authorRam Koya <rk541m@att.com>2018-09-18 13:20:06 +0000
committerGerrit Code Review <gerrit@onap.org>2018-09-18 13:20:06 +0000
commitf2d0005ff6081f7a0ee91203243443a39912c246 (patch)
treef8ea92e8eb63b9db201d53059e8b981ef3e96211
parent3e87e886fec43912139629c63a8bc2a595753cdf (diff)
parent03e14b304e651a35b8752b6e5e89c9d30696f12f (diff)
Merge "Fix SubscribeServlet Vulnerabilities"
-rw-r--r--datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscribeServlet.java66
1 files changed, 42 insertions, 24 deletions
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscribeServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscribeServlet.java
index 21d391e5..e8828f12 100644
--- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscribeServlet.java
+++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscribeServlet.java
@@ -42,6 +42,8 @@ import org.onap.dmaap.datarouter.provisioning.utils.JSONUtilities;
import com.att.eelf.configuration.EELFLogger;
import com.att.eelf.configuration.EELFManager;
+import static org.onap.dmaap.datarouter.provisioning.utils.HttpServletUtils.sendResponseError;
+
/**
* This servlet handles provisioning for the &lt;subscribeURL&gt; which is generated by the provisioning server to
* handle the creation and inspection of subscriptions to a specific feed.
@@ -60,7 +62,7 @@ public class SubscribeServlet extends ProxyServlet {
* DELETE on the &lt;subscribeUrl&gt; -- not supported.
*/
@Override
- public void doDelete(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ public void doDelete(HttpServletRequest req, HttpServletResponse resp) {
setIpAndFqdnForEelf("doDelete");
eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_SUBID, req.getHeader(BEHALF_HEADER), getIdFromPath(req) + "");
String message = "DELETE not allowed for the subscribeURL.";
@@ -68,7 +70,7 @@ public class SubscribeServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, message);
+ sendResponseError(resp, HttpServletResponse.SC_METHOD_NOT_ALLOWED, message, eventlogger);
}
/**
@@ -76,7 +78,7 @@ public class SubscribeServlet extends ProxyServlet {
* Query</i> section in the <b>Provisioning API</b> document for details on how this method should be invoked.
*/
@Override
- public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ public void doGet(HttpServletRequest req, HttpServletResponse resp) {
setIpAndFqdnForEelf("doGet");
eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_SUBID, req.getHeader(BEHALF_HEADER), getIdFromPath(req) + "");
EventLogRecord elr = new EventLogRecord(req);
@@ -85,11 +87,15 @@ public class SubscribeServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_FORBIDDEN);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_FORBIDDEN, message);
+ sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger);
return;
}
if (isProxyServer()) {
- super.doGet(req, resp);
+ try {
+ super.doGet(req, resp);
+ } catch (IOException ioe) {
+ eventlogger.error("IOException: " + ioe.getMessage());
+ }
return;
}
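Review bot: The catch added around `super.doGet(req, resp)` logs only `ioe.getMessage()` and then returns as if the request succeeded, so the stack trace is discarded and a failed proxy call is indistinguishable from a successful one in the event log; the same pattern is introduced at the `resp.getOutputStream().print(t)` write further down in doGet, around `super.doPost(req, resp)` in doPost, and at the `sub.asLimitedJSONObject()` write in doPost. If eventlogger exposes a `(message, Throwable)` overload, prefer `eventlogger.error("IOException: " + ioe.getMessage(), ioe);` so the cause is kept, noting that `getMessage()` may be null and would then log as `IOException: null`. Since the method no longer declares `throws IOException`, the servlet container now sees every such failure as a handled request; if that is intended, a short comment such as `// I/O failures are logged and the response left as-is; the container is not notified` next to the catch would make the choice explicit for the next maintainer. doGet's body continues outside this hunk.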
String bhdr = req.getHeader(BEHALF_HEADER);
@@ -98,7 +104,7 @@ public class SubscribeServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
int feedid = getIdFromPath(req);
@@ -107,7 +113,7 @@ public class SubscribeServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
Feed feed = Feed.getFeedById(feedid);
@@ -116,7 +122,7 @@ public class SubscribeServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_NOT_FOUND);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_NOT_FOUND, message);
+ sendResponseError(resp, HttpServletResponse.SC_NOT_FOUND, message, eventlogger);
return;
}
// Check with the Authorizer
@@ -126,7 +132,7 @@ public class SubscribeServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_FORBIDDEN);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_FORBIDDEN, message);
+ sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger);
return;
}
@@ -139,14 +145,18 @@ public class SubscribeServlet extends ProxyServlet {
eventlogger.info(elr);
resp.setStatus(HttpServletResponse.SC_OK);
resp.setContentType(SUBLIST_CONTENT_TYPE);
- resp.getOutputStream().print(t);
+ try {
+ resp.getOutputStream().print(t);
+ } catch (IOException ioe) {
+ eventlogger.error("IOException: " + ioe.getMessage());
+ }
}
/**
* PUT on the &lt;subscribeUrl&gt; -- not supported.
*/
@Override
- public void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ public void doPut(HttpServletRequest req, HttpServletResponse resp) {
setIpAndFqdnForEelf("doPut");
eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_SUBID, req.getHeader(BEHALF_HEADER), getIdFromPath(req) + "");
String message = "PUT not allowed for the subscribeURL.";
@@ -154,7 +164,7 @@ public class SubscribeServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, message);
+ sendResponseError(resp, HttpServletResponse.SC_METHOD_NOT_ALLOWED, message, eventlogger);
}
/**
@@ -171,11 +181,15 @@ public class SubscribeServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_FORBIDDEN);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_FORBIDDEN, message);
+ sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger);
return;
}
if (isProxyServer()) {
- super.doPost(req, resp);
+ try {
+ super.doPost(req, resp);
+ } catch (IOException ioe) {
+ eventlogger.error("IOException: " + ioe.getMessage());
+ }
return;
}
String bhdr = req.getHeader(BEHALF_HEADER);
@@ -184,7 +198,7 @@ public class SubscribeServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
int feedid = getIdFromPath(req);
@@ -193,7 +207,7 @@ public class SubscribeServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
Feed feed = Feed.getFeedById(feedid);
@@ -202,7 +216,7 @@ public class SubscribeServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_NOT_FOUND);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_NOT_FOUND, message);
+ sendResponseError(resp, HttpServletResponse.SC_NOT_FOUND, message, eventlogger);
return;
}
// Check with the Authorizer
@@ -212,7 +226,7 @@ public class SubscribeServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_FORBIDDEN);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_FORBIDDEN, message);
+ sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger);
return;
}
@@ -225,7 +239,7 @@ public class SubscribeServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, message);
+ sendResponseError(resp, HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, message, eventlogger);
return;
}
JSONObject jo = getJSONfromInput(req);
@@ -234,7 +248,7 @@ public class SubscribeServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
if (intlogger.isDebugEnabled()) {
@@ -246,7 +260,7 @@ public class SubscribeServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_CONFLICT);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_CONFLICT, message);
+ sendResponseError(resp, HttpServletResponse.SC_CONFLICT, message, eventlogger);
return;
}
Subscription sub = null;
@@ -258,7 +272,7 @@ public class SubscribeServlet extends ProxyServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
return;
}
sub.setFeedid(feedid);
@@ -280,7 +294,11 @@ public class SubscribeServlet extends ProxyServlet {
resp.setStatus(HttpServletResponse.SC_CREATED);
resp.setContentType(SUBFULL_CONTENT_TYPE);
resp.setHeader("Location", sub.getLinks().getSelf());
- resp.getOutputStream().print(sub.asLimitedJSONObject().toString());
+ try {
+ resp.getOutputStream().print(sub.asLimitedJSONObject().toString());
+ } catch (IOException ioe) {
+ eventlogger.error("IOException: " + ioe.getMessage());
+ }
provisioningDataChanged();
} else {
@@ -288,7 +306,7 @@ public class SubscribeServlet extends ProxyServlet {
activeSubs--;
elr.setResult(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG);
+ sendResponseError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG, eventlogger);
}
}
}