diff options
author | vasraz <vasyl.razinkov@est.tech> | 2022-10-14 13:35:39 +0100 |
---|---|---|
committer | Michael Morris <michael.morris@est.tech> | 2022-10-18 08:27:16 +0000 |
commit | ddb9d5a7637b382be9ac7a96ad023a983c41c342 (patch) | |
tree | 4e551d6ce4348aed56f42b021bbe4fcfccc3cd15 /utils/webseal-simulator/src/main | |
parent | ccab3629426bdc6a87ca6102db3fdb23d4419b3e (diff) |
Fix security risk 'Improper Input Validation'
Signed-off-by: Vasyl Razinkov <vasyl.razinkov@est.tech>
Change-Id: I6a52148aec3b567db43ec57109214e52d106f73c
Issue-ID: SDC-4189
Diffstat (limited to 'utils/webseal-simulator/src/main')
5 files changed, 192 insertions, 116 deletions
diff --git a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/DataValidatorFilter.java b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/DataValidatorFilter.java new file mode 100644 index 0000000000..a226faf0eb --- /dev/null +++ b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/DataValidatorFilter.java @@ -0,0 +1,62 @@ +/* + * ============LICENSE_START======================================================= + * SDC + * ================================================================================ + * Copyright (C) 2022 Nordix Foundation. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.openecomp.sdc.webseal.simulator; + +import java.io.IOException; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang3.StringUtils; +import org.openecomp.sdc.common.filters.DataValidatorFilterAbstract; +import org.openecomp.sdc.exception.NotAllowedSpecialCharsException; +import org.openecomp.sdc.webseal.simulator.conf.Conf; + +/** + * Implement DataValidatorFilter for webseal. + * Extends {@link DataValidatorFilterAbstract} + */ +public class DataValidatorFilter extends DataValidatorFilterAbstract { + + @Override + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) + throws IOException, ServletException, NotAllowedSpecialCharsException { + try { + super.doFilter(request, response, chain); + } catch (final NotAllowedSpecialCharsException e) { + // error handing to show 'Error: Special characters not allowed.' + ((HttpServletResponse) response).sendError(400, ERROR_SPECIAL_CHARACTERS_NOT_ALLOWED); + } + } + + @Override + protected List<String> getDataValidatorFilterExcludedUrls() { + String dataValidatorFilterExcludedUrls = Conf.getInstance().getDataValidatorFilterExcludedUrls(); + if (StringUtils.isNotBlank(dataValidatorFilterExcludedUrls)) { + return Arrays.asList(dataValidatorFilterExcludedUrls.split(",")); + } + return new ArrayList<>(); + } +} diff --git a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/Login.java b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/Login.java index 32d8c2916d..292f4a30d4 100644 --- a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/Login.java +++ b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/Login.java @@ -113,7 +113,7 @@ public class Login extends HttpServlet { } @Override - public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { + public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException { String userId = request.getParameter("userId"); String password = request.getParameter("password"); diff --git a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/RequestsClient.java b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/RequestsClient.java index 7aa48e62cf..e8c4631c65 100644 --- a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/RequestsClient.java +++ b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/RequestsClient.java @@ -7,9 +7,9 @@ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -20,126 +20,129 @@ package org.openecomp.sdc.webseal.simulator; -import org.apache.commons.io.IOUtils; -import org.openecomp.sdc.webseal.simulator.conf.Conf; - -import javax.servlet.ServletException; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import java.io.*; +import java.io.BufferedReader; +import java.io.DataOutputStream; +import java.io.IOException; +import java.io.InputStreamReader; +import java.io.PrintWriter; import java.net.HttpURLConnection; import java.net.URL; import java.util.HashMap; import java.util.Map; import java.util.Map.Entry; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import org.apache.commons.io.IOUtils; +import org.openecomp.sdc.webseal.simulator.conf.Conf; public class RequestsClient extends HttpServlet { - private static final long serialVersionUID = 1L; - - @Override - protected void doGet(final HttpServletRequest request, final HttpServletResponse response) throws ServletException, IOException { - - String adminId = request.getParameter("adminId") != null ? request.getParameter("adminId") : "jh0003"; - String createAll = request.getParameter("all"); - String url = Conf.getInstance().getFeHost() + "/sdc1/feProxy/rest/v1/user"; - - PrintWriter writer = response.getWriter(); - - int resultCode; - - if ("true".equals(createAll)) { - Map<String, User> users = Conf.getInstance().getUsers(); - for (User user : users.values()) { - resultCode = createUser(response, user.getUserId(), user.getRole().toUpperCase(), user.getFirstName(), user.getLastName(), user.getEmail(), url, adminId); - writer.println("User "+ user.getFirstName() + " " + user.getLastName() + getResultMessage(resultCode) + "<br>"); - } - } else { - String userId = request.getParameter("userId"); - String role = request.getParameter("role").toUpperCase(); - String firstName = request.getParameter("firstName"); - String lastName = request.getParameter("lastName"); - String email = request.getParameter("email"); - - resultCode = createUser(response, userId, role, firstName, lastName, email, url, adminId); - - writer.println("User "+ firstName + " " + lastName +getResultMessage(resultCode)); - } - - - - } - - private String getResultMessage(int resultCode){ - return 201 == resultCode? " created successfuly":" not created ("+ resultCode +")"; - } - - private int createUser(final HttpServletResponse response, String userId, String role, String firstName, String lastName, String email, String url, String adminId) throws IOException { - response.setContentType("text/html"); - - String body = "{\"firstName\":\"" + firstName + "\", \"lastName\":\"" + lastName + "\", \"userId\":\"" + userId + "\", \"email\":\"" + email + "\",\"role\":\"" + role + "\"}"; - - HashMap<String, String> headers = new HashMap<String, String>(); - headers.put("Content-Type", "application/json"); - headers.put("USER_ID", adminId); - return sendHttpPost(url, body, headers); - } - - private int sendHttpPost(String url, String body, Map<String, String> headers) throws IOException { - - String responseString = ""; - URL obj = new URL(url); - HttpURLConnection con = (HttpURLConnection) obj.openConnection(); - - // add request method - con.setRequestMethod("POST"); - - // add request headers - if (headers != null) { - for (Entry<String, String> header : headers.entrySet()) { - String key = header.getKey(); - String value = header.getValue(); - con.setRequestProperty(key, value); - } - } - - // Send post request - if (body != null) { - con.setDoOutput(true); - DataOutputStream wr = new DataOutputStream(con.getOutputStream()); - wr.writeBytes(body); - wr.flush(); - wr.close(); - } - - int responseCode = con.getResponseCode(); - // logger.debug("Send POST http request, url: {}", url); - // logger.debug("Response Code: {}", responseCode); - - StringBuilder response = new StringBuilder(); - try { - BufferedReader in = new BufferedReader(new InputStreamReader(con.getInputStream())); - String inputLine; - while ((inputLine = in.readLine()) != null) { - response.append(inputLine); - } - in.close(); - } catch (Exception e) { - // logger.debug("response body is null"); - } - - String result; - - try { - result = IOUtils.toString(con.getErrorStream()); - response.append(result); - } catch (Exception e2) { - } - - con.disconnect(); - return responseCode; - - } + private static final long serialVersionUID = 1L; + + @Override + protected void doGet(final HttpServletRequest request, final HttpServletResponse response) throws IOException { + + String adminId = request.getParameter("adminId") != null ? request.getParameter("adminId") : "jh0003"; + String createAll = request.getParameter("all"); + String url = Conf.getInstance().getFeHost() + "/sdc1/feProxy/rest/v1/user"; + + PrintWriter writer = response.getWriter(); + + int resultCode; + + if ("true".equals(createAll)) { + Map<String, User> users = Conf.getInstance().getUsers(); + for (User user : users.values()) { + resultCode = createUser(response, user.getUserId(), user.getRole().toUpperCase(), user.getFirstName(), user.getLastName(), + user.getEmail(), url, adminId); + writer.println("User " + user.getFirstName() + " " + user.getLastName() + getResultMessage(resultCode) + "<br>"); + } + } else { + String userId = request.getParameter("userId"); + String role = request.getParameter("role").toUpperCase(); + String firstName = request.getParameter("firstName"); + String lastName = request.getParameter("lastName"); + String email = request.getParameter("email"); + + resultCode = createUser(response, userId, role, firstName, lastName, email, url, adminId); + + writer.println("User " + firstName + " " + lastName + getResultMessage(resultCode)); + } + + } + + private String getResultMessage(int resultCode) { + return 201 == resultCode ? " created successfuly" : " not created (" + resultCode + ")"; + } + + private int createUser(final HttpServletResponse response, String userId, String role, String firstName, String lastName, String email, + String url, String adminId) throws IOException { + response.setContentType("text/html"); + + String body = "{\"firstName\":\"" + firstName + "\", \"lastName\":\"" + lastName + "\", \"userId\":\"" + userId + "\", \"email\":\"" + email + + "\",\"role\":\"" + role + "\"}"; + + HashMap<String, String> headers = new HashMap<String, String>(); + headers.put("Content-Type", "application/json"); + headers.put("USER_ID", adminId); + return sendHttpPost(url, body, headers); + } + + private int sendHttpPost(String url, String body, Map<String, String> headers) throws IOException { + + String responseString = ""; + URL obj = new URL(url); + HttpURLConnection con = (HttpURLConnection) obj.openConnection(); + + // add request method + con.setRequestMethod("POST"); + + // add request headers + if (headers != null) { + for (Entry<String, String> header : headers.entrySet()) { + String key = header.getKey(); + String value = header.getValue(); + con.setRequestProperty(key, value); + } + } + + // Send post request + if (body != null) { + con.setDoOutput(true); + DataOutputStream wr = new DataOutputStream(con.getOutputStream()); + wr.writeBytes(body); + wr.flush(); + wr.close(); + } + + int responseCode = con.getResponseCode(); + // logger.debug("Send POST http request, url: {}", url); + // logger.debug("Response Code: {}", responseCode); + + StringBuilder response = new StringBuilder(); + try { + BufferedReader in = new BufferedReader(new InputStreamReader(con.getInputStream())); + String inputLine; + while ((inputLine = in.readLine()) != null) { + response.append(inputLine); + } + in.close(); + } catch (Exception e) { + // logger.debug("response body is null"); + } + + String result; + + try { + result = IOUtils.toString(con.getErrorStream()); + response.append(result); + } catch (Exception e2) { + } + + con.disconnect(); + return responseCode; + + } } diff --git a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java index eb498c975e..3ce7f23da7 100644 --- a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java +++ b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java @@ -39,6 +39,7 @@ public class Conf { private Map<String, User> users = new HashMap<String, User>(); private String portalCookieName; private String permittedAncestors; // Space separated list of permitted ancestors + private String dataValidatorFilterExcludedUrls; // Comma separated list of excluded URLs by the DataValidatorFilter private Conf() { initConf(); diff --git a/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml b/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml index c23e265aae..08a32221b0 100644 --- a/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml +++ b/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml @@ -39,6 +39,16 @@ </servlet-mapping> <filter> + <filter-name>dataValidatorFilter</filter-name> + <filter-class>org.openecomp.sdc.webseal.simulator.DataValidatorFilter</filter-class> + </filter> + <filter-mapping> + <filter-name>dataValidatorFilter</filter-name> + <url-pattern>/login</url-pattern> + <url-pattern>/create</url-pattern> + </filter-mapping> + + <filter> <filter-name>contentSecurityPolicyHeaderFilter</filter-name> <filter-class>org.openecomp.sdc.webseal.simulator.ContentSecurityPolicyHeaderFilter</filter-class> <async-supported>true</async-supported> |