fix: validate urls are correctly generated (#6269)

jeremylong · Dec 10, 2023 · cb3bcb9 · cb3bcb9
1 parent 7b82df4
commit cb3bcb9
Show file tree

Hide file tree

Showing 2 changed files with 129 additions and 14 deletions.
diff --git a/core/src/main/java/org/owasp/dependencycheck/data/update/NvdApiDataSource.java b/core/src/main/java/org/owasp/dependencycheck/data/update/NvdApiDataSource.java
@@ -110,23 +110,30 @@ public boolean update(Engine engine) throws UpdateException {
         return processApi();
     }
 
+    protected UrlData extractUrlData(String nvdDataFeedUrl) {
+        String url;
+        String pattern = null;
+        if (nvdDataFeedUrl.endsWith(".json.gz")) {
+            final int lio = nvdDataFeedUrl.lastIndexOf("/");
+            pattern = nvdDataFeedUrl.substring(lio + 1);
+            url = nvdDataFeedUrl.substring(0, lio);
+        } else {
+            url = nvdDataFeedUrl;
+        }
+        if (!url.endsWith("/")) {
+            url += "/";
+        }
+        return new UrlData(url, pattern);
+    }
+
     private boolean processDatafeed(String nvdDataFeedUrl) throws UpdateException {
         boolean updatesMade = false;
         try {
             dbProperties = cveDb.getDatabaseProperties();
             if (checkUpdate()) {
-                String url;
-                String pattern = null;
-                if (nvdDataFeedUrl.endsWith(".json.gz")) {
-                    final int lio = nvdDataFeedUrl.lastIndexOf("/");
-                    pattern = nvdDataFeedUrl.substring(lio + 1);
-                    url = nvdDataFeedUrl.substring(0, lio);
-                } else {
-                    url = nvdDataFeedUrl;
-                }
-                if (!url.endsWith("/")) {
-                    url += "/";
-                }
+                final UrlData data = extractUrlData(nvdDataFeedUrl);
+                String url = data.getUrl();
+                String pattern = data.getPattern();
                 final Properties cacheProperties = getRemoteCacheProperties(url);
                 if (pattern == null) {
                     final String prefix = cacheProperties.getProperty("prefix", "nvdcve-");
@@ -265,14 +272,14 @@ private void processDownload(Future<Future<NvdApiProcessor>> future, final Set<F
     private boolean processApi() throws UpdateException {
         final ZonedDateTime lastChecked = dbProperties.getTimestamp(DatabaseProperties.NVD_API_LAST_CHECKED);
         final int validForHours = settings.getInt(Settings.KEYS.NVD_API_VALID_FOR_HOURS, 0);
-        if (cveDb.dataExists() && lastChecked != null && validForHours>0) {
+        if (cveDb.dataExists() && lastChecked != null && validForHours > 0) {
             // ms Valid = valid (hours) x 60 min/hour x 60 sec/min x 1000 ms/sec
             final long validForSeconds = validForHours * 60L * 60L;
             final ZonedDateTime now = ZonedDateTime.now(ZoneId.of("UTC"));
             final Duration duration = Duration.between(lastChecked, now);
             final long difference = duration.getSeconds();
             if (difference < validForSeconds) {
-                LOGGER.info("Skipping the NVD API Update as it was completed within the last {} minutes", validForSeconds/60);
+                LOGGER.info("Skipping the NVD API Update as it was completed within the last {} minutes", validForSeconds / 60);
                 return false;
             }
         }
@@ -560,4 +567,35 @@ protected final Properties getRemoteCacheProperties(String url) throws UpdateExc
             throw new UpdateException("Invalid NVD Cache Properties file contents", ex);
         }
     }
+
+    protected static class UrlData {
+
+        private final String url;
+
+        private final String pattern;
+
+        public UrlData(String url, String pattern) {
+            this.url = url;
+            this.pattern = pattern;
+        }
+
+        /**
+         * Get the value of pattern
+         *
+         * @return the value of pattern
+         */
+        public String getPattern() {
+            return pattern;
+        }
+
+        /**
+         * Get the value of url
+         *
+         * @return the value of url
+         */
+        public String getUrl() {
+            return url;
+        }
+
+    }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/update/NvdApiDataSourceTest.java b/core/src/test/java/org/owasp/dependencycheck/data/update/NvdApiDataSourceTest.java
@@ -0,0 +1,77 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2023 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.update;
+
+import java.time.ZonedDateTime;
+import java.util.Map;
+import java.util.Properties;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import static org.junit.Assert.*;
+import org.owasp.dependencycheck.Engine;
+
+/**
+ *
+ * @author Jeremy Long
+ */
+public class NvdApiDataSourceTest {
+
+    /**
+     * Test of extractUrlData method, of class NvdApiDataSource.
+     */
+    @Test
+    public void testExtractUrlData() {
+        String nvdDataFeedUrl = "https://internal.server/nist/nvdcve-{0}.json.gz";
+        NvdApiDataSource instance = new NvdApiDataSource();
+        String expectedUrl = "https://internal.server/nist/";
+        String expectedPattern = "nvdcve-{0}.json.gz";
+        NvdApiDataSource.UrlData result = instance.extractUrlData(nvdDataFeedUrl);
+
+        nvdDataFeedUrl = "https://internal.server/nist/";
+        expectedUrl = "https://internal.server/nist/";
+        result = instance.extractUrlData(nvdDataFeedUrl);
+
+        assertEquals(expectedUrl, result.getUrl());
+        assertNull(result.getPattern());
+
+        nvdDataFeedUrl = "https://internal.server/nist";
+        expectedUrl = "https://internal.server/nist/";
+        result = instance.extractUrlData(nvdDataFeedUrl);
+
+        assertEquals(expectedUrl, result.getUrl());
+        assertNull(result.getPattern());
+    }
+
+//    /**
+//     * Test of getRemoteCacheProperties method, of class NvdApiDataSource.
+//     */
+//    @Test
+//    public void testGetRemoteCacheProperties() throws Exception {
+//        System.out.println("getRemoteCacheProperties");
+//        String url = "";
+//        NvdApiDataSource instance = new NvdApiDataSource();
+//        Properties expResult = null;
+//        Properties result = instance.getRemoteCacheProperties(url);
+//        assertEquals(expResult, result);
+//        // TODO review the generated test code and remove the default call to fail.
+//        fail("The test case is a prototype.");
+//    }
+}