diff options
author | Christopher Lott (cl778h) <clott@research.att.com> | 2017-10-20 08:22:19 -0400 |
---|---|---|
committer | Christopher Lott (cl778h) <clott@research.att.com> | 2017-10-20 08:44:33 -0400 |
commit | e3982f6c2a13c903947a66d89e1af1ccbb161e5f (patch) | |
tree | 07db289541228dfaef258c267dd33635c33ebb34 /ecomp-sdk/epsdk-app-common/src/main/java | |
parent | ddd8720d597fc9053a455b10445fb253adbc4bf7 (diff) |
Role management; security vulnerabilities.
Extend user/role management interface to allow role deletion.
Add filters to defend against common web Javascript attacks.
Drop Greensock code with unusable license.
Use OParent in EPSDK web application.
Issue: US324470, US342324, PORTAL-127
Change-Id: I3a10744fbbbdbda7c88d2b2e542e72e779c9b142
Signed-off-by: Christopher Lott (cl778h) <clott@research.att.com>
Diffstat (limited to 'ecomp-sdk/epsdk-app-common/src/main/java')
3 files changed, 209 insertions, 7 deletions
diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/RoleListController.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/RoleListController.java index e7682809..b89cb43c 100644 --- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/RoleListController.java +++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/RoleListController.java @@ -50,6 +50,8 @@ import org.onap.portalsdk.core.controller.RestrictedBaseController; import org.onap.portalsdk.core.domain.Role; import org.onap.portalsdk.core.domain.User; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; +import org.onap.portalsdk.core.onboarding.util.PortalApiConstants; +import org.onap.portalsdk.core.onboarding.util.PortalApiProperties; import org.onap.portalsdk.core.service.RoleService; import org.onap.portalsdk.core.web.support.JsonMessage; import org.onap.portalsdk.core.web.support.UserUtils; @@ -73,6 +75,11 @@ public class RoleListController extends RestrictedBaseController { private RoleService service; private String viewName; + + private static final String isAccessCentralized = PortalApiProperties + .getProperty(PortalApiConstants.ROLE_ACCESS_CENTRALIZED); + private static final String isCentralized = "remote"; + @RequestMapping(value = { "/role_list" }, method = RequestMethod.GET) public ModelAndView getRoleList(HttpServletRequest request) { @@ -151,8 +158,9 @@ public class RoleListController extends RestrictedBaseController { Role role = mapper.readValue(root.get("role").toString(), Role.class); Role domainRole = service.getRole(user.getOrgUserId(), role.getId()); - + if (!isCentralized.equals(isAccessCentralized)) { service.deleteDependcyRoleRecord(user.getOrgUserId(), role.getId()); + } service.deleteRole(user.getOrgUserId(), domainRole); logger.info(EELFLoggerDelegate.auditLogger, "Remove role " + domainRole.getId()); diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/ElementModelController.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/ElementModelController.java index 34e4db7d..aa327850 100644 --- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/ElementModelController.java +++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/ElementModelController.java @@ -40,6 +40,7 @@ package org.onap.portalapp.controller.sample; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.commons.io.FilenameUtils; import org.onap.portalsdk.core.controller.RestrictedBaseController; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; import org.onap.portalsdk.core.service.ElementLinkService; @@ -57,11 +58,11 @@ public class ElementModelController extends RestrictedBaseController { @RequestMapping(value = { "/elementMapLayout" }, method = RequestMethod.GET, produces = "text/plain") public String layout(HttpServletRequest request, HttpServletResponse response) throws Exception { - String collapseDomains = request.getParameter("collapsedDomains"); - String expandDomains = request.getParameter("expandedDomains"); + String collapseDomains = FilenameUtils.normalize(request.getParameter("collapsedDomains")); + String expandDomains = FilenameUtils.normalize(request.getParameter("expandedDomains")); - String contentFileName = request.getParameter("contentFileName"); - String layoutFileName = request.getParameter("layoutFileName"); + String contentFileName = FilenameUtils.normalize(request.getParameter("contentFileName")); + String layoutFileName = FilenameUtils.normalize(request.getParameter("layoutFileName")); final String realPath = request.getServletContext().getRealPath("/"); logger.debug(EELFLoggerDelegate.debugLogger, "layout: servlet context real path: {}", realPath); @@ -76,8 +77,8 @@ public class ElementModelController extends RestrictedBaseController { @RequestMapping(value = { "/elementMapLink" }, method = RequestMethod.GET, produces = "text/plain") public String callflow(HttpServletRequest request, HttpServletResponse response) throws Exception { - String callFlowName = request.getParameter("callFlowName"); - String callFlowStep = request.getParameter("callFlowStep"); + String callFlowName = FilenameUtils.normalize(request.getParameter("callFlowName")); + String callFlowStep = FilenameUtils.normalize(request.getParameter("callFlowStep")); final String realPath = request.getServletContext().getRealPath("/"); logger.debug(EELFLoggerDelegate.debugLogger, "callflow: servlet context real path: {}", realPath); diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java new file mode 100644 index 00000000..3d2f741c --- /dev/null +++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java @@ -0,0 +1,193 @@ +/*- + * ============LICENSE_START========================================== + * ONAP Portal + * =================================================================== + * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * =================================================================== + * + * Unless otherwise specified, all software contained herein is licensed + * under the Apache License, Version 2.0 (the "License"); + * you may not use this software except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Unless otherwise specified, all documentation contained herein is licensed + * under the Creative Commons License, Attribution 4.0 Intl. (the "License"); + * you may not use this documentation except in compliance with the License. + * You may obtain a copy of the License at + * + * https://creativecommons.org/licenses/by/4.0/ + * + * Unless required by applicable law or agreed to in writing, documentation + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * ============LICENSE_END============================================ + * + * ECOMP is a trademark and service mark of AT&T Intellectual Property. + */ +package org.onap.portalapp.util; + +import java.util.ArrayList; +import java.util.List; +import java.util.concurrent.locks.Lock; +import java.util.concurrent.locks.ReentrantLock; +import java.util.regex.Pattern; + +import org.apache.commons.lang.StringUtils; +import org.apache.commons.lang3.StringEscapeUtils; +import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; +import org.onap.portalsdk.core.util.SystemProperties; +import org.owasp.esapi.ESAPI; +import org.owasp.esapi.codecs.Codec; +import org.owasp.esapi.codecs.MySQLCodec; +import org.owasp.esapi.codecs.OracleCodec; +import org.owasp.esapi.codecs.MySQLCodec.Mode; + +public class SecurityXssValidator { + private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssValidator.class); + + private static final String MYSQL_DB = "mysql"; + private static final String ORACLE_DB = "oracle"; + private static final String MARIA_DB ="mariadb"; + + + static SecurityXssValidator validator = null; + private static Codec instance; + private static final Lock lock = new ReentrantLock(); + + public static SecurityXssValidator getInstance() { + + if(validator == null) { + lock.lock(); + try { + if(validator == null) + validator = new SecurityXssValidator(); + } finally { + lock.unlock(); + } + } + + return validator; + } + + private SecurityXssValidator() { + // Avoid anything between script tags + XSS_INPUT_PATTERNS.add(Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE)); + + // avoid iframes + XSS_INPUT_PATTERNS.add(Pattern.compile("<iframe(.*?)>(.*?)</iframe>", Pattern.CASE_INSENSITIVE)); + + // Avoid anything in a src='...' type of expression + XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", + Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)); + + XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", + Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)); + + XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)", + Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)); + + // Remove any lonesome </script> tag + XSS_INPUT_PATTERNS.add(Pattern.compile("</script>", Pattern.CASE_INSENSITIVE)); + + // Remove any lonesome <script ...> tag + XSS_INPUT_PATTERNS + .add(Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)); + + // Avoid eval(...) expressions + XSS_INPUT_PATTERNS + .add(Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)); + + // Avoid expression(...) expressions + XSS_INPUT_PATTERNS.add(Pattern.compile("expression\\((.*?)\\)", + Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)); + + // Avoid javascript:... expressions + XSS_INPUT_PATTERNS.add(Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE)); + + // Avoid vbscript:... expressions + XSS_INPUT_PATTERNS.add(Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE)); + + // Avoid onload= expressions + XSS_INPUT_PATTERNS + .add(Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)); + } + + private List<Pattern> XSS_INPUT_PATTERNS = new ArrayList<Pattern>(); + + + /** + * * This method takes a string and strips out any potential script + * injections. + * + * @param value + * @return String - the new "sanitized" string. + */ + public String stripXSS(String value) { + + try { + + if (StringUtils.isNotBlank(value)) { + + value = StringEscapeUtils.escapeHtml4(value); + + value = ESAPI.encoder().canonicalize(value); + + // Avoid null characters + value = value.replaceAll("\0", ""); + + for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) { + value = xssInputPattern.matcher(value).replaceAll(""); + } + } + + } catch (Exception e) { + logger.error(EELFLoggerDelegate.errorLogger, "stripXSS() failed", e); + } + + return value; + } + + public Codec getCodec() { + try { + if (null == instance) { + if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), + MYSQL_DB)|| StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), + MARIA_DB)) { + instance = new MySQLCodec(Mode.STANDARD); + + } else if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), + ORACLE_DB)) { + instance = new OracleCodec(); + } + } + + + } catch (Exception ex) { + System.out.println("Could not strip XSS from value = " + " | ex = " + ex.getMessage()); + } + return instance; + + } + + + public List<Pattern> getXSS_INPUT_PATTERNS() { + return XSS_INPUT_PATTERNS; + } + + + public void setXSS_INPUT_PATTERNS(List<Pattern> xSS_INPUT_PATTERNS) { + XSS_INPUT_PATTERNS = xSS_INPUT_PATTERNS; + } + +}
\ No newline at end of file |