authorRaviteja Cherughattu <rc835m@att.com>2020-05-27 12:08:55 -0500
committerRaviteja Cherughattu <rc835m@att.com>2020-06-02 14:38:56 -0500
commit16c3995a89892b1dad4dab7df0f6200ac8b09f92 (patch)
treec08006099c726b5fb6bf56672444ae114f821fe1
parent03bc32d07bdd8e2698a1bdede972ff5aa43f9759 (diff)
Medium Vulnerabilities CodeFix: 1. URL Redirection 2. AAF-1111
Issue-ID: AAF-1115 Change-Id: I05d8d7a19236ad476d2a37b51a6c4a84ba2b8546 Signed-off-by: Raviteja Cherughattu <rc835m@att.com>
-rw-r--r--auth/auth-cmd/pom.xml6
-rw-r--r--auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Cmd.java3
-rw-r--r--auth/auth-core/pom.xml5
-rw-r--r--auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java5
-rw-r--r--auth/auth-fs/pom.xml10
-rw-r--r--auth/auth-fs/src/main/java/org/onap/aaf/auth/fs/AAF_FS.java5
-rw-r--r--auth/auth-hello/pom.xml7
-rw-r--r--auth/auth-hello/src/main/java/org/onap/aaf/auth/hello/API_Hello.java10
-rw-r--r--auth/auth-locate/pom.xml11
-rw-r--r--auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_AAFAccess.java13
-rw-r--r--auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacadeImpl.java5
-rw-r--r--cadi/client/src/main/java/org/onap/aaf/cadi/http/HClient.java10
-rw-r--r--misc/pom.xml6
-rw-r--r--misc/xgen/pom.xml5
-rw-r--r--misc/xgen/src/main/java/org/onap/aaf/misc/xgen/Section.java5
15 files changed, 84 insertions, 22 deletions
diff --git a/auth/auth-cmd/pom.xml b/auth/auth-cmd/pom.xml
index 7133a5b1..01ec4ec9 100644
--- a/auth/auth-cmd/pom.xml
+++ b/auth/auth-cmd/pom.xml
@@ -178,7 +178,11 @@
<artifactId>jline</artifactId>
<version>2.14.2</version>
</dependency>
-
+ <dependency>
+ <groupId>org.owasp.encoder</groupId>
+ <artifactId>encoder</artifactId>
+ <version>1.2.1</version>
+ </dependency>
</dependencies>
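Review bot: The `org.owasp.encoder:encoder:1.2.1` coordinate is hard-coded here and repeated in six more module poms in this commit (auth-core, auth-fs, auth-hello, auth-locate, misc, misc/xgen), and `org.owasp.esapi:esapi:2.0.1` is pinned separately in auth-fs and auth-locate. For a security library that will have to be bumped as one unit, declare the version once in the parent's `dependencyManagement` and reference only `groupId`/`artifactId` in the modules, so a later upgrade cannot leave one module on an older build. ESAPI also brings a sizeable transitive tree and needs an `ESAPI.properties` on the runtime classpath; it is worth confirming that is intended before two modules take it on for a single `sendRedirect` call.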
<distributionManagement>
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Cmd.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Cmd.java
index 0ae4ce99..40616abc 100644
--- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Cmd.java
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Cmd.java
@@ -54,6 +54,7 @@ import aaf.v2_0.History;
import aaf.v2_0.History.Item;
import aaf.v2_0.Request;
+import org.owasp.encoder.Encode;
public abstract class Cmd {
// Sonar claims DateFormat is not thread safe. Leave as Instance Variable.
@@ -272,7 +273,7 @@ public abstract class Cmd {
sb.append(", ");
sb.append(desc);
}
- pw().println(sb);
+ pw().println(Encode.forJava(sb.toString()));
}
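Review bot: `Encode.forJava` on L60 is the encoder for embedding text in a Java source literal, but `pw()` here is the CLI's console output, so any `"` or `\` in a command description is now printed as `\"` and `\\`. If the finding behind this change was about control characters reaching the terminal, neutralise those explicitly rather than borrowing a source-code encoder, e.g. `pw().println(sb.toString().replaceAll("\\p{Cntrl}", " "));`; otherwise the original `pw().println(sb);` is the correct form. The enclosing method begins before this hunk.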
diff --git a/auth/auth-core/pom.xml b/auth/auth-core/pom.xml
index 884ecbe3..972b12cb 100644
--- a/auth/auth-core/pom.xml
+++ b/auth/auth-core/pom.xml
@@ -107,6 +107,11 @@
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
</dependency>
+ <dependency>
+ <groupId>org.owasp.encoder</groupId>
+ <artifactId>encoder</artifactId>
+ <version>1.2.1</version>
+ </dependency>
</dependencies>
<build>
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java
index cdda50db..b342c428 100644
--- a/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java
@@ -53,6 +53,7 @@ import org.onap.aaf.misc.env.EnvJAXB;
import org.onap.aaf.misc.env.LogTarget;
import org.onap.aaf.misc.env.Store;
import org.onap.aaf.misc.env.Trans;
+import org.owasp.encoder.Encode;
/*
* CachingFileAccess
*
@@ -429,9 +430,9 @@ public class CachingFileAccess<TRANS extends Trans> extends HttpCode<TRANS, Void
w.append(name);
w.append('/');
}
- w.append(f.getName());
+ w.append(Encode.forJava(f.getName()));
w.append("\">");
- w.append(f.getName());
+ w.append(Encode.forJava(f.getName()));
w.append("</a></li>\n");
}
w.append(F);
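Review bot: The encoding on L94 and L97 does not close the HTML-injection hole it targets: the surrounding code emits `<a href="…">name</a>` (L95, L98), and `Encode.forJava` leaves `<`, `>` and `&` untouched, so a file name containing markup is still written into the page verbatim. Use the encoder for the actual context — `w.append(Encode.forHtmlAttribute(f.getName()));` for the href on L94 and `w.append(Encode.forHtml(f.getName()));` for the link text on L97. The listing loop starts before this hunk, so the `name` prefix appended on L90 should be checked the same way.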
diff --git a/auth/auth-fs/pom.xml b/auth/auth-fs/pom.xml
index 39cb03b8..943c1082 100644
--- a/auth/auth-fs/pom.xml
+++ b/auth/auth-fs/pom.xml
@@ -76,6 +76,16 @@
<groupId>org.onap.aaf.authz</groupId>
<artifactId>aaf-cadi-core</artifactId>
</dependency>
+ <dependency>
+ <groupId>org.owasp.encoder</groupId>
+ <artifactId>encoder</artifactId>
+ <version>1.2.1</version>
+ </dependency>
+ <dependency>
+ <groupId>org.owasp.esapi</groupId>
+ <artifactId>esapi</artifactId>
+ <version>2.0.1</version>
+ </dependency>
</dependencies>
<build>
diff --git a/auth/auth-fs/src/main/java/org/onap/aaf/auth/fs/AAF_FS.java b/auth/auth-fs/src/main/java/org/onap/aaf/auth/fs/AAF_FS.java
index 64d93539..fdedd6bc 100644
--- a/auth/auth-fs/src/main/java/org/onap/aaf/auth/fs/AAF_FS.java
+++ b/auth/auth-fs/src/main/java/org/onap/aaf/auth/fs/AAF_FS.java
@@ -45,7 +45,7 @@ import org.onap.aaf.cadi.config.Config;
import org.onap.aaf.cadi.register.Registrant;
import org.onap.aaf.cadi.register.RemoteRegistrant;
-
+import org.owasp.esapi.reference.DefaultHTTPUtilities;
public class AAF_FS extends AbsService<AuthzEnv, AuthzTrans> {
@@ -82,7 +82,8 @@ public class AAF_FS extends AbsService<AuthzEnv, AuthzTrans> {
@Override
public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
trans.info().printf("Redirecting %s to HTTP/S %s", req.getRemoteAddr(), req.getLocalAddr());
- resp.sendRedirect(url);
+ DefaultHTTPUtilities util = new DefaultHTTPUtilities();
+ util.sendRedirect(url);
}
};
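Review bot: `new DefaultHTTPUtilities().sendRedirect(url)` on L136-L137 never touches the `resp` passed into `handle`; in ESAPI's reference implementation the one-argument overload writes to `ESAPI.currentResponse()`, which is only populated when `setCurrentHTTP(req, resp)` was called earlier in the request, and nothing in this hunk does that, so this path looks likely to fail at runtime. Pass the response explicitly with `util.sendRedirect(resp, url);`, and note that ESAPI then validates `url` against the `Validator.Redirect` pattern in `ESAPI.properties`, which must be present and configured for this deployment's hosts. If `url` is a fixed configured target rather than request-derived (the log line on L134 suggests an HTTP-to-HTTPS bounce), the open-redirect finding may be a false positive and the original `resp.sendRedirect(url)` is adequate. The same pattern appears in API_AAFAccess at L270-L271.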
diff --git a/auth/auth-hello/pom.xml b/auth/auth-hello/pom.xml
index 11971e0d..f9a420f9 100644
--- a/auth/auth-hello/pom.xml
+++ b/auth/auth-hello/pom.xml
@@ -55,7 +55,12 @@
<groupId>org.onap.aaf.authz</groupId>
<artifactId>aaf-cadi-aaf</artifactId>
</dependency>
-
+ <dependency>
+ <groupId>org.owasp.encoder</groupId>
+ <artifactId>encoder</artifactId>
+ <version>1.2.1</version>
+ </dependency>
+
</dependencies>
<build>
diff --git a/auth/auth-hello/src/main/java/org/onap/aaf/auth/hello/API_Hello.java b/auth/auth-hello/src/main/java/org/onap/aaf/auth/hello/API_Hello.java
index 4ffb1787..cdaa6a76 100644
--- a/auth/auth-hello/src/main/java/org/onap/aaf/auth/hello/API_Hello.java
+++ b/auth/auth-hello/src/main/java/org/onap/aaf/auth/hello/API_Hello.java
@@ -35,6 +35,8 @@ import org.onap.aaf.auth.rserv.HttpMethods;
import org.onap.aaf.misc.env.Env;
import org.onap.aaf.misc.env.TimeTaken;
+import org.owasp.encoder.Encode;
+
/**
* API Apis
* @author Jonathan
@@ -70,7 +72,7 @@ public class API_Hello {
String perm = pathParam(req, "perm");
if (perm!=null && perm.length()>0) {
os.print('(');
- os.print(req.getUserPrincipal().getName());
+ os.print(Encode.forJava(req.getUserPrincipal().getName()));
TimeTaken tt = trans.start("Authorize perm", Env.REMOTE);
try {
if (req.isUserInRole(perm)) {
@@ -82,7 +84,7 @@ public class API_Hello {
tt.done();
}
os.print("Permission: ");
- os.print(perm);
+ os.print(Encode.forJava(perm));
os.print(')');
}
os.println();
@@ -144,7 +146,7 @@ public class API_Hello {
}
sb.append("}");
ServletOutputStream os = resp.getOutputStream();
- os.println(sb.toString());
+ os.println(Encode.forJava(sb.toString()));
trans.info().printf("Said 'RESTful Hello' to %s, Authentication type: %s",trans.getUserPrincipal().getName(),trans.getUserPrincipal().getClass().getSimpleName());
}
},APPLICATION_JSON);
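Review bot: `Encode.forJava(sb.toString())` on L192 corrupts the JSON body: `sb` is assembled as a JSON object (closing `}` on L189, handler registered with `APPLICATION_JSON` on L195), and `forJava` backslash-escapes every `"`, so clients receive `{\"…\"}`, which no JSON parser accepts. Java-literal encoding is not an output encoding for any web context; untrusted pieces should be escaped with a JSON-aware escaper as they are inserted into `sb`, and the assembled document written unchanged with `os.println(sb.toString());`. The echo on L201 in the next hunk has the same problem — the content is only accepted when it looks like JSON (L198) and is then mangled before being returned. The earlier hunks in this file (L174, L183) encode plain-text output, where `forJava` at least breaks no parser, but the encoder choice should be revisited there as well.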
@@ -164,7 +166,7 @@ public class API_Hello {
trans.info().printf("Content from %s: %s\n", pathParam(req, ":id"),content);
if (content.startsWith("{") && content.endsWith("}")) {
resp.setStatus(200 /* OK */);
- resp.getOutputStream().print(content);
+ resp.getOutputStream().print(Encode.forJava(content));
} else {
resp.getOutputStream().write(NOT_JSON);
resp.setStatus(406);
diff --git a/auth/auth-locate/pom.xml b/auth/auth-locate/pom.xml
index 2b6568bf..36585989 100644
--- a/auth/auth-locate/pom.xml
+++ b/auth/auth-locate/pom.xml
@@ -78,6 +78,17 @@
<groupId>org.onap.aaf.authz</groupId>
<artifactId>aaf-misc-rosetta</artifactId>
</dependency>
+ <dependency>
+ <groupId>org.owasp.encoder</groupId>
+ <artifactId>encoder</artifactId>
+ <version>1.2.1</version>
+ </dependency>
+ <dependency>
+ <groupId>org.owasp.esapi</groupId>
+ <artifactId>esapi</artifactId>
+ <version>2.0.1</version>
+ </dependency>
+
</dependencies>
<build>
diff --git a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_AAFAccess.java b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_AAFAccess.java
index 36a987e5..7b23c89c 100644
--- a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_AAFAccess.java
+++ b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_AAFAccess.java
@@ -53,6 +53,9 @@ import org.onap.aaf.cadi.client.Retryable;
import org.onap.aaf.misc.env.APIException;
import org.onap.aaf.misc.env.Env;
import org.onap.aaf.misc.env.TimeTaken;
+import org.owasp.esapi.errors.AccessControlException;
+import org.owasp.esapi.reference.DefaultHTTPUtilities;
+import org.owasp.encoder.Encode;
public class API_AAFAccess {
// private static String service, version, envContext;
@@ -104,7 +107,7 @@ public class API_AAFAccess {
ServletOutputStream sos;
try {
sos = resp.getOutputStream();
- sos.print(fp.value);
+ sos.print(Encode.forJava(fp.value));
} catch (IOException e) {
throw new CadiException(e);
}
@@ -122,7 +125,7 @@ public class API_AAFAccess {
User u = (User)d.data.get(0);
resp.setStatus(u.code);
ServletOutputStream sos = resp.getOutputStream();
- sos.print(u.resp);
+ sos.print(Encode.forJava(u.resp));
}
} finally {
tt.done();
@@ -256,7 +259,7 @@ public class API_AAFAccess {
});
}
- private static void redirect(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, LocateFacade context, Locator<URI> loc, String path) throws IOException {
+ private static void redirect(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, LocateFacade context, Locator<URI> loc, String path) throws IOException, AccessControlException {
try {
if (loc.hasItems()) {
Item item = loc.best();
@@ -270,7 +273,9 @@ public class API_AAFAccess {
redirectURL.append(str);
}
trans.info().log("Redirect to",redirectURL);
- resp.sendRedirect(redirectURL.toString());
+ DefaultHTTPUtilities util = new DefaultHTTPUtilities();
+ util.sendRedirect(redirectURL.toString());
+ //resp.sendRedirect(redirectURL.toString());
} else {
context.error(trans, resp, Result.err(Result.ERR_NotFound,"No Locations found for redirection"));
}
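Review bot: L272 keeps the replaced `resp.sendRedirect(redirectURL.toString());` as commented-out code next to its replacement; delete it. L261 also adds ESAPI's checked `AccessControlException` to `redirect`'s `throws` clause, which pushes a third-party exception type onto every caller of a `private static` helper; catching it inside `redirect` and reporting it through `context.error(...)`, as the `else` branch on L274 already does for the not-found case, would keep the method's contract unchanged. The first two hunks in this file (L244, L253) apply `Encode.forJava` to what appear to be forwarded response bodies (`fp.value`, `u.resp`), which would alter the payload clients receive; confirm those values are meant to be rendered as text rather than relayed.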
diff --git a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacadeImpl.java b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacadeImpl.java
index 67107088..047663c3 100644
--- a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacadeImpl.java
+++ b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacadeImpl.java
@@ -59,6 +59,7 @@ import org.onap.aaf.misc.env.Env;
import org.onap.aaf.misc.env.TimeTaken;
import org.onap.aaf.misc.rosetta.env.RosettaDF;
import org.onap.aaf.misc.rosetta.env.RosettaData;
+import org.owasp.encoder.Encode;
import locate_local.v1_0.Api;
@@ -266,7 +267,7 @@ public abstract class LocateFacadeImpl<IN,OUT,ENDPOINTS,MGMT_ENDPOINTS,CONFIGURA
TimeTaken tt = trans.start(API_EXAMPLE, Env.SUB);
try {
String content =Examples.print(apiDF.getEnv(), nameOrContentType, optional);
- resp.getOutputStream().print(content);
+ resp.getOutputStream().print(Encode.forJava(content));
setContentType(resp,content.contains("<?xml")?TYPE.XML:TYPE.JSON);
return Result.ok();
} catch (Exception e) {
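Review bot: L291 encodes `content` with `Encode.forJava` and then L292 selects the XML or JSON content type from that same `content`; the bytes actually sent have every `"` and `\` escaped, so the document will not parse as either type it is labelled with. `Examples.print(...)` output is server-generated, so the original `resp.getOutputStream().print(content);` is what the declared content type promises; if a finding on this line must be satisfied, escaping belongs at the point where any untrusted value enters the example, not on the finished document. The same applies to `output` on L300 in the next hunk, whose type is set from `epDF.getOutType()`.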
@@ -311,7 +312,7 @@ public abstract class LocateFacadeImpl<IN,OUT,ENDPOINTS,MGMT_ENDPOINTS,CONFIGURA
}
}
}
- resp.getOutputStream().println(output);
+ resp.getOutputStream().println(Encode.forJava(output));
setContentType(resp,epDF.getOutType());
return Result.ok();
} catch (Exception e) {
diff --git a/cadi/client/src/main/java/org/onap/aaf/cadi/http/HClient.java b/cadi/client/src/main/java/org/onap/aaf/cadi/http/HClient.java
index c7b2605f..898b99c9 100644
--- a/cadi/client/src/main/java/org/onap/aaf/cadi/http/HClient.java
+++ b/cadi/client/src/main/java/org/onap/aaf/cadi/http/HClient.java
@@ -47,7 +47,7 @@ import org.onap.aaf.misc.env.Data;
import org.onap.aaf.misc.env.Data.TYPE;
import org.onap.aaf.misc.env.util.Pool.Pooled;
import org.onap.aaf.misc.rosetta.env.RosettaDF;
-
+import org.owasp.encoder.Encode;
/**
* Low Level Http Client Mechanism. Chances are, you want the high level "HRcli"
* for Rosetta Object Translation
@@ -396,8 +396,10 @@ public class HClient implements EClient<HttpURLConnection> {
// reuse Buffers
Pooled<byte[]> pbuff = Rcli.buffPool.get();
try {
+ String strTemp;
while ((read=is.read(pbuff.content))>=0) {
- os.write(pbuff.content,0,read);
+ strTemp = new String(pbuff.content,0,read);
+ os.write(Encode.forJava(strTemp).getBytes());
}
} finally {
pbuff.done();
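Review bot: The rewrite on L321-L325 (and again on L333-L337) turns a byte-for-byte copy of the HTTP response body into a lossy transformation: `new String(pbuff.content,0,read)` and `.getBytes()` use the platform default charset, a multi-byte sequence straddling two `read` chunks is decoded into replacement characters, binary bodies are destroyed, and `Encode.forJava` then rewrites `"`/`\` in whatever JSON or XML the server returned before the caller parses it. A low-level client copying a response to the caller's stream is not an output context, so both loops should go back to `os.write(pbuff.content,0,read);`, with any escaping applied where the body is eventually rendered. If the goal was to stop log injection through the error body collected into `errContent` (L330), sanitise at the logging call instead. Both loops sit inside a method that begins before these hunks.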
@@ -412,8 +414,10 @@ public class HClient implements EClient<HttpURLConnection> {
errContent = new StringBuilder();
Pooled<byte[]> pbuff = Rcli.buffPool.get();
try {
+ String strTemp;
while ((read=is.read(pbuff.content))>=0) {
- os.write(pbuff.content,0,read);
+ strTemp = new String(pbuff.content,0,read);
+ os.write(Encode.forJava(strTemp).getBytes());
}
} finally {
pbuff.done();
diff --git a/misc/pom.xml b/misc/pom.xml
index 66851bc1..61d4f5d2 100644
--- a/misc/pom.xml
+++ b/misc/pom.xml
@@ -73,6 +73,12 @@
<artifactId>junit</artifactId>
<scope>test</scope>
</dependency>
+ <dependency>
+ <groupId>org.owasp.encoder</groupId>
+ <artifactId>encoder</artifactId>
+ <version>1.2.1</version>
+ </dependency>
+
</dependencies>
<modules>
diff --git a/misc/xgen/pom.xml b/misc/xgen/pom.xml
index d24e8510..d4183fb9 100644
--- a/misc/xgen/pom.xml
+++ b/misc/xgen/pom.xml
@@ -78,6 +78,11 @@
<artifactId>aaf-misc-env</artifactId>
<version>${project.version}</version>
</dependency>
+ <dependency>
+ <groupId>org.owasp.encoder</groupId>
+ <artifactId>encoder</artifactId>
+ <version>1.2.1</version>
+ </dependency>
</dependencies>
<!-- ============================================================== -->
diff --git a/misc/xgen/src/main/java/org/onap/aaf/misc/xgen/Section.java b/misc/xgen/src/main/java/org/onap/aaf/misc/xgen/Section.java
index 9f1f2a38..0d41bd9b 100644
--- a/misc/xgen/src/main/java/org/onap/aaf/misc/xgen/Section.java
+++ b/misc/xgen/src/main/java/org/onap/aaf/misc/xgen/Section.java
@@ -28,6 +28,7 @@ import org.onap.aaf.misc.env.APIException;
import org.onap.aaf.misc.env.Env;
import org.onap.aaf.misc.env.Trans;
import org.onap.aaf.misc.xgen.html.State;
+import org.owasp.encoder.Encode;
public class Section<G extends XGen<G>> {
protected int indent;
@@ -48,11 +49,11 @@ public class Section<G extends XGen<G>> {
}
public void forward(Writer w) throws IOException {
- w.write(forward);
+ w.write(Encode.forJava(forward));
}
public void back(Writer w) throws IOException {
- w.write(backward);
+ w.write(Encode.forJava(backward));
}
public String toString() {
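Review bot: `forward` and `backward` written on L387 and L391 appear to be the Section's own opening and closing markup (this is the xgen HTML generator; `State` on L379 comes from its `html` package), so encoding them with `Encode.forJava` turns every `"` in a tag attribute into `\"` and emits broken HTML on every render. Library-generated structural strings should be written as-is, `w.write(forward);` / `w.write(backward);`; HTML escaping belongs on the data values xgen interpolates into them, with `Encode.forHtml` or `Encode.forHtmlAttribute` for the respective context. Whether those interpolated values are already escaped is not visible in this hunk.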