From 16c3995a89892b1dad4dab7df0f6200ac8b09f92 Mon Sep 17 00:00:00 2001 From: Raviteja Cherughattu Date: Wed, 27 May 2020 12:08:55 -0500 Subject: Medium Vulnerabilities CodeFix: 1. URL Redirection 2. AAF-1111 Issue-ID: AAF-1115 Change-Id: I05d8d7a19236ad476d2a37b51a6c4a84ba2b8546 Signed-off-by: Raviteja Cherughattu --- auth/auth-locate/pom.xml | 11 +++++++++++ .../java/org/onap/aaf/auth/locate/api/API_AAFAccess.java | 13 +++++++++---- .../org/onap/aaf/auth/locate/facade/LocateFacadeImpl.java | 5 +++-- 3 files changed, 23 insertions(+), 6 deletions(-) (limited to 'auth/auth-locate') diff --git a/auth/auth-locate/pom.xml b/auth/auth-locate/pom.xml index 2b6568bf..36585989 100644 --- a/auth/auth-locate/pom.xml +++ b/auth/auth-locate/pom.xml @@ -78,6 +78,17 @@ org.onap.aaf.authz aaf-misc-rosetta + + org.owasp.encoder + encoder + 1.2.1 + + + org.owasp.esapi + esapi + 2.0.1 + + diff --git a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_AAFAccess.java b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_AAFAccess.java index 36a987e5..7b23c89c 100644 --- a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_AAFAccess.java +++ b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_AAFAccess.java @@ -53,6 +53,9 @@ import org.onap.aaf.cadi.client.Retryable; import org.onap.aaf.misc.env.APIException; import org.onap.aaf.misc.env.Env; import org.onap.aaf.misc.env.TimeTaken; +import org.owasp.esapi.errors.AccessControlException; +import org.owasp.esapi.reference.DefaultHTTPUtilities; +import org.owasp.encoder.Encode; public class API_AAFAccess { // private static String service, version, envContext; @@ -104,7 +107,7 @@ public class API_AAFAccess { ServletOutputStream sos; try { sos = resp.getOutputStream(); - sos.print(fp.value); + sos.print(Encode.forJava(fp.value)); } catch (IOException e) { throw new CadiException(e); } @@ -122,7 +125,7 @@ public class API_AAFAccess { User u = (User)d.data.get(0); resp.setStatus(u.code); ServletOutputStream sos = resp.getOutputStream(); - sos.print(u.resp); + sos.print(Encode.forJava(u.resp)); } } finally { tt.done(); @@ -256,7 +259,7 @@ public class API_AAFAccess { }); } - private static void redirect(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, LocateFacade context, Locator loc, String path) throws IOException { + private static void redirect(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, LocateFacade context, Locator loc, String path) throws IOException, AccessControlException { try { if (loc.hasItems()) { Item item = loc.best(); @@ -270,7 +273,9 @@ public class API_AAFAccess { redirectURL.append(str); } trans.info().log("Redirect to",redirectURL); - resp.sendRedirect(redirectURL.toString()); + DefaultHTTPUtilities util = new DefaultHTTPUtilities(); + util.sendRedirect(redirectURL.toString()); + //resp.sendRedirect(redirectURL.toString()); } else { context.error(trans, resp, Result.err(Result.ERR_NotFound,"No Locations found for redirection")); } diff --git a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacadeImpl.java b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacadeImpl.java index 67107088..047663c3 100644 --- a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacadeImpl.java +++ b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacadeImpl.java @@ -59,6 +59,7 @@ import org.onap.aaf.misc.env.Env; import org.onap.aaf.misc.env.TimeTaken; import org.onap.aaf.misc.rosetta.env.RosettaDF; import org.onap.aaf.misc.rosetta.env.RosettaData; +import org.owasp.encoder.Encode; import locate_local.v1_0.Api; @@ -266,7 +267,7 @@ public abstract class LocateFacadeImpl