From ddb9d5a7637b382be9ac7a96ad023a983c41c342 Mon Sep 17 00:00:00 2001
From: vasraz
Date: Fri, 14 Oct 2022 13:35:39 +0100
Subject: Fix security risk 'Improper Input Validation'
Signed-off-by: Vasyl Razinkov
Change-Id: I6a52148aec3b567db43ec57109214e52d106f73c
Issue-ID: SDC-4189
---
 .../ByActionStatusComponentException.java | 6 +-
 .../sdc/be/filters/BeRestrictionAccessFilter.java | 2 +-
 .../sdc/be/filters/DataValidatorFilter.java | 64 ++++++++++++++++++++++
 .../openecomp/sdc/be/filters/GatewayFilter.java | 2 +-
 .../sdc/be/servlets/BeGenericServlet.java | 4 +-
 .../servlets/exception/StorageExceptionMapper.java | 2 +-
 6 files changed, 70 insertions(+), 10 deletions(-)
 create mode 100644 catalog-be/src/main/java/org/openecomp/sdc/be/filters/DataValidatorFilter.java
(limited to 'catalog-be/src/main/java')
diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/exceptions/ByActionStatusComponentException.java b/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/exceptions/ByActionStatusComponentException.java
index e973fe4bf3..bd0e6bb20c 100644
--- a/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/exceptions/ByActionStatusComponentException.java
+++ b/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/exceptions/ByActionStatusComponentException.java
@@ -20,12 +20,14 @@ package org.openecomp.sdc.be.components.impl.exceptions;
 import java.util.Arrays;
+import lombok.Getter;
 import org.openecomp.sdc.be.components.impl.ResponseFormatManager;
 import org.openecomp.sdc.be.dao.api.ActionStatus;
 import org.openecomp.sdc.exception.ResponseFormat;
 public class ByActionStatusComponentException extends ComponentException {
+    @Getter
     private final ActionStatus actionStatus;
     private final String[] params;
@@ -35,10 +37,6 @@ public class ByActionStatusComponentException extends ComponentException {
         this.params = params.clone();
     }
-    public ActionStatus getActionStatus() {
-        return actionStatus;
-    }
-
     public String[] getParams() {
         return params.clone();
     }
diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/filters/BeRestrictionAccessFilter.java b/catalog-be/src/main/java/org/openecomp/sdc/be/filters/BeRestrictionAccessFilter.java
index e40dfe408f..0e8f9452be 100644
--- a/catalog-be/src/main/java/org/openecomp/sdc/be/filters/BeRestrictionAccessFilter.java
+++ b/catalog-be/src/main/java/org/openecomp/sdc/be/filters/BeRestrictionAccessFilter.java
@@ -33,7 +33,7 @@ import org.springframework.stereotype.Component;
 @Component("beRestrictionAccessFilter")
 public class BeRestrictionAccessFilter extends RestrictionAccessFilter {
-    private static final Logger log = Logger.getLogger(RestrictionAccessFilter.class.getName());
+    private static final Logger log = Logger.getLogger(BeRestrictionAccessFilter.class.getName());
     public BeRestrictionAccessFilter(FilterConfiguration configuration, ThreadLocalUtils threadLocalUtils, PortalClient portalClient) {
         super(configuration, threadLocalUtils, portalClient);
diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/filters/DataValidatorFilter.java b/catalog-be/src/main/java/org/openecomp/sdc/be/filters/DataValidatorFilter.java
new file mode 100644
index 0000000000..2cdbf93d48
--- /dev/null
+++ b/catalog-be/src/main/java/org/openecomp/sdc/be/filters/DataValidatorFilter.java
@@ -0,0 +1,64 @@
+/*
+ * ============LICENSE_START=======================================================
+ * SDC
+ * ================================================================================
+ * Copyright (C) 2022 Nordix Foundation. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.be.filters;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import org.apache.commons.lang3.StringUtils;
+import org.openecomp.sdc.be.components.impl.exceptions.ByActionStatusComponentException;
+import org.openecomp.sdc.be.config.ConfigurationManager;
+import org.openecomp.sdc.be.dao.api.ActionStatus;
+import org.openecomp.sdc.common.filters.DataValidatorFilterAbstract;
+import org.openecomp.sdc.common.util.DataValidator;
+import org.openecomp.sdc.exception.NotAllowedSpecialCharsException;
+
+/**
+ * Implement DataValidatorFilter for back-end.
+ * Extends {@link DataValidatorFilterAbstract}
+ */
+public class DataValidatorFilter extends DataValidatorFilterAbstract {
+
+    @Override
+    public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain) throws IOException, ServletException {
+        try {
+            super.doFilter(request, response, chain);
+        } catch (NotAllowedSpecialCharsException e) {
+            throw new ByActionStatusComponentException(ActionStatus.NOT_PERMITTED_SPECIAL_CHARS);
+        }
+    }
+
+    @Override
+    protected List getDataValidatorFilterExcludedUrls() {
+        final String dataValidatorFilterExcludedUrls = ConfigurationManager.getConfigurationManager().getConfiguration()
+            .getDataValidatorFilterExcludedUrls();
+        if (StringUtils.isNotBlank(dataValidatorFilterExcludedUrls)) {
+            return Arrays.asList(dataValidatorFilterExcludedUrls.split(","));
+        }
+        return new ArrayList<>();
+    }
+
+}
diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/filters/GatewayFilter.java b/catalog-be/src/main/java/org/openecomp/sdc/be/filters/GatewayFilter.java
index c5f0881caa..b675ec9a6e 100644
--- a/catalog-be/src/main/java/org/openecomp/sdc/be/filters/GatewayFilter.java
+++ b/catalog-be/src/main/java/org/openecomp/sdc/be/filters/GatewayFilter.java
@@ -44,7 +44,7 @@ import org.springframework.stereotype.Component;
 @Component("gatewayFilter")
 public class GatewayFilter implements Filter {
-    private static final Logger log = Logger.getLogger(BeServletFilter.class);
+    private static final Logger log = Logger.getLogger(GatewayFilter.class);
     private Configuration.CookieConfig authCookieConf;
     private Configuration config;
     @Autowired
diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/servlets/BeGenericServlet.java b/catalog-be/src/main/java/org/openecomp/sdc/be/servlets/BeGenericServlet.java
index 7bec5d5f09..7c9101df82 100644
--- a/catalog-be/src/main/java/org/openecomp/sdc/be/servlets/BeGenericServlet.java
+++ b/catalog-be/src/main/java/org/openecomp/sdc/be/servlets/BeGenericServlet.java
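Review bot: The catch block in `doFilter` lets a `ByActionStatusComponentException` escape a servlet `Filter`, but JAX-RS `ExceptionMapper`s such as the `@Provider StorageExceptionMapper` touched in this same commit only handle exceptions raised inside the resource pipeline, so unless something earlier in the filter chain translates `ComponentException` (not visible here) a request carrying a disallowed character will probably reach the client as the container's generic 500 error page rather than the intended `NOT_PERMITTED_SPECIAL_CHARS` response — confirm with a request to a non-excluded URL, and if so write the error response in the catch block itself. The original exception is also discarded, which removes the only trace of why the request was rejected; keep it for triage with `final ByActionStatusComponentException ex = new ByActionStatusComponentException(ActionStatus.NOT_PERMITTED_SPECIAL_CHARS); ex.initCause(e); throw ex;` or at least a debug-level log that does not echo the rejected input. In `getDataValidatorFilterExcludedUrls`, `split(",")` keeps surrounding whitespace, so an entry written as `a, b` produces `" b"`; because this list is the validation bypass list, trim each entry and drop blanks (`.map(String::trim).filter(StringUtils::isNotBlank)`) so the exclusions match exactly what the operator configured and nothing else. The `DataValidator` import is unused and can go.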
@@ -321,10 +321,8 @@ public class BeGenericServlet extends BasicServlet {
     protected String propertyToJson(Map.Entry property) {
         JSONObject root = new JSONObject();
-        String propertyName = property.getKey();
         PropertyDefinition propertyDefinition = property.getValue();
-        JSONObject propertyDefinitionO = getPropertyDefinitionJSONObject(propertyDefinition);
-        root.put(propertyName, propertyDefinitionO);
+        root.put(property.getKey(), getPropertyDefinitionJSONObject(propertyDefinition));
         propertyDefinition.getType();
         return root.toString();
     }
diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/servlets/exception/StorageExceptionMapper.java b/catalog-be/src/main/java/org/openecomp/sdc/be/servlets/exception/StorageExceptionMapper.java
index 18e5a15497..f89a1348db 100644
--- a/catalog-be/src/main/java/org/openecomp/sdc/be/servlets/exception/StorageExceptionMapper.java
+++ b/catalog-be/src/main/java/org/openecomp/sdc/be/servlets/exception/StorageExceptionMapper.java
@@ -35,7 +35,7 @@ import org.springframework.stereotype.Component;
 @Provider
 public class StorageExceptionMapper implements ExceptionMapper {
-    private static final Logger log = Logger.getLogger(DefaultExceptionMapper.class);
+    private static final Logger log = Logger.getLogger(StorageExceptionMapper.class);
     private final Gson gson = new GsonBuilder().setPrettyPrinting().create();
     private final ComponentsUtils componentsUtils;
-- cgit 1.2.3-korg
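Review bot: The bare `propertyDefinition.getType();` statement left in place after the new `root.put(...)` line discards its result and does nothing useful; its only observable effect would be a NullPointerException on a null `propertyDefinition`, raised after the JSON has already been assembled. Either delete that line or, if a null guard was the intent, make it explicit before the `put` with `Objects.requireNonNull(propertyDefinition, "property definition");`. `propertyToJson` is entirely inside this hunk and still has no Javadoc; a one-liner such as `/** Serialises one property entry as a JSON object keyed by the property name. */` would make the contract clear to callers.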