From 3cea65c213e29b9086e9a2e4aae910cff00e7a93 Mon Sep 17 00:00:00 2001 From: sm921c Date: Wed, 4 Apr 2018 15:09:15 -0400 Subject: security and Pom chanages Issue-ID: PORTAL-155 provided fixes for security issues Change-Id: I00a06dffe4c6efecff57272949fea9d0a614018c Signed-off-by: sm921c --- ecomp-sdk/epsdk-analytics/pom.xml | 10 +- .../portalsdk/analytics/model/SearchHandler.java | 2 +- ecomp-sdk/epsdk-app-common/pom.xml | 82 ++++++++++++++- ecomp-sdk/epsdk-app-os/README.md | 1 + ecomp-sdk/epsdk-app-os/pom.xml | 14 ++- .../onap/portalapp/filter/SecurityXssFilter.java | 21 ++++ ecomp-sdk/epsdk-app-overlay/pom.xml | 28 +++++- ecomp-sdk/epsdk-core/README.md | 2 +- ecomp-sdk/epsdk-core/pom.xml | 111 ++++++++++++++++++--- ecomp-sdk/epsdk-fw/pom.xml | 40 +++++++- .../portalsdk/core/onboarding/util/CipherUtil.java | 4 +- ecomp-sdk/epsdk-workflow/pom.xml | 8 +- ecomp-sdk/pom.xml | 4 +- 13 files changed, 283 insertions(+), 44 deletions(-) diff --git a/ecomp-sdk/epsdk-analytics/pom.xml b/ecomp-sdk/epsdk-analytics/pom.xml index 76e0df1b..143a6ac9 100644 --- a/ecomp-sdk/epsdk-analytics/pom.xml +++ b/ecomp-sdk/epsdk-analytics/pom.xml @@ -5,7 +5,7 @@ org.onap.portal.sdk epsdk-project - 2.1.0 + 2.1.1 @@ -56,17 +56,17 @@ com.fasterxml.jackson.core jackson-annotations - 2.6.3 + 2.8.10 com.fasterxml.jackson.core jackson-core - 2.6.3 + 2.8.10 com.fasterxml.jackson.core jackson-databind - 2.6.3 + 2.8.10 @@ -142,7 +142,7 @@ org.apache.poi poi-ooxml - 3.5-FINAL + 3.15 commons-logging diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/SearchHandler.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/SearchHandler.java index 863f510c..9f44bac7 100644 --- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/SearchHandler.java +++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/SearchHandler.java 
@@ -295,7 +295,7 @@ public class SearchHandler extends org.onap.portalsdk.analytics.RaptorObject { } else { rep_name_sql = " AND UPPER(cr.title) LIKE UPPER('%%') "; } - sql = sql.replace("[fReportName]",rep_name_sql); + sql = sql.replace("[fReportName]", ESAPI.encoder().canonicalize(rep_name_sql)); if (menuId.length() > 0){ /*sql += "AND INSTR('|'||cr.menu_id||'|', '|'||'" + menuId + "'||'|') > 0 " diff --git a/ecomp-sdk/epsdk-app-common/pom.xml b/ecomp-sdk/epsdk-app-common/pom.xml index 8252897e..af010a73 100644 --- a/ecomp-sdk/epsdk-app-common/pom.xml +++ b/ecomp-sdk/epsdk-app-common/pom.xml @@ -5,7 +5,7 @@ org.onap.portal.sdk epsdk-project - 2.1.0 + 2.1.1 @@ -129,17 +129,17 @@ com.fasterxml.jackson.core jackson-annotations - 2.6.3 + 2.8.10 com.fasterxml.jackson.core jackson-core - 2.6.3 + 2.8.10 com.fasterxml.jackson.core jackson-databind - 2.6.3 + 2.8.10 com.mchange @@ -172,6 +172,12 @@ org.elasticsearch elasticsearch 2.2.0 + + + org.apache.lucene + lucene-queryparser + + org.json @@ -236,6 +242,24 @@ org.owasp.esapi esapi 2.1.0 + + + commons-beanutils + commons-beanutils-core + + + commons-httpclient + commons-httpclient + + + xerces + xercesImpl + + + commons-collections + commons-collections + + @@ -244,5 +268,55 @@ ${jacoco.version} runtime + + com.thoughtworks.xstream + xstream + 1.4.10 + + + org.apache.wicket + wicket-core + 1.5.16 + + + ch.qos.logback + logback-core + 1.2.3 + + + ch.qos.logback + logback-classic + 1.2.3 + + + commons-fileupload + commons-fileupload + 1.3.3 + + + commons-beanutils + commons-beanutils + 1.9.3 + + + org.apache.httpcomponents + httpclient + 4.5.3 + + + xalan + xalan + 2.7.2 + + + xerces + xercesImpl + 2.11.0.SP5 + + + commons-collections + commons-collections + 3.2.2 + diff --git a/ecomp-sdk/epsdk-app-os/README.md b/ecomp-sdk/epsdk-app-os/README.md index f74d043f..7304bd1c 100644 --- a/ecomp-sdk/epsdk-app-os/README.md +++ b/ecomp-sdk/epsdk-app-os/README.md 
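Review bot: `ESAPI.encoder().canonicalize(rep_name_sql)` on the replaced line is not SQL escaping: canonicalize only decodes layered encodings into a plain form so that validation can be applied to it, and the result is still spliced into `sql` verbatim. The visible `else` branch is a constant, but if the `if` branch above the hunk (not visible) builds `rep_name_sql` from a caller-supplied report name, the injection exposure is unchanged; pass that value as a bind parameter (`?` in a PreparedStatement) or, where the query must stay a string, apply `ESAPI.encoder().encodeForSQL(codec, value)` to the raw value before it is concatenated into rep_name_sql. The diffstat records no added import, so `ESAPI` is presumably already in scope in this class — confirm it compiles in epsdk-analytics, whose pom hunks on this page do not show an esapi dependency. The enclosing method begins before and ends after the hunk.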
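Review bot: The ten pinned artifacts added at the end of this hunk (xstream 1.4.10 through commons-collections 3.2.2) are declared as direct module dependencies, and the same list is repeated with variations in epsdk-core (`@@ -355,6 +395,51`) and epsdk-fw (`@@ -160,6 +182,16`); the lists already disagree (commons-collections is pinned only here), which is how security pins drift. If the goal is to force patched versions of transitive dependencies, put the versions in a `<dependencyManagement>` section of the parent ecomp-sdk/pom.xml, so each module receives the pin without carrying the artifact when nothing pulls it in, and the esapi exclusions added in the hunk above then need stating only once as well. A short comment on the block saying what each pin overrides, e.g. `<!-- pins transitive xstream to a patched version; drop once the upstream artifact is updated -->`, tells the next maintainer when a pin can go. This page's rendering has stripped the XML tags, so the exact element structure is inferred.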
@@ -18,6 +18,7 @@ Version 2.1.0 - PORTAL 160 Refer epsdk-app-common - PORTAL 159 Refer epsdk-app-common - PORTAL 136 Junits for SDK +- PORTAL 155 Review security issues: portal Version 1.4.0 - PORTAL-19 Rename Java package base to org.onap diff --git a/ecomp-sdk/epsdk-app-os/pom.xml b/ecomp-sdk/epsdk-app-os/pom.xml index 059c5ea0..5ce068b9 100644 --- a/ecomp-sdk/epsdk-app-os/pom.xml +++ b/ecomp-sdk/epsdk-app-os/pom.xml @@ -10,7 +10,7 @@ org.onap.portal.sdk epsdk-project - 2.1.0 + 2.1.1 @@ -252,17 +252,17 @@ com.fasterxml.jackson.core jackson-annotations - 2.6.3 + 2.8.10 com.fasterxml.jackson.core jackson-core - 2.6.3 + 2.8.10 com.fasterxml.jackson.core jackson-databind - 2.6.3 + 2.8.10 com.mchange @@ -295,6 +295,12 @@ org.elasticsearch elasticsearch 2.2.0 + + + org.apache.lucene + lucene-queryparser + + org.json diff --git a/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java index aad01286..be3b685d 100644 --- a/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java +++ b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java @@ -44,6 +44,9 @@ import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.InputStreamReader; import java.nio.charset.StandardCharsets; +import java.util.Enumeration; +import java.util.HashMap; +import java.util.Map; import javax.servlet.FilterChain; import javax.servlet.ReadListener; 
@@ -73,9 +76,27 @@ public class SecurityXssFilter extends OncePerRequestFilter { public class RequestWrapper extends HttpServletRequestWrapper { private ByteArrayOutputStream cachedBytes; + + private Map parameter = new HashMap(); + + @SuppressWarnings("unchecked") public RequestWrapper(HttpServletRequest request) { super(request); + Enumeration parameterNames = request.getParameterNames(); + while (parameterNames.hasMoreElements()) { + String paramName = parameterNames.nextElement(); + String paramValue = request.getParameter(paramName); + parameter.put(paramName,paramValue); + } + } + + @Override + public String getParameter(String name) { + if (parameter != null) { + return (String) parameter.get(name); + } + return null; } @Override diff --git a/ecomp-sdk/epsdk-app-overlay/pom.xml b/ecomp-sdk/epsdk-app-overlay/pom.xml index 8415cf49..a0b000a7 100644 --- a/ecomp-sdk/epsdk-app-overlay/pom.xml +++ b/ecomp-sdk/epsdk-app-overlay/pom.xml @@ -5,7 +5,7 @@ org.onap.portal.sdk epsdk-project - 2.1.0 + 2.1.1 @@ -43,9 +43,29 @@ 3.1.0 - javax.servlet - jstl - 1.2 + org.apache.taglibs + taglibs-standard-spec + 1.2.5 + + + org.apache.taglibs + taglibs-standard-impl + 1.2.5 + + + org.apache.taglibs + taglibs-standard-spec + 1.2.5 + + + org.apache.taglibs + taglibs-standard-impl + 1.2.5 + + + org.apache.taglibs + taglibs-standard-jstlel + 1.2.5 diff --git a/ecomp-sdk/epsdk-core/README.md b/ecomp-sdk/epsdk-core/README.md index b773ef5c..55cf69fd 100644 --- a/ecomp-sdk/epsdk-core/README.md +++ b/ecomp-sdk/epsdk-core/README.md @@ -7,7 +7,7 @@ which is distributed as epsdk-core-N.N.N.jar. This library requires Hibernate and Spring, and provides many features such as data access, session management, logging, on-boarding and more. Most of these features are demonstrated in the -ONAP SDK web application. +ECOMP SDK web application. ## Release Notes diff --git a/ecomp-sdk/epsdk-core/pom.xml b/ecomp-sdk/epsdk-core/pom.xml index c47effa6..85b60ddc 100644 --- a/ecomp-sdk/epsdk-core/pom.xml 
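Review bot: The new `RequestWrapper` snapshot covers only `getParameter`: `getParameterValues` and `getParameterMap` are not overridden in this hunk, so unless the wrapper overrides them further down (it continues past the hunk) any code using them still reads the wrapped request, and a parameter with several values keeps only its first in the map. Presumably the snapshot exists because the body is buffered into `cachedBytes` and form parameters become unreadable afterwards; if so the other two accessors fail in the same way, so snapshot `request.getParameterMap()` once and serve all three from it, as below. The `if (parameter != null)` check in `getParameter` is dead, since the field is initialized at declaration. If the `Map` and `Enumeration` declarations really are raw (this page's rendering has stripped `<…>` elsewhere, so they may have been generic in the source), the rewrite also removes the need for `@SuppressWarnings("unchecked")`, and the `java.util.Enumeration` import added in the previous hunk becomes unused.
```java
private final Map<String, String[]> parameter;

public RequestWrapper(HttpServletRequest request) {
    super(request);
    // Snapshot every value so getParameter, getParameterValues and getParameterMap agree
    // even after the wrapped request's body has been consumed.
    parameter = new HashMap<>(request.getParameterMap());
}

@Override
public String getParameter(String name) {
    String[] values = parameter.get(name);
    return (values == null || values.length == 0) ? null : values[0];
}

@Override
public String[] getParameterValues(String name) {
    String[] values = parameter.get(name);
    return values == null ? null : values.clone();
}

@Override
public Map<String, String[]> getParameterMap() {
    return new HashMap<>(parameter);
}

// … unchanged: cachedBytes field and the remaining overrides …
```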
+++ b/ecomp-sdk/epsdk-core/pom.xml @@ -5,7 +5,7 @@ org.onap.portal.sdk epsdk-project - 2.1.0 + 2.1.1 @@ -124,10 +124,6 @@ org.slf4j log4j-over-slf4j - - ch.qos.logback - logback-classic - @@ -167,9 +163,29 @@ 2.3.1 - javax.servlet - jstl - 1.2 + org.apache.taglibs + taglibs-standard-spec + 1.2.5 + + + org.apache.taglibs + taglibs-standard-impl + 1.2.5 + + + org.apache.taglibs + taglibs-standard-spec + 1.2.5 + + + org.apache.taglibs + taglibs-standard-impl + 1.2.5 + + + org.apache.taglibs + taglibs-standard-jstlel + 1.2.5 @@ -209,17 +225,17 @@ com.fasterxml.jackson.core jackson-annotations - 2.6.3 + 2.8.10 com.fasterxml.jackson.core jackson-core - 2.6.3 + 2.8.10 com.fasterxml.jackson.core jackson-databind - 2.6.3 + 2.8.10 @@ -294,8 +310,8 @@ org.bouncycastle - bcprov-jdk16 - 1.45 + bcprov-jdk15on + 1.59 @@ -303,6 +319,12 @@ org.elasticsearch elasticsearch 2.2.0 + + + org.apache.lucene + lucene-queryparser + + io.searchbox @@ -326,6 +348,20 @@ org.owasp.esapi esapi 2.1.0.1 + + + commons-beanutils + commons-beanutils-core + + + commons-httpclient + commons-httpclient + + + xerces + xercesImpl + + @@ -346,6 +382,10 @@ org.slf4j slf4j-log4j12 + + org.apache.httpcomponents + httpclient + @@ -355,6 +395,51 @@ ${jacoco.version} runtime + + com.thoughtworks.xstream + xstream + 1.4.10 + + + org.apache.wicket + wicket-core + 1.5.16 + + + ch.qos.logback + logback-core + 1.2.3 + + + ch.qos.logback + logback-classic + 1.2.3 + + + commons-fileupload + commons-fileupload + 1.3.3 + + + commons-beanutils + commons-beanutils + 1.9.3 + + + org.apache.httpcomponents + httpclient + 4.5.3 + + + xalan + xalan + 2.7.2 + + + xerces + xercesImpl + 2.11.0.SP5 + diff --git a/ecomp-sdk/epsdk-fw/pom.xml b/ecomp-sdk/epsdk-fw/pom.xml index 2eb62648..9f2929b5 100644 --- a/ecomp-sdk/epsdk-fw/pom.xml +++ b/ecomp-sdk/epsdk-fw/pom.xml @@ -6,7 +6,7 @@ org.onap.portal.sdk epsdk-project - 2.1.0 + 2.1.1 
@@ -75,12 +75,12 @@ com.fasterxml.jackson.core jackson-annotations - 2.6.3 + 2.8.10 com.fasterxml.jackson.core jackson-databind - 2.6.3 + 2.8.10 org.owasp.esapi @@ -91,6 +91,22 @@ log4j log4j + + xerces + xercesImpl + + + xalan + xalan + + + commons-beanutils + commons-beanutils + + + commons-httpclient + commons-httpclient + @@ -115,7 +131,7 @@ ch.qos.logback logback-classic - 1.1.1 + 1.2.3 test @@ -123,6 +139,12 @@ resteasy-spring ${resteasy.version} test + + + org.apache.httpcomponents + httpclient + + org.jboss.resteasy @@ -160,6 +182,16 @@ runtime test ${jacoco.version} + + + commons-fileupload + commons-fileupload + 1.3.3 + + + commons-beanutils + commons-beanutils + 1.9.3 diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/CipherUtil.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/CipherUtil.java index ba95d870..eef88b4b 100644 --- a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/CipherUtil.java +++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/CipherUtil.java @@ -263,7 +263,7 @@ public class CipherUtil { return CipherUtil.decryptPKC(encryptedText, keyString); } - public static void main(String[] args) throws CipherUtilException { +/* public static void main(String[] args) throws CipherUtilException { String testValue = "Welcome123"; String encrypted; @@ -290,6 +290,6 @@ public class CipherUtil { System.out.println("Encrypted Text" + encrypted); } } - } + }*/ } diff --git a/ecomp-sdk/epsdk-workflow/pom.xml b/ecomp-sdk/epsdk-workflow/pom.xml index c187fe1a..51ffc7ef 100644 --- a/ecomp-sdk/epsdk-workflow/pom.xml +++ b/ecomp-sdk/epsdk-workflow/pom.xml @@ -5,7 +5,7 @@ org.onap.portal.sdk epsdk-project - 2.1.0 + 2.1.1 @@ -30,17 +30,17 @@ com.fasterxml.jackson.core jackson-annotations - 2.6.3 + 2.8.10 com.fasterxml.jackson.core jackson-core - 2.6.3 + 2.8.10 com.fasterxml.jackson.core jackson-databind - 2.6.3 + 2.8.10 javax.servlet 
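Review bot: Wrapping `main` in `/* … */` here and closing it with `}*/` in the second hunk (`@@ -290,6 +290,6`) keeps the dead code, including the literal test value `"Welcome123"`, in the shipped source; delete the method instead — it stays in version control. A block comment also ends at the first `*/` it meets, so if any line between the two hunks (not visible) contains `*/`, the remainder becomes live code again and the file no longer compiles — verify before merging. `main`'s body runs between the two hunks, and the class's closing brace is the last context line of the second hunk.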
diff --git a/ecomp-sdk/pom.xml b/ecomp-sdk/pom.xml index 9046f458..b2abfdb7 100644 --- a/ecomp-sdk/pom.xml +++ b/ecomp-sdk/pom.xml @@ -14,7 +14,7 @@ org.onap.portal.sdk epsdk-project - 2.1.0 + 2.1.1 pom portal-sdk https://wiki.onap.org/display/DW/Portal @@ -31,7 +31,7 @@ UTF-8 - 4.2.0.RELEASE + 4.2.3.RELEASE 4.3.11.Final false https://nexus.onap.org -- cgit 1.2.3-korg