From 601eb7fa55e373563ba396f491cec88732cd6e4e Mon Sep 17 00:00:00 2001 From: "aditya.puthuparambil" Date: Tue, 10 Mar 2020 14:12:55 +0000 Subject: Sonar Security vulnerabilities fix Issue-ID: POLICY-1913 Signed-off-by: aditya.puthuparambil Change-Id: Ic86e04776c9300e37134210cd9db5b6d7e6a5a9e --- .../apex/core/infrastructure/xml/XPathReader.java | 20 ++++---- .../onap/policy/apex/examples/bbs/WebClient.java | 56 +++++++++++++--------- .../model/basicmodel/handling/ApexModelWriter.java | 31 ++++++------ 3 files changed, 58 insertions(+), 49 deletions(-) diff --git a/core/core-infrastructure/src/main/java/org/onap/policy/apex/core/infrastructure/xml/XPathReader.java b/core/core-infrastructure/src/main/java/org/onap/policy/apex/core/infrastructure/xml/XPathReader.java index 08046c924..a9c57f385 100644 --- a/core/core-infrastructure/src/main/java/org/onap/policy/apex/core/infrastructure/xml/XPathReader.java +++ b/core/core-infrastructure/src/main/java/org/onap/policy/apex/core/infrastructure/xml/XPathReader.java @@ -1,6 +1,7 @@ /*- * ============LICENSE_START======================================================= * Copyright (C) 2016-2018 Ericsson. All rights reserved. + * Modifications Copyright (C) 2020 Nordix Foundation. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -22,6 +23,7 @@ package org.onap.policy.apex.core.infrastructure.xml; import java.io.InputStream; +import javax.xml.XMLConstants; import javax.xml.namespace.QName; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.xpath.XPath; @@ -39,6 +41,7 @@ import org.w3c.dom.Document; * @author Sajeevan Achuthan (sajeevan.achuthan@ericsson.com) */ public class XPathReader { + // Logger for this class private static final XLogger LOGGER = XLoggerFactory.getXLogger(XPathReader.class); @@ -73,18 +76,17 @@ public class XPathReader { private void init() { try { LOGGER.info("Initializing XPath reader"); + DocumentBuilderFactory df = DocumentBuilderFactory.newInstance(); + df.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // Check if this is operating on a file if (xmlFileName != null) { - xmlDocument = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(xmlFileName); - } - // Check if this is operating on a stream - else if (xmlStream != null) { - xmlDocument = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(xmlStream); - - } - // We have an error - else { + xmlDocument = df.newDocumentBuilder().parse(xmlFileName); + } else if (xmlStream != null) { + // Check if this is operating on a stream + xmlDocument = df.newDocumentBuilder().parse(xmlStream); + } else { + // We have an error LOGGER.error("XPath reader not initialized with either a file or a stream"); return; } diff --git a/examples/examples-onap-bbs/src/main/java/org/onap/policy/apex/examples/bbs/WebClient.java b/examples/examples-onap-bbs/src/main/java/org/onap/policy/apex/examples/bbs/WebClient.java index e4186f131..edaff6b52 100644 --- a/examples/examples-onap-bbs/src/main/java/org/onap/policy/apex/examples/bbs/WebClient.java +++ b/examples/examples-onap-bbs/src/main/java/org/onap/policy/apex/examples/bbs/WebClient.java @@ -1,7 +1,7 @@ /*- * ============LICENSE_START======================================================= * Copyright (C) 2019 Huawei. All rights reserved. - * Modifications Copyright (C) 2019 Nordix Foundation. + * Modifications Copyright (C) 2019-2020 Nordix Foundation. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -32,7 +32,9 @@ import java.nio.charset.StandardCharsets; import java.util.Base64; import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSession; import javax.net.ssl.TrustManager; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.transform.OutputKeys; import javax.xml.transform.Transformer; @@ -56,6 +58,7 @@ import org.xml.sax.InputSource; * The Class WebClient act as rest client for BBS usecase. */ public class WebClient { + private static final XLogger LOGGER = XLoggerFactory.getXLogger(WebClient.class); // Duplicated string constants @@ -64,20 +67,20 @@ public class WebClient { /** * Send simple https rest request. * - * @param requestUrl url + * @param requestUrl url * @param requestMethod method eg POST/GET/PUT - * @param outputStr Data - * @param username Simple Username - * @param pass Simple password - * @param contentType http content type + * @param outputStr Data + * @param username Simple Username + * @param pass Simple password + * @param contentType http content type * @return String response message */ public String httpRequest(String requestUrl, String requestMethod, String outputStr, String username, String pass, - String contentType) { + String contentType) { String result = ""; StringBuilder builder = new StringBuilder(); try { - LOGGER.info("httpsRequest starts " + requestUrl + " method " + requestMethod); + LOGGER.info("httpsRequest starts {} method {}", requestUrl, requestMethod); disableCertificateValidation(); URL url = new URL(requestUrl); @@ -109,8 +112,8 @@ public class WebClient { outputStream.close(); } - try (BufferedReader bufferedReader = - new BufferedReader(new InputStreamReader(httpUrlConn.getInputStream(), StandardCharsets.UTF_8))) { + try (BufferedReader bufferedReader = new BufferedReader( + new InputStreamReader(httpUrlConn.getInputStream(), StandardCharsets.UTF_8))) { String str; while ((str = bufferedReader.readLine()) != null) { builder.append(str); @@ -118,9 +121,9 @@ public class WebClient { httpUrlConn.disconnect(); result = builder.toString(); } - LOGGER.info("httpsRequest success "); + LOGGER.info("httpsRequest success"); } catch (Exception ce) { - LOGGER.error("httpsRequest Exception " + ce); + LOGGER.error("httpsRequest Exception", ce); } return result; } @@ -128,20 +131,22 @@ public class WebClient { /** * Pretty print xml string. * - * @param xml Input string + * @param xml Input string * @param indent Indent number * @return Indented xml string */ public String toPrettyString(String xml, int indent) { try { try (ByteArrayInputStream br = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) { - Document document = - DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(new InputSource(br)); + + DocumentBuilderFactory df = DocumentBuilderFactory.newInstance(); + df.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); + Document document = df.newDocumentBuilder().parse(new InputSource(br)); document.normalize(); XPath path = XPathFactory.newInstance().newXPath(); - NodeList nodeList = - (NodeList) path.evaluate("//text()[normalize-space()='']", document, XPathConstants.NODESET); + NodeList nodeList = (NodeList) path + .evaluate("//text()[normalize-space()='']", document, XPathConstants.NODESET); for (int i = 0; i < nodeList.getLength(); ++i) { Node node = nodeList.item(i); @@ -160,7 +165,7 @@ public class WebClient { return stringWriter.toString(); } } catch (Exception e) { - throw new ApexRuntimeException("pretiffication failed", e); + throw new ApexRuntimeException("Convert to Pretty string failed", e); } } @@ -171,14 +176,19 @@ public class WebClient { try { TrustManager[] trustAllCerts = NetworkUtil.getAlwaysTrustingManager(); - SSLContext sc = SSLContext.getInstance("SSL"); + SSLContext sc = SSLContext.getInstance("TLS"); sc.init(null, trustAllCerts, new java.security.SecureRandom()); HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); - - HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true); - + HttpsURLConnection.setDefaultHostnameVerifier((String hostname, SSLSession session) -> { + if (!hostname.equalsIgnoreCase(session.getPeerHost())) { + LOGGER.warn("Warning: URL host \"{}\" is different to SSLSession host \"{}\".", hostname, + session.getPeerHost()); + return false; + } + return true; + }); } catch (Exception e) { - LOGGER.error("certificate validation Exception " + e); + LOGGER.error("certificate validation Exception", e); } } diff --git a/model/basic-model/src/main/java/org/onap/policy/apex/model/basicmodel/handling/ApexModelWriter.java b/model/basic-model/src/main/java/org/onap/policy/apex/model/basicmodel/handling/ApexModelWriter.java index 35c458eaa..8d6c01e4e 100644 --- a/model/basic-model/src/main/java/org/onap/policy/apex/model/basicmodel/handling/ApexModelWriter.java +++ b/model/basic-model/src/main/java/org/onap/policy/apex/model/basicmodel/handling/ApexModelWriter.java @@ -1,7 +1,7 @@ /*- * ============LICENSE_START======================================================= * Copyright (C) 2016-2018 Ericsson. All rights reserved. - * Modifications Copyright (C) 2019 Nordix Foundation. + * Modifications Copyright (C) 2019-2020 Nordix Foundation. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -27,6 +27,7 @@ import java.io.Writer; import java.util.Set; import java.util.TreeSet; +import javax.xml.XMLConstants; import javax.xml.bind.JAXBContext; import javax.xml.bind.JAXBException; import javax.xml.bind.Marshaller; @@ -53,10 +54,11 @@ import org.w3c.dom.Document; /** * This class writes an Apex concept to an XML file or JSON file from a Java Apex Concept. * - * @author John Keeney (john.keeney@ericsson.com) * @param the type of Apex concept to write, must be a sub class of {@link AxConcept} + * @author John Keeney (john.keeney@ericsson.com) */ public class ApexModelWriter { + private static final String CONCEPT_MAY_NOT_BE_NULL = "concept may not be null"; private static final String CONCEPT_WRITER_MAY_NOT_BE_NULL = "concept writer may not be null"; private static final String CONCEPT_STREAM_MAY_NOT_BE_NULL = "concept stream may not be null"; @@ -87,15 +89,13 @@ public class ApexModelWriter { System.setProperty("javax.xml.bind.context.factory", "org.eclipse.persistence.jaxb.JAXBContextFactory"); try { - final JAXBContext jaxbContext = JAXBContextFactory.createContext(new Class[] - { rootConceptClass }, null); + final JAXBContext jaxbContext = JAXBContextFactory.createContext(new Class[]{rootConceptClass}, null); // Set up the unmarshaller to carry out validation marshaller = jaxbContext.createMarshaller(); marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true); marshaller.setEventHandler(new javax.xml.bind.helpers.DefaultValidationEventHandler()); } catch (final JAXBException e) { - LOGGER.error("JAXB marshaller creation exception", e); throw new ApexModelException("JAXB marshaller creation exception", e); } } @@ -133,14 +133,12 @@ public class ApexModelWriter { marshaller.setProperty(MarshallerProperties.MEDIA_TYPE, MediaType.APPLICATION_JSON); marshaller.setProperty(MarshallerProperties.JSON_INCLUDE_ROOT, true); } catch (final Exception e) { - LOGGER.warn("JAXB error setting marshaller for JSON output", e); throw new ApexModelException("JAXB error setting marshaller for JSON output", e); } } else { try { marshaller.setProperty(MarshallerProperties.MEDIA_TYPE, MediaType.APPLICATION_XML); } catch (final Exception e) { - LOGGER.warn("JAXB error setting marshaller for XML output", e); throw new ApexModelException("JAXB error setting marshaller for XML output", e); } } @@ -149,7 +147,7 @@ public class ApexModelWriter { /** * This method validates the Apex concept then writes it into a stream. * - * @param concept the concept to write + * @param concept the concept to write * @param apexConceptStream the stream to write to * @throws ApexModelException on validation or writing exceptions */ @@ -163,7 +161,7 @@ public class ApexModelWriter { /** * This method validates the Apex concept then writes it into a writer. * - * @param concept the concept to write + * @param concept the concept to write * @param apexConceptWriter the writer to write to * @throws ApexModelException on validation or writing exceptions */ @@ -176,9 +174,9 @@ public class ApexModelWriter { // Validate the concept first final AxValidationResult validationResult = concept.validate(new AxValidationResult()); if (!validationResult.isValid()) { - String message = "Apex concept xml (" + concept.getKey().getId() + ") validation failed: " - + validationResult.toString(); - LOGGER.warn(message); + String message = + "Apex concept xml (" + concept.getKey().getId() + ") validation failed: " + validationResult + .toString(); throw new ApexModelException(message); } } @@ -193,7 +191,7 @@ public class ApexModelWriter { /** * This method writes the Apex concept into a writer in XML format. * - * @param concept the concept to write + * @param concept the concept to write * @param apexConceptWriter the writer to write to * @throws ApexModelException on validation or writing exceptions */ @@ -206,6 +204,7 @@ public class ApexModelWriter { // Write the concept into a DOM document, then transform to add CDATA fields and pretty // print, then write out the result final DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance(); + docBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); final Document document = docBuilderFactory.newDocumentBuilder().newDocument(); // Marshal the concept into the empty document. @@ -215,10 +214,9 @@ public class ApexModelWriter { // Convert the cDataFieldSet into a space delimited string domTransformer.setOutputProperty(OutputKeys.CDATA_SECTION_ELEMENTS, - cdataFieldSet.toString().replaceAll("[\\[\\]\\,]", " ")); + cdataFieldSet.toString().replaceAll("[\\[\\]\\,]", " ")); domTransformer.transform(new DOMSource(document), new StreamResult(apexConceptWriter)); } catch (JAXBException | TransformerException | ParserConfigurationException e) { - LOGGER.warn("Unable to marshal Apex concept to XML", e); throw new ApexModelException("Unable to marshal Apex concept to XML", e); } LOGGER.debug("wrote Apex concept XML"); @@ -243,7 +241,7 @@ public class ApexModelWriter { /** * This method writes the Apex concept into a writer in JSON format. * - * @param concept the concept to write + * @param concept the concept to write * @param apexConceptWriter the writer to write to * @throws ApexModelException on validation or writing exceptions */ @@ -255,7 +253,6 @@ public class ApexModelWriter { try { marshaller.marshal(concept, apexConceptWriter); } catch (final JAXBException e) { - LOGGER.warn("Unable to marshal Apex concept to JSON", e); throw new ApexModelException("Unable to marshal Apex concept to JSON", e); } LOGGER.debug("wrote Apex concept JSON"); -- cgit 1.2.3-korg