diff options
author | st782s <statta@research.att.com> | 2017-11-22 11:41:10 -0500 |
---|---|---|
committer | Sunder Tattavarada <statta@research.att.com> | 2017-11-28 20:24:36 +0000 |
commit | ed07ebfbce4031ef4dfbd2f42147f6a7b351aeb8 (patch) | |
tree | ee4a6e53f01f15057f32b86f271c9b6d02b25615 /ecomp-sdk/epsdk-app-os | |
parent | 418d7273d6d8f6fed2698df89c9910be8498a677 (diff) |
Harden code
Issue-ID: PORTAL-145,PORTAL-119
Harden code to address SQL injecton, XSS vulnerabilities; Separate
docker images for portal, sdk app and DMaaPBC ui
Change-Id: I85fad4d3fcee3243207b8f0dfe21beaa41602204
Signed-off-by: st782s <statta@research.att.com>
Diffstat (limited to 'ecomp-sdk/epsdk-app-os')
7 files changed, 217 insertions, 99 deletions
diff --git a/ecomp-sdk/epsdk-app-os/db-scripts/EcompSdkDDLMySql_2_1_OS.sql b/ecomp-sdk/epsdk-app-os/db-scripts/EcompSdkDDLMySql_2_1_OS.sql new file mode 100644 index 00000000..abc21a3a --- /dev/null +++ b/ecomp-sdk/epsdk-app-os/db-scripts/EcompSdkDDLMySql_2_1_OS.sql @@ -0,0 +1,12 @@ +-- --------------------------------------------------------------------------------------------------------------- +-- This script adds tables for the OPEN-SOURCE version 2.1.0 of the ECOMP SDK application database. +-- The DDL COMMON script must be executed first! +-- --------------------------------------------------------------------------------------------------------------- + +SET FOREIGN_KEY_CHECKS=1; + +USE ecomp_sdk; + +-- No additional tables required at this time + +commit; diff --git a/ecomp-sdk/epsdk-app-os/db-scripts/EcompSdkDMLMySql_2_1_OS.sql b/ecomp-sdk/epsdk-app-os/db-scripts/EcompSdkDMLMySql_2_1_OS.sql new file mode 100644 index 00000000..cb4a3085 --- /dev/null +++ b/ecomp-sdk/epsdk-app-os/db-scripts/EcompSdkDMLMySql_2_1_OS.sql @@ -0,0 +1,39 @@ +-- --------------------------------------------------------------------------------------------------------------- +-- This script populates tables in the OPEN-SOURCE version 2.1.0 of the ECOMP SDK application database. +-- The DML COMMON script must be executed first! +-- --------------------------------------------------------------------------------------------------------------- + +SET FOREIGN_KEY_CHECKS=1; +USE ecomp_sdk; + +-- fn_menu +INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (1, 'Root', NULL, 10, NULL, 'menu_home', 'N', NULL, NULL, NULL, NULL, 'APP', 'N', NULL); -- we need even though it's inactive +INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (5000, 'Sample Pages', 1, 30, 'sample.htm', 'menu_sample', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', 'icon-documents-book'); +INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (2, 'Home', 1, 10, 'welcome.htm', 'menu_home', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', 'icon-building-home'); +INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (8, 'Reports', 1, 40, 'report.htm', 'menu_reports', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', 'icon-misc-piechart'); +INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (9, 'Profile', 1, 90, 'userProfile', 'menu_profile', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', 'icon-people-oneperson'); +INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (10, 'Admin', 1, 110, 'role_list.htm', 'menu_admin', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', 'icon-content-star'); +INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (84, 'All Reports', 8, 50, 'report', 'menu_reports', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', '/static/fusion/images/reports.png'); +INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) values (87, 'Create Reports', 8, 120, 'report#/report_wizard', 'menu_reports', 'Y', NULL, 'r_action=report.create', NULL, NULL, 'APP', 'N', NULL); +INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) values (88, 'Sample Dashboard', 8, 130, 'report_dashboard', 'menu_reports', 'N', NULL, NULL, NULL, NULL, 'APP', 'N', NULL); +INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (89, 'Import', 8, 140, 'report#/report_import', 'menu_reports', 'N', null, null, null, null, 'APP', 'N', null); +INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (94, 'Self', 9, 40,'userProfile#/self_profile', 'menu_profile', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', '/static/fusion/images/profile.png'); +INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (101, 'Roles', 10, 20, 'admin#/admin', 'menu_admin', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', '/static/fusion/images/users.png'); +INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (102, 'Role Functions', 10, 30, 'admin#/role_function_list', 'menu_admin', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', NULL); +INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (105, 'Cache Admin', 10, 40, 'admin#/jcs_admin', 'menu_admin', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', '/static/fusion/images/cache.png'); +INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (108, 'Usage', 10, 80, 'admin#/usage_list', 'menu_admin', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', '/static/fusion/images/users.png'); +INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (121, 'Collaboration', 5000, 100, 'samplePage#/collaborate_list', 'menu_sample', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', '/static/fusion/images/bubble.png'); +INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (930, 'Search', 9, 15, 'userProfile', 'menu_admin', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', '/static/fusion/images/search_profile.png'); +INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (150022, 'Menus', 10, 60, 'admin#/admin_menu_edit', 'menu_admin', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', NULL); +INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (150038,'Notebook',5000,135,'samplePage#/notebook','menu_sample','Y',NULL,NULL,NULL,NULL,'APP','N',NULL); + +-- fn_user +Insert into fn_user (USER_ID,ORG_ID,MANAGER_ID,FIRST_NAME,MIDDLE_NAME,LAST_NAME,PHONE,FAX,CELLULAR,EMAIL,ADDRESS_ID,ALERT_METHOD_CD,HRID,ORG_USER_ID,ORG_CODE,LOGIN_ID,LOGIN_PWD,LAST_LOGIN_DATE,ACTIVE_YN,CREATED_ID,CREATED_DATE,MODIFIED_ID,MODIFIED_DATE,IS_INTERNAL_YN,ADDRESS_LINE_1,ADDRESS_LINE_2,CITY,STATE_CD,ZIP_CODE,COUNTRY_CD,LOCATION_CLLI,ORG_MANAGER_USERID,COMPANY,DEPARTMENT_NAME,JOB_TITLE,TIMEZONE,DEPARTMENT,BUSINESS_UNIT,BUSINESS_UNIT_NAME,COST_CENTER,FIN_LOC_CODE,SILO_STATUS) values (1,null,null,'Demo',null,'User',null,null,null,'demo@email.com',null,null,null,'demo',null,'demo','demo',str_to_date('24-OCT-16','%d-%M-%Y'),'Y',null,str_to_date('17-OCT-16','%d-%M-%Y'),1,str_to_date('24-OCT-16','%d-%M-%Y'),'N',null,null,null,'NJ',null,'US',null,null,null,null,null,10,null,null,null,null,null,null); + +-- fn_app +Insert into fn_app (APP_ID,APP_NAME,APP_IMAGE_URL,APP_DESCRIPTION,APP_NOTES,APP_URL,APP_ALTERNATE_URL,APP_REST_ENDPOINT,ML_APP_NAME,ML_APP_ADMIN_ID,MOTS_ID,APP_PASSWORD,OPEN,ENABLED,THUMBNAIL,APP_USERNAME,UEB_KEY,UEB_SECRET,UEB_TOPIC_NAME) VALUES (1,'Default',null,'Some Default Description','Some Default Note',null,null,null,'ECPP','?','1','okYTaDrhzibcbGVq5mjkVQ==','N','N',null,'Default',null,null,'ECOMP-PORTAL-INBOX'); + +-- fn_user_role +Insert into fn_user_role (USER_ID,ROLE_ID,PRIORITY,APP_ID) values (1,1,null,1); + +commit; diff --git a/ecomp-sdk/epsdk-app-os/db-scripts/readme b/ecomp-sdk/epsdk-app-os/db-scripts/readme new file mode 100644 index 00000000..47f2fe1a --- /dev/null +++ b/ecomp-sdk/epsdk-app-os/db-scripts/readme @@ -0,0 +1,34 @@ +* This Readme file contains a description of open source scripts located in + + epsdk-app-os / db-scripts / + +*************************************************************************************************************************************** + +Directions: + +DDL +For ONAP Amsterdam instance run EcompSdkDDLMySql_1710_Common.sql add script EcompSdkDDLMySql_1710_OS.sql. + +EcompSdkDDLMySql_1710_Common.sql - this is the DDL entries that both Opensource and AT&T have in common +EcompSdkDDLMySql_1710_OS.sql - this is the specific DDL entries that only OS needs, empty placeholder + +For ONAP Beijing instance run EcompSdkDDLMySql_2_1_Common.sql add script EcompSdkDDLMySql_2_1_OS.sql. + +EcompSdkDDLMySql_2_1_Common.sql - this is the DDL entries that both Opensource and AT&T have in common +EcompSdkDDLMySql_2_1_OS.sql - this is the specific DDL entries that only OS needs, empty placeholder + +DML +For an ONAP Amsterdam instance run script EcompSdkDMLMySql_1710_Common.sql and script EcompSdkDMLMySql_1710_OS.sql. + +EcompSdkDMLMySql_1707_Common.sql - common DML entries +EcompSdkDMLMySql_1707_OS.sql - DML entries for Opensource needs + +For an ONAP Beijing instance run script EcompSdkDMLMySql_2_1_Common.sql and script EcompSdkDMLMySql_2_1_OS.sql. + +EcompSdkDMLMySql_2_1_Common.sql - common DML entries +EcompSdkDMLMySql_2_1_OS.sql - DML entries for Opensource needs + +Our Existing Partner Apps can call the following scripts to upgrade from earlier version + +EcompSdkMySql_Upgrade_1707_to_1710_Common.sql +EcompSdkMySql_Rollback_1710_to_1707_Common.sql diff --git a/ecomp-sdk/epsdk-app-os/db-scripts/readme.txt b/ecomp-sdk/epsdk-app-os/db-scripts/readme.txt deleted file mode 100644 index 093f77cc..00000000 --- a/ecomp-sdk/epsdk-app-os/db-scripts/readme.txt +++ /dev/null @@ -1,24 +0,0 @@ -This Readme file contains a description of open source scripts located in - - epsdk-app-os / db-scripts / - -*************************************************************************************************************************************** - -Directions: - -DDL -For ONAP instance run EcompSdkDDLMySql_1710_Common.sql add script EcompSdkDDLMySql_1710_OS.sql. - -EcompSdkDDLMySql_1710_Common.sql - this is the DDL entries that both Opensource and AT&T have in common -EcompSdkDDLMySql_1710_OS.sql - this is the specific DDL entries that only OS needs - -DML -For an ONAP instance run script EcompSdkDMLMySql_1710_Common.sql and script EcompSdkDMLMySql_1710_OS.sql. - -EcompSdkDMLMySql_1707_Common.sql - common DML entries -EcompSdkDMLMySql_1707_OS.sql - DML entries for Opensource needs - -Our Existing Partner Apps can call the following scripts to upgrade from earlier version - -EcompSdkMySql_Upgrade_1707_to_1710_Common.sql -EcompSdkMySql_Rollback_1710_to_1707_Common.sql diff --git a/ecomp-sdk/epsdk-app-os/pom.xml b/ecomp-sdk/epsdk-app-os/pom.xml index dc8e9d94..db0a455f 100644 --- a/ecomp-sdk/epsdk-app-os/pom.xml +++ b/ecomp-sdk/epsdk-app-os/pom.xml @@ -1,9 +1,11 @@ <?xml version="1.0"?> -<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> +<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> - <!-- This is the Maven project object model (POM) file for the open-source SDK web app. - This is NOT the Portal - but it is developed and supported by the Portal team. --> + <!-- This is the Maven project object model (POM) file for the open-source + SDK web app. This is NOT the Portal - but it is developed and supported by + the Portal team. --> <parent> <groupId>org.onap.portal.sdk</groupId> @@ -11,9 +13,9 @@ <version>2.1.0-SNAPSHOT</version> </parent> - <!-- GroupId is inherited from parent --> + <!-- GroupId is inherited from parent --> <artifactId>epsdk-app-os</artifactId> - <!-- Version is inherited from parent --> + <!-- Version is inherited from parent --> <packaging>war</packaging> <name>ONAP Portal SDK Webapp for OpenSource</name> <description>ONAP Portal SDK Web Application for public release</description> @@ -25,6 +27,9 @@ <skipassembly>true</skipassembly> <!-- Tests usually require some setup that maven cannot do, so skip. --> <skiptests>true</skiptests> + <!-- Version number gets stored only here --> + <tomcat.download.path>http://archive.apache.org/dist/tomcat/tomcat-8/v8.0.37/bin</tomcat.download.path> + <tomcat.download.name>apache-tomcat-8.0.37</tomcat.download.name> </properties> <!-- repositories are inherited from parent --> @@ -39,7 +44,7 @@ <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-surefire-plugin</artifactId> - <version>2.19.1</version> + <!-- parent specifies the <version>2.19.1</version> --> <configuration> <skipTests>${skiptests}</skipTests> <includes> @@ -104,15 +109,48 @@ <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-deploy-plugin</artifactId> - <version>2.8</version> + <!-- parent specifies the<version>2.8</version> --> <configuration> <skip>true</skip> </configuration> </plugin> + <plugin> + <groupId>io.fabric8</groupId> + <artifactId>docker-maven-plugin</artifactId> + <version>0.22.0</version> + <configuration> + <verbose>true</verbose> + <images> + <image> + <name>onap/portal-sdk:${project.version}</name> + <build> + <from>frolvlad/alpine-oraclejdk8:slim</from> + <assembly> + <descriptorRef>artifact</descriptorRef> + </assembly> + <runCmds> + <!-- must be all on one line; use CDATA to turn off the Eclipse formatter --> + <run><![CDATA[wget -q ${tomcat.download.path}/${tomcat.download.name}.tar.gz]]></run> + <run>tar -xzf ${tomcat.download.name}.tar.gz</run> + <run>rm -f ${tomcat.download.name}.tar.gz</run> + <run>rm -fr ${tomcat.download.name}/webapps/[a-z]*</run> + <run>mkdir -p /opt</run> + <run>mv ${tomcat.download.name} /opt</run> + <run><![CDATA[mv /maven/*.war /opt/${tomcat.download.name}/webapps/ONAPPORTALSDK.war]]></run> + </runCmds> + <cmd> + <shell>/opt/${tomcat.download.name}/bin/catalina.sh run</shell> + </cmd> + </build> + </image> + </images> + </configuration> + </plugin> + </plugins> </build> - + <dependencies> <!-- SDK overlay war --> <dependency> diff --git a/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java index b3ebed73..71ab7359 100644 --- a/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java +++ b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java @@ -39,92 +39,70 @@ package org.onap.portalapp.filter; import java.io.IOException; -import javax.servlet.Filter; +import java.io.UnsupportedEncodingException; + import javax.servlet.FilterChain; -import javax.servlet.FilterConfig; import javax.servlet.ServletException; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletRequestWrapper; +import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang.StringUtils; import org.onap.portalapp.util.SecurityXssValidator; -import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; - -public class SecurityXssFilter implements Filter { - - private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssFilter.class); - - private SecurityXssValidator validator = SecurityXssValidator.getInstance(); - - class SecurityRequestWrapper extends HttpServletRequestWrapper { - - public SecurityRequestWrapper(HttpServletRequest servletRequest) { - super(servletRequest); - } +import org.springframework.web.filter.OncePerRequestFilter; +import org.springframework.web.util.ContentCachingRequestWrapper; +import org.springframework.web.util.ContentCachingResponseWrapper; +import org.springframework.web.util.WebUtils; - @Override - public String[] getParameterValues(String parameter) { - String[] values = super.getParameterValues(parameter); +public class SecurityXssFilter extends OncePerRequestFilter { - if (values == null) { - return null; - } - - int count = values.length; - String[] encodedValues = new String[count]; - for (int i = 0; i < count; i++) { - encodedValues[i] = stripXss(values[i]); - - } - - return encodedValues; - } + private static final String BAD_REQUEST = "BAD_REQUEST"; - private String stripXss(String value) { - - - return validator.stripXSS(value); - } + private SecurityXssValidator validator = SecurityXssValidator.getInstance(); - @Override - public String getParameter(String parameter) { - String value = super.getParameter(parameter); - if (StringUtils.isNotBlank(value)) { - value = stripXss(value); + private static String getRequestData(final HttpServletRequest request) throws UnsupportedEncodingException { + String payload = null; + ContentCachingRequestWrapper wrapper = WebUtils.getNativeRequest(request, ContentCachingRequestWrapper.class); + if (wrapper != null) { + byte[] buf = wrapper.getContentAsByteArray(); + if (buf.length > 0) { + payload = new String(buf, 0, buf.length, wrapper.getCharacterEncoding()); } - return value; } + return payload; + } - @Override - public String getHeader(String name) { - String value = super.getHeader(name); - if (StringUtils.isNotBlank(value)) { - value = stripXss(value); + private static String getResponseData(final HttpServletResponse response) throws IOException { + String payload = null; + ContentCachingResponseWrapper wrapper = WebUtils.getNativeResponse(response, + ContentCachingResponseWrapper.class); + if (wrapper != null) { + byte[] buf = wrapper.getContentAsByteArray(); + if (buf.length > 0) { + payload = new String(buf, 0, buf.length, wrapper.getCharacterEncoding()); + wrapper.copyBodyToResponse(); } - return value; } - } - - @Override - public void init(FilterConfig filterConfig) throws ServletException { + return payload; } @Override - public void destroy() { - } - - @Override - public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) - throws IOException, ServletException { - - try { + protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) + throws ServletException, IOException { + + if (request.getMethod().equalsIgnoreCase("POST") || request.getMethod().equalsIgnoreCase("PUT")) { + + HttpServletRequest requestToCache = new ContentCachingRequestWrapper(request); + HttpServletResponse responseToCache = new ContentCachingResponseWrapper(response); + filterChain.doFilter(requestToCache, responseToCache); + String requestData = getRequestData(requestToCache); + String responseData = getResponseData(responseToCache); + if (StringUtils.isNotBlank(requestData) && validator.denyXSS(requestData)) { + throw new SecurityException(BAD_REQUEST); + } - chain.doFilter(new SecurityRequestWrapper((HttpServletRequest) request), response); - } catch (Exception e) { - logger.error(EELFLoggerDelegate.errorLogger, "doFilter() failed", e); + } else { + filterChain.doFilter(request, response); } - } + } } diff --git a/ecomp-sdk/epsdk-app-os/src/main/resources/key.properties b/ecomp-sdk/epsdk-app-os/src/main/resources/key.properties new file mode 100644 index 00000000..aa3355d1 --- /dev/null +++ b/ecomp-sdk/epsdk-app-os/src/main/resources/key.properties @@ -0,0 +1,41 @@ +### +# ============LICENSE_START========================================== +# ONAP Portal SDK +# =================================================================== +# Copyright © 2017 AT&T Intellectual Property. All rights reserved. +# =================================================================== +# +# Unless otherwise specified, all software contained herein is licensed +# under the Apache License, Version 2.0 (the “License”); +# you may not use this software except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# Unless otherwise specified, all documentation contained herein is licensed +# under the Creative Commons License, Attribution 4.0 Intl. (the “License”); +# you may not use this documentation except in compliance with the License. +# You may obtain a copy of the License at +# +# https://creativecommons.org/licenses/by/4.0/ +# +# Unless required by applicable law or agreed to in writing, documentation +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# ============LICENSE_END============================================ +# +# ECOMP is a trademark and service mark of AT&T Intellectual Property. +### + +# Properties read by the ECOMP Framework library (epsdk-fw) + +cipher.enc.key = AGLDdG4D04BKm2IxIWEr8o==
\ No newline at end of file |