From e22eec55bf0815dd1c303ac5fb1c6e6f211a70f0 Mon Sep 17 00:00:00 2001
From: "Christopher Lott (cl778h)" <clott@research.att.com>
Date: Wed, 25 Oct 2017 09:55:06 -0400
Subject: Repair security filters

Revise app web.xml to remove typo in Java package name.
Also drop unneeded test class.

Issue: PORTAL-135
Change-Id: I49662928c5eed38520e9a9c5f839385148aef0fa
Signed-off-by: Christopher Lott (cl778h) <clott@research.att.com>
---
 .../analytics/controller/ActionHandler.java        |   4 +-
 .../portalsdk/analytics/model/ReportHandler.java   |   3 +-
 .../analytics/model/runtime/ChartD3Helper.java     |  18 ++--
 .../epsdk-app-os/src/main/webapp/WEB-INF/web.xml   |   2 +-
 .../onap/portalsdk/core/util/EncDecUtilTest.java   | 109 ---------------------
 ecomp-sdk/pom.xml                                  |  13 +++
 6 files changed, 27 insertions(+), 122 deletions(-)
 delete mode 100644 ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/util/EncDecUtilTest.java

diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/controller/ActionHandler.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/controller/ActionHandler.java
index 36c9d526..ba455899 100644
--- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/controller/ActionHandler.java
+++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/controller/ActionHandler.java
@@ -1949,12 +1949,12 @@ public class ActionHandler extends org.onap.portalsdk.analytics.RaptorObject {
         logger.debug(EELFLoggerDelegate.debugLogger, ("Command Executed "));
         //Connection connection = DbUtils.getConnection();
         Enumeration enum1 = rr.getParamKeys();
-        String value = "", key = "";
+        String value = "";
         String paramStr = "";
         StringBuffer paramBuffer = new StringBuffer();
         if(enum1!=null) {
             for (; enum1.hasMoreElements();) {
-                 key = (String) enum1.nextElement();
+            	String key = (String) enum1.nextElement();
                  value = rr.getParamValue(key);
                  paramBuffer.append(key+":"+value+" ");
             }
diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/ReportHandler.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/ReportHandler.java
index b4c6faac..0afd354e 100644
--- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/ReportHandler.java
+++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/ReportHandler.java
@@ -167,6 +167,7 @@ import org.onap.portalsdk.analytics.xmlobj.Reports;
 import org.onap.portalsdk.analytics.xmlobj.SemaphoreList;
 import org.onap.portalsdk.analytics.xmlobj.SemaphoreType;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
+import org.owasp.esapi.ESAPI;
 
 import com.lowagie.text.Document;
 import com.lowagie.text.Paragraph;
@@ -3712,7 +3713,7 @@ public class ReportHandler extends org.onap.portalsdk.analytics.RaptorObject {
 	                	//strBuf.append("Run-time Parameters\n");
 	                }
 	                	csvOut.print("\"" + value.getId() +":" + "\",");
-	                	valueName = nvl(value.getName());
+	                	valueName = ESAPI.encoder().canonicalize(nvl(value.getName()));
 	                	if(valueName.indexOf("~")!= -1 && valueName.startsWith("(")) {
 	                		csvOut.print("\"'" + valueName.replaceAll("~",",")+ "'\",");
 	                	} else {
diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ChartD3Helper.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ChartD3Helper.java
index 1a8da8d0..f5c641a4 100644
--- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ChartD3Helper.java
+++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/runtime/ChartD3Helper.java
@@ -61,6 +61,7 @@ import java.util.regex.Pattern;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
 
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.lang.time.DateUtils;
 import org.onap.portalsdk.analytics.error.RaptorException;
 import org.onap.portalsdk.analytics.model.ReportHandler;
@@ -1932,29 +1933,28 @@ public class ChartD3Helper {
 					wholeScript.append("<script> \n");
 
 					wholeScript.append("historicalBarChart = [ \n");
-					 double TOTAL = 0;
-					 double VALUE = 0;
+					 double total = 0;
+					 double value = 0;
 					 int flagNull = 0;
-					 String KEY = "";
 					 String COLOR = "";
 					 TreeSet<String> colorList = new TreeSet<String>();
 					 for (int i = 0; i < ds.getRowCount(); i++) {
-						 VALUE = 0;
+						 value = 0;
 						 try {
-						  VALUE = Double.parseDouble(ds.getString(i, 2));
-						  TOTAL = TOTAL+VALUE;
+							 value = Double.parseDouble(ds.getString(i, 2));
+						  total = total+value;
 						 } catch (NumberFormatException ex) {
 							 flagNull = 1;
 						 }
-						 KEY = ds.getString(i, 0);
+						 String key = ds.getString(i, 0);
 						 try {
 							 if(ds.getString(i, "chart_color")!=null) {
-								 colorList.add(KEY+"|"+ds.getString(i,  "chart_color"));					 
+								 colorList.add(key+"|"+ds.getString(i,  "chart_color"));					 
 							 }
 						 } catch (ArrayIndexOutOfBoundsException ex) {
 							 //System.out.println("No Chart Color");
 						 }
-						 wholeScript.append("{ \""+ "key" +"\":\""+ KEY+"\", \""+ "y" +"\":"+VALUE+"}, \n");
+						 wholeScript.append("{ \""+ "key" +"\":\""+ key+"\", \""+ "y" +"\":"+value+"}, \n");
 						 
 					 }
 					 StringBuffer color = new StringBuffer("");
diff --git a/ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/web.xml b/ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/web.xml
index 7441508a..f5039df4 100644
--- a/ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/web.xml
+++ b/ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/web.xml
@@ -15,7 +15,7 @@
 	</session-config>
 	<filter>
     <filter-name>SecurityXssFilter</filter-name>
-    <filter-class>org.onap.portalapp.filtersss.SecurityXssFilter</filter-class>
+    <filter-class>org.onap.portalapp.filter.SecurityXssFilter</filter-class>
    </filter> 
     <filter-mapping>
     <filter-name>SecurityXssFilter</filter-name>
diff --git a/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/util/EncDecUtilTest.java b/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/util/EncDecUtilTest.java
deleted file mode 100644
index 926ed347..00000000
--- a/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/util/EncDecUtilTest.java
+++ /dev/null
@@ -1,109 +0,0 @@
-/*
- * ============LICENSE_START==========================================
- * ONAP Portal SDK
- * ===================================================================
- * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * ===================================================================
- *
- * Unless otherwise specified, all software contained herein is licensed
- * under the Apache License, Version 2.0 (the "License");
- * you may not use this software except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *             http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Unless otherwise specified, all documentation contained herein is licensed
- * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
- * you may not use this documentation except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *             https://creativecommons.org/licenses/by/4.0/
- *
- * Unless required by applicable law or agreed to in writing, documentation
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * ============LICENSE_END============================================
- *
- * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- */
-package org.onap.portalsdk.core.util;
-
-import java.io.UnsupportedEncodingException;
-import java.security.AlgorithmParameters;
-import java.security.GeneralSecurityException;
-import java.security.SecureRandom;
-
-import javax.crypto.Cipher;
-import javax.crypto.SecretKey;
-import javax.crypto.SecretKeyFactory;
-import javax.crypto.spec.IvParameterSpec;
-import javax.crypto.spec.PBEKeySpec;
-import javax.crypto.spec.SecretKeySpec;
-
-import org.apache.commons.codec.binary.Base64;
-
-public class EncDecUtilTest {
-
-	private static final String WORD = "test";
-	private static final String SALT = "r n�HN~��|f��X�";
-	private static final int ITERATIONS = 65536;
-	private static final int KEY_SIZE = 256;
-	private byte[] ivBytes;
-
-	public String encrypt(String plainText) throws UnsupportedEncodingException, GeneralSecurityException {
-
-		// get salt
-		// salt = generateSalt();
-		byte[] saltBytes = SALT.getBytes("UTF-8");
-
-		// Derive the key
-		SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
-		PBEKeySpec spec = new PBEKeySpec(WORD.toCharArray(), saltBytes, ITERATIONS, KEY_SIZE);
-
-		SecretKey secretKey = factory.generateSecret(spec);
-		SecretKeySpec secret = new SecretKeySpec(secretKey.getEncoded(), "AES");
-
-		// encrypt the message
-		Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
-		cipher.init(Cipher.ENCRYPT_MODE, secret);
-		AlgorithmParameters params = cipher.getParameters();
-		ivBytes = params.getParameterSpec(IvParameterSpec.class).getIV();
-		byte[] encryptedTextBytes = cipher.doFinal(plainText.getBytes("UTF-8"));
-		return Base64.encodeBase64String(encryptedTextBytes);
-	}
-
-	public String decrypt(String encryptedText) throws UnsupportedEncodingException, GeneralSecurityException  {
-		byte[] saltBytes = SALT.getBytes("UTF-8");
-		byte[] encryptedTextBytes = Base64.decodeBase64(encryptedText);
-
-		// Derive the key
-		SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
-		PBEKeySpec spec = new PBEKeySpec(WORD.toCharArray(), saltBytes, ITERATIONS, KEY_SIZE);
-
-		SecretKey secretKey = factory.generateSecret(spec);
-		SecretKeySpec secret = new SecretKeySpec(secretKey.getEncoded(), "AES");
-
-		// Decrypt the message
-		Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
-		cipher.init(Cipher.DECRYPT_MODE, secret, new IvParameterSpec(ivBytes));
-
-		byte[] decryptedTextBytes = cipher.doFinal(encryptedTextBytes);
-		return new String(decryptedTextBytes);
-	}
-
-	public String generateSalt() {
-		SecureRandom random = new SecureRandom();
-		byte [] bytes = new byte[20];
-		random.nextBytes(bytes);
-		return new String(bytes);
-	}
-}
\ No newline at end of file
diff --git a/ecomp-sdk/pom.xml b/ecomp-sdk/pom.xml
index bb390560..8cae0a58 100644
--- a/ecomp-sdk/pom.xml
+++ b/ecomp-sdk/pom.xml
@@ -134,6 +134,19 @@
 						</lifecycleMappingMetadata>
 					</configuration>
 				</plugin>
+				<!-- maven-site-plugin config is provided by OParent -->
+				<plugin>
+					<groupId>org.apache.maven.plugins</groupId>
+					<artifactId>maven-site-plugin</artifactId>
+					<version>3.6</version>
+					<dependencies>
+						<dependency>
+							<groupId>org.apache.maven.wagon</groupId>
+							<artifactId>wagon-webdav-jackrabbit</artifactId>
+							<version>2.10</version>
+						</dependency>
+					</dependencies>
+				</plugin>
 			</plugins>
 		</pluginManagement>
 
-- 
cgit 1.2.3-korg