authorConor Ward <conor.ward@ericsson.com>2018-09-14 13:22:18 +0000
committerConor Ward <conor.ward@ericsson.com>2018-09-17 10:17:01 +0000
commitc2a3499c9dd1ca8f531da8b23c06d71e4fecf428 (patch)
tree905be617dd19889e1b6a0060e7ef6191f16b358b
parentd6c28ce28b8c66fe9784af894cf9385f6d2c8e76 (diff)
Fix Vulnerabilities in SubscriptionServlet
Change-Id: I3ba9192d334a6023756eaac217999b01e598d7cb Signed-off-by: Conor Ward <conor.ward@ericsson.com> Issue-ID: DMAAP-775
-rw-r--r--datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscriptionServlet.java115
-rw-r--r--datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/HttpServletUtils.java38
2 files changed, 110 insertions, 43 deletions
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscriptionServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscriptionServlet.java
index 3294580b..3bfa7507 100644
--- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscriptionServlet.java
+++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscriptionServlet.java
@@ -44,6 +44,8 @@ import org.onap.dmaap.datarouter.provisioning.eelf.EelfMsgs;
import com.att.eelf.configuration.EELFLogger;
import com.att.eelf.configuration.EELFManager;
+import static org.onap.dmaap.datarouter.provisioning.utils.HttpServletUtils.sendResponseError;
+
/**
* This servlet handles provisioning for the &lt;subscriptionURL&gt; which is generated by the provisioning server to
* handle the inspection, modification, and deletion of a particular subscription to a feed. It supports DELETE to
@@ -66,7 +68,7 @@ public class SubscriptionServlet extends ProxyServlet {
* the <b>Provisioning API</b> document for details on how this method should be invoked.
*/
@Override
- public void doDelete(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ public void doDelete(HttpServletRequest req, HttpServletResponse resp) {
setIpAndFqdnForEelf("doDelete");
eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_SUBID, req.getHeader(BEHALF_HEADER), getIdFromPath(req) + "");
EventLogRecord elr = new EventLogRecord(req);
@@ -75,11 +77,15 @@ public class SubscriptionServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_FORBIDDEN);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_FORBIDDEN, message);
+ sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger);
return;
}
if (isProxyServer()) {
- super.doDelete(req, resp);
+ try {
+ super.doDelete(req, resp);
+ } catch (IOException ioe) {
+ eventlogger.error("IOException: " + ioe.getMessage());
+ }
return;
}
String bhdr = req.getHeader(BEHALF_HEADER);
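Review bot: The new catch around `super.doDelete(req, resp)` swallows the IOException without setting any error status, so a failed proxy round-trip now completes the request "successfully" with whatever was buffered (typically an empty 200 body), and the stack trace is dropped because only `ioe.getMessage()` is logged. Log the throwable, `eventlogger.error("IOException: " + ioe.getMessage(), ioe);`, and fail the response when it is still open, `if (!resp.isCommitted()) { sendResponseError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "proxy request failed", eventlogger); }`. The identical pattern is introduced in the doGet, doPut and doPost proxy branches below and should be fixed the same way. doDelete's body continues outside this hunk.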
@@ -88,7 +94,7 @@ public class SubscriptionServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
int subid = getIdFromPath(req);
@@ -97,7 +103,7 @@ public class SubscriptionServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
Subscription sub = Subscription.getSubscriptionById(subid);
@@ -106,7 +112,7 @@ public class SubscriptionServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_NOT_FOUND);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_NOT_FOUND, message);
+ sendResponseError(resp, HttpServletResponse.SC_NOT_FOUND, message, eventlogger);
return;
}
// Check with the Authorizer
@@ -116,7 +122,7 @@ public class SubscriptionServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_FORBIDDEN);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_FORBIDDEN, message);
+ sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger);
return;
}
@@ -132,7 +138,7 @@ public class SubscriptionServlet extends ProxyServlet {
// Something went wrong with the DELETE
elr.setResult(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG);
+ sendResponseError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG, intlogger);
}
}
@@ -142,7 +148,7 @@ public class SubscriptionServlet extends ProxyServlet {
* invoked.
*/
@Override
- public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ public void doGet(HttpServletRequest req, HttpServletResponse resp) {
setIpAndFqdnForEelf("doGet");
eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_SUBID, req.getHeader(BEHALF_HEADER), getIdFromPath(req) + "");
EventLogRecord elr = new EventLogRecord(req);
@@ -151,11 +157,15 @@ public class SubscriptionServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_FORBIDDEN);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_FORBIDDEN, message);
+ sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger);
return;
}
if (isProxyServer()) {
- super.doGet(req, resp);
+ try {
+ super.doGet(req, resp);
+ } catch (IOException ioe) {
+ eventlogger.error("IOException: " + ioe.getMessage());
+ }
return;
}
String bhdr = req.getHeader(BEHALF_HEADER);
@@ -164,7 +174,7 @@ public class SubscriptionServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
int subid = getIdFromPath(req);
@@ -173,7 +183,7 @@ public class SubscriptionServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
Subscription sub = Subscription.getSubscriptionById(subid);
@@ -182,7 +192,7 @@ public class SubscriptionServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_NOT_FOUND);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_NOT_FOUND, message);
+ sendResponseError(resp, HttpServletResponse.SC_NOT_FOUND, message, eventlogger);
return;
}
// Check with the Authorizer
@@ -192,7 +202,7 @@ public class SubscriptionServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_FORBIDDEN);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_FORBIDDEN, message);
+ sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger);
return;
}
@@ -201,7 +211,11 @@ public class SubscriptionServlet extends ProxyServlet {
eventlogger.info(elr);
resp.setStatus(HttpServletResponse.SC_OK);
resp.setContentType(SUBFULL_CONTENT_TYPE);
- resp.getOutputStream().print(sub.asJSONObject(true).toString());
+ try {
+ resp.getOutputStream().print(sub.asJSONObject(true).toString());
+ } catch (IOException ioe) {
+ eventlogger.error("IOException: " + ioe.getMessage());
+ }
}
/**
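Review bot: Wrapping `resp.getOutputStream().print(...)` in a catch that only logs turns a write failure into a silently truncated success: the 200 status and content type are already set on the lines above, so the client gets a partial or empty body with no indication of error, and the log line lacks the throwable. The base `javax.servlet.ServletOutputStream.print(String)` writes each char as a single byte and throws CharConversionException for any character above U+00FF (containers may override this), so a subscription containing non-Latin-1 text would land in exactly this path. Writing explicit UTF-8 bytes, `resp.getOutputStream().write(sub.asJSONObject(true).toString().getBytes(StandardCharsets.UTF_8));`, removes that failure mode (needs a `java.nio.charset.StandardCharsets` import), and the catch should read `eventlogger.error("IOException: " + ioe.getMessage(), ioe);`. The same applies to the doPut response write further down; doGet starts outside this hunk.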
@@ -209,7 +223,7 @@ public class SubscriptionServlet extends ProxyServlet {
* the <b>Provisioning API</b> document for details on how this method should be invoked.
*/
@Override
- public void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ public void doPut(HttpServletRequest req, HttpServletResponse resp) {
setIpAndFqdnForEelf("doPut");
eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_SUBID, req.getHeader(BEHALF_HEADER), getIdFromPath(req) + "");
EventLogRecord elr = new EventLogRecord(req);
@@ -218,11 +232,15 @@ public class SubscriptionServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_FORBIDDEN);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_FORBIDDEN, message);
+ sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger);
return;
}
if (isProxyServer()) {
- super.doPut(req, resp);
+ try {
+ super.doPut(req, resp);
+ } catch (IOException ioe) {
+ eventlogger.error("IOException: " + ioe.getMessage());
+ }
return;
}
String bhdr = req.getHeader(BEHALF_HEADER);
@@ -231,7 +249,7 @@ public class SubscriptionServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
int subid = getIdFromPath(req);
@@ -240,7 +258,7 @@ public class SubscriptionServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
Subscription oldsub = Subscription.getSubscriptionById(subid);
@@ -249,7 +267,7 @@ public class SubscriptionServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_NOT_FOUND);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_NOT_FOUND, message);
+ sendResponseError(resp, HttpServletResponse.SC_NOT_FOUND, message, eventlogger);
return;
}
// Check with the Authorizer
@@ -259,7 +277,7 @@ public class SubscriptionServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_FORBIDDEN);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_FORBIDDEN, message);
+ sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger);
return;
}
// check content type is SUB_CONTENT_TYPE, version 1.0
@@ -270,7 +288,7 @@ public class SubscriptionServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, message);
+ sendResponseError(resp, HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, message, eventlogger);
return;
}
JSONObject jo = getJSONfromInput(req);
@@ -279,7 +297,7 @@ public class SubscriptionServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
if (intlogger.isDebugEnabled()) {
@@ -293,7 +311,7 @@ public class SubscriptionServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
sub.setSubid(oldsub.getSubid());
@@ -306,7 +324,7 @@ public class SubscriptionServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
@@ -317,14 +335,22 @@ public class SubscriptionServlet extends ProxyServlet {
eventlogger.info(elr);
resp.setStatus(HttpServletResponse.SC_OK);
resp.setContentType(SUBFULL_CONTENT_TYPE);
- resp.getOutputStream().print(sub.asLimitedJSONObject().toString());
+ try {
+ resp.getOutputStream().print(sub.asLimitedJSONObject().toString());
+ } catch (IOException ioe) {
+ eventlogger.error("IOException: " + ioe.getMessage());
+ }
/**Change Owner ship of Subscriber Adding for group feature:Rally US708115*/
if (jo.has("changeowner") && subjectgroup != null) {
- Boolean changeowner = (Boolean) jo.get("changeowner");
- if (changeowner != null && changeowner.equals(true)) {
- sub.setSubscriber(req.getHeader(BEHALF_HEADER));
- sub.changeOwnerShip();
+ try {
+ Boolean changeowner = (Boolean) jo.get("changeowner");
+ if (changeowner != null && changeowner.equals(true)) {
+ sub.setSubscriber(req.getHeader(BEHALF_HEADER));
+ sub.changeOwnerShip();
+ }
+ } catch (JSONException je) {
+ eventlogger.error("JSONException: " + je.getMessage());
}
}
/***End of change ownership*/
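Review bot: The JSONException catch added around the changeowner block guards against a failure that cannot occur there while missing the one that can: `jo.has("changeowner")` already rules out the missing-key JSONException from `jo.get` (assuming org.json's JSONObject, which the JSONException type suggests), whereas a non-boolean value such as `"changeowner": "true"` fails the `(Boolean)` cast with a ClassCastException that still escapes as an unhandled 500. Replacing the get-and-cast with `if (jo.optBoolean("changeowner", false)) { sub.setSubscriber(req.getHeader(BEHALF_HEADER)); sub.changeOwnerShip(); }` removes both the cast and the try/catch. Note also that the success status and body are flushed on the lines above before ownership is switched to the on-behalf-of header value, so any failure in `changeOwnerShip()` is invisible to the caller; if the write is kept there, at least log the caught exception with its throwable (`eventlogger.error("JSONException: " + je.getMessage(), je);`). The enclosing branch begins outside this hunk.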
@@ -334,7 +360,7 @@ public class SubscriptionServlet extends ProxyServlet {
// Something went wrong with the UPDATE
elr.setResult(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG);
+ sendResponseError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG, intlogger);
}
}
@@ -343,7 +369,7 @@ public class SubscriptionServlet extends ProxyServlet {
* Schedule</i> section in the <b>Provisioning API</b> document for details on how this method should be invoked.
*/
@Override
- public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ public void doPost(HttpServletRequest req, HttpServletResponse resp) {
// OLD pre-3.0 code
// String message = "POST not allowed for the subscriptionURL.";
// EventLogRecord elr = new EventLogRecord(req);
@@ -360,11 +386,15 @@ public class SubscriptionServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_FORBIDDEN);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_FORBIDDEN, message);
+ sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger);
return;
}
if (isProxyServer()) {
- super.doPost(req, resp);
+ try {
+ super.doPost(req, resp);
+ } catch (IOException ioe) {
+ eventlogger.error("IOException: " + ioe.getMessage());
+ }
return;
}
String bhdr = req.getHeader(BEHALF_HEADER);
@@ -373,7 +403,7 @@ public class SubscriptionServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
final int subid = getIdFromPath(req);
@@ -382,7 +412,7 @@ public class SubscriptionServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
// check content type is SUBCNTRL_CONTENT_TYPE, version 1.0
@@ -393,7 +423,7 @@ public class SubscriptionServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, message);
+ sendResponseError(resp, HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, message, eventlogger);
return;
}
// Check with the Authorizer
@@ -403,7 +433,7 @@ public class SubscriptionServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_FORBIDDEN);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_FORBIDDEN, message);
+ sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger);
return;
}
JSONObject jo = getJSONfromInput(req);
@@ -412,7 +442,7 @@ public class SubscriptionServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
try {
@@ -434,7 +464,7 @@ public class SubscriptionServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
}
}
@@ -474,7 +504,6 @@ public class SubscriptionServlet extends ProxyServlet {
}
} catch (Exception e) {
intlogger.warn("Caught exception in SubscriberNotifyThread: " + e);
- e.printStackTrace();
}
}
}
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/HttpServletUtils.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/HttpServletUtils.java
new file mode 100644
index 00000000..ce287f4d
--- /dev/null
+++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/HttpServletUtils.java
@@ -0,0 +1,38 @@
+/*******************************************************************************
+ * ============LICENSE_START==================================================
+ * * org.onap.dmaap
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * *
+ * * http://www.apache.org/licenses/LICENSE-2.0
+ * *
+ * * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.dmaap.datarouter.provisioning.utils;
+
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+import org.apache.log4j.Logger;
+
+public class HttpServletUtils {
+ public static void sendResponseError(HttpServletResponse response, int errorCode, String message, Logger intlogger) {
+ try {
+ response.sendError(errorCode, message);
+ } catch (IOException ioe) {
+ intlogger.error("IOException" + ioe.getMessage());
+ }
+ }
+}
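Review bot: The catch in `sendResponseError` logs `"IOException" + ioe.getMessage()` with no separator and without the throwable, so the stack trace is lost for every error path in the servlet; use `intlogger.error("IOException: " + ioe.getMessage(), ioe);`. `HttpServletResponse.sendError` throws IllegalStateException, not IOException, once the response is committed, which this catch does not cover and which is reachable from the handlers that write a body before a later failure, so guard it up front with `if (response.isCommitted()) { intlogger.error("response already committed, cannot send " + errorCode); return; }`. Minor: the parameter is named `intlogger` although most call sites pass `eventlogger`, a `private HttpServletUtils() {}` constructor would mark this as a utility class, and a Javadoc line stating that the helper logs rather than propagates I/O failures would document the contract callers now rely on.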