summaryrefslogtreecommitdiffstats
path: root/ecomp-sdk/epsdk-app-common/src/main/java
diff options
context:
space:
mode:
authorChristopher Lott (cl778h) <clott@research.att.com>2017-10-20 08:22:19 -0400
committerChristopher Lott (cl778h) <clott@research.att.com>2017-10-20 08:44:33 -0400
commite3982f6c2a13c903947a66d89e1af1ccbb161e5f (patch)
tree07db289541228dfaef258c267dd33635c33ebb34 /ecomp-sdk/epsdk-app-common/src/main/java
parentddd8720d597fc9053a455b10445fb253adbc4bf7 (diff)
Role management; security vulnerabilities.
Extend user/role management interface to allow role deletion. Add filters to defend against common web Javascript attacks. Drop Greensock code with unusable license. Use OParent in EPSDK web application. Issue: US324470, US342324, PORTAL-127 Change-Id: I3a10744fbbbdbda7c88d2b2e542e72e779c9b142 Signed-off-by: Christopher Lott (cl778h) <clott@research.att.com>
Diffstat (limited to 'ecomp-sdk/epsdk-app-common/src/main/java')
-rw-r--r--ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/RoleListController.java10
-rw-r--r--ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/ElementModelController.java13
-rw-r--r--ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java193
3 files changed, 209 insertions, 7 deletions
diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/RoleListController.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/RoleListController.java
index e7682809..b89cb43c 100644
--- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/RoleListController.java
+++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/RoleListController.java
@@ -50,6 +50,8 @@ import org.onap.portalsdk.core.controller.RestrictedBaseController;
import org.onap.portalsdk.core.domain.Role;
import org.onap.portalsdk.core.domain.User;
import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
+import org.onap.portalsdk.core.onboarding.util.PortalApiConstants;
+import org.onap.portalsdk.core.onboarding.util.PortalApiProperties;
import org.onap.portalsdk.core.service.RoleService;
import org.onap.portalsdk.core.web.support.JsonMessage;
import org.onap.portalsdk.core.web.support.UserUtils;
@@ -73,6 +75,11 @@ public class RoleListController extends RestrictedBaseController {
private RoleService service;
private String viewName;
+
+ private static final String isAccessCentralized = PortalApiProperties
+ .getProperty(PortalApiConstants.ROLE_ACCESS_CENTRALIZED);
+ private static final String isCentralized = "remote";
+
@RequestMapping(value = { "/role_list" }, method = RequestMethod.GET)
public ModelAndView getRoleList(HttpServletRequest request) {
@@ -151,8 +158,9 @@ public class RoleListController extends RestrictedBaseController {
Role role = mapper.readValue(root.get("role").toString(), Role.class);
Role domainRole = service.getRole(user.getOrgUserId(), role.getId());
-
+ if (!isCentralized.equals(isAccessCentralized)) {
service.deleteDependcyRoleRecord(user.getOrgUserId(), role.getId());
+ }
service.deleteRole(user.getOrgUserId(), domainRole);
logger.info(EELFLoggerDelegate.auditLogger, "Remove role " + domainRole.getId());
diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/ElementModelController.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/ElementModelController.java
index 34e4db7d..aa327850 100644
--- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/ElementModelController.java
+++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/ElementModelController.java
@@ -40,6 +40,7 @@ package org.onap.portalapp.controller.sample;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.io.FilenameUtils;
import org.onap.portalsdk.core.controller.RestrictedBaseController;
import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
import org.onap.portalsdk.core.service.ElementLinkService;
@@ -57,11 +58,11 @@ public class ElementModelController extends RestrictedBaseController {
@RequestMapping(value = { "/elementMapLayout" }, method = RequestMethod.GET, produces = "text/plain")
public String layout(HttpServletRequest request, HttpServletResponse response) throws Exception {
- String collapseDomains = request.getParameter("collapsedDomains");
- String expandDomains = request.getParameter("expandedDomains");
+ String collapseDomains = FilenameUtils.normalize(request.getParameter("collapsedDomains"));
+ String expandDomains = FilenameUtils.normalize(request.getParameter("expandedDomains"));
- String contentFileName = request.getParameter("contentFileName");
- String layoutFileName = request.getParameter("layoutFileName");
+ String contentFileName = FilenameUtils.normalize(request.getParameter("contentFileName"));
+ String layoutFileName = FilenameUtils.normalize(request.getParameter("layoutFileName"));
final String realPath = request.getServletContext().getRealPath("/");
logger.debug(EELFLoggerDelegate.debugLogger, "layout: servlet context real path: {}", realPath);
@@ -76,8 +77,8 @@ public class ElementModelController extends RestrictedBaseController {
@RequestMapping(value = { "/elementMapLink" }, method = RequestMethod.GET, produces = "text/plain")
public String callflow(HttpServletRequest request, HttpServletResponse response) throws Exception {
- String callFlowName = request.getParameter("callFlowName");
- String callFlowStep = request.getParameter("callFlowStep");
+ String callFlowName = FilenameUtils.normalize(request.getParameter("callFlowName"));
+ String callFlowStep = FilenameUtils.normalize(request.getParameter("callFlowStep"));
final String realPath = request.getServletContext().getRealPath("/");
logger.debug(EELFLoggerDelegate.debugLogger, "callflow: servlet context real path: {}", realPath);
diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java
new file mode 100644
index 00000000..3d2f741c
--- /dev/null
+++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java
@@ -0,0 +1,193 @@
+/*-
+ * ============LICENSE_START==========================================
+ * ONAP Portal
+ * ===================================================================
+ * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * ===================================================================
+ *
+ * Unless otherwise specified, all software contained herein is licensed
+ * under the Apache License, Version 2.0 (the "License");
+ * you may not use this software except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Unless otherwise specified, all documentation contained herein is licensed
+ * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
+ * you may not use this documentation except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://creativecommons.org/licenses/by/4.0/
+ *
+ * Unless required by applicable law or agreed to in writing, documentation
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * ============LICENSE_END============================================
+ *
+ * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ */
+package org.onap.portalapp.util;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.concurrent.locks.Lock;
+import java.util.concurrent.locks.ReentrantLock;
+import java.util.regex.Pattern;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringEscapeUtils;
+import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
+import org.onap.portalsdk.core.util.SystemProperties;
+import org.owasp.esapi.ESAPI;
+import org.owasp.esapi.codecs.Codec;
+import org.owasp.esapi.codecs.MySQLCodec;
+import org.owasp.esapi.codecs.OracleCodec;
+import org.owasp.esapi.codecs.MySQLCodec.Mode;
+
+public class SecurityXssValidator {
+ private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssValidator.class);
+
+ private static final String MYSQL_DB = "mysql";
+ private static final String ORACLE_DB = "oracle";
+ private static final String MARIA_DB ="mariadb";
+
+
+ static SecurityXssValidator validator = null;
+ private static Codec instance;
+ private static final Lock lock = new ReentrantLock();
+
+ public static SecurityXssValidator getInstance() {
+
+ if(validator == null) {
+ lock.lock();
+ try {
+ if(validator == null)
+ validator = new SecurityXssValidator();
+ } finally {
+ lock.unlock();
+ }
+ }
+
+ return validator;
+ }
+
+ private SecurityXssValidator() {
+ // Avoid anything between script tags
+ XSS_INPUT_PATTERNS.add(Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE));
+
+ // avoid iframes
+ XSS_INPUT_PATTERNS.add(Pattern.compile("<iframe(.*?)>(.*?)</iframe>", Pattern.CASE_INSENSITIVE));
+
+ // Avoid anything in a src='...' type of expression
+ XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'",
+ Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+
+ XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"",
+ Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+
+ XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)",
+ Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+
+ // Remove any lonesome </script> tag
+ XSS_INPUT_PATTERNS.add(Pattern.compile("</script>", Pattern.CASE_INSENSITIVE));
+
+ // Remove any lonesome <script ...> tag
+ XSS_INPUT_PATTERNS
+ .add(Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+
+ // Avoid eval(...) expressions
+ XSS_INPUT_PATTERNS
+ .add(Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+
+ // Avoid expression(...) expressions
+ XSS_INPUT_PATTERNS.add(Pattern.compile("expression\\((.*?)\\)",
+ Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+
+ // Avoid javascript:... expressions
+ XSS_INPUT_PATTERNS.add(Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE));
+
+ // Avoid vbscript:... expressions
+ XSS_INPUT_PATTERNS.add(Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE));
+
+ // Avoid onload= expressions
+ XSS_INPUT_PATTERNS
+ .add(Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+ }
+
+ private List<Pattern> XSS_INPUT_PATTERNS = new ArrayList<Pattern>();
+
+
+ /**
+ * * This method takes a string and strips out any potential script
+ * injections.
+ *
+ * @param value
+ * @return String - the new "sanitized" string.
+ */
+ public String stripXSS(String value) {
+
+ try {
+
+ if (StringUtils.isNotBlank(value)) {
+
+ value = StringEscapeUtils.escapeHtml4(value);
+
+ value = ESAPI.encoder().canonicalize(value);
+
+ // Avoid null characters
+ value = value.replaceAll("\0", "");
+
+ for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) {
+ value = xssInputPattern.matcher(value).replaceAll("");
+ }
+ }
+
+ } catch (Exception e) {
+ logger.error(EELFLoggerDelegate.errorLogger, "stripXSS() failed", e);
+ }
+
+ return value;
+ }
+
+ public Codec getCodec() {
+ try {
+ if (null == instance) {
+ if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
+ MYSQL_DB)|| StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
+ MARIA_DB)) {
+ instance = new MySQLCodec(Mode.STANDARD);
+
+ } else if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
+ ORACLE_DB)) {
+ instance = new OracleCodec();
+ }
+ }
+
+
+ } catch (Exception ex) {
+ System.out.println("Could not strip XSS from value = " + " | ex = " + ex.getMessage());
+ }
+ return instance;
+
+ }
+
+
+ public List<Pattern> getXSS_INPUT_PATTERNS() {
+ return XSS_INPUT_PATTERNS;
+ }
+
+
+ public void setXSS_INPUT_PATTERNS(List<Pattern> xSS_INPUT_PATTERNS) {
+ XSS_INPUT_PATTERNS = xSS_INPUT_PATTERNS;
+ }
+
+} \ No newline at end of file