summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuangrongFu <fu.guangrong@zte.com.cn>2021-06-08 13:59:18 +0800
committerGuangrongFu <fu.guangrong@zte.com.cn>2021-06-08 14:06:16 +0800
commitbe5ca2b68e80688677d75e5f688199511745570b (patch)
tree11715da7718c00dcf014bfe72f90e78f07b1d1a2
parent4242b93bdf5079fee5339a50d8126e4ea56ad9b6 (diff)
Trying to fix the XSS problem
Change-Id: I7cb2604d886dba0c13c5c182c59f7d0991bd3ab6 Issue-ID: HOLMES-453 Signed-off-by: GuangrongFu <fu.guangrong@zte.com.cn>
-rw-r--r--holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdFilter.java41
-rw-r--r--holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtils.java17
-rw-r--r--holmes-actions/src/test/java/org/onap/holmes/common/utils/transactionid/TransactionIdFilterTest.java13
-rw-r--r--holmes-actions/src/test/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtilsTest.java35
4 files changed, 82 insertions, 24 deletions
diff --git a/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdFilter.java b/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdFilter.java
index 3b12399..f72466d 100644
--- a/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdFilter.java
+++ b/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdFilter.java
@@ -1,12 +1,12 @@
/**
- * Copyright 2018 ZTE Corporation.
- *
+ * Copyright 2018 - 2021 ZTE Corporation.
+ * <p>
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -15,15 +15,6 @@
*/
package org.onap.holmes.common.utils.transactionid;
-import java.io.IOException;
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.jvnet.hk2.annotations.Service;
@@ -31,6 +22,12 @@ import org.slf4j.MDC;
import org.slf4j.Marker;
import org.slf4j.MarkerFactory;
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.UUID;
+
@Service
@Slf4j
@@ -40,19 +37,21 @@ public class TransactionIdFilter implements Filter {
public static final Marker ENTRY = MarkerFactory.getMarker("ENTRY");
public static final Marker EXIT = MarkerFactory.getMarker("EXIT");
+ private static final String DEFAULT_REQUEST_ID = UUID.randomUUID().toString();
+
static {
INVOKE_SYNCHRONOUS = MarkerFactory.getMarker("INVOKE");
INVOKE_SYNCHRONOUS.add(MarkerFactory.getMarker("SYNCHRONOUS"));
}
@Override
- public void init(FilterConfig filterConfig) throws ServletException {
+ public void init(FilterConfig filterConfig) {
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
- FilterChain filterChain) throws IOException, ServletException {
+ FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
AddHeadersHttpServletRequestWrapper requestWithTransactionId = new AddHeadersHttpServletRequestWrapper(
httpServletRequest);
@@ -60,10 +59,16 @@ public class TransactionIdFilter implements Filter {
String requestID = ensureTransactionIdIsPresent(requestWithTransactionId);
HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
- httpServletResponse.setHeader(TransactionIdUtils.REQUEST_ID_HEADER, requestID);
+ if (TransactionIdUtils.validate(requestID)) {
+ httpServletResponse.setHeader(TransactionIdUtils.REQUEST_ID_HEADER, requestID);
+ } else {
+ log.warn("A mal-formatted request ID has been detected: {}. It will be replaced by the default ID: {}",
+ requestID, DEFAULT_REQUEST_ID);
+ requestID = DEFAULT_REQUEST_ID;
+ }
String invocationID = TransactionIdUtils.getUUID();
- httpServletResponse.setHeader(TransactionIdUtils.INVOCATIONIDID_HEADER,invocationID);
+ httpServletResponse.setHeader(TransactionIdUtils.INVOCATIONIDID_HEADER, invocationID);
MDC.put("RequestID", requestID);
MDC.put("InvocationID", invocationID);
diff --git a/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtils.java b/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtils.java
index be61b92..7d04257 100644
--- a/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtils.java
+++ b/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtils.java
@@ -1,12 +1,12 @@
/**
* Copyright 2018 ZTE Corporation.
- *
+ * <p>
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -17,12 +17,21 @@ package org.onap.holmes.common.utils.transactionid;
import lombok.extern.slf4j.Slf4j;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
@Slf4j
public class TransactionIdUtils {
public static final String REQUEST_ID_HEADER = "X-TransactionID";
public static final String INVOCATIONIDID_HEADER = "X-InvocationID";
+ private static final Pattern UUID_PATTERN = Pattern.compile("[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}");
public static String getUUID() {
return java.util.UUID.randomUUID().toString();
}
+
+ public static boolean validate(String uuid) {
+ Matcher matcher = UUID_PATTERN.matcher(uuid);
+ return matcher.matches();
+ }
}
diff --git a/holmes-actions/src/test/java/org/onap/holmes/common/utils/transactionid/TransactionIdFilterTest.java b/holmes-actions/src/test/java/org/onap/holmes/common/utils/transactionid/TransactionIdFilterTest.java
index 3ef092e..cfbf747 100644
--- a/holmes-actions/src/test/java/org/onap/holmes/common/utils/transactionid/TransactionIdFilterTest.java
+++ b/holmes-actions/src/test/java/org/onap/holmes/common/utils/transactionid/TransactionIdFilterTest.java
@@ -1,5 +1,5 @@
/**
- * Copyright 2018 ZTE Corporation.
+ * Copyright 2018 - 2021 ZTE Corporation.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -38,11 +38,13 @@ public class TransactionIdFilterTest {
responseMock = EasyMock.createMock(HttpServletResponse.class);
chainMock = EasyMock.createMock(FilterChain.class);
}
+
@Test
public void callsChainDoFilter() throws Exception {
filter.doFilter(requestMock, responseMock, chainMock);
EasyMock.verify();
}
+
@Test
public void requestIdExistTest() throws Exception{
String requestID = TransactionIdUtils.getUUID();
@@ -51,8 +53,15 @@ public class TransactionIdFilterTest {
EasyMock.replay(requestMock);
filter.doFilter(requestMock, responseMock, chainMock);
EasyMock.verify();
-
}
+ @Test
+ public void requestIdInvalidRerquestId() throws Exception{
+ String requestID = "TransactionIdUtils.getUUID()";
+ EasyMock.expect(requestMock.getHeader(TransactionIdUtils.REQUEST_ID_HEADER)).andReturn(requestID);
+ EasyMock.replay(requestMock);
+ filter.doFilter(requestMock, responseMock, chainMock);
+ EasyMock.verify();
+ }
} \ No newline at end of file
diff --git a/holmes-actions/src/test/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtilsTest.java b/holmes-actions/src/test/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtilsTest.java
new file mode 100644
index 0000000..a9684af
--- /dev/null
+++ b/holmes-actions/src/test/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtilsTest.java
@@ -0,0 +1,35 @@
+/**
+ * Copyright 2021 ZTE Corporation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onap.holmes.common.utils.transactionid;
+
+import org.junit.Test;
+
+import static org.hamcrest.core.Is.is;
+import static org.junit.Assert.assertThat;
+
+public class TransactionIdUtilsTest {
+
+ @Test
+ public void validate_is_uuid() {
+ assertThat(TransactionIdUtils.validate(TransactionIdUtils.getUUID()), is(true));
+ }
+
+ @Test
+ public void validate_not_uuid() {
+ assertThat(TransactionIdUtils.validate("a-random-string"), is(false));
+ }
+} \ No newline at end of file