aboutsummaryrefslogtreecommitdiffstats
path: root/openecomp-be
diff options
context:
space:
mode:
authorvasraz <vasyl.razinkov@est.tech>2022-10-14 13:35:39 +0100
committerMichael Morris <michael.morris@est.tech>2022-10-18 08:27:16 +0000
commitddb9d5a7637b382be9ac7a96ad023a983c41c342 (patch)
tree4e551d6ce4348aed56f42b021bbe4fcfccc3cd15 /openecomp-be
parentccab3629426bdc6a87ca6102db3fdb23d4419b3e (diff)
Fix security risk 'Improper Input Validation'
Signed-off-by: Vasyl Razinkov <vasyl.razinkov@est.tech> Change-Id: I6a52148aec3b567db43ec57109214e52d106f73c Issue-ID: SDC-4189
Diffstat (limited to 'openecomp-be')
-rw-r--r--openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml28
-rw-r--r--openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/beans-services.xml2
-rw-r--r--openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml52
-rw-r--r--openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb3
-rw-r--r--openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/errors/DefaultExceptionMapper.java16
-rw-r--r--openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/filters/DataValidatorFilter.java71
-rw-r--r--openecomp-be/tools/migration/README2
7 files changed, 142 insertions, 32 deletions
diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml b/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml
index b51399ca54..f0291cb060 100644
--- a/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml
+++ b/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml
@@ -15,6 +15,15 @@
</listener>
<filter>
+ <filter-name>dataValidatorFilter</filter-name>
+ <filter-class>org.openecomp.sdc.common.filters.DataValidatorFilter</filter-class>
+ </filter>
+ <filter-mapping>
+ <filter-name>dataValidatorFilter</filter-name>
+ <url-pattern>/v1.0/*</url-pattern>
+ </filter-mapping>
+
+ <filter>
<filter-name>contentSecurityPolicyHeaderFilter</filter-name>
<filter-class>org.openecomp.sdc.common.filters.ContentSecurityPolicyHeaderFilter</filter-class>
<async-supported>true</async-supported>
@@ -54,6 +63,7 @@
<filter-name>RestrictionAccessFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
+
<!-- Spring WS Mapping -->
<servlet>
<servlet-name>spring-mapper</servlet-name>
@@ -62,10 +72,13 @@
</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
+ <servlet-mapping>
+ <servlet-name>spring-mapper</servlet-name>
+ <url-pattern>/ws/*</url-pattern>
+ </servlet-mapping>
<!-- CXF -->
<servlet>
<servlet-name>CXFServlet</servlet-name>
- <display-name>CXF Servlet</display-name>
<servlet-class>
org.apache.cxf.transport.servlet.CXFServlet
</servlet-class>
@@ -87,19 +100,14 @@
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
+ <servlet-mapping>
+ <servlet-name>CXFServlet</servlet-name>
+ <url-pattern>/*</url-pattern>
+ </servlet-mapping>
<context-param>
<param-name>org.eclipse.jetty.servlet.Default.dirAllowed</param-name>
<param-value>false</param-value>
</context-param>
- <servlet-mapping>
- <servlet-name>spring-mapper</servlet-name>
- <url-pattern>/ws/*</url-pattern>
- </servlet-mapping>
- <servlet-mapping>
- <servlet-name>CXFServlet</servlet-name>
- <url-pattern>/*</url-pattern>
- </servlet-mapping>
-
</web-app>
diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/beans-services.xml b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/beans-services.xml
index 9c2aa51a28..15251436d6 100644
--- a/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/beans-services.xml
+++ b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/beans-services.xml
@@ -104,4 +104,4 @@
</jaxrs:outInterceptors>
</jaxrs:server>
-</beans> \ No newline at end of file
+</beans>
diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml
index eb8bd9e93f..31400f878e 100644
--- a/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml
+++ b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml
@@ -25,8 +25,18 @@
</listener>
<filter>
+ <filter-name>dataValidatorFilter</filter-name>
+ <filter-class>org.openecomp.sdc.common.filters.DataValidatorFilter</filter-class>
+ </filter>
+ <filter-mapping>
+ <filter-name>dataValidatorFilter</filter-name>
+ <url-pattern>/v1.0/*</url-pattern>
+ </filter-mapping>
+
+ <filter>
<filter-name>contentSecurityPolicyHeaderFilter</filter-name>
- <filter-class>org.openecomp.sdc.common.filters.ContentSecurityPolicyHeaderFilter</filter-class>
+ <filter-class>org.openecomp.sdc.common.filters.ContentSecurityPolicyHeaderFilter
+ </filter-class>
<async-supported>true</async-supported>
</filter>
<filter-mapping>
@@ -41,9 +51,6 @@
<filter-mapping>
<filter-name>PermissionsFilter</filter-name>
<url-pattern>/v1.0/vendor-license-models/*</url-pattern>
- </filter-mapping>
- <filter-mapping>
- <filter-name>PermissionsFilter</filter-name>
<url-pattern>/v1.0/vendor-software-products/*</url-pattern>
</filter-mapping>
@@ -63,6 +70,10 @@
<param-value>*</param-value>
</init-param>
</filter>
+ <filter-mapping>
+ <filter-name>cross-origin</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
<filter>
<filter-name>RestrictionAccessFilter</filter-name>
@@ -73,34 +84,34 @@
<filter-name>RestrictionAccessFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
+
<filter>
<filter-name>BasicAuth</filter-name>
<filter-class>org.openecomp.server.filters.BasicAuthenticationFilter</filter-class>
</filter>
- <filter>
- <filter-name>AuthN</filter-name>
- <filter-class>org.openecomp.server.filters.ActionAuthenticationFilter</filter-class>
- </filter>
- <filter>
- <filter-name>AuthZ</filter-name>
- <filter-class>org.openecomp.server.filters.ActionAuthorizationFilter</filter-class>
- </filter>
- <filter-mapping>
- <filter-name>cross-origin</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
<filter-mapping>
<filter-name>BasicAuth</filter-name>
<url-pattern>/1.0/*</url-pattern>
</filter-mapping>
+
+ <filter>
+ <filter-name>AuthN</filter-name>
+ <filter-class>org.openecomp.server.filters.ActionAuthenticationFilter</filter-class>
+ </filter>
<filter-mapping>
<filter-name>AuthN</filter-name>
<url-pattern>/workflow/v1.0/actions/*</url-pattern>
</filter-mapping>
+
+ <filter>
+ <filter-name>AuthZ</filter-name>
+ <filter-class>org.openecomp.server.filters.ActionAuthorizationFilter</filter-class>
+ </filter>
<filter-mapping>
<filter-name>AuthZ</filter-name>
<url-pattern>/workflow/v1.0/actions/*</url-pattern>
</filter-mapping>
+
<filter>
<filter-name>SessionContextFilter</filter-name>
<filter-class>org.openecomp.server.filters.OnboardingSessionContextFilter</filter-class>
@@ -109,6 +120,7 @@
<filter-name>SessionContextFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
+
<!-- Spring WS Mapping -->
<servlet>
<servlet-name>spring-mapper</servlet-name>
@@ -117,6 +129,10 @@
</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
+ <servlet-mapping>
+ <servlet-name>spring-mapper</servlet-name>
+ <url-pattern>/ws/*</url-pattern>
+ </servlet-mapping>
<!-- CXF -->
<servlet>
<servlet-name>CXFServlet</servlet-name>
@@ -142,10 +158,6 @@
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
- <servlet-name>spring-mapper</servlet-name>
- <url-pattern>/ws/*</url-pattern>
- </servlet-mapping>
- <servlet-mapping>
<servlet-name>CXFServlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
diff --git a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb
index 93e0be9467..142977c078 100644
--- a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb
+++ b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb
@@ -72,3 +72,6 @@ externalCsarStore:
#Space separated list of permitted ancestors
permittedAncestors: <%= @permittedAncestors %>
+
+# Comma separated list of excluded URLs by the DataValidatorFilter
+dataValidatorFilterExcludedUrls: "/healthCheck,/followed,/authorize"
diff --git a/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/errors/DefaultExceptionMapper.java b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/errors/DefaultExceptionMapper.java
index a059434709..4ad6fd7874 100644
--- a/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/errors/DefaultExceptionMapper.java
+++ b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/errors/DefaultExceptionMapper.java
@@ -16,10 +16,12 @@
package org.openecomp.sdc.common.errors;
import com.fasterxml.jackson.databind.JsonMappingException;
+import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
+import javax.servlet.http.HttpServletResponse;
import javax.validation.ConstraintViolation;
import javax.validation.ConstraintViolationException;
import javax.validation.Path;
@@ -29,8 +31,12 @@ import javax.ws.rs.core.Response.Status;
import javax.ws.rs.ext.ExceptionMapper;
import org.apache.commons.collections4.CollectionUtils;
import org.hibernate.validator.internal.engine.path.PathImpl;
+import org.onap.sdc.security.RepresentationUtils;
import org.openecomp.core.utilities.file.FileUtils;
import org.openecomp.core.utilities.json.JsonUtil;
+import org.openecomp.sdc.exception.NotAllowedSpecialCharsException;
+import org.openecomp.sdc.exception.ResponseFormat;
+import org.openecomp.sdc.exception.ServiceException;
import org.openecomp.sdc.logging.api.Logger;
import org.openecomp.sdc.logging.api.LoggerFactory;
@@ -113,4 +119,14 @@ public class DefaultExceptionMapper implements ExceptionMapper<Exception> {
private Object toEntity(final Status status, final ErrorCode code) {
return new ErrorCodeAndMessage(status, code);
}
+
+ public void writeToResponse(final NotAllowedSpecialCharsException e, final HttpServletResponse httpResponse) throws IOException {
+ final ResponseFormat responseFormat = new ResponseFormat(400);
+ responseFormat.setServiceException(new ServiceException(e.getErrorId(), e.getMessage(), new String[0]));
+ httpResponse.setStatus(responseFormat.getStatus());
+ httpResponse.setContentType("application/json");
+ httpResponse.setCharacterEncoding("UTF-8");
+ httpResponse.getWriter().write(RepresentationUtils.toRepresentation(responseFormat.getRequestError()));
+ }
+
}
diff --git a/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/filters/DataValidatorFilter.java b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/filters/DataValidatorFilter.java
new file mode 100644
index 0000000000..6e3f665762
--- /dev/null
+++ b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/filters/DataValidatorFilter.java
@@ -0,0 +1,71 @@
+/*
+ * ============LICENSE_START=======================================================
+ * SDC
+ * ================================================================================
+ * Copyright (C) 2022 Nordix Foundation. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.common.filters;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.lang3.StringUtils;
+import org.openecomp.sdc.common.CommonConfigurationManager;
+import org.openecomp.sdc.common.errors.DefaultExceptionMapper;
+import org.openecomp.sdc.exception.NotAllowedSpecialCharsException;
+
+/**
+ * Implements DataValidatorFilter for onboarding.
+ * Extends {@link DataValidatorFilterAbstract}
+ */
+public class DataValidatorFilter extends DataValidatorFilterAbstract {
+
+ private final DefaultExceptionMapper defaultExceptionMapper;
+
+ public DataValidatorFilter() {
+ defaultExceptionMapper = new DefaultExceptionMapper();
+ }
+
+ @Override
+ public void doFilter(final ServletRequest request, ServletResponse response, final FilterChain chain)
+ throws IOException, ServletException, NotAllowedSpecialCharsException {
+ try {
+ super.doFilter(request, response, chain);
+ } catch (final NotAllowedSpecialCharsException e) {
+ defaultExceptionMapper.writeToResponse(e, (HttpServletResponse) response);
+ }
+ }
+
+ @Override
+ protected List<String> getDataValidatorFilterExcludedUrls() {
+ final CommonConfigurationManager commonConfigurationManager = CommonConfigurationManager.getInstance();
+ if (commonConfigurationManager != null) {
+ final String dataValidatorFilterExcludedUrls = commonConfigurationManager.getConfigValue(DATA_VALIDATOR_FILTER_EXCLUDED_URLS, "");
+ if (StringUtils.isNotBlank(dataValidatorFilterExcludedUrls)) {
+ return Arrays.asList(dataValidatorFilterExcludedUrls.split(","));
+ }
+ }
+ return new ArrayList<>();
+ }
+
+}
diff --git a/openecomp-be/tools/migration/README b/openecomp-be/tools/migration/README
index 2245aafb99..74f62f5050 100644
--- a/openecomp-be/tools/migration/README
+++ b/openecomp-be/tools/migration/README
@@ -42,7 +42,7 @@ Usage -
The migration result will be listed in a CSV file: upgradereport.csv
"None" is an indication that the VSP was not in a checkout status prior to the upgrade.
- Exmample for a valid output:
+ Example for a valid output:
Name: VSP-OK, Id: 9DB0E1563B22481D911ECD33989E1FDD, Vendor: ABC, locked by: None, status not started
Service VSP-OK was tested and does not need a migration