From 56cb73914fd05db40417a6219b5968c8eea8a0b6 Mon Sep 17 00:00:00 2001 From: Carsten Lund Date: Fri, 9 Jun 2017 16:28:10 +0000 Subject: [DCAE-15] Final update for rebased code. Change-Id: I51a54dfc3bf645684dd94e8eea9bc55313bea176 Signed-off-by: Carsten Lund --- ncomp-utils-java-extra/pom.xml | 5 +- .../org/openecomp/ncomp/utils/extra/FileTail.java | 32 +-- ncomp-utils-java/pom.xml | 63 +++--- ncomp-utils-java/src/main/java/org/json/HTTP.java | 2 +- .../org/openecomp/ncomp/utils/CryptoUtils.java | 19 +- .../org/openecomp/ncomp/utils/CryptoUtilsTest.java | 46 +++-- .../org/openecomp/ncomp/utils/DiffUtilTest.java | 4 +- .../org/openecomp/ncomp/utils/PropertyUtil.java | 10 +- .../org/openecomp/ncomp/utils/SecurityUtils.java | 71 +++++++ .../org/openecomp/ncomp/utils/emf/EReader.java | 118 ----------- .../org/openecomp/ncomp/utils/emf/EStringUtil.java | 11 +- .../org/openecomp/ncomp/utils/maps/InetPrefix.java | 88 --------- .../ncomp/utils/maps/PersistedHashMap.java | 3 +- .../ncomp/webservice/utils/ByteBufferUtils.java | 2 +- .../ncomp/webservice/utils/FileUtils.java | 83 ++++---- .../openecomp/ncomp/webservice/utils/IpUtils.java | 217 --------------------- .../ncomp/webservice/utils/JsonUtils.java | 8 +- ncomp-utils-journaling/pom.xml | 13 ++ .../ncomp/utils/journaling/JournalingObject.java | 35 ++-- 19 files changed, 260 insertions(+), 570 deletions(-) create mode 100644 ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/SecurityUtils.java delete mode 100644 ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/emf/EReader.java delete mode 100644 ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/maps/InetPrefix.java delete mode 100644 ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/IpUtils.java diff --git a/ncomp-utils-java-extra/pom.xml b/ncomp-utils-java-extra/pom.xml index 7740f13..99b2e09 100644 --- a/ncomp-utils-java-extra/pom.xml +++ b/ncomp-utils-java-extra/pom.xml @@ -10,6 +10,10 @@ + + + + UTF-8 1.7 @@ -29,7 +33,6 @@ - diff --git a/ncomp-utils-java-extra/src/main/java/org/openecomp/ncomp/utils/extra/FileTail.java b/ncomp-utils-java-extra/src/main/java/org/openecomp/ncomp/utils/extra/FileTail.java index 623733d..c0c2e33 100644 --- a/ncomp-utils-java-extra/src/main/java/org/openecomp/ncomp/utils/extra/FileTail.java +++ b/ncomp-utils-java-extra/src/main/java/org/openecomp/ncomp/utils/extra/FileTail.java @@ -173,22 +173,26 @@ public class FileTail { continue; } RandomAccessFile rf = new RandomAccessFile(file, "r"); - rf.seek(p); - String line = null; - while ((line = rf.readLine()) != null) { - if (line.length() == 0) - continue; - if (logger.isDebugEnabled()) - logger.debug("New line from file: " + f + " " + line); - p = rf.getFilePointer(); - try { - handler.newLine(file.getAbsolutePath(),line,context); - } catch (Exception e) { - logger.warn("Handler error: " + f + " " + e + " line=" + line); - e.printStackTrace(); + try { + rf.seek(p); + String line = null; + while ((line = rf.readLine()) != null) { + if (line.length() == 0) + continue; + if (logger.isDebugEnabled()) + logger.debug("New line from file: " + f + " " + line); + p = rf.getFilePointer(); + try { + handler.newLine(file.getAbsolutePath(),line,context); + } catch (Exception e) { + logger.warn("Handler error: " + f + " " + e + " line=" + line); + e.printStackTrace(); + } } } - rf.close(); + finally { + rf.close(); + } } synchronized (this) { filePointerMap.put(f, p); diff --git a/ncomp-utils-java/pom.xml b/ncomp-utils-java/pom.xml index 595d692..94f65d0 100644 --- a/ncomp-utils-java/pom.xml +++ b/ncomp-utils-java/pom.xml @@ -10,6 +10,10 @@ + + + + UTF-8 1.7 @@ -30,8 +34,7 @@ - - + org.sonatype.plugins @@ -114,6 +117,16 @@ snakeyaml 1.15 + + commons-io + commons-io + 2.5 + + + com.mikesamuel + json-sanitizer + [1.0,) + @@ -131,28 +144,28 @@ ecomp-site ${site.url} - - - - - - - org.apache.maven.plugins - maven-javadoc-plugin - 2.10.4 - - false - org.umlgraph.doclet.UmlGraphDoc - - org.umlgraph - umlgraph - 5.6 - - -views - true - - - - + + + + + + + org.apache.maven.plugins + maven-javadoc-plugin + 2.10.4 + + false + org.umlgraph.doclet.UmlGraphDoc + + org.umlgraph + umlgraph + 5.6 + + -views + true + + + + diff --git a/ncomp-utils-java/src/main/java/org/json/HTTP.java b/ncomp-utils-java/src/main/java/org/json/HTTP.java index ef37d2d..d3f03f7 100644 --- a/ncomp-utils-java/src/main/java/org/json/HTTP.java +++ b/ncomp-utils-java/src/main/java/org/json/HTTP.java @@ -95,7 +95,7 @@ public class HTTP { String t; t = x.nextToken(); - if (t.toUpperCase().startsWith("HTTP")) { + if (t.length() > 3 && t.substring(0,4).equalsIgnoreCase("HTTP")) { // Response diff --git a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/CryptoUtils.java b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/CryptoUtils.java index df35eb9..034bc03 100644 --- a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/CryptoUtils.java +++ b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/CryptoUtils.java @@ -91,7 +91,7 @@ public class CryptoUtils { public static InputStream getInputStream(final InputStream in, final EncryptionType type, final String key) { final Cipher aes; - logger.debug("crypto in stream:" + PropertyUtil.replaceForLogForcingProtection(type) + " " + PropertyUtil.replaceForLogForcingProtection(key)); + logger.debug("crypto in stream:" + p(type) + " " + p(key)); try { aes = Cipher.getInstance("AES/ECB/PKCS5Padding"); switch (type) { @@ -109,6 +109,11 @@ public class CryptoUtils { throw new RuntimeException("encryption failed:" + e); } } + + private static String p(Object v) { + return SecurityUtils.logForcingProtection(v); + } + public static OutputStream getOutputStream(final OutputStream out, final EncryptionType type, final String key) { final Cipher aes; @@ -141,7 +146,7 @@ public class CryptoUtils { ByteArrayOutputStream o = new ByteArrayOutputStream(); InputStream in = null; try { - in = new FileInputStream(FileUtils.safeFileName(fileName)); + in = new FileInputStream(SecurityUtils.safeFileName(fileName)); FileUtils.copyStream(in, o); } catch (IOException e) { throw new RuntimeException("getKey failed:" + e); @@ -167,8 +172,8 @@ public class CryptoUtils { } if (command.equals("file")) { EncryptionType t = EncryptionType.valueOf(args[1].toUpperCase()); - InputStream in = new FileInputStream(FileUtils.safeFileName(args[2])); - OutputStream out = new FileOutputStream(FileUtils.safeFileName(args[3])); + InputStream in = new FileInputStream(SecurityUtils.safeFileName(args[2])); + OutputStream out = new FileOutputStream(SecurityUtils.safeFileName(args[3])); try { in = getInputStream(in, t, args[4]); FileUtils.copyStream(in, out); @@ -195,7 +200,7 @@ public class CryptoUtils { PrivateKey privateKey = keyPair.getPrivate(); FileOutputStream out = null; try { - out = new FileOutputStream(FileUtils.safeFileName(key + ".private")); + out = new FileOutputStream(SecurityUtils.safeFileName(key + ".private")); out.write(encode64(privateKey.getEncoded()).getBytes()); } catch (Exception e) { e.printStackTrace(); @@ -205,7 +210,7 @@ public class CryptoUtils { out.close(); } try { - out = new FileOutputStream(FileUtils.safeFileName(key + ".public")); + out = new FileOutputStream(SecurityUtils.safeFileName(key + ".public")); out.write(encode64(publicKey.getEncoded()).getBytes()); } catch (Exception e) { e.printStackTrace(); @@ -244,7 +249,7 @@ public class CryptoUtils { InputStream fis = null; MessageDigest complete = null; try { - fis = new FileInputStream(FileUtils.safeFileName(filename)); + fis = new FileInputStream(SecurityUtils.safeFileName(filename)); byte[] buffer = new byte[1024]; complete = MessageDigest.getInstance("MD5"); int numRead; diff --git a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/CryptoUtilsTest.java b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/CryptoUtilsTest.java index a8d2021..fd4671a 100644 --- a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/CryptoUtilsTest.java +++ b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/CryptoUtilsTest.java @@ -68,23 +68,27 @@ public class CryptoUtilsTest extends TestCase { digest.update("foobar".getBytes()); SecretKeySpec key1 = new SecretKeySpec(digest.digest(), 0, 16, "AES"); aes.init(Cipher.ENCRYPT_MODE, key1); - InputStream in = new FileInputStream("test/Test.txt"); - in = new CipherInputStream(in, aes); - FileOutputStream out = new FileOutputStream("test/Encrypted.txt"); + InputStream in = null; + FileOutputStream out = null; try { - FileUtils.copyStream(in, out); + in = new FileInputStream("test/Test.txt"); + CipherInputStream in2 = new CipherInputStream(in, aes); + out = new FileOutputStream("test/Encrypted.txt"); + FileUtils.copyStream(in2, out); } finally { if (in != null) in.close(); if (out != null) out.close(); } + in = null; + out = null; aes.init(Cipher.DECRYPT_MODE, key1); - in = new FileInputStream("test/Encrypted.txt"); - in = new CipherInputStream(in, aes); - out = new FileOutputStream("test/Decrypted.txt"); try { - FileUtils.copyStream(in, out); + in = new FileInputStream("test/Encrypted.txt"); + CipherInputStream in2 = new CipherInputStream(in, aes); + out = new FileOutputStream("test/Decrypted.txt"); + FileUtils.copyStream(in2, out); } finally { if (in != null) in.close(); @@ -95,25 +99,35 @@ public class CryptoUtilsTest extends TestCase { } @SuppressWarnings("resource") public void test_streams_2() throws Exception { - InputStream in = new FileInputStream("test/Test.txt"); - in = getInputStream(in, EncryptionType.ENCRYPT, k); - FileOutputStream out = new FileOutputStream("test/Encrypted.txt"); + InputStream in = null; + InputStream in2 = null; + FileOutputStream out = null; try { - FileUtils.copyStream(in, out); + in = new FileInputStream("test/Test.txt"); + in2 = getInputStream(in, EncryptionType.ENCRYPT, k); + out = new FileOutputStream("test/Encrypted.txt"); + FileUtils.copyStream(in2, out); } finally { if (in != null) in.close(); + if (in2 != null) + in2.close(); if (out != null) out.close(); } - in = new FileInputStream("test/Encrypted.txt"); - in = getInputStream(in, EncryptionType.DECRYPT, k); - out = new FileOutputStream("test/Decrypted.txt"); + in = null; + in2 = null; + out = null; try { - FileUtils.copyStream(in, out); + in = new FileInputStream("test/Encrypted.txt"); + in2 = getInputStream(in, EncryptionType.DECRYPT, k); + out = new FileOutputStream("test/Decrypted.txt"); + FileUtils.copyStream(in2, out); } finally { if (in != null) in.close(); + if (in2 != null) + in2.close(); if (out != null) out.close(); } diff --git a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/DiffUtilTest.java b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/DiffUtilTest.java index 9369372..d7f8187 100644 --- a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/DiffUtilTest.java +++ b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/DiffUtilTest.java @@ -149,12 +149,12 @@ public class DiffUtilTest extends TestCase { assertEquals("editDist random 1000 0.01", d1,d2); d2 = DiffUtil.editDistSimple(alist, blist); assertEquals("editDistSimple random 1000 0.01", d1,d2); - d1 = gentest(120, alist, blist, 1000, 0.1, 0.1, 0.1); + d1 = gentest(SecurityUtils.inSecureSeed(120), alist, blist, 1000, 0.1, 0.1, 0.1); d2 = DiffUtil.editDistStats(alist, blist); assertEquals("editDist random 1000 0.1", 265,d2); d2 = DiffUtil.editDistSimple(alist, blist); assertEquals("editDistSimple random 1000 0.1", 265,d2); - d1 = gentest(130, alist, blist, 10000, 0.01, 0.01, 0.01); + d1 = gentest(SecurityUtils.inSecureSeed(130), alist, blist, 10000, 0.01, 0.01, 0.01); d2 = DiffUtil.editDistStats(alist, blist); assertEquals("editDist random 10000 0.01", 296, d2); // d2 = DiffUtil.editDistSimple(alist, blist); diff --git a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/PropertyUtil.java b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/PropertyUtil.java index 56710a3..c5e0bdd 100644 --- a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/PropertyUtil.java +++ b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/PropertyUtil.java @@ -70,19 +70,19 @@ public class PropertyUtil { } for (Object k : System.getProperties().keySet()) { - Object v = props.get(k); + Object v = props.get(p(k)); if (v != null) { - logger.info("Overwriting property from system property: " + replaceForLogForcingProtection(k) + " = " + replaceForLogForcingProtection(v)); + logger.info("Overwriting property from system property: " + p(k) + " = " + p(v)); } props.put(k, System.getProperties().get(k)); } - String hostname = InetAddress.getLocalHost().getHostName(); + String hostname = SecurityUtils.getHostName(); props.put("user.hostname", hostname); return props; } - public static String replaceForLogForcingProtection(Object v) { - return v.toString().replace("\n", "NEWLINE"); + private static String p(Object v) { + return SecurityUtils.logForcingProtection(v); } } diff --git a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/SecurityUtils.java b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/SecurityUtils.java new file mode 100644 index 0000000..73fa377 --- /dev/null +++ b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/SecurityUtils.java @@ -0,0 +1,71 @@ +package org.openecomp.ncomp.utils; + +import java.io.File; +import java.net.InetAddress; +import java.net.UnknownHostException; +import java.util.List; + +public class SecurityUtils { + public static String whiteList(String str, List l, String reason) { + if (l.contains(str)) { + return str; + } + throw new RuntimeException("String not trusted: " + str + " " + reason); + } + public static double inSecureRandom() { + return (Math.random()*100.0)/100; + } + public static long inSecureSeed(long seed) { + return seed; + } + public static String logForcingProtection(Object v) { + return v.toString().replace("\n", "NEWLINE"); + } + + public static File createSafeFile(File dir, String fname) { + String fname2 = dir.getAbsolutePath() + "/" + fname; + return new File(safeFileName(fname2)); + } + + public static String safeFileName(String file) { + // creating file with safer creation. + if (file.contains("../")) + throw new RuntimeException("File name contain ..: " + file); + if (file.contains("\n")) + throw new RuntimeException("File name contain newline: " + file); + return file; + } + + public static File safeFile(File file) { + // creating file with safer creation. + if (file.getAbsolutePath().contains("..")) + throw new RuntimeException("File name contain ..: " + file.getAbsolutePath()); + return file; + } + public static String getHostName() { + try { + return InetAddress.getLocalHost().getHostName(); + } catch (UnknownHostException e) { + e.printStackTrace(); + throw new RuntimeException("HOSTNAME-UNKNOWN"); + } + } + public static String getHostAddress() { + try { + return InetAddress.getLocalHost().getHostAddress(); + } catch (UnknownHostException e) { + e.printStackTrace(); + throw new RuntimeException("HOSTNAME-UNKNOWN"); + } + } + public static String getCanonicalHostName() { + try { + return InetAddress.getLocalHost().getCanonicalHostName(); + } catch (UnknownHostException e) { + e.printStackTrace(); + throw new RuntimeException("HOSTNAME-UNKNOWN"); + } + } + + +} diff --git a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/emf/EReader.java b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/emf/EReader.java deleted file mode 100644 index fda7f13..0000000 --- a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/emf/EReader.java +++ /dev/null @@ -1,118 +0,0 @@ - -/*- - * ============LICENSE_START========================================== - * OPENECOMP - DCAE - * =================================================================== - * Copyright (c) 2017 AT&T Intellectual Property. All rights reserved. - * =================================================================== - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END============================================ - */ - -package org.openecomp.ncomp.utils.emf; - -import java.io.BufferedReader; -import java.io.File; -import java.io.IOException; -import java.util.Iterator; - -import org.eclipse.emf.ecore.EObject; - -import org.openecomp.ncomp.webservice.utils.FileUtils; - -public class EReader implements Iterator, Iterable { - private EStringUtil util = null; - private BufferedReader reader; - private String fileName; - private String line; - private T e = null; - - public EReader(String fileName2, EStringUtil u, boolean isFilename) { - util = u; - fileName = fileName2; - if (isFilename) - reader = FileUtils.filename2reader(fileName2, u.errors); - else - reader = FileUtils.cmd2reader(fileName2); - } - public EReader(String fileName2, EStringUtil u) { - util = u; - fileName = fileName2; - reader = FileUtils.filename2reader(fileName2, u.errors); - } - - public EReader(File file, EStringUtil u) { - util = u; - fileName = file.getName(); - reader = FileUtils.filename2reader(fileName, u.errors); - } - - /** - * - * @return An T object for the next line (null if empty). Note the object is - * not a new object. Uses EcoreUtils.copy if needed. - */ - private T findNext() { - line = null; - try { - if (reader == null) - return null; - line = reader.readLine(); - if (line == null) { - reader.close(); - reader = null; - } - } catch (IOException e) { - // TODO Auto-generated catch block - e.printStackTrace(); - } - if (line == null) - return null; - try { - return util.str2ecore(line); - } catch (Exception e) { - throw new RuntimeException("Read error in " + fileName + " : " + e); - } - } - - public String getFileName() { - return fileName; - } - @Override - public boolean hasNext() { - if (e != null) return true; - e = findNext(); - // TODO Auto-generated method stub - return e != null; - } - @Override - public void remove() { - throw new RuntimeException("Can not remove from a reader"); - } - @Override - public T next() { - if (e != null) { - T ee = e; - e = null; - return ee; - } - return findNext(); - } - @Override - public Iterator iterator() { - return this; - } - public String getLine() { - return line; - } -} diff --git a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/emf/EStringUtil.java b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/emf/EStringUtil.java index e8e86da..3686621 100644 --- a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/emf/EStringUtil.java +++ b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/emf/EStringUtil.java @@ -23,6 +23,7 @@ package org.openecomp.ncomp.utils.emf; import java.io.BufferedReader; import java.io.IOException; +import java.util.Arrays; import java.util.List; import org.eclipse.emf.common.util.BasicEList; @@ -37,6 +38,7 @@ import org.eclipse.emf.ecore.resource.ResourceSet; import org.eclipse.emf.ecore.resource.impl.ResourceSetImpl; import org.eclipse.emf.ecore.util.EcoreUtil; import org.eclipse.emf.ecore.xmi.impl.XMIResourceFactoryImpl; +import org.openecomp.ncomp.utils.SecurityUtils; import org.openecomp.ncomp.webservice.utils.ErrorMap; import org.openecomp.ncomp.webservice.utils.FileUtils; @@ -194,14 +196,9 @@ public class EStringUtil { } // ensure that not arbitary regexp is evaluated: Denial of Service: Regular Expression + private List allowedDelimeter = Arrays.asList("\\|",",",":","\t"); private String checkRegexp(String regexp) { - switch (regexp) { - case "\\|": - case ":": - case "\t": - case ",": return regexp; - } - throw new RuntimeException("Regexp not trusted: " + regexp); + return SecurityUtils.whiteList(regexp,allowedDelimeter,"Denial of Service: Regular Expression"); } private String fixValue(EDataType t, String v) { diff --git a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/maps/InetPrefix.java b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/maps/InetPrefix.java deleted file mode 100644 index ce1866f..0000000 --- a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/maps/InetPrefix.java +++ /dev/null @@ -1,88 +0,0 @@ - -/*- - * ============LICENSE_START========================================== - * OPENECOMP - DCAE - * =================================================================== - * Copyright (c) 2017 AT&T Intellectual Property. All rights reserved. - * =================================================================== - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END============================================ - */ - -package org.openecomp.ncomp.utils.maps; - -import java.net.InetAddress; - -import org.openecomp.ncomp.webservice.utils.IpUtils; - -public class InetPrefix { - @Override - public int hashCode() { - final int prime = 31; - int result = 1; - result = prime * result + ((ip == null) ? 0 : ip.hashCode()); - result = prime * result + maskLength; - return result; - } - @Override - public boolean equals(Object obj) { - if (this == obj) - return true; - if (obj == null) - return false; - if (getClass() != obj.getClass()) - return false; - InetPrefix other = (InetPrefix) obj; - if (ip == null) { - if (other.ip != null) - return false; - } else if (!ip.equals(other.ip)) - return false; - if (maskLength != other.maskLength) - return false; - return true; - } - public InetPrefix(InetAddress ip, int maskLength) { - this.ip = IpUtils.mask(ip, maskLength); - this.maskLength = maskLength; - } - public InetPrefix(String s) { - String a[] = s.split("/"); - if (a.length == 2 && IpUtils.isIp(a[0])) { - this.maskLength = Integer.parseInt(a[1]); - this.ip = IpUtils.mask(IpUtils.toInetAddress(a[0]), maskLength); - return; - } - throw new RuntimeException("bad prefix" + s); - } - public InetAddress getIp() { - return ip; - } - protected void setIp(InetAddress ip) { - this.ip = ip; - } - public int getMaskLength() { - return maskLength; - } - protected void setMaskLength(int maskLength) { - this.maskLength = maskLength; - } - private InetAddress ip; - private int maskLength; - @Override - public String toString() { - return ip.getHostAddress() + "/" + maskLength; - } - - -} diff --git a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/maps/PersistedHashMap.java b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/maps/PersistedHashMap.java index 0ccf713..814c91e 100644 --- a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/maps/PersistedHashMap.java +++ b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/utils/maps/PersistedHashMap.java @@ -22,6 +22,7 @@ package org.openecomp.ncomp.utils.maps; import java.io.Serializable; +import java.util.Arrays; import java.util.HashMap; import org.openecomp.ncomp.webservice.utils.FileUtils; @@ -36,7 +37,7 @@ public class PersistedHashMap ex this.file = file; HashMap m = null; try { - m = (HashMap) FileUtils.file2object(file); + m = (HashMap) FileUtils.file2object(file,Arrays.asList(PersistedDateHashMap.class.getName())); } catch (Exception e) { } if (m != null) diff --git a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/ByteBufferUtils.java b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/ByteBufferUtils.java index fbb0550..366d210 100644 --- a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/ByteBufferUtils.java +++ b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/ByteBufferUtils.java @@ -71,7 +71,7 @@ public class ByteBufferUtils { ip = 256 * ip + getInt(buf); ip = 256 * ip + getInt(buf); ip = 256 * ip + getInt(buf); - if (debug ) System.out.println ( "getIpInt: " + IpUtils.toString(ip)); +// if (debug ) System.out.println ( "getIpInt: " + IpUtils.toString(ip)); return ip; } diff --git a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/FileUtils.java b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/FileUtils.java index 7c2e16d..6bc90f6 100644 --- a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/FileUtils.java +++ b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/FileUtils.java @@ -60,6 +60,8 @@ import org.eclipse.emf.ecore.util.Diagnostician; import org.eclipse.emf.ecore.xmi.XMLResource; import org.eclipse.emf.ecore.xmi.impl.XMIResourceFactoryImpl; import org.eclipse.emf.ecore.xmi.util.XMLProcessor; +import org.openecomp.ncomp.utils.SecurityUtils; +import org.apache.commons.io.serialization.ValidatingObjectInputStream; public class FileUtils { public static final Logger logger = Logger.getLogger("org.openecomp.ncomp.utils.io"); @@ -109,7 +111,7 @@ public class FileUtils { resource.getContents().add(ecore); // error = validate(req,0); // if (error != null) throw new Exception("Bad request"); - FileOutputStream fos = new FileOutputStream(FileUtils.safeFileName(fileName)); + FileOutputStream fos = new FileOutputStream(SecurityUtils.safeFileName(fileName)); Map options = new HashMap(); // gz is misleading, but supported for backwards compatibility if (fileName.endsWith("zip") || fileName.endsWith("gz")) { @@ -127,7 +129,7 @@ public class FileUtils { init(); Resource resource = resourceSet.createResource(URI.createURI(fileName)); resource.getContents().addAll(ecores); - FileOutputStream fos = new FileOutputStream(FileUtils.safeFileName(fileName)); + FileOutputStream fos = new FileOutputStream(SecurityUtils.safeFileName(fileName)); Map options = new HashMap(); // gz is misleading, but supported for backwards compatibility if (fileName.endsWith("zip") || fileName.endsWith("gz")) { @@ -162,7 +164,7 @@ public class FileUtils { } static public EObject file2ecore_old(String fileName, boolean unload, boolean useCommonRS) { - File file = new File(FileUtils.safeFileName(fileName)); + File file = new File(SecurityUtils.safeFileName(fileName)); if (!file.exists()) { throw new RuntimeException("File does not exists: " + fileName); } @@ -212,7 +214,7 @@ public class FileUtils { } static public EList file2ecores(String fileName, boolean unload, boolean useCommonRS) { - File file = new File(FileUtils.safeFileName(fileName)); + File file = new File(SecurityUtils.safeFileName(fileName)); if (!file.exists()) { throw new RuntimeException("File does not exists: " + fileName); } @@ -240,11 +242,11 @@ public class FileUtils { try { resource.load(options); } catch (IOException e1) { - logger.error("I/O error loading " + safeFileName(fileName) + " : " + e1.getMessage()); + logger.error("I/O error loading " + SecurityUtils.safeFileName(fileName) + " : " + e1.getMessage()); e1.printStackTrace(); return res; } catch (Exception e1) { - logger.error("Content error loading " + safeFileName(fileName) + " : " + e1.getMessage()); + logger.error("Content error loading " + SecurityUtils.safeFileName(fileName) + " : " + e1.getMessage()); e1.printStackTrace(); return res; } @@ -301,10 +303,10 @@ public class FileUtils { public static InputStream filename2stream(String fileName, ErrorMap errors) { InputStream res = null; - File aFile = new File(FileUtils.safeFileName(fileName)); + File aFile = new File(SecurityUtils.safeFileName(fileName)); if (!aFile.canRead()) { // try to see if a file with .gz extention exists. - aFile = new File(FileUtils.safeFileName(fileName + ".gz")); + aFile = new File(SecurityUtils.safeFileName(fileName + ".gz")); if (aFile.canRead()) return filename2stream(fileName + ".gz", errors); if (errors != null) @@ -315,7 +317,7 @@ public class FileUtils { logger.debug("Reading " + fileName); if (fileName.endsWith(".gz")) { try { - res = new GZIPInputStream(new FileInputStream(FileUtils.safeFileName(fileName)), 524288); + res = new GZIPInputStream(new FileInputStream(SecurityUtils.safeFileName(fileName)), 524288); } catch (IOException e) { // TODO Auto-generated catch block e.printStackTrace(); @@ -384,7 +386,7 @@ public class FileUtils { public static OutputStreamWriter filename2writer(String filename, boolean gzip) { try { - File f = new File(FileUtils.safeFileName(filename)); + File f = new File(SecurityUtils.safeFileName(filename)); if (f.exists()) f.delete(); String p = f.getParent(); if (p != null) { @@ -392,10 +394,10 @@ public class FileUtils { d.mkdirs(); } if (gzip) { - OutputStream s = new GZIPOutputStream(new FileOutputStream(FileUtils.safeFileName(filename)), 524288); + OutputStream s = new GZIPOutputStream(new FileOutputStream(SecurityUtils.safeFileName(filename)), 524288); return new OutputStreamWriter(s); } else - return new FileWriter(FileUtils.safeFileName(filename)); + return new FileWriter(SecurityUtils.safeFileName(filename)); } catch (IOException e) { e.printStackTrace(); return null; @@ -403,7 +405,7 @@ public class FileUtils { } private static void find(String dirName, String regex, List res) { - File dir = new File(FileUtils.safeFileName(dirName)); + File dir = new File(SecurityUtils.safeFileName(dirName)); String[] children = dir.list(); if (children == null) { // Either dir does not exist or is not a directory @@ -411,7 +413,7 @@ public class FileUtils { for (int i = 0; i < children.length; i++) { // Get filename of file or directory String ff = dirName + "/" + children[i]; - File f = new File(FileUtils.safeFileName(ff)); + File f = new File(SecurityUtils.safeFileName(ff)); if (f.isDirectory()) { find(ff, regex, res); } else { @@ -432,7 +434,7 @@ public class FileUtils { public static void ecore2xmlfile(XMLProcessor x, EObject doc, String filename) { FileOutputStream fos = null; try { - fos = new FileOutputStream(FileUtils.safeFileName(filename)); + fos = new FileOutputStream(SecurityUtils.safeFileName(filename)); ResourceSet resourceSet = new ResourceSetImpl(); resourceSet.getResourceFactoryRegistry().getExtensionToFactoryMap() @@ -456,12 +458,12 @@ public class FileUtils { } public static void mkdirForFile(String filename) { - File f = new File(FileUtils.safeFileName(filename)); + File f = new File(SecurityUtils.safeFileName(filename)); f.getParentFile().mkdirs(); } public static boolean uptodate(String filename, String interval) { - File file = new File(FileUtils.safeFileName(filename)); + File file = new File(SecurityUtils.safeFileName(filename)); if (!file.exists()) return false; Date now = new Date(); @@ -471,15 +473,15 @@ public class FileUtils { } public static void touch(String filename) throws IOException { - File file = new File(FileUtils.safeFileName(filename)); + File file = new File(SecurityUtils.safeFileName(filename)); file.createNewFile(); Date now = new Date(); file.setLastModified(now.getTime()); } public static void copyFile(String sourceFile, String destFile) throws IOException { - File from = new File(FileUtils.safeFileName(sourceFile)); - File to = new File(FileUtils.safeFileName(destFile)); + File from = new File(SecurityUtils.safeFileName(sourceFile)); + File to = new File(SecurityUtils.safeFileName(destFile)); copyFile(from, to); } @@ -491,8 +493,8 @@ public class FileUtils { FileChannel source = null; FileChannel destination = null; try { - source = new FileInputStream(FileUtils.safeFile(sourceFile)).getChannel(); - destination = new FileOutputStream(FileUtils.safeFile(destFile)).getChannel(); + source = new FileInputStream(SecurityUtils.safeFile(sourceFile)).getChannel(); + destination = new FileOutputStream(SecurityUtils.safeFile(destFile)).getChannel(); destination.transferFrom(source, 0, source.size()); } finally { if (source != null) { @@ -510,7 +512,7 @@ public class FileUtils { destDir.mkdirs(); } for (File f : sourceDir.listFiles()) { - File dest = createSafeFile(destDir, f.getName()); + File dest = SecurityUtils.createSafeFile(destDir, f.getName()); if (f.isDirectory()) { copyDirectory(f, dest); continue; @@ -542,12 +544,17 @@ public class FileUtils { dir.delete(); } - public static Object file2object(String filename) { + public static Object file2object(String filename, List whiteList) { try { InputStream in = filename2stream(filename, null); if (in == null) return null; - ObjectInputStream r = new ObjectInputStream(in); + ValidatingObjectInputStream r = new ValidatingObjectInputStream(in); + whiteList.add("java.util.*"); + whiteList.add("java.lang.*"); + for (String s : whiteList) { + r.accept(s); + } Object o; try { o = r.readObject(); @@ -565,10 +572,10 @@ public class FileUtils { // TODO Auto-generated method stub try { String f = filename + ".tmp"; - File f1 = new File(safeFileName(f)); - File f2 = new File(safeFileName(filename)); + File f1 = new File(SecurityUtils.safeFileName(f)); + File f2 = new File(SecurityUtils.safeFileName(filename)); if (!f1.getParentFile().exists()) f1.getParentFile().mkdirs(); - ObjectOutputStream w = new ObjectOutputStream(new FileOutputStream(safeFileName(f))); + ObjectOutputStream w = new ObjectOutputStream(new FileOutputStream(SecurityUtils.safeFileName(f))); try { w.writeObject(o); w.flush(); @@ -628,26 +635,6 @@ public class FileUtils { } } - public static File createSafeFile(File dir, String fname) { - String fname2 = dir.getAbsolutePath() + "/" + fname; - return new File(safeFileName(fname2)); - } - - public static String safeFileName(String file) { - // creating file with safer creation. - if (file.contains("../")) - throw new RuntimeException("File name contain ..: " + file); - if (file.contains("\n")) - throw new RuntimeException("File name contain newline: " + file); - return file; - } - - private static File safeFile(File file) { - // creating file with safer creation. - if (file.getAbsolutePath().contains("..")) - throw new RuntimeException("File name contain ..: " + file.getAbsolutePath()); - return file; - } public static Thread copyStreamThread(final InputStream inputStream, final OutputStream outputStream) { Thread t = new Thread() { diff --git a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/IpUtils.java b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/IpUtils.java deleted file mode 100644 index 62da451..0000000 --- a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/IpUtils.java +++ /dev/null @@ -1,217 +0,0 @@ - -/*- - * ============LICENSE_START========================================== - * OPENECOMP - DCAE - * =================================================================== - * Copyright (c) 2017 AT&T Intellectual Property. All rights reserved. - * =================================================================== - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END============================================ - */ - -package org.openecomp.ncomp.webservice.utils; - -import java.net.InetAddress; -import java.net.UnknownHostException; -import java.util.Arrays; -import java.util.StringTokenizer; -import java.util.regex.Pattern; - -public class IpUtils { - public static long toLong(String Ip) { - long res = 0; - try { - StringTokenizer tokens = new StringTokenizer(Ip, "."); - for (int i = 0; i < 4; i++) { - int t = Integer.parseInt(tokens.nextToken()); - if (t < 0 || t > 255) { - throw new RuntimeException("Bad IP: " + Ip); - } - res = 256 * res + t; - } - } catch (Exception e) { - throw new RuntimeException("Bad IP: " + Ip); - } - return res; - } - - public static int toInt(String Ip) { - long x = toLong(Ip); - // if (x<(1<<31)) return (int) x; - // TODO: does this really work?? - // System.out.println(Ip + " " + x); - return (int) x; - } - - public static String toString(int i) { - return ((i >> 24) & 0xFF) + "." + ((i >> 16) & 0xFF) + "." + ((i >> 8) & 0xFF) + "." + (i & 0xFF); - } - - public static int mask2masklen(String string) { - // 255.255.255.252 -> 30 - if (!isIp(string)) { - return Integer.parseInt(string); - } - if (isIpv6(string)) { - throw new RuntimeException("IPv6 is not supported, just use mask length"); - } - StringTokenizer st = new StringTokenizer(string,"."); - int len = 0; - for (int j = 0; j < 4; j++) { - int i = Integer.parseInt(st.nextToken()); - for (int x = 0; x < 8; x++) { - if ((i >> x) % 2 == 1) { - len += 8 - x; - break; - } - - } - } - return len; - } - - private static int[] maskvals = {0,32,31,6,30,9,5,-1,29,16,8,2,4,21,-1,19,28, - 25,15,-1,7,10,1,17,3,22,20,26,-1,11,18,23,27,12,24,13,14}; - - public static int mask2masklen (int ip) { - // This works because 2 is a primitive root mod 37! - // The negation is because % is remainder, not modulus - int indx = -(ip % 37); - if (indx < 0) return -1; // caution for non-masks - return maskvals[indx]; - } - - public static String toPrefixString(int ip, int len) { - ip = (ip >> (32-len)) << (32-len); - return IpUtils.toString(ip) + "/" + len; - } - - private static Pattern ipv4Pattern = Pattern.compile("\\d*\\.\\d*\\.\\d*\\.\\d*"); - public static boolean isIpv4(String to) { - if (to.isEmpty()) return false; - char c = to.charAt(0); - if (c > '9' || c < '0') return false; - return ipv4Pattern.matcher(to).matches(); - } - private static Pattern ipv6Pattern = Pattern.compile("[0-9a-fA-F]*:[0-9a-fA-F]*:[0-9a-fA-F:]*"); - public static boolean isIpv6(String to) { - // bad heuristic but likely works most of the time. - return ipv6Pattern.matcher(to).matches(); - } - - public static boolean isIp(String to) { - return isIpv6(to) || isIpv4(to); - } - static int numBad = 0; - public static InetAddress toInetAddress(String string) { - if (!isIp(string)) return null; - try { - return InetAddress.getByName(string); - } catch (UnknownHostException e) { - if (numBad > 1000) { - e.printStackTrace(); - // We exit here since it is important not to do lots of DNS lookups - // We should validate that the string is a valid IP somehow. - System.exit(-3); - } - } - return null; - } - - public static String toPrefixString(InetAddress ip, int len) { - return mask(ip, len).getHostAddress() + "/" + len; - } - public static String toString(InetAddress ip) { - return ip.getHostAddress(); - } - public static InetAddress mask(InetAddress ip, int prefixMask) { - int oddBits = prefixMask % 8; - int nMaskBytes = prefixMask/8 + (oddBits == 0 ? 0 : 1); - byte[] mask = new byte[nMaskBytes]; -// byte[] addr = Arrays.copyOf(ip.getAddress(), ip.getAddress().length); -// To make this Java 5 compactible. - byte[] addr = new byte[ip.getAddress().length]; - for (int i =0 ; i < ip.getAddress().length ; i ++) - addr[i]=ip.getAddress()[i]; - Arrays.fill(mask, 0, oddBits == 0 ? mask.length : mask.length - 1, (byte)0xFF); - if (oddBits != 0) { - int finalByte = (1 << oddBits) - 1; - finalByte <<= 8-oddBits; - mask[mask.length - 1] = (byte) finalByte; - } - for (int i=0; i < mask.length; i++) { - addr[i] = (byte) (addr[i] & mask[i]); - } - for (int i=nMaskBytes; i < addr.length; i++) { - addr[i] = 0; - } - try { - return InetAddress.getByAddress(addr); - } catch (UnknownHostException e) { - e.printStackTrace(); - System.exit(2); - } - return null; - } - - public static int mask (int ip, int masklen) { - if (masklen == 0) return 0; - return ip & -(1 << (32-masklen)); - } - - public static String defaultPrefix(String tmVersion) { - if (tmVersion.equals("6")) { - return "::/0"; - } - return "0.0.0.0/0"; - } - - public static boolean containedIn(InetAddress ip, InetAddress ip2, int mask) { - return (mask(ip, mask).equals(mask(ip2, mask))); - } - - public static InetAddress anonymize(InetAddress ip) { - byte[] a = ip.getAddress(); - byte[] a2 = Arrays.copyOf(a, a.length); - a2[a.length-1] = (byte) (a2[a.length-1] ^ 17); - try { - return InetAddress.getByAddress(a2); - } catch (UnknownHostException e) { - e.printStackTrace(); - System.exit(3); - } - return null; - } - - public static boolean isIpv4(InetAddress ip) { - return ip.getAddress().length == 4; - } - - public static String firstIp(String prefix) { - String a[] = prefix.split("/"); - int ip = toInt(a[0]); - int len = Integer.parseInt(a[1]); - ip = mask(ip,len); - return toString(ip); - } - - public static String lastIp(String prefix) { - String a[] = prefix.split("/"); - int ip = toInt(a[0]); - int len = Integer.parseInt(a[1]); - if (len == 0) return "255.255.255.255"; - ip = mask(ip,len) + (1 << (32-len)) - 1; - return toString(ip); - } - -} diff --git a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/JsonUtils.java b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/JsonUtils.java index 0fbb1d9..0c2da49 100644 --- a/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/JsonUtils.java +++ b/ncomp-utils-java/src/main/java/org/openecomp/ncomp/webservice/utils/JsonUtils.java @@ -47,6 +47,8 @@ import org.openecomp.ncomp.utils.PropertyUtil; import org.openecomp.ncomp.utils.StringUtil; import org.yaml.snakeyaml.Yaml; +import com.google.json.JsonSanitizer; + public class JsonUtils { public static final Logger logger = Logger.getLogger(JsonUtils.class); HashMap> features = new HashMap>(); @@ -296,7 +298,7 @@ public class JsonUtils { in.close(); buf.close(); } - return new JSONObject(buf.toString()); + return new JSONObject(JsonSanitizer.sanitize(buf.toString())); } public static JSONObject file2json(String file, Properties props, String prefix) throws IOException { @@ -313,7 +315,7 @@ public class JsonUtils { String s = buf.toString().replaceAll("##.*", ""); try { s = StringUtil.expandUsingProperties(s, props, prefix); - return new JSONObject(s); + return new JSONObject(JsonSanitizer.sanitize(s)); } catch (JSONException e) { logger.debug("bad JSON String" + s + " " + e); throw e; @@ -345,7 +347,7 @@ public class JsonUtils { if (out.toString().length() == 0) return null; String s = out.toString().replaceAll("##.*", ""); try { - return new JSONObject(s); + return new JSONObject(JsonSanitizer.sanitize(s)); } catch (JSONException e) { logger.debug("bad JSON String" + s + " " + e); throw e; diff --git a/ncomp-utils-journaling/pom.xml b/ncomp-utils-journaling/pom.xml index 9741775..ba76351 100644 --- a/ncomp-utils-journaling/pom.xml +++ b/ncomp-utils-journaling/pom.xml @@ -10,6 +10,10 @@ + + + + UTF-8 1.7 @@ -30,6 +34,8 @@ + + @@ -94,6 +100,13 @@ + + commons-io + commons-io + 2.5 + + + commons-cli commons-cli diff --git a/ncomp-utils-journaling/src/main/java/org/openecomp/ncomp/utils/journaling/JournalingObject.java b/ncomp-utils-journaling/src/main/java/org/openecomp/ncomp/utils/journaling/JournalingObject.java index 0be2649..6a41f5d 100644 --- a/ncomp-utils-journaling/src/main/java/org/openecomp/ncomp/utils/journaling/JournalingObject.java +++ b/ncomp-utils-journaling/src/main/java/org/openecomp/ncomp/utils/journaling/JournalingObject.java @@ -35,6 +35,7 @@ import java.util.ArrayList; import java.util.Date; import java.util.HashMap; import java.util.List; +import java.util.ServiceConfigurationError; import org.apache.commons.cli.CommandLine; import org.apache.commons.cli.CommandLineParser; @@ -46,8 +47,7 @@ import org.apache.commons.cli.ParseException; import org.apache.commons.io.serialization.ValidatingObjectInputStream; import org.apache.log4j.Logger; import org.json.JSONObject; - -import org.openecomp.ncomp.webservice.utils.FileUtils; +import org.openecomp.ncomp.utils.SecurityUtils; public abstract class JournalingObject { public static final Logger logger = Logger.getLogger(JournalingObject.class); @@ -94,7 +94,7 @@ public abstract class JournalingObject { dir.mkdirs(); logger.info("creating journaling data structure: " + o.getClass().getName() + " " + dir); File logFile = saveObjectFile(dir, "log.dat"); - File snapshotFile = FileUtils.createSafeFile(dir, "snapshot.dat"); + File snapshotFile = SecurityUtils.createSafeFile(dir, "snapshot.dat"); if (snapshotFile.exists()) { JournalingObject oo = initFromSnapshot(snapshotFile); if (oo != null) { @@ -192,13 +192,11 @@ public abstract class JournalingObject { case SET_METHOD: { try { Field fld = this.getClass().getDeclaredField(e.pname); - fld.setAccessible(true); logAttributeValue(e.pname, e.value); fld.set(this, e.value); } catch (Exception e1) { // TODO Auto-generated catch block - logger.error("Unable to set attribute: " + this.getClass().getName() + " " + e1); - logger.debug("Unable to set attribute: " + e.pname + " " + this.getClass().getName() + " " + e1); + logger.error("Unable to set attribute: " + p(e.pname) + " " + this.getClass().getName() + " " + e1); } return; } @@ -214,6 +212,10 @@ public abstract class JournalingObject { c.play(e, index - 1); } + private String p(String s) { + return SecurityUtils.logForcingProtection(s); + } + protected String eventToString(JournalingEvent e) { switch (e.method) { case SET_METHOD: @@ -235,8 +237,8 @@ public abstract class JournalingObject { } finally { out.close(); } - File f = FileUtils.createSafeFile(dir, fName); - File t = FileUtils.createSafeFile(dir, tName); + File f = SecurityUtils.createSafeFile(dir, fName); + File t = SecurityUtils.createSafeFile(dir, tName); if (f.exists()) { f.delete(); } @@ -279,7 +281,7 @@ public abstract class JournalingObject { snapShotInterval = i; lastSnapShot = new Date(); // make sure snapshots time are randomized and not happening at the same time. - lastSnapShot.setTime(lastSnapShot.getTime()-(long) (i*Math.random())); + lastSnapShot.setTime(lastSnapShot.getTime()-(long) (i*SecurityUtils.inSecureRandom())); } public int getLogSize() { @@ -348,8 +350,8 @@ public abstract class JournalingObject { static private File saveObjectFile(File dir, String fname, Date now) { String fname2 = fname + "." + now.getTime() + "." + num++; - File f1 = FileUtils.createSafeFile(dir, fname); - File f2 = FileUtils.createSafeFile(dir, fname2); + File f1 = SecurityUtils.createSafeFile(dir, fname); + File f2 = SecurityUtils.createSafeFile(dir, fname2); if (f1.exists()) { if (f2.exists()) { f2.delete(); @@ -363,7 +365,7 @@ public abstract class JournalingObject { } static private ObjectOutputStream getObjectFile(File dir, String fname) { - File f1 = FileUtils.createSafeFile(dir, fname); + File f1 = SecurityUtils.createSafeFile(dir, fname); ObjectOutputStream s = null; try { s = new ObjectOutputStream(new BufferedOutputStream(new FileOutputStream(f1))); @@ -377,10 +379,12 @@ public abstract class JournalingObject { int numEvents = 0; Object o = null; try { - FileInputStream fin = new FileInputStream(file); - ValidatingObjectInputStream in = new ValidatingObjectInputStream(fin); - addAccept(in); + FileInputStream fin = null; + ValidatingObjectInputStream in = null; try { + fin = new FileInputStream(file); + in = new ValidatingObjectInputStream(fin); + addAccept(in); while (true) { try { o = in.readUnshared(); @@ -409,7 +413,6 @@ public abstract class JournalingObject { } catch (EOFException e) { logger.debug("initFromLog failed: " + file + " numEvents=" + numEvents + " o=" + o); } catch (Exception e) { - System.err.println(e); logger.debug("initFromLog failed: " + file + " numEvents=" + numEvents + " o=" + o); e.printStackTrace(); } -- cgit 1.2.3-korg