From e3982f6c2a13c903947a66d89e1af1ccbb161e5f Mon Sep 17 00:00:00 2001 From: "Christopher Lott (cl778h)" Date: Fri, 20 Oct 2017 08:22:19 -0400 Subject: Role management; security vulnerabilities. Extend user/role management interface to allow role deletion. Add filters to defend against common web Javascript attacks. Drop Greensock code with unusable license. Use OParent in EPSDK web application. Issue: US324470, US342324, PORTAL-127 Change-Id: I3a10744fbbbdbda7c88d2b2e542e72e779c9b142 Signed-off-by: Christopher Lott (cl778h) --- .../analytics/system/fusion/controller/FileServletController.java | 3 ++- .../analytics/system/fusion/web/RaptorControllerAsync.java | 8 +++++--- 2 files changed, 7 insertions(+), 4 deletions(-) (limited to 'ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion') diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/controller/FileServletController.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/controller/FileServletController.java index 1d1fdd84..b6c985a5 100644 --- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/controller/FileServletController.java +++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/controller/FileServletController.java @@ -58,6 +58,7 @@ import javax.servlet.http.HttpServletResponse; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; import org.onap.portalsdk.core.service.DataAccessService; +import org.owasp.esapi.ESAPI; import org.springframework.web.servlet.ModelAndView;; @@ -175,7 +176,7 @@ public class FileServletController { response.setContentLength((int) outStream.length); response.setContentType("application/octet-stream"); response.setHeader("Content-disposition", "attachment; filename=\"" - + name + "\""); + + ESAPI.encoder().canonicalize(name) + "\""); copyStream(response, outStream); } catch (Exception ex) { if (os == null) diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/web/RaptorControllerAsync.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/web/RaptorControllerAsync.java index 8165801c..8478c73c 100644 --- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/web/RaptorControllerAsync.java +++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/web/RaptorControllerAsync.java @@ -105,7 +105,9 @@ import org.onap.portalsdk.analytics.xmlobj.PredefinedValueList; import org.onap.portalsdk.core.controller.RestrictedBaseController; import org.onap.portalsdk.core.domain.User; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; +import org.onap.portalsdk.core.util.SecurityCodecUtil; import org.onap.portalsdk.core.web.support.UserUtils; +import org.owasp.esapi.ESAPI; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.PathVariable; import org.springframework.web.bind.annotation.RequestBody; @@ -1415,10 +1417,10 @@ public class RaptorControllerAsync extends RestrictedBaseController { for (int i = 0; i < reqParameters.length; i++) { if (!reqParameters[i].startsWith("ff")) sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase() + "]", - request.getParameter(reqParameters[i].toUpperCase())); + ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),request.getParameter(reqParameters[i].toUpperCase()))); else - sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase() + "]", - request.getParameter(reqParameters[i])); + sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase() + "]", + ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),request.getParameter(reqParameters[i]))); } } if (session != null) { -- cgit 1.2.3-korg