Validate the path during ConfigFile upload
The IBM management console ConfigFile upload use case allowed any file on
the BMC to be created or modified when the path in the URL was given
as below.
PUT https://${bmc}/ibm/v1/Host/ConfigFiles/../../../../../<any file under root dir> --data-binary "junk data"
This commit adds validation of the "path" variable that follows "ConfigFiles/"
in the URL, so that only ConfigFiles are created or modified.
The filename validation includes:
Restrict the maximum filename length to 20 characters
Restrict the allowed characters to [A-Za-z0-9-]
The minimum size of the file allowed is 100 bytes
The maximum size of the file allowed is 500KB
Maximum total size of the ConfigFile directory at BMC file system allowed is 10MB
Tested by:
1. PUT https://${bmc}/ibm/v1/Host/ConfigFiles/../../../../../etc/p2 --data-binary "some data"
Bad Request
2. PUT https://${bmc}/ibm/v1/Host/ConfigFiles/../../../etc/p2 --data-binary "some data"
Bad Request
3. PUT https://${bmc}/ibm/v1/Host/ConfigFiles/../etc/p2 --data-binary "some data"
Bad Request
4. PUT https://${bmc}/ibm/v1/Host/ConfigFiles/etc/p2 --data-binary "some data"
{
"Description": "Error while creating the file"
}
5. PUT https://${bmc}/ibm/v1/Host/ConfigFiles/mydir/p2 --data-binary "some data"
{
"Description": "Error while creating the file"
}
6. PUT https://${bmc}/ibm/v1/Host/ConfigFiles/ --data-binary "some data"
Not Found
7. PUT https://${bmc}/ibm/v1/Host/ConfigFiles --data-binary "some data"
Method Not Allowed
8. PUT https://${bmc}/ibm/v1/Host/ConfigFiles/p2/../p2 --data-binary "some data"
Bad Request
9. PUT https://${bmc}/ibm/v1/Host/ConfigFiles/p2/p2 --data-binary "some data"
{
"Description": "Error while creating the file"
}
10. PUT https://${bmc}/ibm/v1/Host/ConfigFiles/p2/../../../p2 --data-binary "some data"
Bad Request
11. PUT https://${bmc}/ibm/v1/Host/ConfigFiles/./../../p2 --data-binary "some data"
Bad Request
12. PUT https://${bmc}/ibm/v1/Host/ConfigFiles/. --data-binary "some data"
Bad Request
13. PUT https://${bmc}/ibm/v1/Host/../ConfigFiles/p2 --data-binary "some data"
Not Found
14. PUT https://${bmc}/ibm/v1/Host/ConfigFiles/p2 --data-binary "some data"
{
"Description": "File Created"
}
15. PUT https://${bmc}/ibm/v1/Host/ConfigFiles/p2 --data-binary "some data"
{
"Description": "File Updated"
}
16. PUT https://${bmc}/ibm/v1/Host/ConfigFiles/p2.ext --data-binary "some data"
{
"Description": "File Created"
}
17. Tested sending filename greater than 20 charaters
Bad Request
18. Tested sending filename with special charaters
Bad Request
19. Tested sending filesize less than 100bytes
Bad request
20. Tested sending filesize greater than 500KB
Bad request
21. Tested uploading the file when the directory size is nearly full
Bad request
22. Added unit test for isValidConfigFileName
Signed-off-by: Sunitha Harish <sunharis@in.ibm.com>
Change-Id: I838d39d5765ddc8701f7e5c533a93eebde021cbf
diff --git a/redfish-core/ut/configfile_test.cpp b/redfish-core/ut/configfile_test.cpp
new file mode 100644
index 0000000..9f6bc13
--- /dev/null
+++ b/redfish-core/ut/configfile_test.cpp
@@ -0,0 +1,71 @@
+#include "ibm/management_console_rest.hpp"
+#include "nlohmann/json.hpp"
+
+#include <string>
+
+#include "gmock/gmock.h"
+
+namespace crow
+{
+namespace ibm_mc
+{
+
+TEST(ConfigFileTest, FileNameValidChar)
+{
+ crow::Response res;
+
+ const std::string fileName = "GoodConfigFile";
+ EXPECT_TRUE(isValidConfigFileName(fileName, res));
+}
+TEST(ConfigFileTest, FileNameInvalidChar)
+{
+ crow::Response res;
+
+ const std::string fileName = "Bad@file";
+ EXPECT_FALSE(isValidConfigFileName(fileName, res));
+}
+TEST(ConfigFileTest, FileNameInvalidPath1)
+{
+ crow::Response res;
+
+ const std::string fileName = "/../../../../../etc/badpath";
+ EXPECT_FALSE(isValidConfigFileName(fileName, res));
+}
+TEST(ConfigFileTest, FileNameInvalidPath2)
+{
+ crow::Response res;
+
+ const std::string fileName = "/../../etc/badpath";
+ EXPECT_FALSE(isValidConfigFileName(fileName, res));
+}
+TEST(ConfigFileTest, FileNameInvalidPath3)
+{
+ crow::Response res;
+
+ const std::string fileName = "/mydir/configFile";
+ EXPECT_FALSE(isValidConfigFileName(fileName, res));
+}
+TEST(ConfigFileTest, FileNameNull)
+{
+ crow::Response res;
+
+ const std::string fileName = "";
+ EXPECT_FALSE(isValidConfigFileName(fileName, res));
+}
+TEST(ConfigFileTest, FileNameSlash)
+{
+ crow::Response res;
+
+ const std::string fileName = "/";
+ EXPECT_FALSE(isValidConfigFileName(fileName, res));
+}
+TEST(ConfigFileTest, FileNameMorethan20Char)
+{
+ crow::Response res;
+
+ const std::string fileName = "BadfileBadfileBadfile";
+ EXPECT_FALSE(isValidConfigFileName(fileName, res));
+}
+
+} // namespace ibm_mc
+} // namespace crow
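Review bot: The traversal cases in ConfigFileTest all begin with `/`, and the only bad-character case uses `@`, so nothing pins what isValidConfigFileName does with a bare `..`, with a relative `../etc/badpath`, or with a name of exactly 20 characters. The commit message lists the allowed set as [A-Za-z0-9-] but reports `p2.ext` as created. If `.` is in fact accepted, a bare `..` would satisfy a character-class check unless it is rejected separately; the validator is not visible in this hunk, so a test should settle it. I would add the cases below, plus one that fixes the intended result for a dotted name such as `p2.ext`; the 20-character case assumes the stated maximum is inclusive.

```cpp
// … unchanged: existing ConfigFileTest cases …
TEST(ConfigFileTest, FileNameExactly20Char)
{
    crow::Response res;

    // 20 characters: the longest name the commit message says is allowed
    const std::string fileName = "GoodfileGoodfileGood";
    EXPECT_TRUE(isValidConfigFileName(fileName, res));
}
TEST(ConfigFileTest, FileNameDotDot)
{
    crow::Response res;

    const std::string fileName = "..";
    EXPECT_FALSE(isValidConfigFileName(fileName, res));
}
TEST(ConfigFileTest, FileNameRelativeTraversal)
{
    crow::Response res;

    const std::string fileName = "../etc/badpath";
    EXPECT_FALSE(isValidConfigFileName(fileName, res));
}
```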