diff options
| -rw-r--r-- | INFO.yaml | 5 | ||||
| -rw-r--r-- | docs/release-notes.rst | 15 | ||||
| -rw-r--r-- | ecomp-portal-BE-os/src/main/java/org/onap/portalapp/controller/LoginController.java | 8 | ||||
| -rw-r--r-- | ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java | 46 |
4 files changed, 50 insertions, 24 deletions
@@ -41,5 +41,10 @@ committers: company: 'ATT' id: 'st782s' timezone: 'America/New_York' + - name: 'Lorraine A Welch' + email: 'lb2391@att.com' + company: 'ATT' + id: 'lorraineawelch' + timezone: 'America/New_York' tsc: approval: 'https://lists.onap.org/pipermail/onap-tsc' diff --git a/docs/release-notes.rst b/docs/release-notes.rst index 457819bc..a1b6e09c 100644 --- a/docs/release-notes.rst +++ b/docs/release-notes.rst @@ -35,9 +35,15 @@ We worked on SDK upgrade to integrate with AAF. We partially implemented multi-l *Fixed Security Issues* *Known Security Issues* - * In defult deployment PORTAL (portal-app) exposes HTTP port 8989 outside of cluster. [`OJSI-97 <https://jira.onap.org/browse/OJSI-97>`_] - * In defult deployment PORTAL (portal-app) exposes HTTP port 30215 outside of cluster. [`OJSI-105 <https://jira.onap.org/browse/OJSI-105>`_] - * In defult deployment PORTAL (portal-sdk) exposes HTTP port 30212 outside of cluster. [`OJSI-106 <https://jira.onap.org/browse/OJSI-106>`_] + + * CVE-2019-12317 - Number of XSS vulnerabilities in Portal [`OJSI-15 <https://jira.onap.org/browse/OJSI-15>`_] + * CVE-2019-12122 - ONAP Portal allows to retrieve password of currently active user [`OJSI-65 <https://jira.onap.org/browse/OJSI-65>`_] + * CVE-2019-12121 - ONAP Portal is vulnerable for Padding Oracle attack [`OJSI-92 <https://jira.onap.org/browse/OJSI-92>`_] + * In defult deployment PORTAL (portal-app) exposes HTTP port 8989 outside of cluster. [`OJSI-97 <https://jira.onap.org/browse/OJSI-97>`_] + * In defult deployment PORTAL (portal-app) exposes HTTP port 30215 outside of cluster. [`OJSI-105 <https://jira.onap.org/browse/OJSI-105>`_] + * In defult deployment PORTAL (portal-sdk) exposes HTTP port 30212 outside of cluster. [`OJSI-106 <https://jira.onap.org/browse/OJSI-106>`_] + * CVE-2019-12318 - Number of SQL Injections in Portal [`OJSI-174 <https://jira.onap.org/browse/OJSI-174>`_] + * Portal stores users passwords encrypted instead of hashed [`OJSI-190 <https://jira.onap.org/browse/OJSI-190>`_] *Known Vulnerabilities in Used Modules* @@ -53,7 +59,8 @@ Quick Links: **Upgrade Notes** * For https Apps onboarded to portal, a certificate has to be downloaded in the browser when first trying to access the landing page of the App. * For onboarded Apps using http (since Portal is using https) the browser asks the user to click to Proceed to the unsafe URL. - * For onboarded Apps using http the icon in the URL bar will appear red, click on it and allow unsafe scripts. + * For onboarded Apps using http the icon in the URL bar will appear red, click on it and allow unsafe scripts. + * The first time some apps are selected in the Applications panel, an error stating the webpage might be temporarily down, copy the presented URL to a new browser; once that is done, the application will open in the Portal. **Deprecation Notes** diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/controller/LoginController.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/controller/LoginController.java index 0ba7bdc6..56064b99 100644 --- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/controller/LoginController.java +++ b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/controller/LoginController.java @@ -39,6 +39,7 @@ package org.onap.portalapp.controller; import static com.att.eelf.configuration.Configuration.MDC_KEY_REQUEST_ID; +import java.io.IOException; import java.net.MalformedURLException; import java.net.URL; import java.net.URLDecoder; @@ -68,8 +69,10 @@ import org.onap.portalsdk.core.menu.MenuProperties; import org.onap.portalsdk.core.util.SystemProperties; import org.slf4j.MDC; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.http.HttpStatus; import org.springframework.stereotype.Controller; import org.springframework.util.StopWatch; +import org.springframework.web.bind.annotation.ExceptionHandler; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.ResponseBody; @@ -409,4 +412,9 @@ public class LoginController extends EPUnRestrictedBaseController implements Log this.sharedContextService = sharedContextService; } + @ExceptionHandler(Exception.class) + protected void handleBadRequests(Exception e, HttpServletResponse response) throws IOException { + logger.warn(EELFLoggerDelegate.errorLogger, "Handling bad request", e); + response.sendError(HttpStatus.BAD_REQUEST.value()); + } } diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java index 25eee828..703019f9 100644 --- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java +++ b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java @@ -1,9 +1,9 @@ - /*- * ============LICENSE_START========================================== * ONAP Portal * =================================================================== * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * Modifications Copyright (c) 2019 Samsung * =================================================================== * * Unless otherwise specified, all software contained herein is licensed @@ -36,6 +36,7 @@ * * */ + package org.onap.portalapp.filter; import java.io.BufferedReader; @@ -48,7 +49,6 @@ import java.util.Enumeration; import javax.servlet.FilterChain; import javax.servlet.ReadListener; -import javax.servlet.ServletException; import javax.servlet.ServletInputStream; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; @@ -62,7 +62,7 @@ import org.springframework.web.filter.OncePerRequestFilter; public class SecurityXssFilter extends OncePerRequestFilter { - private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssFilter.class); + private EELFLoggerDelegate sxLogger = EELFLoggerDelegate.getLogger(SecurityXssFilter.class); private static final String APPLICATION_JSON = "application/json"; @@ -120,40 +120,47 @@ public class SecurityXssFilter extends OncePerRequestFilter { @Override public void setReadListener(ReadListener readListener) { - + // do nothing } - } } @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) - throws ServletException, IOException { + throws IOException { StringBuilder requestURL = new StringBuilder(request.getRequestURL().toString()); - String queryString = request.getQueryString(); - String requestUrl = ""; - if (queryString == null) { - requestUrl = requestURL.toString(); - } else { - requestUrl = requestURL.append('?').append(queryString).toString(); - } - validateRequest(requestUrl, response); + String queryString = request.getQueryString(); + String requestUrl; + + if (queryString == null) { + requestUrl = requestURL.toString(); + } else { + requestUrl = requestURL.append('?').append(queryString).toString(); + } + + validateRequest(requestUrl, response); StringBuilder headerValues = new StringBuilder(); Enumeration<String> headerNames = request.getHeaderNames(); + while (headerNames.hasMoreElements()) { - String key = (String) headerNames.nextElement(); + String key = headerNames.nextElement(); String value = request.getHeader(key); headerValues.append(value); } + validateRequest(headerValues.toString(), response); + if (validateRequestType(request)) { request = new RequestWrapper(request); String requestData = IOUtils.toString(request.getInputStream(), StandardCharsets.UTF_8.toString()); validateRequest(requestData, response); - filterChain.doFilter(request, response); + } - } else { + try { filterChain.doFilter(request, response); + } catch (Exception e) { + sxLogger.warn(EELFLoggerDelegate.errorLogger, "Handling bad request", e); + response.sendError(org.springframework.http.HttpStatus.BAD_REQUEST.value(), "Handling bad request"); } } @@ -171,9 +178,8 @@ public class SecurityXssFilter extends OncePerRequestFilter { throw new SecurityException(ERROR_BAD_REQUEST); } } catch (Exception e) { - logger.error(EELFLoggerDelegate.errorLogger, "doFilterInternal() failed due to BAD_REQUEST", e); + sxLogger.error(EELFLoggerDelegate.errorLogger, "doFilterInternal() failed due to BAD_REQUEST", e); response.getWriter().close(); - return; } } -}
\ No newline at end of file +} |