From e2cd0a8eeb725edae0dc2cf3d019b8223f29eae8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Pfeuffer?=
Date: Thu, 25 Feb 2021 11:39:38 +0100
Subject: [PATCH] Check log permission before returning stream
---
 .../api/v2/resources/RepositoryImportResource.java | 3 ++-
 .../RepositoryImportLoggerFactory.java | 14 +++++++++++++-
 .../v2/resources/RepositoryImportResourceTest.java | 1 +
 3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/RepositoryImportResource.java b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/RepositoryImportResource.java
index bc394a5532..c0195c0a8b 100644
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/RepositoryImportResource.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/RepositoryImportResource.java
@@ -261,7 +261,8 @@ public class RepositoryImportResource {
 @GET
 @Path("log/{logId}")
 @Produces(MediaType.TEXT_PLAIN)
- public StreamingOutput getImportLog(@PathParam("logId") String logId) {
+ public StreamingOutput getImportLog(@PathParam("logId") String logId) throws IOException {
+ importLoggerFactory.checkCanReadLog(logId);
 return out -> importLoggerFactory.getLog(logId, out);
 }
diff --git a/scm-webapp/src/main/java/sonia/scm/importexport/RepositoryImportLoggerFactory.java b/scm-webapp/src/main/java/sonia/scm/importexport/RepositoryImportLoggerFactory.java
index 3f93132119..2113d3e868 100644
--- a/scm-webapp/src/main/java/sonia/scm/importexport/RepositoryImportLoggerFactory.java
+++ b/scm-webapp/src/main/java/sonia/scm/importexport/RepositoryImportLoggerFactory.java
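Review bot: The eager `importLoggerFactory.checkCanReadLog(logId)` call in `getImportLog` (RepositoryImportResource.java) has no comment explaining why it precedes a lambda that performs the same check again, so a later cleanup could drop it as redundant. In JAX-RS the `StreamingOutput` body runs only when the entity is written, which is after the resource method has returned, so a denial raised inside the lambda presumably can no longer be turned into a clean error status. I would add above the call: `// Check before returning: the StreamingOutput runs after the response has started, too late to report a denied or missing log as an error status.` The Javadoc should also say which exceptions signal a denied and a missing log; the hunk shows only `NotFoundException` for the latter.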
@@ -53,13 +53,25 @@ public class RepositoryImportLoggerFactory {
 return new RepositoryImportLogger(blobStoreFactory.withName("imports").build());
 }
+ public void checkCanReadLog(String logId) throws IOException {
+ try (InputStream blob = getBlob(logId)) {
+ // nothing to read
+ }
+ }
+
 public void getLog(String logId, OutputStream out) throws IOException {
+ try (InputStream log = getBlob(logId)) {
+ IOUtil.copy(log, out);
+ }
+ }
+
+ private InputStream getBlob(String logId) throws IOException {
 BlobStore importStore = blobStoreFactory.withName("imports").build();
 InputStream log = importStore
 .getOptional(logId).orElseThrow(() -> new NotFoundException("Log", logId))
 .getInputStream();
 checkPermission(log);
- IOUtil.copy(log, out);
+ return log;
 }
 private void checkPermission(InputStream log) throws IOException {
diff --git a/scm-webapp/src/test/java/sonia/scm/api/v2/resources/RepositoryImportResourceTest.java b/scm-webapp/src/test/java/sonia/scm/api/v2/resources/RepositoryImportResourceTest.java
index 56b5bb3144..6959738f1e 100644
--- a/scm-webapp/src/test/java/sonia/scm/api/v2/resources/RepositoryImportResourceTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/api/v2/resources/RepositoryImportResourceTest.java
@@ -289,6 +289,7 @@ public class RepositoryImportResourceTest extends RepositoryTestBase {
 assertThat(response.getStatus()).isEqualTo(SC_OK);
 assertThat(response.getContentAsString()).isEqualTo("some log");
+ verify(importLoggerFactory).checkCanReadLog("42");
 }
 private boolean streamHasContent(InputStream argument, String expectedContent) {
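Review bot: In `getBlob` (RepositoryImportLoggerFactory.java) the stream returned by `getInputStream()` is never closed when `checkPermission(log)` throws, because the try-with-resources blocks in `checkCanReadLog` and `getLog` only take ownership once `getBlob` has returned. That is exactly the rejected-request path, so every denied call may leave a blob handle open until it is garbage-collected; what that costs depends on the BlobStore implementation, which is not visible here. Closing the stream inside `getBlob` before rethrowing fixes it, and since the body of `checkPermission` lies outside the hunk the catch below covers both `IOException` and unchecked exceptions. Separately, `// nothing to read` would be clearer as a comment saying that opening the blob is what runs the permission check and that `getLog` repeats it when the stream is actually written.

```java
  private InputStream getBlob(String logId) throws IOException {
    // … unchanged: importStore lookup and getInputStream() …
    try {
      checkPermission(log);
    } catch (IOException | RuntimeException e) {
      // The callers' try-with-resources never sees this stream, so release it here.
      try {
        log.close();
      } catch (IOException closeFailure) {
        e.addSuppressed(closeFailure);
      }
      throw e;
    }
    return log;
  }
```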
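Review bot: The added `verify(importLoggerFactory).checkCanReadLog("42");` only proves the check is called on the success path; nothing here pins what the endpoint does when the check fails, which is the behaviour this commit exists for. A second test could stub the failure with `doThrow(new NotFoundException("Log", "42")).when(importLoggerFactory).checkCanReadLog("42");` and then assert `assertThat(response.getStatus()).isNotEqualTo(SC_OK);`, with a matching case for the exception `checkPermission` raises on denial (not visible in this diff). The test method starts above the hunk, so how the request is dispatched and how exceptions are mapped there would need checking.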