From e3982f6c2a13c903947a66d89e1af1ccbb161e5f Mon Sep 17 00:00:00 2001
From: "Christopher Lott (cl778h)" <clott@research.att.com>
Date: Fri, 20 Oct 2017 08:22:19 -0400
Subject: Role management; security vulnerabilities.

Extend user/role management interface to allow role deletion.
Add filters to defend against common web Javascript attacks.
Drop Greensock code with unusable license.
Use OParent in EPSDK web application.

Issue: US324470, US342324, PORTAL-127
Change-Id: I3a10744fbbbdbda7c88d2b2e542e72e779c9b142
Signed-off-by: Christopher Lott (cl778h) <clott@research.att.com>
---
 .../onap/portalapp/controller/core/RoleListController.java  | 10 +++++++++-
 .../portalapp/controller/sample/ElementModelController.java | 13 +++++++------
 2 files changed, 16 insertions(+), 7 deletions(-)

(limited to 'ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller')

diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/RoleListController.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/RoleListController.java
index e7682809..b89cb43c 100644
--- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/RoleListController.java
+++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/RoleListController.java
@@ -50,6 +50,8 @@ import org.onap.portalsdk.core.controller.RestrictedBaseController;
 import org.onap.portalsdk.core.domain.Role;
 import org.onap.portalsdk.core.domain.User;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
+import org.onap.portalsdk.core.onboarding.util.PortalApiConstants;
+import org.onap.portalsdk.core.onboarding.util.PortalApiProperties;
 import org.onap.portalsdk.core.service.RoleService;
 import org.onap.portalsdk.core.web.support.JsonMessage;
 import org.onap.portalsdk.core.web.support.UserUtils;
@@ -73,6 +75,11 @@ public class RoleListController extends RestrictedBaseController {
 	private RoleService service;
 
 	private String viewName;
+	
+	private static final String isAccessCentralized = PortalApiProperties
+			.getProperty(PortalApiConstants.ROLE_ACCESS_CENTRALIZED);
+	private static final String isCentralized = "remote";
+
 
 	@RequestMapping(value = { "/role_list" }, method = RequestMethod.GET)
 	public ModelAndView getRoleList(HttpServletRequest request) {
@@ -151,8 +158,9 @@ public class RoleListController extends RestrictedBaseController {
 			Role role = mapper.readValue(root.get("role").toString(), Role.class);
 
 			Role domainRole = service.getRole(user.getOrgUserId(), role.getId());
-
+			if (!isCentralized.equals(isAccessCentralized)) {
 			service.deleteDependcyRoleRecord(user.getOrgUserId(), role.getId());
+			}
 			service.deleteRole(user.getOrgUserId(), domainRole);
 			logger.info(EELFLoggerDelegate.auditLogger, "Remove role " + domainRole.getId());
 
diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/ElementModelController.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/ElementModelController.java
index 34e4db7d..aa327850 100644
--- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/ElementModelController.java
+++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/ElementModelController.java
@@ -40,6 +40,7 @@ package org.onap.portalapp.controller.sample;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.io.FilenameUtils;
 import org.onap.portalsdk.core.controller.RestrictedBaseController;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
 import org.onap.portalsdk.core.service.ElementLinkService;
@@ -57,11 +58,11 @@ public class ElementModelController extends RestrictedBaseController {
 	@RequestMapping(value = { "/elementMapLayout" }, method = RequestMethod.GET, produces = "text/plain")
 	public String layout(HttpServletRequest request, HttpServletResponse response) throws Exception {
 
-		String collapseDomains = request.getParameter("collapsedDomains");
-		String expandDomains = request.getParameter("expandedDomains");
+		String collapseDomains =  FilenameUtils.normalize(request.getParameter("collapsedDomains"));
+		String expandDomains =  FilenameUtils.normalize(request.getParameter("expandedDomains"));
 
-		String contentFileName = request.getParameter("contentFileName");
-		String layoutFileName = request.getParameter("layoutFileName");
+		String contentFileName =  FilenameUtils.normalize(request.getParameter("contentFileName"));
+		String layoutFileName =  FilenameUtils.normalize(request.getParameter("layoutFileName"));
 
 		final String realPath = request.getServletContext().getRealPath("/");
 		logger.debug(EELFLoggerDelegate.debugLogger, "layout: servlet context real path: {}", realPath);
@@ -76,8 +77,8 @@ public class ElementModelController extends RestrictedBaseController {
 	@RequestMapping(value = { "/elementMapLink" }, method = RequestMethod.GET, produces = "text/plain")
 	public String callflow(HttpServletRequest request, HttpServletResponse response) throws Exception {
 
-		String callFlowName = request.getParameter("callFlowName");
-		String callFlowStep = request.getParameter("callFlowStep");
+		String callFlowName = FilenameUtils.normalize(request.getParameter("callFlowName"));
+		String callFlowStep = FilenameUtils.normalize(request.getParameter("callFlowStep"));
 
 		final String realPath = request.getServletContext().getRealPath("/");
 		logger.debug(EELFLoggerDelegate.debugLogger, "callflow: servlet context real path: {}", realPath);
-- 
cgit 1.2.3-korg