authorConor Ward <conor.ward@ericsson.com>2018-09-21 12:44:11 +0000
committerConor Ward <conor.ward@ericsson.com>2018-09-24 15:11:09 +0000
commit731b3831655b1673e71d023aa516904f96daaf2a (patch)
treeef1fe9e054a331c3322cd50fada9dbe587f9bc50
parent46ef61c0fe477483be17dbf9af2ef3b1023da0d8 (diff)
Fix LogServlet Vulnerabilities
Change-Id: Ifcd5f535e1f554e0d6cd0a154ca59239806fa363 Signed-off-by: Conor Ward <conor.ward@ericsson.com> Issue-ID: DMAAP-775
-rw-r--r--datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/LogServlet.java96
1 files changed, 50 insertions, 46 deletions
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/LogServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/LogServlet.java
index 101c9e6f..cdc23311 100644
--- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/LogServlet.java
+++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/LogServlet.java
@@ -39,7 +39,6 @@ import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import org.apache.log4j.Logger;
import org.onap.dmaap.datarouter.provisioning.beans.DeliveryRecord;
import org.onap.dmaap.datarouter.provisioning.beans.EventLogRecord;
import org.onap.dmaap.datarouter.provisioning.beans.ExpiryRecord;
@@ -53,6 +52,8 @@ import org.onap.dmaap.datarouter.provisioning.utils.LOGJSONObject;
import com.att.eelf.configuration.EELFLogger;
import com.att.eelf.configuration.EELFManager;
+import static org.onap.dmaap.datarouter.provisioning.utils.HttpServletUtils.sendResponseError;
+
/**
* This servlet handles requests to the &lt;feedLogURL&gt; and &lt;subLogURL&gt;,
* which are generated by the provisioning server to handle the log query API.
@@ -65,8 +66,8 @@ public class LogServlet extends BaseServlet {
//Adding EELF Logger Rally:US664892
private static EELFLogger eelflogger = EELFManager.getInstance().getLogger("org.onap.dmaap.datarouter.provisioning.LogServlet");
private static final long TWENTYFOUR_HOURS = (24 * 60 * 60 * 1000L);
- private static final String fmt1 = "yyyy-MM-dd'T'HH:mm:ss'Z'";
- private static final String fmt2 = "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'";
+ private static final String FMT_1 = "yyyy-MM-dd'T'HH:mm:ss'Z'";
+ private static final String FMT_2 = "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'";
private static boolean isfeedlog;
@@ -145,7 +146,7 @@ public class LogServlet extends BaseServlet {
* DELETE a logging URL -- not supported.
*/
@Override
- public void doDelete(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ public void doDelete(HttpServletRequest req, HttpServletResponse resp) {
setIpAndFqdnForEelf("doDelete");
eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_FEEDID, req.getHeader(BEHALF_HEADER),getIdFromPath(req)+"");
String message = "DELETE not allowed for the logURL.";
@@ -153,76 +154,79 @@ public class LogServlet extends BaseServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, message);
+ sendResponseError(resp, HttpServletResponse.SC_METHOD_NOT_ALLOWED, message, eventlogger);
}
/**
* GET a logging URL -- retrieve logging data for a feed or subscription.
* See the <b>Logging API</b> document for details on how this method should be invoked.
*/
@Override
- public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ public void doGet(HttpServletRequest req, HttpServletResponse resp) {
setIpAndFqdnForEelf("doGet");
eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_FEEDID, req.getHeader(BEHALF_HEADER),getIdFromPath(req)+"");
int id = getIdFromPath(req);
if (id < 0) {
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing or bad feed/subscription number.");
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, "Missing or bad feed/subscription number.", eventlogger);
return;
}
Map<String, String> map = buildMapFromRequest(req);
if (map.get("err") != null) {
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid arguments: "+map.get("err"));
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, "Invalid arguments: "+map.get("err"), eventlogger);
return;
}
// check Accept: header??
resp.setStatus(HttpServletResponse.SC_OK);
resp.setContentType(LOGLIST_CONTENT_TYPE);
- @SuppressWarnings("resource")
- ServletOutputStream out = resp.getOutputStream();
- final String fields = req.getParameter("fields");
- out.print("[");
- if (isfeedlog) {
- // Handle /feedlog/feedid request
- boolean firstrow = true;
+ try (ServletOutputStream out = resp.getOutputStream()) {
+ final String fields = req.getParameter("fields");
+
+ out.print("[");
+ if (isfeedlog) {
+ // Handle /feedlog/feedid request
+ boolean firstrow = true;
- // 1. Collect publish records for this feed
- RowHandler rh = new PublishRecordRowHandler(out, fields, firstrow);
- getPublishRecordsForFeed(id, rh, map);
- firstrow = rh.firstrow;
+ // 1. Collect publish records for this feed
+ RowHandler rh = new PublishRecordRowHandler(out, fields, firstrow);
+ getPublishRecordsForFeed(id, rh, map);
+ firstrow = rh.firstrow;
- // 2. Collect delivery records for subscriptions to this feed
- rh = new DeliveryRecordRowHandler(out, fields, firstrow);
- getDeliveryRecordsForFeed(id, rh, map);
- firstrow = rh.firstrow;
+ // 2. Collect delivery records for subscriptions to this feed
+ rh = new DeliveryRecordRowHandler(out, fields, firstrow);
+ getDeliveryRecordsForFeed(id, rh, map);
+ firstrow = rh.firstrow;
- // 3. Collect expiry records for subscriptions to this feed
- rh = new ExpiryRecordRowHandler(out, fields, firstrow);
- getExpiryRecordsForFeed(id, rh, map);
- } else {
- // Handle /sublog/subid request
- Subscription sub = Subscription.getSubscriptionById(id);
- if (sub != null) {
- // 1. Collect publish records for the feed this subscription feeds
- RowHandler rh = new PublishRecordRowHandler(out, fields, true);
- getPublishRecordsForFeed(sub.getFeedid(), rh, map);
+ // 3. Collect expiry records for subscriptions to this feed
+ rh = new ExpiryRecordRowHandler(out, fields, firstrow);
+ getExpiryRecordsForFeed(id, rh, map);
+ } else {
+ // Handle /sublog/subid request
+ Subscription sub = Subscription.getSubscriptionById(id);
+ if (sub != null) {
+ // 1. Collect publish records for the feed this subscription feeds
+ RowHandler rh = new PublishRecordRowHandler(out, fields, true);
+ getPublishRecordsForFeed(sub.getFeedid(), rh, map);
- // 2. Collect delivery records for this subscription
- rh = new DeliveryRecordRowHandler(out, fields, rh.firstrow);
- getDeliveryRecordsForSubscription(id, rh, map);
+ // 2. Collect delivery records for this subscription
+ rh = new DeliveryRecordRowHandler(out, fields, rh.firstrow);
+ getDeliveryRecordsForSubscription(id, rh, map);
- // 3. Collect expiry records for this subscription
- rh = new ExpiryRecordRowHandler(out, fields, rh.firstrow);
- getExpiryRecordsForSubscription(id, rh, map);
+ // 3. Collect expiry records for this subscription
+ rh = new ExpiryRecordRowHandler(out, fields, rh.firstrow);
+ getExpiryRecordsForSubscription(id, rh, map);
+ }
}
+ out.print("]");
+ } catch (IOException ioe) {
+ eventlogger.error("IOException: " + ioe.getMessage());
}
- out.print("\n]");
}
/**
* PUT a logging URL -- not supported.
*/
@Override
- public void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ public void doPut(HttpServletRequest req, HttpServletResponse resp) {
setIpAndFqdnForEelf("doPut");
eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_FEEDID, req.getHeader(BEHALF_HEADER),getIdFromPath(req)+"");
String message = "PUT not allowed for the logURL.";
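Review bot: The new `catch (IOException ioe)` closing doGet logs only `ioe.getMessage()`, so the stack trace and any cause are dropped and a write failure mid-stream leaves a one-line message with no context; pass the exception through, `eventlogger.error("IOException: " + ioe.getMessage(), ioe);`. Because `resp.setStatus(HttpServletResponse.SC_OK)` and the content type are set before the first record is fetched, an exception while streaming leaves the client with a 200 status and a truncated JSON array (the closing `]` is never written), and since the exception is now swallowed the container no longer surfaces it either; the catch deserves a comment saying so, e.g. `// response is already committed as 200 here; a failure leaves the client a truncated array`. The record getters (getPublishRecordsForFeed, getDeliveryRecordsForFeed, etc.) are defined outside this hunk, so how they report failures cannot be checked from here.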
@@ -230,13 +234,13 @@ public class LogServlet extends BaseServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, message);
+ sendResponseError(resp, HttpServletResponse.SC_METHOD_NOT_ALLOWED, message, eventlogger);
}
/**
* POST a logging URL -- not supported.
*/
@Override
- public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ public void doPost(HttpServletRequest req, HttpServletResponse resp) {
setIpAndFqdnForEelf("doPost");
eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF, req.getHeader(BEHALF_HEADER));
String message = "POST not allowed for the logURL.";
@@ -244,11 +248,11 @@ public class LogServlet extends BaseServlet {
elr.setMessage(message);
elr.setResult(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, message);
+ sendResponseError(resp, HttpServletResponse.SC_METHOD_NOT_ALLOWED, message, eventlogger);
}
private Map<String, String> buildMapFromRequest(HttpServletRequest req) {
- Map<String, String> map = new HashMap<String, String>();
+ Map<String, String> map = new HashMap<>();
String s = req.getParameter("type");
if (s != null) {
if (s.equals("pub") || s.equals("del") || s.equals("exp")) {
@@ -341,7 +345,7 @@ public class LogServlet extends BaseServlet {
return 0;
try {
// First, look for an RFC 3339 date
- String fmt = (s.indexOf('.') > 0) ? fmt2 : fmt1;
+ String fmt = (s.indexOf('.') > 0) ? FMT_2 : FMT_1;
SimpleDateFormat sdf = new SimpleDateFormat(fmt);
Date d = sdf.parse(s);
return d.getTime();