Implement file storage plugin

Signed-off-by: nscuro <nscuro@protonmail.com>

Author: nscuro

src/main/java/org/dependencytrack/storage/LocalFileStorage.java

@@ -32,7 +32,6 @@
 import java.net.URISyntaxException;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import java.nio.file.Paths;
 import java.util.Arrays;
 import java.util.HexFormat;
 
@@ -142,16 +141,9 @@ public boolean delete(final FileMetadata fileMetadata) throws IOException {
     }
 
     private Path resolveFilePath(final String filePath) {
-        Path resolvedFilePath = Paths.get(filePath).normalize();
-        if (resolvedFilePath.isAbsolute()) {
-            // Ensure that paths are relative such that they can be resolved
-            // using the configured base directory: /foo/bar -> foo/bar
-            resolvedFilePath = resolvedFilePath.subpath(0, resolvedFilePath.getNameCount());
-        }
-
-        resolvedFilePath = baseDirPath.resolve(resolvedFilePath).normalize().toAbsolutePath();
+        final Path resolvedFilePath = baseDirPath.resolve(filePath).normalize().toAbsolutePath();
         if (!resolvedFilePath.startsWith(baseDirPath)) {
-            throw new IllegalStateException("""
+            throw new IllegalArgumentException("""
                     The provided filePath %s does not resolve to a path within the \
                     configured base directory (%s)""".formatted(filePath, baseDirPath));
         }
@@ -170,12 +162,14 @@ Path resolveFilePath(final FileMetadata fileMetadata) {
             throw new IllegalArgumentException(
                     "%s: Host portion is not allowed for scheme %s".formatted(locationUri, EXTENSION_NAME));
         }
-        if (locationUri.getPath() == null) {
+        if (locationUri.getPath() == null || locationUri.getPath().equals("/")) {
             throw new IllegalArgumentException(
                     "%s: Path portion not set; Unable to determine file name".formatted(locationUri));
         }
 
-        return resolveFilePath(locationUri.getPath());
+        // The value returned by URI#getPath always has a leading slash.
+        // Remove it to prevent the path from erroneously be interpreted as absolute.
+        return resolveFilePath(locationUri.getPath().replaceFirst("^/", ""));
     }
 
 }

src/main/java/org/dependencytrack/storage/MemoryFileStorage.java

@@ -26,7 +26,6 @@
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.nio.file.NoSuchFileException;
-import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.util.Arrays;
 import java.util.HexFormat;
@@ -113,12 +112,7 @@ public boolean delete(final FileMetadata fileMetadata) {
     }
 
     private static String normalizeFileName(final String fileName) {
-        Path filePath = Paths.get(fileName).normalize();
-        if (filePath.isAbsolute()) {
-            filePath = filePath.subpath(0, filePath.getNameCount());
-        }
-
-        return filePath.toString();
+        return Paths.get(fileName).normalize().toString();
     }
 
     private static String resolveFileName(final FileMetadata fileMetadata) {
@@ -136,7 +130,9 @@ private static String resolveFileName(final FileMetadata fileMetadata) {
                     "%s: Path portion not set; Unable to determine file name".formatted(locationUri));
         }
 
-        return normalizeFileName(locationUri.getPath());
+        // The value returned by URI#getPath always has a leading slash.
+        // Remove it to prevent the path from erroneously be interpreted as absolute.
+        return normalizeFileName(locationUri.getPath().replaceFirst("^/", ""));
     }
 
 }

src/main/java/org/dependencytrack/storage/S3FileStorage.java

@@ -18,6 +18,7 @@
  */
 package org.dependencytrack.storage;
 
+import com.github.luben.zstd.Zstd;
 import io.minio.GetObjectArgs;
 import io.minio.GetObjectResponse;
 import io.minio.MinioClient;
@@ -51,10 +52,18 @@ final class S3FileStorage implements FileStorage {
 
     private final MinioClient s3Client;
     private final String bucketName;
-
-    S3FileStorage(final MinioClient s3Client, final String bucketName) {
+    private final int compressionThresholdBytes;
+    private final int compressionLevel;
+
+    S3FileStorage(
+            final MinioClient s3Client,
+            final String bucketName,
+            final int compressionThresholdBytes,
+            final int compressionLevel) {
         this.s3Client = s3Client;
         this.bucketName = bucketName;
+        this.compressionThresholdBytes = compressionThresholdBytes;
+        this.compressionLevel = compressionLevel;
     }
 
     private record S3FileLocation(String bucket, String object) {
@@ -74,7 +83,9 @@ private static S3FileLocation from(final FileMetadata fileMetadata) {
                         "Path portion of URI %s not set; Unable to determine object name".formatted(locationUri));
             }
 
-            return new S3FileLocation(locationUri.getHost(), locationUri.getPath());
+            // The value returned by URI#getPath always has a leading slash.
+            // Remove it to prevent the path from erroneously be interpreted as absolute.
+            return new S3FileLocation(locationUri.getHost(), locationUri.getPath().replaceFirst("^/", ""));
         }
 
         private URI asURI() {
@@ -99,13 +110,17 @@ public FileMetadata store(final String fileName, final byte[] content) throws IO
         final var fileLocation = new S3FileLocation(bucketName, fileName);
         final URI locationUri = fileLocation.asURI();
 
-        final byte[] contentDigest = DigestUtils.sha256(content);
+        final byte[] maybeCompressedContent = content.length >= compressionThresholdBytes
+                ? Zstd.compress(content, compressionLevel)
+                : content;
+
+        final byte[] contentDigest = DigestUtils.sha256(maybeCompressedContent);
 
         try {
             s3Client.putObject(PutObjectArgs.builder()
                     .bucket(fileLocation.bucket())
                     .object(fileLocation.object())
-                    .stream(new ByteArrayInputStream(content), content.length, -1)
+                    .stream(new ByteArrayInputStream(maybeCompressedContent), maybeCompressedContent.length, -1)
                     .build());
         } catch (Exception e) {
             if (e instanceof final IOException ioe) {
@@ -132,14 +147,14 @@ public byte[] get(final FileMetadata fileMetadata) throws IOException {
             throw new IllegalArgumentException("File metadata does not contain " + METADATA_KEY_SHA256_DIGEST);
         }
 
-        final byte[] fileContent;
+        final byte[] maybeCompressedContent;
         try {
             try (final GetObjectResponse response = s3Client.getObject(
                     GetObjectArgs.builder()
                             .bucket(fileLocation.bucket())
                             .object(fileLocation.object())
                             .build())) {
-                fileContent = response.readAllBytes();
+                maybeCompressedContent = response.readAllBytes();
             }
         } catch (ErrorResponseException e) {
             // https://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html#ErrorCodeList
@@ -156,15 +171,20 @@ public byte[] get(final FileMetadata fileMetadata) throws IOException {
             throw new IOException(e);
         }
 
-        final byte[] actualContentDigest = DigestUtils.sha256(fileContent);
+        final byte[] actualContentDigest = DigestUtils.sha256(maybeCompressedContent);
         final byte[] expectedContentDigest = HexFormat.of().parseHex(expectedContentDigestHex);
 
         if (!Arrays.equals(actualContentDigest, expectedContentDigest)) {
             throw new IOException("SHA256 digest mismatch: actual=%s, expected=%s".formatted(
                     HexFormat.of().formatHex(actualContentDigest), expectedContentDigestHex));
         }
 
-        return fileContent;
+        final long decompressedSize = Zstd.decompressedSize(maybeCompressedContent);
+        if (Zstd.decompressedSize(maybeCompressedContent) <= 0) {
+            return maybeCompressedContent; // Not compressed.
+        }
+
+        return Zstd.decompress(maybeCompressedContent, Math.toIntExact(decompressedSize));
     }
 
     @Override

src/main/java/org/dependencytrack/storage/S3FileStorageFactory.java

@@ -18,6 +18,7 @@
  */
 package org.dependencytrack.storage;
 
+import alpine.Config;
 import io.minio.BucketExistsArgs;
 import io.minio.MinioClient;
 import org.dependencytrack.plugin.api.ConfigDefinition;
@@ -61,9 +62,21 @@ public final class S3FileStorageFactory implements ExtensionFactory<FileStorage>
             ConfigSource.DEPLOYMENT,
             /* isRequired */ false,
             /* isSecret */ false);
+    static final ConfigDefinition CONFIG_COMPRESSION_THRESHOLD_BYTES = new ConfigDefinition(
+            "compression.threshold.bytes",
+            ConfigSource.DEPLOYMENT,
+            /* isRequired */ false,
+            /* isSecret */ false);
+    static final ConfigDefinition CONFIG_COMPRESSION_LEVEL = new ConfigDefinition(
+            "compression.level",
+            ConfigSource.DEPLOYMENT,
+            /* isRequired */ false,
+            /* isSecret */ false);
 
     private MinioClient s3Client;
     private String bucketName;
+    private int compressionThresholdBytes;
+    private int compressionLevel;
 
     @Override
     public String extensionName() {
@@ -95,13 +108,24 @@ public void init(final ConfigRegistry configRegistry) {
         optionalRegion.ifPresent(clientBuilder::region);
         s3Client = clientBuilder.build();
 
+        s3Client.setAppInfo(
+                Config.getInstance().getApplicationName(),
+                Config.getInstance().getApplicationVersion());
+
+        compressionThresholdBytes = configRegistry.getOptionalValue(CONFIG_COMPRESSION_THRESHOLD_BYTES)
+                .map(Integer::parseInt)
+                .orElse(1024);
+        compressionLevel = configRegistry.getOptionalValue(CONFIG_COMPRESSION_LEVEL)
+                .map(Integer::parseInt)
+                .orElse(5);
+
         LOGGER.debug("Verifying existence of bucket {}", bucketName);
         requireBucketExists(s3Client, bucketName);
     }
 
     @Override
     public FileStorage create() {
-        return new S3FileStorage(s3Client, bucketName);
+        return new S3FileStorage(s3Client, bucketName, compressionThresholdBytes, compressionLevel);
     }
 
     @Override

src/main/resources/application.properties

@@ -1602,4 +1602,22 @@ file.storage.extension.s3.enabled=false
 #
 # @category: Storage
 # @type:     string
-# file.storage.extension.s3.region=
+# file.storage.extension.s3.region=
+
+# Defines the size threshold for files after which they will be compressed.
+# Compression is performed using the zstd algorithm.
+# Has no effect unless file.storage.extension.s3.enabled is `true`.
+#
+# @category: Storage
+# @default:  1024
+# @type:     integer
+# file.storage.extension.s3.compression.threshold.bytes=
+
+# Defines the zstd compression level to use.
+# Has no effect unless file.storage.extension.s3.enabled is `true`.
+#
+# @category:     Storage
+# @default:      5
+# @type:         integer
+# @valid-values: [-7..22]
+# file.storage.extension.s3.compression.level=

src/test/java/org/dependencytrack/storage/LocalFileStorageTest.java

@@ -28,7 +28,6 @@
 import java.nio.file.Files;
 import java.nio.file.NoSuchFileException;
 import java.nio.file.Path;
-import java.util.Collections;
 import java.util.HexFormat;
 import java.util.Map;
 
@@ -70,15 +69,17 @@ public void shouldStoreGetAndDeleteFile() throws Exception {
 
         final FileStorage storage = storageFactory.create();
 
-        final FileMetadata fileMetadata = storage.store("foo", "bar".getBytes());
+        final FileMetadata fileMetadata = storage.store("foo/bar", "baz".getBytes());
         assertThat(fileMetadata).isNotNull();
-        assertThat(fileMetadata.getLocation()).isEqualTo("local:///foo");
+        assertThat(fileMetadata.getLocation()).isEqualTo("local:///foo/bar");
         assertThat(fileMetadata.getStorageMetadataMap()).containsExactly(
-                Map.entry("sha256_digest", "fcde2b2edba56bf408601fb721fe9b5c338d10ee429ea04fae5511b68fbf8fb9"));
+                Map.entry("sha256_digest", "baa5a0964d3320fbc0c6a922140453c8513ea24ab8fd0577034804a967248096"));
+
+        assertThat(tempDirPath.resolve("foo/bar")).exists();
 
         final byte[] fileContent = storage.get(fileMetadata);
         assertThat(fileContent).isNotNull();
-        assertThat(fileContent).asString().isEqualTo("bar");
+        assertThat(fileContent).asString().isEqualTo("baz");
 
         final boolean deleted = storage.delete(fileMetadata);
         assertThat(deleted).isTrue();
@@ -136,6 +137,22 @@ public void storeShouldOverwriteExistingFile() throws Exception {
         assertThat(storage.get(fileMetadataB)).asString().isEqualTo("qux");
     }
 
+    @Test
+    @SuppressWarnings("resource")
+    public void storeShouldThrowWhenFileNameAttemptsTraversal() {
+        final var storageFactory = new LocalFileStorageFactory();
+        storageFactory.init(new MockConfigRegistry(Map.of(
+                CONFIG_DIRECTORY.name(), tempDirPath.toAbsolutePath().toString())));
+
+        final FileStorage storage = storageFactory.create();
+
+        assertThatExceptionOfType(IllegalArgumentException.class)
+                .isThrownBy(() -> storage.store("foo/../../../bar", "bar".getBytes()))
+                .withMessage("""
+                        The provided filePath foo/../../../bar does not resolve to a path \
+                        within the configured base directory (%s)""", tempDirPath);
+    }
+
     @Test
     @SuppressWarnings("resource")
     public void storeShouldThrowWhenFileHasInvalidName() {
@@ -167,6 +184,26 @@ public void getShouldThrowWhenFileLocationHasInvalidScheme() {
                 .withMessage("foo:///bar: Unexpected scheme foo, expected local");
     }
 
+    @Test
+    @SuppressWarnings("resource")
+    public void getShouldThrowWhenFileNameAttemptsTraversal() {
+        final var storageFactory = new LocalFileStorageFactory();
+        storageFactory.init(new MockConfigRegistry(Map.of(
+                CONFIG_DIRECTORY.name(), tempDirPath.toAbsolutePath().toString())));
+
+        final FileStorage storage = storageFactory.create();
+
+        assertThatExceptionOfType(IllegalArgumentException.class)
+                .isThrownBy(() -> storage.get(
+                        FileMetadata.newBuilder()
+                                .setLocation("local:///foo/../../../bar")
+                                .putStorageMetadata("sha256_digest", "some-digest")
+                                .build()))
+                .withMessage("""
+                        The provided filePath foo/../../../bar does not resolve to a path \
+                        within the configured base directory (%s)""", tempDirPath);
+    }
+
     @Test
     @SuppressWarnings("resource")
     public void getShouldThrowWhenFileDoesNotExist() {

src/test/java/org/dependencytrack/storage/MemoryFileStorageTest.java

@@ -25,6 +25,7 @@
 import java.io.IOException;
 import java.nio.file.NoSuchFileException;
 import java.util.Collections;
+import java.util.Map;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
@@ -53,14 +54,15 @@ public void shouldStoreGetAndDeleteFile() throws Exception {
 
         final FileStorage storage = storageFactory.create();
 
-        final FileMetadata fileMetadata = storage.store("foo", "bar".getBytes());
+        final FileMetadata fileMetadata = storage.store("foo/bar", "baz".getBytes());
         assertThat(fileMetadata).isNotNull();
-        assertThat(fileMetadata.getLocation()).isEqualTo("memory:///foo");
-        assertThat(fileMetadata.getStorageMetadataMap()).isEmpty();
+        assertThat(fileMetadata.getLocation()).isEqualTo("memory:///foo/bar");
+        assertThat(fileMetadata.getStorageMetadataMap()).containsExactly(
+                Map.entry("sha256_digest", "baa5a0964d3320fbc0c6a922140453c8513ea24ab8fd0577034804a967248096"));
 
         final byte[] fileContent = storage.get(fileMetadata);
         assertThat(fileContent).isNotNull();
-        assertThat(fileContent).asString().isEqualTo("bar");
+        assertThat(fileContent).asString().isEqualTo("baz");
 
         final boolean deleted = storage.delete(fileMetadata);
         assertThat(deleted).isTrue();