authorPiotr Borelowski <p.borelowski@partner.samsung.com>2019-05-10 12:23:48 +0200
committerKrzysztof Opasiak <k.opasiak@samsung.com>2019-05-28 17:12:04 +0200
commitb9d4b9d9075f40bfcf1bef58c1738de4713e5e70 (patch)
treed7ce9a7ff7236599e23e0818adf13fed66cd1048
parentf9a1944a4b3cda8d9708087902a52baa40c0e2ea (diff)
Don't give user the exact exception description
The exact description of the exception especially if related to cryptography cannot be given to the user as it may be abused by the attacker. To fix that, we started to use @ExceptionHandler for all exceptions in the LoginController as well. CVE: CVE-2019-12121 Issue-ID: OJSI-92 Change-Id: I100b37ff33d28ebccc2411c3acc62bdb7ce11ca8 Signed-off-by: Piotr Borelowski <p.borelowski@partner.samsung.com> Reviewed-by: Krzysztof Opasiak <k.opasiak@samsung.com> Acked-by: Manoop Talasila <talasila@research.att.com>
-rw-r--r--ecomp-portal-BE-os/src/main/java/org/onap/portalapp/controller/LoginController.java8
1 files changed, 8 insertions, 0 deletions
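--- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/controller/LoginController.java
+++ b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/controller/LoginController.java
@@ -39,6 +39,7 @@ package org.onap.portalapp.controller;
 import static com.att.eelf.configuration.Configuration.MDC_KEY_REQUEST_ID;
+import java.io.IOException;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLDecoder;
@@ -68,8 +69,10 @@ import org.onap.portalsdk.core.menu.MenuProperties;
 import org.onap.portalsdk.core.util.SystemProperties;
 import org.slf4j.MDC;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpStatus;
 import org.springframework.stereotype.Controller;
 import org.springframework.util.StopWatch;
+import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -409,4 +412,9 @@ public class LoginController extends EPUnRestrictedBaseController implements Log
 this.sharedContextService = sharedContextService;
 }
+ @ExceptionHandler(Exception.class)
+ protected void handleBadRequests(Exception e, HttpServletResponse response) throws IOException {
+ logger.warn(EELFLoggerDelegate.errorLogger, "Handling bad request", e);
+ response.sendError(HttpStatus.BAD_REQUEST.value());
+ }
 }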
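Review bot: The new handler maps every `Exception` to 400, so server-side faults that reach `handleBadRequests` — a `NullPointerException`, a cryptography or configuration failure, an `IOException` from the response itself — are reported to clients and to monitoring as client errors; withholding the message is right, but the catch-all `Exception.class` case should send `HttpStatus.INTERNAL_SERVER_ERROR.value()`, with a separate narrower `@ExceptionHandler` for the input-validation exception types that genuinely merit 400 (Spring selects the most specific matching handler, so the narrower one takes precedence). `sendError` also throws `IllegalStateException` once the response is committed, which would raise a second error while handling the first; guarding with `if (!response.isCommitted()) { response.sendError(...); }` avoids that. The method has no Javadoc; a comment such as `/** Catch-all for this controller: logs the full exception server-side and returns a generic status so no exception detail reaches the client. */` would record why the detail is deliberately withheld.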