From af4398c19298f049079a178fe7f7db96da8cda8b Mon Sep 17 00:00:00 2001
From: jhh
Date: Tue, 15 Jun 2021 14:50:20 -0500
Subject: filter logging input data per sonar security issue
Issue-ID: POLICY-3289
Signed-off-by: jhh
Change-Id: Iad22a581a6bd98e7e210162d30ec7741972669d2
---
 .../controller/IndexedDroolsControllerFactory.java | 17 ++++++-----------
 .../onap/policy/drools/server/restful/RestManager.java | 10 ++++++++++
 2 files changed, 16 insertions(+), 11 deletions(-)
(limited to 'policy-management/src')
diff --git a/policy-management/src/main/java/org/onap/policy/drools/controller/IndexedDroolsControllerFactory.java b/policy-management/src/main/java/org/onap/policy/drools/controller/IndexedDroolsControllerFactory.java
index 810cb65b..3a50b9f7 100644
--- a/policy-management/src/main/java/org/onap/policy/drools/controller/IndexedDroolsControllerFactory.java
+++ b/policy-management/src/main/java/org/onap/policy/drools/controller/IndexedDroolsControllerFactory.java
@@ -232,7 +232,7 @@ class IndexedDroolsControllerFactory implements DroolsControllerFactory {
 // 2. check if there is a custom decoder for this topic that the user prefers to use
 // instead of the ones provided in the platform
- CustomGsonCoder customGsonCoder = getCustomCoder(properties, propertyTopicEntityPrefix);
+ var customGsonCoder = getCustomCoder(properties, propertyTopicEntityPrefix);
 // 3. second the list of classes associated with each topic
@@ -247,9 +247,8 @@ class IndexedDroolsControllerFactory implements DroolsControllerFactory {
 List classes2Filters = getFilterExpressions(properties, propertyTopicEntityPrefix, eventClasses);
- TopicCoderFilterConfiguration topic2Classes2Filters =
- new TopicCoderFilterConfiguration(firstTopic, classes2Filters, customGsonCoder);
- topics2DecodedClasses2Filters.add(topic2Classes2Filters);
+ topics2DecodedClasses2Filters
+ .add(new TopicCoderFilterConfiguration(firstTopic, classes2Filters, customGsonCoder));
 }
 return topics2DecodedClasses2Filters;
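Review bot: `var customGsonCoder = getCustomCoder(properties, propertyTopicEntityPrefix);` in the @@ -232 hunk removes the only place a reader sees the type (CustomGsonCoder), because the initializer is a method call rather than a constructor; the same applies to `var commInfra = topic.getTopicCommInfrastructure();` in the @@ -257 hunk. Where the initializer is a `new` expression, as in the @@ -310 hunk, `var` loses nothing and is fine. Consider keeping the explicit type on those two method-call initializers, i.e. `CustomGsonCoder customGsonCoder = getCustomCoder(properties, propertyTopicEntityPrefix);` and `CommInfrastructure commInfra = topic.getTopicCommInfrastructure();`. Both enclosing methods start or end outside their hunks.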
@@ -257,7 +256,7 @@ class IndexedDroolsControllerFactory implements DroolsControllerFactory {
 private String getPropertyTopicPrefix(Topic topic) {
 boolean isSource = topic instanceof TopicSource;
- CommInfrastructure commInfra = topic.getTopicCommInfrastructure();
+ var commInfra = topic.getTopicCommInfrastructure();
 if (commInfra == CommInfrastructure.UEB) {
 if (isSource) {
 return PolicyEndPointProperties.PROPERTY_UEB_SOURCE_TOPICS + ".";
@@ -310,8 +309,7 @@ class IndexedDroolsControllerFactory implements DroolsControllerFactory {
 + PolicyEndPointProperties.PROPERTY_TOPIC_EVENTS_SUFFIX + "." + theClass + PolicyEndPointProperties.PROPERTY_TOPIC_EVENTS_FILTER_SUFFIX);
- JsonProtocolFilter protocolFilter = new JsonProtocolFilter(filter);
- PotentialCoderFilter class2Filters = new PotentialCoderFilter(theClass, protocolFilter);
+ var class2Filters = new PotentialCoderFilter(theClass, new JsonProtocolFilter(filter));
 classes2Filters.add(class2Filters);
 }
@@ -404,10 +402,7 @@ class IndexedDroolsControllerFactory implements DroolsControllerFactory {
 @Override
 public String toString() {
- StringBuilder builder = new StringBuilder();
- builder.append("IndexedDroolsControllerFactory [#droolsControllers=").append(droolsControllers.size()) .append("]");
- return builder.toString();
+ return "IndexedDroolsControllerFactory [#droolsControllers=" + droolsControllers.size() + "]";
 }
 }
diff --git a/policy-management/src/main/java/org/onap/policy/drools/server/restful/RestManager.java b/policy-management/src/main/java/org/onap/policy/drools/server/restful/RestManager.java
index 89a1c43c..5d08d386 100644
--- a/policy-management/src/main/java/org/onap/policy/drools/server/restful/RestManager.java
+++ b/policy-management/src/main/java/org/onap/policy/drools/server/restful/RestManager.java
@@ -2055,6 +2055,16 @@ public class RestManager {
 String newLevel;
 try {
+ if (!checkValidNameInput(loggerName)) {
+ return Response.status(Response.Status.NOT_ACCEPTABLE)
+ .entity(new Error("logger name: " + NOT_ACCEPTABLE_MSG))
+ .build();
+ }
+ if (!Pattern.matches("^[a-zA-Z]{3,5}$", loggerLevel)) {
+ return Response.status(Response.Status.NOT_ACCEPTABLE)
+ .entity(new Error("logger level: " + NOT_ACCEPTABLE_MSG))
+ .build();
+ }
 newLevel = LoggerUtil.setLevel(loggerName, loggerLevel);
 } catch (final IllegalArgumentException e) {
 logger.warn("{}: invalid operation for logger {} and level {}", this, loggerName, loggerLevel, e);
-- cgit 1.2.3-korg
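Review bot: `Pattern.matches("^[a-zA-Z]{3,5}$", loggerLevel)` in the added level check recompiles the regex on every request; since `Pattern` is already in scope, hoist it into a class constant, `private static final Pattern LOGGER_LEVEL_PATTERN = Pattern.compile("^[a-zA-Z]{3,5}$");`, and test with `if (!LOGGER_LEVEL_PATTERN.matcher(loggerLevel).matches()) {`. The check constrains the shape of `loggerLevel` before it reaches `LoggerUtil.setLevel` and the `logger.warn` in the catch block, which addresses the Sonar finding, but it still admits any 3–5 letter word, so the code presumably relies on `setLevel` throwing `IllegalArgumentException` for unknown level names; if that is confirmed, a comment on the check such as `// shape check only; LoggerUtil.setLevel rejects unknown level names` would make the split of responsibility explicit. `checkValidNameInput` is defined outside this hunk, so whether it handles a null `loggerName` cannot be confirmed here. The enclosing method starts before and ends after the hunk.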