aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorConor Ward <conor.ward@ericsson.com>2018-09-17 06:45:07 +0000
committerConor Ward <conor.ward@ericsson.com>2018-09-17 15:17:32 +0000
commit6e41fb8a999c662d612e01b6fe30350ea5979dca (patch)
tree062d5bf681b16396200d3dbcfd56e399e50fa52b
parent1298e6487340fcb1644c4a0a7e06026d156bdf8f (diff)
Fix InternalServlet Vulenrabilities
Change-Id: I6b733b9cde0e331a1ad48833e294435179606852 Signed-off-by: Conor Ward <conor.ward@ericsson.com> Issue-ID: DMAAP-775
-rw-r--r--datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/InternalServlet.java140
-rwxr-xr-xdatarouter-prov/src/main/resources/provserver.properties3
-rwxr-xr-xdatarouter-prov/src/test/resources/h2Database.properties3
3 files changed, 98 insertions, 48 deletions
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/InternalServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/InternalServlet.java
index 10aea782..c35978b6 100644
--- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/InternalServlet.java
+++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/InternalServlet.java
@@ -51,6 +51,8 @@ import org.onap.dmaap.datarouter.provisioning.utils.RLEBitSet;
import com.att.eelf.configuration.EELFLogger;
import com.att.eelf.configuration.EELFManager;
+import static org.onap.dmaap.datarouter.provisioning.utils.HttpServletUtils.sendResponseError;
+
/**
* <p>
* This servlet handles requests to URLs under /internal on the provisioning server. These include:
@@ -164,7 +166,7 @@ public class InternalServlet extends ProxyServlet {
* details on how this method should be invoked.
*/
@Override
- public void doDelete(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ public void doDelete(HttpServletRequest req, HttpServletResponse resp) {
setIpAndFqdnForEelf("doDelete");
eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_FEEDID, req.getHeader(BEHALF_HEADER), getIdFromPath(req) + "");
EventLogRecord elr = new EventLogRecord(req);
@@ -172,14 +174,18 @@ public class InternalServlet extends ProxyServlet {
elr.setMessage("Unauthorized.");
elr.setResult(HttpServletResponse.SC_FORBIDDEN);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Unauthorized.");
+ sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, "Unauthorized.", eventlogger);
return;
}
String path = req.getPathInfo();
if (path.startsWith("/api/")) {
if (isProxyOK(req) && isProxyServer()) {
- super.doDelete(req, resp);
+ try {
+ super.doDelete(req, resp);
+ } catch (IOException ioe) {
+ intlogger.error("IOException" + ioe.getMessage());
+ }
return;
}
String key = path.substring(5);
@@ -196,13 +202,13 @@ public class InternalServlet extends ProxyServlet {
// Something went wrong with the DELETE
elr.setResult(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG);
+ sendResponseError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG, eventlogger);
}
return;
}
}
}
- resp.sendError(HttpServletResponse.SC_NOT_FOUND, "Bad URL.");
+ sendResponseError(resp, HttpServletResponse.SC_NOT_FOUND, "Bad URL.", eventlogger);
}
/**
@@ -210,14 +216,15 @@ public class InternalServlet extends ProxyServlet {
* document for details on how this method should be invoked.
*/
@Override
- public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ public void doGet(HttpServletRequest req, HttpServletResponse resp) {
setIpAndFqdnForEelf("doGet");
eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_FEEDID, req.getHeader(BEHALF_HEADER), getIdFromPath(req) + "");
String path = req.getPathInfo();
+ Properties props = (new DB()).getProperties();
if (path.equals("/halt") && !req.isSecure()) {
// request to halt the server - can ONLY come from localhost
String remote = req.getRemoteAddr();
- if (remote.equals("127.0.0.1")) {
+ if (remote.equals(props.getProperty("org.onap.dmaap.datarouter.provserver.localhost"))) {
intlogger.info("PROV0009 Request to HALT received.");
resp.setStatus(HttpServletResponse.SC_OK);
Main.shutdown();
@@ -233,7 +240,7 @@ public class InternalServlet extends ProxyServlet {
elr.setMessage("Unauthorized.");
elr.setResult(HttpServletResponse.SC_FORBIDDEN);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Unauthorized.");
+ sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, "Unauthorized.", eventlogger);
return;
}
if (path.equals("/fetchProv") && !req.isSecure()) {
@@ -250,7 +257,7 @@ public class InternalServlet extends ProxyServlet {
return;
}
} catch (IOException ioe) {
- intlogger.error("Error: " + ioe.getMessage());
+ intlogger.error("IOException" + ioe.getMessage());
}
// fall back to returning the local data if the remote is unreachable
intlogger.info("Active server unavailable; falling back to local copy.");
@@ -258,18 +265,25 @@ public class InternalServlet extends ProxyServlet {
Poker p = Poker.getPoker();
resp.setStatus(HttpServletResponse.SC_OK);
resp.setContentType(PROVFULL_CONTENT_TYPE2);
- resp.getOutputStream().print(p.getProvisioningString());
+ try {
+ resp.getOutputStream().print(p.getProvisioningString());
+ } catch (IOException ioe) {
+ intlogger.error("IOException" + ioe.getMessage());
+ }
return;
}
if (path.equals("/logs") || path.equals("/logs/")) {
resp.setStatus(HttpServletResponse.SC_OK);
resp.setContentType("application/json");
- resp.getOutputStream().print(generateLogfileList().toString());
+ try {
+ resp.getOutputStream().print(generateLogfileList().toString());
+ } catch (IOException ioe) {
+ intlogger.error("IOException" + ioe.getMessage());
+ }
return;
}
if (path.startsWith("/logs/")) {
- Properties p = (new DB()).getProperties();
- String logdir = p.getProperty("org.onap.dmaap.datarouter.provserver.accesslog.dir");
+ String logdir = props.getProperty("org.onap.dmaap.datarouter.provserver.accesslog.dir");
String logfile = path.substring(6);
if (logdir != null && logfile != null && logfile.indexOf('/') < 0) {
File log = new File(logdir + "/" + logfile);
@@ -277,16 +291,24 @@ public class InternalServlet extends ProxyServlet {
resp.setStatus(HttpServletResponse.SC_OK);
resp.setContentType("text/plain");
Path logpath = Paths.get(log.getAbsolutePath());
- Files.copy(logpath, resp.getOutputStream());
+ try {
+ Files.copy(logpath, resp.getOutputStream());
+ } catch (IOException ioe) {
+ intlogger.error("IOException" + ioe.getMessage());
+ }
return;
}
}
- resp.sendError(HttpServletResponse.SC_NO_CONTENT, "No file.");
+ sendResponseError(resp, HttpServletResponse.SC_NO_CONTENT, "No file.", eventlogger);
return;
}
if (path.startsWith("/api/")) {
if (isProxyOK(req) && isProxyServer()) {
- super.doGet(req, resp);
+ try {
+ super.doGet(req, resp);
+ } catch (IOException ioe) {
+ intlogger.error("IOException" + ioe.getMessage());
+ }
return;
}
String key = path.substring(5);
@@ -295,7 +317,11 @@ public class InternalServlet extends ProxyServlet {
if (param != null) {
resp.setStatus(HttpServletResponse.SC_OK);
resp.setContentType("text/plain");
- resp.getOutputStream().print(param.getValue() + "\n");
+ try {
+ resp.getOutputStream().print(param.getValue() + "\n");
+ } catch (IOException ioe) {
+ intlogger.error("IOException" + ioe.getMessage());
+ }
return;
}
}
@@ -305,10 +331,14 @@ public class InternalServlet extends ProxyServlet {
LogfileLoader lfl = LogfileLoader.getLoader();
resp.setStatus(HttpServletResponse.SC_OK);
resp.setContentType("text/plain");
- resp.getOutputStream().print(lfl.getBitSet().toString());
+ try {
+ resp.getOutputStream().print(lfl.getBitSet().toString());
+ } catch (IOException ioe) {
+ intlogger.error("IOException" + ioe.getMessage());
+ }
return;
}
- resp.sendError(HttpServletResponse.SC_NOT_FOUND, "Bad URL.");
+ sendResponseError(resp, HttpServletResponse.SC_NOT_FOUND, "Bad URL.", eventlogger);
}
/**
@@ -316,7 +346,7 @@ public class InternalServlet extends ProxyServlet {
* details on how this method should be invoked.
*/
@Override
- public void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ public void doPut(HttpServletRequest req, HttpServletResponse resp) {
setIpAndFqdnForEelf("doPut");
eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_FEEDID, req.getHeader(BEHALF_HEADER), getIdFromPath(req) + "");
EventLogRecord elr = new EventLogRecord(req);
@@ -324,13 +354,17 @@ public class InternalServlet extends ProxyServlet {
elr.setMessage("Unauthorized.");
elr.setResult(HttpServletResponse.SC_FORBIDDEN);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Unauthorized.");
+ sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, "Unauthorized.", eventlogger);
return;
}
String path = req.getPathInfo();
if (path.startsWith("/api/")) {
if (isProxyOK(req) && isProxyServer()) {
- super.doPut(req, resp);
+ try {
+ super.doPut(req, resp);
+ } catch (IOException ioe) {
+ intlogger.error("IOException" + ioe.getMessage());
+ }
return;
}
String key = path.substring(5);
@@ -349,13 +383,13 @@ public class InternalServlet extends ProxyServlet {
// Something went wrong with the UPDATE
elr.setResult(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG);
+ sendResponseError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG, eventlogger);
}
return;
}
}
}
- resp.sendError(HttpServletResponse.SC_NOT_FOUND, "Bad URL.");
+ sendResponseError(resp, HttpServletResponse.SC_NOT_FOUND, "Bad URL.", eventlogger);
}
/**
@@ -364,7 +398,7 @@ public class InternalServlet extends ProxyServlet {
*/
@SuppressWarnings("resource")
@Override
- public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ public void doPost(HttpServletRequest req, HttpServletResponse resp) {
setIpAndFqdnForEelf("doPost");
eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF, req.getHeader(BEHALF_HEADER));
EventLogRecord elr = new EventLogRecord(req);
@@ -372,14 +406,18 @@ public class InternalServlet extends ProxyServlet {
elr.setMessage("Unauthorized.");
elr.setResult(HttpServletResponse.SC_FORBIDDEN);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Unauthorized.");
+ sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, "Unauthorized.", eventlogger);
return;
}
String path = req.getPathInfo();
if (path.startsWith("/api/")) {
if (isProxyOK(req) && isProxyServer()) {
- super.doPost(req, resp);
+ try {
+ super.doPost(req, resp);
+ } catch (IOException ioe) {
+ intlogger.error("IOException" + ioe.getMessage());
+ }
return;
}
String key = path.substring(5);
@@ -398,7 +436,7 @@ public class InternalServlet extends ProxyServlet {
// Something went wrong with the INSERT
elr.setResult(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG);
+ sendResponseError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG, eventlogger);
}
return;
}
@@ -437,8 +475,12 @@ public class InternalServlet extends ProxyServlet {
long total = 0;
long avail = 0;
for (FileStore store : fs.getFileStores()) {
- total += store.getTotalSpace();
- avail += store.getUsableSpace();
+ try {
+ total += store.getTotalSpace();
+ avail += store.getUsableSpace();
+ } catch (IOException ioe) {
+ intlogger.error("IOException" + ioe.getMessage());
+ }
}
try {
fs.close();
@@ -452,12 +494,16 @@ public class InternalServlet extends ProxyServlet {
}
Path tmppath = Paths.get(spooldir, spoolname);
Path donepath = Paths.get(spooldir, "IN." + spoolname);
- Files.copy(req.getInputStream(), Paths.get(spooldir, spoolname), StandardCopyOption.REPLACE_EXISTING);
- Files.move(tmppath, donepath, StandardCopyOption.REPLACE_EXISTING);
- elr.setResult(HttpServletResponse.SC_CREATED);
- resp.setStatus(HttpServletResponse.SC_CREATED);
- eventlogger.info(elr);
- LogfileLoader.getLoader(); // This starts the logfile loader "task"
+ try {
+ Files.copy(req.getInputStream(), Paths.get(spooldir, spoolname), StandardCopyOption.REPLACE_EXISTING);
+ Files.move(tmppath, donepath, StandardCopyOption.REPLACE_EXISTING);
+ elr.setResult(HttpServletResponse.SC_CREATED);
+ resp.setStatus(HttpServletResponse.SC_CREATED);
+ eventlogger.info(elr);
+ LogfileLoader.getLoader(); // This starts the logfile loader "task"
+ } catch (IOException ioe) {
+ intlogger.error("IOException" + ioe.getMessage());
+ }
return;
}
@@ -471,27 +517,27 @@ public class InternalServlet extends ProxyServlet {
eventlogger.info(elr);
return;
}
- InputStream is = req.getInputStream();
- ByteArrayOutputStream bos = new ByteArrayOutputStream();
- int ch;
try {
+ InputStream is = req.getInputStream();
+ ByteArrayOutputStream bos = new ByteArrayOutputStream();
+ int ch;
while ((ch = is.read()) >= 0) {
bos.write(ch);
}
+ RLEBitSet bs = new RLEBitSet(bos.toString()); // The set of records to retrieve
+ elr.setResult(HttpServletResponse.SC_OK);
+ resp.setStatus(HttpServletResponse.SC_OK);
+ resp.setContentType("text/plain");
+ LogRecord.printLogRecords(resp.getOutputStream(), bs);
+ eventlogger.info(elr);
} catch (IOException ioe) {
- intlogger.error("Error: " + ioe.getMessage());
+ intlogger.error("IOException" + ioe.getMessage());
}
- RLEBitSet bs = new RLEBitSet(bos.toString()); // The set of records to retrieve
- elr.setResult(HttpServletResponse.SC_OK);
- resp.setStatus(HttpServletResponse.SC_OK);
- resp.setContentType("text/plain");
- LogRecord.printLogRecords(resp.getOutputStream(), bs);
- eventlogger.info(elr);
return;
}
elr.setResult(HttpServletResponse.SC_NOT_FOUND);
- resp.sendError(HttpServletResponse.SC_NOT_FOUND, "Bad URL.");
+ sendResponseError(resp, HttpServletResponse.SC_NOT_FOUND, "Bad URL.", eventlogger);
eventlogger.info(elr);
}
diff --git a/datarouter-prov/src/main/resources/provserver.properties b/datarouter-prov/src/main/resources/provserver.properties
index 744bc9ce..84218b9f 100755
--- a/datarouter-prov/src/main/resources/provserver.properties
+++ b/datarouter-prov/src/main/resources/provserver.properties
@@ -42,6 +42,9 @@ org.onap.dmaap.datarouter.provserver.logretention = 30
# relaxation to accommodate OOM kubernetes deploy
org.onap.dmaap.datarouter.provserver.isaddressauthenabled = false
+#Localhost address config
+org.onap.dmaap.datarouter.provserver.localhost = 127.0.0.1
+
# Database access
org.onap.dmaap.datarouter.db.driver = org.mariadb.jdbc.Driver
org.onap.dmaap.datarouter.db.url = jdbc:mariadb://172.100.0.2:3306/datarouter
diff --git a/datarouter-prov/src/test/resources/h2Database.properties b/datarouter-prov/src/test/resources/h2Database.properties
index 336af0e2..a7ed3fa0 100755
--- a/datarouter-prov/src/test/resources/h2Database.properties
+++ b/datarouter-prov/src/test/resources/h2Database.properties
@@ -27,4 +27,5 @@ org.onap.dmaap.datarouter.db.url = jdbc:h2:mem:test;DB
org.onap.dmaap.datarouter.provserver.isaddressauthenabled = true
org.onap.dmaap.datarouter.provserver.https.relaxation = false
org.onap.dmaap.datarouter.provserver.accesslog.dir = unit-test-logs
-org.onap.dmaap.datarouter.provserver.spooldir = unit-test-logs/spool \ No newline at end of file
+org.onap.dmaap.datarouter.provserver.spooldir = unit-test-logs/spool
+org.onap.dmaap.datarouter.provserver.localhost = 127.0.0.1 \ No newline at end of file