From 0d9b3896ad594816b1eb7048949114e6a18c4bd4 Mon Sep 17 00:00:00 2001 From: "Lee, Tian (tl5884)" Date: Mon, 1 Oct 2018 16:24:47 +0100 Subject: Fix NexusIQ security vulnerabilities Remove Spring Boot Jackson dependencies and replace with Gson implementation. Fix potential source of NullPointerException. Change-Id: I3a715a023223b596e8a0979f0e0d381511fca32d Issue-ID: AAF-529 Signed-off-by: Lee, Tian (tl5884) --- sidecar/rproxy/config/auth/uri-authorization.json | 6 ------ sidecar/rproxy/pom.xml | 10 ++++------ .../org/onap/aaf/rproxy/ReverseProxyAuthorizationFilter.java | 9 +++++++-- .../src/main/java/org/onap/aaf/rproxy/ReverseProxyService.java | 6 +++--- sidecar/rproxy/src/main/resources/application.properties | 5 +---- 5 files changed, 15 insertions(+), 21 deletions(-) (limited to 'sidecar/rproxy') diff --git a/sidecar/rproxy/config/auth/uri-authorization.json b/sidecar/rproxy/config/auth/uri-authorization.json index 29b152d..61ea9e6 100644 --- a/sidecar/rproxy/config/auth/uri-authorization.json +++ b/sidecar/rproxy/config/auth/uri-authorization.json @@ -104,11 +104,5 @@ "test.auth.access\\|tenants\\|read", "test.auth.access\\|vservers\\|read" ] - }, - { - "uri": "\/rproxy\/.*", - "permissions": [ - "org\\.access\\|rproxy\\|get" - ] } ] \ No newline at end of file diff --git a/sidecar/rproxy/pom.xml b/sidecar/rproxy/pom.xml index 004f569..09a0d06 100644 --- a/sidecar/rproxy/pom.xml +++ b/sidecar/rproxy/pom.xml @@ -68,6 +68,10 @@ org.springframework.boot spring-boot-starter-tomcat + + org.springframework.boot + spring-boot-starter-json + @@ -86,11 +90,6 @@ spring-boot-starter-aop - - org.springframework.boot - spring-boot-starter-actuator - - org.springframework.boot spring-boot-starter-test @@ -108,7 +107,6 @@ com.google.code.gson gson - 2.8.5 diff --git a/sidecar/rproxy/src/main/java/org/onap/aaf/rproxy/ReverseProxyAuthorizationFilter.java b/sidecar/rproxy/src/main/java/org/onap/aaf/rproxy/ReverseProxyAuthorizationFilter.java index 6374c9d..f939249 100644 
--- a/sidecar/rproxy/src/main/java/org/onap/aaf/rproxy/ReverseProxyAuthorizationFilter.java
+++ b/sidecar/rproxy/src/main/java/org/onap/aaf/rproxy/ReverseProxyAuthorizationFilter.java
@@ -20,6 +20,7 @@ package org.onap.aaf.rproxy;
 import com.google.gson.Gson;
+import com.google.gson.reflect.TypeToken;
 import com.google.gson.stream.JsonReader;
 import java.io.File;
 import java.io.FileInputStream;
@@ -30,6 +31,7 @@ import java.net.URI;
 import java.net.URISyntaxException;
 import java.security.Principal;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.List;
 import javax.annotation.Resource;
 import javax.servlet.Filter;
@@ -58,7 +60,7 @@ public class ReverseProxyAuthorizationFilter implements Filter {
     private static final Logger LOGGER = LoggerFactory.getLogger(ReverseProxyAuthorizationFilter.class);
-    private ReverseProxyAuthorization[] reverseProxyAuthorizations = new ReverseProxyAuthorization[] {};
+    private List reverseProxyAuthorizations = new ArrayList<>();
     @Resource
     private ReverseProxyURIAuthorizationProperties reverseProxyURIAuthorizationProperties;
@@ -72,7 +74,10 @@ public class ReverseProxyAuthorizationFilter implements Filter {
         try (InputStream inputStream = new FileInputStream(new File(reverseProxyURIAuthorizationProperties.getConfigurationFile()));
                 JsonReader jsonReader = new JsonReader(new InputStreamReader(inputStream))) {
-            reverseProxyAuthorizations = new Gson().fromJson(jsonReader, ReverseProxyAuthorization[].class);
+            List untrimmedList = new Gson().fromJson(jsonReader,
+                    new TypeToken>() {}.getType());
+            untrimmedList.removeAll(Collections.singleton(null));
+            reverseProxyAuthorizations = untrimmedList;
         } catch (IOException e) {
             throw new ServletException("Authorizations config file not found.", e);
         }
diff --git a/sidecar/rproxy/src/main/java/org/onap/aaf/rproxy/ReverseProxyService.java b/sidecar/rproxy/src/main/java/org/onap/aaf/rproxy/ReverseProxyService.java
index b5c000c..55fcdd1 100644
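Review bot: `Gson.fromJson` returns `null` when the configuration file is empty or holds the literal `null`, so `untrimmedList.removeAll(Collections.singleton(null))` in the last hunk throws exactly the NullPointerException this commit sets out to remove, and the `catch (IOException e)` below it does not cover that case. Because this list is the reverse proxy's authorization rule set, a missing or empty rule file should fail filter init with an explicit message rather than an NPE: add `if (untrimmedList == null) { throw new ServletException("Authorizations config file is empty or not a JSON array."); }` before the `removeAll`. Stripping null elements is worthwhile since `Gson.fromJson(JsonReader, Type)` parses leniently (a trailing comma yields a null entry), but an entry whose `uri` or `permissions` field is absent still arrives as a non-null object with null fields, so each entry presumably needs validating here too unless the filter already does so where it matches requests. The generic type arguments appear to have been stripped by this rendering (`List untrimmedList`, `TypeToken>`); the committed line is presumably `new TypeToken<List<ReverseProxyAuthorization>>() {}.getType()`, which is what makes the deserialized elements typed. The enclosing init method starts outside the hunk.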
--- a/sidecar/rproxy/src/main/java/org/onap/aaf/rproxy/ReverseProxyService.java
+++ b/sidecar/rproxy/src/main/java/org/onap/aaf/rproxy/ReverseProxyService.java
@@ -35,7 +35,6 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.boot.actuate.endpoint.InvalidEndpointRequestException;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.http.HttpEntity;
 import org.springframework.http.HttpHeaders;
@@ -45,6 +44,7 @@ import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.client.HttpClientErrorException;
 import org.springframework.web.client.RestTemplate;
 @RestController
@@ -152,8 +152,8 @@ public class ReverseProxyService {
                 restTemplate.postForEntity(forwardProxyURI, credentialCacheData, String.class);
         if (!response.getStatusCode().is2xxSuccessful()) {
-            throw new InvalidEndpointRequestException("Error posting to credential cache.",
-                    "Status code: " + response.getStatusCodeValue() + " Message: " + response.getBody());
+            throw new HttpClientErrorException(response.getStatusCode(),
+                    "Error posting to credential cache. Message: " + response.getBody());
         }
     }
diff --git a/sidecar/rproxy/src/main/resources/application.properties b/sidecar/rproxy/src/main/resources/application.properties
index f291372..9ba37aa 100644
--- a/sidecar/rproxy/src/main/resources/application.properties
+++ b/sidecar/rproxy/src/main/resources/application.properties
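Review bot: The new `throw` in the last hunk embeds the credential cache's raw response body (`response.getBody()`) in the exception message; if that `HttpClientErrorException` propagates out of this `@RestController` unhandled and Spring's error attributes include the exception message (the default before `server.error.include-message` existed, and this pom does not show the Boot version), whatever the credential cache returned — an internal error page, a stack trace — is echoed to the external caller of the proxy. Keep the body out of the message and log it instead, since the class already imports slf4j: `LOGGER.debug("Credential cache returned {}: {}", response.getStatusCode(), response.getBody());` followed by `throw new HttpClientErrorException(response.getStatusCode(), "Error posting to credential cache.");`. `HttpClientErrorException` also denotes a 4xx, while the guard fires for any non-2xx, so a 503 from the cache would be surfaced as a client error; `HttpServerErrorException` (or the base `RestClientResponseException`) fits that case. Note that `RestTemplate`'s default `DefaultResponseErrorHandler` already throws those two exception types for 4xx/5xx before `postForEntity` returns, so unless a custom error handler is configured elsewhere this branch presumably only ever sees 3xx responses. The enclosing method starts outside the hunk.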
@@ -16,7 +16,4 @@ uri.authorization.configuration-file=${CONFIG_HOME}/auth/uri-authorization.json
 logging.config=${CONFIG_HOME}/logback-spring.xml
-spring.profiles.default=secure,cadi
-
-# For Spring Boot Actuator endpoints
-management.endpoints.web.base-path=/rproxy
\ No newline at end of file
+spring.profiles.default=secure,cadi
\ No newline at end of file
--
cgit 1.2.3-korg