diff options
author | Christopher Lott (cl778h) <clott@research.att.com> | 2017-10-20 08:22:19 -0400 |
---|---|---|
committer | Christopher Lott (cl778h) <clott@research.att.com> | 2017-10-20 08:44:33 -0400 |
commit | e3982f6c2a13c903947a66d89e1af1ccbb161e5f (patch) | |
tree | 07db289541228dfaef258c267dd33635c33ebb34 /ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion | |
parent | ddd8720d597fc9053a455b10445fb253adbc4bf7 (diff) |
Role management; security vulnerabilities.
Extend user/role management interface to allow role deletion.
Add filters to defend against common web Javascript attacks.
Drop Greensock code with unusable license.
Use OParent in EPSDK web application.
Issue: US324470, US342324, PORTAL-127
Change-Id: I3a10744fbbbdbda7c88d2b2e542e72e779c9b142
Signed-off-by: Christopher Lott (cl778h) <clott@research.att.com>
Diffstat (limited to 'ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion')
2 files changed, 7 insertions, 4 deletions
diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/controller/FileServletController.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/controller/FileServletController.java index 1d1fdd84..b6c985a5 100644 --- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/controller/FileServletController.java +++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/controller/FileServletController.java @@ -58,6 +58,7 @@ import javax.servlet.http.HttpServletResponse; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; import org.onap.portalsdk.core.service.DataAccessService; +import org.owasp.esapi.ESAPI; import org.springframework.web.servlet.ModelAndView;; @@ -175,7 +176,7 @@ public class FileServletController { response.setContentLength((int) outStream.length); response.setContentType("application/octet-stream"); response.setHeader("Content-disposition", "attachment; filename=\"" - + name + "\""); + + ESAPI.encoder().canonicalize(name) + "\""); copyStream(response, outStream); } catch (Exception ex) { if (os == null) diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/web/RaptorControllerAsync.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/web/RaptorControllerAsync.java index 8165801c..8478c73c 100644 --- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/web/RaptorControllerAsync.java +++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/web/RaptorControllerAsync.java @@ -105,7 +105,9 @@ import org.onap.portalsdk.analytics.xmlobj.PredefinedValueList; import org.onap.portalsdk.core.controller.RestrictedBaseController; import org.onap.portalsdk.core.domain.User; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; +import org.onap.portalsdk.core.util.SecurityCodecUtil; import org.onap.portalsdk.core.web.support.UserUtils; +import org.owasp.esapi.ESAPI; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.PathVariable; import org.springframework.web.bind.annotation.RequestBody; @@ -1415,10 +1417,10 @@ public class RaptorControllerAsync extends RestrictedBaseController { for (int i = 0; i < reqParameters.length; i++) { if (!reqParameters[i].startsWith("ff")) sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase() + "]", - request.getParameter(reqParameters[i].toUpperCase())); + ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),request.getParameter(reqParameters[i].toUpperCase()))); else - sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase() + "]", - request.getParameter(reqParameters[i])); + sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase() + "]", + ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),request.getParameter(reqParameters[i]))); } } if (session != null) { |