Merge branch 'Hotfix/988-fixSpecialCharacters' into 'master'

Hotfix/988-fixSpecialCharacters See merge request coscine/api/blobapi!6

Merge branch 'Hotfix/988-fixSpecialCharacters' into 'master'
Hotfix/988-fixSpecialCharacters See merge request coscine/api/blobapi!6
b7a4fe55 · Marcel Nellesen · 7056b8d7 · 8fdc73b7 · b7a4fe55 · b7a4fe55
Commit b7a4fe55 authored Aug 25, 2020 by Marcel Nellesen
--- a/src/Blob/Blob.csproj
+++ b/src/Blob/Blob.csproj
@@ -53,8 +53,8 @@
    <Reference Include="Consul, Version=0.7.2.6, Culture=neutral, PublicKeyToken=20a6ad9a81df1d95, processorArchitecture=MSIL">
      <HintPath>..\packages\Consul.0.7.2.6\lib\net45\Consul.dll</HintPath>
    </Reference>
-    <Reference Include="Coscine.Api.WaterbutlerHelper, Version=1.1.0.0, Culture=neutral, processorArchitecture=MSIL">
-      <HintPath>..\packages\Coscine.Api.WaterbutlerHelper.1.1.0\lib\net461\Coscine.Api.WaterbutlerHelper.dll</HintPath>
+    <Reference Include="Coscine.Api.WaterbutlerHelper, Version=1.1.1.0, Culture=neutral, processorArchitecture=MSIL">
+      <HintPath>..\packages\Coscine.Api.WaterbutlerHelper.1.1.1\lib\net461\Coscine.Api.WaterbutlerHelper.dll</HintPath>
    </Reference>
    <Reference Include="Coscine.ApiCommons, Version=1.9.0.0, Culture=neutral, PublicKeyToken=af4c1345df96546b, processorArchitecture=MSIL">
      <HintPath>..\packages\Coscine.ApiCommons.1.9.0\lib\net461\Coscine.ApiCommons.dll</HintPath>

--- a/src/Blob/Controllers/BlobController.cs
+++ b/src/Blob/Controllers/BlobController.cs
@@ -140,13 +140,17 @@ namespace Coscine.Api.Blob.Controllers
        // inferring a ../ (urlencoded) can manipulate the url.
        // However the constructed signature for s3 won't match and it will not be resolved.
        // This may be a problem for other provider!
-        [HttpGet("[controller]/{resourceId}/{path}")]
+        [HttpGet("[controller]/{resourceId}/{*path}")]
        [DisableRequestSizeLimit]
        public async Task<IActionResult> GetFile(string resourceId, string path)
        {
-            var user = _authenticator.GetUser();
+            path = $"/{path}";
+            if (path.Contains("%2F") || path.Contains("%2f"))
+            {
+                return BadRequest("Path can not contain the sequence %2F.");
+            }

-            path = HttpUtility.UrlDecode(path);
+            var user = _authenticator.GetUser();

            var check = CheckResourceIdAndPath(resourceId, path, out Resource resource);
            if (check != null)
@@ -201,13 +205,17 @@ namespace Coscine.Api.Blob.Controllers
        // inferring a ../ (urlencoded) can manipulate the url.
        // However the constructed signature for s3 won't match and it will not be resolved.
        // This may be a problem for other provider!
-        [HttpPut("[controller]/{resourceId}/{path}")]
+        [HttpPut("[controller]/{resourceId}/{*path}")]
        [DisableRequestSizeLimit]
        public async Task<IActionResult> UploadFile(string resourceId, string path)
        {
-            var user = _authenticator.GetUser();
+            path = $"/{path}";
+            if (path.Contains("%2F") || path.Contains("%2f"))
+            {
+                return BadRequest("Path can not contain the sequence %2F.");
+            }

-            path = HttpUtility.UrlDecode(path);
+            var user = _authenticator.GetUser();

            var check = CheckResourceIdAndPath(resourceId, path, out Resource resource);
            if (check != null)
@@ -229,7 +237,7 @@ namespace Coscine.Api.Blob.Controllers
            else
            {
                var provider = GetResourceTypeName(resource);
-                var infos = await _waterbutlerInterface.GetObjectInfoAsync("/" + path, provider, authHeader);
+                var infos = await _waterbutlerInterface.GetObjectInfoAsync(path, provider, authHeader);

                // Not found, upload new
                if (infos == null)
@@ -277,12 +285,16 @@ namespace Coscine.Api.Blob.Controllers
            }
        }

-        [HttpDelete("[controller]/{resourceId}/{path}")]
+        [HttpDelete("[controller]/{resourceId}/{*path}")]
        public async Task<IActionResult> DeleteFile(string resourceId, string path)
        {
-            var user = _authenticator.GetUser();
+            path = $"/{path}";
+            if (path.Contains("%2F") || path.Contains("%2f"))
+            {
+                return BadRequest("Path can not contain the sequence %2F.");
+            }

-            path = HttpUtility.UrlDecode(path);
+            var user = _authenticator.GetUser();

            var check = CheckResourceIdAndPath(resourceId, path, out Resource resource);
            if (check != null)

--- a/src/Blob/packages.config
+++ b/src/Blob/packages.config
@@ -3,7 +3,7 @@
  <package id="AWSSDK.Core" version="3.3.107.8" targetFramework="net461" />
  <package id="AWSSDK.S3" version="3.3.111.9" targetFramework="net461" />
  <package id="Consul" version="0.7.2.6" targetFramework="net461" />
-  <package id="Coscine.Api.WaterbutlerHelper" version="1.1.0" targetFramework="net461" />
+  <package id="Coscine.Api.WaterbutlerHelper" version="1.1.1" targetFramework="net461" />
  <package id="Coscine.ApiCommons" version="1.9.0" targetFramework="net461" />
  <package id="Coscine.Configuration" version="1.5.0" targetFramework="net461" />
  <package id="Coscine.Database" version="1.22.2" targetFramework="net461" />