authorrobertlo <wl849v@att.com>2018-01-08 17:08:00 -0500
committerrobertlo <wl849v@att.com>2018-01-08 17:08:00 -0500
commit304033445a8333cd088910fc3e43ca9222237816 (patch)
tree403346f9dfc7da2a1535cb0ba3cd08e619c4c8ed
parent69062c0ec148ccadaced3ef1d6eff63ba422c055 (diff)
Harden code
Issue-ID: PORTAL-145 Harden code to address Open Redirect in Portal SDK Change-Id: If7e923366be11b78c1359dfe5b8fc14a2927c668 Signed-off-by: robertlo <wl849v@att.com>
-rw-r--r--ecomp-sdk/epsdk-app-overlay/src/main/webapp/WEB-INF/fusion/jsp/webrtc/collaboration.jsp6
-rw-r--r--ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/DS2-view-models/ds2-admin/collaboration.html6
-rw-r--r--ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/view-models/reportdashboard-page/src/components/directives/dashboard/WidgetSettingsRaptorReportCtrl.js5
-rw-r--r--ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/interceptor/SessionTimeoutInterceptor.java4
-rw-r--r--ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxy.java5
-rw-r--r--ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/SSOUtil.java3
-rw-r--r--ecomp-sdk/epsdk-workflow/src/main/java/org/onap/portalsdk/workflow/controllers/WorkflowController.java2
7 files changed, 10 insertions, 21 deletions
diff --git a/ecomp-sdk/epsdk-app-overlay/src/main/webapp/WEB-INF/fusion/jsp/webrtc/collaboration.jsp b/ecomp-sdk/epsdk-app-overlay/src/main/webapp/WEB-INF/fusion/jsp/webrtc/collaboration.jsp
index f392ed56..42b7d9ba 100644
--- a/ecomp-sdk/epsdk-app-overlay/src/main/webapp/WEB-INF/fusion/jsp/webrtc/collaboration.jsp
+++ b/ecomp-sdk/epsdk-app-overlay/src/main/webapp/WEB-INF/fusion/jsp/webrtc/collaboration.jsp
@@ -477,12 +477,6 @@
<input type="text" id="chat-input" style="font-size: 1.2em;visibility:collapse;" placeholder="type here.."/>
<div id="chat-output"></div>
</td>
- <!--
- <td style="background: white;">
- <input type="file" id="file">
- <div id="file-progress"></div>
- </td>
- -->
</tr>
</tbody>
</table>
diff --git a/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/DS2-view-models/ds2-admin/collaboration.html b/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/DS2-view-models/ds2-admin/collaboration.html
index cca54a6b..f2bd0bc9 100644
--- a/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/DS2-view-models/ds2-admin/collaboration.html
+++ b/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/DS2-view-models/ds2-admin/collaboration.html
@@ -149,12 +149,6 @@
<input type="text" id="chat-input" style="font-size: 1.2em;visibility:collapse;" placeholder="type here.."/>
<div id="chat-output"></div>
</td>
- <!--
- <td style="background: white;">
- <input type="file" id="file">
- <div id="file-progress"></div>
- </td>
- -->
</tr>
</tbody>
</table>
diff --git a/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/view-models/reportdashboard-page/src/components/directives/dashboard/WidgetSettingsRaptorReportCtrl.js b/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/view-models/reportdashboard-page/src/components/directives/dashboard/WidgetSettingsRaptorReportCtrl.js
index fd6a0b02..4aabe3ad 100644
--- a/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/view-models/reportdashboard-page/src/components/directives/dashboard/WidgetSettingsRaptorReportCtrl.js
+++ b/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/view-models/reportdashboard-page/src/components/directives/dashboard/WidgetSettingsRaptorReportCtrl.js
@@ -173,8 +173,9 @@ angular.module('ui.dashboard')
function(response) {
console.log(response.data);
$scope.showChart = true;
- document.getElementById('chartiframe').contentWindow.document.write(response.data);
- document.getElementById('chartiframe').contentWindow.document.close();
+ var chartiframe = document.getElementById('chartiframe');
+ chartiframe.contentWindow.document.write(response.data);
+ chartiframe.contentWindow.document.close();
});
} else {
$scope.showChart = false;
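Review bot: Hoisting `document.getElementById('chartiframe')` into the `chartiframe` local is a behaviour-neutral tidy-up; the server payload `response.data` is still written verbatim into the iframe document through `document.write`, so the sink that this commit's hardening theme would concern is unchanged by the hunk. Whether that iframe is isolated from the parent origin (a `sandbox` attribute or a different-origin `src`) is not visible here; if it is same-origin, script inside the returned chart HTML runs with the dashboard page's privileges, so the markup of `chartiframe` should be confirmed. `console.log(response.data)` on the line above also dumps the full chart document to the browser console and looks like debug leftover. The enclosing callback and its `if`/`else` start outside the hunk.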
diff --git a/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/interceptor/SessionTimeoutInterceptor.java b/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/interceptor/SessionTimeoutInterceptor.java
index a6b98fdf..1c32ad80 100644
--- a/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/interceptor/SessionTimeoutInterceptor.java
+++ b/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/interceptor/SessionTimeoutInterceptor.java
@@ -102,7 +102,6 @@ public class SessionTimeoutInterceptor extends HandlerInterceptorAdapter {
// "/context/single_signon.htm"
final String redirectUrl = request.getContextPath() + singleSignonPrefix
+ "redirectToPortal=Yes&" + forwardUrlParm;
- validateDomain(redirectUrl);
logger.debug(EELFLoggerDelegate.debugLogger, "preHandle: session is expired, redirecting to {}",
redirectUrl);
response.sendRedirect(redirectUrl);
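Review bot: The `validateDomain(redirectUrl)` call removed here, and again in the next hunk before the second `response.sendRedirect(redirectUrl)`, was the only host check on the redirect target in view, so a commit described as addressing open redirect leaves both redirects without validation at these call sites. Presumably it was dropped because `redirectUrl` is built as `request.getContextPath() + singleSignonPrefix + …`, a context-relative path on which `new URL(redirectUrl)` throws MalformedURLException instead of yielding a host; if that is the reason, the invariant the code now relies on should be made explicit rather than silent, e.g. `if (!redirectUrl.startsWith("/") || redirectUrl.startsWith("//")) { throw new MalformedURLException("redirect target must be context-relative"); }` before each `sendRedirect`. Where `singleSignonPrefix` and `forwardUrlParm` come from, and the enclosing `preHandle`, lie outside the hunk, so whether either carries request-controlled data cannot be confirmed here. Widening `validateDomain` to `public` in the third hunk, with no caller left in view, should at least come with a Javadoc noting that it only accepts absolute URLs and throws on path-relative input; otherwise keep it `private`.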
@@ -112,7 +111,6 @@ public class SessionTimeoutInterceptor extends HandlerInterceptorAdapter {
// Redirect to an absolute path in the webapp; e.g.,
// "/context/single_signon.htm"
final String redirectUrl = request.getContextPath() + singleSignonPrefix + forwardUrlParm;
- validateDomain(redirectUrl);
logger.debug(EELFLoggerDelegate.debugLogger, "preHandle: took exception {}, redirecting to {}",
ex.getMessage(), redirectUrl);
response.sendRedirect(redirectUrl);
@@ -125,7 +123,7 @@ public class SessionTimeoutInterceptor extends HandlerInterceptorAdapter {
return super.preHandle(request, response, handler);
}
- private void validateDomain(final String redirectUrl) throws MalformedURLException {
+ public void validateDomain(final String redirectUrl) throws MalformedURLException {
if (StringUtils.isNotBlank(redirectUrl)) {
String hostName = new URL(redirectUrl).getHost();
if (StringUtils.isNotBlank(hostName)
diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxy.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxy.java
index 1303aad5..2ceb8e7c 100644
--- a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxy.java
+++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxy.java
@@ -61,6 +61,7 @@ import org.onap.portalsdk.core.onboarding.util.PortalApiConstants;
import org.onap.portalsdk.core.onboarding.util.PortalApiProperties;
import org.onap.portalsdk.core.restful.domain.EcompRole;
import org.onap.portalsdk.core.restful.domain.EcompUser;
+import org.owasp.esapi.ESAPI;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.type.TypeReference;
@@ -305,12 +306,12 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer
}
} else {
String msg = "doPost: no match for request " + requestUri;
- logger.warn(msg);
+ logger.warn( ESAPI.encoder().encodeForHTML(msg));
responseJson = buildJsonResponse(false, msg);
response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
}
} catch (Exception ex) {
- logger.error("doPost: Failed to process request " + requestUri, ex);
+ logger.error("doPost: Failed to process request " + ESAPI.encoder().encodeForHTML(requestUri), ex);
response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
responseJson = buildJsonResponse(ex);
}
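Review bot: `ESAPI.encoder().encodeForHTML(msg)` on the `logger.warn` line applies an HTML-context encoder to a log sink, while the same unencoded `msg` is still passed to `buildJsonResponse(false, msg)` on the next line and returned to the client; the change therefore alters neither what the caller receives nor the log-forging risk it appears to target, which is about CR/LF and control characters rather than HTML metacharacters. The `logger.error` line below and the `logger.error` change in the SSOUtil.java hunk of this patch make the same choice, and the two lines here are inconsistent with each other: one encodes the whole message, the other only `requestUri`. A log-appropriate sanitisation of just the untrusted part, e.g. `String safeUri = requestUri == null ? null : requestUri.replaceAll("[\\r\\n]", "_");` used in both messages, would be clearer, and if `requestUri` is ever rendered into a page, encoding belongs at that rendering point. The stray space in `logger.warn( ESAPI…` is a style nit.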
diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/SSOUtil.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/SSOUtil.java
index 2d491cfa..c1776959 100644
--- a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/SSOUtil.java
+++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/SSOUtil.java
@@ -45,6 +45,7 @@ import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.owasp.esapi.ESAPI;
public class SSOUtil {
@@ -69,7 +70,7 @@ public class SSOUtil {
try {
encodedAppURL = URLEncoder.encode(appURL, "UTF-8");
} catch (UnsupportedEncodingException ex) {
- logger.error("getECOMPSSORedirectURL: Failed to encode app URL " + appURL, ex);
+ logger.error("getECOMPSSORedirectURL: Failed to encode app URL " + ESAPI.encoder().encodeForHTML(appURL), ex);
}
String portalURL = PortalApiProperties.getProperty(PortalApiConstants.ECOMP_REDIRECT_URL);
if (portalURL == null || portalURL.length() == 0) {
diff --git a/ecomp-sdk/epsdk-workflow/src/main/java/org/onap/portalsdk/workflow/controllers/WorkflowController.java b/ecomp-sdk/epsdk-workflow/src/main/java/org/onap/portalsdk/workflow/controllers/WorkflowController.java
index b4ceb6f2..8df42ed0 100644
--- a/ecomp-sdk/epsdk-workflow/src/main/java/org/onap/portalsdk/workflow/controllers/WorkflowController.java
+++ b/ecomp-sdk/epsdk-workflow/src/main/java/org/onap/portalsdk/workflow/controllers/WorkflowController.java
@@ -103,7 +103,7 @@ public class WorkflowController extends RestrictedBaseController {
response.setCharacterEncoding("UTF-8");
request.setCharacterEncoding("UTF-8");
PrintWriter out = response.getWriter();
- out.write("An error occurred while removing Role in the toggleRole()");
+ out.write("An error occurred while saving the CronJob : saveCronJob()");
}
}