From 3dace0d676c25d3d6693605ab66149296ea01453 Mon Sep 17 00:00:00 2001
From: Ainur
Date: Thu, 26 Dec 2024 10:13:57 +0100
Subject: [PATCH 1/2] CB-6085 blob upload validation fix
---
 .../service/sql/WebSQLFileLoaderServlet.java | 34 +++++++++++--------
 1 file changed, 20 insertions(+), 14 deletions(-)
diff --git a/server/bundles/io.cloudbeaver.server/src/io/cloudbeaver/service/sql/WebSQLFileLoaderServlet.java b/server/bundles/io.cloudbeaver.server/src/io/cloudbeaver/service/sql/WebSQLFileLoaderServlet.java
index d70a9ab318..a8eaaab88c 100644
--- a/server/bundles/io.cloudbeaver.server/src/io/cloudbeaver/service/sql/WebSQLFileLoaderServlet.java
+++ b/server/bundles/io.cloudbeaver.server/src/io/cloudbeaver/service/sql/WebSQLFileLoaderServlet.java
@@ -39,6 +39,8 @@ import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 @MultipartConfig
 public class WebSQLFileLoaderServlet extends WebServiceServletBase {
@@ -53,7 +55,7 @@ public class WebSQLFileLoaderServlet extends WebServiceServletBase {
 private static final String FILE_ID = "fileId";
- private static final String FORBIDDEN_CHARACTERS_FILE_REGEX = "(?U)[$()@ /]+";
+ private static final Pattern FORBIDDEN_CHARACTERS_FILE_PATTERN = Pattern.compile("(?U)[$()@ /]");
 private static final Gson gson = new GsonBuilder()
 .serializeNulls()
@@ -89,19 +91,23 @@ protected void processServiceRequest(
 Map variables = gson.fromJson(request.getParameter(REQUEST_PARAM_VARIABLES), MAP_STRING_OBJECT_TYPE);
 String fileId = JSONUtils.getString(variables, FILE_ID);
-
- if (fileId != null && !fileId.matches(FORBIDDEN_CHARACTERS_FILE_REGEX) && !fileId.startsWith(".")) {
- Path file = tempFolder.resolve(fileId);
- try {
- Files.write(file, request.getPart("fileData").getInputStream().readAllBytes());
- } catch (ServletException e) {
- log.error(e.getMessage());
- throw new DBWebException(e.getMessage());
- }
- } else {
- String illegalCharacters = fileId != null ?
- fileId.replaceAll(FORBIDDEN_CHARACTERS_FILE_REGEX, " ").strip() : null;
- throw new DBException("Resource path '" + fileId + "' contains illegal characters: " + illegalCharacters);
+ if (fileId == null) {
+ throw new DBWebException("File ID not found");
+ }
+ Matcher matcher = FORBIDDEN_CHARACTERS_FILE_PATTERN.matcher(fileId);
+ if (fileId.startsWith(".")) {
+ throw new DBWebException("Invalid resource path '%s': resource path cannot start with a dot".formatted(fileId));
+ }
+ if (matcher.find()) {
+ String illegalCharacters = matcher.group();
+ throw new DBException("Resource path '%s' contains illegal characters: %s".formatted(fileId, illegalCharacters));
+ }
+ Path file = tempFolder.resolve(fileId);
+ try {
+ Files.write(file, request.getPart("fileData").getInputStream().readAllBytes());
+ } catch (ServletException e) {
+ log.error(e.getMessage());
+ throw new DBWebException(e.getMessage());
 }
 }
 }
\ No newline at end of file
From 543d175a6f472a630670582d2b1325550f17fdd7 Mon Sep 17 00:00:00 2001
From: Ainur
Date: Thu, 26 Dec 2024 10:40:15 +0100
Subject: [PATCH 2/2] CB-6085 blob upload validate only uuid
---
 .../service/sql/WebSQLFileLoaderServlet.java | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)
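Review bot: The three validation failures added here throw two different types: the missing-id and dot-prefix branches throw `DBWebException`, while the illegal-character branch throws `DBException`, so a caller catching the web-specific type handles the third case differently for no stated reason; `throw new DBWebException("Resource path '%s' contains illegal characters: %s".formatted(fileId, illegalCharacters));` would make the three branches uniform. `Matcher matcher` is also created before the dot-prefix check that may throw, so it is wasted on that path and reads better directly above `if (matcher.find())`. More fundamentally, a character denylist such as `(?U)[$()@ /]` rejects only what the author thought of (the backslash separator, for instance, is not in it), whereas checking the id against the exact format the server itself issues is the robust form of this check. processServiceRequest begins before this hunk.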
diff --git a/server/bundles/io.cloudbeaver.server/src/io/cloudbeaver/service/sql/WebSQLFileLoaderServlet.java b/server/bundles/io.cloudbeaver.server/src/io/cloudbeaver/service/sql/WebSQLFileLoaderServlet.java
index a8eaaab88c..cced78d2d7 100644
--- a/server/bundles/io.cloudbeaver.server/src/io/cloudbeaver/service/sql/WebSQLFileLoaderServlet.java
+++ b/server/bundles/io.cloudbeaver.server/src/io/cloudbeaver/service/sql/WebSQLFileLoaderServlet.java
@@ -39,8 +39,7 @@ import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.Map;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
+import java.util.UUID;
 @MultipartConfig
 public class WebSQLFileLoaderServlet extends WebServiceServletBase {
@@ -55,8 +54,6 @@ public class WebSQLFileLoaderServlet extends WebServiceServletBase {
 private static final String FILE_ID = "fileId";
- private static final Pattern FORBIDDEN_CHARACTERS_FILE_PATTERN = Pattern.compile("(?U)[$()@ /]");
-
 private static final Gson gson = new GsonBuilder()
 .serializeNulls()
 .setPrettyPrinting()
@@ -94,13 +91,11 @@ protected void processServiceRequest(
 if (fileId == null) {
 throw new DBWebException("File ID not found");
 }
- Matcher matcher = FORBIDDEN_CHARACTERS_FILE_PATTERN.matcher(fileId);
- if (fileId.startsWith(".")) {
- throw new DBWebException("Invalid resource path '%s': resource path cannot start with a dot".formatted(fileId));
- }
- if (matcher.find()) {
- String illegalCharacters = matcher.group();
- throw new DBException("Resource path '%s' contains illegal characters: %s".formatted(fileId, illegalCharacters));
+ try {
+ // file id must be UUID
+ UUID.fromString(fileId);
+ } catch (IllegalArgumentException e) {
+ throw new DBWebException("File ID is invalid");
 }
 Path file = tempFolder.resolve(fileId);
 try {
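Review bot: The value that is validated and the value used on disk differ: `UUID.fromString(fileId)` accepts non-canonical spellings (upper-case hex and, since Java 9, short dash-separated groups, for example `1-2-3-4-5`), yet `tempFolder.resolve(fileId)` below uses the raw string, so two spellings of one UUID land in two different files and a consumer that canonicalizes the id will not find the upload. If the reader side works from the parsed form, resolve the canonical one here too — `String canonicalId = UUID.fromString(fileId).toString();` followed by `Path file = tempFolder.resolve(canonicalId);` — but the reader is not visible from this hunk, so confirm that first. The path-safety argument does hold (an accepted string contains only hex digits, dashes and possibly a sign character, so resolve() cannot leave tempFolder), and that is the reason worth recording in place of `// file id must be UUID`, e.g. `// Accept only UUIDs: besides matching the ids the server issues, this is the path-safety check — an accepted value has no separator or dot characters, so resolve() below cannot escape tempFolder`. The parse failure is rethrown without its cause; if DBWebException has a (String, Throwable) constructor, `throw new DBWebException("File ID is invalid", e);` keeps the diagnostic. processServiceRequest continues outside the hunk.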