Merge pull request #200 from tencentyun/dev/update_demo

check get obj path & fix xxe

Author: Dzkol

pom.xml

@@ -4,7 +4,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.qcloud</groupId>
     <artifactId>cos_api</artifactId>
-    <version>5.6.211</version>
+    <version>5.6.212</version>
     <packaging>jar</packaging>
     <name>cos-java-sdk</name>
     <description>java sdk for qcloud cos</description>

src/main/java/com/qcloud/cos/COSClient.java

@@ -1070,6 +1070,11 @@ public COSObject getObject(GetObjectRequest getObjectRequest)
         rejectNull(clientConfig.getRegion(),
                 "region is null, region in clientConfig must be specified when requesting an object");
 
+        if (clientConfig.isCheckRequestPath()) {
+            if (StringUtils.isRequestPathInvalid(getObjectRequest.getKey())) {
+                throw new IllegalArgumentException("The key you specified is invalid");
+            }
+        }
 
         CosHttpRequest<GetObjectRequest> request = createRequest(getObjectRequest.getBucketName(),
                 getObjectRequest.getKey(), getObjectRequest, HttpMethodName.GET);

src/main/java/com/qcloud/cos/ClientConfig.java

@@ -111,6 +111,12 @@ public class ClientConfig {
 
     private boolean isPrintShutdownStackTrace = true;
 
+    private boolean isCheckRequestPath = true;
+
+    private int timeout_client_thread_size = 0;
+
+    private int error_log_status_code_thresh = 500;
+
     // 不传入region 用于后续调用List Buckets(获取所有的bucket信息)
     public ClientConfig() {
         super();
@@ -379,4 +385,28 @@ public boolean isPrintShutdownStackTrace() {
     public void setPrintShutdownStackTrace(boolean printShutdownStackTrace) {
         isPrintShutdownStackTrace = printShutdownStackTrace;
     }
+
+    public void setCheckRequestPath(boolean isCheck) {
+        isCheckRequestPath = isCheck;
+    }
+
+    public boolean isCheckRequestPath() {
+        return isCheckRequestPath;
+    }
+
+    public int getTimeoutClientThreadSize() {
+        return timeout_client_thread_size;
+    }
+
+    public void setTimeoutClientThreadSize(int pool_size) {
+        timeout_client_thread_size = pool_size;
+    }
+
+    public void setErrorLogStatusCodeThresh(int status_code) {
+        error_log_status_code_thresh = status_code;
+    }
+
+    public int getErrorLogStatusCodeThresh() {
+        return error_log_status_code_thresh;
+    }
 }

src/main/java/com/qcloud/cos/http/DefaultCosHttpClient.java

@@ -517,7 +517,11 @@ public <X, Y extends CosServiceRequest> X exeute(CosHttpRequest<Y> request,
                         retryIndex, maxErrorRetry);
                 request.addLogDetails(new ExceptionLogDetail(cse, errorMsg));
                 if (!shouldRetry(request, httpResponse, cse, retryIndex, retryPolicy)) {
-                    if (cse.getStatusCode() >= 400) {
+                    int status_code_thresh = clientConfig.getErrorLogStatusCodeThresh();
+                    if (status_code_thresh < 0) {
+                        status_code_thresh = 500;
+                    }
+                    if (cse.getStatusCode() >= status_code_thresh) {
                         handleLog(request);
                     }
                     throw cse;

src/main/java/com/qcloud/cos/http/TimeOutCosHttpClient.java

@@ -19,7 +19,11 @@ public class TimeOutCosHttpClient  extends DefaultCosHttpClient{
 
     public TimeOutCosHttpClient(ClientConfig clientConfig) {
         super(clientConfig);
-        threadPool =  Executors.newFixedThreadPool(Runtime.getRuntime().availableProcessors() * 5);
+        int pool_size = clientConfig.getTimeoutClientThreadSize();
+        if (pool_size <= 0) {
+            pool_size = Runtime.getRuntime().availableProcessors() * 5;
+        }
+        threadPool =  Executors.newFixedThreadPool(pool_size);
     }
 
     @Override

src/main/java/com/qcloud/cos/internal/CosErrorResponseHandler.java

@@ -46,7 +46,15 @@ public class CosErrorResponseHandler implements HttpResponseHandler<CosServiceEx
     private static final Logger log = LoggerFactory.getLogger(CosErrorResponseHandler.class);
 
     /** Shared factory for creating XML event readers */
-    private static final XMLInputFactory xmlInputFactory = XMLInputFactory.newInstance();
+    private static final XMLInputFactory xmlInputFactory = createXMLInputFactory();
+
+    private static XMLInputFactory createXMLInputFactory() {
+        XMLInputFactory inputFactory = XMLInputFactory.newInstance();
+        inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+        inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+
+        return inputFactory;
+    }
 
     private static enum COSErrorTags {
         Error, Code, Message, Resource, RequestId, TraceId;

src/main/java/com/qcloud/cos/internal/XmlResponsesSaxParser.java

@@ -237,6 +237,10 @@ public XmlResponsesSaxParser() throws CosClientException {
         // Ensure we can load the XML Reader.
         try {
             xr = XMLReaderFactory.createXMLReader();
+            xr.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            xr.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+            xr.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            xr.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
         } catch (SAXException e) {
             throw new CosClientException("Couldn't initialize a SAX driver to create an XMLReader",
                     e);

src/main/java/com/qcloud/cos/utils/StringUtils.java

@@ -20,10 +20,12 @@
 
 import java.math.BigDecimal;
 import java.math.BigInteger;
-import java.nio.ByteBuffer;
 import java.nio.charset.Charset;
+import java.util.ArrayDeque;
 import java.util.Date;
+import java.util.Deque;
 import java.util.List;
+import java.util.Objects;
 
 /**
  * Utilities for converting objects to strings.
@@ -223,4 +225,31 @@ public static String join(List<String> strings) {
     public static boolean beginsWithIgnoreCase(final String data, final String seq) {
         return data.regionMatches(true, 0, seq, 0, seq.length());
     }
+
+    public static boolean isRequestPathInvalid(String path) {
+        String[] pathElements = path.split("/");
+        Deque<String> stack = new ArrayDeque<>();
+
+        for (String pathElement : pathElements) {
+            if (Objects.equals(pathElement, "..")) {
+                if (!stack.isEmpty()) {
+                    stack.pollLast();
+                }
+            } else if (pathElement.length() > 0 && !Objects.equals(pathElement, ".")) {
+                stack.offerLast(pathElement);
+            }
+        }
+
+        StringBuffer simplifyPath = new StringBuffer();
+        if (stack.isEmpty()) {
+            simplifyPath.append('/');
+        } else {
+            while (!stack.isEmpty()) {
+                simplifyPath.append('/');
+                simplifyPath.append(stack.pollFirst());
+            }
+        }
+
+        return Objects.equals(simplifyPath.toString(), "/");
+    }
 }