Fix - Inserted device package fields limits #3808

Merged (2 commits), Jul 10, 2023

@Agnul97 Agnul97 commented Jul 6, 2023

This PR adds limits for some fields used in the device management packages service. In this way, a reasonable upper-bound is set in order to allow clients to set the needed fields and discourage a buffer overflow attack.

codecov bot commented Jul 6, 2023

Codecov Report

Merging #3808 (094595f) into develop (0b467de) will decrease coverage by 0.91%.
The diff coverage is 10.44%.

❗ Current head 094595f differs from pull request most recent head 2b737ad. Consider uploading reports for the commit 2b737ad to get more accurate results

@@              Coverage Diff              @@
##             develop    #3808      +/-   ##
=============================================
- Coverage      23.13%   22.22%   -0.91%     
+ Complexity        26        6      -20     
=============================================
  Files           1868     1876       +8     
  Lines          35322    35444     +122     
  Branches        2782     2783       +1     
=============================================
- Hits            8170     7879     -291     
- Misses         26841    27253     +412     
- Partials         311      312       +1     
Impacted Files Coverage Δ
...artemis/plugin/security/MetricsSecurityPlugin.java 0.00% <0.00%> (ø)
...a/broker/artemis/plugin/security/ServerPlugin.java 0.00% <0.00%> (ø)
...ua/broker/artemis/plugin/security/context/Acl.java 0.00% <0.00%> (ø)
...temis/plugin/security/context/SecurityContext.java 0.00% <0.00%> (ø)
...eclipse/kapua/client/security/MessageListener.java 0.00% <0.00%> (ø)
...e/kapua/client/security/MetricsClientSecurity.java 0.00% <0.00%> (ø)
...ipse/kapua/client/security/metric/LoginMetric.java 0.00% <0.00%> (ø)
...se/kapua/client/security/metric/PublishMetric.java 0.00% <0.00%> (ø)
.../kapua/client/security/metric/SubscribeMetric.java 0.00% <0.00%> (ø)
...est/errors/KapuaPasswordLengthExceptionMapper.java 0.00% <0.00%> (ø)
... and 35 more

... and 46 files with indirect coverage changes

@Coduz Coduz left a comment

Please make use of ArgumentValidator.lengthRange.
Move the checks on the service before AuthorizationService.checkPermission so we can validate any "bad request" before the Auth check and possibly save one auth check.

Actually, the packageDownloadRequest.getUri().toURL() check should also be before the auth check.
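
The ordering requested in the review above, as an added Java example that is not part of this PR or of Kapua's code: bounded field lengths and the URI-to-URL conversion are checked before the authorization call, so a malformed request never costs an auth check. The `lengthRange` method here is a local stand-in rather than Kapua's `ArgumentValidator`, and the limits, `DownloadRequest`, and `checkPermission` are hypothetical.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.util.concurrent.atomic.AtomicInteger;

public class ValidateBeforeAuth {
    // Constructed limits for illustration; the PR's actual bounds are not shown on this page.
    static final int NAME_MAX = 256, VERSION_MAX = 256;
    static final AtomicInteger authChecks = new AtomicInteger();

    // Hypothetical request type carrying the fields of a package download.
    record DownloadRequest(String name, String version, URI uri) {}

    // Local stand-in for a length-range validator (not Kapua's ArgumentValidator).
    static void lengthRange(String value, int min, int max, String field) {
        if (value == null || value.length() < min || value.length() > max) {
            throw new IllegalArgumentException(field + " length must be in [" + min + ", " + max + "]");
        }
    }

    // All "bad request" checks; none of them depends on who the caller is.
    static void validate(DownloadRequest r) {
        lengthRange(r.name(), 1, NAME_MAX, "name");
        lengthRange(r.version(), 1, VERSION_MAX, "version");
        try {
            r.uri().toURL(); // rejects relative URIs and unknown schemes
        } catch (MalformedURLException | IllegalArgumentException | NullPointerException e) {
            throw new IllegalArgumentException("uri is not a valid URL", e);
        }
    }

    // Hypothetical authorization call; counts invocations so the ordering is observable.
    static void checkPermission(String user) {
        authChecks.incrementAndGet();
        if (!"admin".equals(user)) throw new SecurityException("denied");
    }

    static String downloadExec(String user, DownloadRequest r) {
        validate(r);            // 1. reject malformed input first
        checkPermission(user);  // 2. only then spend an authorization check
        return "queued " + r.name() + " " + r.version();
    }

    public static void main(String[] args) {
        DownloadRequest ok = new DownloadRequest("heater", "1.0.300", URI.create("https://example.com/heater.dp"));
        DownloadRequest big = new DownloadRequest("x".repeat(10_000), "1.0", ok.uri());
        DownloadRequest rel = new DownloadRequest("heater", "1.0", URI.create("heater.dp"));
        System.out.println(downloadExec("admin", ok));
        for (DownloadRequest bad : new DownloadRequest[] {big, rel}) {
            try { downloadExec("admin", bad); }
            catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        }
        System.out.println("auth checks performed: " + authChecks.get());
    }
}
```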

@Coduz Coduz added the Bug label Jul 7, 2023
@Coduz Coduz merged commit c43eabb into eclipse-kapua:develop Jul 10, 2023