author | efiacor <fiachra.corcoran@est.tech> | 2022-03-09 16:23:37 +0000 |
---|---|---|
committer | efiacor <fiachra.corcoran@est.tech> | 2022-03-09 16:24:00 +0000 |
commit | d1741d61283e8dfc54339c543abeea2e5ad4fed8 (patch) | |
tree | e1c8aad2f276f303a11982a1be5b4c4e9bf1d5db | |
parent | 7d9ba5eea9377ab15f359bd32306bdb9c276f638 (diff) |
[DMAAP-DR] Another fix for sql injection
Signed-off-by: efiacor <fiachra.corcoran@est.tech>
Change-Id: Id7f05dc3ba3dca0a7da3f94cd072ecb9204a728a
Issue-ID: DMAAP-1623
3 files changed, 224 insertions, 41 deletions
diff --git a/csit/scripts/dmaap-datarouter/docker-compose/docker-compose.yml b/csit/scripts/dmaap-datarouter/docker-compose/docker-compose.yml
index 9140d0fc..d2902ff5 100644
--- a/csit/scripts/dmaap-datarouter/docker-compose/docker-compose.yml
+++ b/csit/scripts/dmaap-datarouter/docker-compose/docker-compose.yml
@@ -30,6 +30,7 @@ services:
 - "8080:8080"
 volumes:
 - ./provserver.properties:/opt/app/datartr/etc/provserver.properties
+ - ./logback.xml:/opt/app/datartr/etc/logback.xml
 - ../dr_certs/dr_prov/truststore.jks:/opt/app/osaaf/local/truststore.jks
 - ../dr_certs/dr_prov/org.onap.dmaap-dr-prov.p12:/opt/app/osaaf/local/org.onap.dmaap-dr-prov.p12
 - ../dr_certs/dr_prov/org.onap.dmaap-dr.cred.props:/opt/app/osaaf/local/org.onap.dmaap-dr.cred.props
diff --git a/csit/scripts/dmaap-datarouter/docker-compose/logback.xml b/csit/scripts/dmaap-datarouter/docker-compose/logback.xml
new file mode 100644
index 00000000..8e3183a3
--- /dev/null
+++ b/csit/scripts/dmaap-datarouter/docker-compose/logback.xml
@@ -0,0 +1,189 @@ +<!-- + ============LICENSE_START======================================================= + Copyright (C) 2019 Nordix Foundation. + ================================================================================ + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + + SPDX-License-Identifier: Apache-2.0 + ============LICENSE_END========================================================= +--> +<configuration scan="true" scanPeriod="3 seconds" debug="true"> + <property name="logDir" value="/opt/app/datartr/logs" /> + <!-- log file names --> + <property name="generalLogName" value="apicalls" /> + <property name="errorLogName" value="errors" /> + <property name="debugLogName" value="debug"/> + <property name="jettyLogName" value="jetty"/> + <property name="defaultPattern" value="%d{MM/dd-HH:mm:ss.SSS}|%logger|%X{RequestId}|%X{InvocationId}|%X{ServiceInstanceId}|%thread|%X{ServiceName}|%X{InstanceUUID}|%.-5level|%X{AlertSeverity}|%X{ServerIPAddress}|%X{ServerFQDN}|%X{RemoteHost}|%X{Timer}|%msg%n" /> + <property name="jettyLoggerPattern" value="%d{MM/dd-HH:mm:ss.SSS}|%logger|%thread|%.-5level|%msg%n" /> + + <property name="debugLoggerPattern" value="%d{MM/dd-HH:mm:ss.SSS}|%logger|%X{RequestId}|%X{InvocationId}|%X{ServiceInstanceId}|%thread|%X{ServiceName}|%X{InstanceUUID}|%.-5level|%X{AlertSeverity}|%X{ServerIPAddress}|%X{ServerFQDN}|%X{RemoteHost}|%X{Timer}|[%caller{3}]|%msg%n" /> + <property name="logDirectory" value="${logDir}" /> + + <!-- Example evaluator filter applied 
against console appender --> + <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender"> + <encoder> + <pattern>${defaultPattern}</pattern> + </encoder> + </appender> + + <!-- ============================================================================ --> + <!-- EELF Appenders --> + <!-- ============================================================================ --> + + <!-- The EELFAppender is used to record events to the general application + log --> + + <appender name="EELF" + class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${logDirectory}/${generalLogName}.log</file> + <filter class="ch.qos.logback.classic.filter.LevelFilter"> + <level>INFO</level> + <onMatch>ACCEPT</onMatch> + <onMismatch>DENY</onMismatch> + </filter> + <rollingPolicy + class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy"> + <fileNamePattern>${logDirectory}/${generalLogName}.%i.log.zip + </fileNamePattern> + <minIndex>1</minIndex> + <maxIndex>9</maxIndex> + </rollingPolicy> + <triggeringPolicy + class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy"> + <maxFileSize>50MB</maxFileSize> + </triggeringPolicy> + <encoder> + <pattern>${defaultPattern}</pattern> + </encoder> + </appender> + + <appender name="asyncEELF" class="ch.qos.logback.classic.AsyncAppender"> + <queueSize>256</queueSize> + <appender-ref ref="EELF" /> + </appender> + + <appender name="EELFError" + class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${logDirectory}/${errorLogName}.log</file> + <filter class="ch.qos.logback.classic.filter.LevelFilter"> + <level>ERROR</level> + <onMatch>ACCEPT</onMatch> + <onMismatch>DENY</onMismatch> + </filter> + <rollingPolicy + class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy"> + <fileNamePattern>${logDirectory}/${errorLogName}.%i.log.zip + </fileNamePattern> + <minIndex>1</minIndex> + <maxIndex>9</maxIndex> + </rollingPolicy> + <triggeringPolicy + class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy"> + 
<maxFileSize>50MB</maxFileSize> + </triggeringPolicy> + <encoder> + <pattern>${defaultPattern}</pattern> + </encoder> + </appender> + + <appender name="asyncEELFError" class="ch.qos.logback.classic.AsyncAppender"> + <queueSize>256</queueSize> + <appender-ref ref="EELFError"/> + </appender> + + <!-- ============================================================================ --> + <appender name="jettylog" + class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${logDirectory}/${jettyLogName}.log</file> + <filter class="org.onap.dmaap.datarouter.provisioning.eelf.JettyFilter" /> + <rollingPolicy + class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy"> + <fileNamePattern>${logDirectory}/${jettyLogName}.%i.log.zip + </fileNamePattern> + <minIndex>1</minIndex> + <maxIndex>9</maxIndex> + </rollingPolicy> + <triggeringPolicy + class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy"> + <maxFileSize>50MB</maxFileSize> + </triggeringPolicy> + <encoder> + <pattern>${jettyLoggerPattern}</pattern> + </encoder> + </appender> + + <appender name="asyncEELFjettylog" class="ch.qos.logback.classic.AsyncAppender"> + <queueSize>256</queueSize> + <appender-ref ref="jettylog" /> + <includeCallerData>true</includeCallerData> + </appender> + + <!-- ============================================================================ --> + + + <appender name="EELFDebug" + class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${logDirectory}/${debugLogName}.log</file> + <filter class="org.onap.dmaap.datarouter.provisioning.eelf.DebugTraceFilter" /> + <rollingPolicy + class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy"> + <fileNamePattern>${logDirectory}/${debugLogName}.%i.log.zip + </fileNamePattern> + <minIndex>1</minIndex> + <maxIndex>9</maxIndex> + </rollingPolicy> + <triggeringPolicy + class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy"> + <maxFileSize>50MB</maxFileSize> + </triggeringPolicy> + <encoder> + <pattern>${defaultPattern}</pattern> 
+ </encoder> + </appender> + + <appender name="asyncEELFDebug" class="ch.qos.logback.classic.AsyncAppender"> + <queueSize>256</queueSize> + <appender-ref ref="EELFDebug" /> + <includeCallerData>true</includeCallerData> + </appender> + + + <!-- ============================================================================ --> + <!-- EELF loggers --> + <!-- ============================================================================ --> + <logger name="com.att.eelf" level="info" additivity="false"> + <appender-ref ref="asyncEELF" /> + </logger> + + <logger name="com.att.eelf.error" level="error" additivity="false"> + <appender-ref ref="asyncEELFError" /> + </logger> + + <logger name="log4j.logger.org.eclipse.jetty" additivity="false" level="info"> + <appender-ref ref="asyncEELFjettylog"/> + </logger> + + <logger name="com.att.eelf.debug" level="debug" additivity="false"> + <appender-ref ref="asyncEELFDebug" /> + </logger> + + <root level="DEBUG"> + <appender-ref ref="asyncEELF" /> + <appender-ref ref="asyncEELFError" /> + <appender-ref ref="asyncEELFjettylog" /> + <appender-ref ref="asyncEELFDebug" /> + <appender-ref ref="STDOUT" /> + </root> + +</configuration>
\ No newline at end of file
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/StatisticsServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/StatisticsServlet.java
index 964ef037..6049eea0 100755
--- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/StatisticsServlet.java
+++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/StatisticsServlet.java
@@ -64,6 +64,7 @@ public class StatisticsServlet extends BaseServlet {
 private static final String FMT1 = "yyyy-MM-dd'T'HH:mm:ss'Z'";
private static final String FMT2 = "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'";
public static final String FEEDID = "FEEDID";
+ public static final String START = "start";
//sql Strings
private static final String SQL_SELECT_NAME = "SELECT (SELECT NAME FROM FEEDS AS f WHERE f.FEEDID in(";
@@ -301,11 +302,12 @@ public class StatisticsServlet extends BaseServlet {
 /**
- * queryGeneretor - Generating sql query.
+ * getResultSet - Set the result from the query.
*
* @param map as key value pare of all user input fields
*/
- private PreparedStatement queryGeneretor(Map<String, String> map) throws ParseException, SQLException {
+ private void getResultSet(Map<String, String> map, String outputType, ServletOutputStream out,
+ HttpServletResponse resp) throws ParseException, SQLException, IOException {
String sql;
String feedids = null;
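Review bot: The rewritten Javadoc on `getResultSet` still documents only `map`; the new parameters `outputType`, `out` and `resp`, and the `ParseException`, `SQLException` and `IOException` the signature declares, are left undocumented, and the summary "Set the result from the query" understates that the method builds the statement, executes it and writes the HTTP response. Suggest a summary along the lines of "Build and execute the statistics query for the given filters and write the result to the response as CSV or JSON", followed by `@param outputType`, `@param out`, `@param resp` entries and one `@throws` per checked exception. The method body continues past the end of this hunk.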
@@ -315,8 +317,8 @@ public class StatisticsServlet extends BaseServlet {
 long startInMillis = 0;
long endInMillis = 0;
String subid = " ";
- String compareType = null;
- PreparedStatement ps = null;
+ String compareType;
+ ResultSet rs;
if (map.get(FEEDIDS) != null) {
feedids = map.get(FEEDIDS);
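Review bot: `String subid = " ";` survives on the context line above although the only binding that consumed it, `ps.setString(5, subid)`, is removed in the -355 hunk below; if nothing else in the method reads it, the declaration is now dead and should be dropped with the binding. Declaring `ResultSet rs;` here, some forty lines ahead of its single assignment inside the try block, also reads better as a local introduced at the point of use. The enclosing method starts before this hunk and ends after it.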
@@ -334,8 +336,7 @@ public class StatisticsServlet extends BaseServlet {
 if (endTime == null && startTime == null) {
sql = SQL_SELECT_NAME + "?" + SQL_FEED_ID + SQL_SELECT_COUNT + "?" + SQL_TYPE_PUB + SQL_SELECT_SUM
+ "?" + SQL_PUBLISH_LENGTH + SQL_SUBSCRIBER_URL + SQL_SUB_ID + SQL_DELIVERY_TIME + SQL_AVERAGE_DELAY
- + SQL_JOIN_RECORDS + "?" + ") " + "?" + SQL_STATUS_204
- + SQL_GROUP_SUB_ID;
+ + SQL_JOIN_RECORDS + "?" + ") " + SQL_STATUS_204 + SQL_GROUP_SUB_ID;
compareType = "default";
} else if (startTime != null && endTime == null) {
long inputTimeInMilli = 60000 * Long.parseLong(startTime);
@@ -344,9 +345,9 @@ public class StatisticsServlet extends BaseServlet {
 compareTime = currentTimeInMilli - inputTimeInMilli;
sql = SQL_SELECT_NAME + "?" + SQL_FEED_ID + SQL_SELECT_COUNT + "?" + SQL_TYPE_PUB + SQL_SELECT_SUM
+ "?" + SQL_PUBLISH_LENGTH + SQL_SUBSCRIBER_URL + SQL_SUB_ID + SQL_DELIVERY_TIME + SQL_AVERAGE_DELAY
- + SQL_JOIN_RECORDS + "?" + ") " + "?" + SQL_STATUS_204
+ + SQL_JOIN_RECORDS + "?" + ") " + SQL_STATUS_204
+ " and e.event_time>=" + "?" + SQL_GROUP_SUB_ID;
- compareType = "start";
+ compareType = START;
} else {
SimpleDateFormat inFormat = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss");
Date startDate = inFormat.parse(startTime);
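Review bot: `compareType = START;` promotes one of the three comparison-mode tags to a constant while `"default"` (previous hunk) and `"startAndEnd"` (next hunk, both at its assignment and in `compareType.equals("startAndEnd")`) stay as literals, so a typo in either would still compile and silently skip the parameter binding it guards. A small `private enum CompareType { DEFAULT, START, START_AND_END }` — or at minimum `private static final String START_AND_END = "startAndEnd";` — would make the mode handling consistent and checkable. Note also that `START` doubles as the request-parameter name in `req.getParameter(START)` in the -491 hunk, so reusing it as an internal mode tag couples two unrelated meanings under one constant. The surrounding method starts and ends outside this hunk.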
@@ -355,32 +356,28 @@ public class StatisticsServlet extends BaseServlet {
 endInMillis = endDate.getTime();
sql = SQL_SELECT_NAME + "?" + SQL_FEED_ID + SQL_SELECT_COUNT + "?" + SQL_TYPE_PUB + SQL_SELECT_SUM
+ "?" + SQL_PUBLISH_LENGTH + SQL_SUBSCRIBER_URL + SQL_SUB_ID + SQL_DELIVERY_TIME + SQL_AVERAGE_DELAY
- + SQL_JOIN_RECORDS + "?" + ") " + "?" + SQL_STATUS_204
+ + SQL_JOIN_RECORDS + "?" + ") " + SQL_STATUS_204
+ " and e.event_time between " + "?" + " and " + "?" + SQL_GROUP_SUB_ID;
compareType = "startAndEnd";
}
- try (Connection conn = ProvDbUtils.getInstance().getConnection()) {
+ try (Connection conn = ProvDbUtils.getInstance().getConnection();
+ PreparedStatement ps = conn.prepareStatement(sql)) {
eventlogger.debug("SQL Query for Statistics resultset. " + sql);
intlogger.debug(sql);
- ps = conn.prepareStatement(sql);
ps.setString(1, feedids);
ps.setString(2, feedids);
ps.setString(3, feedids);
ps.setString(4, feedids);
- ps.setString(5, subid);
- if (compareType.equals("start")) {
- ps.setLong(6, compareTime);
+ if (compareType.equals(START)) {
+ ps.setLong(5, compareTime);
}
if (compareType.equals("startAndEnd")) {
- ps.setLong(6, startInMillis);
- ps.setLong(7, endInMillis);
- }
- } finally {
- if (ps != null) {
- ps.close();
+ ps.setLong(5, startInMillis);
+ ps.setLong(6, endInMillis);
}
+ rs = ps.executeQuery();
+ parseResult(outputType, out, resp, rs);
}
- return ps;
}
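Review bot: The four `ps.setString(n, feedids)` bindings kept here each pass `feedids` as a single string parameter, yet the first placeholder sits directly inside `f.FEEDID in(` (`SQL_SELECT_NAME`, visible in the first hunk) and the fourth is followed by `") "`, which looks like the close of another IN list. If `feedids` is a comma-separated list, as the `FEEDIDS` name and the IN syntax suggest, the database compares each FEEDID against the whole string (e.g. the literal `1,2,3`) and the query silently matches nothing; a parameterised IN list needs one `?` per id, generated from the split list and bound in a loop, so a CSIT case requesting two feed ids would confirm the behaviour. Independently, `rs = ps.executeQuery();` followed by `parseResult(outputType, out, resp, rs);` relies on the implicit close of `ps` to release the result set; `try (ResultSet rs = ps.executeQuery()) { parseResult(outputType, out, resp, rs); }` restores the explicit scoping the removed `executeQuery` had and lets the separate `ResultSet rs;` declaration in the -315 hunk go. The method begins in the -301 hunk above.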
@@ -491,7 +488,7 @@ public class StatisticsServlet extends BaseServlet {
 }
}
- long stime = getTimeFromParam(req.getParameter("start"));
+ long stime = getTimeFromParam(req.getParameter(START));
if (stime < 0) {
map.put("err", "bad start");
return map;
@@ -540,12 +537,12 @@ public class StatisticsServlet extends BaseServlet {
 HttpServletResponse resp) {
eventlogger.info("Generating sql query to get Statistics resultset. ");
try {
- PreparedStatement ps = this.queryGeneretor(map);
long start = System.currentTimeMillis();
- executeQuery(outputType, out, resp, ps);
+ this.getResultSet(map, outputType, out, resp);
intlogger.debug("Time: " + (System.currentTimeMillis() - start) + " ms");
} catch (SQLException e) {
- eventlogger.error("SQLException:" + e);
+ eventlogger.error("SQLException:" + e.getMessage());
+ e.printStackTrace();
} catch (IOException e) {
eventlogger.error("IOException - Generating JSON/CSV:" + e);
} catch (JSONException e) {
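Review bot: `e.printStackTrace();` in the new SQLException handler writes the trace to stderr, bypassing the logback configuration this commit also adds, and `"SQLException:" + e.getMessage()` drops the exception type and cause chain; assuming `eventlogger` exposes the usual (String, Throwable) overload, the single line `eventlogger.error("SQLException: " + e.getMessage(), e);` replaces both and keeps the trace in the event log. The `start` timer two lines above now also covers SQL generation, since `getResultSet` builds and executes the statement in one call, so the `"Time: ..."` debug message no longer measures execution alone — fine if intended, but worth a word in the message. The enclosing method starts and ends outside this hunk.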
@@ -555,22 +552,18 @@ public class StatisticsServlet extends BaseServlet {
 }
}
- private void executeQuery(String outputType, ServletOutputStream out, HttpServletResponse resp,
- PreparedStatement ps) throws IOException {
- try (ResultSet rs = ps.executeQuery()) {
- if (CSV_OUTPUT_TYPE.equals(outputType)) {
- resp.setContentType("application/octet-stream");
- DateTimeFormatter formatter = DateTimeFormatter.ofPattern("dd-MM-yyyy HH:mm:ss");
- resp.setHeader("Content-Disposition",
- "attachment; filename=\"result:" + LocalDateTime.now().format(formatter) + ".csv\"");
- eventlogger.info("Generating CSV file from Statistics resultset");
- rsToCSV(rs, out);
- } else {
- eventlogger.info("Generating JSON for Statistics resultset");
- this.rsToJson(rs, out);
- }
- } catch (SQLException e) {
- eventlogger.error("SQLException:" + e);
+ private void parseResult(String outputType, ServletOutputStream out, HttpServletResponse resp,
+ ResultSet rs) throws IOException, SQLException {
+ if (CSV_OUTPUT_TYPE.equals(outputType)) {
+ resp.setContentType("application/octet-stream");
+ DateTimeFormatter formatter = DateTimeFormatter.ofPattern("dd-MM-yyyy HH:mm:ss");
+ resp.setHeader("Content-Disposition",
+ "attachment; filename=\"result:" + LocalDateTime.now().format(formatter) + ".csv\"");
+ eventlogger.info("Generating CSV file from Statistics resultset");
+ rsToCSV(rs, out);
+ } else {
+ eventlogger.info("Generating JSON for Statistics resultset");
+ this.rsToJson(rs, out);
}
}
}
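Review bot: `parseResult` is a new private method with no Javadoc, and its name suggests reading the result while it actually sets response headers and streams the result set as CSV or JSON. Suggest a one-line Javadoc, "Write the result set to the response as CSV or JSON according to outputType", with an `@param rs` noting that the result set is owned by the caller and released when its PreparedStatement is closed, since this method no longer closes it (the removed try-with-resources in `executeQuery` did). The carried-over `Content-Disposition` filename `result:<timestamp>.csv` contains a colon, which is not a legal filename character on every client platform; a `-` separator would be a harmless improvement while the line is being moved.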