github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-14 15:53:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

added check to see if the file is xml prior to unzipping it per issue #441

Browse Source
This commit is contained in:
Jeremy Long
2016-02-06 08:11:24 -05:00
parent 7b0784843c
commit 2190c0229c
2 changed files with 61 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java
View File

@@ -22,10 +22,12 @@ import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Future;
import java.util.logging.Level;
import java.util.zip.GZIPInputStream;
import org.apache.commons.io.FileUtils;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
@@ -176,15 +178,15 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
LOGGER.debug("", ex);
return null;
}
if (url1.toExternalForm().endsWith(".xml.gz")) {
if (url1.toExternalForm().endsWith(".xml.gz") && !isXml(first)) {
extractGzip(first);
}
if (url2.toExternalForm().endsWith(".xml.gz")) {
if (url2.toExternalForm().endsWith(".xml.gz") && !isXml(second)) {
extractGzip(second);
}
LOGGER.info("Download Complete for NVD CVE - {} ({} ms)", nvdCveInfo.getId(),
System.currentTimeMillis() - startDownload);
System.currentTimeMillis() - startDownload);
if (this.processorService == null) {
return null;
}
@@ -226,6 +228,45 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
}
}
/**
* Checks the file header to see if it is an XML file.
*
* @param file the file to check
* @return true if the file is XML
*/
public static boolean isXml(File file) {
if (file == null || !file.isFile()) {
return false;
}
InputStream is = null;
try {
is = new FileInputStream(file);
byte[] buf = new byte[5];
int read = 0;
try {
read = is.read(buf);
} catch (IOException ex) {
return false;
}
return read == 5
&& buf[0] == '<'
&& (buf[1] == '?')
&& (buf[2] == 'x' || buf[2] == 'X')
&& (buf[3] == 'm' || buf[3] == 'M')
&& (buf[4] == 'l' || buf[4] == 'L');
} catch (FileNotFoundException ex) {
return false;
} finally {
if (is != null) {
try {
is.close();
} catch (IOException ex) {
}
}
}
}
/**
* Extracts the file contained in a gzip archive. The extracted file is placed in the exact same path as the file specified.
*

21
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/DownloadTaskTest.java
View File

@@ -17,25 +17,26 @@
*/
package org.owasp.dependencycheck.data.update.nvd;
import org.owasp.dependencycheck.data.update.nvd.ProcessTask;
import org.owasp.dependencycheck.data.update.nvd.DownloadTask;
import java.io.File;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Future;
import org.junit.After;
import org.junit.AfterClass;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.update.nvd.NvdCveInfo;
import org.owasp.dependencycheck.utils.Settings;
/**
*
* @author Jeremy Long
*/
public class DownloadTaskTest {
public class DownloadTaskTest extends BaseTest {
public DownloadTaskTest() {
}
@@ -74,4 +75,16 @@ public class DownloadTaskTest {
Future<ProcessTask> result = instance.call();
assertNull(result);
}
/**
* Test of isXml(file).
*/
@Test
public void testIsXML() {
File f = getResourceAsFile(this, "nvdcve-modified.xml");
assertTrue(DownloadTask.isXml(f));
f = getResourceAsFile(this, "file.tar.gz");
assertFalse(DownloadTask.isXml(f));
}
}