diff options
author | Christopher Lott (cl778h) <clott@research.att.com> | 2017-10-20 08:22:19 -0400 |
---|---|---|
committer | Christopher Lott (cl778h) <clott@research.att.com> | 2017-10-20 08:44:33 -0400 |
commit | e3982f6c2a13c903947a66d89e1af1ccbb161e5f (patch) | |
tree | 07db289541228dfaef258c267dd33635c33ebb34 /ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/base | |
parent | ddd8720d597fc9053a455b10445fb253adbc4bf7 (diff) |
Role management; security vulnerabilities.
Extend user/role management interface to allow role deletion.
Add filters to defend against common web Javascript attacks.
Drop Greensock code with unusable license.
Use OParent in EPSDK web application.
Issue: US324470, US342324, PORTAL-127
Change-Id: I3a10744fbbbdbda7c88d2b2e542e72e779c9b142
Signed-off-by: Christopher Lott (cl778h) <clott@research.att.com>
Diffstat (limited to 'ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/base')
-rw-r--r-- | ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/base/ReportWrapper.java | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/base/ReportWrapper.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/base/ReportWrapper.java index 0ba8d4c7..156572f6 100644 --- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/base/ReportWrapper.java +++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/base/ReportWrapper.java @@ -109,6 +109,8 @@ import org.onap.portalsdk.analytics.xmlobj.Reports; import org.onap.portalsdk.analytics.xmlobj.SemaphoreList; import org.onap.portalsdk.analytics.xmlobj.SemaphoreType; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; +import org.onap.portalsdk.core.util.SecurityCodecUtil; +import org.owasp.esapi.ESAPI; /**<HR/> * This class is part of <B><I>RAPTOR (Rapid Application Programming Tool for OLAP Reporting)</I></B><BR/> @@ -2965,15 +2967,15 @@ public class ReportWrapper extends org.onap.portalsdk.analytics.RaptorObject { for (int i = 0; i < reqParameters.length; i++) { if(!reqParameters[i].startsWith("ff")) { if (nvl(request.getParameter(reqParameters[i].toUpperCase())).length() > 0) - sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i].toUpperCase()) ); + sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i].toUpperCase()) )); } else - sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i]) ); + sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i]) )); } for (int i = 0; i < scheduleSessionParameters.length; i++) { if(nvl(request.getParameter(scheduleSessionParameters[i])).trim().length()>0 ) - sql = Utils.replaceInString(sql, "[" + scheduleSessionParameters[i].toUpperCase()+"]", request.getParameter(scheduleSessionParameters[i]) ); + sql = Utils.replaceInString(sql, "[" + scheduleSessionParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(scheduleSessionParameters[i]) )); } } if(session != null ) { @@ -2998,7 +3000,7 @@ public class ReportWrapper extends org.onap.portalsdk.analytics.RaptorObject { //debugLogger.debug("SQLSQLBASED no formfields " + sql); if(request != null ) { for (int i = 0; i < reqParameters.length; i++) { - sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i]) ); + sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i]) )); } } if(session != null ) { @@ -3009,9 +3011,9 @@ public class ReportWrapper extends org.onap.portalsdk.analytics.RaptorObject { } } // if it is not multiple select and ParamValue is empty this is the place it can be replaced. - sql = Utils.replaceInString(sql, "[LOGGED_USERID]", userId); - sql = Utils.replaceInString(sql, "[USERID]", userId); - sql = Utils.replaceInString(sql, "[USER_ID]", userId); + sql = Utils.replaceInString(sql, "[LOGGED_USERID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), userId)); + sql = Utils.replaceInString(sql, "[USERID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), userId)); + sql = Utils.replaceInString(sql, "[USER_ID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), userId)); //debugLogger.debug("SQLSQLBASED no formfields after" + sql); //debugLogger.debug("Replacing String 2 "+ sql); //debugLogger.debug("Replaced String " + sql); |