Fix code QL security issues (#1231)

* Fix code QL security issues:

- Added a timeout to the Regex constructor to prevent potential Regular Expression Denial of Service (ReDoS).
- Sanitized the user-provided filename in GetBinary.
- Improved debug logging in GXMetadata.cs by logging class names instead of constructor arguments, and removed ConstructorArgsString to prevent unsanitized user input from being written to log files.

* Add directory traversal checks for ZIP extraction

---------

Co-authored-by: claudiamurialdo <[email protected]>

Author: claudiamurialdo

dotnet/src/dotnetcore/GxClasses.Web/Middleware/GXRouting.cs

@@ -41,8 +41,9 @@ internal class GXRouting : IGXRouting
 		public static bool AzureRuntime;
 		public AzureDeployFeature AzureDeploy = new AzureDeployFeature();
 		public static string AzureFunctionName;
+		const int REGEX_DEFAULT_MATCH_TIMEOUT_SECONDS= 10;
 
-		static Regex SDSVC_PATTERN = new Regex("([^/]+/)*(sdsvc_[^/]+/[^/]+)(\\?.*)*");
+		static Regex SDSVC_PATTERN = new Regex("([^/]+/)*(sdsvc_[^/]+/[^/]+)(\\?.*)*", RegexOptions.None, TimeSpan.FromSeconds(REGEX_DEFAULT_MATCH_TIMEOUT_SECONDS));
 
 		internal const string PRIVATE_DIR = "private";
 		public Dictionary<string, string> servicesPathUrl = new Dictionary<string, string>();

dotnet/src/dotnetframework/GxClasses/Data/GXDataCommon.cs

@@ -947,7 +947,7 @@ protected static byte[] GetBinary(string fileNameParm, bool dbBlob)
 				}
 				else
 				{
-					GXLogging.Error(log, "Not a valid URI: ", fileName);
+					GXLogging.WarnSanitized(log, "Not a valid URI: ", fileName);
 					throw new GxADODataException("GxCommand. Not a valid uri:  " + fileName);
 				}
 				return binary;

dotnet/src/dotnetframework/GxClasses/Helpers/GXMetadata.cs

@@ -226,19 +226,9 @@ static public object FindInstance(string defaultAssemblyName, string clss, Objec
 		static public object FindInstance(string defaultAssemblyName, string nspace, string clss, Object[] constructorArgs, Assembly defaultAssembly, bool ignoreCase=false)
 		{
 			Type objType = FindType( defaultAssemblyName, nspace, clss, defaultAssembly, ignoreCase);
-			GXLogging.Debug(log, "CreateInstance, Args ", ConstructorArgsString(constructorArgs));
+			GXLogging.Debug(log, "CreateInstance class:", clss);
 			return Activator.CreateInstance(objType, constructorArgs);
 		}
-		internal static string ConstructorArgsString(Object[] constructorArgs)
-		{
-			string argsConstr = "";
-			for (int i = 0; constructorArgs != null && i < constructorArgs.Length; i++)
-			{
-				argsConstr += "'" + constructorArgs[i] + "' ";
-			}
-			return argsConstr;
-		}
-
 		static public void ExecuteVoidRef(object o, string mthd, Object[] args)
 		{
 			try

dotnet/src/dotnetframework/GxCompress/GXCompressor.cs

@@ -603,6 +603,14 @@ private static void DecompressZip(FileInfo file, string outputPath)
 				foreach (var entry in archive.Entries)
 				{
 					string fullPath = Path.Combine(outputPath, entry.FullName);
+					string destFileName = Path.GetFullPath(fullPath);
+					string fullDestDirPath = Path.GetFullPath(outputPath + Path.DirectorySeparatorChar);
+					if (!destFileName.StartsWith(fullDestDirPath))
+					{
+						throw new InvalidOperationException("Entry is outside the target dir: " + destFileName);
+					}
+
+
 					if (string.IsNullOrEmpty(entry.Name))
 					{
 						Directory.CreateDirectory(fullPath);
@@ -742,6 +750,14 @@ private static void DecompressJar(FileInfo file, string outputPath)
 				foreach (var entry in archive.Entries)
 				{
 					string destinationPath = Path.Combine(outputPath, entry.FullName);
+					string destFileName = Path.GetFullPath(destinationPath);
+					string fullDestDirPath = Path.GetFullPath(outputPath + Path.DirectorySeparatorChar);
+					if (!destFileName.StartsWith(fullDestDirPath))
+					{
+						throw new InvalidOperationException("Entry is outside the target dir: " + destFileName);
+					}
+
+
 					if (string.IsNullOrEmpty(entry.Name))
 					{
 						Directory.CreateDirectory(destinationPath);