diff options
author | st782s <statta@research.att.com> | 2017-11-22 11:41:10 -0500 |
---|---|---|
committer | Sunder Tattavarada <statta@research.att.com> | 2017-11-28 20:24:36 +0000 |
commit | ed07ebfbce4031ef4dfbd2f42147f6a7b351aeb8 (patch) | |
tree | ee4a6e53f01f15057f32b86f271c9b6d02b25615 /ecomp-sdk/epsdk-app-common/src/main/java | |
parent | 418d7273d6d8f6fed2698df89c9910be8498a677 (diff) |
Harden code
Issue-ID: PORTAL-145,PORTAL-119
Harden code to address SQL injecton, XSS vulnerabilities; Separate
docker images for portal, sdk app and DMaaPBC ui
Change-Id: I85fad4d3fcee3243207b8f0dfe21beaa41602204
Signed-off-by: st782s <statta@research.att.com>
Diffstat (limited to 'ecomp-sdk/epsdk-app-common/src/main/java')
2 files changed, 84 insertions, 60 deletions
diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/BroadcastListController.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/BroadcastListController.java index fa1bcbeb..aeeaca56 100644 --- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/BroadcastListController.java +++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/BroadcastListController.java @@ -47,6 +47,7 @@ import javax.servlet.http.HttpServletResponse; import org.json.JSONObject; import org.onap.portalsdk.core.controller.RestrictedBaseController; import org.onap.portalsdk.core.domain.BroadcastMessage; +import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; import org.onap.portalsdk.core.service.BroadcastService; import org.onap.portalsdk.core.web.support.JsonMessage; import org.springframework.beans.factory.annotation.Autowired; @@ -62,6 +63,7 @@ import com.fasterxml.jackson.databind.ObjectMapper; @Controller @RequestMapping("/") public class BroadcastListController extends RestrictedBaseController { + private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(BroadcastListController.class); @Autowired private BroadcastService broadcastService; @@ -86,7 +88,7 @@ public class BroadcastListController extends RestrictedBaseController { JSONObject j = new JSONObject(msg); response.getWriter().write(j.toString()); } catch (Exception e) { - e.printStackTrace(); + logger.error(EELFLoggerDelegate.errorLogger, "getBroadcast() failed", e); } } @@ -120,6 +122,7 @@ public class BroadcastListController extends RestrictedBaseController { request.setCharacterEncoding("UTF-8"); PrintWriter out = response.getWriter(); out.write(e.getMessage()); + logger.error(EELFLoggerDelegate.errorLogger, "remove() failed", e); return null; } @@ -154,6 +157,7 @@ public class BroadcastListController extends RestrictedBaseController { request.setCharacterEncoding("UTF-8"); PrintWriter out = response.getWriter(); out.write(e.getMessage()); + logger.error(EELFLoggerDelegate.errorLogger, "toggleActive() failed", e); return null; } diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java index 3d2f741c..b51cb8db 100644 --- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java +++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java @@ -43,6 +43,7 @@ import java.util.concurrent.locks.Lock; import java.util.concurrent.locks.ReentrantLock; import java.util.regex.Pattern; +import org.apache.commons.lang.NotImplementedException; import org.apache.commons.lang.StringUtils; import org.apache.commons.lang3.StringEscapeUtils; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; @@ -55,80 +56,78 @@ import org.owasp.esapi.codecs.MySQLCodec.Mode; public class SecurityXssValidator { private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssValidator.class); - + private static final String MYSQL_DB = "mysql"; private static final String ORACLE_DB = "oracle"; - private static final String MARIA_DB ="mariadb"; - - + private static final String MARIA_DB = "mariadb"; + static SecurityXssValidator validator = null; private static Codec instance; private static final Lock lock = new ReentrantLock(); - + public static SecurityXssValidator getInstance() { - - if(validator == null) { + + if (validator == null) { lock.lock(); try { - if(validator == null) - validator = new SecurityXssValidator(); + if (validator == null) + validator = new SecurityXssValidator(); } finally { lock.unlock(); } } - + return validator; } - + private SecurityXssValidator() { // Avoid anything between script tags - XSS_INPUT_PATTERNS.add(Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE)); + XSS_INPUT_PATTERNS.add(Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE)); + + // avoid iframes + XSS_INPUT_PATTERNS.add(Pattern.compile("<iframe(.*?)>(.*?)</iframe>", Pattern.CASE_INSENSITIVE)); - // avoid iframes - XSS_INPUT_PATTERNS.add(Pattern.compile("<iframe(.*?)>(.*?)</iframe>", Pattern.CASE_INSENSITIVE)); + // Avoid anything in a src='...' type of expression + XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", + Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)); - // Avoid anything in a src='...' type of expression - XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", - Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)); + XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", + Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)); - XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", - Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)); + XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)", + Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)); - XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)", - Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)); + // Remove any lonesome </script> tag + XSS_INPUT_PATTERNS.add(Pattern.compile("</script>", Pattern.CASE_INSENSITIVE)); - // Remove any lonesome </script> tag - XSS_INPUT_PATTERNS.add(Pattern.compile("</script>", Pattern.CASE_INSENSITIVE)); + XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<script>|</script>).*", Pattern.CASE_INSENSITIVE)); - // Remove any lonesome <script ...> tag - XSS_INPUT_PATTERNS - .add(Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)); + XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<iframe>|</iframe>).*", Pattern.CASE_INSENSITIVE)); - // Avoid eval(...) expressions - XSS_INPUT_PATTERNS - .add(Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)); + // Remove any lonesome <script ...> tag + XSS_INPUT_PATTERNS + .add(Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)); - // Avoid expression(...) expressions - XSS_INPUT_PATTERNS.add(Pattern.compile("expression\\((.*?)\\)", - Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)); + // Avoid eval(...) expressions + XSS_INPUT_PATTERNS + .add(Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)); - // Avoid javascript:... expressions - XSS_INPUT_PATTERNS.add(Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE)); + // Avoid expression(...) expressions + XSS_INPUT_PATTERNS.add(Pattern.compile("expression\\((.*?)\\)", + Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)); - // Avoid vbscript:... expressions - XSS_INPUT_PATTERNS.add(Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE)); + // Avoid javascript:... expressions + XSS_INPUT_PATTERNS.add(Pattern.compile(".*(javascript:|vbscript:).*", Pattern.CASE_INSENSITIVE)); - // Avoid onload= expressions - XSS_INPUT_PATTERNS - .add(Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)); + // Avoid onload= expressions + XSS_INPUT_PATTERNS.add( + Pattern.compile(".*(onload(.*?)=).*", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)); } - - private List<Pattern> XSS_INPUT_PATTERNS = new ArrayList<Pattern>(); - + + private List<Pattern> XSS_INPUT_PATTERNS = new ArrayList<Pattern>(); /** - * * This method takes a string and strips out any potential script - * injections. + * * This method takes a string and strips out any potential script injections. * * @param value * @return String - the new "sanitized" string. @@ -157,35 +156,56 @@ public class SecurityXssValidator { return value; } - - public Codec getCodec() { + + public Boolean denyXSS(String value) { + Boolean flag = Boolean.FALSE; try { - if (null == instance) { - if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), - MYSQL_DB)|| StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), - MARIA_DB)) { - instance = new MySQLCodec(Mode.STANDARD); - - } else if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), - ORACLE_DB)) { - instance = new OracleCodec(); + if (StringUtils.isNotBlank(value)) { + value = ESAPI.encoder().canonicalize(value); + for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) { + if (xssInputPattern.matcher(value).matches()) { + flag = Boolean.TRUE; + break; } + } - + } + + } catch (Exception e) { + logger.error(EELFLoggerDelegate.errorLogger, "denyXSS() failed", e); + } + + return flag; + } + + public Codec getCodec() { + try { + if (null == instance) { + if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), MYSQL_DB) + || StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), + MARIA_DB)) { + instance = new MySQLCodec(Mode.STANDARD); + + } else if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), + ORACLE_DB)) { + instance = new OracleCodec(); + } else { + throw new NotImplementedException("Handling for data base \"" + + SystemProperties.getProperty(SystemProperties.DB_DRIVER) + "\" not yet implemented."); + } + } } catch (Exception ex) { - System.out.println("Could not strip XSS from value = " + " | ex = " + ex.getMessage()); + logger.error(EELFLoggerDelegate.errorLogger, "getCodec() failed", ex); } return instance; } - public List<Pattern> getXSS_INPUT_PATTERNS() { return XSS_INPUT_PATTERNS; } - public void setXSS_INPUT_PATTERNS(List<Pattern> xSS_INPUT_PATTERNS) { XSS_INPUT_PATTERNS = xSS_INPUT_PATTERNS; } |