authoresobmar <mariusz.sobucki@ericsson.com>2018-09-17 17:25:17 +0100
committeresobmar <mariusz.sobucki@ericsson.com>2018-09-20 14:41:27 +0100
commit527f8c01aab421811407a0dbe4868370e53cd7a2 (patch)
treec0ee999a96c940db8213804b9a9656a9f20a42ca
parent4e61cfafc9b10ca604b8e2c7ec0272246502fa82 (diff)
Fix NodeServlet Vulnerabilities
Change-Id: I16a6a7c4f0a7ac1005878106f176a1dcf25940a3 Signed-off-by: Mariusz Sobucki <mariusz.sobucki@ericsson.com> Issue-ID: DMAAP-775
-rw-r--r--datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java79
-rw-r--r--datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeUtils.java10
-rw-r--r--datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java18
3 files changed, 36 insertions, 71 deletions
diff --git a/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java b/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java
index 9ddbc25a..e5eb2edc 100644
--- a/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java
+++ b/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java
@@ -27,14 +27,12 @@ package org.onap.dmaap.datarouter.node;
import com.att.eelf.configuration.EELFLogger;
import com.att.eelf.configuration.EELFManager;
import java.io.File;
-import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.Writer;
-import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
@@ -44,9 +42,12 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+
import org.apache.log4j.Logger;
import org.onap.dmaap.datarouter.node.eelf.EelfMsgs;
+import static org.onap.dmaap.datarouter.node.NodeUtils.sendResponseError;
+
/**
* Servlet for handling all http and https requests to the data router node
* <p>
@@ -59,11 +60,9 @@ import org.onap.dmaap.datarouter.node.eelf.EelfMsgs;
* PUT/DELETE https://<i>node</i>/publish/<i>feedid</i>/<i>fileid</i> - publsh request
*/
public class NodeServlet extends HttpServlet {
-
private static Logger logger = Logger.getLogger("org.onap.dmaap.datarouter.node.NodeServlet");
private static NodeConfigManager config;
private static Pattern MetaDataPattern;
- private static SubnetMatcher internalsubnet = new SubnetMatcher("135.207.136.128/25");
//Adding EELF Logger Rally:US664892
private static EELFLogger eelflogger = EELFManager.getInstance()
.getLogger("org.onap.dmaap.datarouter.node.NodeServlet");
@@ -93,7 +92,7 @@ public class NodeServlet extends HttpServlet {
private boolean down(HttpServletResponse resp) throws IOException {
if (config.isShutdown() || !config.isConfigured()) {
- resp.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
+ sendResponseError(resp, HttpServletResponse.SC_SERVICE_UNAVAILABLE, logger);
logger.info("NODE0102 Rejecting request: Service is being quiesced");
return (true);
}
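Review bot: With `sendResponseError` now catching the IOException from `resp.sendError`, nothing in the visible body of `down` can still throw, so the `throws IOException` on line 61 is vestigial and is what forces the try/catch around `down(resp)` in `doGet`. If the rest of `down` (its body continues past this hunk) is equally exception-free, change the signature to `private boolean down(HttpServletResponse resp) {` and drop the corresponding catch in `doGet`; Java rejects a `catch (IOException)` whose try block cannot throw it, so both edits have to land together. A one-line Javadoc would also help: `/** Returns true (after sending 503) when the node is shutting down or not yet configured; the caller must then abandon the request. */`.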
@@ -103,12 +102,17 @@ public class NodeServlet extends HttpServlet {
/**
* Handle a GET for /internal/fetchProv
*/
- protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+ protected void doGet(HttpServletRequest req, HttpServletResponse resp){
NodeUtils.setIpAndFqdnForEelf("doGet");
eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_FEEDID, req.getHeader("X-ATT-DR-ON-BEHALF-OF"),
getIdFromPath(req) + "");
- if (down(resp)) {
- return;
+ try{
+ if (down(resp)) {
+ return;
+ }
+
+ } catch (IOException ioe) {
+ logger.error("IOException" + ioe.getMessage());
}
String path = req.getPathInfo();
String qs = req.getQueryString();
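Review bot: The new catch on lines 84-86 falls through: if `down(resp)` fails with an IOException, the handler logs the message and then carries on to `req.getPathInfo()` and serves the request as if the node were up, which is the opposite of what the quiesce check is for. The catch should end the request, and should keep the stack trace rather than only `getMessage()` (which can be null, yielding "IOExceptionnull" since the literal has no separator): `} catch (IOException ioe) {`, `logger.error("IOException while rejecting request during shutdown", ioe);`, `return;`. In practice `sendResponseError` already swallows the IOException, so the branch is probably unreachable today, but that is not something the compiler or a reader of this method can see. `doGet` continues past the hunk.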
@@ -128,50 +132,9 @@ public class NodeServlet extends HttpServlet {
return;
}
}
- if (internalsubnet.matches(NodeUtils.getInetAddress(ip))) {
- if (path.startsWith("/internal/logs/")) {
- String f = path.substring(15);
- File fn = new File(config.getLogDir() + "/" + f);
- if (f.indexOf('/') != -1 || !fn.isFile()) {
- logger.info("NODE0103 Rejecting invalid GET of " + path + " from " + ip);
- resp.sendError(HttpServletResponse.SC_NOT_FOUND);
- return;
- }
- byte[] buf = new byte[65536];
- resp.setContentType("text/plain");
- resp.setContentLength((int) fn.length());
- resp.setStatus(200);
- try (InputStream is = new FileInputStream(fn)) {
- OutputStream os = resp.getOutputStream();
- int i;
- while ((i = is.read(buf)) > 0) {
- os.write(buf, 0, i);
- }
- }
- return;
- }
- if (path.startsWith("/internal/rtt/")) {
- String xip = path.substring(14);
- long st = System.currentTimeMillis();
- String status = " unknown";
- try {
- Socket s = new Socket(xip, 443);
- s.close();
- status = " connected";
- } catch (Exception e) {
- status = " error " + e.toString();
- }
- long dur = System.currentTimeMillis() - st;
- resp.setContentType("text/plain");
- resp.setStatus(200);
- byte[] buf = (dur + status + "\n").getBytes();
- resp.setContentLength(buf.length);
- resp.getOutputStream().write(buf);
- return;
- }
- }
+
logger.info("NODE0103 Rejecting invalid GET of " + path + " from " + ip);
- resp.sendError(HttpServletResponse.SC_NOT_FOUND);
+ sendResponseError(resp, HttpServletResponse.SC_NOT_FOUND, logger);
}
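Review bot: Nothing in the new code records why the `/internal/logs/` and `/internal/rtt/` handlers are gone, so the next maintainer looking at the 404 on line 136 has only the commit title to go on; I would add a comment above it such as `// /internal/logs and /internal/rtt were removed (DMAAP-775): they served files from the log directory and opened an outbound connection to any host named in the URL, gated only by a hard-coded subnet.` That is what the removed lines 94-133 did. The two tests exercising those paths from 135.207.136.128 are deleted in NodeServletTest rather than turned into negative tests, so nothing now pins that those paths answer NOT_FOUND regardless of caller address; keeping one of them with `verify(response).sendError(eq(HttpServletResponse.SC_NOT_FOUND))` would guard against the endpoints being reintroduced. If `SubnetMatcher`, `InputStream` or `OutputStream` have no remaining users in this file, they can go too, but that is not visible from the hunk.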
/**
@@ -181,7 +144,12 @@ public class NodeServlet extends HttpServlet {
NodeUtils.setIpAndFqdnForEelf("doPut");
eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_FEEDID, req.getHeader("X-ATT-DR-ON-BEHALF-OF"),
getIdFromPath(req) + "");
- common(req, resp, true);
+ try {
+ common(req, resp, true);
+ }
+ catch(IOException ioe){
+ logger.error("IOException" + ioe.getMessage());
+ }
}
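Review bot: The new catch on lines 149-151 turns an IOException from `common` into a single log line built from `getMessage()`, losing the stack trace and, because the literal has no trailing space, producing text like "IOExceptionBroken pipe" (or "IOExceptionnull" when there is no message). Use the two-argument form, `logger.error("IOException handling PUT", ioe);`. Since `common` (which starts outside this hunk) may fail before any status has been written, the publisher would otherwise see a default 200-style response for a failed publish; guarding with `if (!resp.isCommitted()) sendResponseError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, logger);` inside the catch would make the failure visible to the client — I cannot confirm from here at which point `common` commits the response. `doPut` begins before this hunk.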
/**
@@ -191,7 +159,12 @@ public class NodeServlet extends HttpServlet {
NodeUtils.setIpAndFqdnForEelf("doDelete");
eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_FEEDID, req.getHeader("X-ATT-DR-ON-BEHALF-OF"),
getIdFromPath(req) + "");
- common(req, resp, false);
+ try {
+ common(req, resp, false);
+ }
+ catch(IOException ioe){
+ logger.error("IOException" + ioe.getMessage());
+ }
}
private void common(HttpServletRequest req, HttpServletResponse resp, boolean isput)
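Review bot: Same problem as in `doPut`: the catch on lines 162-164 logs only `ioe.getMessage()` with no separator and discards the throwable, so a failed DELETE leaves neither a stack trace nor, if `common` threw before writing a status, an error response for the caller. I would change it to `logger.error("IOException handling DELETE", ioe);` followed by `if (!resp.isCommitted()) { sendResponseError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, logger); }`, subject to confirming where `common` commits the response. The two handlers could share a small private helper for this so the wording and behaviour stay aligned. `doDelete` begins before this hunk and `common` continues after it.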
diff --git a/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeUtils.java b/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeUtils.java
index 2c013ca5..01585d9f 100644
--- a/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeUtils.java
+++ b/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeUtils.java
@@ -45,6 +45,8 @@ import org.apache.log4j.Logger;
import org.onap.dmaap.datarouter.node.eelf.EelfMsgs;
import org.slf4j.MDC;
+import javax.servlet.http.HttpServletResponse;
+
/**
* Utility functions for the data router node
*/
@@ -261,5 +263,13 @@ public class NodeUtils {
}
+ public static void sendResponseError(HttpServletResponse response, int errorCode, Logger intlogger) {
+ try {
+ response.sendError(errorCode);
+ } catch (IOException ioe) {
+ intlogger.error("IOException" + ioe.getMessage());
+ }
+ }
+
}
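Review bot: `sendResponseError` is a new public utility with no Javadoc, and its catch on lines 184-186 logs `"IOException" + ioe.getMessage()` — no separator and no stack trace. I would log the throwable and include the code being sent, `intlogger.error("IOException sending error response " + errorCode, ioe);`, and add a Javadoc along the lines of: sends errorCode with response.sendError, logging instead of propagating an IOException; note that per the servlet API sendError throws IllegalStateException if the response is already committed, and that is deliberately not caught here. Making that last point explicit matters because the helper is now the sink for every error path in NodeServlet, and callers that previously called `resp.sendError` directly keep the same committed-response behaviour.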
diff --git a/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java b/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java
index 048c44fa..fbdd9230 100644
--- a/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java
+++ b/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java
@@ -87,24 +87,6 @@ public class NodeServletTest {
}
@Test
- public void Given_Request_Is_HTTP_GET_And_Endpoint_Is_Internal_Logs_And_File_Does_Not_Exist_Then_Not_Found_Response_Is_Generated() throws Exception {
- when(request.getPathInfo()).thenReturn("/internal/logs/fileName");
- when(request.getRemoteAddr()).thenReturn("135.207.136.128");
- nodeServlet.doGet(request, response);
- verify(response).sendError(eq(HttpServletResponse.SC_NOT_FOUND));
- }
-
- @Test
- public void Given_Request_Is_HTTP_GET_And_Endpoint_Is_Internal_Rtt_And_Error_Connecting_To_Socket_Occurs_Then_Ok_Response_Is_Generated() throws Exception {
- when(request.getPathInfo()).thenReturn("/internal/rtt/0.0.0.0");
- when(request.getRemoteAddr()).thenReturn("135.207.136.128");
- ServletOutputStream outStream = mock(ServletOutputStream.class);
- when(response.getOutputStream()).thenReturn(outStream);
- nodeServlet.doGet(request, response);
- verify(response).setStatus(eq(200));
- }
-
- @Test
public void Given_Request_Is_HTTP_GET_To_Invalid_Endpoint_Then_Not_Found_Response_Is_Generated() throws Exception {
when(request.getPathInfo()).thenReturn("/incorrect");
nodeServlet.doGet(request, response);