diff options
author | Conor Ward <conor.ward@ericsson.com> | 2018-09-15 09:45:16 +0000 |
---|---|---|
committer | Conor Ward <conor.ward@ericsson.com> | 2018-09-17 14:47:01 +0000 |
commit | d70c8e87db67c45ef106ad156d21165c3c2f2388 (patch) | |
tree | 7898269eb7b8f2a1195da84af0f5af29b1e7c123 /datarouter-prov/src/main/java/org | |
parent | 1298e6487340fcb1644c4a0a7e06026d156bdf8f (diff) |
Fix DRFeedsServlet Vulnerabilities
Change-Id: I0d942085e35f21c87c5f2af749d600644bf80de5
Signed-off-by: Conor Ward <conor.ward@ericsson.com>
Issue-ID: DMAAP-775
Diffstat (limited to 'datarouter-prov/src/main/java/org')
-rw-r--r-- | datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/DRFeedsServlet.java | 74 |
1 files changed, 48 insertions, 26 deletions
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/DRFeedsServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/DRFeedsServlet.java index 47156d28..d7da4dc1 100644 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/DRFeedsServlet.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/DRFeedsServlet.java @@ -41,6 +41,8 @@ import org.onap.dmaap.datarouter.provisioning.utils.JSONUtilities; import com.att.eelf.configuration.EELFLogger; import com.att.eelf.configuration.EELFManager; +import static org.onap.dmaap.datarouter.provisioning.utils.HttpServletUtils.sendResponseError; + /** * This servlet handles provisioning for the <drFeedsURL> which is the URL on the provisioning server used to * create new feeds. It supports POST to create new feeds, and GET to support the Feeds Collection Query function. @@ -59,7 +61,7 @@ public class DRFeedsServlet extends ProxyServlet { * DELETE on the <drFeedsURL> -- not supported. */ @Override - public void doDelete(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void doDelete(HttpServletRequest req, HttpServletResponse resp) { setIpAndFqdnForEelf("doDelete"); eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_FEEDID, req.getHeader(BEHALF_HEADER), getIdFromPath(req) + ""); String message = "DELETE not allowed for the drFeedsURL."; @@ -67,7 +69,7 @@ public class DRFeedsServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_METHOD_NOT_ALLOWED); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, message); + sendResponseError(resp, HttpServletResponse.SC_METHOD_NOT_ALLOWED, message, eventlogger); } /** @@ -75,7 +77,7 @@ public class DRFeedsServlet extends ProxyServlet { * Queries</i> section in the <b>Provisioning API</b> document for details on how this method should be invoked. */ @Override - public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void doGet(HttpServletRequest req, HttpServletResponse resp) { setIpAndFqdnForEelf("doGet"); eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_FEEDID, req.getHeader(BEHALF_HEADER), getIdFromPath(req) + ""); EventLogRecord elr = new EventLogRecord(req); @@ -84,11 +86,15 @@ public class DRFeedsServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_FORBIDDEN); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_FORBIDDEN, message); + sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); return; } if (isProxyServer()) { - super.doGet(req, resp); + try { + super.doGet(req, resp); + } catch (IOException ioe) { + eventlogger.error("IOException" + ioe.getMessage()); + } return; } String bhdr = req.getHeader(BEHALF_HEADER); @@ -97,7 +103,7 @@ public class DRFeedsServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } String path = req @@ -107,7 +113,7 @@ public class DRFeedsServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_NOT_FOUND); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_NOT_FOUND, message); + sendResponseError(resp, HttpServletResponse.SC_NOT_FOUND, message, eventlogger); return; } // Check with the Authorizer @@ -117,7 +123,7 @@ public class DRFeedsServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_FORBIDDEN); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_FORBIDDEN, message); + sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); return; } @@ -133,14 +139,18 @@ public class DRFeedsServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); } else { // send response elr.setResult(HttpServletResponse.SC_OK); eventlogger.info(elr); resp.setStatus(HttpServletResponse.SC_OK); resp.setContentType(FEEDFULL_CONTENT_TYPE); - resp.getOutputStream().print(feed.asJSONObject(true).toString()); + try { + resp.getOutputStream().print(feed.asJSONObject(true).toString()); + } catch (IOException ioe) { + eventlogger.error("IOException" + ioe.getMessage()); + } } } else { // Display a list of URLs @@ -160,7 +170,11 @@ public class DRFeedsServlet extends ProxyServlet { eventlogger.info(elr); resp.setStatus(HttpServletResponse.SC_OK); resp.setContentType(FEEDLIST_CONTENT_TYPE); - resp.getOutputStream().print(t); + try { + resp.getOutputStream().print(t); + } catch (IOException ioe) { + eventlogger.error("IOException" + ioe.getMessage()); + } } } @@ -168,7 +182,7 @@ public class DRFeedsServlet extends ProxyServlet { * PUT on the <drFeedsURL> -- not supported. */ @Override - public void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void doPut(HttpServletRequest req, HttpServletResponse resp) { setIpAndFqdnForEelf("doPut"); eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_FEEDID, req.getHeader(BEHALF_HEADER), getIdFromPath(req) + ""); String message = "PUT not allowed for the drFeedsURL."; @@ -176,7 +190,7 @@ public class DRFeedsServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_METHOD_NOT_ALLOWED); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, message); + sendResponseError(resp, HttpServletResponse.SC_METHOD_NOT_ALLOWED, message, eventlogger); } /** @@ -184,7 +198,7 @@ public class DRFeedsServlet extends ProxyServlet { * <b>Provisioning API</b> document for details on how this method should be invoked. */ @Override - public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void doPost(HttpServletRequest req, HttpServletResponse resp) { setIpAndFqdnForEelf("doPost"); eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF, req.getHeader(BEHALF_HEADER)); EventLogRecord elr = new EventLogRecord(req); @@ -193,11 +207,15 @@ public class DRFeedsServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_FORBIDDEN); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_FORBIDDEN, message); + sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); return; } if (isProxyServer()) { - super.doPost(req, resp); + try { + super.doPost(req, resp); + } catch (IOException ioe) { + eventlogger.error("IOException" + ioe.getMessage()); + } return; } String bhdr = req.getHeader(BEHALF_HEADER); @@ -206,7 +224,7 @@ public class DRFeedsServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } String path = req @@ -216,7 +234,7 @@ public class DRFeedsServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_NOT_FOUND); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_NOT_FOUND, message); + sendResponseError(resp, HttpServletResponse.SC_NOT_FOUND, message, eventlogger); return; } // check content type is FEED_CONTENT_TYPE, version 1.0 @@ -227,7 +245,7 @@ public class DRFeedsServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, message); + sendResponseError(resp, HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, message, eventlogger); return; } // Check with the Authorizer @@ -237,7 +255,7 @@ public class DRFeedsServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_FORBIDDEN); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_FORBIDDEN, message); + sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); return; } JSONObject jo = getJSONfromInput(req); @@ -246,7 +264,7 @@ public class DRFeedsServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } if (intlogger.isDebugEnabled()) { @@ -258,7 +276,7 @@ public class DRFeedsServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_CONFLICT); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_CONFLICT, message); + sendResponseError(resp, HttpServletResponse.SC_CONFLICT, message, eventlogger); return; } Feed feed = null; @@ -269,7 +287,7 @@ public class DRFeedsServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } feed.setPublisher(bhdr); // set from X-ATT-DR-ON-BEHALF-OF header @@ -281,7 +299,7 @@ public class DRFeedsServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } @@ -293,13 +311,17 @@ public class DRFeedsServlet extends ProxyServlet { resp.setStatus(HttpServletResponse.SC_CREATED); resp.setContentType(FEEDFULL_CONTENT_TYPE); resp.setHeader("Location", feed.getLinks().getSelf()); - resp.getOutputStream().print(feed.asLimitedJSONObject().toString()); + try { + resp.getOutputStream().print(feed.asLimitedJSONObject().toString()); + } catch (IOException ioe) { + eventlogger.error("IOException" + ioe.getMessage()); + } provisioningDataChanged(); } else { // Something went wrong with the INSERT elr.setResult(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG); + sendResponseError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG, eventlogger); } } } |