From ed07ebfbce4031ef4dfbd2f42147f6a7b351aeb8 Mon Sep 17 00:00:00 2001
From: st782s <statta@research.att.com>
Date: Wed, 22 Nov 2017 11:41:10 -0500
Subject: Harden code

Issue-ID: PORTAL-145,PORTAL-119
Harden code to address SQL injecton, XSS vulnerabilities; Separate
docker images for portal, sdk app and DMaaPBC ui

Change-Id: I85fad4d3fcee3243207b8f0dfe21beaa41602204
Signed-off-by: st782s <statta@research.att.com>
---
 .../controller/sample/BroadcastListController.java |   6 +-
 .../onap/portalapp/util/SecurityXssValidator.java  | 138 ++++++++++++---------
 2 files changed, 84 insertions(+), 60 deletions(-)

(limited to 'ecomp-sdk/epsdk-app-common/src/main')

diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/BroadcastListController.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/BroadcastListController.java
index fa1bcbeb..aeeaca56 100644
--- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/BroadcastListController.java
+++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/BroadcastListController.java
@@ -47,6 +47,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.json.JSONObject;
 import org.onap.portalsdk.core.controller.RestrictedBaseController;
 import org.onap.portalsdk.core.domain.BroadcastMessage;
+import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
 import org.onap.portalsdk.core.service.BroadcastService;
 import org.onap.portalsdk.core.web.support.JsonMessage;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -62,6 +63,7 @@ import com.fasterxml.jackson.databind.ObjectMapper;
 @Controller
 @RequestMapping("/")
 public class BroadcastListController extends RestrictedBaseController {
+	private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(BroadcastListController.class);
 
 	@Autowired
 	private BroadcastService broadcastService;
@@ -86,7 +88,7 @@ public class BroadcastListController extends RestrictedBaseController {
 			JSONObject j = new JSONObject(msg);
 			response.getWriter().write(j.toString());
 		} catch (Exception e) {
-			e.printStackTrace();
+			logger.error(EELFLoggerDelegate.errorLogger, "getBroadcast() failed", e);
 		}
 
 	}
@@ -120,6 +122,7 @@ public class BroadcastListController extends RestrictedBaseController {
 			request.setCharacterEncoding("UTF-8");
 			PrintWriter out = response.getWriter();
 			out.write(e.getMessage());
+			logger.error(EELFLoggerDelegate.errorLogger, "remove() failed", e);
 			return null;
 		}
 
@@ -154,6 +157,7 @@ public class BroadcastListController extends RestrictedBaseController {
 			request.setCharacterEncoding("UTF-8");
 			PrintWriter out = response.getWriter();
 			out.write(e.getMessage());
+			logger.error(EELFLoggerDelegate.errorLogger, "toggleActive() failed", e);
 			return null;
 		}
 
diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java
index 3d2f741c..b51cb8db 100644
--- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java
+++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java
@@ -43,6 +43,7 @@ import java.util.concurrent.locks.Lock;
 import java.util.concurrent.locks.ReentrantLock;
 import java.util.regex.Pattern;
 
+import org.apache.commons.lang.NotImplementedException;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.lang3.StringEscapeUtils;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
@@ -55,80 +56,78 @@ import org.owasp.esapi.codecs.MySQLCodec.Mode;
 
 public class SecurityXssValidator {
 	private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssValidator.class);
-	
+
 	private static final String MYSQL_DB = "mysql";
 	private static final String ORACLE_DB = "oracle";
-	private static final String MARIA_DB ="mariadb";
-	
-	
+	private static final String MARIA_DB = "mariadb";
+
 	static SecurityXssValidator validator = null;
 	private static Codec instance;
 	private static final Lock lock = new ReentrantLock();
-	
+
 	public static SecurityXssValidator getInstance() {
-		
-		if(validator == null) {
+
+		if (validator == null) {
 			lock.lock();
 			try {
-				if(validator == null)
-					validator =  new SecurityXssValidator();
+				if (validator == null)
+					validator = new SecurityXssValidator();
 			} finally {
 				lock.unlock();
 			}
 		}
-		
+
 		return validator;
 	}
-	
+
 	private SecurityXssValidator() {
 		// Avoid anything between script tags
-				XSS_INPUT_PATTERNS.add(Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE));
+		XSS_INPUT_PATTERNS.add(Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE));
+
+		// avoid iframes
+		XSS_INPUT_PATTERNS.add(Pattern.compile("<iframe(.*?)>(.*?)</iframe>", Pattern.CASE_INSENSITIVE));
 
-				// avoid iframes
-				XSS_INPUT_PATTERNS.add(Pattern.compile("<iframe(.*?)>(.*?)</iframe>", Pattern.CASE_INSENSITIVE));
+		// Avoid anything in a src='...' type of expression
+		XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'",
+				Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
 
-				// Avoid anything in a src='...' type of expression
-				XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'",
-						Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+		XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"",
+				Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
 
-				XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"",
-						Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+		XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)",
+				Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
 
-				XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)",
-						Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+		// Remove any lonesome </script> tag
+		XSS_INPUT_PATTERNS.add(Pattern.compile("</script>", Pattern.CASE_INSENSITIVE));
 
-				// Remove any lonesome </script> tag
-				XSS_INPUT_PATTERNS.add(Pattern.compile("</script>", Pattern.CASE_INSENSITIVE));
+		XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<script>|</script>).*", Pattern.CASE_INSENSITIVE));
 
-				// Remove any lonesome <script ...> tag
-				XSS_INPUT_PATTERNS
-						.add(Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+		XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<iframe>|</iframe>).*", Pattern.CASE_INSENSITIVE));
 
-				// Avoid eval(...) expressions
-				XSS_INPUT_PATTERNS
-						.add(Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+		// Remove any lonesome <script ...> tag
+		XSS_INPUT_PATTERNS
+				.add(Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
 
-				// Avoid expression(...) expressions
-				XSS_INPUT_PATTERNS.add(Pattern.compile("expression\\((.*?)\\)",
-						Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+		// Avoid eval(...) expressions
+		XSS_INPUT_PATTERNS
+				.add(Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
 
-				// Avoid javascript:... expressions
-				XSS_INPUT_PATTERNS.add(Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE));
+		// Avoid expression(...) expressions
+		XSS_INPUT_PATTERNS.add(Pattern.compile("expression\\((.*?)\\)",
+				Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
 
-				// Avoid vbscript:... expressions
-				XSS_INPUT_PATTERNS.add(Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE));
+		// Avoid javascript:... expressions
+		XSS_INPUT_PATTERNS.add(Pattern.compile(".*(javascript:|vbscript:).*", Pattern.CASE_INSENSITIVE));
 
-				// Avoid onload= expressions
-				XSS_INPUT_PATTERNS
-						.add(Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+		// Avoid onload= expressions
+		XSS_INPUT_PATTERNS.add(
+				Pattern.compile(".*(onload(.*?)=).*", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
 	}
-	
-	private  List<Pattern> XSS_INPUT_PATTERNS = new ArrayList<Pattern>();
-	
+
+	private List<Pattern> XSS_INPUT_PATTERNS = new ArrayList<Pattern>();
 
 	/**
-	 * * This method takes a string and strips out any potential script
-	 * injections.
+	 * * This method takes a string and strips out any potential script injections.
 	 * 
 	 * @param value
 	 * @return String - the new "sanitized" string.
@@ -157,35 +156,56 @@ public class SecurityXssValidator {
 
 		return value;
 	}
-	
-	public  Codec getCodec() {
+
+	public Boolean denyXSS(String value) {
+		Boolean flag = Boolean.FALSE;
 		try {
-				if (null == instance) {
-					if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
-							MYSQL_DB)|| StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
-									MARIA_DB)) {
-						instance = new MySQLCodec(Mode.STANDARD);
-
-					} else if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
-							ORACLE_DB)) {
-						instance = new OracleCodec();
+			if (StringUtils.isNotBlank(value)) {
+				value = ESAPI.encoder().canonicalize(value);
+				for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) {
+					if (xssInputPattern.matcher(value).matches()) {
+						flag = Boolean.TRUE;
+						break;
 					}
+
 				}
-			
+			}
+
+		} catch (Exception e) {
+			logger.error(EELFLoggerDelegate.errorLogger, "denyXSS() failed", e);
+		}
+
+		return flag;
+	}
+
+	public Codec getCodec() {
+		try {
+			if (null == instance) {
+				if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), MYSQL_DB)
+						|| StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
+								MARIA_DB)) {
+					instance = new MySQLCodec(Mode.STANDARD);
+
+				} else if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
+						ORACLE_DB)) {
+					instance = new OracleCodec();
+				} else {
+					throw new NotImplementedException("Handling for data base \""
+							+ SystemProperties.getProperty(SystemProperties.DB_DRIVER) + "\" not yet implemented.");
+				}
+			}
 
 		} catch (Exception ex) {
-			System.out.println("Could not strip XSS from value = " + " | ex = " + ex.getMessage());
+			logger.error(EELFLoggerDelegate.errorLogger, "getCodec() failed", ex);
 		}
 		return instance;
 
 	}
 
-
 	public List<Pattern> getXSS_INPUT_PATTERNS() {
 		return XSS_INPUT_PATTERNS;
 	}
 
-
 	public void setXSS_INPUT_PATTERNS(List<Pattern> xSS_INPUT_PATTERNS) {
 		XSS_INPUT_PATTERNS = xSS_INPUT_PATTERNS;
 	}
-- 
cgit 1.2.3-korg