From 4916be0d1ef49873bb8f08e71502a7c0cb2233b1 Mon Sep 17 00:00:00 2001 From: "david.mcweeney" Date: Tue, 27 Jul 2021 09:39:48 +0100 Subject: DMAAP-DR SQL Injection fix Change-Id: Ie85bbb46455d79f9e6eb23bc32253ea355a8e3b2 Signed-off-by: david.mcweeney Issue-ID: DMAAP-1623 --- .../datarouter/provisioning/StatisticsServlet.java | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/StatisticsServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/StatisticsServlet.java index c564db86..8a82c5cf 100755 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/StatisticsServlet.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/StatisticsServlet.java @@ -79,6 +79,8 @@ public class StatisticsServlet extends BaseServlet { private static final String SQL_JOIN_RECORDS = " e JOIN LOG_RECORDS m ON m.PUBLISH_ID = e.PUBLISH_ID AND e.FEEDID IN ("; private static final String SQL_STATUS_204 = " AND m.STATUS=204 AND e.RESULT=204 "; private static final String SQL_GROUP_SUB_ID = " group by SUBID"; + private static final String JSON_OUTPUT_TYPE = "json"; + private static final String CSV_OUTPUT_TYPE = "csv"; /** @@ -109,7 +111,7 @@ public class StatisticsServlet extends BaseServlet { // check Accept: header?? resp.setStatus(HttpServletResponse.SC_OK); resp.setContentType(LOGLIST_CONTENT_TYPE); - String outputType = "json"; + String outputType = JSON_OUTPUT_TYPE; if (req.getParameter(FEEDID) == null && req.getParameter(GROUPID) == null) { try { resp.getOutputStream().print("Invalid request, Feedid or Group ID is required."); @@ -153,8 +155,12 @@ public class StatisticsServlet extends BaseServlet { if (req.getParameter("type") != null) { map.put(EVENT_TYPE, req.getParameter("type").replace("|", ",")); } - if (req.getParameter(OUTPUT_TYPE) != null) { - map.put(OUTPUT_TYPE, req.getParameter(OUTPUT_TYPE)); + if (req.getParameter(OUTPUT_TYPE) != null && req.getParameter(OUTPUT_TYPE).equals(CSV_OUTPUT_TYPE)) { + map.put(OUTPUT_TYPE, req.getParameter(CSV_OUTPUT_TYPE)); + outputType = CSV_OUTPUT_TYPE; + } + if (req.getParameter(OUTPUT_TYPE) != null && req.getParameter(OUTPUT_TYPE).equals(JSON_OUTPUT_TYPE)) { + map.put(OUTPUT_TYPE, req.getParameter(JSON_OUTPUT_TYPE)); } if (req.getParameter(START_TIME) != null) { map.put(START_TIME, req.getParameter(START_TIME)); @@ -166,9 +172,6 @@ public class StatisticsServlet extends BaseServlet { map.put(START_TIME, req.getParameter("time")); map.put(END_TIME, null); } - if (req.getParameter(OUTPUT_TYPE) != null) { - outputType = req.getParameter(OUTPUT_TYPE); - } try { this.getRecordsForSQL(map, outputType, resp.getOutputStream(), resp); } catch (IOException ioe) { @@ -511,7 +514,7 @@ public class StatisticsServlet extends BaseServlet { try (Connection conn = ProvDbUtils.getInstance().getConnection(); PreparedStatement ps = conn.prepareStatement(filterQuery); ResultSet rs = ps.executeQuery()) { - if ("csv".equals(outputType)) { + if (CSV_OUTPUT_TYPE.equals(outputType)) { resp.setContentType("application/octet-stream"); DateTimeFormatter formatter = DateTimeFormatter.ofPattern("dd-MM-yyyy HH:mm:ss"); resp.setHeader("Content-Disposition", -- cgit 1.2.3-korg