From e3982f6c2a13c903947a66d89e1af1ccbb161e5f Mon Sep 17 00:00:00 2001
From: "Christopher Lott (cl778h)" <clott@research.att.com>
Date: Fri, 20 Oct 2017 08:22:19 -0400
Subject: Role management; security vulnerabilities.

Extend user/role management interface to allow role deletion.
Add filters to defend against common web Javascript attacks.
Drop Greensock code with unusable license.
Use OParent in EPSDK web application.

Issue: US324470, US342324, PORTAL-127
Change-Id: I3a10744fbbbdbda7c88d2b2e542e72e779c9b142
Signed-off-by: Christopher Lott (cl778h) <clott@research.att.com>
---
 .../onap/portalapp/filter/SecurityXssFilter.java   | 130 +++++++++++++++++++++
 1 file changed, 130 insertions(+)
 create mode 100644 ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java

(limited to 'ecomp-sdk/epsdk-app-os/src/main/java/org/onap')

diff --git a/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
new file mode 100644
index 00000000..b3ebed73
--- /dev/null
+++ b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
@@ -0,0 +1,130 @@
+
+/*-
+ * ============LICENSE_START==========================================
+ * ONAP Portal
+ * ===================================================================
+ * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * ===================================================================
+ *
+ * Unless otherwise specified, all software contained herein is licensed
+ * under the Apache License, Version 2.0 (the "License");
+ * you may not use this software except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *             http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Unless otherwise specified, all documentation contained herein is licensed
+ * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
+ * you may not use this documentation except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *             https://creativecommons.org/licenses/by/4.0/
+ *
+ * Unless required by applicable law or agreed to in writing, documentation
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * ============LICENSE_END============================================
+ *
+ * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ */
+package org.onap.portalapp.filter;
+
+import java.io.IOException;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+
+import org.apache.commons.lang.StringUtils;
+import org.onap.portalapp.util.SecurityXssValidator;
+import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
+
+public class SecurityXssFilter implements Filter {
+
+	private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssFilter.class);
+
+	private SecurityXssValidator validator  = SecurityXssValidator.getInstance();
+	
+	class SecurityRequestWrapper extends HttpServletRequestWrapper {
+
+		public SecurityRequestWrapper(HttpServletRequest servletRequest) {
+			super(servletRequest);
+		}
+
+		@Override
+		public String[] getParameterValues(String parameter) {
+			String[] values = super.getParameterValues(parameter);
+
+			if (values == null) {
+				return null;
+			}
+
+			int count = values.length;
+			String[] encodedValues = new String[count];
+			for (int i = 0; i < count; i++) {
+				encodedValues[i] = stripXss(values[i]);
+				
+			}
+
+			return encodedValues;
+		}
+
+		private String stripXss(String value) {
+			
+			
+			return validator.stripXSS(value);
+		}
+
+		@Override
+		public String getParameter(String parameter) {
+			String value = super.getParameter(parameter);
+			if (StringUtils.isNotBlank(value)) {
+				value = stripXss(value);
+			}
+			return value;
+		}
+
+		@Override
+		public String getHeader(String name) {
+			String value = super.getHeader(name);
+			if (StringUtils.isNotBlank(value)) {
+				value = stripXss(value);
+			}
+			return value;
+		}
+	}
+	
+	@Override
+	public void init(FilterConfig filterConfig) throws ServletException {
+	}
+
+	@Override
+	public void destroy() {
+	}
+
+	@Override
+	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+			throws IOException, ServletException {
+
+		try {
+
+			chain.doFilter(new SecurityRequestWrapper((HttpServletRequest) request), response);
+		} catch (Exception e) {
+			logger.error(EELFLoggerDelegate.errorLogger, "doFilter() failed", e);
+		}
+	}
+
+}
-- 
cgit 1.2.3-korg