From a411571a8035814da3ff4ff81a0c0615e3186d25 Mon Sep 17 00:00:00 2001
From: sharath reddy
Date: Thu, 21 Apr 2022 09:53:35 +0530
Subject: Changed the code to not log user-controlled data.
Issue-ID: VNFSDK-834
Signed-off-by: sharath reddy
Change-Id: I18f52715a254500bf36d2b2b61d11ea63763d2db
---
 .../vnfsdk/marketplace/wrapper/PackageWrapper.java | 64 +++++++++++++++++-----
 1 file changed, 49 insertions(+), 15 deletions(-)
diff --git a/vnfmarket-be/vnf-sdk-marketplace/src/main/java/org/onap/vnfsdk/marketplace/wrapper/PackageWrapper.java b/vnfmarket-be/vnf-sdk-marketplace/src/main/java/org/onap/vnfsdk/marketplace/wrapper/PackageWrapper.java
index 1fc37427..8afc2593 100644
--- a/vnfmarket-be/vnf-sdk-marketplace/src/main/java/org/onap/vnfsdk/marketplace/wrapper/PackageWrapper.java
+++ b/vnfmarket-be/vnf-sdk-marketplace/src/main/java/org/onap/vnfsdk/marketplace/wrapper/PackageWrapper.java
@@ -21,9 +21,11 @@ import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
+import java.util.Objects;
 import java.util.concurrent.Callable;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
@@ -33,7 +35,6 @@ import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.Response.Status;
-import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.eclipse.jetty.http.HttpStatus;
 import org.glassfish.jersey.media.multipart.FormDataContentDisposition;
@@ -87,7 +88,7 @@ public class PackageWrapper {
 }
 public Response updateValidateStatus(InputStream inputStream) throws IOException {
- String reqParam = IOUtils.toString(inputStream);
+ String reqParam = new String(inputStream.readAllBytes(), StandardCharsets.UTF_8);
 LOG.info("updateValidateStatus request param:{}" , reqParam);
 if(StringUtils.isBlank(reqParam)) {
 LOG.error("The updateValidateStatus request params can't be null");
@@ -142,8 +143,11 @@ public class PackageWrapper {
 String type) {
 List dbresult = new ArrayList<>();
 List result = new ArrayList<>();
- LOG.info("query package info.name:{} provider:{} version{} deletionPending{} type:{}" , name , provider , version
- , deletionPending , type);
+ if (LOG.isInfoEnabled()) {
+ LOG.info("query package info.name:{} provider:{} version{} deletionPending{} type:{}" , loggerPatternBreaking(name) , loggerPatternBreaking(provider) , loggerPatternBreaking(version)
+ , loggerPatternBreaking(deletionPending) , loggerPatternBreaking(type));
+ }
+
 try {
 dbresult = PackageManager.getInstance().queryPackage(name, provider, version, deletionPending, type);
 result = PackageWrapperUtil.packageDataList2PackageMetaList(dbresult);
@@ -154,6 +158,11 @@ public class PackageWrapper {
 }
 }
+ private String loggerPatternBreaking(String loggerInput) {
+ return Objects.nonNull(loggerInput) ? loggerInput.replaceAll("[\n\r\t]", "_") : StringUtils.EMPTY;
+
+ }
+
 /**
 * query package by id.
 *
@@ -205,8 +214,11 @@ public class PackageWrapper {
 packageMeta.setDownloadUri(dowloadUri);
 String jsonPackageMeta = ToolUtil.objectToString(packageMeta);
- LOG.info("dest path is : {}" , path);
- LOG.info("packageMeta = {}" , jsonPackageMeta);
+ if (LOG.isInfoEnabled()) {
+ LOG.info("dest path is : {}" , loggerPatternBreaking(path));
+ LOG.info("packageMeta = {}" , loggerPatternBreaking(jsonPackageMeta));
+ }
+
 PackageData packageData = PackageWrapperUtil.getPackageData(packageMeta);
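Review bot: The new-side `LOG.info("updateValidateStatus request param:{}" , reqParam);` still writes the raw request body to the log, although the line directly above it is rewritten in this hunk and the commit's stated purpose is to stop logging user-controlled data; a body containing CR or LF can inject extra records into the log exactly like the values sanitized elsewhere in this change. Either route it through the same helper, `LOG.info("updateValidateStatus request param:{}" , loggerPatternBreaking(reqParam));`, or log only its length, since a full request body may also be large or carry fields that should not land in logs. Note too that `readAllBytes()` buffers the whole stream with no bound, as `IOUtils.toString` did before; if the body size is not capped upstream, a comment saying where it is capped would help the next reader. updateValidateStatus continues past the end of the hunk.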
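Review bot: `loggerPatternBreaking` in the @@ -154 hunk has no Javadoc and its name does not state its contract; a comment such as `/** Replaces CR, LF and TAB in a caller-supplied value with '_' before it reaches the log so one request cannot forge additional log records; null maps to an empty string. */` would make the intent clear to callers. The pattern covers only those three characters, so other ASCII control characters (ESC among them, which terminal-rendered logs interpret) pass through unchanged; `replaceAll("\\p{Cntrl}", "_")` covers the whole control range at the same cost. A null argument now logs as an empty string rather than `null`, which changes what operators see for absent values and is worth stating in the doc comment. The method reads no instance state, so it can be `private static`, and the blank line before its closing brace looks unintentional.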
@@ -230,9 +242,12 @@ public class PackageWrapper {
 PackageData packateDbData = PackageManager.getInstance().addPackage(packageData);
 String jsonPackageDbData = ToolUtil.objectToString(packateDbData);
- LOG.info("Store package data to database succed ! packateDbData = {}"
- , jsonPackageDbData);
- LOG.info("upload package file end, fileName:{}" , fileName);
+ if (LOG.isInfoEnabled()) {
+ LOG.info("Store package data to database succed ! packateDbData = {}"
+ , loggerPatternBreaking(jsonPackageDbData));
+ LOG.info("upload package file end, fileName:{}" , loggerPatternBreaking(fileName));
+ }
+
 result.setCsarId(packateDbData.getCsarId());
@@ -275,7 +290,10 @@ public class PackageWrapper {
 String fileName = "temp_" + packageId + FILE_FORMAT;
 if(null != fileDetail) {
 String jsonFileDetail = ToolUtil.objectToString(fileDetail);
- LOG.info("the fileDetail = {}" , jsonFileDetail);
+ if(LOG.isInfoEnabled()) {
+ LOG.info("the fileDetail = {}" , loggerPatternBreaking(jsonFileDetail));
+ }
+
 fileName = ToolUtil.processFileName(fileDetail.getFileName());
 }
@@ -286,7 +304,10 @@ public class PackageWrapper {
 if(head != null) {
 contentRange = head.getHeaderString(CommonConstant.HTTP_HEADER_CONTENT_RANGE);
 }
- LOG.info("store package chunk file, fileName:{} contentRange:{}", fileName , contentRange);
+ if(LOG.isInfoEnabled()) {
+ LOG.info("store package chunk file, fileName:{} contentRange:{}", loggerPatternBreaking(fileName) , loggerPatternBreaking(contentRange));
+ }
+
 if(ToolUtil.isEmptyString(contentRange)) {
 int fileSize = uploadedInputStream.available();
 contentRange = "0-" + fileSize + "/" + fileSize;
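Review bot: The added guard is written `if(LOG.isInfoEnabled()) {` in the @@ -275 hunk, the @@ -286 hunk and every hunk after them, while the earlier hunks of this same change write `if (LOG.isInfoEnabled()) {`; pick one form, and since the surrounding file already uses `if(` for its other conditionals (`if(null != fileDetail) {`, `if(head != null) {`) that is the consistent choice. Each guarded block is also followed by an added empty line, which produces a double blank after the guard in the @@ -508 hunk. With parameterized SLF4J calls the `isInfoEnabled()` check only spares the `loggerPatternBreaking` calls when INFO is off, so a short comment on the first guard, `// skip sanitising when INFO is disabled`, would explain why the guard exists at all. The enclosing method starts before this hunk.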
@@ -354,7 +375,10 @@ public class PackageWrapper {
 * @return Response
 */
 public Response delPackage(String csarId) {
- LOG.info("delete package info.csarId:{}" , csarId);
+ if(LOG.isInfoEnabled()) {
+ LOG.info("delete package info.csarId:{}" , loggerPatternBreaking(csarId));
+ }
+
 if(ToolUtil.isEmptyString(csarId)) {
 LOG.error("delete package fail, csarid is null");
 return Response.serverError().build();
@@ -508,7 +532,11 @@ public class PackageWrapper {
 * @return
 */
 public Response getOnBoardingResult(String csarId, String operTypeId, String operId) {
- LOG.info("getOnBoardingResult request csarId:{} operTypeId:{} operId:{}", csarId , operTypeId , operId);
+ if(LOG.isInfoEnabled()) {
+ LOG.info("getOnBoardingResult request csarId:{} operTypeId:{} operId:{}", loggerPatternBreaking(csarId) , loggerPatternBreaking(operTypeId) , loggerPatternBreaking(operId));
+ }
+
+
 try {
 PackageData packageData = PackageWrapperUtil.getPackageInfoById(csarId);
 if(null == packageData) {
@@ -563,14 +591,20 @@ public class PackageWrapper {
 * @return
 */
 public Response getOperResultByOperTypeId(String csarId, String operTypeId) {
- LOG.error("getOnBoardingResult request : csarId:{} operTypeId:{}" , csarId , operTypeId);
+ if(LOG.isErrorEnabled()) {
+ LOG.error("getOnBoardingResult request : csarId:{} operTypeId:{}" , loggerPatternBreaking(csarId) , loggerPatternBreaking(operTypeId));
+ }
+
 if(null == csarId || null == operTypeId || csarId.isEmpty() || operTypeId.isEmpty()) {
 return Response.status(Status.BAD_REQUEST).build();
 }
 PackageData packageData = PackageWrapperUtil.getPackageInfoById(csarId);
 if(null == packageData) {
- LOG.error("Failed to find package for PackageID:{}" , csarId);
+ if(LOG.isErrorEnabled()) {
+ LOG.error("Failed to find package for PackageID:{}" , loggerPatternBreaking(csarId));
+ }
+
 return Response.status(Status.PRECONDITION_FAILED).build();
 }
-- cgit 1.2.3-korg
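Review bot: The rewritten entry log in `getOperResultByOperTypeId` (the @@ -563 hunk) still names the wrong method, `getOnBoardingResult request : ...`, and still goes out at ERROR level for an ordinary request, so every call to this endpoint produces an error record that alerting on the log stream may pick up as a fault. `LOG.info("getOperResultByOperTypeId request : csarId:{} operTypeId:{}" , loggerPatternBreaking(csarId) , loggerPatternBreaking(operTypeId));` under an `isInfoEnabled()` guard fixes both the level and the name. The second log call in the hunk, `Failed to find package for PackageID:{}`, reports a real failure and is fine at ERROR. The method body continues past the end of the hunk.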