summaryrefslogtreecommitdiffstats
path: root/ecomp-sdk/epsdk-app-common/src/main
diff options
context:
space:
mode:
authorst782s <statta@research.att.com>2017-11-22 11:41:10 -0500
committerSunder Tattavarada <statta@research.att.com>2017-11-28 20:24:36 +0000
commited07ebfbce4031ef4dfbd2f42147f6a7b351aeb8 (patch)
treeee4a6e53f01f15057f32b86f271c9b6d02b25615 /ecomp-sdk/epsdk-app-common/src/main
parent418d7273d6d8f6fed2698df89c9910be8498a677 (diff)
Harden code
Issue-ID: PORTAL-145,PORTAL-119 Harden code to address SQL injecton, XSS vulnerabilities; Separate docker images for portal, sdk app and DMaaPBC ui Change-Id: I85fad4d3fcee3243207b8f0dfe21beaa41602204 Signed-off-by: st782s <statta@research.att.com>
Diffstat (limited to 'ecomp-sdk/epsdk-app-common/src/main')
-rw-r--r--ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/BroadcastListController.java6
-rw-r--r--ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java138
2 files changed, 84 insertions, 60 deletions
diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/BroadcastListController.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/BroadcastListController.java
index fa1bcbeb..aeeaca56 100644
--- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/BroadcastListController.java
+++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/BroadcastListController.java
@@ -47,6 +47,7 @@ import javax.servlet.http.HttpServletResponse;
import org.json.JSONObject;
import org.onap.portalsdk.core.controller.RestrictedBaseController;
import org.onap.portalsdk.core.domain.BroadcastMessage;
+import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
import org.onap.portalsdk.core.service.BroadcastService;
import org.onap.portalsdk.core.web.support.JsonMessage;
import org.springframework.beans.factory.annotation.Autowired;
@@ -62,6 +63,7 @@ import com.fasterxml.jackson.databind.ObjectMapper;
@Controller
@RequestMapping("/")
public class BroadcastListController extends RestrictedBaseController {
+ private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(BroadcastListController.class);
@Autowired
private BroadcastService broadcastService;
@@ -86,7 +88,7 @@ public class BroadcastListController extends RestrictedBaseController {
JSONObject j = new JSONObject(msg);
response.getWriter().write(j.toString());
} catch (Exception e) {
- e.printStackTrace();
+ logger.error(EELFLoggerDelegate.errorLogger, "getBroadcast() failed", e);
}
}
@@ -120,6 +122,7 @@ public class BroadcastListController extends RestrictedBaseController {
request.setCharacterEncoding("UTF-8");
PrintWriter out = response.getWriter();
out.write(e.getMessage());
+ logger.error(EELFLoggerDelegate.errorLogger, "remove() failed", e);
return null;
}
@@ -154,6 +157,7 @@ public class BroadcastListController extends RestrictedBaseController {
request.setCharacterEncoding("UTF-8");
PrintWriter out = response.getWriter();
out.write(e.getMessage());
+ logger.error(EELFLoggerDelegate.errorLogger, "toggleActive() failed", e);
return null;
}
diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java
index 3d2f741c..b51cb8db 100644
--- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java
+++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java
@@ -43,6 +43,7 @@ import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import java.util.regex.Pattern;
+import org.apache.commons.lang.NotImplementedException;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.StringEscapeUtils;
import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
@@ -55,80 +56,78 @@ import org.owasp.esapi.codecs.MySQLCodec.Mode;
public class SecurityXssValidator {
private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssValidator.class);
-
+
private static final String MYSQL_DB = "mysql";
private static final String ORACLE_DB = "oracle";
- private static final String MARIA_DB ="mariadb";
-
-
+ private static final String MARIA_DB = "mariadb";
+
static SecurityXssValidator validator = null;
private static Codec instance;
private static final Lock lock = new ReentrantLock();
-
+
public static SecurityXssValidator getInstance() {
-
- if(validator == null) {
+
+ if (validator == null) {
lock.lock();
try {
- if(validator == null)
- validator = new SecurityXssValidator();
+ if (validator == null)
+ validator = new SecurityXssValidator();
} finally {
lock.unlock();
}
}
-
+
return validator;
}
-
+
private SecurityXssValidator() {
// Avoid anything between script tags
- XSS_INPUT_PATTERNS.add(Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE));
+ XSS_INPUT_PATTERNS.add(Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE));
+
+ // avoid iframes
+ XSS_INPUT_PATTERNS.add(Pattern.compile("<iframe(.*?)>(.*?)</iframe>", Pattern.CASE_INSENSITIVE));
- // avoid iframes
- XSS_INPUT_PATTERNS.add(Pattern.compile("<iframe(.*?)>(.*?)</iframe>", Pattern.CASE_INSENSITIVE));
+ // Avoid anything in a src='...' type of expression
+ XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'",
+ Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
- // Avoid anything in a src='...' type of expression
- XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'",
- Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+ XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"",
+ Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
- XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"",
- Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+ XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)",
+ Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
- XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)",
- Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+ // Remove any lonesome </script> tag
+ XSS_INPUT_PATTERNS.add(Pattern.compile("</script>", Pattern.CASE_INSENSITIVE));
- // Remove any lonesome </script> tag
- XSS_INPUT_PATTERNS.add(Pattern.compile("</script>", Pattern.CASE_INSENSITIVE));
+ XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<script>|</script>).*", Pattern.CASE_INSENSITIVE));
- // Remove any lonesome <script ...> tag
- XSS_INPUT_PATTERNS
- .add(Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+ XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<iframe>|</iframe>).*", Pattern.CASE_INSENSITIVE));
- // Avoid eval(...) expressions
- XSS_INPUT_PATTERNS
- .add(Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+ // Remove any lonesome <script ...> tag
+ XSS_INPUT_PATTERNS
+ .add(Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
- // Avoid expression(...) expressions
- XSS_INPUT_PATTERNS.add(Pattern.compile("expression\\((.*?)\\)",
- Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+ // Avoid eval(...) expressions
+ XSS_INPUT_PATTERNS
+ .add(Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
- // Avoid javascript:... expressions
- XSS_INPUT_PATTERNS.add(Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE));
+ // Avoid expression(...) expressions
+ XSS_INPUT_PATTERNS.add(Pattern.compile("expression\\((.*?)\\)",
+ Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
- // Avoid vbscript:... expressions
- XSS_INPUT_PATTERNS.add(Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE));
+ // Avoid javascript:... expressions
+ XSS_INPUT_PATTERNS.add(Pattern.compile(".*(javascript:|vbscript:).*", Pattern.CASE_INSENSITIVE));
- // Avoid onload= expressions
- XSS_INPUT_PATTERNS
- .add(Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+ // Avoid onload= expressions
+ XSS_INPUT_PATTERNS.add(
+ Pattern.compile(".*(onload(.*?)=).*", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
}
-
- private List<Pattern> XSS_INPUT_PATTERNS = new ArrayList<Pattern>();
-
+
+ private List<Pattern> XSS_INPUT_PATTERNS = new ArrayList<Pattern>();
/**
- * * This method takes a string and strips out any potential script
- * injections.
+ * * This method takes a string and strips out any potential script injections.
*
* @param value
* @return String - the new "sanitized" string.
@@ -157,35 +156,56 @@ public class SecurityXssValidator {
return value;
}
-
- public Codec getCodec() {
+
+ public Boolean denyXSS(String value) {
+ Boolean flag = Boolean.FALSE;
try {
- if (null == instance) {
- if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
- MYSQL_DB)|| StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
- MARIA_DB)) {
- instance = new MySQLCodec(Mode.STANDARD);
-
- } else if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
- ORACLE_DB)) {
- instance = new OracleCodec();
+ if (StringUtils.isNotBlank(value)) {
+ value = ESAPI.encoder().canonicalize(value);
+ for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) {
+ if (xssInputPattern.matcher(value).matches()) {
+ flag = Boolean.TRUE;
+ break;
}
+
}
-
+ }
+
+ } catch (Exception e) {
+ logger.error(EELFLoggerDelegate.errorLogger, "denyXSS() failed", e);
+ }
+
+ return flag;
+ }
+
+ public Codec getCodec() {
+ try {
+ if (null == instance) {
+ if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), MYSQL_DB)
+ || StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
+ MARIA_DB)) {
+ instance = new MySQLCodec(Mode.STANDARD);
+
+ } else if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
+ ORACLE_DB)) {
+ instance = new OracleCodec();
+ } else {
+ throw new NotImplementedException("Handling for data base \""
+ + SystemProperties.getProperty(SystemProperties.DB_DRIVER) + "\" not yet implemented.");
+ }
+ }
} catch (Exception ex) {
- System.out.println("Could not strip XSS from value = " + " | ex = " + ex.getMessage());
+ logger.error(EELFLoggerDelegate.errorLogger, "getCodec() failed", ex);
}
return instance;
}
-
public List<Pattern> getXSS_INPUT_PATTERNS() {
return XSS_INPUT_PATTERNS;
}
-
public void setXSS_INPUT_PATTERNS(List<Pattern> xSS_INPUT_PATTERNS) {
XSS_INPUT_PATTERNS = xSS_INPUT_PATTERNS;
}