From 013779aedf93a6f6ff878c457de53e729540c252 Mon Sep 17 00:00:00 2001
From: vasraz
Date: Wed, 7 Sep 2022 18:45:20 +0100
Subject: Fix high-severity bug 'application exposed to path traversal attack'
Signed-off-by: Vasyl Razinkov
Change-Id: I7f4b1e8d083cc39f8e57dcedddecc6af56fdc9c2
Issue-ID: SDC-4169
---
 catalog-be/src/main/webapp/WEB-INF/web.xml | 45 ++--
 catalog-fe/src/main/webapp/WEB-INF/web.xml | 230 +++++++++++----------
 .../src/main/webapp/WEB-INF/web.xml | 14 +-
 .../src/main/webapp/WEB-INF/web.xml | 13 +-
 .../src/main/webapp/WEB-INF/web.xml | 13 +-
 .../webapp-heat-validation/WEB-INF/web.xml | 11 +-
 openecomp-ui/webapp-onboarding/WEB-INF/web.xml | 11 +-
 .../src/main/webapp/WEB-INF/web.xml | 78 +++----
 8 files changed, 228 insertions(+), 187 deletions(-)
diff --git a/catalog-be/src/main/webapp/WEB-INF/web.xml b/catalog-be/src/main/webapp/WEB-INF/web.xml
index ca71eee221..64763b27a8 100644
--- a/catalog-be/src/main/webapp/WEB-INF/web.xml
+++ b/catalog-be/src/main/webapp/WEB-INF/web.xml
@@ -1,7 +1,8 @@ - + jersey
@@ -77,7 +78,8 @@ ECOMPServlet - org.onap.portalsdk.core.onboarding.crossapi.PortalRestAPIProxy + org.onap.portalsdk.core.onboarding.crossapi.PortalRestAPIProxy + 3 true
@@ -174,22 +176,22 @@ /sdc/* - + + basicAuthFilter + /* + -->
@@ -252,6 +254,11 @@ org.openecomp.sdc.be.togglz.TogglzConfiguration + + org.eclipse.jetty.servlet.Default.dirAllowed + false + + org.openecomp.sdc.be.listen.BEAppContextListener
diff --git a/catalog-fe/src/main/webapp/WEB-INF/web.xml b/catalog-fe/src/main/webapp/WEB-INF/web.xml
index 8f64a2b336..de133ac8ec 100644
--- a/catalog-fe/src/main/webapp/WEB-INF/web.xml
+++ b/catalog-fe/src/main/webapp/WEB-INF/web.xml
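Review bot: The `org.eclipse.jetty.servlet.Default.dirAllowed` = `false` context-param added in the @@ -252 hunk turns off directory listings in Jetty's DefaultServlet, which closes an information-disclosure hole (listing deployed resources) rather than path traversal as the subject line states; rejecting `..` segments is done by the container's path canonicalisation, not by this flag. The parameter is read only by Jetty's DefaultServlet and is silently ignored under any other servlet container, so a comment beside it would spare the next reader a guess, e.g. `<!-- Jetty DefaultServlet: disable directory listings; ignored by other containers -->`. The same context-param is added to the catalog-fe, dox-sequence-diagram-ui, notifications-fe, onboarding-rest-war, webapp-heat-validation, webapp-onboarding and webseal-simulator web.xml files in this patch, and the same comment applies there. In the @@ -174 hunk the `basicAuthFilter` `/*` mapping appears to end up inside an XML comment on the new side (the hunk's last added line is `-->`); if leaving that filter unmapped is intended, the commit message should say so, because as shown it reads like an accidental disable.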
@@ -1,115 +1,121 @@ - - - - jersey - org.glassfish.jersey.servlet.ServletContainer - - jersey.config.server.provider.packages - org.openecomp.sdc.fe.servlets - - - - jersey.config.server.provider.classnames - org.glassfish.jersey.media.multipart.MultiPartFeature - - - com.sun.jersey.api.json.POJOMappingFeature - true - - 1 - true - - - - jersey - /rest/* - - - - ViewStatusMessages - ch.qos.logback.classic.ViewStatusMessagesServlet + + + + jersey + org.glassfish.jersey.servlet.ServletContainer + + jersey.config.server.provider.packages + org.openecomp.sdc.fe.servlets + + + + jersey.config.server.provider.classnames + org.glassfish.jersey.media.multipart.MultiPartFeature + + + com.sun.jersey.api.json.POJOMappingFeature + true + + 1 true - - - - ViewStatusMessages - /lbClassicStatus - - - - - FeProxy - org.openecomp.sdc.fe.servlets.FeProxyServlet - - 1 - true - - - - - - FeProxy - /feProxy/* - - - - Portal - org.openecomp.sdc.fe.servlets.PortalServlet - true - - - - Portal - /portal - - - - - AuditLogServletFilter - org.onap.logging.filter.base.AuditLogServletFilter - true - - - - - - - - - - - - - - - gzipFilter - org.openecomp.sdc.fe.filters.GzipFilter - true - - - - AuditLogServletFilter - /* - - - - - - - - - gzipFilter - *.jsgz - - - - org.openecomp.sdc.fe.listen.FEAppContextListener - - - - index.html - + + + + jersey + /rest/* + + + + ViewStatusMessages + ch.qos.logback.classic.ViewStatusMessagesServlet + true + + + + ViewStatusMessages + /lbClassicStatus + + + + + FeProxy + org.openecomp.sdc.fe.servlets.FeProxyServlet + + 1 + true + + + + + + FeProxy + /feProxy/* + + + + Portal + org.openecomp.sdc.fe.servlets.PortalServlet + true + + + + Portal + /portal + + + + org.eclipse.jetty.servlet.Default.dirAllowed + false + + + + + AuditLogServletFilter + org.onap.logging.filter.base.AuditLogServletFilter + true + + + + + + + + + + + + + + + gzipFilter + org.openecomp.sdc.fe.filters.GzipFilter + true + + + + AuditLogServletFilter + /* + + + + + + + + + gzipFilter + 
*.jsgz + + + + org.openecomp.sdc.fe.listen.FEAppContextListener + + + + index.html +
diff --git a/dox-sequence-diagram-ui/src/main/webapp/WEB-INF/web.xml b/dox-sequence-diagram-ui/src/main/webapp/WEB-INF/web.xml
index c723615a7a..01ca867b6d 100644
--- a/dox-sequence-diagram-ui/src/main/webapp/WEB-INF/web.xml
+++ b/dox-sequence-diagram-ui/src/main/webapp/WEB-INF/web.xml
@@ -1,14 +1,18 @@ - Amdocs ES6 Blueprint + Amdocs ES6 Blueprint - - index.html - + + index.html + + + org.eclipse.jetty.servlet.Default.dirAllowed + false +
diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml b/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml
index f0bad66222..9191a35786 100644
--- a/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml
+++ b/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml
@@ -1,8 +1,8 @@ + xmlns="http://java.sun.com/xml/ns/javaee" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" + version="3.0">
@@ -79,6 +79,11 @@ 1 + + org.eclipse.jetty.servlet.Default.dirAllowed + false + + spring-mapper /ws/*
diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml
index 09d2fb16b4..3cbfb1325e 100644
--- a/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml
+++ b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml
@@ -1,8 +1,8 @@ + xmlns="http://java.sun.com/xml/ns/javaee" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" + version="3.0">
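Review bot: Nearly every line of the catalog-fe hunk (@@ -1,115 +1,121) is a re-indentation of the existing web.xml — the diffstat counts 230 changed lines for this file — while the only functional change is the `org.eclipse.jetty.servlet.Default.dirAllowed` = `false` context-param inserted after the `Portal` servlet mapping. Separating the whitespace change from the security fix, or at least stating the reindent in the commit message, would let that one setting be reviewed and bisected on its own. Separately, the `ViewStatusMessages` servlet (`ch.qos.logback.classic.ViewStatusMessagesServlet`) mapped at `/lbClassicStatus` is carried over unchanged on the new side; it reports logback's internal status, and unless something outside this file restricts it, it is reachable by any client, which is worth confirming in a commit about resource exposure.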
@@ -16,7 +16,10 @@ org.openecomp.sdc.be.togglz.TogglzConfiguration - + + org.eclipse.jetty.servlet.Default.dirAllowed + false + org.openecomp.server.listeners.OnboardingAppStartupListener
diff --git a/openecomp-ui/webapp-heat-validation/WEB-INF/web.xml b/openecomp-ui/webapp-heat-validation/WEB-INF/web.xml
index f84519eee3..013ab32715 100644
--- a/openecomp-ui/webapp-heat-validation/WEB-INF/web.xml
+++ b/openecomp-ui/webapp-heat-validation/WEB-INF/web.xml
@@ -1,8 +1,8 @@ + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" + version="3.0"> Heat-Validation
@@ -24,6 +24,11 @@ + + org.eclipse.jetty.servlet.Default.dirAllowed + false + + js *.js
diff --git a/openecomp-ui/webapp-onboarding/WEB-INF/web.xml b/openecomp-ui/webapp-onboarding/WEB-INF/web.xml
index 7840279895..65b2bc4023 100644
--- a/openecomp-ui/webapp-onboarding/WEB-INF/web.xml
+++ b/openecomp-ui/webapp-onboarding/WEB-INF/web.xml
@@ -1,8 +1,8 @@ + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" + version="3.0"> ASDC
@@ -29,6 +29,11 @@ *.js + + org.eclipse.jetty.servlet.Default.dirAllowed + false + + resources org.eclipse.jetty.servlet.DefaultServlet
diff --git a/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml b/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml
index 7535e1bdf8..a293d3c883 100644
--- a/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml
+++ b/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml
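Review bot: In the webapp-onboarding @@ -29 hunk the context-param lands directly above the `resources` servlet, which is declared explicitly as `org.eclipse.jetty.servlet.DefaultServlet`; DefaultServlet reads `dirAllowed` from both its own init-params and the `org.eclipse.jetty.servlet.Default.*` context-params, and the precedence between the two is an implementation detail of the Jetty version in use, so if `resources` carries (or later gains) its own `dirAllowed` init-param the context-level `false` may not apply to it. Setting it on the servlet as well removes the ambiguity: `<init-param><param-name>dirAllowed</param-name><param-value>false</param-value></init-param>` inside the `resources` declaration. That declaration continues past the end of the hunk, so I could not confirm from here whether such an init-param already exists.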
@@ -1,40 +1,46 @@ - - - Archetype Created Web Application - - - Proxy - org.openecomp.sdc.webseal.simulator.SdcProxy - - - Proxy - /* - - - - Login - org.openecomp.sdc.webseal.simulator.Login - - - Login - /login - - - - CreateUser - org.openecomp.sdc.webseal.simulator.RequestsClient - - - CreateUser - /create - - - - login - + + + Archetype Created Web Application + + + Proxy + org.openecomp.sdc.webseal.simulator.SdcProxy + + + Proxy + /* + + + + org.eclipse.jetty.servlet.Default.dirAllowed + false + + + + Login + org.openecomp.sdc.webseal.simulator.Login + + + Login + /login + + + + CreateUser + org.openecomp.sdc.webseal.simulator.RequestsClient + + + CreateUser + /create + + + + login + -- cgit 1.2.3-korg
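Review bot: The `Proxy` servlet (`org.openecomp.sdc.webseal.simulator.SdcProxy`) stays mapped at `/*`, which takes precedence over the implicit default servlet's `/` mapping, so in this webapp the new `dirAllowed` context-param only matters for requests that SdcProxy itself forwards to the default servlet — presumably none, though I cannot confirm that from this hunk. If the setting is added for uniformity across the repository, a one-line comment saying so (`<!-- no static content is served by this webapp; set for consistency with the other web.xml files -->`) keeps a future reader from looking for a listing it supposedly closes. The rest of the hunk is a re-indentation of the unchanged `Login` and `CreateUser` servlets.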