From 304033445a8333cd088910fc3e43ca9222237816 Mon Sep 17 00:00:00 2001
From: robertlo
Date: Mon, 8 Jan 2018 17:08:00 -0500
Subject: Harden code
Issue-ID: PORTAL-145
Harden code to address Open Redirect in Portal SDK
Change-Id: If7e923366be11b78c1359dfe5b8fc14a2927c668
Signed-off-by: robertlo
---
 .../onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxy.java | 5 +++--
 .../main/java/org/onap/portalsdk/core/onboarding/util/SSOUtil.java | 3 ++-
 2 files changed, 5 insertions(+), 3 deletions(-)
(limited to 'ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk')
diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxy.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxy.java
index 1303aad5..2ceb8e7c 100644
--- a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxy.java
+++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/crossapi/PortalRestAPIProxy.java
@@ -61,6 +61,7 @@ import org.onap.portalsdk.core.onboarding.util.PortalApiConstants;
 import org.onap.portalsdk.core.onboarding.util.PortalApiProperties;
 import org.onap.portalsdk.core.restful.domain.EcompRole;
 import org.onap.portalsdk.core.restful.domain.EcompUser;
+import org.owasp.esapi.ESAPI;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.core.type.TypeReference;
@@ -305,12 +306,12 @@ public class PortalRestAPIProxy extends HttpServlet implements IPortalRestAPISer
 }
 } else {
 String msg = "doPost: no match for request " + requestUri;
-logger.warn(msg);
+logger.warn( ESAPI.encoder().encodeForHTML(msg));
 responseJson = buildJsonResponse(false, msg);
 response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
 }
 } catch (Exception ex) {
-logger.error("doPost: Failed to process request " + requestUri, ex);
+logger.error("doPost: Failed to process request " + ESAPI.encoder().encodeForHTML(requestUri), ex);
 response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
 responseJson = buildJsonResponse(ex);
 }
diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/SSOUtil.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/SSOUtil.java
index 2d491cfa..c1776959 100644
--- a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/SSOUtil.java
+++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/util/SSOUtil.java
@@ -45,6 +45,7 @@ import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.owasp.esapi.ESAPI;
 
 public class SSOUtil {
 
@@ -69,7 +70,7 @@ public class SSOUtil {
 try {
 encodedAppURL = URLEncoder.encode(appURL, "UTF-8");
 } catch (UnsupportedEncodingException ex) {
-logger.error("getECOMPSSORedirectURL: Failed to encode app URL " + appURL, ex);
+logger.error("getECOMPSSORedirectURL: Failed to encode app URL " + ESAPI.encoder().encodeForHTML(appURL), ex);
 }
 String portalURL = PortalApiProperties.getProperty(PortalApiConstants.ECOMP_REDIRECT_URL);
 if (portalURL == null || portalURL.length() == 0) {
-- 
cgit 1.2.3-korg
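Review bot: In doPost's `catch (Exception ex)` block the new `logger.error("doPost: Failed to process request " + ESAPI.encoder().encodeForHTML(requestUri), ex)` line makes the error path itself depend on ESAPI being configured; as far as I recall `ESAPI.encoder()` throws a ConfigurationException when `ESAPI.properties` cannot be located, in which case the handler would fail before `response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR)` runs and the original `ex` would be lost. Resolving the encoder once at class level (e.g. `private static final Encoder ENCODER = ESAPI.encoder();` with `org.owasp.esapi.Encoder` imported) surfaces a misconfiguration at load time instead of inside error handling; the same applies to the `logger.error` in SSOUtil.getECOMPSSORedirectURL's catch block. Two lines after the `logger.warn` change, `msg` (which embeds the raw `requestUri`) is still passed unencoded to `buildJsonResponse(false, msg)`, so only the log copy is encoded; whether the JSON writer escapes it adequately is not visible here and is worth confirming. A short comment such as `// HTML-encode before logging: requestUri is attacker-influenced and must not forge log entries` would document why an HTML encoder is applied to a log sink, and the stray space in `logger.warn( ESAPI` should go. doPost begins and ends outside the hunk.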
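Review bot: The commit title promises hardening against Open Redirect, but in getECOMPSSORedirectURL this hunk only changes how `appURL` is rendered in the `logger.error` message; `appURL` itself is still passed unchecked into `URLEncoder.encode(appURL, "UTF-8")` and, judging by the `ECOMP_REDIRECT_URL` lookup that follows, presumably embedded in the redirect built below the hunk. If `appURL` can be influenced by a caller, the redirect-relevant control is an allow-list or same-host check on it before the encode call, not the encoding of its log copy, and that gap should be stated in the commit description so readers do not take this change as the fix. A comment on the new line such as `// HTML-encode for the log only; appURL is still used unencoded for the redirect` would keep the two concerns from being confused. The method starts and ends outside the hunk.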