From ddb9d5a7637b382be9ac7a96ad023a983c41c342 Mon Sep 17 00:00:00 2001
From: vasraz
Date: Fri, 14 Oct 2022 13:35:39 +0100
Subject: Fix security risk 'Improper Input Validation'

Signed-off-by: Vasyl Razinkov
Change-Id: I6a52148aec3b567db43ec57109214e52d106f73c
Issue-ID: SDC-4189
---
 .../sdc/common/errors/DefaultExceptionMapper.java | 16 +++++
 .../sdc/common/filters/DataValidatorFilter.java | 71 ++++++++++++++++++++++
 2 files changed, 87 insertions(+)
 create mode 100644 openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/filters/DataValidatorFilter.java

(limited to 'openecomp-be/lib')

diff --git a/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/errors/DefaultExceptionMapper.java b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/errors/DefaultExceptionMapper.java
index a059434709..4ad6fd7874 100644
--- a/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/errors/DefaultExceptionMapper.java
+++ b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/errors/DefaultExceptionMapper.java
@@ -16,10 +16,12 @@ package org.openecomp.sdc.common.errors;
 import com.fasterxml.jackson.databind.JsonMappingException;
+import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import javax.servlet.http.HttpServletResponse;
 import javax.validation.ConstraintViolation;
 import javax.validation.ConstraintViolationException;
 import javax.validation.Path;
@@ -29,8 +31,12 @@ import javax.ws.rs.core.Response.Status;
 import javax.ws.rs.ext.ExceptionMapper;
 import org.apache.commons.collections4.CollectionUtils;
 import org.hibernate.validator.internal.engine.path.PathImpl;
+import org.onap.sdc.security.RepresentationUtils;
 import org.openecomp.core.utilities.file.FileUtils;
 import org.openecomp.core.utilities.json.JsonUtil;
+import org.openecomp.sdc.exception.NotAllowedSpecialCharsException;
+import org.openecomp.sdc.exception.ResponseFormat;
+import org.openecomp.sdc.exception.ServiceException;
 import org.openecomp.sdc.logging.api.Logger;
 import org.openecomp.sdc.logging.api.LoggerFactory;
@@ -113,4 +119,14 @@ public class DefaultExceptionMapper implements ExceptionMapper {
 private Object toEntity(final Status status, final ErrorCode code) {
 return new ErrorCodeAndMessage(status, code);
 }
+
+ public void writeToResponse(final NotAllowedSpecialCharsException e, final HttpServletResponse httpResponse) throws IOException {
+ final ResponseFormat responseFormat = new ResponseFormat(400);
+ responseFormat.setServiceException(new ServiceException(e.getErrorId(), e.getMessage(), new String[0]));
+ httpResponse.setStatus(responseFormat.getStatus());
+ httpResponse.setContentType("application/json");
+ httpResponse.setCharacterEncoding("UTF-8");
+ httpResponse.getWriter().write(RepresentationUtils.toRepresentation(responseFormat.getRequestError()));
+ }
+
 }
diff --git a/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/filters/DataValidatorFilter.java b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/filters/DataValidatorFilter.java
new file mode 100644
index 0000000000..6e3f665762
--- /dev/null
+++ b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/filters/DataValidatorFilter.java
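Review bot: The last added line of `writeToResponse` serializes `e.getMessage()` straight into the 400 body; if NotAllowedSpecialCharsException embeds the rejected input in its message, attacker-controlled text is reflected back to the client, which is only safe if `RepresentationUtils.toRepresentation` JSON-escapes it — neither the message format nor that helper is visible in this hunk, so confirm it, or pass `e.getErrorId()` with a fixed message instead. A request rejected for disallowed characters is also a security event that nothing here records; unless DataValidatorFilterAbstract already logs it, a warn-level log line carrying `e.getErrorId()` and the request URI (the class already imports the Logger API) would give operators something to alert on. The method has no Javadoc; a one-liner such as `/** Writes a 400 JSON error body for a request rejected by the data validator filter; the response is not flushed here. */` would also explain why an ExceptionMapper writes directly to an HttpServletResponse.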
@@ -0,0 +1,71 @@
+/*
+ * ============LICENSE_START=======================================================
+ * SDC
+ * ================================================================================
+ * Copyright (C) 2022 Nordix Foundation. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.common.filters;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.lang3.StringUtils;
+import org.openecomp.sdc.common.CommonConfigurationManager;
+import org.openecomp.sdc.common.errors.DefaultExceptionMapper;
+import org.openecomp.sdc.exception.NotAllowedSpecialCharsException;
+
+/**
+ * Implements DataValidatorFilter for onboarding.
+ * Extends {@link DataValidatorFilterAbstract}
+ */
+public class DataValidatorFilter extends DataValidatorFilterAbstract {
+
+ private final DefaultExceptionMapper defaultExceptionMapper;
+
+ public DataValidatorFilter() {
+ defaultExceptionMapper = new DefaultExceptionMapper();
+ }
+
+ @Override
+ public void doFilter(final ServletRequest request, ServletResponse response, final FilterChain chain)
+ throws IOException, ServletException, NotAllowedSpecialCharsException {
+ try {
+ super.doFilter(request, response, chain);
+ } catch (final NotAllowedSpecialCharsException e) {
+ defaultExceptionMapper.writeToResponse(e, (HttpServletResponse) response);
+ }
+ }
+
+ @Override
+ protected List getDataValidatorFilterExcludedUrls() {
+ final CommonConfigurationManager commonConfigurationManager = CommonConfigurationManager.getInstance();
+ if (commonConfigurationManager != null) {
+ final String dataValidatorFilterExcludedUrls = commonConfigurationManager.getConfigValue(DATA_VALIDATOR_FILTER_EXCLUDED_URLS, "");
+ if (StringUtils.isNotBlank(dataValidatorFilterExcludedUrls)) {
+ return Arrays.asList(dataValidatorFilterExcludedUrls.split(","));
+ }
+ }
+ return new ArrayList<>();
+ }
+
+}
--
cgit 1.2.3-korg
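Review bot: `getDataValidatorFilterExcludedUrls` splits the configured value on `,` without trimming or dropping empty entries, so a trailing comma or spaces around a comma produce `""` or `" /path"` entries; depending on how DataValidatorFilterAbstract matches excluded URLs (not visible here), an empty entry could exclude every request from validation and silently disable the check this commit introduces. Normalising the list, `return Arrays.stream(dataValidatorFilterExcludedUrls.split(",")).map(String::trim).filter(StringUtils::isNotEmpty).collect(Collectors.toList());`, keeps the configuration forgiving without that risk (it needs a `java.util.stream.Collectors` import). The `throws NotAllowedSpecialCharsException` clause on `doFilter` is dead: the only call that can raise it sits inside the try block that catches it, so the clause can be dropped. Returning an empty list when CommonConfigurationManager is unavailable means nothing is excluded, i.e. validation fails closed; a comment stating that intent, `// no configuration available: exclude nothing, so every request is validated`, would keep a later reader from "fixing" it.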