diff options
Diffstat (limited to 'ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime')
3 files changed, 29 insertions, 23 deletions
diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportFormFields.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportFormFields.java index 0693a1c7..285142f9 100644 --- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportFormFields.java +++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportFormFields.java @@ -57,6 +57,8 @@ import org.onap.portalsdk.analytics.util.Utils; import org.onap.portalsdk.analytics.xmlobj.ColFilterType; import org.onap.portalsdk.analytics.xmlobj.DataColumnType; import org.onap.portalsdk.analytics.xmlobj.FormFieldType; +import org.onap.portalsdk.core.util.SecurityCodecUtil; +import org.owasp.esapi.ESAPI; public class ReportFormFields extends Vector { private int nextElemIdx = 0; @@ -96,17 +98,17 @@ public class ReportFormFields extends Vector { if(fieldSQL!=null) { for (int i = 0; i < reqParameters.length; i++) { if(!reqParameters[i].startsWith("ff") && (request.getParameter(reqParameters[i].toUpperCase())!=null && request.getParameter(reqParameters[i].toUpperCase()).length() > 0)) - fieldSQL = Utils.replaceInString(fieldSQL, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i].toUpperCase()) ); + fieldSQL = Utils.replaceInString(fieldSQL, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i].toUpperCase()) )); else if (request.getParameter(reqParameters[i])!=null && request.getParameter(reqParameters[i]).length() > 0) - fieldSQL = Utils.replaceInString(fieldSQL, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i]) ); + fieldSQL = Utils.replaceInString(fieldSQL, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i]) )); } for (int i = 0; i < scheduleSessionParameters.length; i++) { //s_logger.debug(" Session " + " scheduleSessionParameters[i] " + scheduleSessionParameters[i].toUpperCase() + " " + request.getParameter(scheduleSessionParameters[i])); if(request.getParameter(scheduleSessionParameters[i])!=null && request.getParameter(scheduleSessionParameters[i]).trim().length()>0 ) - fieldSQL = Utils.replaceInString(fieldSQL, "[" + scheduleSessionParameters[i].toUpperCase()+"]", request.getParameter(scheduleSessionParameters[i]) ); + fieldSQL = Utils.replaceInString(fieldSQL, "[" + scheduleSessionParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(scheduleSessionParameters[i]) )); if(request.getAttribute(scheduleSessionParameters[i])!=null && ((String)request.getAttribute(scheduleSessionParameters[i])).trim().length()>0 ) - fieldSQL = Utils.replaceInString(fieldSQL, "[" + scheduleSessionParameters[i].toUpperCase()+"]", (String) request.getAttribute(scheduleSessionParameters[i]) ); + fieldSQL = Utils.replaceInString(fieldSQL, "[" + scheduleSessionParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), (String) request.getAttribute(scheduleSessionParameters[i]) )); } @@ -129,16 +131,16 @@ public class ReportFormFields extends Vector { if(fieldDefaultSQL!=null) { for (int i = 0; i < reqParameters.length; i++) { if(!reqParameters[i].startsWith("ff") && (request.getParameter(reqParameters[i].toUpperCase())!=null && request.getParameter(reqParameters[i].toUpperCase()).length() > 0)) - fieldDefaultSQL = Utils.replaceInString(fieldDefaultSQL, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i].toUpperCase()) ); + fieldDefaultSQL = Utils.replaceInString(fieldDefaultSQL, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i].toUpperCase()) )); else if (request.getParameter(reqParameters[i])!=null && request.getParameter(reqParameters[i]).length() > 0) - fieldDefaultSQL = Utils.replaceInString(fieldDefaultSQL, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i]) ); + fieldDefaultSQL = Utils.replaceInString(fieldDefaultSQL, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i]) )); } for (int i = 0; i < scheduleSessionParameters.length; i++) { //s_logger.debug(" Session " + " scheduleSessionParameters[i] " + scheduleSessionParameters[i].toUpperCase() + " " + request.getParameter(scheduleSessionParameters[i])); if(request.getParameter(scheduleSessionParameters[i])!=null && request.getParameter(scheduleSessionParameters[i]).trim().length()>0 ) - fieldDefaultSQL = Utils.replaceInString(fieldDefaultSQL, "[" + scheduleSessionParameters[i].toUpperCase()+"]", request.getParameter(scheduleSessionParameters[i]) ); + fieldDefaultSQL = Utils.replaceInString(fieldDefaultSQL, "[" + scheduleSessionParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(scheduleSessionParameters[i]) )); if(request.getAttribute(scheduleSessionParameters[i])!=null && ((String)request.getAttribute(scheduleSessionParameters[i])).trim().length()>0 ) - fieldDefaultSQL = Utils.replaceInString(fieldDefaultSQL, "[" + scheduleSessionParameters[i].toUpperCase()+"]", (String) request.getAttribute(scheduleSessionParameters[i]) ); + fieldDefaultSQL = Utils.replaceInString(fieldDefaultSQL, "[" + scheduleSessionParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), (String) request.getAttribute(scheduleSessionParameters[i]) )); } @@ -158,9 +160,9 @@ public class ReportFormFields extends Vector { if(rangeStartDateSQL!=null) { for (int i = 0; i < reqParameters.length; i++) { if(!reqParameters[i].startsWith("ff") && (request.getParameter(reqParameters[i].toUpperCase())!=null && request.getParameter(reqParameters[i].toUpperCase()).length() > 0)) - rangeStartDateSQL = Utils.replaceInString(rangeStartDateSQL, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i].toUpperCase()) ); + rangeStartDateSQL = Utils.replaceInString(rangeStartDateSQL, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i].toUpperCase()) )); else if (request.getParameter(reqParameters[i])!=null && request.getParameter(reqParameters[i]).length() > 0) - rangeStartDateSQL = Utils.replaceInString(rangeStartDateSQL, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i]) ); + rangeStartDateSQL = Utils.replaceInString(rangeStartDateSQL, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i]) )); } for (int i = 0; i < sessionParameters.length; i++) { if (session.getAttribute(sessionParameters[i])!=null && ((String)session.getAttribute(sessionParameters[i])).length() > 0) @@ -170,13 +172,13 @@ public class ReportFormFields extends Vector { if(rangeEndDateSQL!=null) { for (int i = 0; i < reqParameters.length; i++) { if(!reqParameters[i].startsWith("ff")&& (request.getParameter(reqParameters[i].toUpperCase())!=null && request.getParameter(reqParameters[i].toUpperCase()).length() > 0)) - rangeEndDateSQL = Utils.replaceInString(rangeEndDateSQL, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i].toUpperCase()) ); + rangeEndDateSQL = Utils.replaceInString(rangeEndDateSQL, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i].toUpperCase()) )); else if (request.getParameter(reqParameters[i])!=null && request.getParameter(reqParameters[i]).length() > 0) rangeEndDateSQL = Utils.replaceInString(rangeEndDateSQL, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i]) ); } for (int i = 0; i < sessionParameters.length; i++) { if (session.getAttribute(sessionParameters[i])!=null && ((String)session.getAttribute(sessionParameters[i])).length() > 0) - rangeEndDateSQL = Utils.replaceInString(rangeEndDateSQL, "[" + sessionParameters[i].toUpperCase()+"]", (String)session.getAttribute(sessionParameters[i]) ); + rangeEndDateSQL = Utils.replaceInString(rangeEndDateSQL, "[" + sessionParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), (String)session.getAttribute(sessionParameters[i]) )); } } String helpText = fft.getComment(); diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportParamValuesForPDFExcel.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportParamValuesForPDFExcel.java index d5911cbb..c50581e4 100644 --- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportParamValuesForPDFExcel.java +++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportParamValuesForPDFExcel.java @@ -52,6 +52,8 @@ import org.onap.portalsdk.analytics.util.AppConstants; import org.onap.portalsdk.analytics.util.DataSet; import org.onap.portalsdk.analytics.util.Utils; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; +import org.onap.portalsdk.core.util.SecurityCodecUtil; +import org.owasp.esapi.ESAPI; public class ReportParamValuesForPDFExcel extends Hashtable { @@ -154,10 +156,10 @@ public class ReportParamValuesForPDFExcel extends Hashtable { if(sql!=null && sql.trim().length()>0){ if(name.equals(ff.getFieldName())){ - sql = Utils.replaceInString(sql, "[VALUE]", value); + sql = Utils.replaceInString(sql, "[VALUE]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),value)); } if(name.equals(ff1.getFieldName())){ - sql = Utils.replaceInString(sql, "["+ff1.getFieldDisplayName()+"]", value); + sql = Utils.replaceInString(sql, "["+ff1.getFieldDisplayName()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),value)); } else continue; } @@ -175,10 +177,10 @@ public class ReportParamValuesForPDFExcel extends Hashtable { if(sql!=null && sql.trim().length()>0){ if(name.equals(ff.getFieldName())){ - sql = Utils.replaceInString(sql, "[VALUE]", value); + sql = Utils.replaceInString(sql, "[VALUE]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),value)); } if(name.equals(ff1.getFieldName())){ - sql = Utils.replaceInString(sql, "["+ff1.getFieldDisplayName()+"]", value); + sql = Utils.replaceInString(sql, "["+ff1.getFieldDisplayName()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),value)); } else continue; } @@ -194,7 +196,7 @@ public class ReportParamValuesForPDFExcel extends Hashtable { if(name.length()<=0) name = ff.getFieldName(); value = rr.getParamValue(name); //debugLogger.debug("Name "+ name+ " value:" + value); - String paramValue = getParamValueForSQL(name, value); + String paramValue = ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), getParamValueForSQL(name, value)); //debugLogger.debug("PDFEXCEL " + name+ " " + ff.getFieldName()+ " " + value + " " + sql +" "+ paramValue); if(name!=null && name.equals(ff.getFieldName())) sql = Utils.replaceInString(sql, "[VALUE]", paramValue); @@ -206,7 +208,7 @@ public class ReportParamValuesForPDFExcel extends Hashtable { FormField ff2 = null; for (Iterator iter1 = rff.iterator(); iter1.hasNext();) { ff2 = (FormField)iter1.next(); - sql = Utils.replaceInString(sql, "[" + ff2.getFieldDisplayName() +"]", getParamValue(ff2.getFieldName())); + sql = Utils.replaceInString(sql, "[" + ff2.getFieldDisplayName() +"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),getParamValue(ff2.getFieldName()))); } //debugLogger.debug("SQL Modified after replacing formfield" + sql); try { @@ -223,21 +225,21 @@ public class ReportParamValuesForPDFExcel extends Hashtable { //debugLogger.debug("B4 request " + sql); if(request != null ) { for (int i = 0; i < scheduleSessionParameters.length; i++) { - sql = Utils.replaceInString(sql, "[" + scheduleSessionParameters[i].toUpperCase()+"]", request.getParameter(scheduleSessionParameters[i]) ); + sql = Utils.replaceInString(sql, "[" + scheduleSessionParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(scheduleSessionParameters[i]) )); } for (int i = 0; i < reqParameters.length; i++) { if(!reqParameters[i].startsWith("ff")) { if (request.getParameter(reqParameters[i])!=null) { sql = Utils.replaceInString(sql, "[" + reqParameters[i]+"]", request.getParameter(reqParameters[i]) ); - sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i]) ); + sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i]) )); } else { sql = Utils.replaceInString(sql, "[" + reqParameters[i]+"]", request.getParameter(reqParameters[i].toUpperCase()) ); - sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i].toUpperCase()) ); + sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i].toUpperCase()) )); } } else - sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", request.getParameter(reqParameters[i]) ); + sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase()+"]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(reqParameters[i]) )); } } //debugLogger.debug("After request " + sql); diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportRuntime.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportRuntime.java index f9d58fee..03c8214d 100644 --- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportRuntime.java +++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ReportRuntime.java @@ -85,6 +85,8 @@ import org.onap.portalsdk.analytics.xmlobj.DataColumnType; import org.onap.portalsdk.analytics.xmlobj.FormFieldType; import org.onap.portalsdk.analytics.xmlobj.ObjectFactory; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; +import org.onap.portalsdk.core.util.SecurityCodecUtil; +import org.owasp.esapi.ESAPI; import com.fasterxml.jackson.databind.ObjectMapper; @@ -2455,7 +2457,7 @@ public class ReportRuntime extends ReportWrapper implements Cloneable, Serializa if (param.charAt(startIdx + 1) == '#') { // Parameter is a form field value String fieldId = param.substring(startIdx + 2, endIdx); - String fieldValue = request.getParameter(fieldId); + String fieldValue = ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(), request.getParameter(fieldId)); sql = Utils.replaceInString(sql, "[" + fieldId.toUpperCase()+"]", fieldValue ); } } |