author | Carsten Lund <lund@research.att.com> | 2017-06-09 16:28:10 +0000 |
---|---|---|
committer | Carsten Lund <lund@research.att.com> | 2017-06-09 16:28:10 +0000 |
commit | 56cb73914fd05db40417a6219b5968c8eea8a0b6 (patch) | |
tree | ce0e9cfac07b1d51a493e305ab54bdecf5c65c42 /ncomp-utils-java | |
parent | 03f9567726dfa0c6af315d88c316be9cb380d8ae (diff) |
[DCAE-15] Final update for rebased code.
Change-Id: I51a54dfc3bf645684dd94e8eea9bc55313bea176
Signed-off-by: Carsten Lund <lund@research.att.com>
Diffstat (limited to 'ncomp-utils-java')
15 files changed, 206 insertions, 539 deletions
diff --git a/ncomp-utils-java/pom.xml b/ncomp-utils-java/pom.xml index 595d692..94f65d0 100644 --- a/ncomp-utils-java/pom.xml +++ b/ncomp-utils-java/pom.xml @@ -10,6 +10,10 @@ + + + + <properties> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <maven.compiler.target>1.7</maven.compiler.target> @@ -30,8 +34,7 @@ - -<build> + <build> <plugins> <plugin> <groupId>org.sonatype.plugins</groupId> @@ -114,6 +117,16 @@ <artifactId>snakeyaml</artifactId> <version>1.15</version> </dependency> + <dependency> + <groupId>commons-io</groupId> + <artifactId>commons-io</artifactId> + <version>2.5</version> + </dependency> + <dependency> + <groupId>com.mikesamuel</groupId> + <artifactId>json-sanitizer</artifactId> + <version>[1.0,)</version> + </dependency> </dependencies> 
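Review bot: The new `json-sanitizer` dependency in the `@@ -114,6 +117,16 @@` hunk is declared with the open range `<version>[1.0,)</version>`, so each build resolves whatever release is newest in the configured repositories at that moment. That makes builds non-reproducible and lets an unreviewed upstream release enter the artifact without any change in this repository. Pin an exact, reviewed version the way `commons-io` is pinned to `2.5` in the same hunk, e.g. `<version>PINNED_VERSION</version>` with the placeholder replaced by the release the team has vetted.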
@@ -131,28 +144,28 @@ <site> <id>ecomp-site</id> <url>${site.url}</url> - </site> - </distributionManagement> - - <reporting> - <plugins> - <plugin> - <groupId>org.apache.maven.plugins</groupId> - <artifactId>maven-javadoc-plugin</artifactId> - <version>2.10.4</version> - <configuration> - <failOnError>false</failOnError> - <doclet>org.umlgraph.doclet.UmlGraphDoc</doclet> - <docletArtifact> - <groupId>org.umlgraph</groupId> - <artifactId>umlgraph</artifactId> - <version>5.6</version> - </docletArtifact> - <additionalparam>-views</additionalparam> - <useStandardDocletOptions>true</useStandardDocletOptions> - </configuration> - </plugin> - </plugins> - </reporting> + </site> + </distributionManagement> + + <reporting> + <plugins> + <plugin> + <groupId>org.apache.maven.plugins</groupId> + <artifactId>maven-javadoc-plugin</artifactId> + <version>2.10.4</version> + <configuration> + <failOnError>false</failOnError> + <doclet>org.umlgraph.doclet.UmlGraphDoc</doclet> + <docletArtifact> + <groupId>org.umlgraph</groupId> + <artifactId>umlgraph</artifactId> + <version>5.6</version> + </docletArtifact> + <additionalparam>-views</additionalparam> + <useStandardDocletOptions>true</useStandardDocletOptions> + </configuration> + </plugin> + </plugins> + </reporting> </project> diff --git a/ncomp-utils-java/src/main/java/org/json/HTTP.java b/ncomp-utils-java/src/main/java/org/json/HTTP.java index ef37d2d..d3f03f7 100644 --- a/ncomp-utils-java/src/main/java/org/json/HTTP.java +++ b/ncomp-utils-java/src/main/java/org/json/HTTP.java @@ -95,7 +95,7 @@ public class HTTP { String t; t = x.nextToken(); - if (t.toUpperCase().startsWith("HTTP")) { + if (t.length() > 3 && t.substring(0,4).equalsIgnoreCase("HTTP")) { // Response diff --git a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/CryptoUtils.java b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/CryptoUtils.java index df35eb9..034bc03 100644 
--- a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/CryptoUtils.java +++ b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/CryptoUtils.java @@ -91,7 +91,7 @@ public class CryptoUtils { public static InputStream getInputStream(final InputStream in, final EncryptionType type, final String key) { final Cipher aes; - logger.debug("crypto in stream:" + PropertyUtil.replaceForLogForcingProtection(type) + " " + PropertyUtil.replaceForLogForcingProtection(key)); + logger.debug("crypto in stream:" + p(type) + " " + p(key)); try { aes = Cipher.getInstance("AES/ECB/PKCS5Padding"); switch (type) { @@ -109,6 +109,11 @@ public class CryptoUtils { throw new RuntimeException("encryption failed:" + e); } } + + private static String p(Object v) { + return SecurityUtils.logForcingProtection(v); + } + public static OutputStream getOutputStream(final OutputStream out, final EncryptionType type, final String key) { final Cipher aes; @@ -141,7 +146,7 @@ public class CryptoUtils { ByteArrayOutputStream o = new ByteArrayOutputStream(); InputStream in = null; try { - in = new FileInputStream(FileUtils.safeFileName(fileName)); + in = new FileInputStream(SecurityUtils.safeFileName(fileName)); FileUtils.copyStream(in, o); } catch (IOException e) { throw new RuntimeException("getKey failed:" + e); @@ -167,8 +172,8 @@ public class CryptoUtils { } if (command.equals("file")) { EncryptionType t = EncryptionType.valueOf(args[1].toUpperCase()); - InputStream in = new FileInputStream(FileUtils.safeFileName(args[2])); - OutputStream out = new FileOutputStream(FileUtils.safeFileName(args[3])); + InputStream in = new FileInputStream(SecurityUtils.safeFileName(args[2])); + OutputStream out = new FileOutputStream(SecurityUtils.safeFileName(args[3])); try { in = getInputStream(in, t, args[4]); FileUtils.copyStream(in, out); 
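Review bot: The rewritten `logger.debug("crypto in stream:" + p(type) + " " + p(key));` in `getInputStream` still writes the encryption key to the log; `p()` only replaces newlines, it does not redact. Anyone who can read debug logs can recover the key, so drop it from the message: `logger.debug("crypto in stream:" + p(type));`. The new `p()` helper also reaches `v.toString()` through `SecurityUtils.logForcingProtection`, so a null `key` would throw before the cipher is set up. The context line `Cipher.getInstance("AES/ECB/PKCS5Padding")` is untouched by this commit; ECB reveals equal-plaintext-block patterns and deserves a follow-up. The bodies of `getInputStream` and `getOutputStream` extend beyond these hunks.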
@@ -195,7 +200,7 @@ public class CryptoUtils { PrivateKey privateKey = keyPair.getPrivate(); FileOutputStream out = null; try { - out = new FileOutputStream(FileUtils.safeFileName(key + ".private")); + out = new FileOutputStream(SecurityUtils.safeFileName(key + ".private")); out.write(encode64(privateKey.getEncoded()).getBytes()); } catch (Exception e) { e.printStackTrace(); @@ -205,7 +210,7 @@ public class CryptoUtils { out.close(); } try { - out = new FileOutputStream(FileUtils.safeFileName(key + ".public")); + out = new FileOutputStream(SecurityUtils.safeFileName(key + ".public")); out.write(encode64(publicKey.getEncoded()).getBytes()); } catch (Exception e) { e.printStackTrace(); @@ -244,7 +249,7 @@ public class CryptoUtils { InputStream fis = null; MessageDigest complete = null; try { - fis = new FileInputStream(FileUtils.safeFileName(filename)); + fis = new FileInputStream(SecurityUtils.safeFileName(filename)); byte[] buffer = new byte[1024]; complete = MessageDigest.getInstance("MD5"); int numRead; diff --git a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/CryptoUtilsTest.java b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/CryptoUtilsTest.java index a8d2021..fd4671a 100644 --- a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/CryptoUtilsTest.java +++ b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/CryptoUtilsTest.java 
@@ -68,23 +68,27 @@ public class CryptoUtilsTest extends TestCase { digest.update("foobar".getBytes()); SecretKeySpec key1 = new SecretKeySpec(digest.digest(), 0, 16, "AES"); aes.init(Cipher.ENCRYPT_MODE, key1); - InputStream in = new FileInputStream("test/Test.txt"); - in = new CipherInputStream(in, aes); - FileOutputStream out = new FileOutputStream("test/Encrypted.txt"); + InputStream in = null; + FileOutputStream out = null; try { - FileUtils.copyStream(in, out); + in = new FileInputStream("test/Test.txt"); + CipherInputStream in2 = new CipherInputStream(in, aes); + out = new FileOutputStream("test/Encrypted.txt"); + FileUtils.copyStream(in2, out); } finally { if (in != null) in.close(); if (out != null) out.close(); } + in = null; + out = null; aes.init(Cipher.DECRYPT_MODE, key1); - in = new FileInputStream("test/Encrypted.txt"); - in = new CipherInputStream(in, aes); - out = new FileOutputStream("test/Decrypted.txt"); try { - FileUtils.copyStream(in, out); + in = new FileInputStream("test/Encrypted.txt"); + CipherInputStream in2 = new CipherInputStream(in, aes); + out = new FileOutputStream("test/Decrypted.txt"); + FileUtils.copyStream(in2, out); } finally { if (in != null) in.close(); 
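Review bot: The manual null-initialise / `finally` pattern introduced in this test (and repeated in `test_streams_2` in the next hunk) never closes the `CipherInputStream` wrapper `in2` here and relies on `@SuppressWarnings("resource")` there; try-with-resources would be shorter and closes every stream in reverse order. The pom sets `maven.compiler.target` to 1.7, so the construct should be available, assuming the source level matches. For example: `try (InputStream raw = new FileInputStream("test/Test.txt"); InputStream enc = new CipherInputStream(raw, aes); FileOutputStream out = new FileOutputStream("test/Encrypted.txt")) { FileUtils.copyStream(enc, out); }`. The test method starts and ends outside the hunk.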
@@ -95,25 +99,35 @@ public class CryptoUtilsTest extends TestCase { } @SuppressWarnings("resource") public void test_streams_2() throws Exception { - InputStream in = new FileInputStream("test/Test.txt"); - in = getInputStream(in, EncryptionType.ENCRYPT, k); - FileOutputStream out = new FileOutputStream("test/Encrypted.txt"); + InputStream in = null; + InputStream in2 = null; + FileOutputStream out = null; try { - FileUtils.copyStream(in, out); + in = new FileInputStream("test/Test.txt"); + in2 = getInputStream(in, EncryptionType.ENCRYPT, k); + out = new FileOutputStream("test/Encrypted.txt"); + FileUtils.copyStream(in2, out); } finally { if (in != null) in.close(); + if (in2 != null) + in2.close(); if (out != null) out.close(); } - in = new FileInputStream("test/Encrypted.txt"); - in = getInputStream(in, EncryptionType.DECRYPT, k); - out = new FileOutputStream("test/Decrypted.txt"); + in = null; + in2 = null; + out = null; try { - FileUtils.copyStream(in, out); + in = new FileInputStream("test/Encrypted.txt"); + in2 = getInputStream(in, EncryptionType.DECRYPT, k); + out = new FileOutputStream("test/Decrypted.txt"); + FileUtils.copyStream(in2, out); } finally { if (in != null) in.close(); + if (in2 != null) + in2.close(); if (out != null) out.close(); } diff --git a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/DiffUtilTest.java b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/DiffUtilTest.java index 9369372..d7f8187 100644 --- a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/DiffUtilTest.java +++ b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/DiffUtilTest.java 
@@ -149,12 +149,12 @@ public class DiffUtilTest extends TestCase { assertEquals("editDist random 1000 0.01", d1,d2); d2 = DiffUtil.editDistSimple(alist, blist); assertEquals("editDistSimple random 1000 0.01", d1,d2); - d1 = gentest(120, alist, blist, 1000, 0.1, 0.1, 0.1); + d1 = gentest(SecurityUtils.inSecureSeed(120), alist, blist, 1000, 0.1, 0.1, 0.1); d2 = DiffUtil.editDistStats(alist, blist); assertEquals("editDist random 1000 0.1", 265,d2); d2 = DiffUtil.editDistSimple(alist, blist); assertEquals("editDistSimple random 1000 0.1", 265,d2); - d1 = gentest(130, alist, blist, 10000, 0.01, 0.01, 0.01); + d1 = gentest(SecurityUtils.inSecureSeed(130), alist, blist, 10000, 0.01, 0.01, 0.01); d2 = DiffUtil.editDistStats(alist, blist); assertEquals("editDist random 10000 0.01", 296, d2); // d2 = DiffUtil.editDistSimple(alist, blist); diff --git a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/PropertyUtil.java b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/PropertyUtil.java index 56710a3..c5e0bdd 100644 --- a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/PropertyUtil.java +++ b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/PropertyUtil.java 
@@ -70,19 +70,19 @@ public class PropertyUtil { } for (Object k : System.getProperties().keySet()) { - Object v = props.get(k); + Object v = props.get(p(k)); if (v != null) { - logger.info("Overwriting property from system property: " + replaceForLogForcingProtection(k) + " = " + replaceForLogForcingProtection(v)); + logger.info("Overwriting property from system property: " + p(k) + " = " + p(v)); } props.put(k, System.getProperties().get(k)); } - String hostname = InetAddress.getLocalHost().getHostName(); + String hostname = SecurityUtils.getHostName(); props.put("user.hostname", hostname); return props; } - public static String replaceForLogForcingProtection(Object v) { - return v.toString().replace("\n", "NEWLINE"); + private static String p(Object v) { + return SecurityUtils.logForcingProtection(v); } } diff --git a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/SecurityUtils.java b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/SecurityUtils.java new file mode 100644 index 0000000..73fa377 --- /dev/null +++ b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/SecurityUtils.java 
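Review bot: `Object v = props.get(p(k));` looks up the property under the log-sanitised form of the key, while the following `props.put(k, ...)` stores under the raw key; `p()` is a display helper and should not feed a map lookup, so this should stay `props.get(k)`. For a key containing a newline the two forms differ, so the overwrite would most likely go unreported. The retained `logger.info(...)` also prints the value being replaced, which can expose secrets held in properties; consider logging only `p(k)`. Removing the public `replaceForLogForcingProtection` may break callers outside this module, and `SecurityUtils.getHostName()` now surfaces a `RuntimeException` where `InetAddress.getLocalHost()` threw `UnknownHostException`. The enclosing method begins before the hunk.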
@@ -0,0 +1,71 @@ +package org.openecomp.ncomp.utils; + +import java.io.File; +import java.net.InetAddress; +import java.net.UnknownHostException; +import java.util.List; + +public class SecurityUtils { + public static String whiteList(String str, List<String> l, String reason) { + if (l.contains(str)) { + return str; + } + throw new RuntimeException("String not trusted: " + str + " " + reason); + } + public static double inSecureRandom() { + return (Math.random()*100.0)/100; + } + public static long inSecureSeed(long seed) { + return seed; + } + public static String logForcingProtection(Object v) { + return v.toString().replace("\n", "NEWLINE"); + } + + public static File createSafeFile(File dir, String fname) { + String fname2 = dir.getAbsolutePath() + "/" + fname; + return new File(safeFileName(fname2)); + } + + public static String safeFileName(String file) { + // creating file with safer creation. + if (file.contains("../")) + throw new RuntimeException("File name contain ..: " + file); + if (file.contains("\n")) + throw new RuntimeException("File name contain newline: " + file); + return file; + } + + public static File safeFile(File file) { + // creating file with safer creation. 
+ if (file.getAbsolutePath().contains("..")) + throw new RuntimeException("File name contain ..: " + file.getAbsolutePath()); + return file; + } + public static String getHostName() { + try { + return InetAddress.getLocalHost().getHostName(); + } catch (UnknownHostException e) { + e.printStackTrace(); + throw new RuntimeException("HOSTNAME-UNKNOWN"); + } + } + public static String getHostAddress() { + try { + return InetAddress.getLocalHost().getHostAddress(); + } catch (UnknownHostException e) { + e.printStackTrace(); + throw new RuntimeException("HOSTNAME-UNKNOWN"); + } + } + public static String getCanonicalHostName() { + try { + return InetAddress.getLocalHost().getCanonicalHostName(); + } catch (UnknownHostException e) { + e.printStackTrace(); + throw new RuntimeException("HOSTNAME-UNKNOWN"); + } + } + + +} diff --git a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/emf/EReader.java b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/emf/EReader.java deleted file mode 100644 index fda7f13..0000000 --- a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/emf/EReader.java +++ /dev/null 
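Review bot: `safeFileName`, `safeFile` and `createSafeFile` reject names by substring (`"../"`, `".."`, `"\n"`) rather than checking where the resolved path ends up, so they both miss cases (a name that is exactly `..`, a backslash separator, an absolute path) and reject harmless names such as `a..b`. Resolving to a canonical path and requiring it to stay under an expected base directory is the dependable check; the fence below shows it for `createSafeFile`, and `safeFileName` would need a base-directory argument to do the same. `logForcingProtection` replaces only `\n`, leaving `\r` for log viewers that treat it as a line break, and throws on null. `inSecureRandom` and `inSecureSeed` add no protection and need Javadoc stating that they mark deliberate non-cryptographic use. The three host-name helpers call `e.printStackTrace()` and drop the cause; `throw new RuntimeException("HOSTNAME-UNKNOWN", e);` keeps it.

```java
public static String logForcingProtection(Object v) {
    // String.valueOf tolerates null; CR is neutralised as well as LF.
    return String.valueOf(v).replace("\r", "CR").replace("\n", "NEWLINE");
}

public static File createSafeFile(File dir, String fname) {
    try {
        // Resolve symlinks and ".." first, then require the result to stay under dir.
        File base = dir.getCanonicalFile();
        File target = new File(base, fname).getCanonicalFile();
        if (!target.toPath().startsWith(base.toPath()))
            throw new RuntimeException("File escapes directory: " + logForcingProtection(fname));
        return target;
    } catch (java.io.IOException e) {
        throw new RuntimeException("Cannot resolve file name", e);
    }
}
// … unchanged: whiteList, inSecureRandom, inSecureSeed, safeFileName, safeFile, host-name helpers …
```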
@@ -1,118 +0,0 @@ - -/*- - * ============LICENSE_START========================================== - * OPENECOMP - DCAE - * =================================================================== - * Copyright (c) 2017 AT&T Intellectual Property. All rights reserved. - * =================================================================== - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END============================================ - */ - -package org.openecomp.ncomp.utils.emf; - -import java.io.BufferedReader; -import java.io.File; -import java.io.IOException; -import java.util.Iterator; - -import org.eclipse.emf.ecore.EObject; - -import org.openecomp.ncomp.webservice.utils.FileUtils; - -public class EReader<T extends EObject> implements Iterator<T>, Iterable<T> { - private EStringUtil<T> util = null; - private BufferedReader reader; - private String fileName; - private String line; - private T e = null; - - public EReader(String fileName2, EStringUtil<T> u, boolean isFilename) { - util = u; - fileName = fileName2; - if (isFilename) - reader = FileUtils.filename2reader(fileName2, u.errors); - else - reader = FileUtils.cmd2reader(fileName2); - } - public EReader(String fileName2, EStringUtil<T> u) { - util = u; - fileName = fileName2; - reader = FileUtils.filename2reader(fileName2, u.errors); - } - - public EReader(File file, EStringUtil<T> u) { - util = u; - fileName = file.getName(); - reader = FileUtils.filename2reader(fileName, u.errors); 
- } - - /** - * - * @return An T object for the next line (null if empty). Note the object is - * not a new object. Uses EcoreUtils.copy if needed. - */ - private T findNext() { - line = null; - try { - if (reader == null) - return null; - line = reader.readLine(); - if (line == null) { - reader.close(); - reader = null; - } - } catch (IOException e) { - // TODO Auto-generated catch block - e.printStackTrace(); - } - if (line == null) - return null; - try { - return util.str2ecore(line); - } catch (Exception e) { - throw new RuntimeException("Read error in " + fileName + " : " + e); - } - } - - public String getFileName() { - return fileName; - } - @Override - public boolean hasNext() { - if (e != null) return true; - e = findNext(); - // TODO Auto-generated method stub - return e != null; - } - @Override - public void remove() { - throw new RuntimeException("Can not remove from a reader"); - } - @Override - public T next() { - if (e != null) { - T ee = e; - e = null; - return ee; - } - return findNext(); - } - @Override - public Iterator<T> iterator() { - return this; - } - public String getLine() { - return line; - } -} diff --git a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/emf/EStringUtil.java b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/emf/EStringUtil.java index e8e86da..3686621 100644 --- a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/emf/EStringUtil.java +++ b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/emf/EStringUtil.java @@ -23,6 +23,7 @@ package org.openecomp.ncomp.utils.emf; import java.io.BufferedReader; import java.io.IOException; +import java.util.Arrays; import java.util.List; import org.eclipse.emf.common.util.BasicEList; 
@@ -37,6 +38,7 @@ import org.eclipse.emf.ecore.resource.ResourceSet; import org.eclipse.emf.ecore.resource.impl.ResourceSetImpl; import org.eclipse.emf.ecore.util.EcoreUtil; import org.eclipse.emf.ecore.xmi.impl.XMIResourceFactoryImpl; +import org.openecomp.ncomp.utils.SecurityUtils; import org.openecomp.ncomp.webservice.utils.ErrorMap; import org.openecomp.ncomp.webservice.utils.FileUtils; @@ -194,14 +196,9 @@ public class EStringUtil<T extends EObject> { } // ensure that not arbitary regexp is evaluated: Denial of Service: Regular Expression + private List<String> allowedDelimeter = Arrays.asList("\\|",",",":","\t"); private String checkRegexp(String regexp) { - switch (regexp) { - case "\\|": - case ":": - case "\t": - case ",": return regexp; - } - throw new RuntimeException("Regexp not trusted: " + regexp); + return SecurityUtils.whiteList(regexp,allowedDelimeter,"Denial of Service: Regular Expression"); } private String fixValue(EDataType t, String v) { diff --git a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/maps/InetPrefix.java b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/maps/InetPrefix.java deleted file mode 100644 index ce1866f..0000000 --- a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/maps/InetPrefix.java +++ /dev/null 
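Review bot: `allowedDelimeter` is a reassignable per-instance field holding a security allowlist; declare it `private static final List<String> ALLOWED_DELIMITERS = Arrays.asList("\\|", ",", ":", "\t");` so it is built once and cannot be swapped out. `SecurityUtils.whiteList` puts the rejected string into the exception message unsanitised, so if that message is logged the untrusted delimiter reaches the log as-is; passing it through `SecurityUtils.logForcingProtection` first would be consistent with the rest of the commit. A comment on `checkRegexp` should state that the list is the complete set of delimiters accepted.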
@@ -1,88 +0,0 @@ - -/*- - * ============LICENSE_START========================================== - * OPENECOMP - DCAE - * =================================================================== - * Copyright (c) 2017 AT&T Intellectual Property. All rights reserved. - * =================================================================== - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END============================================ - */ - -package org.openecomp.ncomp.utils.maps; - -import java.net.InetAddress; - -import org.openecomp.ncomp.webservice.utils.IpUtils; - -public class InetPrefix { - @Override - public int hashCode() { - final int prime = 31; - int result = 1; - result = prime * result + ((ip == null) ? 
0 : ip.hashCode()); - result = prime * result + maskLength; - return result; - } - @Override - public boolean equals(Object obj) { - if (this == obj) - return true; - if (obj == null) - return false; - if (getClass() != obj.getClass()) - return false; - InetPrefix other = (InetPrefix) obj; - if (ip == null) { - if (other.ip != null) - return false; - } else if (!ip.equals(other.ip)) - return false; - if (maskLength != other.maskLength) - return false; - return true; - } - public InetPrefix(InetAddress ip, int maskLength) { - this.ip = IpUtils.mask(ip, maskLength); - this.maskLength = maskLength; - } - public InetPrefix(String s) { - String a[] = s.split("/"); - if (a.length == 2 && IpUtils.isIp(a[0])) { - this.maskLength = Integer.parseInt(a[1]); - this.ip = IpUtils.mask(IpUtils.toInetAddress(a[0]), maskLength); - return; - } - throw new RuntimeException("bad prefix" + s); - } - public InetAddress getIp() { - return ip; - } - protected void setIp(InetAddress ip) { - this.ip = ip; - } - public int getMaskLength() { - return maskLength; - } - protected void setMaskLength(int maskLength) { - this.maskLength = maskLength; - } - private InetAddress ip; - private int maskLength; - @Override - public String toString() { - return ip.getHostAddress() + "/" + maskLength; - } - - -} diff --git a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/maps/PersistedHashMap.java b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/maps/PersistedHashMap.java index 0ccf713..814c91e 100644 --- a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/maps/PersistedHashMap.java +++ b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/maps/PersistedHashMap.java @@ -22,6 +22,7 @@ package org.openecomp.ncomp.utils.maps; import java.io.Serializable; +import java.util.Arrays; import java.util.HashMap; import org.openecomp.ncomp.webservice.utils.FileUtils; 
@@ -36,7 +37,7 @@ public class PersistedHashMap<K extends Serializable, V extends Serializable> ex this.file = file; HashMap<K, V> m = null; try { - m = (HashMap<K, V>) FileUtils.file2object(file); + m = (HashMap<K, V>) FileUtils.file2object(file,Arrays.asList(PersistedDateHashMap.class.getName())); } catch (Exception e) { } if (m != null) diff --git a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/ByteBufferUtils.java b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/ByteBufferUtils.java index fbb0550..366d210 100644 --- a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/ByteBufferUtils.java +++ b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/ByteBufferUtils.java @@ -71,7 +71,7 @@ public class ByteBufferUtils { ip = 256 * ip + getInt(buf); ip = 256 * ip + getInt(buf); ip = 256 * ip + getInt(buf); - if (debug ) System.out.println ( "getIpInt: " + IpUtils.toString(ip)); +// if (debug ) System.out.println ( "getIpInt: " + IpUtils.toString(ip)); return ip; } diff --git a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/FileUtils.java b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/FileUtils.java index 7c2e16d..6bc90f6 100644 --- a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/FileUtils.java +++ b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/FileUtils.java @@ -60,6 +60,8 @@ import org.eclipse.emf.ecore.util.Diagnostician; import org.eclipse.emf.ecore.xmi.XMLResource; import org.eclipse.emf.ecore.xmi.impl.XMIResourceFactoryImpl; import org.eclipse.emf.ecore.xmi.util.XMLProcessor; +import org.openecomp.ncomp.utils.SecurityUtils; +import org.apache.commons.io.serialization.ValidatingObjectInputStream; public class FileUtils { public static final Logger logger = Logger.getLogger("org.openecomp.ncomp.utils.io"); 
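Review bot: `Arrays.asList(PersistedDateHashMap.class.getName())` returns a fixed-size list, and the new `FileUtils.file2object` (hunk `@@ -542,12 +544,17 @@`) calls `whiteList.add("java.util.*")` on it, which throws `UnsupportedOperationException` once the file exists and a stream is opened. Depending on what `file2object` catches, that ends either in its handler or in the empty `catch (Exception e) { }` here, so the persisted map would silently never load. Fix it in `file2object` by not mutating the argument: `r.accept("java.util.*", "java.lang.*");` followed by `r.accept(whiteList.toArray(new String[0]));`. The allowlisted class is `PersistedDateHashMap` although this is `PersistedHashMap`, which looks like a copy-paste slip worth confirming. The empty catch should at least log the failure.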
@@ -109,7 +111,7 @@ public class FileUtils { resource.getContents().add(ecore); // error = validate(req,0); // if (error != null) throw new Exception("Bad request"); - FileOutputStream fos = new FileOutputStream(FileUtils.safeFileName(fileName)); + FileOutputStream fos = new FileOutputStream(SecurityUtils.safeFileName(fileName)); Map<String, Object> options = new HashMap<String, Object>(); // gz is misleading, but supported for backwards compatibility if (fileName.endsWith("zip") || fileName.endsWith("gz")) { @@ -127,7 +129,7 @@ public class FileUtils { init(); Resource resource = resourceSet.createResource(URI.createURI(fileName)); resource.getContents().addAll(ecores); - FileOutputStream fos = new FileOutputStream(FileUtils.safeFileName(fileName)); + FileOutputStream fos = new FileOutputStream(SecurityUtils.safeFileName(fileName)); Map<String, Object> options = new HashMap<String, Object>(); // gz is misleading, but supported for backwards compatibility if (fileName.endsWith("zip") || fileName.endsWith("gz")) { @@ -162,7 +164,7 @@ public class FileUtils { } static public EObject file2ecore_old(String fileName, boolean unload, boolean useCommonRS) { - File file = new File(FileUtils.safeFileName(fileName)); + File file = new File(SecurityUtils.safeFileName(fileName)); if (!file.exists()) { throw new RuntimeException("File does not exists: " + fileName); } @@ -212,7 +214,7 @@ public class FileUtils { } static public EList<EObject> file2ecores(String fileName, boolean unload, boolean useCommonRS) { - File file = new File(FileUtils.safeFileName(fileName)); + File file = new File(SecurityUtils.safeFileName(fileName)); if (!file.exists()) { throw new RuntimeException("File does not exists: " + fileName); } 
@@ -240,11 +242,11 @@ public class FileUtils { try { resource.load(options); } catch (IOException e1) { - logger.error("I/O error loading " + safeFileName(fileName) + " : " + e1.getMessage()); + logger.error("I/O error loading " + SecurityUtils.safeFileName(fileName) + " : " + e1.getMessage()); e1.printStackTrace(); return res; } catch (Exception e1) { - logger.error("Content error loading " + safeFileName(fileName) + " : " + e1.getMessage()); + logger.error("Content error loading " + SecurityUtils.safeFileName(fileName) + " : " + e1.getMessage()); e1.printStackTrace(); return res; } @@ -301,10 +303,10 @@ public class FileUtils { public static InputStream filename2stream(String fileName, ErrorMap errors) { InputStream res = null; - File aFile = new File(FileUtils.safeFileName(fileName)); + File aFile = new File(SecurityUtils.safeFileName(fileName)); if (!aFile.canRead()) { // try to see if a file with .gz extention exists. - aFile = new File(FileUtils.safeFileName(fileName + ".gz")); + aFile = new File(SecurityUtils.safeFileName(fileName + ".gz")); if (aFile.canRead()) return filename2stream(fileName + ".gz", errors); if (errors != null) @@ -315,7 +317,7 @@ public class FileUtils { logger.debug("Reading " + fileName); if (fileName.endsWith(".gz")) { try { - res = new GZIPInputStream(new FileInputStream(FileUtils.safeFileName(fileName)), 524288); + res = new GZIPInputStream(new FileInputStream(SecurityUtils.safeFileName(fileName)), 524288); } catch (IOException e) { // TODO Auto-generated catch block e.printStackTrace(); @@ -384,7 +386,7 @@ public class FileUtils { public static OutputStreamWriter filename2writer(String filename, boolean gzip) { try { - File f = new File(FileUtils.safeFileName(filename)); + File f = new File(SecurityUtils.safeFileName(filename)); if (f.exists()) f.delete(); String p = f.getParent(); if (p != null) { 
@@ -392,10 +394,10 @@ public class FileUtils { d.mkdirs(); } if (gzip) { - OutputStream s = new GZIPOutputStream(new FileOutputStream(FileUtils.safeFileName(filename)), 524288); + OutputStream s = new GZIPOutputStream(new FileOutputStream(SecurityUtils.safeFileName(filename)), 524288); return new OutputStreamWriter(s); } else - return new FileWriter(FileUtils.safeFileName(filename)); + return new FileWriter(SecurityUtils.safeFileName(filename)); } catch (IOException e) { e.printStackTrace(); return null; @@ -403,7 +405,7 @@ public class FileUtils { } private static void find(String dirName, String regex, List<String> res) { - File dir = new File(FileUtils.safeFileName(dirName)); + File dir = new File(SecurityUtils.safeFileName(dirName)); String[] children = dir.list(); if (children == null) { // Either dir does not exist or is not a directory @@ -411,7 +413,7 @@ public class FileUtils { for (int i = 0; i < children.length; i++) { // Get filename of file or directory String ff = dirName + "/" + children[i]; - File f = new File(FileUtils.safeFileName(ff)); + File f = new File(SecurityUtils.safeFileName(ff)); if (f.isDirectory()) { find(ff, regex, res); } else { @@ -432,7 +434,7 @@ public class FileUtils { public static void ecore2xmlfile(XMLProcessor x, EObject doc, String filename) { FileOutputStream fos = null; try { - fos = new FileOutputStream(FileUtils.safeFileName(filename)); + fos = new FileOutputStream(SecurityUtils.safeFileName(filename)); ResourceSet resourceSet = new ResourceSetImpl(); resourceSet.getResourceFactoryRegistry().getExtensionToFactoryMap() 
@@ -456,12 +458,12 @@ public class FileUtils { } public static void mkdirForFile(String filename) { - File f = new File(FileUtils.safeFileName(filename)); + File f = new File(SecurityUtils.safeFileName(filename)); f.getParentFile().mkdirs(); } public static boolean uptodate(String filename, String interval) { - File file = new File(FileUtils.safeFileName(filename)); + File file = new File(SecurityUtils.safeFileName(filename)); if (!file.exists()) return false; Date now = new Date(); @@ -471,15 +473,15 @@ public class FileUtils { } public static void touch(String filename) throws IOException { - File file = new File(FileUtils.safeFileName(filename)); + File file = new File(SecurityUtils.safeFileName(filename)); file.createNewFile(); Date now = new Date(); file.setLastModified(now.getTime()); } public static void copyFile(String sourceFile, String destFile) throws IOException { - File from = new File(FileUtils.safeFileName(sourceFile)); - File to = new File(FileUtils.safeFileName(destFile)); + File from = new File(SecurityUtils.safeFileName(sourceFile)); + File to = new File(SecurityUtils.safeFileName(destFile)); copyFile(from, to); } @@ -491,8 +493,8 @@ public class FileUtils { FileChannel source = null; FileChannel destination = null; try { - source = new FileInputStream(FileUtils.safeFile(sourceFile)).getChannel(); - destination = new FileOutputStream(FileUtils.safeFile(destFile)).getChannel(); + source = new FileInputStream(SecurityUtils.safeFile(sourceFile)).getChannel(); + destination = new FileOutputStream(SecurityUtils.safeFile(destFile)).getChannel(); destination.transferFrom(source, 0, source.size()); } finally { if (source != null) { @@ -510,7 +512,7 @@ public class FileUtils { destDir.mkdirs(); } for (File f : sourceDir.listFiles()) { - File dest = createSafeFile(destDir, f.getName()); + File dest = SecurityUtils.createSafeFile(destDir, f.getName()); if (f.isDirectory()) { copyDirectory(f, dest); continue; 
@@ -542,12 +544,17 @@ public class FileUtils { dir.delete(); } - public static Object file2object(String filename) { + public static Object file2object(String filename, List<String> whiteList) { try { InputStream in = filename2stream(filename, null); if (in == null) return null; - ObjectInputStream r = new ObjectInputStream(in); + ValidatingObjectInputStream r = new ValidatingObjectInputStream(in); + whiteList.add("java.util.*"); + whiteList.add("java.lang.*"); + for (String s : whiteList) { + r.accept(s); + } Object o; try { o = r.readObject(); @@ -565,10 +572,10 @@ public class FileUtils { // TODO Auto-generated method stub try { String f = filename + ".tmp"; - File f1 = new File(safeFileName(f)); - File f2 = new File(safeFileName(filename)); + File f1 = new File(SecurityUtils.safeFileName(f)); + File f2 = new File(SecurityUtils.safeFileName(filename)); if (!f1.getParentFile().exists()) f1.getParentFile().mkdirs(); - ObjectOutputStream w = new ObjectOutputStream(new FileOutputStream(safeFileName(f))); + ObjectOutputStream w = new ObjectOutputStream(new FileOutputStream(SecurityUtils.safeFileName(f))); try { w.writeObject(o); w.flush(); 
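Review bot: The `java.util.*` and `java.lang.*` patterns accepted in `file2object` are wide for a deserialization allowlist: they admit every class in those packages, and sub-packages too if the matcher lets `*` span dots, so the filter is much looser than it needs to be. Prefer accepting only the concrete classes the persisted objects are known to contain, supplied by each caller. Changing the signature from `file2object(String)` to `file2object(String, List<String>)` removes the old method, so callers outside this diff will stop compiling unless they are updated in the same change. Whether `r` is closed on every path is not visible here because the method continues past the hunk.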
@@ -628,26 +635,6 @@ public class FileUtils {
 }
 }
- public static File createSafeFile(File dir, String fname) {
- String fname2 = dir.getAbsolutePath() + "/" + fname;
- return new File(safeFileName(fname2));
- }
-
- public static String safeFileName(String file) {
- // creating file with safer creation.
- if (file.contains("../"))
- throw new RuntimeException("File name contain ..: " + file);
- if (file.contains("\n"))
- throw new RuntimeException("File name contain newline: " + file);
- return file;
- }
-
- private static File safeFile(File file) {
- // creating file with safer creation.
- if (file.getAbsolutePath().contains(".."))
- throw new RuntimeException("File name contain ..: " + file.getAbsolutePath());
- return file;
- }
 public static Thread copyStreamThread(final InputStream inputStream, final OutputStream outputStream) {
 Thread t = new Thread() {
diff --git a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/IpUtils.java b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/IpUtils.java
deleted file mode 100644
index 62da451..0000000
--- a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/IpUtils.java
+++ /dev/null
@@ -1,217 +0,0 @@ - -/*- - * ============LICENSE_START========================================== - * OPENECOMP - DCAE - * =================================================================== - * Copyright (c) 2017 AT&T Intellectual Property. All rights reserved. - * =================================================================== - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END============================================ - */ - -package org.openecomp.ncomp.webservice.utils; - -import java.net.InetAddress; -import java.net.UnknownHostException; -import java.util.Arrays; -import java.util.StringTokenizer; -import java.util.regex.Pattern; - -public class IpUtils { - public static long toLong(String Ip) { - long res = 0; - try { - StringTokenizer tokens = new StringTokenizer(Ip, "."); - for (int i = 0; i < 4; i++) { - int t = Integer.parseInt(tokens.nextToken()); - if (t < 0 || t > 255) { - throw new RuntimeException("Bad IP: " + Ip); - } - res = 256 * res + t; - } - } catch (Exception e) { - throw new RuntimeException("Bad IP: " + Ip); - } - return res; - } - - public static int toInt(String Ip) { - long x = toLong(Ip); - // if (x<(1<<31)) return (int) x; - // TODO: does this really work?? - // System.out.println(Ip + " " + x); - return (int) x; - } - - public static String toString(int i) { - return ((i >> 24) & 0xFF) + "." + ((i >> 16) & 0xFF) + "." + ((i >> 8) & 0xFF) + "." 
+ (i & 0xFF); - } - - public static int mask2masklen(String string) { - // 255.255.255.252 -> 30 - if (!isIp(string)) { - return Integer.parseInt(string); - } - if (isIpv6(string)) { - throw new RuntimeException("IPv6 is not supported, just use mask length"); - } - StringTokenizer st = new StringTokenizer(string,"."); - int len = 0; - for (int j = 0; j < 4; j++) { - int i = Integer.parseInt(st.nextToken()); - for (int x = 0; x < 8; x++) { - if ((i >> x) % 2 == 1) { - len += 8 - x; - break; - } - - } - } - return len; - } - - private static int[] maskvals = {0,32,31,6,30,9,5,-1,29,16,8,2,4,21,-1,19,28, - 25,15,-1,7,10,1,17,3,22,20,26,-1,11,18,23,27,12,24,13,14}; - - public static int mask2masklen (int ip) { - // This works because 2 is a primitive root mod 37! - // The negation is because % is remainder, not modulus - int indx = -(ip % 37); - if (indx < 0) return -1; // caution for non-masks - return maskvals[indx]; - } - - public static String toPrefixString(int ip, int len) { - ip = (ip >> (32-len)) << (32-len); - return IpUtils.toString(ip) + "/" + len; - } - - private static Pattern ipv4Pattern = Pattern.compile("\\d*\\.\\d*\\.\\d*\\.\\d*"); - public static boolean isIpv4(String to) { - if (to.isEmpty()) return false; - char c = to.charAt(0); - if (c > '9' || c < '0') return false; - return ipv4Pattern.matcher(to).matches(); - } - private static Pattern ipv6Pattern = Pattern.compile("[0-9a-fA-F]*:[0-9a-fA-F]*:[0-9a-fA-F:]*"); - public static boolean isIpv6(String to) { - // bad heuristic but likely works most of the time. 
- return ipv6Pattern.matcher(to).matches(); - } - - public static boolean isIp(String to) { - return isIpv6(to) || isIpv4(to); - } - static int numBad = 0; - public static InetAddress toInetAddress(String string) { - if (!isIp(string)) return null; - try { - return InetAddress.getByName(string); - } catch (UnknownHostException e) { - if (numBad > 1000) { - e.printStackTrace(); - // We exit here since it is important not to do lots of DNS lookups - // We should validate that the string is a valid IP somehow. - System.exit(-3); - } - } - return null; - } - - public static String toPrefixString(InetAddress ip, int len) { - return mask(ip, len).getHostAddress() + "/" + len; - } - public static String toString(InetAddress ip) { - return ip.getHostAddress(); - } - public static InetAddress mask(InetAddress ip, int prefixMask) { - int oddBits = prefixMask % 8; - int nMaskBytes = prefixMask/8 + (oddBits == 0 ? 0 : 1); - byte[] mask = new byte[nMaskBytes]; -// byte[] addr = Arrays.copyOf(ip.getAddress(), ip.getAddress().length); -// To make this Java 5 compactible. - byte[] addr = new byte[ip.getAddress().length]; - for (int i =0 ; i < ip.getAddress().length ; i ++) - addr[i]=ip.getAddress()[i]; - Arrays.fill(mask, 0, oddBits == 0 ? 
mask.length : mask.length - 1, (byte)0xFF); - if (oddBits != 0) { - int finalByte = (1 << oddBits) - 1; - finalByte <<= 8-oddBits; - mask[mask.length - 1] = (byte) finalByte; - } - for (int i=0; i < mask.length; i++) { - addr[i] = (byte) (addr[i] & mask[i]); - } - for (int i=nMaskBytes; i < addr.length; i++) { - addr[i] = 0; - } - try { - return InetAddress.getByAddress(addr); - } catch (UnknownHostException e) { - e.printStackTrace(); - System.exit(2); - } - return null; - } - - public static int mask (int ip, int masklen) { - if (masklen == 0) return 0; - return ip & -(1 << (32-masklen)); - } - - public static String defaultPrefix(String tmVersion) { - if (tmVersion.equals("6")) { - return "::/0"; - } - return "0.0.0.0/0"; - } - - public static boolean containedIn(InetAddress ip, InetAddress ip2, int mask) { - return (mask(ip, mask).equals(mask(ip2, mask))); - } - - public static InetAddress anonymize(InetAddress ip) { - byte[] a = ip.getAddress(); - byte[] a2 = Arrays.copyOf(a, a.length); - a2[a.length-1] = (byte) (a2[a.length-1] ^ 17); - try { - return InetAddress.getByAddress(a2); - } catch (UnknownHostException e) { - e.printStackTrace(); - System.exit(3); - } - return null; - } - - public static boolean isIpv4(InetAddress ip) { - return ip.getAddress().length == 4; - } - - public static String firstIp(String prefix) { - String a[] = prefix.split("/"); - int ip = toInt(a[0]); - int len = Integer.parseInt(a[1]); - ip = mask(ip,len); - return toString(ip); - } - - public static String lastIp(String prefix) { - String a[] = prefix.split("/"); - int ip = toInt(a[0]); - int len = Integer.parseInt(a[1]); - if (len == 0) return "255.255.255.255"; - ip = mask(ip,len) + (1 << (32-len)) - 1; - return toString(ip); - } - -} diff --git a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/JsonUtils.java b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/JsonUtils.java index 0fbb1d9..0c2da49 100644 
--- a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/JsonUtils.java
+++ b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/JsonUtils.java
@@ -47,6 +47,8 @@ import org.openecomp.ncomp.utils.PropertyUtil;
 import org.openecomp.ncomp.utils.StringUtil;
 import org.yaml.snakeyaml.Yaml;
+import com.google.json.JsonSanitizer;
+
 public class JsonUtils {
 public static final Logger logger = Logger.getLogger(JsonUtils.class);
 HashMap<String, List<String>> features = new HashMap<String, List<String>>();
@@ -296,7 +298,7 @@ public class JsonUtils {
 in.close();
 buf.close();
 }
- return new JSONObject(buf.toString());
+ return new JSONObject(JsonSanitizer.sanitize(buf.toString()));
 }
 public static JSONObject file2json(String file, Properties props, String prefix) throws IOException {
@@ -313,7 +315,7 @@ public class JsonUtils {
 String s = buf.toString().replaceAll("##.*", "");
 try {
 s = StringUtil.expandUsingProperties(s, props, prefix);
- return new JSONObject(s);
+ return new JSONObject(JsonSanitizer.sanitize(s));
 } catch (JSONException e) {
 logger.debug("bad JSON String" + s + " " + e);
 throw e;
@@ -345,7 +347,7 @@ public class JsonUtils {
 if (out.toString().length() == 0) return null;
 String s = out.toString().replaceAll("##.*", "");
 try {
- return new JSONObject(s);
+ return new JSONObject(JsonSanitizer.sanitize(s));
 } catch (JSONException e) {
 logger.debug("bad JSON String" + s + " " + e);
 throw e; |
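Review bot: `JsonSanitizer.sanitize(...)` rewrites malformed input into well-formed JSON instead of rejecting it, so in the hunks at -296, -313 and -345 a truncated or hand-edited file is likely to parse without reaching the `catch (JSONException e)` branch, and the caller receives content that differs from what is on disk. If the repair is intended it should be visible, for example `String clean = JsonSanitizer.sanitize(s); if (!clean.equals(s)) logger.warn("JSON input was altered by JsonSanitizer");` before `new JSONObject(clean)`, together with a comment at each call saying why these inputs need sanitising. The `logger.debug("bad JSON String" + s + " " + e)` lines kept as context write the whole document to the log after property expansion, which is worth checking for credentials in the expanded values. The enclosing methods start outside the hunks.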