diff options
author | Christopher Lott (cl778h) <clott@research.att.com> | 2017-10-20 08:22:19 -0400 |
---|---|---|
committer | Christopher Lott (cl778h) <clott@research.att.com> | 2017-10-20 08:44:33 -0400 |
commit | e3982f6c2a13c903947a66d89e1af1ccbb161e5f (patch) | |
tree | 07db289541228dfaef258c267dd33635c33ebb34 /ecomp-sdk/epsdk-analytics/src/main | |
parent | ddd8720d597fc9053a455b10445fb253adbc4bf7 (diff) |
Role management; security vulnerabilities.
Extend user/role management interface to allow role deletion.
Add filters to defend against common web Javascript attacks.
Drop Greensock code with unusable license.
Use OParent in EPSDK web application.
Issue: US324470, US342324, PORTAL-127
Change-Id: I3a10744fbbbdbda7c88d2b2e542e72e779c9b142
Signed-off-by: Christopher Lott (cl778h) <clott@research.att.com>
Diffstat (limited to 'ecomp-sdk/epsdk-analytics/src/main')
12 files changed, 92 insertions, 74 deletions
diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/controller/ActionHandler.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/controller/ActionHandler.java index 1ffbde28..36c9d526 100644 --- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/controller/ActionHandler.java +++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/controller/ActionHandler.java @@ -88,6 +88,7 @@ import java.util.regex.Pattern; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpSession; +import org.apache.commons.io.FilenameUtils; import org.onap.portalsdk.analytics.error.RaptorException; import org.onap.portalsdk.analytics.error.RaptorRuntimeException; import org.onap.portalsdk.analytics.error.RaptorSchedularException; @@ -127,6 +128,8 @@ import org.onap.portalsdk.analytics.view.ReportData; import org.onap.portalsdk.analytics.xmlobj.DataColumnType; import org.onap.portalsdk.analytics.xmlobj.FormFieldType; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; +import org.onap.portalsdk.core.util.SecurityCodecUtil; +import org.owasp.esapi.ESAPI; import com.fasterxml.jackson.databind.DeserializationFeature; import com.fasterxml.jackson.databind.ObjectMapper; @@ -486,20 +489,13 @@ public class ActionHandler extends org.onap.portalsdk.analytics.RaptorObject { request.getSession().removeAttribute(AppConstants.EMBEDDED_REPORTDATA_MAP); } //String pdfAttachmentKey = AppUtils.getRequestValue(request, "pdfAttachmentKey"); - String report_email_sent_log_id = AppUtils.getRequestValue(request, "log_id"); + String report_email_sent_log_id = ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),AppUtils.getRequestValue(request, "log_id")); logger.debug(EELFLoggerDelegate.debugLogger, ("Email PDF" + pdfAttachmentKey+" "+ report_email_sent_log_id)); //email pdf attachment specific if(nvl(pdfAttachmentKey).length()>0 && report_email_sent_log_id !=null) isEmailAttachment = true; if(isEmailAttachment) { - /* String query = "Select user_id, rep_id from CR_REPORT_EMAIL_SENT_LOG" + - " where rownum = 1" + - " and gen_key='"+pdfAttachmentKey.trim()+"'" + - " and log_id ="+report_email_sent_log_id.trim() + - " and (sysdate - sent_date) < 1 ";*/ - - String query = Globals.getDownloadAllEmailSent(); query = query.replace("[pdfAttachmentKey.trim()]", pdfAttachmentKey.trim()); query = query.replace("[report_email_sent_log_id.trim()]", report_email_sent_log_id.trim()); @@ -1031,7 +1027,8 @@ public class ActionHandler extends org.onap.portalsdk.analytics.RaptorObject { public String getQuickLinksJSON(HttpServletRequest request, String nextPage) { String jsonInString = null; try { - ArrayList<QuickLink> quickLinks = ReportLoader.getQuickLinksJSON(request, request.getParameter("quick_links_menu_id"),true); + + ArrayList<QuickLink> quickLinks = ReportLoader.getQuickLinksJSON(request, ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),request.getParameter("quick_links_menu_id")),true); ObjectMapper mapper = new ObjectMapper(); mapper.configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false); mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false); @@ -1368,7 +1365,7 @@ public class ActionHandler extends org.onap.portalsdk.analytics.RaptorObject { public String reportDelete(HttpServletRequest request, String nextPage) { try { - String reportID = AppUtils.getRequestValue(request, AppConstants.RI_REPORT_ID); + String reportID = ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),AppUtils.getRequestValue(request, AppConstants.RI_REPORT_ID)); try { int i = Integer.parseInt(reportID); } catch(NumberFormatException ex) { @@ -1757,9 +1754,9 @@ public class ActionHandler extends org.onap.portalsdk.analytics.RaptorObject { if(request != null ) { for (int i = 0; i < reqParameters.length; i++) { if(!reqParameters[i].startsWith("ff")) - sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i].toUpperCase()) ); + sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),request.getParameter(reqParameters[i].toUpperCase()) )); else - sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i]) ); + sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),request.getParameter(reqParameters[i]) )); } } if(session != null ) { @@ -1886,7 +1883,7 @@ public class ActionHandler extends org.onap.portalsdk.analytics.RaptorObject { } } logger.debug(EELFLoggerDelegate.debugLogger, ("SQL2:\n"+ rr.getCachedSQL())); - String fileName = rr.getReportID()+"_"+userId+"_"+timestamp; + String fileName = FilenameUtils.normalize(rr.getReportID()+"_"+userId+"_"+timestamp); boolean flag = false; logger.debug(EELFLoggerDelegate.debugLogger, (""+Utils.isDownloadFileExists(rr.getReportID()+"_"+userId+"_"+dateStr))); // if(Utils.isDownloadFileExists(rr.getReportID()+"_"+userId+"_"+dateStr)) { @@ -1903,8 +1900,8 @@ public class ActionHandler extends org.onap.portalsdk.analytics.RaptorObject { request.setAttribute("message", messageBuffer.toString()); } else if(!flag) { - String whole_fileName = (Globals.getShellScriptDir() +AppConstants.SHELL_QUERY_DIR+ fileName+AppConstants.FT_SQL); - String whole_columnsfileName = (Globals.getShellScriptDir() +AppConstants.SHELL_QUERY_DIR+ fileName+AppConstants.FT_COLUMNS); + String whole_fileName = FilenameUtils.normalize (Globals.getShellScriptDir() +AppConstants.SHELL_QUERY_DIR+ fileName+AppConstants.FT_SQL); + String whole_columnsfileName = FilenameUtils.normalize (Globals.getShellScriptDir() +AppConstants.SHELL_QUERY_DIR+ fileName+AppConstants.FT_COLUMNS); logger.debug(EELFLoggerDelegate.debugLogger, ("FILENAME "+whole_fileName)); diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/ReportHandler.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/ReportHandler.java index 8a5e7e3c..b4c6faac 100644 --- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/ReportHandler.java +++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/ReportHandler.java @@ -108,6 +108,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; +import org.apache.commons.io.FilenameUtils; import org.apache.poi.hssf.usermodel.HSSFCell; import org.apache.poi.hssf.usermodel.HSSFCellStyle; import org.apache.poi.hssf.usermodel.HSSFDateUtil; @@ -2791,8 +2792,8 @@ public class ReportHandler extends org.onap.portalsdk.analytics.RaptorObject { logger.debug(EELFLoggerDelegate.debugLogger, ("Xls File name " + AppUtils.getTempFolderPath() + xlsFName)); - FileOutputStream xlsOut = new FileOutputStream(AppUtils.getTempFolderPath() - + xlsFName); + FileOutputStream xlsOut = new FileOutputStream(FilenameUtils.normalize(AppUtils.getTempFolderPath() + + xlsFName)); // BufferedWriter xlsOut = new BufferedWriter(new // FileWriter(AppUtils // .getTempFolderPath() @@ -2904,8 +2905,8 @@ public class ReportHandler extends org.onap.portalsdk.analytics.RaptorObject { for(Iterator iter = setReportRuntime.iterator(); iter.hasNext(); ) { count++; try { - xlsIn = new FileInputStream (AppUtils.getTempFolderPath() - + xlsFName); + xlsIn = new FileInputStream (FilenameUtils.normalize(AppUtils.getTempFolderPath() + + xlsFName)); } catch (FileNotFoundException e) { System.out.println ("File not found in the specified path."); @@ -2914,11 +2915,11 @@ public class ReportHandler extends org.onap.portalsdk.analytics.RaptorObject { if(xlsIn != null) { fileSystem = new POIFSFileSystem (xlsIn); wb = new HSSFWorkbook(fileSystem); - xlsOut = new FileOutputStream(AppUtils.getTempFolderPath() - + xlsFName); + xlsOut = new FileOutputStream(FilenameUtils.normalize(AppUtils.getTempFolderPath() + + xlsFName)); } else { - xlsOut = new FileOutputStream(AppUtils.getTempFolderPath() - + xlsFName); + xlsOut = new FileOutputStream(FilenameUtils.normalize(AppUtils.getTempFolderPath() + + xlsFName)); wb = new HSSFWorkbook(); } diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/ReportLoader.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/ReportLoader.java index 0d416ae2..3fa3ff91 100644 --- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/ReportLoader.java +++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/ReportLoader.java @@ -88,6 +88,8 @@ import org.onap.portalsdk.analytics.util.AppConstants; import org.onap.portalsdk.analytics.util.DataSet; import org.onap.portalsdk.analytics.util.Utils; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; +import org.onap.portalsdk.core.util.SecurityCodecUtil; +import org.owasp.esapi.ESAPI; public class ReportLoader extends org.onap.portalsdk.analytics.RaptorObject { @@ -488,19 +490,19 @@ public class ReportLoader extends org.onap.portalsdk.analytics.RaptorObject { try{ String sql1= Globals.getDeleteReportRecordLog(); - sql1 = sql1.replace("[reportID]", reportID); + sql1 = sql1.replace("[reportID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),reportID)); String sql2= Globals.getDeleteReportRecordUsers(); - sql2 = sql2.replace("[reportID]", reportID); + sql2 = sql2.replace("[reportID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),reportID)); String sql3= Globals.getDeleteReportRecordSchedule(); - sql3 = sql3.replace("[reportID]", reportID); + sql3 = sql3.replace("[reportID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),reportID)); String sql4= Globals.getDeleteReportRecordAccess(); - sql4 = sql4.replace("[reportID]", reportID); + sql4 = sql4.replace("[reportID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),reportID)); String sql5= Globals.getDeleteReportRecordEmail(); - sql5 = sql5.replace("[reportID]", reportID); + sql5 = sql5.replace("[reportID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),reportID)); String sql6= Globals.getDeleteReportRecordFavorite(); - sql6 = sql6.replace("[reportID]", reportID); + sql6 = sql6.replace("[reportID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),reportID)); String sql7= Globals.getDeleteReportRecordReport(); - sql7 = sql7.replace("[reportID]", reportID); + sql7 = sql7.replace("[reportID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),reportID)); DbUtils.executeUpdate(con, sql1); DbUtils.executeUpdate(con, sql2); @@ -580,9 +582,9 @@ public class ReportLoader extends org.onap.portalsdk.analytics.RaptorObject { roleList.append("," + ((String) iter.next())); String query = Globals.getLoadQuickLinks(); - query = query.replace("[userID]", userID); - query = query.replace("[roleList.toString()]", roleList.toString()); - query = query.replace("[nvls(menuId)]", nvls(menuId)); + query = query.replace("[userID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),userID)); + query = query.replace("[roleList.toString()]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),roleList.toString())); + query = query.replace("[nvls(menuId)]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),nvls(menuId))); DataSet ds = DbUtils .executeQuery(query); diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/SearchHandler.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/SearchHandler.java index 21c260bd..a6043ea7 100644 --- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/SearchHandler.java +++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/SearchHandler.java @@ -70,6 +70,7 @@ import java.util.Iterator; import javax.servlet.http.HttpServletRequest; +import org.apache.commons.io.FilenameUtils; import org.onap.portalsdk.analytics.controller.ErrorHandler; import org.onap.portalsdk.analytics.error.RaptorException; import org.onap.portalsdk.analytics.model.search.ReportSearchResult; @@ -83,6 +84,8 @@ import org.onap.portalsdk.analytics.system.Globals; import org.onap.portalsdk.analytics.util.AppConstants; import org.onap.portalsdk.analytics.util.DataSet; import org.onap.portalsdk.analytics.util.HtmlStripper; +import org.onap.portalsdk.core.util.SecurityCodecUtil; +import org.owasp.esapi.ESAPI; public class SearchHandler extends org.onap.portalsdk.analytics.RaptorObject { private static final String HTML_FORM = "forma"; @@ -128,9 +131,9 @@ public class SearchHandler extends org.onap.portalsdk.analytics.RaptorObject { String csvFName = AppUtils.generateFileName(request, (sr.getPageNo() < 0) ? AppConstants.FT_CSV_ALL : AppConstants.FT_CSV); - BufferedWriter csvOut = new BufferedWriter(new FileWriter(AppUtils + BufferedWriter csvOut = new BufferedWriter(new FileWriter(FilenameUtils.normalize(AppUtils .getTempFolderPath() - + csvFName)); + + csvFName))); createCSVFileContent(csvOut, sr); csvOut.close(); @@ -292,7 +295,7 @@ public class SearchHandler extends org.onap.portalsdk.analytics.RaptorObject { } else { rep_name_sql = " AND UPPER(cr.title) LIKE UPPER('%%') "; } - sql = sql.replace("[fReportName]", rep_name_sql); + sql = sql.replace("[fReportName]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),rep_name_sql)); if (menuId.length() > 0){ /*sql += "AND INSTR('|'||cr.menu_id||'|', '|'||'" + menuId + "'||'|') > 0 " diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/base/ReportWrapper.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/base/ReportWrapper.java index 0ba8d4c7..156572f6 100644 --- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/base/ReportWrapper.java +++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/base/ReportWrapper.java @@ -109,6 +109,8 @@ import org.onap.portalsdk.analytics.xmlobj.Reports; import org.onap.portalsdk.analytics.xmlobj.SemaphoreList; import org.onap.portalsdk.analytics.xmlobj.SemaphoreType; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; +import org.onap.portalsdk.core.util.SecurityCodecUtil; +import org.owasp.esapi.ESAPI; /**<HR/> * This class is part of <B><I>RAPTOR (Rapid Application Programming Tool for OLAP Reporting)</I></B><BR/> @@ -2965,15 +2967,15 @@ public class ReportWrapper extends org.onap.portalsdk.analytics.RaptorObject { for (int i = 0; i < reqParameters.length; i++) { if(!reqParameters[i].startsWith("ff")) { if (nvl(request.getParameter(reqParameters[i].toUpperCase())).length() > 0) - sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i].toUpperCase()) ); + sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i].toUpperCase()) )); } else - sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i]) ); + sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i]) )); } for (int i = 0; i < scheduleSessionParameters.length; i++) { if(nvl(request.getParameter(scheduleSessionParameters[i])).trim().length()>0 ) - sql = Utils.replaceInString(sql, "[" + scheduleSessionParameters[i].toUpperCase()+"]", request.getParameter(scheduleSessionParameters[i]) ); + sql = Utils.replaceInString(sql, "[" + scheduleSessionParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(scheduleSessionParameters[i]) )); } } if(session != null ) { @@ -2998,7 +3000,7 @@ public class ReportWrapper extends org.onap.portalsdk.analytics.RaptorObject { //debugLogger.debug("SQLSQLBASED no formfields " + sql); if(request != null ) { for (int i = 0; i < reqParameters.length; i++) { - sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i]) ); + sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i]) )); } } if(session != null ) { @@ -3009,9 +3011,9 @@ public class ReportWrapper extends org.onap.portalsdk.analytics.RaptorObject { } } // if it is not multiple select and ParamValue is empty this is the place it can be replaced. - sql = Utils.replaceInString(sql, "[LOGGED_USERID]", userId); - sql = Utils.replaceInString(sql, "[USERID]", userId); - sql = Utils.replaceInString(sql, "[USER_ID]", userId); + sql = Utils.replaceInString(sql, "[LOGGED_USERID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), userId)); + sql = Utils.replaceInString(sql, "[USERID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), userId)); + sql = Utils.replaceInString(sql, "[USER_ID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), userId)); //debugLogger.debug("SQLSQLBASED no formfields after" + sql); //debugLogger.debug("Replacing String 2 "+ sql); //debugLogger.debug("Replaced String " + sql); diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/definition/ReportSchedule.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/definition/ReportSchedule.java index e9a4df1f..f4b54a18 100644 --- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/definition/ReportSchedule.java +++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/definition/ReportSchedule.java @@ -74,6 +74,8 @@ import org.onap.portalsdk.analytics.util.DataSet; import org.onap.portalsdk.analytics.util.Utils; import org.onap.portalsdk.analytics.xmlobj.FormFieldType; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; +import org.onap.portalsdk.core.util.SecurityCodecUtil; +import org.owasp.esapi.ESAPI; public class ReportSchedule extends RaptorObject { @@ -652,9 +654,9 @@ public class ReportSchedule extends RaptorObject { if (paramValue!=null && paramValue.length() > 0) { if(paramValue.toLowerCase().trim().startsWith("select ")) { - paramValue = Utils.replaceInString(paramValue, "[LOGGED_USERID]", userId); - paramValue = Utils.replaceInString(paramValue, "[USERID]", userId); - paramValue = Utils.replaceInString(paramValue, "[USER_ID]", userId); + paramValue = Utils.replaceInString(paramValue, "[LOGGED_USERID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),userId)); + paramValue = Utils.replaceInString(paramValue, "[USERID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),userId)); + paramValue = Utils.replaceInString(paramValue, "[USER_ID]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),userId)); paramValue = Utils.replaceInString(paramValue, "''", "'"); ds = ConnectionUtils.getDataSet(paramValue, dbInfo); diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportFormFields.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportFormFields.java index 0693a1c7..285142f9 100644 --- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportFormFields.java +++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportFormFields.java @@ -57,6 +57,8 @@ import org.onap.portalsdk.analytics.util.Utils; import org.onap.portalsdk.analytics.xmlobj.ColFilterType; import org.onap.portalsdk.analytics.xmlobj.DataColumnType; import org.onap.portalsdk.analytics.xmlobj.FormFieldType; +import org.onap.portalsdk.core.util.SecurityCodecUtil; +import org.owasp.esapi.ESAPI; public class ReportFormFields extends Vector { private int nextElemIdx = 0; @@ -96,17 +98,17 @@ public class ReportFormFields extends Vector { if(fieldSQL!=null) { for (int i = 0; i < reqParameters.length; i++) { if(!reqParameters[i].startsWith("ff") && (request.getParameter(reqParameters[i].toUpperCase())!=null && request.getParameter(reqParameters[i].toUpperCase()).length() > 0)) - fieldSQL = Utils.replaceInString(fieldSQL, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i].toUpperCase()) ); + fieldSQL = Utils.replaceInString(fieldSQL, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i].toUpperCase()) )); else if (request.getParameter(reqParameters[i])!=null && request.getParameter(reqParameters[i]).length() > 0) - fieldSQL = Utils.replaceInString(fieldSQL, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i]) ); + fieldSQL = Utils.replaceInString(fieldSQL, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i]) )); } for (int i = 0; i < scheduleSessionParameters.length; i++) { //s_logger.debug(" Session " + " scheduleSessionParameters[i] " + scheduleSessionParameters[i].toUpperCase() + " " + request.getParameter(scheduleSessionParameters[i])); if(request.getParameter(scheduleSessionParameters[i])!=null && request.getParameter(scheduleSessionParameters[i]).trim().length()>0 ) - fieldSQL = Utils.replaceInString(fieldSQL, "[" + scheduleSessionParameters[i].toUpperCase()+"]", request.getParameter(scheduleSessionParameters[i]) ); + fieldSQL = Utils.replaceInString(fieldSQL, "[" + scheduleSessionParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(scheduleSessionParameters[i]) )); if(request.getAttribute(scheduleSessionParameters[i])!=null && ((String)request.getAttribute(scheduleSessionParameters[i])).trim().length()>0 ) - fieldSQL = Utils.replaceInString(fieldSQL, "[" + scheduleSessionParameters[i].toUpperCase()+"]", (String) request.getAttribute(scheduleSessionParameters[i]) ); + fieldSQL = Utils.replaceInString(fieldSQL, "[" + scheduleSessionParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), (String) request.getAttribute(scheduleSessionParameters[i]) )); } @@ -129,16 +131,16 @@ public class ReportFormFields extends Vector { if(fieldDefaultSQL!=null) { for (int i = 0; i < reqParameters.length; i++) { if(!reqParameters[i].startsWith("ff") && (request.getParameter(reqParameters[i].toUpperCase())!=null && request.getParameter(reqParameters[i].toUpperCase()).length() > 0)) - fieldDefaultSQL = Utils.replaceInString(fieldDefaultSQL, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i].toUpperCase()) ); + fieldDefaultSQL = Utils.replaceInString(fieldDefaultSQL, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i].toUpperCase()) )); else if (request.getParameter(reqParameters[i])!=null && request.getParameter(reqParameters[i]).length() > 0) - fieldDefaultSQL = Utils.replaceInString(fieldDefaultSQL, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i]) ); + fieldDefaultSQL = Utils.replaceInString(fieldDefaultSQL, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i]) )); } for (int i = 0; i < scheduleSessionParameters.length; i++) { //s_logger.debug(" Session " + " scheduleSessionParameters[i] " + scheduleSessionParameters[i].toUpperCase() + " " + request.getParameter(scheduleSessionParameters[i])); if(request.getParameter(scheduleSessionParameters[i])!=null && request.getParameter(scheduleSessionParameters[i]).trim().length()>0 ) - fieldDefaultSQL = Utils.replaceInString(fieldDefaultSQL, "[" + scheduleSessionParameters[i].toUpperCase()+"]", request.getParameter(scheduleSessionParameters[i]) ); + fieldDefaultSQL = Utils.replaceInString(fieldDefaultSQL, "[" + scheduleSessionParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(scheduleSessionParameters[i]) )); if(request.getAttribute(scheduleSessionParameters[i])!=null && ((String)request.getAttribute(scheduleSessionParameters[i])).trim().length()>0 ) - fieldDefaultSQL = Utils.replaceInString(fieldDefaultSQL, "[" + scheduleSessionParameters[i].toUpperCase()+"]", (String) request.getAttribute(scheduleSessionParameters[i]) ); + fieldDefaultSQL = Utils.replaceInString(fieldDefaultSQL, "[" + scheduleSessionParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), (String) request.getAttribute(scheduleSessionParameters[i]) )); } @@ -158,9 +160,9 @@ public class ReportFormFields extends Vector { if(rangeStartDateSQL!=null) { for (int i = 0; i < reqParameters.length; i++) { if(!reqParameters[i].startsWith("ff") && (request.getParameter(reqParameters[i].toUpperCase())!=null && request.getParameter(reqParameters[i].toUpperCase()).length() > 0)) - rangeStartDateSQL = Utils.replaceInString(rangeStartDateSQL, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i].toUpperCase()) ); + rangeStartDateSQL = Utils.replaceInString(rangeStartDateSQL, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i].toUpperCase()) )); else if (request.getParameter(reqParameters[i])!=null && request.getParameter(reqParameters[i]).length() > 0) - rangeStartDateSQL = Utils.replaceInString(rangeStartDateSQL, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i]) ); + rangeStartDateSQL = Utils.replaceInString(rangeStartDateSQL, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i]) )); } for (int i = 0; i < sessionParameters.length; i++) { if (session.getAttribute(sessionParameters[i])!=null && ((String)session.getAttribute(sessionParameters[i])).length() > 0) @@ -170,13 +172,13 @@ public class ReportFormFields extends Vector { if(rangeEndDateSQL!=null) { for (int i = 0; i < reqParameters.length; i++) { if(!reqParameters[i].startsWith("ff")&& (request.getParameter(reqParameters[i].toUpperCase())!=null && request.getParameter(reqParameters[i].toUpperCase()).length() > 0)) - rangeEndDateSQL = Utils.replaceInString(rangeEndDateSQL, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i].toUpperCase()) ); + rangeEndDateSQL = Utils.replaceInString(rangeEndDateSQL, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i].toUpperCase()) )); else if (request.getParameter(reqParameters[i])!=null && request.getParameter(reqParameters[i]).length() > 0) rangeEndDateSQL = Utils.replaceInString(rangeEndDateSQL, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i]) ); } for (int i = 0; i < sessionParameters.length; i++) { if (session.getAttribute(sessionParameters[i])!=null && ((String)session.getAttribute(sessionParameters[i])).length() > 0) - rangeEndDateSQL = Utils.replaceInString(rangeEndDateSQL, "[" + sessionParameters[i].toUpperCase()+"]", (String)session.getAttribute(sessionParameters[i]) ); + rangeEndDateSQL = Utils.replaceInString(rangeEndDateSQL, "[" + sessionParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), (String)session.getAttribute(sessionParameters[i]) )); } } String helpText = fft.getComment(); diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportParamValuesForPDFExcel.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportParamValuesForPDFExcel.java index d5911cbb..c50581e4 100644 --- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportParamValuesForPDFExcel.java +++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportParamValuesForPDFExcel.java @@ -52,6 +52,8 @@ import org.onap.portalsdk.analytics.util.AppConstants; import org.onap.portalsdk.analytics.util.DataSet; import org.onap.portalsdk.analytics.util.Utils; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; +import org.onap.portalsdk.core.util.SecurityCodecUtil; +import org.owasp.esapi.ESAPI; public class ReportParamValuesForPDFExcel extends Hashtable { @@ -154,10 +156,10 @@ public class ReportParamValuesForPDFExcel extends Hashtable { if(sql!=null && sql.trim().length()>0){ if(name.equals(ff.getFieldName())){ - sql = Utils.replaceInString(sql, "[VALUE]", value); + sql = Utils.replaceInString(sql, "[VALUE]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),value)); } if(name.equals(ff1.getFieldName())){ - sql = Utils.replaceInString(sql, "["+ff1.getFieldDisplayName()+"]", value); + sql = Utils.replaceInString(sql, "["+ff1.getFieldDisplayName()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),value)); } else continue; } @@ -175,10 +177,10 @@ public class ReportParamValuesForPDFExcel extends Hashtable { if(sql!=null && sql.trim().length()>0){ if(name.equals(ff.getFieldName())){ - sql = Utils.replaceInString(sql, "[VALUE]", value); + sql = Utils.replaceInString(sql, "[VALUE]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),value)); } if(name.equals(ff1.getFieldName())){ - sql = Utils.replaceInString(sql, "["+ff1.getFieldDisplayName()+"]", value); + sql = Utils.replaceInString(sql, "["+ff1.getFieldDisplayName()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),value)); } else continue; } @@ -194,7 +196,7 @@ public class ReportParamValuesForPDFExcel extends Hashtable { if(name.length()<=0) name = ff.getFieldName(); value = rr.getParamValue(name); //debugLogger.debug("Name "+ name+ " value:" + value); - String paramValue = getParamValueForSQL(name, value); + String paramValue = ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), getParamValueForSQL(name, value)); //debugLogger.debug("PDFEXCEL " + name+ " " + ff.getFieldName()+ " " + value + " " + sql +" "+ paramValue); if(name!=null && name.equals(ff.getFieldName())) sql = Utils.replaceInString(sql, "[VALUE]", paramValue); @@ -206,7 +208,7 @@ public class ReportParamValuesForPDFExcel extends Hashtable { FormField ff2 = null; for (Iterator iter1 = rff.iterator(); iter1.hasNext();) { ff2 = (FormField)iter1.next(); - sql = Utils.replaceInString(sql, "[" + ff2.getFieldDisplayName() +"]", getParamValue(ff2.getFieldName())); + sql = Utils.replaceInString(sql, "[" + ff2.getFieldDisplayName() +"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),getParamValue(ff2.getFieldName()))); } //debugLogger.debug("SQL Modified after replacing formfield" + sql); try { @@ -223,21 +225,21 @@ public class ReportParamValuesForPDFExcel extends Hashtable { //debugLogger.debug("B4 request " + sql); if(request != null ) { for (int i = 0; i < scheduleSessionParameters.length; i++) { - sql = Utils.replaceInString(sql, "[" + scheduleSessionParameters[i].toUpperCase()+"]", request.getParameter(scheduleSessionParameters[i]) ); + sql = Utils.replaceInString(sql, "[" + scheduleSessionParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(scheduleSessionParameters[i]) )); } for (int i = 0; i < reqParameters.length; i++) { if(!reqParameters[i].startsWith("ff")) { if (request.getParameter(reqParameters[i])!=null) { sql = Utils.replaceInString(sql, "[" + reqParameters[i]+"]", request.getParameter(reqParameters[i]) ); - sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i]) ); + sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i]) )); } else { sql = Utils.replaceInString(sql, "[" + reqParameters[i]+"]", request.getParameter(reqParameters[i].toUpperCase()) ); - sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i].toUpperCase()) ); + sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i].toUpperCase()) )); } } else - sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i]) ); + sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i]) )); } } //debugLogger.debug("After request " + sql); diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportRuntime.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportRuntime.java index f9d58fee..03c8214d 100644 --- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportRuntime.java +++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportRuntime.java @@ -85,6 +85,8 @@ import org.onap.portalsdk.analytics.xmlobj.DataColumnType; import org.onap.portalsdk.analytics.xmlobj.FormFieldType; import org.onap.portalsdk.analytics.xmlobj.ObjectFactory; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; +import org.onap.portalsdk.core.util.SecurityCodecUtil; +import org.owasp.esapi.ESAPI; import com.fasterxml.jackson.databind.ObjectMapper; @@ -2455,7 +2457,7 @@ public class ReportRuntime extends ReportWrapper implements Cloneable, Serializa if (param.charAt(startIdx + 1) == '#') { // Parameter is a form field value String fieldId = param.substring(startIdx + 2, endIdx); - String fieldValue = request.getParameter(fieldId); + String fieldValue = ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(fieldId)); sql = Utils.replaceInString(sql, "[" + fieldId.toUpperCase()+"]", fieldValue ); } } diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/AppUtils.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/AppUtils.java index 96bc609f..55735090 100644 --- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/AppUtils.java +++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/AppUtils.java @@ -47,6 +47,8 @@ import javax.servlet.http.HttpServletRequest; import org.onap.portalsdk.analytics.error.RaptorException; import org.onap.portalsdk.analytics.util.AppConstants; import org.onap.portalsdk.analytics.util.HtmlStripper; +import org.onap.portalsdk.core.util.SecurityCodecUtil; +import org.owasp.esapi.ESAPI; public class AppUtils /* implements IAppUtils */{ private static String baseURL = null; @@ -69,7 +71,7 @@ public class AppUtils /* implements IAppUtils */{ public static String getRequestValue(HttpServletRequest request, String valueID) { String value = (String) request.getAttribute(valueID); if (value == null) - value = request.getParameter(valueID); + value = ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(valueID)); return value; } // getRequestValue diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/controller/FileServletController.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/controller/FileServletController.java index 1d1fdd84..b6c985a5 100644 --- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/controller/FileServletController.java +++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/controller/FileServletController.java @@ -58,6 +58,7 @@ import javax.servlet.http.HttpServletResponse; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; import org.onap.portalsdk.core.service.DataAccessService; +import org.owasp.esapi.ESAPI; import org.springframework.web.servlet.ModelAndView;; @@ -175,7 +176,7 @@ public class FileServletController { response.setContentLength((int) outStream.length); response.setContentType("application/octet-stream"); response.setHeader("Content-disposition", "attachment; filename=\"" - + name + "\""); + + ESAPI.encoder().canonicalize(name) + "\""); copyStream(response, outStream); } catch (Exception ex) { if (os == null) diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/web/RaptorControllerAsync.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/web/RaptorControllerAsync.java index 8165801c..8478c73c 100644 --- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/web/RaptorControllerAsync.java +++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/web/RaptorControllerAsync.java @@ -105,7 +105,9 @@ import org.onap.portalsdk.analytics.xmlobj.PredefinedValueList; import org.onap.portalsdk.core.controller.RestrictedBaseController; import org.onap.portalsdk.core.domain.User; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; +import org.onap.portalsdk.core.util.SecurityCodecUtil; import org.onap.portalsdk.core.web.support.UserUtils; +import org.owasp.esapi.ESAPI; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.PathVariable; import org.springframework.web.bind.annotation.RequestBody; @@ -1415,10 +1417,10 @@ public class RaptorControllerAsync extends RestrictedBaseController { for (int i = 0; i < reqParameters.length; i++) { if (!reqParameters[i].startsWith("ff")) sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase() + "]", - request.getParameter(reqParameters[i].toUpperCase())); + ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),request.getParameter(reqParameters[i].toUpperCase()))); else - sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase() + "]", - request.getParameter(reqParameters[i])); + sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase() + "]", + ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),request.getParameter(reqParameters[i]))); } } if (session != null) { |