From 5ba143338d6fbc2b4d1e36c0efcbbabe15c65301 Mon Sep 17 00:00:00 2001 From: guangxingwang Date: Thu, 15 Feb 2018 11:13:18 -0600 Subject: Fix Fortify Scan Issue: 1) Fix Fortify Header Manipulation issue by checking the format of the message before adding it response header. 2) Fix Fortify Hardcoded Password issue by using encryption and decryption Issue-ID: POLICY-543 Change-Id: I16b44b9b0670b1af75094c9ae9d1f7d352fa894a Signed-off-by: guangxingwang --- .../src/main/java/org/onap/policy/pdp/rest/PapUrlResolver.java | 7 ++++--- .../java/org/onap/policy/pdp/rest/api/services/PAPServices.java | 3 ++- 2 files changed, 6 insertions(+), 4 deletions(-) (limited to 'ONAP-PDP-REST/src/main')
diff --git a/ONAP-PDP-REST/src/main/java/org/onap/policy/pdp/rest/PapUrlResolver.java b/ONAP-PDP-REST/src/main/java/org/onap/policy/pdp/rest/PapUrlResolver.java
index 7ac322ec9..5462dd908 100644
--- a/ONAP-PDP-REST/src/main/java/org/onap/policy/pdp/rest/PapUrlResolver.java
+++ b/ONAP-PDP-REST/src/main/java/org/onap/policy/pdp/rest/PapUrlResolver.java
@@ -2,7 +2,7 @@
  * ============LICENSE_START=======================================================
  * ONAP-PDP-REST
  * ================================================================================
- * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
+ * Copyright (C) 2017-2018 AT&T Intellectual Property. All rights reserved.
  * ================================================================================
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -32,6 +32,7 @@ import java.util.Properties;
 import org.onap.policy.common.logging.flexlogger.FlexLogger;
 import org.onap.policy.common.logging.flexlogger.Logger;
 import org.onap.policy.rest.XACMLRestProperties;
+import org.onap.policy.utils.CryptoUtils;
 import com.att.research.xacml.util.XACMLProperties;
@@ -118,10 +119,10 @@ public class PapUrlResolver {
 String userId = null;
 String pass = null;
 userId = XACMLProperties.getProperty(urls[i] + "." + XACMLRestProperties.PROP_PAP_USERID);
- pass = XACMLProperties.getProperty(urls[i] + "." + XACMLRestProperties.PROP_PAP_PASS);
+ pass = XACMLProperties.getProperty(urls[i] + "." + CryptoUtils.decryptTxtNoExStr(XACMLRestProperties.PROP_PAP_PASS));
 if (userId == null || pass == null) {
 userId = XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_USERID);
- pass = XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS);
+ pass = CryptoUtils.decryptTxtNoExStr(XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS));
 }
 if (userId == null || pass == null) {
 userId = "";
diff --git a/ONAP-PDP-REST/src/main/java/org/onap/policy/pdp/rest/api/services/PAPServices.java b/ONAP-PDP-REST/src/main/java/org/onap/policy/pdp/rest/api/services/PAPServices.java
index 9ab4252c7..59194841f 100644
--- a/ONAP-PDP-REST/src/main/java/org/onap/policy/pdp/rest/api/services/PAPServices.java
+++ b/ONAP-PDP-REST/src/main/java/org/onap/policy/pdp/rest/api/services/PAPServices.java
@@ -40,6 +40,7 @@ import org.onap.policy.common.logging.flexlogger.FlexLogger;
 import org.onap.policy.common.logging.flexlogger.Logger;
 import org.onap.policy.pdp.rest.config.PDPApiAuth;
 import org.onap.policy.rest.XACMLRestProperties;
+import org.onap.policy.utils.CryptoUtils;
 import org.onap.policy.xacml.api.XACMLErrorConstants;
 import org.onap.policy.xacml.std.pap.StdPDPPolicy;
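Review bot: The first added line in the PapUrlResolver hunk decrypts the property name instead of the property value: `CryptoUtils.decryptTxtNoExStr(XACMLRestProperties.PROP_PAP_PASS)` is applied to the constant key before it is appended to `urls[i] + "."`, so the per-PAP lookup asks for a key that does not exist, `pass` comes back null, and every URL is silently pushed onto the global-credential fallback on the following lines. The second added line of this hunk and the PAPServices hunk put the call in the right place; the first should match them: `pass = CryptoUtils.decryptTxtNoExStr(XACMLProperties.getProperty(urls[i] + "." + XACMLRestProperties.PROP_PAP_PASS));`. Separately, `getProperty` can return null here, so the `pass == null` check that follows now depends on `decryptTxtNoExStr` passing null through rather than returning an empty or placeholder string; that behaviour is not visible in the hunk and is worth confirming, since otherwise a missing per-PAP password would no longer fall back to the global one. The enclosing loop and method start and end outside the hunk.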
@@ -76,7 +77,7 @@ public class PAPServices {
 private String getPAPEncoding(){
 if(encoding == null){
 String userID = XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_USERID);
- String pass = XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS);
+ String pass =CryptoUtils.decryptTxtNoExStr(XACMLProperties.getProperty(XACMLRestProperties.PROP_PAP_PASS));
 Base64.Encoder encoder = Base64.getEncoder();
 encoding = encoder.encodeToString((userID+":"+pass).getBytes(StandardCharsets.UTF_8));
 }
-- cgit 1.2.3-korg
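Review bot: The changed line in getPAPEncoding feeds whatever `decryptTxtNoExStr` returns straight into the cached Basic-auth `encoding`, and neither a null property nor a failed decryption is checked before `encoder.encodeToString(...)` two lines later, so a missing or undecryptable PAP password yields a permanently wrong Authorization value for the life of the instance with nothing in the log. A guard before the encoder, such as `if (pass == null || pass.isEmpty()) { /* log an error via the class's FlexLogger instance; the field name is not visible in this hunk */ }`, would make that failure observable at startup rather than as repeated 401s from the PAP. Whether the scanner finding is actually resolved depends on where the key CryptoUtils uses lives; if it sits in the same properties file as the encrypted value this is obfuscation rather than secret protection, which the commit message does not address. Minor style: `String pass =CryptoUtils...` is missing the space after `=`.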