From e3982f6c2a13c903947a66d89e1af1ccbb161e5f Mon Sep 17 00:00:00 2001
From: "Christopher Lott (cl778h)" <clott@research.att.com>
Date: Fri, 20 Oct 2017 08:22:19 -0400
Subject: Role management; security vulnerabilities.

Extend user/role management interface to allow role deletion.
Add filters to defend against common web Javascript attacks.
Drop Greensock code with unusable license.
Use OParent in EPSDK web application.

Issue: US324470, US342324, PORTAL-127
Change-Id: I3a10744fbbbdbda7c88d2b2e542e72e779c9b142
Signed-off-by: Christopher Lott (cl778h) <clott@research.att.com>
---
 ecomp-sdk/epsdk-app-os/README.md                   |   2 +-
 ecomp-sdk/epsdk-app-os/pom.xml                     | 130 +++------------------
 .../onap/portalapp/filter/SecurityXssFilter.java   | 130 +++++++++++++++++++++
 .../epsdk-app-os/src/main/webapp/WEB-INF/web.xml   |  10 +-
 4 files changed, 153 insertions(+), 119 deletions(-)
 create mode 100644 ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java

(limited to 'ecomp-sdk/epsdk-app-os')

diff --git a/ecomp-sdk/epsdk-app-os/README.md b/ecomp-sdk/epsdk-app-os/README.md
index 1ac4a142..d9d7fb68 100644
--- a/ecomp-sdk/epsdk-app-os/README.md
+++ b/ecomp-sdk/epsdk-app-os/README.md
@@ -21,7 +21,7 @@ Version 1.4.0, <?day> <?month> 2017
 - PORTAL-90 Use approved ONAP license text
 - Portal-86 Remove application specific usages from tests and other files (rework)
 - Portal-104 Replaced the sql connector to maria db
-
+- Portal-127 Remove GreenSock license code from b2b library
 * Put new entries here *
 
 Version 1.3.0, 28 August 2017
diff --git a/ecomp-sdk/epsdk-app-os/pom.xml b/ecomp-sdk/epsdk-app-os/pom.xml
index 54bb65eb..469cf37a 100644
--- a/ecomp-sdk/epsdk-app-os/pom.xml
+++ b/ecomp-sdk/epsdk-app-os/pom.xml
@@ -4,142 +4,38 @@
 
 	<!-- This is the Maven project object model (POM) file for the open-source SDK web app.
 		 This is NOT the Portal - but it is developed and supported by the Portal team. -->
-	<groupId>org.onap.portal.sdk</groupId>
+
+	<parent>
+		<groupId>org.onap.portal.sdk</groupId>
+		<artifactId>epsdk-project</artifactId>
+		<version>1.4.0-SNAPSHOT</version>
+	</parent>
+
+        <!-- GroupId is inherited from parent -->
 	<artifactId>epsdk-app-os</artifactId>
-	<version>1.4.0-SNAPSHOT</version>
+        <!-- Version is inherited from parent -->
 	<packaging>war</packaging>
 	<name>ONAP Portal SDK Webapp for OpenSource</name>
 	<description>ONAP Portal SDK Web Application for public release</description>
 
-	<!-- OParent provides license audit, code audit, distribution management,
-                etc.  But jenkins build fails, so comment out for now.
-	<parent>
-		<groupId>org.onap.oparent</groupId>
-		<artifactId>oparent</artifactId>
-		<version>0.1.0</version>
-		<relativePath/>
-	</parent>
-	-->
-
 	<properties>
-		<encoding>UTF-8</encoding>
-		<epsdk.version>1.4.0-SNAPSHOT</epsdk.version>
-		<springframework.version>4.2.0.RELEASE</springframework.version>
-		<hibernate.version>4.3.11.Final</hibernate.version>
+		<!-- This determines the EPSDK library versions, helpful for testing -->
+		<epsdk.version>${project.version}</epsdk.version>
 		<!-- Skip assembling the zip; assemble via mvn -Dskipassembly=false .. -->
 		<skipassembly>true</skipassembly>
 		<!-- Tests usually require some setup that maven cannot do, so skip. -->
 		<skiptests>true</skiptests>
 	</properties>
 
-	<repositories>
-		<repository>
-			<id>onap-releases</id>
-			<name>ONAP - Release Repository</name>
-			<url>https://nexus.onap.org/content/repositories/releases</url>
-		</repository>
-		<repository>
-			<id>onap-staging</id>
-			<name>ONAP - Staging Repository</name>
-			<url>https://nexus.onap.org/content/repositories/staging</url>
-		</repository>
-		<repository>
-			<id>onap-snapshots</id>
-			<name>ONAP - Snapshot Repository</name>
-			<url>https://nexus.onap.org/content/repositories/snapshots</url>
-		</repository>
-		<repository>
- 			<id>onap-public</id>
-			<name>ONAP public Repository</name>
-			<url>https://nexus.onap.org/content/groups/public</url>
-		</repository>
-	</repositories>
-	<pluginRepositories>
-		<pluginRepository>
-			<id>releases</id>
-			<name>ONAP - Release Repository</name>
-			<url>https://nexus.onap.org/content/repositories/releases</url>
-		</pluginRepository>
-		<pluginRepository>
-			<id>staging</id>
-			<name>ONAP - Staging Repository</name>
-			<url>https://nexus.onap.org/content/repositories/staging</url>
-		</pluginRepository>
-		<pluginRepository>
-			<id>snapshots</id>
-			<name>ONAP - Snapshot Repository</name>
-			<url>https://nexus.onap.org/content/repositories/snapshots</url>
-		</pluginRepository>
-	</pluginRepositories>
+	<!-- repositories are inherited from parent -->
 
-	<profiles>
-		<!-- disable doclint, a new feature in Java 8, when generating javadoc -->
-		<profile>
-			<id>doclint-java8-disable</id>
-			<activation>
-				<jdk>[1.8,)</jdk>
-			</activation>
-			<build>
-				<plugins>
-					<plugin>
-						<groupId>org.apache.maven.plugins</groupId>
-						<artifactId>maven-javadoc-plugin</artifactId>
-						<version>2.10.4</version>
-						<configuration>
-							<additionalparam>-Xdoclint:none</additionalparam>
-						</configuration>
-					</plugin>
-				</plugins>
-			</build>
-		</profile>
-	</profiles>
+	<!-- profiles are inherited from parent -->
 
 	<build>
 		<!-- The war file name carries no version number -->
 		<finalName>${project.artifactId}</finalName>
 
-		<pluginManagement>
-			<plugins>
-				<!-- Silence Eclipse/m2e complaints about checkstyle plugin brought in by OParent -->
-				<plugin>
-					<groupId>org.eclipse.m2e</groupId>
-					<artifactId>lifecycle-mapping</artifactId>
-					<version>1.0.0</version>
-					<configuration>
-						<lifecycleMappingMetadata>
-							<pluginExecutions>
-								<pluginExecution>
-									<pluginExecutionFilter>
-										<groupId>org.apache.maven.plugins</groupId>
-										<artifactId>maven-checkstyle-plugin</artifactId>
-										<versionRange>2.17,)</versionRange>
-										<goals>
-											<goal>check</goal>
-										</goals>
-									</pluginExecutionFilter>
-									<action>
-										<ignore />
-									</action>
-								</pluginExecution>
-							</pluginExecutions>
-						</lifecycleMappingMetadata>
-					</configuration>
-				</plugin>
-			</plugins>
-		</pluginManagement>
-
 		<plugins>
-			<!-- Compile to Java 1.8 class output format -->
-			<plugin>
-				<groupId>org.apache.maven.plugins</groupId>
-				<artifactId>maven-compiler-plugin</artifactId>
-				<version>3.1</version>
-				<configuration>
-					<source>1.8</source>
-					<target>1.8</target>
-				</configuration>
-			</plugin>
-
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-surefire-plugin</artifactId>
diff --git a/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
new file mode 100644
index 00000000..b3ebed73
--- /dev/null
+++ b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
@@ -0,0 +1,130 @@
+
+/*-
+ * ============LICENSE_START==========================================
+ * ONAP Portal
+ * ===================================================================
+ * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * ===================================================================
+ *
+ * Unless otherwise specified, all software contained herein is licensed
+ * under the Apache License, Version 2.0 (the "License");
+ * you may not use this software except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *             http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Unless otherwise specified, all documentation contained herein is licensed
+ * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
+ * you may not use this documentation except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *             https://creativecommons.org/licenses/by/4.0/
+ *
+ * Unless required by applicable law or agreed to in writing, documentation
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * ============LICENSE_END============================================
+ *
+ * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ */
+package org.onap.portalapp.filter;
+
+import java.io.IOException;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+
+import org.apache.commons.lang.StringUtils;
+import org.onap.portalapp.util.SecurityXssValidator;
+import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
+
+public class SecurityXssFilter implements Filter {
+
+	private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssFilter.class);
+
+	private SecurityXssValidator validator  = SecurityXssValidator.getInstance();
+	
+	class SecurityRequestWrapper extends HttpServletRequestWrapper {
+
+		public SecurityRequestWrapper(HttpServletRequest servletRequest) {
+			super(servletRequest);
+		}
+
+		@Override
+		public String[] getParameterValues(String parameter) {
+			String[] values = super.getParameterValues(parameter);
+
+			if (values == null) {
+				return null;
+			}
+
+			int count = values.length;
+			String[] encodedValues = new String[count];
+			for (int i = 0; i < count; i++) {
+				encodedValues[i] = stripXss(values[i]);
+				
+			}
+
+			return encodedValues;
+		}
+
+		private String stripXss(String value) {
+			
+			
+			return validator.stripXSS(value);
+		}
+
+		@Override
+		public String getParameter(String parameter) {
+			String value = super.getParameter(parameter);
+			if (StringUtils.isNotBlank(value)) {
+				value = stripXss(value);
+			}
+			return value;
+		}
+
+		@Override
+		public String getHeader(String name) {
+			String value = super.getHeader(name);
+			if (StringUtils.isNotBlank(value)) {
+				value = stripXss(value);
+			}
+			return value;
+		}
+	}
+	
+	@Override
+	public void init(FilterConfig filterConfig) throws ServletException {
+	}
+
+	@Override
+	public void destroy() {
+	}
+
+	@Override
+	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+			throws IOException, ServletException {
+
+		try {
+
+			chain.doFilter(new SecurityRequestWrapper((HttpServletRequest) request), response);
+		} catch (Exception e) {
+			logger.error(EELFLoggerDelegate.errorLogger, "doFilter() failed", e);
+		}
+	}
+
+}
diff --git a/ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/web.xml b/ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/web.xml
index 0290f1fc..7441508a 100644
--- a/ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/web.xml
+++ b/ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/web.xml
@@ -10,8 +10,16 @@
 	<distributable />
 
 	<session-config>
-		<session-timeout>7</session-timeout>
+		<session-timeout>30</session-timeout>
 		<tracking-mode>COOKIE</tracking-mode>
 	</session-config>
+	<filter>
+    <filter-name>SecurityXssFilter</filter-name>
+    <filter-class>org.onap.portalapp.filtersss.SecurityXssFilter</filter-class>
+   </filter> 
+    <filter-mapping>
+    <filter-name>SecurityXssFilter</filter-name>
+    <url-pattern>/*</url-pattern>
+  </filter-mapping>
 
 </web-app>
\ No newline at end of file
-- 
cgit 1.2.3-korg