From 013779aedf93a6f6ff878c457de53e729540c252 Mon Sep 17 00:00:00 2001
From: vasraz <vasyl.razinkov@est.tech>
Date: Wed, 7 Sep 2022 18:45:20 +0100
Subject: Fix high-severity bug 'application exposed to path traversal attack'

Signed-off-by: Vasyl Razinkov <vasyl.razinkov@est.tech>
Change-Id: I7f4b1e8d083cc39f8e57dcedddecc6af56fdc9c2
Issue-ID: SDC-4169
---
 catalog-fe/src/main/webapp/WEB-INF/web.xml | 230 +++++++++++++++--------------
 1 file changed, 118 insertions(+), 112 deletions(-)

(limited to 'catalog-fe')

diff --git a/catalog-fe/src/main/webapp/WEB-INF/web.xml b/catalog-fe/src/main/webapp/WEB-INF/web.xml
index 8f64a2b336..de133ac8ec 100644
--- a/catalog-fe/src/main/webapp/WEB-INF/web.xml
+++ b/catalog-fe/src/main/webapp/WEB-INF/web.xml
@@ -1,115 +1,121 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
-	version="3.0">
-
-	<servlet>
-		<servlet-name>jersey</servlet-name>
-		<servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
-		<init-param>
-			<param-name>jersey.config.server.provider.packages</param-name>
-			<param-value>org.openecomp.sdc.fe.servlets</param-value>
-		</init-param>
-
-		<init-param>
-			<param-name>jersey.config.server.provider.classnames</param-name>
-			<param-value>org.glassfish.jersey.media.multipart.MultiPartFeature</param-value>
-		</init-param>
-		<init-param>
-			<param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name>
-			<param-value>true</param-value>
-		</init-param>
-		<load-on-startup>1</load-on-startup>
-		<async-supported>true</async-supported>
-	</servlet>
-
-	<servlet-mapping>
-		<servlet-name>jersey</servlet-name>
-		<url-pattern>/rest/*</url-pattern>
-	</servlet-mapping>
-
-	<servlet>
-		<servlet-name>ViewStatusMessages</servlet-name>
-		<servlet-class>ch.qos.logback.classic.ViewStatusMessagesServlet</servlet-class>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+    version="3.0">
+
+    <servlet>
+        <servlet-name>jersey</servlet-name>
+        <servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
+        <init-param>
+            <param-name>jersey.config.server.provider.packages</param-name>
+            <param-value>org.openecomp.sdc.fe.servlets</param-value>
+        </init-param>
+
+        <init-param>
+            <param-name>jersey.config.server.provider.classnames</param-name>
+            <param-value>org.glassfish.jersey.media.multipart.MultiPartFeature</param-value>
+        </init-param>
+        <init-param>
+            <param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name>
+            <param-value>true</param-value>
+        </init-param>
+        <load-on-startup>1</load-on-startup>
         <async-supported>true</async-supported>
-	</servlet>
-
-	<servlet-mapping>
-		<servlet-name>ViewStatusMessages</servlet-name>
-		<url-pattern>/lbClassicStatus</url-pattern>
-	</servlet-mapping>
-
-	<!-- Fe Proxy Servlet -->
-	<servlet>
-		<servlet-name>FeProxy</servlet-name>
-		<servlet-class>org.openecomp.sdc.fe.servlets.FeProxyServlet</servlet-class>
-
-		<load-on-startup>1</load-on-startup>
-		<async-supported>true</async-supported>
-
-
-	</servlet>
-
-	<servlet-mapping>
-		<servlet-name>FeProxy</servlet-name>
-		<url-pattern>/feProxy/*</url-pattern>
-	</servlet-mapping>
-
-	<servlet>
-		<servlet-name>Portal</servlet-name>
-		<servlet-class>org.openecomp.sdc.fe.servlets.PortalServlet</servlet-class>
-		<async-supported>true</async-supported>
-	</servlet>
-
-	<servlet-mapping>
-		<servlet-name>Portal</servlet-name>
-		<url-pattern>/portal</url-pattern>
-	</servlet-mapping>
-
-	
-	<filter>
-		<filter-name>AuditLogServletFilter</filter-name>
-		<filter-class>org.onap.logging.filter.base.AuditLogServletFilter</filter-class>
-		<async-supported>true</async-supported>
-	</filter>
-
-<!--	<filter>-->
-<!--		<filter-name>SecurityFilter</filter-name>-->
-<!--		<filter-class>org.openecomp.sdc.fe.filters.SecurityFilter</filter-class>-->
-<!--        <async-supported>true</async-supported>-->
-<!--        <init-param>-->
-<!--            <param-name>excludedUrls</param-name>-->
-<!--            &lt;!&ndash; Comma separated list of excluded servlet URLs  &ndash;&gt;-->
-<!--            <param-value>/config,/configmgr,/rest</param-value>-->
-<!--        </init-param>-->
-<!--	</filter>-->
-
-	 <filter>
-	   <filter-name>gzipFilter</filter-name>
-	   <filter-class>org.openecomp.sdc.fe.filters.GzipFilter</filter-class>
-       <async-supported>true</async-supported>
-	 </filter>
-
-	<filter-mapping>
-		<filter-name>AuditLogServletFilter</filter-name>
-		<url-pattern>/*</url-pattern>
-	</filter-mapping>
-
-<!--	<filter-mapping>-->
-<!--		<filter-name>SecurityFilter</filter-name>-->
-<!--		<url-pattern>/*</url-pattern>-->
-<!--    </filter-mapping>-->
-
-	<filter-mapping>
-	   	<filter-name>gzipFilter</filter-name>
-	   	<url-pattern>*.jsgz</url-pattern>
-	</filter-mapping>
-
-	<listener>
-		<listener-class>org.openecomp.sdc.fe.listen.FEAppContextListener</listener-class>
-	</listener>
-
-	<welcome-file-list>
-		<welcome-file>index.html</welcome-file>
-	</welcome-file-list>
+    </servlet>
+
+    <servlet-mapping>
+        <servlet-name>jersey</servlet-name>
+        <url-pattern>/rest/*</url-pattern>
+    </servlet-mapping>
+
+    <servlet>
+        <servlet-name>ViewStatusMessages</servlet-name>
+        <servlet-class>ch.qos.logback.classic.ViewStatusMessagesServlet</servlet-class>
+        <async-supported>true</async-supported>
+    </servlet>
+
+    <servlet-mapping>
+        <servlet-name>ViewStatusMessages</servlet-name>
+        <url-pattern>/lbClassicStatus</url-pattern>
+    </servlet-mapping>
+
+    <!-- Fe Proxy Servlet -->
+    <servlet>
+        <servlet-name>FeProxy</servlet-name>
+        <servlet-class>org.openecomp.sdc.fe.servlets.FeProxyServlet</servlet-class>
+
+        <load-on-startup>1</load-on-startup>
+        <async-supported>true</async-supported>
+
+
+    </servlet>
+
+    <servlet-mapping>
+        <servlet-name>FeProxy</servlet-name>
+        <url-pattern>/feProxy/*</url-pattern>
+    </servlet-mapping>
+
+    <servlet>
+        <servlet-name>Portal</servlet-name>
+        <servlet-class>org.openecomp.sdc.fe.servlets.PortalServlet</servlet-class>
+        <async-supported>true</async-supported>
+    </servlet>
+
+    <servlet-mapping>
+        <servlet-name>Portal</servlet-name>
+        <url-pattern>/portal</url-pattern>
+    </servlet-mapping>
+
+    <context-param>
+        <param-name>org.eclipse.jetty.servlet.Default.dirAllowed</param-name>
+        <param-value>false</param-value>
+    </context-param>
+
+
+    <filter>
+        <filter-name>AuditLogServletFilter</filter-name>
+        <filter-class>org.onap.logging.filter.base.AuditLogServletFilter</filter-class>
+        <async-supported>true</async-supported>
+    </filter>
+
+    <!--	<filter>-->
+    <!--		<filter-name>SecurityFilter</filter-name>-->
+    <!--		<filter-class>org.openecomp.sdc.fe.filters.SecurityFilter</filter-class>-->
+    <!--        <async-supported>true</async-supported>-->
+    <!--        <init-param>-->
+    <!--            <param-name>excludedUrls</param-name>-->
+    <!--            &lt;!&ndash; Comma separated list of excluded servlet URLs  &ndash;&gt;-->
+    <!--            <param-value>/config,/configmgr,/rest</param-value>-->
+    <!--        </init-param>-->
+    <!--	</filter>-->
+
+    <filter>
+        <filter-name>gzipFilter</filter-name>
+        <filter-class>org.openecomp.sdc.fe.filters.GzipFilter</filter-class>
+        <async-supported>true</async-supported>
+    </filter>
+
+    <filter-mapping>
+        <filter-name>AuditLogServletFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
+    <!--	<filter-mapping>-->
+    <!--		<filter-name>SecurityFilter</filter-name>-->
+    <!--		<url-pattern>/*</url-pattern>-->
+    <!--    </filter-mapping>-->
+
+    <filter-mapping>
+        <filter-name>gzipFilter</filter-name>
+        <url-pattern>*.jsgz</url-pattern>
+    </filter-mapping>
+
+    <listener>
+        <listener-class>org.openecomp.sdc.fe.listen.FEAppContextListener</listener-class>
+    </listener>
+
+    <welcome-file-list>
+        <welcome-file>index.html</welcome-file>
+    </welcome-file-list>
 </web-app>
-- 
cgit 1.2.3-korg