From 03e14b304e651a35b8752b6e5e89c9d30696f12f Mon Sep 17 00:00:00 2001
From: Conor Ward
Date: Fri, 14 Sep 2018 16:18:19 +0000
Subject: Fix SubscribeServlet Vulnerabilities
Change-Id: I38ac582eb5789918c50e3429ad7ae4e2524bb29a
Signed-off-by: Conor Ward
Issue-ID: DMAAP-775
---
 .../datarouter/provisioning/SubscribeServlet.java | 66 ++++++++++++++--------
 1 file changed, 42 insertions(+), 24 deletions(-)
(limited to 'datarouter-prov/src')
diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscribeServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscribeServlet.java
index 21d391e5..e8828f12 100644
--- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscribeServlet.java
+++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscribeServlet.java
@@ -42,6 +42,8 @@ import org.onap.dmaap.datarouter.provisioning.utils.JSONUtilities;
 import com.att.eelf.configuration.EELFLogger;
 import com.att.eelf.configuration.EELFManager;
+import static org.onap.dmaap.datarouter.provisioning.utils.HttpServletUtils.sendResponseError;
+
 /**
 * This servlet handles provisioning for the <subscribeURL> which is generated by the provisioning server to handle the creation and inspection of subscriptions to a specific feed.
@@ -60,7 +62,7 @@ public class SubscribeServlet extends ProxyServlet {
 * DELETE on the <subscribeUrl> -- not supported.
 */
 @Override
- public void doDelete(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ public void doDelete(HttpServletRequest req, HttpServletResponse resp) {
 setIpAndFqdnForEelf("doDelete");
 eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_SUBID, req.getHeader(BEHALF_HEADER), getIdFromPath(req) + "");
 String message = "DELETE not allowed for the subscribeURL.";
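Review bot: Dropping `throws IOException` from the doDelete override (hunk @@ -60,7 +62,7 @@) changes the method's contract — response-write failures are now dealt with inside the method instead of reaching the container — but the Javadoc `DELETE on the <subscribeUrl> -- not supported.` does not say so. Add a sentence to that Javadoc along the lines of `I/O errors while writing the response are not propagated; they are reported through eventlogger (see sendResponseError).`, hedging on what sendResponseError does since its body is not in this diff. The same note applies to the doGet, doPut and doPost overrides, whose signatures change the same way in later hunks. The body of doDelete continues past this hunk.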
@@ -68,7 +70,7 @@ public class SubscribeServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, message);
+ sendResponseError(resp, HttpServletResponse.SC_METHOD_NOT_ALLOWED, message, eventlogger);
 }
 /**
@@ -76,7 +78,7 @@ public class SubscribeServlet extends ProxyServlet {
 * Query section in the Provisioning API document for details on how this method should be invoked.
 */
 @Override
- public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ public void doGet(HttpServletRequest req, HttpServletResponse resp) {
 setIpAndFqdnForEelf("doGet");
 eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_SUBID, req.getHeader(BEHALF_HEADER), getIdFromPath(req) + "");
 EventLogRecord elr = new EventLogRecord(req);
@@ -85,11 +87,15 @@ public class SubscribeServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_FORBIDDEN);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_FORBIDDEN, message);
+ sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger);
 return;
 }
 if (isProxyServer()) {
- super.doGet(req, resp);
+ try {
+ super.doGet(req, resp);
+ } catch (IOException ioe) {
+ eventlogger.error("IOException: " + ioe.getMessage());
+ }
 return;
 }
 String bhdr = req.getHeader(BEHALF_HEADER);
@@ -98,7 +104,7 @@ public class SubscribeServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
 return;
 }
 int feedid = getIdFromPath(req);
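Review bot: In the proxy branch of doGet (hunk @@ -85,11 +87,15 @@) an IOException from super.doGet is now caught, logged and then ignored, so the method returns without having set any status; previously the exception propagated and the container turned it into an error response, whereas now the client receives whatever default the container applies to an unwritten response. The catch block should still report the failure when it can, e.g. `if (!resp.isCommitted()) { sendResponseError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Proxy request failed", eventlogger); }`, and it should log the exception object rather than only `ioe.getMessage()`, which drops the stack trace and cause. The same pattern is introduced in the doPost proxy branch (hunk @@ -171,11 +181,15 @@) and around the two `resp.getOutputStream().print(...)` calls (hunks @@ -139,14 +145,18 @@ and @@ -280,7 +294,11 @@), where a failed write is logged after a 200/201 status has already been set. What sendResponseError itself does on an I/O failure is not visible in this diff, so whether it also swallows errors should be checked in HttpServletUtils.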
@@ -107,7 +113,7 @@ public class SubscribeServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
 return;
 }
 Feed feed = Feed.getFeedById(feedid);
@@ -116,7 +122,7 @@ public class SubscribeServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_NOT_FOUND);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_NOT_FOUND, message);
+ sendResponseError(resp, HttpServletResponse.SC_NOT_FOUND, message, eventlogger);
 return;
 }
 // Check with the Authorizer
@@ -126,7 +132,7 @@ public class SubscribeServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_FORBIDDEN);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_FORBIDDEN, message);
+ sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger);
 return;
 }
@@ -139,14 +145,18 @@ public class SubscribeServlet extends ProxyServlet {
 eventlogger.info(elr);
 resp.setStatus(HttpServletResponse.SC_OK);
 resp.setContentType(SUBLIST_CONTENT_TYPE);
- resp.getOutputStream().print(t);
+ try {
+ resp.getOutputStream().print(t);
+ } catch (IOException ioe) {
+ eventlogger.error("IOException: " + ioe.getMessage());
+ }
 }
 /**
 * PUT on the <subscribeUrl> -- not supported.
 */
 @Override
- public void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ public void doPut(HttpServletRequest req, HttpServletResponse resp) {
 setIpAndFqdnForEelf("doPut");
 eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_SUBID, req.getHeader(BEHALF_HEADER), getIdFromPath(req) + "");
 String message = "PUT not allowed for the subscribeURL.";
@@ -154,7 +164,7 @@ public class SubscribeServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, message);
+ sendResponseError(resp, HttpServletResponse.SC_METHOD_NOT_ALLOWED, message, eventlogger);
 }
 /**
@@ -171,11 +181,15 @@ public class SubscribeServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_FORBIDDEN);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_FORBIDDEN, message);
+ sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger);
 return;
 }
 if (isProxyServer()) {
- super.doPost(req, resp);
+ try {
+ super.doPost(req, resp);
+ } catch (IOException ioe) {
+ eventlogger.error("IOException: " + ioe.getMessage());
+ }
 return;
 }
 String bhdr = req.getHeader(BEHALF_HEADER);
@@ -184,7 +198,7 @@ public class SubscribeServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
 return;
 }
 int feedid = getIdFromPath(req);
@@ -193,7 +207,7 @@ public class SubscribeServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
 return;
 }
 Feed feed = Feed.getFeedById(feedid);
@@ -202,7 +216,7 @@ public class SubscribeServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_NOT_FOUND);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_NOT_FOUND, message);
+ sendResponseError(resp, HttpServletResponse.SC_NOT_FOUND, message, eventlogger);
 return;
 }
 // Check with the Authorizer
@@ -212,7 +226,7 @@ public class SubscribeServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_FORBIDDEN);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_FORBIDDEN, message);
+ sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger);
 return;
 }
@@ -225,7 +239,7 @@ public class SubscribeServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, message);
+ sendResponseError(resp, HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, message, eventlogger);
 return;
 }
 JSONObject jo = getJSONfromInput(req);
@@ -234,7 +248,7 @@ public class SubscribeServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
 return;
 }
 if (intlogger.isDebugEnabled()) {
@@ -246,7 +260,7 @@ public class SubscribeServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_CONFLICT);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_CONFLICT, message);
+ sendResponseError(resp, HttpServletResponse.SC_CONFLICT, message, eventlogger);
 return;
 }
 Subscription sub = null;
@@ -258,7 +272,7 @@ public class SubscribeServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
 return;
 }
 sub.setFeedid(feedid);
@@ -280,7 +294,11 @@ public class SubscribeServlet extends ProxyServlet {
 resp.setStatus(HttpServletResponse.SC_CREATED);
 resp.setContentType(SUBFULL_CONTENT_TYPE);
 resp.setHeader("Location", sub.getLinks().getSelf());
- resp.getOutputStream().print(sub.asLimitedJSONObject().toString());
+ try {
+ resp.getOutputStream().print(sub.asLimitedJSONObject().toString());
+ } catch (IOException ioe) {
+ eventlogger.error("IOException: " + ioe.getMessage());
+ }
 provisioningDataChanged();
 } else {
@@ -288,7 +306,7 @@ public class SubscribeServlet extends ProxyServlet {
 activeSubs--;
 elr.setResult(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG);
+ sendResponseError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG, eventlogger);
 }
 }
 }
-- cgit 1.2.3-korg