Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: P4ADEV-1496 send-email-activity #23

Closed
wants to merge 19 commits into from
Closed

feat: P4ADEV-1496 send-email-activity #23

wants to merge 19 commits into from

Conversation

silvanotamburini
Copy link
Collaborator

Description

List of Changes

Activity to send mail

Motivation and Context

Implementation of activites

How Has This Been Tested?

  • Pre-Deploy Test
    • Unit
    • Integration (Narrow)
  • Post-Deploy Test
    • Isolated Microservice
    • Broader Integration
    • Acceptance
    • Performance & Load

Types of changes

  • PATCH - Bug fix (backwards compatible bug fixes)
  • MINOR - New feature (add functionality in a backwards compatible manner)
  • MAJOR - Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.

macacia and others added 11 commits November 26, 2024 11:16
@macacia
P4ADEV-1545 FdRIngestionActity added interface implementation and its…
615f97d 
… Service/DAO/DTO
@macacia
P4ADEV-1545 FdRIngestionActity naming refactoring
9e0ada7
@silvanotamburini
send email for ingestion
bd02bd7
@silvanotamburini
fix problems
9029b33
@silvanotamburini
delete unused class
e21479f
@silvanotamburini
refactoring mail to send classes
264df5d
@silvanotamburini
refactoring tests
0d33566
@silvanotamburini
refactoring tests
457a180
@macacia
P4ADEV-1545 FdRIngestionActity added service and test
9f58e1f
@silvanotamburini
Merge branch 'P4ADEV-1545-FdRIngestionActity-implementation-retrieval…
4a378f8 
…-via-query-file-validation' into P4ADEV-1496-send-email-activity

# Conflicts:
#	src/main/java/it/gov/pagopa/payhub/activities/activity/paymentsreporting/SendEmailIngestionFlowActivityImpl.java
#	src/main/java/it/gov/pagopa/payhub/activities/activity/paymentsreporting/service/AsyncSendMailService.java
@silvanotamburini
refactoring classes
05cde12
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 27, 2024
View reviewed changes
src/main/java/it/gov/pagopa/payhub/activities/util/FileUtils.java
if (entry.isDirectory()) {
throw new InvalidIngestionFileException("ZIP file contains directories, but only files are expected");
}
String checkedFilename = SecureFileUtils.checkFileName(entry.getName());

Check failure

Code scanning / CodeQL

Arbitrary file access during archive extraction ("Zip Slip") High

Unsanitized archive entry, which may contain '..', is used in a
file system operation
Loading
.
Unsanitized archive entry, which may contain '..', is used in a
file system operation
Loading
.

Copilot Autofix AI 29 days ago

To fix the problem, we need to ensure that the output paths constructed from zip archive entries are validated to prevent writing files to unexpected locations. This can be achieved by verifying that the normalized full path of the output file starts with a prefix that matches the destination directory.

  1. Normalize the entryPath using toRealPath() or normalize().
  2. Check if the normalized entryPath starts with the outputDir.
  3. Throw an exception if the check fails.
Suggested changeset 1
src/main/java/it/gov/pagopa/payhub/activities/util/FileUtils.java

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/main/java/it/gov/pagopa/payhub/activities/util/FileUtils.java b/src/main/java/it/gov/pagopa/payhub/activities/util/FileUtils.java
--- a/src/main/java/it/gov/pagopa/payhub/activities/util/FileUtils.java
+++ b/src/main/java/it/gov/pagopa/payhub/activities/util/FileUtils.java
@@ -35,3 +35,6 @@
 				String checkedFilename = SecureFileUtils.checkFileName(entry.getName());
-				Path entryPath = outputDir.resolve(checkedFilename);
+				Path entryPath = outputDir.resolve(checkedFilename).normalize();
+				if (!entryPath.startsWith(outputDir)) {
+					throw new InvalidIngestionFileException("Invalid zip entry: " + entry.getName());
+				}
 				Files.createDirectories(entryPath.getParent());
EOF
@@ -35,3 +35,6 @@
String checkedFilename = SecureFileUtils.checkFileName(entry.getName());
Path entryPath = outputDir.resolve(checkedFilename);
Path entryPath = outputDir.resolve(checkedFilename).normalize();
if (!entryPath.startsWith(outputDir)) {
throw new InvalidIngestionFileException("Invalid zip entry: " + entry.getName());
}
Files.createDirectories(entryPath.getParent());
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Failed Quality Gate failed

Failed conditions
3 Security Hotspots
51.3% Coverage on New Code (required ≥ 80%)
E Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

@silvanotamburini silvanotamburini deleted the P4ADEV-1496-send-email-activity branch November 28, 2024 07:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@LarissaASLeite LarissaASLeite Awaiting requested review from LarissaASLeite LarissaASLeite is a code owner

@antocalo antocalo Awaiting requested review from antocalo antocalo is a code owner

@Benedetta-fabbri Benedetta-fabbri Awaiting requested review from Benedetta-fabbri Benedetta-fabbri is a code owner

@RiccardoGiuliani RiccardoGiuliani Awaiting requested review from RiccardoGiuliani RiccardoGiuliani is a code owner

@ElisKina-dev ElisKina-dev Awaiting requested review from ElisKina-dev ElisKina-dev is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@silvanotamburini @macacia