From 47613cbd6f6b96c4b1b5de9eb35997b4bc7f1574 Mon Sep 17 00:00:00 2001 From: Conor Ward Date: Sat, 15 Sep 2018 10:33:20 +0000 Subject: Fix GroupServlet Vulnerabilities Change-Id: I51c0546dcdbbc059db277744218f2b00a2001556 Signed-off-by: Conor Ward Issue-ID: DMAAP-775 --- .../datarouter/provisioning/GroupServlet.java | 97 +++++++++++++--------- 1 file changed, 58 insertions(+), 39 deletions(-) (limited to 'datarouter-prov/src/main') diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/GroupServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/GroupServlet.java index 8537ff4b..96a9924f 100644 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/GroupServlet.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/GroupServlet.java @@ -26,18 +26,15 @@ package org.onap.dmaap.datarouter.provisioning; import java.io.IOException; import java.io.InvalidObjectException; -import java.util.Collection; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.json.JSONObject; -import org.onap.dmaap.datarouter.authz.AuthorizationResponse; -import org.onap.dmaap.datarouter.provisioning.BaseServlet.ContentHeader; import org.onap.dmaap.datarouter.provisioning.beans.EventLogRecord; import org.onap.dmaap.datarouter.provisioning.beans.Group; -import org.onap.dmaap.datarouter.provisioning.beans.Subscription; -import org.onap.dmaap.datarouter.provisioning.utils.JSONUtilities; + +import static org.onap.dmaap.datarouter.provisioning.utils.HttpServletUtils.sendResponseError; /** * This servlet handles provisioning for the <groups> which is generated by the provisioning @@ -53,13 +50,13 @@ public class GroupServlet extends ProxyServlet { * DELETE on the <GRUPS> -- not supported. */ @Override - public void doDelete(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void doDelete(HttpServletRequest req, HttpServletResponse resp) { String message = "DELETE not allowed for the GROUPS."; EventLogRecord elr = new EventLogRecord(req); elr.setMessage(message); elr.setResult(HttpServletResponse.SC_METHOD_NOT_ALLOWED); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, message); + sendResponseError(resp, HttpServletResponse.SC_METHOD_NOT_ALLOWED, message, eventlogger); } /** * GET on the the list of groups to a feed/sub. @@ -67,18 +64,22 @@ public class GroupServlet extends ProxyServlet { * document for details on how this method should be invoked. */ @Override - public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void doGet(HttpServletRequest req, HttpServletResponse resp) { EventLogRecord elr = new EventLogRecord(req); String message = isAuthorizedForProvisioning(req); if (message != null) { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_FORBIDDEN); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_FORBIDDEN, message); + sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); return; } if (isProxyServer()) { - super.doGet(req, resp); + try { + super.doGet(req, resp); + } catch (IOException ioe) { + eventlogger.error("IOException" + ioe.getMessage()); + } return; } String bhdr = req.getHeader(BEHALF_HEADER); @@ -87,7 +88,7 @@ public class GroupServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } @@ -122,7 +123,7 @@ public class GroupServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } @@ -132,7 +133,11 @@ public class GroupServlet extends ProxyServlet { eventlogger.info(elr); resp.setStatus(HttpServletResponse.SC_OK); resp.setContentType(GROUPFULL_CONTENT_TYPE); - resp.getOutputStream().print(gup.asJSONObject().toString()); + try { + resp.getOutputStream().print(gup.asJSONObject().toString()); + } catch (IOException ioe) { + eventlogger.error("IOException" + ioe.getMessage()); + } // Display a list of Groups /*Collection list = Group.getGroupById(groupid); @@ -149,18 +154,22 @@ public class GroupServlet extends ProxyServlet { * PUT on the <GROUPS> -- not supported. */ @Override - public void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void doPut(HttpServletRequest req, HttpServletResponse resp) { EventLogRecord elr = new EventLogRecord(req); String message = isAuthorizedForProvisioning(req); if (message != null) { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_FORBIDDEN); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_FORBIDDEN, message); + sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); return; } if (isProxyServer()) { - super.doPut(req, resp); + try { + super.doPut(req, resp); + } catch (IOException ioe) { + eventlogger.error("IOException" + ioe.getMessage()); + } return; } String bhdr = req.getHeader(BEHALF_HEADER); @@ -169,7 +178,7 @@ public class GroupServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } int groupid = getIdFromPath(req); @@ -178,7 +187,7 @@ public class GroupServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } Group oldgup = Group.getGroupById(groupid); @@ -187,7 +196,7 @@ public class GroupServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_NOT_FOUND); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_NOT_FOUND, message); + sendResponseError(resp, HttpServletResponse.SC_NOT_FOUND, message, eventlogger); return; } // Check with the Authorizer @@ -208,7 +217,7 @@ public class GroupServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, message); + sendResponseError(resp, HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, message, eventlogger); return; } JSONObject jo = getJSONfromInput(req); @@ -217,12 +226,12 @@ public class GroupServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } if (intlogger.isDebugEnabled()) intlogger.debug(jo.toString()); - Group gup = null; + Group gup; try { gup = new Group(jo); } catch (InvalidObjectException e) { @@ -230,17 +239,15 @@ public class GroupServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } gup.setGroupid(oldgup.getGroupid()); - - Group gb2 = Group.getGroupMatching(gup, oldgup.getGroupid()); if (gb2 != null) { eventlogger.warn("PROV0011 Creating a duplicate Group: "+gup.getName()); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Duplicate Group:"+gup.getName()); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, "Duplicate Group:"+gup.getName(), eventlogger); return; } @@ -251,13 +258,17 @@ public class GroupServlet extends ProxyServlet { eventlogger.info(elr); resp.setStatus(HttpServletResponse.SC_OK); resp.setContentType(GROUPFULL_CONTENT_TYPE); - resp.getOutputStream().print(gup.asJSONObject().toString()); + try { + resp.getOutputStream().print(gup.asJSONObject().toString()); + } catch (IOException ioe) { + eventlogger.error("IOException" + ioe.getMessage()); + } provisioningDataChanged(); } else { // Something went wrong with the UPDATE elr.setResult(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG); + sendResponseError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG, eventlogger); } } /** @@ -266,18 +277,22 @@ public class GroupServlet extends ProxyServlet { * document for details on how this method should be invoked. */ @Override - public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void doPost(HttpServletRequest req, HttpServletResponse resp) { EventLogRecord elr = new EventLogRecord(req); String message = isAuthorizedForProvisioning(req); if (message != null) { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_FORBIDDEN); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_FORBIDDEN, message); + sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); return; } if (isProxyServer()) { - super.doPost(req, resp); + try { + super.doPost(req, resp); + } catch (IOException ioe) { + eventlogger.error("IOException" + ioe.getMessage()); + } return; } String bhdr = req.getHeader(BEHALF_HEADER); @@ -286,7 +301,7 @@ public class GroupServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } /*int feedid = getIdFromPath(req); @@ -327,7 +342,7 @@ public class GroupServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, message); + sendResponseError(resp, HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, message, eventlogger); return; } JSONObject jo = getJSONfromInput(req); @@ -336,13 +351,13 @@ public class GroupServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } if (intlogger.isDebugEnabled()) intlogger.debug(jo.toString()); - Group gup = null; + Group gup; try { gup = new Group(jo); } catch (InvalidObjectException e) { @@ -350,7 +365,7 @@ public class GroupServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } //gup.setFeedid(feedid); @@ -361,7 +376,7 @@ public class GroupServlet extends ProxyServlet { if (gb2 != null) { eventlogger.warn("PROV0011 Creating a duplicate Group: "+gup.getName()); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Duplicate Group:"+gup.getName()); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, "Duplicate Group:"+gup.getName(), eventlogger); return; } @@ -373,13 +388,17 @@ public class GroupServlet extends ProxyServlet { eventlogger.info(elr); resp.setStatus(HttpServletResponse.SC_CREATED); resp.setContentType(GROUPFULL_CONTENT_TYPE); - resp.getOutputStream().print(gup.asJSONObject().toString()); + try { + resp.getOutputStream().print(gup.asJSONObject().toString()); + } catch (IOException ioe) { + eventlogger.error("IOException" + ioe.getMessage()); + } provisioningDataChanged(); } else { // Something went wrong with the INSERT elr.setResult(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG); + sendResponseError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG, eventlogger); } } } -- cgit 1.2.3-korg