author | Christopher Lott (cl778h) <clott@research.att.com> | 2017-10-20 08:22:19 -0400 |
committer | Christopher Lott (cl778h) <clott@research.att.com> | 2017-10-20 08:44:33 -0400 |
commit | e3982f6c2a13c903947a66d89e1af1ccbb161e5f (patch) | |
tree | 07db289541228dfaef258c267dd33635c33ebb34 /ecomp-sdk/epsdk-app-os/src | |
parent | ddd8720d597fc9053a455b10445fb253adbc4bf7 (diff) |
Role management; security vulnerabilities.
Extend user/role management interface to allow role deletion.
Add filters to defend against common web JavaScript attacks.
Drop Greensock code with unusable license.
Use OParent in EPSDK web application.
Issue: US324470, US342324, PORTAL-127
Change-Id: I3a10744fbbbdbda7c88d2b2e542e72e779c9b142
Signed-off-by: Christopher Lott (cl778h) <clott@research.att.com>
Diffstat (limited to 'ecomp-sdk/epsdk-app-os/src')
-rw-r--r-- | ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java | 130 | ||||
-rw-r--r-- | ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/web.xml | 10 |
2 files changed, 139 insertions, 1 deletions
diff --git a/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
new file mode 100644
index 00000000..b3ebed73
--- /dev/null
+++ b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
@@ -0,0 +1,130 @@
+
+/*-
+ * ============LICENSE_START==========================================
+ * ONAP Portal
+ * ===================================================================
+ * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * ===================================================================
+ *
+ * Unless otherwise specified, all software contained herein is licensed
+ * under the Apache License, Version 2.0 (the "License");
+ * you may not use this software except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Unless otherwise specified, all documentation contained herein is licensed
+ * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
+ * you may not use this documentation except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://creativecommons.org/licenses/by/4.0/
+ *
+ * Unless required by applicable law or agreed to in writing, documentation
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * ============LICENSE_END============================================
+ *
+ * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ */
+package org.onap.portalapp.filter;
+
+import java.io.IOException;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+
+import org.apache.commons.lang.StringUtils;
+import org.onap.portalapp.util.SecurityXssValidator;
+import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
+
+public class SecurityXssFilter implements Filter {
+
+ private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssFilter.class);
+
+ private SecurityXssValidator validator = SecurityXssValidator.getInstance();
+
+ class SecurityRequestWrapper extends HttpServletRequestWrapper {
+
+ public SecurityRequestWrapper(HttpServletRequest servletRequest) {
+ super(servletRequest);
+ }
+
+ @Override
+ public String[] getParameterValues(String parameter) {
+ String[] values = super.getParameterValues(parameter);
+
+ if (values == null) {
+ return null;
+ }
+
+ int count = values.length;
+ String[] encodedValues = new String[count];
+ for (int i = 0; i < count; i++) {
+ encodedValues[i] = stripXss(values[i]);
+
+ }
+
+ return encodedValues;
+ }
+
+ private String stripXss(String value) {
+
+
+ return validator.stripXSS(value);
+ }
+
+ @Override
+ public String getParameter(String parameter) {
+ String value = super.getParameter(parameter);
+ if (StringUtils.isNotBlank(value)) {
+ value = stripXss(value);
+ }
+ return value;
+ }
+
+ @Override
+ public String getHeader(String name) {
+ String value = super.getHeader(name);
+ if (StringUtils.isNotBlank(value)) {
+ value = stripXss(value);
+ }
+ return value;
+ }
+ }
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ }
+
+ @Override
+ public void destroy() {
+ }
+
+ @Override
+ public void doFilter(ServletRequest request, 
ServletResponse response, FilterChain chain)
+ throws IOException, ServletException {
+
+ try {
+
+ chain.doFilter(new SecurityRequestWrapper((HttpServletRequest) request), response);
+ } catch (Exception e) {
+ logger.error(EELFLoggerDelegate.errorLogger, "doFilter() failed", e);
+ }
+ }
+
+}
diff --git a/ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/web.xml b/ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/web.xml
index 0290f1fc..7441508a 100644
--- a/ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/web.xml
+++ b/ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/web.xml
@@ -10,8 +10,16 @@ <distributable /> <session-config> - <session-timeout>7</session-timeout> + <session-timeout>30</session-timeout> <tracking-mode>COOKIE</tracking-mode> </session-config> + <filter> + <filter-name>SecurityXssFilter</filter-name> + <filter-class>org.onap.portalapp.filtersss.SecurityXssFilter</filter-class> + </filter> + <filter-mapping> + <filter-name>SecurityXssFilter</filter-name> + <url-pattern>/*</url-pattern> + </filter-mapping> </web-app>
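Review bot: doFilter() wraps chain.doFilter() in `catch (Exception e)` and only logs, so an IOException or ServletException thrown by a downstream servlet — and a ClassCastException from the unchecked `(HttpServletRequest) request` cast — is swallowed and the client gets whatever partial response was already written instead of the container's error handling. Narrow the catch and rethrow: `} catch (IOException | ServletException e) { logger.error(EELFLoggerDelegate.errorLogger, "doFilter() failed", e); throw e; }`. The wrapper sanitizes only getParameter, getParameterValues and getHeader; getParameterMap, getHeaders, getQueryString and the request body (getInputStream/getReader) pass through untouched, so whether JSON or multipart bodies are covered depends on the validator being applied elsewhere, and a class-level Javadoc stating that scope would keep the next maintainer from assuming full coverage. Note also that getParameterValues passes every element to stripXss without the isNotBlank guard the other two overrides use, so validator.stripXSS must tolerate null and empty input — worth a comment if that is guaranteed, or the same guard if not.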
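Review bot: The new filter-class element names the package `org.onap.portalapp.filtersss`, but the class this commit adds is declared `package org.onap.portalapp.filter;` in SecurityXssFilter.java, so the container cannot load the filter and the `/*` mapping sanitizes nothing (or the webapp fails to deploy, depending on the container); it should read `<filter-class>org.onap.portalapp.filter.SecurityXssFilter</filter-class>`. The same hunk raises session-timeout from 7 to 30 minutes, which the commit message does not mention; a four-times longer idle window is a deliberate trade-off that should either be called out in the description or reverted.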
\ No newline at end of file |