diff options
| author |   vasraz <vasyl.razinkov@est.tech> | 2022-10-14 13:35:39 +0100 |
|---|---|---|
| committer |   Michael Morris <michael.morris@est.tech> | 2022-10-18 08:27:16 +0000 |
| commit | ddb9d5a7637b382be9ac7a96ad023a983c41c342 (patch) | |
| tree | 4e551d6ce4348aed56f42b021bbe4fcfccc3cd15 /openecomp-be | |
| parent | ccab3629426bdc6a87ca6102db3fdb23d4419b3e (diff) | |
Fix security risk 'Improper Input Validation'
Signed-off-by: Vasyl Razinkov <vasyl.razinkov@est.tech>
Change-Id: I6a52148aec3b567db43ec57109214e52d106f73c
Issue-ID: SDC-4189
Diffstat (limited to 'openecomp-be')
7 files changed, 142 insertions, 32 deletions
diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml b/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml index b51399ca54..f0291cb060 100644 --- a/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml +++ b/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml @@ -15,6 +15,15 @@ </listener> <filter> + <filter-name>dataValidatorFilter</filter-name> + <filter-class>org.openecomp.sdc.common.filters.DataValidatorFilter</filter-class> + </filter> + <filter-mapping> + <filter-name>dataValidatorFilter</filter-name> + <url-pattern>/v1.0/*</url-pattern> + </filter-mapping> + + <filter> <filter-name>contentSecurityPolicyHeaderFilter</filter-name> <filter-class>org.openecomp.sdc.common.filters.ContentSecurityPolicyHeaderFilter</filter-class> <async-supported>true</async-supported> @@ -54,6 +63,7 @@ <filter-name>RestrictionAccessFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> + <!-- Spring WS Mapping --> <servlet> <servlet-name>spring-mapper</servlet-name> @@ -62,10 +72,13 @@ </servlet-class> <load-on-startup>1</load-on-startup> </servlet> + <servlet-mapping> + <servlet-name>spring-mapper</servlet-name> + <url-pattern>/ws/*</url-pattern> + </servlet-mapping> <!-- CXF --> <servlet> <servlet-name>CXFServlet</servlet-name> - <display-name>CXF Servlet</display-name> <servlet-class> org.apache.cxf.transport.servlet.CXFServlet </servlet-class> @@ -87,19 +100,14 @@ </init-param> <load-on-startup>1</load-on-startup> </servlet> + <servlet-mapping> + <servlet-name>CXFServlet</servlet-name> + <url-pattern>/*</url-pattern> + </servlet-mapping> <context-param> <param-name>org.eclipse.jetty.servlet.Default.dirAllowed</param-name> <param-value>false</param-value> </context-param> - <servlet-mapping> - <servlet-name>spring-mapper</servlet-name> - <url-pattern>/ws/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>CXFServlet</servlet-name> - <url-pattern>/*</url-pattern> - </servlet-mapping> - </web-app> diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/beans-services.xml b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/beans-services.xml index 9c2aa51a28..15251436d6 100644 --- a/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/beans-services.xml +++ b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/beans-services.xml @@ -104,4 +104,4 @@ </jaxrs:outInterceptors> </jaxrs:server> -</beans>
\ No newline at end of file +</beans> diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml index eb8bd9e93f..31400f878e 100644 --- a/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml +++ b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml @@ -25,8 +25,18 @@ </listener> <filter> + <filter-name>dataValidatorFilter</filter-name> + <filter-class>org.openecomp.sdc.common.filters.DataValidatorFilter</filter-class> + </filter> + <filter-mapping> + <filter-name>dataValidatorFilter</filter-name> + <url-pattern>/v1.0/*</url-pattern> + </filter-mapping> + + <filter> <filter-name>contentSecurityPolicyHeaderFilter</filter-name> - <filter-class>org.openecomp.sdc.common.filters.ContentSecurityPolicyHeaderFilter</filter-class> + <filter-class>org.openecomp.sdc.common.filters.ContentSecurityPolicyHeaderFilter + </filter-class> <async-supported>true</async-supported> </filter> <filter-mapping> @@ -41,9 +51,6 @@ <filter-mapping> <filter-name>PermissionsFilter</filter-name> <url-pattern>/v1.0/vendor-license-models/*</url-pattern> - </filter-mapping> - <filter-mapping> - <filter-name>PermissionsFilter</filter-name> <url-pattern>/v1.0/vendor-software-products/*</url-pattern> </filter-mapping> @@ -63,6 +70,10 @@ <param-value>*</param-value> </init-param> </filter> + <filter-mapping> + <filter-name>cross-origin</filter-name> + <url-pattern>/*</url-pattern> + </filter-mapping> <filter> <filter-name>RestrictionAccessFilter</filter-name> @@ -73,34 +84,34 @@ <filter-name>RestrictionAccessFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> + <filter> <filter-name>BasicAuth</filter-name> <filter-class>org.openecomp.server.filters.BasicAuthenticationFilter</filter-class> </filter> - <filter> - <filter-name>AuthN</filter-name> - <filter-class>org.openecomp.server.filters.ActionAuthenticationFilter</filter-class> - </filter> - <filter> - <filter-name>AuthZ</filter-name> - <filter-class>org.openecomp.server.filters.ActionAuthorizationFilter</filter-class> - </filter> - <filter-mapping> - <filter-name>cross-origin</filter-name> - <url-pattern>/*</url-pattern> - </filter-mapping> <filter-mapping> <filter-name>BasicAuth</filter-name> <url-pattern>/1.0/*</url-pattern> </filter-mapping> + + <filter> + <filter-name>AuthN</filter-name> + <filter-class>org.openecomp.server.filters.ActionAuthenticationFilter</filter-class> + </filter> <filter-mapping> <filter-name>AuthN</filter-name> <url-pattern>/workflow/v1.0/actions/*</url-pattern> </filter-mapping> + + <filter> + <filter-name>AuthZ</filter-name> + <filter-class>org.openecomp.server.filters.ActionAuthorizationFilter</filter-class> + </filter> <filter-mapping> <filter-name>AuthZ</filter-name> <url-pattern>/workflow/v1.0/actions/*</url-pattern> </filter-mapping> + <filter> <filter-name>SessionContextFilter</filter-name> <filter-class>org.openecomp.server.filters.OnboardingSessionContextFilter</filter-class> @@ -109,6 +120,7 @@ <filter-name>SessionContextFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> + <!-- Spring WS Mapping --> <servlet> <servlet-name>spring-mapper</servlet-name> @@ -117,6 +129,10 @@ </servlet-class> <load-on-startup>1</load-on-startup> </servlet> + <servlet-mapping> + <servlet-name>spring-mapper</servlet-name> + <url-pattern>/ws/*</url-pattern> + </servlet-mapping> <!-- CXF --> <servlet> <servlet-name>CXFServlet</servlet-name> @@ -142,10 +158,6 @@ <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> - <servlet-name>spring-mapper</servlet-name> - <url-pattern>/ws/*</url-pattern> - </servlet-mapping> - <servlet-mapping> <servlet-name>CXFServlet</servlet-name> <url-pattern>/*</url-pattern> </servlet-mapping> diff --git a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb index 93e0be9467..142977c078 100644 --- a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb +++ b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb @@ -72,3 +72,6 @@ externalCsarStore: #Space separated list of permitted ancestors permittedAncestors: <%= @permittedAncestors %> + +# Comma separated list of excluded URLs by the DataValidatorFilter +dataValidatorFilterExcludedUrls: "/healthCheck,/followed,/authorize" diff --git a/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/errors/DefaultExceptionMapper.java b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/errors/DefaultExceptionMapper.java index a059434709..4ad6fd7874 100644 --- a/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/errors/DefaultExceptionMapper.java +++ b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/errors/DefaultExceptionMapper.java @@ -16,10 +16,12 @@ package org.openecomp.sdc.common.errors; import com.fasterxml.jackson.databind.JsonMappingException; +import java.io.IOException; import java.util.ArrayList; import java.util.List; import java.util.Map; import java.util.Set; +import javax.servlet.http.HttpServletResponse; import javax.validation.ConstraintViolation; import javax.validation.ConstraintViolationException; import javax.validation.Path; @@ -29,8 +31,12 @@ import javax.ws.rs.core.Response.Status; import javax.ws.rs.ext.ExceptionMapper; import org.apache.commons.collections4.CollectionUtils; import org.hibernate.validator.internal.engine.path.PathImpl; +import org.onap.sdc.security.RepresentationUtils; import org.openecomp.core.utilities.file.FileUtils; import org.openecomp.core.utilities.json.JsonUtil; +import org.openecomp.sdc.exception.NotAllowedSpecialCharsException; +import org.openecomp.sdc.exception.ResponseFormat; +import org.openecomp.sdc.exception.ServiceException; import org.openecomp.sdc.logging.api.Logger; import org.openecomp.sdc.logging.api.LoggerFactory; @@ -113,4 +119,14 @@ public class DefaultExceptionMapper implements ExceptionMapper<Exception> { private Object toEntity(final Status status, final ErrorCode code) { return new ErrorCodeAndMessage(status, code); } + + public void writeToResponse(final NotAllowedSpecialCharsException e, final HttpServletResponse httpResponse) throws IOException { + final ResponseFormat responseFormat = new ResponseFormat(400); + responseFormat.setServiceException(new ServiceException(e.getErrorId(), e.getMessage(), new String[0])); + httpResponse.setStatus(responseFormat.getStatus()); + httpResponse.setContentType("application/json"); + httpResponse.setCharacterEncoding("UTF-8"); + httpResponse.getWriter().write(RepresentationUtils.toRepresentation(responseFormat.getRequestError())); + } + } diff --git a/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/filters/DataValidatorFilter.java b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/filters/DataValidatorFilter.java new file mode 100644 index 0000000000..6e3f665762 --- /dev/null +++ b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/filters/DataValidatorFilter.java @@ -0,0 +1,71 @@ +/* + * ============LICENSE_START======================================================= + * SDC + * ================================================================================ + * Copyright (C) 2022 Nordix Foundation. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.openecomp.sdc.common.filters; + +import java.io.IOException; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang3.StringUtils; +import org.openecomp.sdc.common.CommonConfigurationManager; +import org.openecomp.sdc.common.errors.DefaultExceptionMapper; +import org.openecomp.sdc.exception.NotAllowedSpecialCharsException; + +/** + * Implements DataValidatorFilter for onboarding. + * Extends {@link DataValidatorFilterAbstract} + */ +public class DataValidatorFilter extends DataValidatorFilterAbstract { + + private final DefaultExceptionMapper defaultExceptionMapper; + + public DataValidatorFilter() { + defaultExceptionMapper = new DefaultExceptionMapper(); + } + + @Override + public void doFilter(final ServletRequest request, ServletResponse response, final FilterChain chain) + throws IOException, ServletException, NotAllowedSpecialCharsException { + try { + super.doFilter(request, response, chain); + } catch (final NotAllowedSpecialCharsException e) { + defaultExceptionMapper.writeToResponse(e, (HttpServletResponse) response); + } + } + + @Override + protected List<String> getDataValidatorFilterExcludedUrls() { + final CommonConfigurationManager commonConfigurationManager = CommonConfigurationManager.getInstance(); + if (commonConfigurationManager != null) { + final String dataValidatorFilterExcludedUrls = commonConfigurationManager.getConfigValue(DATA_VALIDATOR_FILTER_EXCLUDED_URLS, ""); + if (StringUtils.isNotBlank(dataValidatorFilterExcludedUrls)) { + return Arrays.asList(dataValidatorFilterExcludedUrls.split(",")); + } + } + return new ArrayList<>(); + } + +} diff --git a/openecomp-be/tools/migration/README b/openecomp-be/tools/migration/README index 2245aafb99..74f62f5050 100644 --- a/openecomp-be/tools/migration/README +++ b/openecomp-be/tools/migration/README @@ -42,7 +42,7 @@ Usage - The migration result will be listed in a CSV file: upgradereport.csv "None" is an indication that the VSP was not in a checkout status prior to the upgrade. - Exmample for a valid output: + Example for a valid output: Name: VSP-OK, Id: 9DB0E1563B22481D911ECD33989E1FDD, Vendor: ABC, locked by: None, status not started Service VSP-OK was tested and does not need a migration |