From 731b3831655b1673e71d023aa516904f96daaf2a Mon Sep 17 00:00:00 2001 From: Conor Ward Date: Fri, 21 Sep 2018 12:44:11 +0000 Subject: Fix LogServlet Vulnerabilities Change-Id: Ifcd5f535e1f554e0d6cd0a154ca59239806fa363 Signed-off-by: Conor Ward Issue-ID: DMAAP-775 --- .../dmaap/datarouter/provisioning/LogServlet.java | 96 +++++++++++----------- 1 file changed, 50 insertions(+), 46 deletions(-) diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/LogServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/LogServlet.java index 101c9e6f..cdc23311 100644 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/LogServlet.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/LogServlet.java @@ -39,7 +39,6 @@ import javax.servlet.ServletOutputStream; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import org.apache.log4j.Logger; import org.onap.dmaap.datarouter.provisioning.beans.DeliveryRecord; import org.onap.dmaap.datarouter.provisioning.beans.EventLogRecord; import org.onap.dmaap.datarouter.provisioning.beans.ExpiryRecord; @@ -53,6 +52,8 @@ import org.onap.dmaap.datarouter.provisioning.utils.LOGJSONObject; import com.att.eelf.configuration.EELFLogger; import com.att.eelf.configuration.EELFManager; +import static org.onap.dmaap.datarouter.provisioning.utils.HttpServletUtils.sendResponseError; + /** * This servlet handles requests to the <feedLogURL> and <subLogURL>, * which are generated by the provisioning server to handle the log query API. @@ -65,8 +66,8 @@ public class LogServlet extends BaseServlet { //Adding EELF Logger Rally:US664892 private static EELFLogger eelflogger = EELFManager.getInstance().getLogger("org.onap.dmaap.datarouter.provisioning.LogServlet"); private static final long TWENTYFOUR_HOURS = (24 * 60 * 60 * 1000L); - private static final String fmt1 = "yyyy-MM-dd'T'HH:mm:ss'Z'"; - private static final String fmt2 = "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"; + private static final String FMT_1 = "yyyy-MM-dd'T'HH:mm:ss'Z'"; + private static final String FMT_2 = "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"; private static boolean isfeedlog; @@ -145,7 +146,7 @@ public class LogServlet extends BaseServlet { * DELETE a logging URL -- not supported. */ @Override - public void doDelete(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void doDelete(HttpServletRequest req, HttpServletResponse resp) { setIpAndFqdnForEelf("doDelete"); eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_FEEDID, req.getHeader(BEHALF_HEADER),getIdFromPath(req)+""); String message = "DELETE not allowed for the logURL."; @@ -153,76 +154,79 @@ public class LogServlet extends BaseServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_METHOD_NOT_ALLOWED); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, message); + sendResponseError(resp, HttpServletResponse.SC_METHOD_NOT_ALLOWED, message, eventlogger); } /** * GET a logging URL -- retrieve logging data for a feed or subscription. * See the Logging API document for details on how this method should be invoked. */ @Override - public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void doGet(HttpServletRequest req, HttpServletResponse resp) { setIpAndFqdnForEelf("doGet"); eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_FEEDID, req.getHeader(BEHALF_HEADER),getIdFromPath(req)+""); int id = getIdFromPath(req); if (id < 0) { - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing or bad feed/subscription number."); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, "Missing or bad feed/subscription number.", eventlogger); return; } Map map = buildMapFromRequest(req); if (map.get("err") != null) { - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid arguments: "+map.get("err")); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, "Invalid arguments: "+map.get("err"), eventlogger); return; } // check Accept: header?? resp.setStatus(HttpServletResponse.SC_OK); resp.setContentType(LOGLIST_CONTENT_TYPE); - @SuppressWarnings("resource") - ServletOutputStream out = resp.getOutputStream(); - final String fields = req.getParameter("fields"); - out.print("["); - if (isfeedlog) { - // Handle /feedlog/feedid request - boolean firstrow = true; + try (ServletOutputStream out = resp.getOutputStream()) { + final String fields = req.getParameter("fields"); + + out.print("["); + if (isfeedlog) { + // Handle /feedlog/feedid request + boolean firstrow = true; - // 1. Collect publish records for this feed - RowHandler rh = new PublishRecordRowHandler(out, fields, firstrow); - getPublishRecordsForFeed(id, rh, map); - firstrow = rh.firstrow; + // 1. Collect publish records for this feed + RowHandler rh = new PublishRecordRowHandler(out, fields, firstrow); + getPublishRecordsForFeed(id, rh, map); + firstrow = rh.firstrow; - // 2. Collect delivery records for subscriptions to this feed - rh = new DeliveryRecordRowHandler(out, fields, firstrow); - getDeliveryRecordsForFeed(id, rh, map); - firstrow = rh.firstrow; + // 2. Collect delivery records for subscriptions to this feed + rh = new DeliveryRecordRowHandler(out, fields, firstrow); + getDeliveryRecordsForFeed(id, rh, map); + firstrow = rh.firstrow; - // 3. Collect expiry records for subscriptions to this feed - rh = new ExpiryRecordRowHandler(out, fields, firstrow); - getExpiryRecordsForFeed(id, rh, map); - } else { - // Handle /sublog/subid request - Subscription sub = Subscription.getSubscriptionById(id); - if (sub != null) { - // 1. Collect publish records for the feed this subscription feeds - RowHandler rh = new PublishRecordRowHandler(out, fields, true); - getPublishRecordsForFeed(sub.getFeedid(), rh, map); + // 3. Collect expiry records for subscriptions to this feed + rh = new ExpiryRecordRowHandler(out, fields, firstrow); + getExpiryRecordsForFeed(id, rh, map); + } else { + // Handle /sublog/subid request + Subscription sub = Subscription.getSubscriptionById(id); + if (sub != null) { + // 1. Collect publish records for the feed this subscription feeds + RowHandler rh = new PublishRecordRowHandler(out, fields, true); + getPublishRecordsForFeed(sub.getFeedid(), rh, map); - // 2. Collect delivery records for this subscription - rh = new DeliveryRecordRowHandler(out, fields, rh.firstrow); - getDeliveryRecordsForSubscription(id, rh, map); + // 2. Collect delivery records for this subscription + rh = new DeliveryRecordRowHandler(out, fields, rh.firstrow); + getDeliveryRecordsForSubscription(id, rh, map); - // 3. Collect expiry records for this subscription - rh = new ExpiryRecordRowHandler(out, fields, rh.firstrow); - getExpiryRecordsForSubscription(id, rh, map); + // 3. Collect expiry records for this subscription + rh = new ExpiryRecordRowHandler(out, fields, rh.firstrow); + getExpiryRecordsForSubscription(id, rh, map); + } } + out.print("]"); + } catch (IOException ioe) { + eventlogger.error("IOException: " + ioe.getMessage()); } - out.print("\n]"); } /** * PUT a logging URL -- not supported. */ @Override - public void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void doPut(HttpServletRequest req, HttpServletResponse resp) { setIpAndFqdnForEelf("doPut"); eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_FEEDID, req.getHeader(BEHALF_HEADER),getIdFromPath(req)+""); String message = "PUT not allowed for the logURL."; @@ -230,13 +234,13 @@ public class LogServlet extends BaseServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_METHOD_NOT_ALLOWED); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, message); + sendResponseError(resp, HttpServletResponse.SC_METHOD_NOT_ALLOWED, message, eventlogger); } /** * POST a logging URL -- not supported. */ @Override - public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void doPost(HttpServletRequest req, HttpServletResponse resp) { setIpAndFqdnForEelf("doPost"); eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF, req.getHeader(BEHALF_HEADER)); String message = "POST not allowed for the logURL."; @@ -244,11 +248,11 @@ public class LogServlet extends BaseServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_METHOD_NOT_ALLOWED); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, message); + sendResponseError(resp, HttpServletResponse.SC_METHOD_NOT_ALLOWED, message, eventlogger); } private Map buildMapFromRequest(HttpServletRequest req) { - Map map = new HashMap(); + Map map = new HashMap<>(); String s = req.getParameter("type"); if (s != null) { if (s.equals("pub") || s.equals("del") || s.equals("exp")) { @@ -341,7 +345,7 @@ public class LogServlet extends BaseServlet { return 0; try { // First, look for an RFC 3339 date - String fmt = (s.indexOf('.') > 0) ? fmt2 : fmt1; + String fmt = (s.indexOf('.') > 0) ? FMT_2 : FMT_1; SimpleDateFormat sdf = new SimpleDateFormat(fmt); Date d = sdf.parse(s); return d.getTime(); -- cgit 1.2.3-korg