From 304033445a8333cd088910fc3e43ca9222237816 Mon Sep 17 00:00:00 2001
From: robertlo
Date: Mon, 8 Jan 2018 17:08:00 -0500
Subject: Harden code
Issue-ID: PORTAL-145
Harden code to address Open Redirect in Portal SDK
Change-Id: If7e923366be11b78c1359dfe5b8fc14a2927c668
Signed-off-by: robertlo
---
 .../src/main/webapp/WEB-INF/fusion/jsp/webrtc/collaboration.jsp | 6 ------
 .../app/fusion/scripts/DS2-view-models/ds2-admin/collaboration.html | 6 ------
 .../directives/dashboard/WidgetSettingsRaptorReportCtrl.js | 5 +++--
 .../onap/portalsdk/core/interceptor/SessionTimeoutInterceptor.java | 4 +---
 .../onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxy.java | 5 +++--
 .../main/java/org/onap/portalsdk/core/onboarding/util/SSOUtil.java | 3 ++-
 .../org/onap/portalsdk/workflow/controllers/WorkflowController.java | 2 +-
 7 files changed, 10 insertions(+), 21 deletions(-)
diff --git a/ecomp-sdk/epsdk-app-overlay/src/main/webapp/WEB-INF/fusion/jsp/webrtc/collaboration.jsp b/ecomp-sdk/epsdk-app-overlay/src/main/webapp/WEB-INF/fusion/jsp/webrtc/collaboration.jsp
index f392ed56..42b7d9ba 100644
--- a/ecomp-sdk/epsdk-app-overlay/src/main/webapp/WEB-INF/fusion/jsp/webrtc/collaboration.jsp
+++ b/ecomp-sdk/epsdk-app-overlay/src/main/webapp/WEB-INF/fusion/jsp/webrtc/collaboration.jsp
@@ -477,12 +477,6 @@
-
diff --git a/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/DS2-view-models/ds2-admin/collaboration.html b/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/DS2-view-models/ds2-admin/collaboration.html
index cca54a6b..f2bd0bc9 100644
--- a/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/DS2-view-models/ds2-admin/collaboration.html
+++ b/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/DS2-view-models/ds2-admin/collaboration.html
@@ -149,12 +149,6 @@
-
diff --git a/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/view-models/reportdashboard-page/src/components/directives/dashboard/WidgetSettingsRaptorReportCtrl.js b/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/view-models/reportdashboard-page/src/components/directives/dashboard/WidgetSettingsRaptorReportCtrl.js
index fd6a0b02..4aabe3ad 100644
--- a/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/view-models/reportdashboard-page/src/components/directives/dashboard/WidgetSettingsRaptorReportCtrl.js
+++ b/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/view-models/reportdashboard-page/src/components/directives/dashboard/WidgetSettingsRaptorReportCtrl.js
@@ -173,8 +173,9 @@ angular.module('ui.dashboard')
 function(response) {
 console.log(response.data);
 $scope.showChart = true;
- document.getElementById('chartiframe').contentWindow.document.write(response.data);
- document.getElementById('chartiframe').contentWindow.document.close();
+ var chartiframe = document.getElementById('chartiframe');
+ chartiframe.contentWindow.document.write(response.data);
+ chartiframe.contentWindow.document.close();
 }); } else { $scope.showChart = false;
diff --git a/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/interceptor/SessionTimeoutInterceptor.java b/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/interceptor/SessionTimeoutInterceptor.java
index a6b98fdf..1c32ad80 100644
--- a/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/interceptor/SessionTimeoutInterceptor.java
+++ b/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/interceptor/SessionTimeoutInterceptor.java
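Review bot: `document.getElementById('chartiframe')` can return null, and the new `chartiframe.contentWindow.document.write(response.data)` would then throw a TypeError from inside the response callback, which the refactor does not guard; a one-line guard after the lookup, `if (!chartiframe) { return; }`, makes that failure explicit. Writing `response.data` straight into the iframe document is unchanged by this hunk, so the iframe remains an HTML sink for whatever the report endpoint returns; I would record that trust assumption beside it, e.g. `// response.data is server-rendered report HTML; the iframe is the isolation boundary — confirm it carries a sandbox attribute`. The enclosing callback and its if/else start and end outside the hunk.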
@@ -102,7 +102,6 @@ public class SessionTimeoutInterceptor extends HandlerInterceptorAdapter {
 // "/context/single_signon.htm"
 final String redirectUrl = request.getContextPath() + singleSignonPrefix + "redirectToPortal=Yes&" + forwardUrlParm;
- validateDomain(redirectUrl);
 logger.debug(EELFLoggerDelegate.debugLogger, "preHandle: session is expired, redirecting to {}", redirectUrl);
 response.sendRedirect(redirectUrl);
@@ -112,7 +111,6 @@ public class SessionTimeoutInterceptor extends HandlerInterceptorAdapter {
 // Redirect to an absolute path in the webapp; e.g.,
 // "/context/single_signon.htm"
 final String redirectUrl = request.getContextPath() + singleSignonPrefix + forwardUrlParm;
- validateDomain(redirectUrl);
 logger.debug(EELFLoggerDelegate.debugLogger, "preHandle: took exception {}, redirecting to {}", ex.getMessage(), redirectUrl);
 response.sendRedirect(redirectUrl);
@@ -125,7 +123,7 @@ public class SessionTimeoutInterceptor extends HandlerInterceptorAdapter {
 return super.preHandle(request, response, handler);
 }
- private void validateDomain(final String redirectUrl) throws MalformedURLException {
+ public void validateDomain(final String redirectUrl) throws MalformedURLException {
 if (StringUtils.isNotBlank(redirectUrl)) {
 String hostName = new URL(redirectUrl).getHost();
 if (StringUtils.isNotBlank(hostName)
diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxy.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxy.java
index 1303aad5..2ceb8e7c 100644
--- a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxy.java
+++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxy.java
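Review bot: Dropping `validateDomain(redirectUrl);` leaves `response.sendRedirect(redirectUrl)` with no check on the target at all, and the hunk at -112,7 makes the same removal, which reads oddly under a commit message about open redirect. The value begins with `request.getContextPath()`, so it is a scheme-less, context-relative path, and `new URL(redirectUrl)` inside `validateDomain` would presumably throw `MalformedURLException` for such input — a plausible reason for the removal, but it is nowhere stated, and `forwardUrlParm` is assembled outside the hunk, so nothing here shows whether it carries request-derived data. I would put the rationale at the removal point, `// redirectUrl is context-relative (no scheme/host), so validateDomain's URL parse does not apply; forwardUrlParm must be sanitised where it is built`, so the next reader does not mistake the deletion for a dropped control. The enclosing preHandle method starts before the hunk.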
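Review bot: `validateDomain` is widened from private to public in the hunk at -125,7 with no caller appearing anywhere in this commit and no Javadoc, so the visible code no longer says what the method is for or who is meant to call it. If the widening is for a test or another class, a Javadoc block should state the contract — that a blank URL passes, and that the host is obtained via `new URL(redirectUrl).getHost()` so a scheme-less, context-relative value throws `MalformedURLException` before any host comparison — which is exactly the condition that presumably made the two call sites above drop it; otherwise package-private is the narrower choice. The method body continues past the end of the hunk.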
@@ -61,6 +61,7 @@ import org.onap.portalsdk.core.onboarding.util.PortalApiConstants;
 import org.onap.portalsdk.core.onboarding.util.PortalApiProperties;
 import org.onap.portalsdk.core.restful.domain.EcompRole;
 import org.onap.portalsdk.core.restful.domain.EcompUser;
+import org.owasp.esapi.ESAPI;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.core.type.TypeReference;
@@ -305,12 +306,12 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer
 }
 } else {
 String msg = "doPost: no match for request " + requestUri;
- logger.warn(msg);
+ logger.warn( ESAPI.encoder().encodeForHTML(msg));
 responseJson = buildJsonResponse(false, msg);
 response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
 }
 } catch (Exception ex) {
- logger.error("doPost: Failed to process request " + requestUri, ex);
+ logger.error("doPost: Failed to process request " + ESAPI.encoder().encodeForHTML(requestUri), ex);
 response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
 responseJson = buildJsonResponse(ex);
 }
diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/SSOUtil.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/SSOUtil.java
index 2d491cfa..c1776959 100644
--- a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/SSOUtil.java
+++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/SSOUtil.java
@@ -45,6 +45,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.owasp.esapi.ESAPI;
 public class SSOUtil {
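Review bot: `ESAPI.encoder().encodeForHTML(msg)` applies an HTML entity encoder to a log sink, so the new `logger.warn` line is protected against log-line injection only as a side effect of entity-encoding every non-alphanumeric character, and a logged URI will come out escaped and hard to search; the same pattern is used for `requestUri` in the `logger.error` line of this hunk and for `appURL` in the SSOUtil hunk at -69,7. If the intent is to neutralise CR/LF in client-influenced values, say so next to the call, e.g. `// requestUri is client-controlled; encoded before logging to prevent log-line injection`, so the encoder choice is not mistaken for output encoding of the HTTP response. Note that `msg` is still passed unencoded to `buildJsonResponse(false, msg)`, which is fine for a JSON body only if that helper serialises it properly — not visible here. Minor style: `logger.warn( ESAPI` has a stray space after the parenthesis.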
@@ -69,7 +70,7 @@ public class SSOUtil {
 try {
 encodedAppURL = URLEncoder.encode(appURL, "UTF-8");
 } catch (UnsupportedEncodingException ex) {
- logger.error("getECOMPSSORedirectURL: Failed to encode app URL " + appURL, ex);
+ logger.error("getECOMPSSORedirectURL: Failed to encode app URL " + ESAPI.encoder().encodeForHTML(appURL), ex);
 }
 String portalURL = PortalApiProperties.getProperty(PortalApiConstants.ECOMP_REDIRECT_URL);
 if (portalURL == null || portalURL.length() == 0) {
diff --git a/ecomp-sdk/epsdk-workflow/src/main/java/org/onap/portalsdk/workflow/controllers/WorkflowController.java b/ecomp-sdk/epsdk-workflow/src/main/java/org/onap/portalsdk/workflow/controllers/WorkflowController.java
index b4ceb6f2..8df42ed0 100644
--- a/ecomp-sdk/epsdk-workflow/src/main/java/org/onap/portalsdk/workflow/controllers/WorkflowController.java
+++ b/ecomp-sdk/epsdk-workflow/src/main/java/org/onap/portalsdk/workflow/controllers/WorkflowController.java
@@ -103,7 +103,7 @@ public class WorkflowController extends RestrictedBaseController {
 response.setCharacterEncoding("UTF-8");
 request.setCharacterEncoding("UTF-8");
 PrintWriter out = response.getWriter();
- out.write("An error occurred while removing Role in the toggleRole()");
+ out.write("An error occurred while saving the CronJob : saveCronJob()");
 }
 }
--
cgit 1.2.3-korg
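Review bot: The catch block around `URLEncoder.encode(appURL, "UTF-8")` still only logs and falls through, so if the encode did fail, `encodedAppURL` (declared outside the hunk) would keep whatever value it had and the method would go on to build the redirect URL from it; the commit rewrites the log line but leaves this degraded path in place. Since "UTF-8" is a charset every JVM is required to support, the exception is effectively unreachable, and rethrowing makes that explicit instead of silently continuing: `throw new IllegalStateException("UTF-8 is a required charset", ex);` after the log call. The enclosing method starts before this hunk.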