed the title Development: Improved input validation. Development: Improve background image input validation. Sep 11, 2023
Contributor

@laadvo laadvo left a comment

Due to the changes, some import quiz exercise tests from QuizExerciseIntegrationTest seem to fail with Status response 500 now.
I am guessing this is because they use images with invalid paths. Additionally, could you move the two new tests into QuizExerciseIntegrationTest since quiz import is already tested there? Alternatively, you could move the existing quiz import tests into the new class, but then make sure to keep it package-private (see Codacy and failing architecture test).

Markus Paulsen added 2 commits September 11, 2023 10:07
…ePathElseThrow method from QuizExerciseImportTest.java to QuizExerciseIntegrationTest.java.
@MarkusPaulsen
Contributor Author

Due to the changes, some import quiz exercise tests from QuizExerciseIntegrationTest seem to fail with Status response 500 now. I am guessing this is because they use images with invalid paths. Additionally, could you move the two new tests into QuizExerciseIntegrationTest since quiz import is already tested there? Alternatively, you could move the existing quiz import tests into the new class, but then make sure to keep it package-private (see Codacy and failing architecture test).

Fixed in:

jakubriegel
jakubriegel previously approved these changes Sep 11, 2023
Contributor

@jakubriegel jakubriegel left a comment

Works on ts1

Collaborator

@MaximilianAnzinger MaximilianAnzinger left a comment

Testing Session TS1

Contributor

@pal03377 pal03377 left a comment

Tested in testing session on TS1. We tested

  • normal quiz creation with background image
  • exam quiz creation with background image
  • importing those quiz exercises (exam and non-exam)
  • importing whole exams

The images were always intact and available, also in the student view.

nityanandaz
nityanandaz previously approved these changes Sep 11, 2023
Contributor

@nityanandaz nityanandaz left a comment

Manual test on TS1

Drag and drop worked in all places

Kroko-fant
Kroko-fant previously approved these changes Sep 11, 2023
Contributor

@Kroko-fant Kroko-fant left a comment

Tested in a testing session; everything worked so far.

@pal03377 pal03377 temporarily deployed to artemis-test5.artemis.cit.tum.de September 11, 2023 16:19 — with GitHub Actions Inactive
Contributor

@pal03377 pal03377 left a comment

Code: As @julian-christl mentioned, the paths to check are actually URL paths relative to the domain, so we should not use File utils to check them. Also, I found one other place in the code where it might make sense to introduce a similar check.

2. Rename sanitizeByCheckingIfPathContainsSubPathElseThrow to sanitizeByCheckingIfPathStartsWithSubPathElseThrow.
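
The prefix check from the PR description, applied to the value as a URL path rather than a filesystem path, as raised in the review comment above. This is an added example, not code from this pull request or from Artemis; the class and method names, the trailing slash on the prefix and the sample inputs are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class BackgroundPathCheck {
    // Prefix from the PR description; the trailing slash is an assumption of this example.
    static final String REQUIRED_PREFIX = "/api/files/drag-and-drop/backgrounds/";

    /** Returns the decoded URL path, or throws if it is not a file below REQUIRED_PREFIX. */
    static String requireBackgroundPath(String candidate) {
        if (candidate == null || candidate.indexOf('\\') >= 0) {
            throw new IllegalArgumentException("missing path or backslash in path");
        }
        final URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("not a valid URL path", e);
        }
        // Accept a bare path only: no scheme, host, query or fragment.
        if (uri.getScheme() != null || uri.getRawAuthority() != null
                || uri.getRawQuery() != null || uri.getRawFragment() != null) {
            throw new IllegalArgumentException("only a plain URL path is allowed");
        }
        // getPath() percent-decodes once, so %2e%2e shows up as ".." here;
        // a '%' that survives decoding means the value was encoded twice.
        String path = uri.getPath();
        for (String segment : path.split("/", -1)) {
            if (segment.equals(".") || segment.equals("..") || segment.contains("%")) {
                throw new IllegalArgumentException("dot or encoded segment in path");
            }
        }
        if (!path.startsWith(REQUIRED_PREFIX) || path.length() == REQUIRED_PREFIX.length()) {
            throw new IllegalArgumentException("path is outside " + REQUIRED_PREFIX);
        }
        return path;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the first is valid, the rest must be rejected.
        String[] samples = { "/api/files/drag-and-drop/backgrounds/12/image.png",
                "/api/files/drag-and-drop/backgrounds/../../other/file.png",
                "/api/files/drag-and-drop/backgrounds/%2e%2e/%2e%2e/other/file.png",
                "/api/files/drag-and-drop/backgrounds-old/image.png" };
        for (String sample : samples) {
            try {
                System.out.println("accepted: " + requireBackgroundPath(sample));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + sample + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Rejecting dot segments outright, instead of normalizing them away first, keeps the check independent of how a later component resolves the path.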
Member

@julian-christl julian-christl left a comment

Now that looks good. Thank you.

@jakubriegel jakubriegel temporarily deployed to artemis-test4.artemis.cit.tum.de September 25, 2023 13:42 — with GitHub Actions Inactive
Contributor

@jakubriegel jakubriegel left a comment

Code LGTM 👍🏻 Change works on TS4

@pal03377 pal03377 temporarily deployed to artemis-test4.artemis.cit.tum.de September 27, 2023 11:23 — with GitHub Actions Inactive
Contributor

@pal03377 pal03377 left a comment

The code looks really solid now! I also manually tested the upload on TS4 again.

Contributor

@laadvo laadvo left a comment

Code looks good to me

@MarkusPaulsen MarkusPaulsen added ready to merge maintainer-approved The feature maintainer has approved the PR labels Oct 1, 2023
@krusche krusche changed the title Development: Improve background image input validation. Development: Improve background image input validation Oct 3, 2023
@krusche krusche added this to the 6.5.4 milestone Oct 3, 2023
@krusche krusche merged commit fa029c1 into develop Oct 3, 2023
@krusche krusche deleted the bugfix/fix-background-image-input-validation branch October 3, 2023 07:49
Labels
maintainer-approved The feature maintainer has approved the PR ready to merge server Pull requests that update Java code. (Added Automatically!) tests
10 participants