summaryrefslogtreecommitdiffstats
path: root/utils/webseal-simulator
diff options
context:
space:
mode:
authorvasraz <vasyl.razinkov@est.tech>2022-10-14 13:35:39 +0100
committerMichael Morris <michael.morris@est.tech>2022-10-18 08:27:16 +0000
commitddb9d5a7637b382be9ac7a96ad023a983c41c342 (patch)
tree4e551d6ce4348aed56f42b021bbe4fcfccc3cd15 /utils/webseal-simulator
parentccab3629426bdc6a87ca6102db3fdb23d4419b3e (diff)
Fix security risk 'Improper Input Validation'
Signed-off-by: Vasyl Razinkov <vasyl.razinkov@est.tech> Change-Id: I6a52148aec3b567db43ec57109214e52d106f73c Issue-ID: SDC-4189
Diffstat (limited to 'utils/webseal-simulator')
-rw-r--r--utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/DataValidatorFilter.java62
-rw-r--r--utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/Login.java2
-rw-r--r--utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/RequestsClient.java233
-rw-r--r--utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java1
-rw-r--r--utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml10
5 files changed, 192 insertions, 116 deletions
diff --git a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/DataValidatorFilter.java b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/DataValidatorFilter.java
new file mode 100644
index 0000000000..a226faf0eb
--- /dev/null
+++ b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/DataValidatorFilter.java
@@ -0,0 +1,62 @@
+/*
+ * ============LICENSE_START=======================================================
+ * SDC
+ * ================================================================================
+ * Copyright (C) 2022 Nordix Foundation. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.webseal.simulator;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.lang3.StringUtils;
+import org.openecomp.sdc.common.filters.DataValidatorFilterAbstract;
+import org.openecomp.sdc.exception.NotAllowedSpecialCharsException;
+import org.openecomp.sdc.webseal.simulator.conf.Conf;
+
+/**
+ * Implement DataValidatorFilter for webseal.
+ * Extends {@link DataValidatorFilterAbstract}
+ */
+public class DataValidatorFilter extends DataValidatorFilterAbstract {
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+ throws IOException, ServletException, NotAllowedSpecialCharsException {
+ try {
+ super.doFilter(request, response, chain);
+ } catch (final NotAllowedSpecialCharsException e) {
+ // error handing to show 'Error: Special characters not allowed.'
+ ((HttpServletResponse) response).sendError(400, ERROR_SPECIAL_CHARACTERS_NOT_ALLOWED);
+ }
+ }
+
+ @Override
+ protected List<String> getDataValidatorFilterExcludedUrls() {
+ String dataValidatorFilterExcludedUrls = Conf.getInstance().getDataValidatorFilterExcludedUrls();
+ if (StringUtils.isNotBlank(dataValidatorFilterExcludedUrls)) {
+ return Arrays.asList(dataValidatorFilterExcludedUrls.split(","));
+ }
+ return new ArrayList<>();
+ }
+}
diff --git a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/Login.java b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/Login.java
index 32d8c2916d..292f4a30d4 100644
--- a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/Login.java
+++ b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/Login.java
@@ -113,7 +113,7 @@ public class Login extends HttpServlet {
}
@Override
- public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+ public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
String userId = request.getParameter("userId");
String password = request.getParameter("password");
diff --git a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/RequestsClient.java b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/RequestsClient.java
index 7aa48e62cf..e8c4631c65 100644
--- a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/RequestsClient.java
+++ b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/RequestsClient.java
@@ -7,9 +7,9 @@
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -20,126 +20,129 @@
package org.openecomp.sdc.webseal.simulator;
-import org.apache.commons.io.IOUtils;
-import org.openecomp.sdc.webseal.simulator.conf.Conf;
-
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.*;
+import java.io.BufferedReader;
+import java.io.DataOutputStream;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.PrintWriter;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.HashMap;
import java.util.Map;
import java.util.Map.Entry;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.io.IOUtils;
+import org.openecomp.sdc.webseal.simulator.conf.Conf;
public class RequestsClient extends HttpServlet {
- private static final long serialVersionUID = 1L;
-
- @Override
- protected void doGet(final HttpServletRequest request, final HttpServletResponse response) throws ServletException, IOException {
-
- String adminId = request.getParameter("adminId") != null ? request.getParameter("adminId") : "jh0003";
- String createAll = request.getParameter("all");
- String url = Conf.getInstance().getFeHost() + "/sdc1/feProxy/rest/v1/user";
-
- PrintWriter writer = response.getWriter();
-
- int resultCode;
-
- if ("true".equals(createAll)) {
- Map<String, User> users = Conf.getInstance().getUsers();
- for (User user : users.values()) {
- resultCode = createUser(response, user.getUserId(), user.getRole().toUpperCase(), user.getFirstName(), user.getLastName(), user.getEmail(), url, adminId);
- writer.println("User "+ user.getFirstName() + " " + user.getLastName() + getResultMessage(resultCode) + "<br>");
- }
- } else {
- String userId = request.getParameter("userId");
- String role = request.getParameter("role").toUpperCase();
- String firstName = request.getParameter("firstName");
- String lastName = request.getParameter("lastName");
- String email = request.getParameter("email");
-
- resultCode = createUser(response, userId, role, firstName, lastName, email, url, adminId);
-
- writer.println("User "+ firstName + " " + lastName +getResultMessage(resultCode));
- }
-
-
-
- }
-
- private String getResultMessage(int resultCode){
- return 201 == resultCode? " created successfuly":" not created ("+ resultCode +")";
- }
-
- private int createUser(final HttpServletResponse response, String userId, String role, String firstName, String lastName, String email, String url, String adminId) throws IOException {
- response.setContentType("text/html");
-
- String body = "{\"firstName\":\"" + firstName + "\", \"lastName\":\"" + lastName + "\", \"userId\":\"" + userId + "\", \"email\":\"" + email + "\",\"role\":\"" + role + "\"}";
-
- HashMap<String, String> headers = new HashMap<String, String>();
- headers.put("Content-Type", "application/json");
- headers.put("USER_ID", adminId);
- return sendHttpPost(url, body, headers);
- }
-
- private int sendHttpPost(String url, String body, Map<String, String> headers) throws IOException {
-
- String responseString = "";
- URL obj = new URL(url);
- HttpURLConnection con = (HttpURLConnection) obj.openConnection();
-
- // add request method
- con.setRequestMethod("POST");
-
- // add request headers
- if (headers != null) {
- for (Entry<String, String> header : headers.entrySet()) {
- String key = header.getKey();
- String value = header.getValue();
- con.setRequestProperty(key, value);
- }
- }
-
- // Send post request
- if (body != null) {
- con.setDoOutput(true);
- DataOutputStream wr = new DataOutputStream(con.getOutputStream());
- wr.writeBytes(body);
- wr.flush();
- wr.close();
- }
-
- int responseCode = con.getResponseCode();
- // logger.debug("Send POST http request, url: {}", url);
- // logger.debug("Response Code: {}", responseCode);
-
- StringBuilder response = new StringBuilder();
- try {
- BufferedReader in = new BufferedReader(new InputStreamReader(con.getInputStream()));
- String inputLine;
- while ((inputLine = in.readLine()) != null) {
- response.append(inputLine);
- }
- in.close();
- } catch (Exception e) {
- // logger.debug("response body is null");
- }
-
- String result;
-
- try {
- result = IOUtils.toString(con.getErrorStream());
- response.append(result);
- } catch (Exception e2) {
- }
-
- con.disconnect();
- return responseCode;
-
- }
+ private static final long serialVersionUID = 1L;
+
+ @Override
+ protected void doGet(final HttpServletRequest request, final HttpServletResponse response) throws IOException {
+
+ String adminId = request.getParameter("adminId") != null ? request.getParameter("adminId") : "jh0003";
+ String createAll = request.getParameter("all");
+ String url = Conf.getInstance().getFeHost() + "/sdc1/feProxy/rest/v1/user";
+
+ PrintWriter writer = response.getWriter();
+
+ int resultCode;
+
+ if ("true".equals(createAll)) {
+ Map<String, User> users = Conf.getInstance().getUsers();
+ for (User user : users.values()) {
+ resultCode = createUser(response, user.getUserId(), user.getRole().toUpperCase(), user.getFirstName(), user.getLastName(),
+ user.getEmail(), url, adminId);
+ writer.println("User " + user.getFirstName() + " " + user.getLastName() + getResultMessage(resultCode) + "<br>");
+ }
+ } else {
+ String userId = request.getParameter("userId");
+ String role = request.getParameter("role").toUpperCase();
+ String firstName = request.getParameter("firstName");
+ String lastName = request.getParameter("lastName");
+ String email = request.getParameter("email");
+
+ resultCode = createUser(response, userId, role, firstName, lastName, email, url, adminId);
+
+ writer.println("User " + firstName + " " + lastName + getResultMessage(resultCode));
+ }
+
+ }
+
+ private String getResultMessage(int resultCode) {
+ return 201 == resultCode ? " created successfuly" : " not created (" + resultCode + ")";
+ }
+
+ private int createUser(final HttpServletResponse response, String userId, String role, String firstName, String lastName, String email,
+ String url, String adminId) throws IOException {
+ response.setContentType("text/html");
+
+ String body = "{\"firstName\":\"" + firstName + "\", \"lastName\":\"" + lastName + "\", \"userId\":\"" + userId + "\", \"email\":\"" + email
+ + "\",\"role\":\"" + role + "\"}";
+
+ HashMap<String, String> headers = new HashMap<String, String>();
+ headers.put("Content-Type", "application/json");
+ headers.put("USER_ID", adminId);
+ return sendHttpPost(url, body, headers);
+ }
+
+ private int sendHttpPost(String url, String body, Map<String, String> headers) throws IOException {
+
+ String responseString = "";
+ URL obj = new URL(url);
+ HttpURLConnection con = (HttpURLConnection) obj.openConnection();
+
+ // add request method
+ con.setRequestMethod("POST");
+
+ // add request headers
+ if (headers != null) {
+ for (Entry<String, String> header : headers.entrySet()) {
+ String key = header.getKey();
+ String value = header.getValue();
+ con.setRequestProperty(key, value);
+ }
+ }
+
+ // Send post request
+ if (body != null) {
+ con.setDoOutput(true);
+ DataOutputStream wr = new DataOutputStream(con.getOutputStream());
+ wr.writeBytes(body);
+ wr.flush();
+ wr.close();
+ }
+
+ int responseCode = con.getResponseCode();
+ // logger.debug("Send POST http request, url: {}", url);
+ // logger.debug("Response Code: {}", responseCode);
+
+ StringBuilder response = new StringBuilder();
+ try {
+ BufferedReader in = new BufferedReader(new InputStreamReader(con.getInputStream()));
+ String inputLine;
+ while ((inputLine = in.readLine()) != null) {
+ response.append(inputLine);
+ }
+ in.close();
+ } catch (Exception e) {
+ // logger.debug("response body is null");
+ }
+
+ String result;
+
+ try {
+ result = IOUtils.toString(con.getErrorStream());
+ response.append(result);
+ } catch (Exception e2) {
+ }
+
+ con.disconnect();
+ return responseCode;
+
+ }
}
diff --git a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java
index eb498c975e..3ce7f23da7 100644
--- a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java
+++ b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java
@@ -39,6 +39,7 @@ public class Conf {
private Map<String, User> users = new HashMap<String, User>();
private String portalCookieName;
private String permittedAncestors; // Space separated list of permitted ancestors
+ private String dataValidatorFilterExcludedUrls; // Comma separated list of excluded URLs by the DataValidatorFilter
private Conf() {
initConf();
diff --git a/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml b/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml
index c23e265aae..08a32221b0 100644
--- a/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml
+++ b/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml
@@ -39,6 +39,16 @@
</servlet-mapping>
<filter>
+ <filter-name>dataValidatorFilter</filter-name>
+ <filter-class>org.openecomp.sdc.webseal.simulator.DataValidatorFilter</filter-class>
+ </filter>
+ <filter-mapping>
+ <filter-name>dataValidatorFilter</filter-name>
+ <url-pattern>/login</url-pattern>
+ <url-pattern>/create</url-pattern>
+ </filter-mapping>
+
+ <filter>
<filter-name>contentSecurityPolicyHeaderFilter</filter-name>
<filter-class>org.openecomp.sdc.webseal.simulator.ContentSecurityPolicyHeaderFilter</filter-class>
<async-supported>true</async-supported>