CB-6085 blob upload validate only uuid
yagudin10 committed Dec 26, 2024
1 parent 3dace0d commit 543d175
Showing 1 changed file with 6 additions and 11 deletions.
Expand Up @@ -39,8 +39,7 @@
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.UUID;

@MultipartConfig
public class WebSQLFileLoaderServlet extends WebServiceServletBase {
Expand All @@ -55,8 +54,6 @@ public class WebSQLFileLoaderServlet extends WebServiceServletBase {

private static final String FILE_ID = "fileId";

private static final Pattern FORBIDDEN_CHARACTERS_FILE_PATTERN = Pattern.compile("(?U)[$()@ /]");

private static final Gson gson = new GsonBuilder()
.serializeNulls()
.setPrettyPrinting()
Expand Down Expand Up @@ -94,13 +91,11 @@ protected void processServiceRequest(
if (fileId == null) {
throw new DBWebException("File ID not found");
}
Matcher matcher = FORBIDDEN_CHARACTERS_FILE_PATTERN.matcher(fileId);
if (fileId.startsWith(".")) {
throw new DBWebException("Invalid resource path '%s': resource path cannot start with a dot".formatted(fileId));
}
if (matcher.find()) {
String illegalCharacters = matcher.group();
throw new DBException("Resource path '%s' contains illegal characters: %s".formatted(fileId, illegalCharacters));
try {
// file id must be UUID
UUID.fromString(fileId);
} catch (IllegalArgumentException e) {
throw new DBWebException("File ID is invalid");
}
Path file = tempFolder.resolve(fileId);
try {
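Review bot: In the last hunk the result of `UUID.fromString(fileId)` is thrown away and the raw request string is still what reaches `tempFolder.resolve(fileId)`, so the name used on disk is whatever spelling the parser tolerated rather than the canonical UUID. `UUID.fromString` accepts some non-canonical forms (shortened groups such as `1-1-1-1-1`, for example), which does not appear to allow path separators or dots but does let several spellings of one id resolve to different files. I would declare `final UUID parsedId;` before the `try`, assign `parsedId = UUID.fromString(fileId);` inside it, and build the path with `Path file = tempFolder.resolve(parsedId.toString());`, so the path is derived from the validated value. The catch also drops `e`; passing it as the cause, if `DBWebException` offers such a constructor, would keep the rejected-input detail available in logs without echoing it to the client. `processServiceRequest` starts and ends outside the hunk, so how `file` is used afterwards is not visible here.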
