diff options
author | david.mcweeney <david.mcweeney@est.tech> | 2021-07-27 15:53:14 +0100 |
---|---|---|
committer | david.mcweeney <david.mcweeney@est.tech> | 2021-07-27 15:53:18 +0100 |
commit | 8df9c4d2a1ac8fcbf76a38a4bb8a2e42b590ae18 (patch) | |
tree | b37ae89c2b0f1df54c05a7f0fa213ccce8fceb49 | |
parent | 4916be0d1ef49873bb8f08e71502a7c0cb2233b1 (diff) |
DMAAP-DR Header Injection fix
Signed-off-by: david.mcweeney <david.mcweeney@est.tech>
Change-Id: I5eb00945762064a5beeb5ce9c57e24243364c238
Issue-ID: DMAAP-1624
-rw-r--r-- | datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java | 7 | ||||
-rw-r--r-- | datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java | 11 |
2 files changed, 18 insertions, 0 deletions
diff --git a/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java b/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java index 0d030683..27fa5f3e 100644 --- a/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java +++ b/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java @@ -253,6 +253,13 @@ public class NodeServlet extends HttpServlet { return; } fileid = fileid.substring(18); + if (req.getHeader("X-DMAAP-DR-PUBLISH-ID") != null && !req.getHeader("X-DMAAP-DR-PUBLISH-ID").matches("^[a-zA-Z0-9_]+$")) { + String reason = "Error validating header"; + eelfLogger.error(reason); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, reason); + eelfLogger.info(EelfMsgs.EXIT); + return; + } pubid = req.getHeader("X-DMAAP-DR-PUBLISH-ID"); user = "datartr"; // SP6 : Added usr as datartr to avoid null entries for internal routing targets = config.parseRouting(req.getHeader("X-DMAAP-DR-ROUTING")); diff --git a/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java b/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java index 4340b018..ad2fcf5d 100644 --- a/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java +++ b/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java @@ -205,6 +205,17 @@ public class NodeServletTest { } @Test + public void Given_Request_Is_HTTP_PUT_And_Internal_Publish_But_Invalid_Header_Then_Bad_Request_Response_Is_Generated() throws Exception { + when(request.getPathInfo()).thenReturn("/internal/publish/1/blah"); + when(request.getRemoteAddr()).thenReturn("1.2.3.4"); + when(config.isAnotherNode(anyString(), anyString())).thenReturn(true); + when(request.getHeader("X-DMAAP-DR-PUBLISH-ID")).thenReturn("User1+"); + nodeServlet.doPut(request, response); + verify(response).sendError(eq(HttpServletResponse.SC_BAD_REQUEST), anyString()); + verifyEnteringExitCalled(listAppender); + } + + @Test public void Given_Request_Is_HTTP_PUT_On_Publish_And_Ingress_Node_Is_Provided_Then_Request_Is_Redirected() throws Exception { setNodeConfigManagerToAllowRedirectOnIngressNode(); when(request.getPathInfo()).thenReturn("/publish/1/fileName"); |