aboutsummaryrefslogtreecommitdiffstats
path: root/ONAP-PAP-REST/src
diff options
context:
space:
mode:
authoreramkve <ram.krishna.verma@ericsson.com>2018-03-23 14:29:02 +0000
committereramkve <ram.krishna.verma@ericsson.com>2018-03-23 14:30:00 +0000
commitbbd56ec8187ce2a072b574b90ea0906d8ec0a140 (patch)
tree8d3535837dd59ba2905c85414b83f559ad6d54d0 /ONAP-PAP-REST/src
parent7a14106f07b1de10d9627ba4baa25587043be6e3 (diff)
Fix final 10 vulnerabilities in policy/engine
Code fixes for final 10 vulnerabilities in policy/engine Change-Id: I234194b596bdacd5f3f9fd1becd4da9d6d0b5cf4 Issue-ID: POLICY-662 Signed-off-by: eramkve <ram.krishna.verma@ericsson.com>
Diffstat (limited to 'ONAP-PAP-REST/src')
-rw-r--r--ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/XACMLPapServlet.java56
-rw-r--r--ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/ActionPolicyDictionaryController.java2
-rw-r--r--ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/BRMSDictionaryController.java2
-rw-r--r--ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/ClosedLoopDictionaryController.java2
-rw-r--r--ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DecisionPolicyDictionaryController.java2
-rw-r--r--ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DescriptiveDictionaryController.java2
-rw-r--r--ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DictionaryController.java2
-rw-r--r--ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/FirewallDictionaryController.java2
-rw-r--r--ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/MicroServiceDictionaryController.java2
-rw-r--r--ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/PolicyScopeDictionaryController.java2
-rw-r--r--ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/SafePolicyController.java2
-rw-r--r--ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/util/DictionaryUtils.java4
12 files changed, 46 insertions, 34 deletions
diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/XACMLPapServlet.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/XACMLPapServlet.java
index 9564acc25..a30c9c7ec 100644
--- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/XACMLPapServlet.java
+++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/XACMLPapServlet.java
@@ -792,7 +792,6 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
} else {
PolicyLogger.info("requestID was provided in call to XACMLPapSrvlet (doGet)");
}
- try {
loggingContext.metricStarted();
XACMLRest.dumpRequest(request);
loggingContext.metricEnded();
@@ -907,7 +906,18 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
request.getRemoteHost().equals(request.getLocalAddr())) {
// Return status information - basically all the groups
loggingContext.setServiceName("PAP.getGroups");
- Set<OnapPDPGroup> groups = papEngine.getOnapPDPGroups();
+ Set<OnapPDPGroup> groups = null;
+ try {
+ groups = papEngine.getOnapPDPGroups();
+ } catch(PAPException e) {
+ LOGGER.debug(e);
+ PolicyLogger.error(MessageCodes.ERROR_UNKNOWN, e, "XACMLPapServlet", " GET exception");
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Failed - See Error.log");
+ setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
+ im.endTransaction();
+ return;
+ }
// convert response object to JSON and include in the response
mapperWriteValue(new ObjectMapper(), response, groups);
response.setHeader("content-type", "application/json");
@@ -984,15 +994,6 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
PolicyLogger.audit("Transaction Failed - See Error.log");
setResponseError(response,HttpServletResponse.SC_NOT_FOUND, message);
}
- } catch (PAPException e) {
- LOGGER.debug(e);
- PolicyLogger.error(MessageCodes.ERROR_UNKNOWN, e, "XACMLPapServlet", " GET exception");
- loggingContext.transactionEnded();
- PolicyLogger.audit("Transaction Failed - See Error.log");
- setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
- im.endTransaction();
- return;
- }
loggingContext.transactionEnded();
PolicyLogger.audit("Transaction Ended");
im.endTransaction();
@@ -1892,7 +1893,16 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
} else {
// request is for top-level properties about all groups
loggingContext.setServiceName("AC:PAP.getAllGroups");
- Set<OnapPDPGroup> groups = papEngine.getOnapPDPGroups();
+ Set<OnapPDPGroup> groups = null;
+ try {
+ groups = papEngine.getOnapPDPGroups();
+ } catch(PAPException e) {
+ PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XACMLPapServlet", " AC Get exception");
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Failed - See Error.log");
+ setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
+ return;
+ }
// convert response object to JSON and include in the response
mapperWriteValue(new ObjectMapper(), response, groups);
if (LOGGER.isDebugEnabled()) {
@@ -2039,7 +2049,12 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
LOGGER.info("JSON request from AC: " + json);
// convert Object sent as JSON into local object
ObjectMapper mapper = new ObjectMapper();
- Object objectFromJSON = mapper.readValue(json, StdPDP.class);
+ Object objectFromJSON = null;
+ try {
+ objectFromJSON = mapper.readValue(json, StdPDP.class);
+ } catch(Exception e) {
+ LOGGER.error(e);
+ }
if (pdpId == null ||
objectFromJSON == null ||
! (objectFromJSON instanceof StdPDP) ||
@@ -2144,7 +2159,12 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
LOGGER.info("JSON request from AC: " + json);
// convert Object sent as JSON into local object
ObjectMapper mapper = new ObjectMapper();
- Object objectFromJSON = mapper.readValue(json, StdPDPGroup.class);
+ Object objectFromJSON = null;
+ try {
+ objectFromJSON = mapper.readValue(json, StdPDPGroup.class);
+ } catch(Exception e) {
+ LOGGER.error(e);
+ }
if (objectFromJSON == null || ! (objectFromJSON instanceof StdPDPGroup) ||
! ((StdPDPGroup)objectFromJSON).getId().equals(group.getId())) {
PolicyLogger.error(MessageCodes.ERROR_DATA_ISSUE + " Group update had bad input. id=" + group.getId() + " objectFromJSON="+objectFromJSON);
@@ -2209,14 +2229,6 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
PolicyLogger.audit("Transaction Failed - See Error.log");
setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
return;
- } catch (IOException | JsonException e) {
- LOGGER.debug(e);
- acPutTransaction.rollbackTransaction();
- PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XACMLPapServlet", " AC PUT exception");
- loggingContext.transactionEnded();
- PolicyLogger.audit("Transaction Failed - See Error.log");
- setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
- return;
}
}
diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/ActionPolicyDictionaryController.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/ActionPolicyDictionaryController.java
index 3d275c3d9..59a7ed312 100644
--- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/ActionPolicyDictionaryController.java
+++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/ActionPolicyDictionaryController.java
@@ -64,7 +64,7 @@ public class ActionPolicyDictionaryController {
}
private DictionaryUtils getDictionaryUtilsInstance(){
- return DictionaryUtils.dictionaryUtils != null ? DictionaryUtils.getDictionaryUtils() : new DictionaryUtils();
+ return DictionaryUtils.getDictionaryUtils();
}
@RequestMapping(value={"/get_ActionPolicyDictDataByName"}, method={RequestMethod.GET} , produces=MediaType.APPLICATION_JSON_VALUE)
diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/BRMSDictionaryController.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/BRMSDictionaryController.java
index f07ca3478..0ab5cf935 100644
--- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/BRMSDictionaryController.java
+++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/BRMSDictionaryController.java
@@ -91,7 +91,7 @@ public class BRMSDictionaryController{
}
private DictionaryUtils getDictionaryUtilsInstance(){
- return DictionaryUtils.dictionaryUtils != null ? DictionaryUtils.getDictionaryUtils() : new DictionaryUtils();
+ return DictionaryUtils.getDictionaryUtils();
}
@RequestMapping(value={"/get_BRMSParamDataByName"}, method={RequestMethod.GET} , produces=MediaType.APPLICATION_JSON_VALUE)
diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/ClosedLoopDictionaryController.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/ClosedLoopDictionaryController.java
index 2b0556716..5d28c82e7 100644
--- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/ClosedLoopDictionaryController.java
+++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/ClosedLoopDictionaryController.java
@@ -89,7 +89,7 @@ public class ClosedLoopDictionaryController{
}
private DictionaryUtils getDictionaryUtilsInstance(){
- return DictionaryUtils.dictionaryUtils != null ? DictionaryUtils.getDictionaryUtils() : new DictionaryUtils();
+ return DictionaryUtils.getDictionaryUtils();
}
@RequestMapping(value={"/get_VSCLActionDataByName"}, method={RequestMethod.GET} , produces=MediaType.APPLICATION_JSON_VALUE)
diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DecisionPolicyDictionaryController.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DecisionPolicyDictionaryController.java
index 9b79303fa..6e68d78d9 100644
--- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DecisionPolicyDictionaryController.java
+++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DecisionPolicyDictionaryController.java
@@ -66,7 +66,7 @@ public class DecisionPolicyDictionaryController {
}
private DictionaryUtils getDictionaryUtilsInstance(){
- return DictionaryUtils.dictionaryUtils != null ? DictionaryUtils.getDictionaryUtils() : new DictionaryUtils();
+ return DictionaryUtils.getDictionaryUtils();
}
@RequestMapping(value={"/get_SettingsDictionaryDataByName"}, method={RequestMethod.GET} , produces=MediaType.APPLICATION_JSON_VALUE)
diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DescriptiveDictionaryController.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DescriptiveDictionaryController.java
index 364a4f73a..db710961f 100644
--- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DescriptiveDictionaryController.java
+++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DescriptiveDictionaryController.java
@@ -65,7 +65,7 @@ public class DescriptiveDictionaryController {
}
private DictionaryUtils getDictionaryUtilsInstance(){
- return DictionaryUtils.dictionaryUtils != null ? DictionaryUtils.getDictionaryUtils() : new DictionaryUtils();
+ return DictionaryUtils.getDictionaryUtils();
}
@RequestMapping(value={"/get_DescriptiveScopeByName"}, method={RequestMethod.GET} , produces=MediaType.APPLICATION_JSON_VALUE)
diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DictionaryController.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DictionaryController.java
index 7e30635f9..0b7693c6f 100644
--- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DictionaryController.java
+++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DictionaryController.java
@@ -69,7 +69,7 @@ public class DictionaryController {
}
private DictionaryUtils getDictionaryUtilsInstance(){
- return DictionaryUtils.dictionaryUtils != null ? DictionaryUtils.getDictionaryUtils() : new DictionaryUtils();
+ return DictionaryUtils.getDictionaryUtils();
}
@RequestMapping(value={"/get_AttributeDatabyAttributeName"}, method={RequestMethod.GET} , produces=MediaType.APPLICATION_JSON_VALUE)
diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/FirewallDictionaryController.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/FirewallDictionaryController.java
index d02cbca73..bd1fb0e32 100644
--- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/FirewallDictionaryController.java
+++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/FirewallDictionaryController.java
@@ -113,7 +113,7 @@ public class FirewallDictionaryController {
}
private DictionaryUtils getDictionaryUtilsInstance(){
- return DictionaryUtils.dictionaryUtils != null ? DictionaryUtils.getDictionaryUtils() : new DictionaryUtils();
+ return DictionaryUtils.getDictionaryUtils();
}
@RequestMapping(value={"/get_PrefixListDataByName"}, method={RequestMethod.GET} , produces=MediaType.APPLICATION_JSON_VALUE)
diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/MicroServiceDictionaryController.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/MicroServiceDictionaryController.java
index 20e75a08b..becf5adf7 100644
--- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/MicroServiceDictionaryController.java
+++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/MicroServiceDictionaryController.java
@@ -92,7 +92,7 @@ public class MicroServiceDictionaryController {
}
private DictionaryUtils getDictionaryUtilsInstance(){
- return DictionaryUtils.dictionaryUtils != null ? DictionaryUtils.getDictionaryUtils() : new DictionaryUtils();
+ return DictionaryUtils.getDictionaryUtils();
}
@Autowired
diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/PolicyScopeDictionaryController.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/PolicyScopeDictionaryController.java
index 40c9d7269..fd3d2f641 100644
--- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/PolicyScopeDictionaryController.java
+++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/PolicyScopeDictionaryController.java
@@ -71,7 +71,7 @@ public class PolicyScopeDictionaryController {
}
private DictionaryUtils getDictionaryUtilsInstance(){
- return DictionaryUtils.dictionaryUtils != null ? DictionaryUtils.getDictionaryUtils() : new DictionaryUtils();
+ return DictionaryUtils.getDictionaryUtils();
}
@Autowired
diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/SafePolicyController.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/SafePolicyController.java
index 23450cbbe..209ba4f45 100644
--- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/SafePolicyController.java
+++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/SafePolicyController.java
@@ -66,7 +66,7 @@ public class SafePolicyController {
}
private DictionaryUtils getDictionaryUtilsInstance(){
- return DictionaryUtils.dictionaryUtils != null ? DictionaryUtils.getDictionaryUtils() : new DictionaryUtils();
+ return DictionaryUtils.getDictionaryUtils();
}
@RequestMapping(value = { "/get_RiskTypeDataByName" }, method = {RequestMethod.GET }, produces = MediaType.APPLICATION_JSON_VALUE)
diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/util/DictionaryUtils.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/util/DictionaryUtils.java
index e18595956..5610577a9 100644
--- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/util/DictionaryUtils.java
+++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/util/DictionaryUtils.java
@@ -58,10 +58,10 @@ public class DictionaryUtils {
private static CommonClassDao commonClassDao;
- public static DictionaryUtils dictionaryUtils;
+ private static DictionaryUtils dictionaryUtils;
public static synchronized DictionaryUtils getDictionaryUtils() {
- return dictionaryUtils;
+ return dictionaryUtils != null ? dictionaryUtils : new DictionaryUtils();
}
public static synchronized void setDictionaryUtils(DictionaryUtils dictionaryUtils) {