summaryrefslogtreecommitdiffstats
path: root/ecomp-sdk/epsdk-app-os
diff options
context:
space:
mode:
authorst782s <statta@research.att.com>2017-11-22 11:41:10 -0500
committerSunder Tattavarada <statta@research.att.com>2017-11-28 20:24:36 +0000
commited07ebfbce4031ef4dfbd2f42147f6a7b351aeb8 (patch)
treeee4a6e53f01f15057f32b86f271c9b6d02b25615 /ecomp-sdk/epsdk-app-os
parent418d7273d6d8f6fed2698df89c9910be8498a677 (diff)
Harden code
Issue-ID: PORTAL-145,PORTAL-119 Harden code to address SQL injecton, XSS vulnerabilities; Separate docker images for portal, sdk app and DMaaPBC ui Change-Id: I85fad4d3fcee3243207b8f0dfe21beaa41602204 Signed-off-by: st782s <statta@research.att.com>
Diffstat (limited to 'ecomp-sdk/epsdk-app-os')
-rw-r--r--ecomp-sdk/epsdk-app-os/db-scripts/EcompSdkDDLMySql_2_1_OS.sql12
-rw-r--r--ecomp-sdk/epsdk-app-os/db-scripts/EcompSdkDMLMySql_2_1_OS.sql39
-rw-r--r--ecomp-sdk/epsdk-app-os/db-scripts/readme34
-rw-r--r--ecomp-sdk/epsdk-app-os/db-scripts/readme.txt24
-rw-r--r--ecomp-sdk/epsdk-app-os/pom.xml54
-rw-r--r--ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java112
-rw-r--r--ecomp-sdk/epsdk-app-os/src/main/resources/key.properties41
7 files changed, 217 insertions, 99 deletions
diff --git a/ecomp-sdk/epsdk-app-os/db-scripts/EcompSdkDDLMySql_2_1_OS.sql b/ecomp-sdk/epsdk-app-os/db-scripts/EcompSdkDDLMySql_2_1_OS.sql
new file mode 100644
index 00000000..abc21a3a
--- /dev/null
+++ b/ecomp-sdk/epsdk-app-os/db-scripts/EcompSdkDDLMySql_2_1_OS.sql
@@ -0,0 +1,12 @@
+-- ---------------------------------------------------------------------------------------------------------------
+-- This script adds tables for the OPEN-SOURCE version 2.1.0 of the ECOMP SDK application database.
+-- The DDL COMMON script must be executed first!
+-- ---------------------------------------------------------------------------------------------------------------
+
+SET FOREIGN_KEY_CHECKS=1;
+
+USE ecomp_sdk;
+
+-- No additional tables required at this time
+
+commit;
diff --git a/ecomp-sdk/epsdk-app-os/db-scripts/EcompSdkDMLMySql_2_1_OS.sql b/ecomp-sdk/epsdk-app-os/db-scripts/EcompSdkDMLMySql_2_1_OS.sql
new file mode 100644
index 00000000..cb4a3085
--- /dev/null
+++ b/ecomp-sdk/epsdk-app-os/db-scripts/EcompSdkDMLMySql_2_1_OS.sql
@@ -0,0 +1,39 @@
+-- ---------------------------------------------------------------------------------------------------------------
+-- This script populates tables in the OPEN-SOURCE version 2.1.0 of the ECOMP SDK application database.
+-- The DML COMMON script must be executed first!
+-- ---------------------------------------------------------------------------------------------------------------
+
+SET FOREIGN_KEY_CHECKS=1;
+USE ecomp_sdk;
+
+-- fn_menu
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (1, 'Root', NULL, 10, NULL, 'menu_home', 'N', NULL, NULL, NULL, NULL, 'APP', 'N', NULL); -- we need even though it's inactive
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (5000, 'Sample Pages', 1, 30, 'sample.htm', 'menu_sample', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', 'icon-documents-book');
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (2, 'Home', 1, 10, 'welcome.htm', 'menu_home', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', 'icon-building-home');
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (8, 'Reports', 1, 40, 'report.htm', 'menu_reports', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', 'icon-misc-piechart');
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (9, 'Profile', 1, 90, 'userProfile', 'menu_profile', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', 'icon-people-oneperson');
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (10, 'Admin', 1, 110, 'role_list.htm', 'menu_admin', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', 'icon-content-star');
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (84, 'All Reports', 8, 50, 'report', 'menu_reports', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', '/static/fusion/images/reports.png');
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) values (87, 'Create Reports', 8, 120, 'report#/report_wizard', 'menu_reports', 'Y', NULL, 'r_action=report.create', NULL, NULL, 'APP', 'N', NULL);
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) values (88, 'Sample Dashboard', 8, 130, 'report_dashboard', 'menu_reports', 'N', NULL, NULL, NULL, NULL, 'APP', 'N', NULL);
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (89, 'Import', 8, 140, 'report#/report_import', 'menu_reports', 'N', null, null, null, null, 'APP', 'N', null);
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (94, 'Self', 9, 40,'userProfile#/self_profile', 'menu_profile', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', '/static/fusion/images/profile.png');
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (101, 'Roles', 10, 20, 'admin#/admin', 'menu_admin', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', '/static/fusion/images/users.png');
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (102, 'Role Functions', 10, 30, 'admin#/role_function_list', 'menu_admin', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', NULL);
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (105, 'Cache Admin', 10, 40, 'admin#/jcs_admin', 'menu_admin', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', '/static/fusion/images/cache.png');
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (108, 'Usage', 10, 80, 'admin#/usage_list', 'menu_admin', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', '/static/fusion/images/users.png');
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (121, 'Collaboration', 5000, 100, 'samplePage#/collaborate_list', 'menu_sample', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', '/static/fusion/images/bubble.png');
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (930, 'Search', 9, 15, 'userProfile', 'menu_admin', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', '/static/fusion/images/search_profile.png');
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (150022, 'Menus', 10, 60, 'admin#/admin_menu_edit', 'menu_admin', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', NULL);
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (150038,'Notebook',5000,135,'samplePage#/notebook','menu_sample','Y',NULL,NULL,NULL,NULL,'APP','N',NULL);
+
+-- fn_user
+Insert into fn_user (USER_ID,ORG_ID,MANAGER_ID,FIRST_NAME,MIDDLE_NAME,LAST_NAME,PHONE,FAX,CELLULAR,EMAIL,ADDRESS_ID,ALERT_METHOD_CD,HRID,ORG_USER_ID,ORG_CODE,LOGIN_ID,LOGIN_PWD,LAST_LOGIN_DATE,ACTIVE_YN,CREATED_ID,CREATED_DATE,MODIFIED_ID,MODIFIED_DATE,IS_INTERNAL_YN,ADDRESS_LINE_1,ADDRESS_LINE_2,CITY,STATE_CD,ZIP_CODE,COUNTRY_CD,LOCATION_CLLI,ORG_MANAGER_USERID,COMPANY,DEPARTMENT_NAME,JOB_TITLE,TIMEZONE,DEPARTMENT,BUSINESS_UNIT,BUSINESS_UNIT_NAME,COST_CENTER,FIN_LOC_CODE,SILO_STATUS) values (1,null,null,'Demo',null,'User',null,null,null,'demo@email.com',null,null,null,'demo',null,'demo','demo',str_to_date('24-OCT-16','%d-%M-%Y'),'Y',null,str_to_date('17-OCT-16','%d-%M-%Y'),1,str_to_date('24-OCT-16','%d-%M-%Y'),'N',null,null,null,'NJ',null,'US',null,null,null,null,null,10,null,null,null,null,null,null);
+
+-- fn_app
+Insert into fn_app (APP_ID,APP_NAME,APP_IMAGE_URL,APP_DESCRIPTION,APP_NOTES,APP_URL,APP_ALTERNATE_URL,APP_REST_ENDPOINT,ML_APP_NAME,ML_APP_ADMIN_ID,MOTS_ID,APP_PASSWORD,OPEN,ENABLED,THUMBNAIL,APP_USERNAME,UEB_KEY,UEB_SECRET,UEB_TOPIC_NAME) VALUES (1,'Default',null,'Some Default Description','Some Default Note',null,null,null,'ECPP','?','1','okYTaDrhzibcbGVq5mjkVQ==','N','N',null,'Default',null,null,'ECOMP-PORTAL-INBOX');
+
+-- fn_user_role
+Insert into fn_user_role (USER_ID,ROLE_ID,PRIORITY,APP_ID) values (1,1,null,1);
+
+commit;
diff --git a/ecomp-sdk/epsdk-app-os/db-scripts/readme b/ecomp-sdk/epsdk-app-os/db-scripts/readme
new file mode 100644
index 00000000..47f2fe1a
--- /dev/null
+++ b/ecomp-sdk/epsdk-app-os/db-scripts/readme
@@ -0,0 +1,34 @@
+* This Readme file contains a description of open source scripts located in
+
+ epsdk-app-os / db-scripts /
+
+***************************************************************************************************************************************
+
+Directions:
+
+DDL
+For ONAP Amsterdam instance run EcompSdkDDLMySql_1710_Common.sql add script EcompSdkDDLMySql_1710_OS.sql.
+
+EcompSdkDDLMySql_1710_Common.sql - this is the DDL entries that both Opensource and AT&T have in common
+EcompSdkDDLMySql_1710_OS.sql - this is the specific DDL entries that only OS needs, empty placeholder
+
+For ONAP Beijing instance run EcompSdkDDLMySql_2_1_Common.sql add script EcompSdkDDLMySql_2_1_OS.sql.
+
+EcompSdkDDLMySql_2_1_Common.sql - this is the DDL entries that both Opensource and AT&T have in common
+EcompSdkDDLMySql_2_1_OS.sql - this is the specific DDL entries that only OS needs, empty placeholder
+
+DML
+For an ONAP Amsterdam instance run script EcompSdkDMLMySql_1710_Common.sql and script EcompSdkDMLMySql_1710_OS.sql.
+
+EcompSdkDMLMySql_1707_Common.sql - common DML entries
+EcompSdkDMLMySql_1707_OS.sql - DML entries for Opensource needs
+
+For an ONAP Beijing instance run script EcompSdkDMLMySql_2_1_Common.sql and script EcompSdkDMLMySql_2_1_OS.sql.
+
+EcompSdkDMLMySql_2_1_Common.sql - common DML entries
+EcompSdkDMLMySql_2_1_OS.sql - DML entries for Opensource needs
+
+Our Existing Partner Apps can call the following scripts to upgrade from earlier version
+
+EcompSdkMySql_Upgrade_1707_to_1710_Common.sql
+EcompSdkMySql_Rollback_1710_to_1707_Common.sql
diff --git a/ecomp-sdk/epsdk-app-os/db-scripts/readme.txt b/ecomp-sdk/epsdk-app-os/db-scripts/readme.txt
deleted file mode 100644
index 093f77cc..00000000
--- a/ecomp-sdk/epsdk-app-os/db-scripts/readme.txt
+++ /dev/null
@@ -1,24 +0,0 @@
-This Readme file contains a description of open source scripts located in
-
- epsdk-app-os / db-scripts /
-
-***************************************************************************************************************************************
-
-Directions:
-
-DDL
-For ONAP instance run EcompSdkDDLMySql_1710_Common.sql add script EcompSdkDDLMySql_1710_OS.sql.
-
-EcompSdkDDLMySql_1710_Common.sql - this is the DDL entries that both Opensource and AT&T have in common
-EcompSdkDDLMySql_1710_OS.sql - this is the specific DDL entries that only OS needs
-
-DML
-For an ONAP instance run script EcompSdkDMLMySql_1710_Common.sql and script EcompSdkDMLMySql_1710_OS.sql.
-
-EcompSdkDMLMySql_1707_Common.sql - common DML entries
-EcompSdkDMLMySql_1707_OS.sql - DML entries for Opensource needs
-
-Our Existing Partner Apps can call the following scripts to upgrade from earlier version
-
-EcompSdkMySql_Upgrade_1707_to_1710_Common.sql
-EcompSdkMySql_Rollback_1710_to_1707_Common.sql
diff --git a/ecomp-sdk/epsdk-app-os/pom.xml b/ecomp-sdk/epsdk-app-os/pom.xml
index dc8e9d94..db0a455f 100644
--- a/ecomp-sdk/epsdk-app-os/pom.xml
+++ b/ecomp-sdk/epsdk-app-os/pom.xml
@@ -1,9 +1,11 @@
<?xml version="1.0"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
- <!-- This is the Maven project object model (POM) file for the open-source SDK web app.
- This is NOT the Portal - but it is developed and supported by the Portal team. -->
+ <!-- This is the Maven project object model (POM) file for the open-source
+ SDK web app. This is NOT the Portal - but it is developed and supported by
+ the Portal team. -->
<parent>
<groupId>org.onap.portal.sdk</groupId>
@@ -11,9 +13,9 @@
<version>2.1.0-SNAPSHOT</version>
</parent>
- <!-- GroupId is inherited from parent -->
+ <!-- GroupId is inherited from parent -->
<artifactId>epsdk-app-os</artifactId>
- <!-- Version is inherited from parent -->
+ <!-- Version is inherited from parent -->
<packaging>war</packaging>
<name>ONAP Portal SDK Webapp for OpenSource</name>
<description>ONAP Portal SDK Web Application for public release</description>
@@ -25,6 +27,9 @@
<skipassembly>true</skipassembly>
<!-- Tests usually require some setup that maven cannot do, so skip. -->
<skiptests>true</skiptests>
+ <!-- Version number gets stored only here -->
+ <tomcat.download.path>http://archive.apache.org/dist/tomcat/tomcat-8/v8.0.37/bin</tomcat.download.path>
+ <tomcat.download.name>apache-tomcat-8.0.37</tomcat.download.name>
</properties>
<!-- repositories are inherited from parent -->
@@ -39,7 +44,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
- <version>2.19.1</version>
+ <!-- parent specifies the <version>2.19.1</version> -->
<configuration>
<skipTests>${skiptests}</skipTests>
<includes>
@@ -104,15 +109,48 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-deploy-plugin</artifactId>
- <version>2.8</version>
+ <!-- parent specifies the<version>2.8</version> -->
<configuration>
<skip>true</skip>
</configuration>
</plugin>
+ <plugin>
+ <groupId>io.fabric8</groupId>
+ <artifactId>docker-maven-plugin</artifactId>
+ <version>0.22.0</version>
+ <configuration>
+ <verbose>true</verbose>
+ <images>
+ <image>
+ <name>onap/portal-sdk:${project.version}</name>
+ <build>
+ <from>frolvlad/alpine-oraclejdk8:slim</from>
+ <assembly>
+ <descriptorRef>artifact</descriptorRef>
+ </assembly>
+ <runCmds>
+ <!-- must be all on one line; use CDATA to turn off the Eclipse formatter -->
+ <run><![CDATA[wget -q ${tomcat.download.path}/${tomcat.download.name}.tar.gz]]></run>
+ <run>tar -xzf ${tomcat.download.name}.tar.gz</run>
+ <run>rm -f ${tomcat.download.name}.tar.gz</run>
+ <run>rm -fr ${tomcat.download.name}/webapps/[a-z]*</run>
+ <run>mkdir -p /opt</run>
+ <run>mv ${tomcat.download.name} /opt</run>
+ <run><![CDATA[mv /maven/*.war /opt/${tomcat.download.name}/webapps/ONAPPORTALSDK.war]]></run>
+ </runCmds>
+ <cmd>
+ <shell>/opt/${tomcat.download.name}/bin/catalina.sh run</shell>
+ </cmd>
+ </build>
+ </image>
+ </images>
+ </configuration>
+ </plugin>
+
</plugins>
</build>
-
+
<dependencies>
<!-- SDK overlay war -->
<dependency>
diff --git a/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
index b3ebed73..71ab7359 100644
--- a/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
+++ b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
@@ -39,92 +39,70 @@
package org.onap.portalapp.filter;
import java.io.IOException;
-import javax.servlet.Filter;
+import java.io.UnsupportedEncodingException;
+
import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletRequestWrapper;
+import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.onap.portalapp.util.SecurityXssValidator;
-import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
-
-public class SecurityXssFilter implements Filter {
-
- private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssFilter.class);
-
- private SecurityXssValidator validator = SecurityXssValidator.getInstance();
-
- class SecurityRequestWrapper extends HttpServletRequestWrapper {
-
- public SecurityRequestWrapper(HttpServletRequest servletRequest) {
- super(servletRequest);
- }
+import org.springframework.web.filter.OncePerRequestFilter;
+import org.springframework.web.util.ContentCachingRequestWrapper;
+import org.springframework.web.util.ContentCachingResponseWrapper;
+import org.springframework.web.util.WebUtils;
- @Override
- public String[] getParameterValues(String parameter) {
- String[] values = super.getParameterValues(parameter);
+public class SecurityXssFilter extends OncePerRequestFilter {
- if (values == null) {
- return null;
- }
-
- int count = values.length;
- String[] encodedValues = new String[count];
- for (int i = 0; i < count; i++) {
- encodedValues[i] = stripXss(values[i]);
-
- }
-
- return encodedValues;
- }
+ private static final String BAD_REQUEST = "BAD_REQUEST";
- private String stripXss(String value) {
-
-
- return validator.stripXSS(value);
- }
+ private SecurityXssValidator validator = SecurityXssValidator.getInstance();
- @Override
- public String getParameter(String parameter) {
- String value = super.getParameter(parameter);
- if (StringUtils.isNotBlank(value)) {
- value = stripXss(value);
+ private static String getRequestData(final HttpServletRequest request) throws UnsupportedEncodingException {
+ String payload = null;
+ ContentCachingRequestWrapper wrapper = WebUtils.getNativeRequest(request, ContentCachingRequestWrapper.class);
+ if (wrapper != null) {
+ byte[] buf = wrapper.getContentAsByteArray();
+ if (buf.length > 0) {
+ payload = new String(buf, 0, buf.length, wrapper.getCharacterEncoding());
}
- return value;
}
+ return payload;
+ }
- @Override
- public String getHeader(String name) {
- String value = super.getHeader(name);
- if (StringUtils.isNotBlank(value)) {
- value = stripXss(value);
+ private static String getResponseData(final HttpServletResponse response) throws IOException {
+ String payload = null;
+ ContentCachingResponseWrapper wrapper = WebUtils.getNativeResponse(response,
+ ContentCachingResponseWrapper.class);
+ if (wrapper != null) {
+ byte[] buf = wrapper.getContentAsByteArray();
+ if (buf.length > 0) {
+ payload = new String(buf, 0, buf.length, wrapper.getCharacterEncoding());
+ wrapper.copyBodyToResponse();
}
- return value;
}
- }
-
- @Override
- public void init(FilterConfig filterConfig) throws ServletException {
+ return payload;
}
@Override
- public void destroy() {
- }
-
- @Override
- public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
- throws IOException, ServletException {
-
- try {
+ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+ throws ServletException, IOException {
+
+ if (request.getMethod().equalsIgnoreCase("POST") || request.getMethod().equalsIgnoreCase("PUT")) {
+
+ HttpServletRequest requestToCache = new ContentCachingRequestWrapper(request);
+ HttpServletResponse responseToCache = new ContentCachingResponseWrapper(response);
+ filterChain.doFilter(requestToCache, responseToCache);
+ String requestData = getRequestData(requestToCache);
+ String responseData = getResponseData(responseToCache);
+ if (StringUtils.isNotBlank(requestData) && validator.denyXSS(requestData)) {
+ throw new SecurityException(BAD_REQUEST);
+ }
- chain.doFilter(new SecurityRequestWrapper((HttpServletRequest) request), response);
- } catch (Exception e) {
- logger.error(EELFLoggerDelegate.errorLogger, "doFilter() failed", e);
+ } else {
+ filterChain.doFilter(request, response);
}
- }
+ }
}
diff --git a/ecomp-sdk/epsdk-app-os/src/main/resources/key.properties b/ecomp-sdk/epsdk-app-os/src/main/resources/key.properties
new file mode 100644
index 00000000..aa3355d1
--- /dev/null
+++ b/ecomp-sdk/epsdk-app-os/src/main/resources/key.properties
@@ -0,0 +1,41 @@
+###
+# ============LICENSE_START==========================================
+# ONAP Portal SDK
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+###
+
+# Properties read by the ECOMP Framework library (epsdk-fw)
+
+cipher.enc.key = AGLDdG4D04BKm2IxIWEr8o== \ No newline at end of file