aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authordavid.mcweeney <david.mcweeney@est.tech>2021-07-27 15:53:14 +0100
committerdavid.mcweeney <david.mcweeney@est.tech>2021-07-27 15:53:18 +0100
commit8df9c4d2a1ac8fcbf76a38a4bb8a2e42b590ae18 (patch)
treeb37ae89c2b0f1df54c05a7f0fa213ccce8fceb49
parent4916be0d1ef49873bb8f08e71502a7c0cb2233b1 (diff)
DMAAP-DR Header Injection fix
Signed-off-by: david.mcweeney <david.mcweeney@est.tech> Change-Id: I5eb00945762064a5beeb5ce9c57e24243364c238 Issue-ID: DMAAP-1624
-rw-r--r--datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java7
-rw-r--r--datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java11
2 files changed, 18 insertions, 0 deletions
diff --git a/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java b/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java
index 0d030683..27fa5f3e 100644
--- a/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java
+++ b/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java
@@ -253,6 +253,13 @@ public class NodeServlet extends HttpServlet {
return;
}
fileid = fileid.substring(18);
+ if (req.getHeader("X-DMAAP-DR-PUBLISH-ID") != null && !req.getHeader("X-DMAAP-DR-PUBLISH-ID").matches("^[a-zA-Z0-9_]+$")) {
+ String reason = "Error validating header";
+ eelfLogger.error(reason);
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, reason);
+ eelfLogger.info(EelfMsgs.EXIT);
+ return;
+ }
pubid = req.getHeader("X-DMAAP-DR-PUBLISH-ID");
user = "datartr"; // SP6 : Added usr as datartr to avoid null entries for internal routing
targets = config.parseRouting(req.getHeader("X-DMAAP-DR-ROUTING"));
diff --git a/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java b/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java
index 4340b018..ad2fcf5d 100644
--- a/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java
+++ b/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java
@@ -205,6 +205,17 @@ public class NodeServletTest {
}
@Test
+ public void Given_Request_Is_HTTP_PUT_And_Internal_Publish_But_Invalid_Header_Then_Bad_Request_Response_Is_Generated() throws Exception {
+ when(request.getPathInfo()).thenReturn("/internal/publish/1/blah");
+ when(request.getRemoteAddr()).thenReturn("1.2.3.4");
+ when(config.isAnotherNode(anyString(), anyString())).thenReturn(true);
+ when(request.getHeader("X-DMAAP-DR-PUBLISH-ID")).thenReturn("User1+");
+ nodeServlet.doPut(request, response);
+ verify(response).sendError(eq(HttpServletResponse.SC_BAD_REQUEST), anyString());
+ verifyEnteringExitCalled(listAppender);
+ }
+
+ @Test
public void Given_Request_Is_HTTP_PUT_On_Publish_And_Ingress_Node_Is_Provided_Then_Request_Is_Redirected() throws Exception {
setNodeConfigManagerToAllowRedirectOnIngressNode();
when(request.getPathInfo()).thenReturn("/publish/1/fileName");