From a65a5ec9983817716c9f2c10bf972bc6690d7c94 Mon Sep 17 00:00:00 2001
From: tharikaGitHub
Date: Mon, 8 Jul 2024 11:01:57 +0530
Subject: [PATCH] Fix checking cannonical paths in files and remove unused code
---
 .../gateway/service/APIGatewayAdmin.java | 48 ++-----------------
 .../MicroGatewayArtifactGenerator.java | 5 ++
 2 files changed, 8 insertions(+), 45 deletions(-)
diff --git a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/service/APIGatewayAdmin.java b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/service/APIGatewayAdmin.java
index e9c66c45601b..83c59df1de7e 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/service/APIGatewayAdmin.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/service/APIGatewayAdmin.java
@@ -28,7 +28,6 @@
 import org.wso2.carbon.apimgt.api.gateway.CredentialDto;
 import org.wso2.carbon.apimgt.api.gateway.GatewayAPIDTO;
 import org.wso2.carbon.apimgt.api.gateway.GatewayContentDTO;
-import org.wso2.carbon.apimgt.gateway.internal.ServiceReferenceHolder;
 import org.wso2.carbon.apimgt.api.gateway.GatewayPolicyDTO;
 import org.wso2.carbon.apimgt.gateway.utils.EndpointAdminServiceProxy;
 import org.wso2.carbon.apimgt.gateway.utils.GatewayUtils;
@@ -45,8 +44,6 @@
 import org.wso2.carbon.utils.multitenancy.MultitenantConstants;
 import java.io.File;
-import java.io.FileOutputStream;
-import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
@@ -554,37 +551,7 @@ protected MediationSecurityAdminServiceProxy getMediationSecurityAdminServicePro
 * @throws AxisFault
 */
 public boolean deployPolicy(String content, String fileName) throws AxisFault {
-
- File file = new File(APIConstants.POLICY_FILE_FOLDER); //WSO2Carbon_Home/repository/deployment/server
- // /throttle-config
- //if directory doesn't exist, make onee
- if (!file.exists()) {
- file.mkdir();
- }
- File writeFile = new File(APIConstants.POLICY_FILE_LOCATION + fileName + APIConstants.XML_EXTENSION); //file
- // folder+/
- FileOutputStream fos = null;
- try {
- fos = new FileOutputStream(writeFile);
- //if file doesn't exit make one
- if (!writeFile.exists()) {
- writeFile.createNewFile();
- }
- byte[] contentInBytes = content.getBytes();
- fos.write(contentInBytes);
- fos.flush();
- return true;
- } catch (IOException e) {
- log.error("Error occurred writing to " + fileName + ":", e);
- } finally {
- try {
- if (fos != null) {
- fos.close();
- }
- } catch (IOException e) {
- log.error("Error occurred closing file output stream", e);
- }
- }
+ // Do nothing
 return false;
 }
@@ -594,17 +561,8 @@ public boolean deployPolicy(String content, String fileName) throws AxisFault {
 * @param fileNames file names to be deleted
 */
 public boolean undeployPolicy(String[] fileNames) {
-
- for (int i = 0; i < fileNames.length; i++) {
- File file = new File(APIConstants.POLICY_FILE_LOCATION + fileNames[i] + APIConstants.XML_EXTENSION);
- boolean deleted = file.delete();
- if (deleted) {
- log.info("File : " + fileNames[i] + " is deleted");
- } else {
- log.error("Error occurred in deleting file: " + fileNames[i]);
- }
- }
- return true;
+ // Do nothing
+ return false;
 }
 /**
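Review bot: `deployPolicy` and, in the following hunk, `undeployPolicy` remain public service operations but now fail silently: each body is just `// Do nothing` and `return false;`, with no log line, while the Javadoc kept above them (`@throws AxisFault`, `@param fileNames file names to be deleted`) still reads as if files are written and deleted. Dropping the code that built a filesystem path from the caller-supplied `fileName` removes that write/delete path, but a caller cannot tell "unsupported" from "failed", and `undeployPolicy` previously returned `true` unconditionally, so any caller that checks the result sees a behaviour change. I would mark both methods `@Deprecated`, reword their Javadoc to say the operation is a retained no-op, and add `log.warn("deployPolicy is no longer supported; request ignored");` (and the equivalent in `undeployPolicy`) so attempted use shows up in the gateway log. Whether anything still invokes these operations is not visible from the hunks.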
diff --git a/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/gatewayartifactsynchronizer/MicroGatewayArtifactGenerator.java b/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/gatewayartifactsynchronizer/MicroGatewayArtifactGenerator.java
index 59f7170bca41..1d1f8510d49f 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/gatewayartifactsynchronizer/MicroGatewayArtifactGenerator.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/gatewayartifactsynchronizer/MicroGatewayArtifactGenerator.java
@@ -80,6 +80,11 @@ public RuntimeArtifactDto generateGatewayArtifact(List ap
 apiRuntimeArtifactDto.getApiId().concat("-").concat(apiRuntimeArtifactDto.getRevision())
 .concat(APIConstants.ZIP_FILE_EXTENSION);
 Path path = Paths.get(tempDirectory.getAbsolutePath(), fileName);
+ File file = new File(path.toString());
+ String canonicalPath = file.getCanonicalPath();
+ if (!canonicalPath.startsWith(new File(tempDirectory.getAbsolutePath()).getCanonicalPath())) {
+ throw new IOException("File path is outside the root artifact directory");
+ }
 FileUtils.copyInputStreamToFile(artifact, path.toFile());
 ApiProjectDto apiProjectDto = deploymentsMap.get(fileName);
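Review bot: The containment test in the added lines compares canonical paths as plain strings, so `canonicalPath.startsWith(...)` also accepts a sibling directory whose name merely begins with the root's name (constructed example: root `/tmp/artifacts`, candidate `/tmp/artifacts-old/x.zip`). Comparing path elements avoids that: `Path root = tempDirectory.getCanonicalFile().toPath();` followed by `if (!path.toFile().getCanonicalFile().toPath().startsWith(root)) {`, assuming `tempDirectory` is a `java.io.File` as its `getAbsolutePath()` call suggests; this also drops the redundant `new File(tempDirectory.getAbsolutePath())` wrapper. `fileName` is assembled from `getApiId()` and `getRevision()`, and if those values can carry path separators (not visible here) it would be worth logging the rejected name before throwing so operators get a signal beyond the `IOException`. The enclosing `generateGatewayArtifact` starts and ends outside the hunk, so how the exception is handled cannot be checked from here.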