Fix DRFeedsServlet Vulnerabilities

Change-Id: I0d942085e35f21c87c5f2af749d600644bf80de5 Signed-off-by: Conor Ward <conor.ward@ericsson.com> Issue-ID: DMAAP-775
author: Conor Ward <conor.ward@ericsson.com> 2018-09-15 09:45:16 +0000
committer: Conor Ward <conor.ward@ericsson.com> 2018-09-17 14:47:01 +0000
commit: d70c8e87db67c45ef106ad156d21165c3c2f2388 (patch)
tree: 7898269eb7b8f2a1195da84af0f5af29b1e7c123 /datarouter-prov
parent: 1298e6487340fcb1644c4a0a7e06026d156bdf8f (diff)
1 files changed, 48 insertions, 26 deletions
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/DRFeedsServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/DRFeedsServlet.java
index 47156d28..d7da4dc1 100644
--- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/DRFeedsServlet.java
+++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/DRFeedsServlet.java
@@ -41,6 +41,8 @@ import org.onap.dmaap.datarouter.provisioning.utils.JSONUtilities;
 import com.att.eelf.configuration.EELFLogger;
 import com.att.eelf.configuration.EELFManager;
 
+import static org.onap.dmaap.datarouter.provisioning.utils.HttpServletUtils.sendResponseError;
+
 /**
  * This servlet handles provisioning for the &lt;drFeedsURL&gt; which is the URL on the provisioning server used to
  * create new feeds.  It supports POST to create new feeds, and GET to support the Feeds Collection Query function.
@@ -59,7 +61,7 @@ public class DRFeedsServlet extends ProxyServlet {
      * DELETE on the &lt;drFeedsURL&gt; -- not supported.
      */
     @Override
-    public void doDelete(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+    public void doDelete(HttpServletRequest req, HttpServletResponse resp) {
         setIpAndFqdnForEelf("doDelete");
         eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_FEEDID, req.getHeader(BEHALF_HEADER), getIdFromPath(req) + "");
         String message = "DELETE not allowed for the drFeedsURL.";
@@ -67,7 +69,7 @@ public class DRFeedsServlet extends ProxyServlet {
         elr.setMessage(message);
         elr.setResult(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
         eventlogger.info(elr);
-        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, message);
+        sendResponseError(resp, HttpServletResponse.SC_METHOD_NOT_ALLOWED, message, eventlogger);
     }
 
     /**
@@ -75,7 +77,7 @@ public class DRFeedsServlet extends ProxyServlet {
      * Queries</i> section in the <b>Provisioning API</b> document for details on how this method should be invoked.
      */
     @Override
-    public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+    public void doGet(HttpServletRequest req, HttpServletResponse resp) {
         setIpAndFqdnForEelf("doGet");
         eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_FEEDID, req.getHeader(BEHALF_HEADER), getIdFromPath(req) + "");
         EventLogRecord elr = new EventLogRecord(req);
@@ -84,11 +86,15 @@ public class DRFeedsServlet extends ProxyServlet {
             elr.setMessage(message);
             elr.setResult(HttpServletResponse.SC_FORBIDDEN);
             eventlogger.info(elr);
-            resp.sendError(HttpServletResponse.SC_FORBIDDEN, message);
+            sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger);
             return;
         }
         if (isProxyServer()) {
-            super.doGet(req, resp);
+            try {
+                super.doGet(req, resp);
+            } catch (IOException ioe) {
+                eventlogger.error("IOException" + ioe.getMessage());
+            }
             return;
         }
         String bhdr = req.getHeader(BEHALF_HEADER);
@@ -97,7 +103,7 @@ public class DRFeedsServlet extends ProxyServlet {
             elr.setMessage(message);
             elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
             eventlogger.info(elr);
-            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+            sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
             return;
         }
         String path = req
@@ -107,7 +113,7 @@ public class DRFeedsServlet extends ProxyServlet {
             elr.setMessage(message);
             elr.setResult(HttpServletResponse.SC_NOT_FOUND);
             eventlogger.info(elr);
-            resp.sendError(HttpServletResponse.SC_NOT_FOUND, message);
+            sendResponseError(resp, HttpServletResponse.SC_NOT_FOUND, message, eventlogger);
             return;
         }
         // Check with the Authorizer
@@ -117,7 +123,7 @@ public class DRFeedsServlet extends ProxyServlet {
             elr.setMessage(message);
             elr.setResult(HttpServletResponse.SC_FORBIDDEN);
             eventlogger.info(elr);
-            resp.sendError(HttpServletResponse.SC_FORBIDDEN, message);
+            sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger);
             return;
         }
 
@@ -133,14 +139,18 @@ public class DRFeedsServlet extends ProxyServlet {
                 elr.setMessage(message);
                 elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
                 eventlogger.info(elr);
-                resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+                sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
             } else {
                 // send response
                 elr.setResult(HttpServletResponse.SC_OK);
                 eventlogger.info(elr);
                 resp.setStatus(HttpServletResponse.SC_OK);
                 resp.setContentType(FEEDFULL_CONTENT_TYPE);
-                resp.getOutputStream().print(feed.asJSONObject(true).toString());
+                try {
+                    resp.getOutputStream().print(feed.asJSONObject(true).toString());
+                } catch (IOException ioe) {
+                    eventlogger.error("IOException" + ioe.getMessage());
+                }
             }
         } else {
             // Display a list of URLs
@@ -160,7 +170,11 @@ public class DRFeedsServlet extends ProxyServlet {
             eventlogger.info(elr);
             resp.setStatus(HttpServletResponse.SC_OK);
             resp.setContentType(FEEDLIST_CONTENT_TYPE);
-            resp.getOutputStream().print(t);
+            try {
+                resp.getOutputStream().print(t);
+            } catch (IOException ioe) {
+                eventlogger.error("IOException" + ioe.getMessage());
+            }
         }
     }
 
@@ -168,7 +182,7 @@ public class DRFeedsServlet extends ProxyServlet {
      * PUT on the &lt;drFeedsURL&gt; -- not supported.
      */
     @Override
-    public void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+    public void doPut(HttpServletRequest req, HttpServletResponse resp) {
         setIpAndFqdnForEelf("doPut");
         eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_FEEDID, req.getHeader(BEHALF_HEADER), getIdFromPath(req) + "");
         String message = "PUT not allowed for the drFeedsURL.";
@@ -176,7 +190,7 @@ public class DRFeedsServlet extends ProxyServlet {
         elr.setMessage(message);
         elr.setResult(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
         eventlogger.info(elr);
-        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, message);
+        sendResponseError(resp, HttpServletResponse.SC_METHOD_NOT_ALLOWED, message, eventlogger);
     }
 
     /**
@@ -184,7 +198,7 @@ public class DRFeedsServlet extends ProxyServlet {
      * <b>Provisioning API</b> document for details on how this method should be invoked.
      */
     @Override
-    public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+    public void doPost(HttpServletRequest req, HttpServletResponse resp) {
         setIpAndFqdnForEelf("doPost");
         eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF, req.getHeader(BEHALF_HEADER));
         EventLogRecord elr = new EventLogRecord(req);
@@ -193,11 +207,15 @@ public class DRFeedsServlet extends ProxyServlet {
             elr.setMessage(message);
             elr.setResult(HttpServletResponse.SC_FORBIDDEN);
             eventlogger.info(elr);
-            resp.sendError(HttpServletResponse.SC_FORBIDDEN, message);
+            sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger);
             return;
         }
         if (isProxyServer()) {
-            super.doPost(req, resp);
+            try {
+                super.doPost(req, resp);
+            } catch (IOException ioe) {
+                eventlogger.error("IOException" + ioe.getMessage());
+            }
             return;
         }
         String bhdr = req.getHeader(BEHALF_HEADER);
@@ -206,7 +224,7 @@ public class DRFeedsServlet extends ProxyServlet {
             elr.setMessage(message);
             elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
             eventlogger.info(elr);
-            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+            sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
             return;
         }
         String path = req
@@ -216,7 +234,7 @@ public class DRFeedsServlet extends ProxyServlet {
             elr.setMessage(message);
             elr.setResult(HttpServletResponse.SC_NOT_FOUND);
             eventlogger.info(elr);
-            resp.sendError(HttpServletResponse.SC_NOT_FOUND, message);
+            sendResponseError(resp, HttpServletResponse.SC_NOT_FOUND, message, eventlogger);
             return;
         }
         // check content type is FEED_CONTENT_TYPE, version 1.0
@@ -227,7 +245,7 @@ public class DRFeedsServlet extends ProxyServlet {
             elr.setMessage(message);
             elr.setResult(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
             eventlogger.info(elr);
-            resp.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, message);
+            sendResponseError(resp, HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, message, eventlogger);
             return;
         }
         // Check with the Authorizer
@@ -237,7 +255,7 @@ public class DRFeedsServlet extends ProxyServlet {
             elr.setMessage(message);
             elr.setResult(HttpServletResponse.SC_FORBIDDEN);
             eventlogger.info(elr);
-            resp.sendError(HttpServletResponse.SC_FORBIDDEN, message);
+            sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger);
             return;
         }
         JSONObject jo = getJSONfromInput(req);
@@ -246,7 +264,7 @@ public class DRFeedsServlet extends ProxyServlet {
             elr.setMessage(message);
             elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
             eventlogger.info(elr);
-            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+            sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
             return;
         }
         if (intlogger.isDebugEnabled()) {
@@ -258,7 +276,7 @@ public class DRFeedsServlet extends ProxyServlet {
             elr.setMessage(message);
             elr.setResult(HttpServletResponse.SC_CONFLICT);
             eventlogger.info(elr);
-            resp.sendError(HttpServletResponse.SC_CONFLICT, message);
+            sendResponseError(resp, HttpServletResponse.SC_CONFLICT, message, eventlogger);
             return;
         }
         Feed feed = null;
@@ -269,7 +287,7 @@ public class DRFeedsServlet extends ProxyServlet {
             elr.setMessage(message);
             elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
             eventlogger.info(elr);
-            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+            sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
             return;
         }
         feed.setPublisher(bhdr);    // set from X-ATT-DR-ON-BEHALF-OF header
@@ -281,7 +299,7 @@ public class DRFeedsServlet extends ProxyServlet {
             elr.setMessage(message);
             elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
             eventlogger.info(elr);
-            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+            sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
             return;
         }
 
@@ -293,13 +311,17 @@ public class DRFeedsServlet extends ProxyServlet {
             resp.setStatus(HttpServletResponse.SC_CREATED);
             resp.setContentType(FEEDFULL_CONTENT_TYPE);
             resp.setHeader("Location", feed.getLinks().getSelf());
-            resp.getOutputStream().print(feed.asLimitedJSONObject().toString());
+            try {
+                resp.getOutputStream().print(feed.asLimitedJSONObject().toString());
+            } catch (IOException ioe) {
+                eventlogger.error("IOException" + ioe.getMessage());
+            }
             provisioningDataChanged();
         } else {
             // Something went wrong with the INSERT
             elr.setResult(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
             eventlogger.info(elr);
-            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG);
+            sendResponseError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG, eventlogger);
         }
     }
 }
author	Conor Ward <conor.ward@ericsson.com>	2018-09-15 09:45:16 +0000
committer	Conor Ward <conor.ward@ericsson.com>	2018-09-17 14:47:01 +0000
commit	d70c8e87db67c45ef106ad156d21165c3c2f2388 (patch)
tree	7898269eb7b8f2a1195da84af0f5af29b1e7c123 /datarouter-prov
parent	1298e6487340fcb1644c4a0a7e06026d156bdf8f (diff)