From 16c3995a89892b1dad4dab7df0f6200ac8b09f92 Mon Sep 17 00:00:00 2001 From: Raviteja Cherughattu Date: Wed, 27 May 2020 12:08:55 -0500 Subject: Medium Vulnerabilities CodeFix: 1. URL Redirection 2. AAF-1111 Issue-ID: AAF-1115 Change-Id: I05d8d7a19236ad476d2a37b51a6c4a84ba2b8546 Signed-off-by: Raviteja Cherughattu --- auth/auth-cmd/pom.xml | 6 +++++- auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Cmd.java | 3 ++- auth/auth-core/pom.xml | 5 +++++ .../java/org/onap/aaf/auth/rserv/CachingFileAccess.java | 5 +++-- auth/auth-fs/pom.xml | 10 ++++++++++ auth/auth-fs/src/main/java/org/onap/aaf/auth/fs/AAF_FS.java | 5 +++-- auth/auth-hello/pom.xml | 7 ++++++- .../src/main/java/org/onap/aaf/auth/hello/API_Hello.java | 10 ++++++---- auth/auth-locate/pom.xml | 11 +++++++++++ .../java/org/onap/aaf/auth/locate/api/API_AAFAccess.java | 13 +++++++++---- .../org/onap/aaf/auth/locate/facade/LocateFacadeImpl.java | 5 +++-- 11 files changed, 63 insertions(+), 17 deletions(-) (limited to 'auth') diff --git a/auth/auth-cmd/pom.xml b/auth/auth-cmd/pom.xml index 7133a5b1..01ec4ec9 100644 --- a/auth/auth-cmd/pom.xml +++ b/auth/auth-cmd/pom.xml @@ -178,7 +178,11 @@ jline 2.14.2 - + + org.owasp.encoder + encoder + 1.2.1 + diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Cmd.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Cmd.java index 0ae4ce99..40616abc 100644 --- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Cmd.java +++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Cmd.java @@ -54,6 +54,7 @@ import aaf.v2_0.History; import aaf.v2_0.History.Item; import aaf.v2_0.Request; +import org.owasp.encoder.Encode; public abstract class Cmd { // Sonar claims DateFormat is not thread safe. Leave as Instance Variable. @@ -272,7 +273,7 @@ public abstract class Cmd { sb.append(", "); sb.append(desc); } - pw().println(sb); + pw().println(Encode.forJava(sb.toString())); } diff --git a/auth/auth-core/pom.xml b/auth/auth-core/pom.xml index 884ecbe3..972b12cb 100644 --- a/auth/auth-core/pom.xml +++ b/auth/auth-core/pom.xml @@ -107,6 +107,11 @@ org.slf4j slf4j-log4j12 + + org.owasp.encoder + encoder + 1.2.1 + diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java index cdda50db..b342c428 100644 --- a/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java +++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java @@ -53,6 +53,7 @@ import org.onap.aaf.misc.env.EnvJAXB; import org.onap.aaf.misc.env.LogTarget; import org.onap.aaf.misc.env.Store; import org.onap.aaf.misc.env.Trans; +import org.owasp.encoder.Encode; /* * CachingFileAccess * @@ -429,9 +430,9 @@ public class CachingFileAccess extends HttpCode"); - w.append(f.getName()); + w.append(Encode.forJava(f.getName())); w.append("\n"); } w.append(F); diff --git a/auth/auth-fs/pom.xml b/auth/auth-fs/pom.xml index 39cb03b8..943c1082 100644 --- a/auth/auth-fs/pom.xml +++ b/auth/auth-fs/pom.xml @@ -76,6 +76,16 @@ org.onap.aaf.authz aaf-cadi-core + + org.owasp.encoder + encoder + 1.2.1 + + + org.owasp.esapi + esapi + 2.0.1 + diff --git a/auth/auth-fs/src/main/java/org/onap/aaf/auth/fs/AAF_FS.java b/auth/auth-fs/src/main/java/org/onap/aaf/auth/fs/AAF_FS.java index 64d93539..fdedd6bc 100644 --- a/auth/auth-fs/src/main/java/org/onap/aaf/auth/fs/AAF_FS.java +++ b/auth/auth-fs/src/main/java/org/onap/aaf/auth/fs/AAF_FS.java @@ -45,7 +45,7 @@ import org.onap.aaf.cadi.config.Config; import org.onap.aaf.cadi.register.Registrant; import org.onap.aaf.cadi.register.RemoteRegistrant; - +import org.owasp.esapi.reference.DefaultHTTPUtilities; public class AAF_FS extends AbsService { @@ -82,7 +82,8 @@ public class AAF_FS extends AbsService { @Override public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception { trans.info().printf("Redirecting %s to HTTP/S %s", req.getRemoteAddr(), req.getLocalAddr()); - resp.sendRedirect(url); + DefaultHTTPUtilities util = new DefaultHTTPUtilities(); + util.sendRedirect(url); } }; diff --git a/auth/auth-hello/pom.xml b/auth/auth-hello/pom.xml index 11971e0d..f9a420f9 100644 --- a/auth/auth-hello/pom.xml +++ b/auth/auth-hello/pom.xml @@ -55,7 +55,12 @@ org.onap.aaf.authz aaf-cadi-aaf - + + org.owasp.encoder + encoder + 1.2.1 + + diff --git a/auth/auth-hello/src/main/java/org/onap/aaf/auth/hello/API_Hello.java b/auth/auth-hello/src/main/java/org/onap/aaf/auth/hello/API_Hello.java index 4ffb1787..cdaa6a76 100644 --- a/auth/auth-hello/src/main/java/org/onap/aaf/auth/hello/API_Hello.java +++ b/auth/auth-hello/src/main/java/org/onap/aaf/auth/hello/API_Hello.java @@ -35,6 +35,8 @@ import org.onap.aaf.auth.rserv.HttpMethods; import org.onap.aaf.misc.env.Env; import org.onap.aaf.misc.env.TimeTaken; +import org.owasp.encoder.Encode; + /** * API Apis * @author Jonathan @@ -70,7 +72,7 @@ public class API_Hello { String perm = pathParam(req, "perm"); if (perm!=null && perm.length()>0) { os.print('('); - os.print(req.getUserPrincipal().getName()); + os.print(Encode.forJava(req.getUserPrincipal().getName())); TimeTaken tt = trans.start("Authorize perm", Env.REMOTE); try { if (req.isUserInRole(perm)) { @@ -82,7 +84,7 @@ public class API_Hello { tt.done(); } os.print("Permission: "); - os.print(perm); + os.print(Encode.forJava(perm)); os.print(')'); } os.println(); @@ -144,7 +146,7 @@ public class API_Hello { } sb.append("}"); ServletOutputStream os = resp.getOutputStream(); - os.println(sb.toString()); + os.println(Encode.forJava(sb.toString())); trans.info().printf("Said 'RESTful Hello' to %s, Authentication type: %s",trans.getUserPrincipal().getName(),trans.getUserPrincipal().getClass().getSimpleName()); } },APPLICATION_JSON); @@ -164,7 +166,7 @@ public class API_Hello { trans.info().printf("Content from %s: %s\n", pathParam(req, ":id"),content); if (content.startsWith("{") && content.endsWith("}")) { resp.setStatus(200 /* OK */); - resp.getOutputStream().print(content); + resp.getOutputStream().print(Encode.forJava(content)); } else { resp.getOutputStream().write(NOT_JSON); resp.setStatus(406); diff --git a/auth/auth-locate/pom.xml b/auth/auth-locate/pom.xml index 2b6568bf..36585989 100644 --- a/auth/auth-locate/pom.xml +++ b/auth/auth-locate/pom.xml @@ -78,6 +78,17 @@ org.onap.aaf.authz aaf-misc-rosetta + + org.owasp.encoder + encoder + 1.2.1 + + + org.owasp.esapi + esapi + 2.0.1 + + diff --git a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_AAFAccess.java b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_AAFAccess.java index 36a987e5..7b23c89c 100644 --- a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_AAFAccess.java +++ b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_AAFAccess.java @@ -53,6 +53,9 @@ import org.onap.aaf.cadi.client.Retryable; import org.onap.aaf.misc.env.APIException; import org.onap.aaf.misc.env.Env; import org.onap.aaf.misc.env.TimeTaken; +import org.owasp.esapi.errors.AccessControlException; +import org.owasp.esapi.reference.DefaultHTTPUtilities; +import org.owasp.encoder.Encode; public class API_AAFAccess { // private static String service, version, envContext; @@ -104,7 +107,7 @@ public class API_AAFAccess { ServletOutputStream sos; try { sos = resp.getOutputStream(); - sos.print(fp.value); + sos.print(Encode.forJava(fp.value)); } catch (IOException e) { throw new CadiException(e); } @@ -122,7 +125,7 @@ public class API_AAFAccess { User u = (User)d.data.get(0); resp.setStatus(u.code); ServletOutputStream sos = resp.getOutputStream(); - sos.print(u.resp); + sos.print(Encode.forJava(u.resp)); } } finally { tt.done(); @@ -256,7 +259,7 @@ public class API_AAFAccess { }); } - private static void redirect(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, LocateFacade context, Locator loc, String path) throws IOException { + private static void redirect(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, LocateFacade context, Locator loc, String path) throws IOException, AccessControlException { try { if (loc.hasItems()) { Item item = loc.best(); @@ -270,7 +273,9 @@ public class API_AAFAccess { redirectURL.append(str); } trans.info().log("Redirect to",redirectURL); - resp.sendRedirect(redirectURL.toString()); + DefaultHTTPUtilities util = new DefaultHTTPUtilities(); + util.sendRedirect(redirectURL.toString()); + //resp.sendRedirect(redirectURL.toString()); } else { context.error(trans, resp, Result.err(Result.ERR_NotFound,"No Locations found for redirection")); } diff --git a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacadeImpl.java b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacadeImpl.java index 67107088..047663c3 100644 --- a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacadeImpl.java +++ b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacadeImpl.java @@ -59,6 +59,7 @@ import org.onap.aaf.misc.env.Env; import org.onap.aaf.misc.env.TimeTaken; import org.onap.aaf.misc.rosetta.env.RosettaDF; import org.onap.aaf.misc.rosetta.env.RosettaData; +import org.owasp.encoder.Encode; import locate_local.v1_0.Api; @@ -266,7 +267,7 @@ public abstract class LocateFacadeImpl