github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-23 17:41:28 +01:00
Code Issues Packages Projects Releases Wiki Activity

added check to see if the file is xml prior to unzipping it per issue #441

Browse Source
This commit is contained in:
Jeremy Long
2016-02-06 08:11:24 -05:00
parent 7b0784843c
commit 2190c0229c
2 changed files with 61 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java
View File

@@ -22,10 +22,12 @@ import java.io.FileInputStream;
import java.io.FileNotFoundException; import java.io.FileNotFoundException;
import java.io.FileOutputStream; import java.io.FileOutputStream;
import java.io.IOException; import java.io.IOException;
import java.io.InputStream;
import java.net.URL; import java.net.URL;
import java.util.concurrent.Callable; import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService; import java.util.concurrent.ExecutorService;
import java.util.concurrent.Future; import java.util.concurrent.Future;
import java.util.logging.Level;
import java.util.zip.GZIPInputStream; import java.util.zip.GZIPInputStream;
import org.apache.commons.io.FileUtils; import org.apache.commons.io.FileUtils;
import org.owasp.dependencycheck.data.nvdcve.CveDB; import org.owasp.dependencycheck.data.nvdcve.CveDB;
@@ -176,15 +178,15 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
LOGGER.debug("", ex); LOGGER.debug("", ex);
return null; return null;
} }
if (url1.toExternalForm().endsWith(".xml.gz")) { if (url1.toExternalForm().endsWith(".xml.gz") && !isXml(first)) {
extractGzip(first); extractGzip(first);
} }
if (url2.toExternalForm().endsWith(".xml.gz")) { if (url2.toExternalForm().endsWith(".xml.gz") && !isXml(second)) {
extractGzip(second); extractGzip(second);
} }
LOGGER.info("Download Complete for NVD CVE - {} ({} ms)", nvdCveInfo.getId(), LOGGER.info("Download Complete for NVD CVE - {} ({} ms)", nvdCveInfo.getId(),
System.currentTimeMillis() - startDownload); System.currentTimeMillis() - startDownload);
if (this.processorService == null) { if (this.processorService == null) {
return null; return null;
} }
@@ -226,6 +228,45 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
} }
} }
/**
* Checks the file header to see if it is an XML file.
*
* @param file the file to check
* @return true if the file is XML
*/
public static boolean isXml(File file) {
if (file == null || !file.isFile()) {
return false;
}
InputStream is = null;
try {
is = new FileInputStream(file);
byte[] buf = new byte[5];
int read = 0;
try {
read = is.read(buf);
} catch (IOException ex) {
return false;
}
return read == 5
&& buf[0] == '<'
&& (buf[1] == '?')
&& (buf[2] == 'x' || buf[2] == 'X')
&& (buf[3] == 'm' || buf[3] == 'M')
&& (buf[4] == 'l' || buf[4] == 'L');
} catch (FileNotFoundException ex) {
return false;
} finally {
if (is != null) {
try {
is.close();
} catch (IOException ex) {
}
}
}
}
/** /**
* Extracts the file contained in a gzip archive. The extracted file is placed in the exact same path as the file specified. * Extracts the file contained in a gzip archive. The extracted file is placed in the exact same path as the file specified.
* *

21
dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/DownloadTaskTest.java
View File

@@ -17,25 +17,26 @@
*/ */
package org.owasp.dependencycheck.data.update.nvd; package org.owasp.dependencycheck.data.update.nvd;
import org.owasp.dependencycheck.data.update.nvd.ProcessTask; import java.io.File;
import org.owasp.dependencycheck.data.update.nvd.DownloadTask;
import java.util.concurrent.ExecutorService; import java.util.concurrent.ExecutorService;
import java.util.concurrent.Future; import java.util.concurrent.Future;
import org.junit.After; import org.junit.After;
import org.junit.AfterClass; import org.junit.AfterClass;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNull; import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import org.junit.Before; import org.junit.Before;
import org.junit.BeforeClass; import org.junit.BeforeClass;
import org.junit.Test; import org.junit.Test;
import org.owasp.dependencycheck.BaseTest;
import org.owasp.dependencycheck.data.nvdcve.CveDB; import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.update.nvd.NvdCveInfo;
import org.owasp.dependencycheck.utils.Settings; import org.owasp.dependencycheck.utils.Settings;
/** /**
* *
* @author Jeremy Long * @author Jeremy Long
*/ */
public class DownloadTaskTest { public class DownloadTaskTest extends BaseTest {
public DownloadTaskTest() { public DownloadTaskTest() {
} }
@@ -74,4 +75,16 @@ public class DownloadTaskTest {
Future<ProcessTask> result = instance.call(); Future<ProcessTask> result = instance.call();
assertNull(result); assertNull(result);
} }
/**
* Test of isXml(file).
*/
@Test
public void testIsXML() {
File f = getResourceAsFile(this, "nvdcve-modified.xml");
assertTrue(DownloadTask.isXml(f));
f = getResourceAsFile(this, "file.tar.gz");
assertFalse(DownloadTask.isXml(f));
}
} }