From 7fc63309a08cfee169c4643b108aa2a8f41d692b Mon Sep 17 00:00:00 2001 From: Bogumil Zebek Date: Tue, 21 Apr 2020 11:24:14 +0200 Subject: Fix security vulnerable User provided data, such as URL parameters, POST data payloads or cookies, should always be considered untrusted and tainted. Applications logging tainted data could enable an attacker to inject characters that would break the log file pattern. This could be used to block monitors and SIEM (Security Information and Event Management) systems from detecting other malicious events. This problem could be mitigated by sanitizing the user provided data before logging it. Issue-ID: INT-1517 Signed-off-by: Zebek Bogumil Change-Id: Ifc4cd24daba49c3fe2e41a5709a87d5cf3daa642 --- .../main/java/org/onap/pnfsimulator/rest/SimulatorController.java | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'pnfsimulator/src/main') diff --git a/pnfsimulator/src/main/java/org/onap/pnfsimulator/rest/SimulatorController.java b/pnfsimulator/src/main/java/org/onap/pnfsimulator/rest/SimulatorController.java index 75a7b74..3647ecc 100644 --- a/pnfsimulator/src/main/java/org/onap/pnfsimulator/rest/SimulatorController.java +++ b/pnfsimulator/src/main/java/org/onap/pnfsimulator/rest/SimulatorController.java @@ -82,6 +82,7 @@ public class SimulatorController { private static final Marker ENTRY = MarkerFactory.getMarker("ENTRY"); private static final String INCORRECT_TEMPLATE_MESSAGE = "Cannot start simulator, template %s is not in valid format: %s"; private static final String NOT_EXISTING_TEMPLATE = "Cannot start simulator - template %s not found."; + private static final String BREAKING_CHARACTER_REGEX = "[\n|\r|\t]"; private final DateFormat responseDateFormat = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss,SSS"); private final SimulatorService simulatorService; private EventDataService eventDataService; @@ -163,7 +164,7 @@ public class SimulatorController { @PostMapping("cancel/{jobName}") public ResponseEntity cancelEvent(@PathVariable String jobName) throws SchedulerException { - LOGGER.info(ENTRY, "Cancel called on {}.", jobName); + LOGGER.info(ENTRY, "Cancel called on {}.", replaceBreakingCharacters(jobName)); boolean isCancelled = simulatorService.cancelEvent(jobName); return createCancelEventResponse(isCancelled); } @@ -184,6 +185,10 @@ public class SimulatorController { return buildResponse(ACCEPTED, ImmutableMap.of(MESSAGE, "One-time direct event sent successfully")); } + private String replaceBreakingCharacters(String jobName) { + return jobName.replaceAll(BREAKING_CHARACTER_REGEX, "_"); + } + private ResponseEntity processRequest(SimulatorRequest triggerEventRequest) throws IOException, SchedulerException, GeneralSecurityException { -- cgit 1.2.3-korg