FINERACT-1872: Template request fix for 1.8.x

Author: vidakovic

fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/config/FineractProperties.java

@@ -19,6 +19,7 @@
 
 package org.apache.fineract.infrastructure.core.config;
 
+import java.util.List;
 import lombok.Getter;
 import lombok.Setter;
 import org.springframework.boot.context.properties.ConfigurationProperties;
@@ -36,6 +37,8 @@ public class FineractProperties {
 
     private FineractCorrelationProperties correlation;
 
+    private FineractTemplateProperties template;
+
     @Getter
     @Setter
     public static class FineractTenantProperties {
@@ -72,4 +75,12 @@ public static class FineractCorrelationProperties {
         private boolean enabled;
         private String headerName;
     }
+
+    @Getter
+    @Setter
+    public static class FineractTemplateProperties {
+
+        private boolean regexWhitelistEnabled;
+        private List<String> regexWhitelist;
+    }
 }

fineract-provider/src/main/java/org/apache/fineract/template/exception/TemplateForbiddenException.java

@@ -0,0 +1,28 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.fineract.template.exception;
+
+import org.apache.fineract.infrastructure.core.exception.AbstractPlatformException;
+
+public class TemplateForbiddenException extends AbstractPlatformException {
+
+    public TemplateForbiddenException(final String url) {
+        super("error.msg.template.url.forbidden", "Template with url " + url + " not allowed");
+    }
+}

fineract-provider/src/main/java/org/apache/fineract/template/service/TemplateMergeService.java

@@ -38,19 +38,24 @@
 import java.security.NoSuchAlgorithmException;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.fineract.infrastructure.core.config.FineractProperties;
 import org.apache.fineract.template.domain.Template;
 import org.apache.fineract.template.domain.TemplateFunctions;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+import org.apache.fineract.template.exception.TemplateForbiddenException;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Service;
 
+@Slf4j
+@RequiredArgsConstructor
 @Service
 public class TemplateMergeService {
 
-    private static final Logger LOG = LoggerFactory.getLogger(TemplateMergeService.class);
+    private final FineractProperties fineractProperties;
 
-    // private final FromJsonHelper fromApiJsonHelper;
     private Map<String, Object> scopes;
     private String authToken;
 
@@ -92,7 +97,7 @@ private Map<String, Object> getCompiledMapFromMappers(final Map<String, String>
                 try {
                     this.scopes.put(entry.getKey(), getMapFromUrl(url));
                 } catch (final IOException e) {
-                    LOG.error("getCompiledMapFromMappers() failed", e);
+                    log.error("getCompiledMapFromMappers() failed", e);
                 }
             }
         }
@@ -114,6 +119,26 @@ private Map<String, Object> getMapFromUrl(final String url) throws IOException {
     }
 
     private HttpURLConnection getConnection(final String url) {
+        if (fineractProperties.getTemplate() != null && fineractProperties.getTemplate().isRegexWhitelistEnabled()) {
+            boolean whitelisted = false;
+
+            if (fineractProperties.getTemplate().getRegexWhitelist() != null
+                    && !fineractProperties.getTemplate().getRegexWhitelist().isEmpty()) {
+                for (String urlPattern : fineractProperties.getTemplate().getRegexWhitelist()) {
+                    Pattern pattern = Pattern.compile(urlPattern);
+                    Matcher matcher = pattern.matcher(url);
+                    if (matcher.matches()) {
+                        whitelisted = true;
+                        break;
+                    }
+                }
+            }
+
+            if (!whitelisted) {
+                throw new TemplateForbiddenException(url);
+            }
+        }
+
         if (this.authToken == null) {
             final String name = SecurityContextHolder.getContext().getAuthentication().getName();
             final String password = SecurityContextHolder.getContext().getAuthentication().getCredentials().toString();
@@ -138,7 +163,7 @@ protected PasswordAuthentication getPasswordAuthentication() {
             connection.setDoInput(true);
 
         } catch (IOException | KeyManagementException | NoSuchAlgorithmException | KeyStoreException e) {
-            LOG.error("getConnection() failed, return null", e);
+            log.error("getConnection() failed, return null", e);
         }
 
         return connection;
@@ -158,13 +183,13 @@ private static String getStringFromInputStream(final InputStream is) {
             }
 
         } catch (final IOException e) {
-            LOG.error("getStringFromInputStream() failed", e);
+            log.error("getStringFromInputStream() failed", e);
         } finally {
             if (br != null) {
                 try {
                     br.close();
                 } catch (final IOException e) {
-                    LOG.error("Problem occurred in getStringFromInputStream function", e);
+                    log.error("Problem occurred in getStringFromInputStream function", e);
                 }
             }
         }

fineract-provider/src/main/resources/application.properties

@@ -48,6 +48,9 @@ fineract.content.regex-whitelist=${FINERACT_CONTENT_REGEX_WHITELIST:.*\\.pdf$,.*
 fineract.content.mime-whitelist-enabled=${FINERACT_CONTENT_MIME_WHITELIST_ENABLED:true}
 fineract.content.mime-whitelist=${FINERACT_CONTENT_MIME_WHITELIST:application/pdf,application/msword,application/vnd.openxmlformats-officedocument.wordprocessingml.document,application/vnd.ms-excel,application/vnd.openxmlformats-officedocument.spreadsheetml.sheet,image/jpeg,image/png}
 
+fineract.template.regex-whitelist-enabled=${FINERACT_TEMPLATE_REGEX_WHITELIST_ENABLED:true}
+fineract.template.regex-whitelist=${FINERACT_TEMPLATE_REGEX_WHITELIST:}
+
 # Logging pattern for the console
 logging.pattern.console=${CONSOLE_LOG_PATTERN:%clr(%d{yyyy-MM-dd HH:mm:ss.SSS}){faint} %clr(${LOG_LEVEL_PATTERN:-%5p}) %clr(${PID:- }){magenta} %clr(%replace([%X{correlationId}]){'\\[\\]', ''}) %clr(---){faint} %clr([%15.15t]){faint} %clr(%-40.40logger{39}){cyan} %clr(:){faint} %m%n${LOG_EXCEPTION_CONVERSION_WORD:%wEx}}
 

fineract-provider/src/test/java/org/apache/fineract/template/service/TemplateServiceStepDefinitions.java

@@ -34,11 +34,12 @@
 import org.apache.commons.io.IOUtils;
 import org.apache.fineract.template.domain.Template;
 import org.apache.fineract.template.domain.TemplateMapper;
+import org.springframework.beans.factory.annotation.Autowired;
 
 public class TemplateServiceStepDefinitions implements En {
 
-    private TemplateMergeService tms = new TemplateMergeService();
-
+    @Autowired
+    private TemplateMergeService tms;
     private String template;
 
     private Map<String, Object> data;