From ddb9d5a7637b382be9ac7a96ad023a983c41c342 Mon Sep 17 00:00:00 2001 From: vasraz Date: Fri, 14 Oct 2022 13:35:39 +0100 Subject: Fix security risk 'Improper Input Validation' Signed-off-by: Vasyl Razinkov Change-Id: I6a52148aec3b567db43ec57109214e52d106f73c Issue-ID: SDC-4189 --- .../sdc/fe/filters/DataValidatorFilter.java | 70 ++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 catalog-fe/src/main/java/org/openecomp/sdc/fe/filters/DataValidatorFilter.java (limited to 'catalog-fe') diff --git a/catalog-fe/src/main/java/org/openecomp/sdc/fe/filters/DataValidatorFilter.java b/catalog-fe/src/main/java/org/openecomp/sdc/fe/filters/DataValidatorFilter.java new file mode 100644 index 0000000000..5b82a3c15c --- /dev/null +++ b/catalog-fe/src/main/java/org/openecomp/sdc/fe/filters/DataValidatorFilter.java @@ -0,0 +1,70 @@ +/* + * ============LICENSE_START======================================================= + * SDC + * ================================================================================ + * Copyright (C) 2022 Nordix Foundation. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.openecomp.sdc.fe.filters; + +import java.io.IOException; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang3.StringUtils; +import org.openecomp.sdc.common.filters.DataValidatorFilterAbstract; +import org.openecomp.sdc.exception.NotAllowedSpecialCharsException; +import org.openecomp.sdc.fe.config.Configuration; +import org.openecomp.sdc.fe.config.ConfigurationManager; + +/** + * Implement DataValidatorFilter for front-end. + * Extends {@link DataValidatorFilterAbstract} + */ +public class DataValidatorFilter extends DataValidatorFilterAbstract { + + @Override + public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain) + throws IOException, ServletException, NotAllowedSpecialCharsException { + try { + super.doFilter(request, response, chain); + } catch (final NotAllowedSpecialCharsException e) { + // error handing to show 'Error: Special characters not allowed.' + ((HttpServletResponse) response).sendError(400, DataValidatorFilter.ERROR_SPECIAL_CHARACTERS_NOT_ALLOWED); + } + + } + + @Override + protected List getDataValidatorFilterExcludedUrls() { + final ConfigurationManager configurationManager = ConfigurationManager.getConfigurationManager(); + if (configurationManager != null) { + final Configuration configuration = configurationManager.getConfiguration(); + if (configuration != null) { + final String dataValidatorFilterExcludedUrls = configuration.getDataValidatorFilterExcludedUrls(); + if (StringUtils.isNotBlank(dataValidatorFilterExcludedUrls)) { + return Arrays.asList(dataValidatorFilterExcludedUrls.split(",")); + } + } + } + return new ArrayList<>(); + } +} -- cgit 1.2.3-korg