From 013779aedf93a6f6ff878c457de53e729540c252 Mon Sep 17 00:00:00 2001
From: vasraz <vasyl.razinkov@est.tech>
Date: Wed, 7 Sep 2022 18:45:20 +0100
Subject: Fix high-severity bug 'application exposed to path traversal attack'

Signed-off-by: Vasyl Razinkov <vasyl.razinkov@est.tech>
Change-Id: I7f4b1e8d083cc39f8e57dcedddecc6af56fdc9c2
Issue-ID: SDC-4169
---
 .../notifications-fe/src/main/webapp/WEB-INF/web.xml        | 13 +++++++++----
 .../onboarding-rest-war/src/main/webapp/WEB-INF/web.xml     | 13 ++++++++-----
 2 files changed, 17 insertions(+), 9 deletions(-)

(limited to 'openecomp-be')

diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml b/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml
index f0bad66222..9191a35786 100644
--- a/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml
+++ b/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml
@@ -1,8 +1,8 @@
 <web-app
-        xmlns="http://java.sun.com/xml/ns/javaee"
-        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
-        version="3.0">
+    xmlns="http://java.sun.com/xml/ns/javaee"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+    version="3.0">
 
 
     <!-- Spring -->
@@ -79,6 +79,11 @@
         <load-on-startup>1</load-on-startup>
     </servlet>
 
+    <context-param>
+        <param-name>org.eclipse.jetty.servlet.Default.dirAllowed</param-name>
+        <param-value>false</param-value>
+    </context-param>
+
     <servlet-mapping>
         <servlet-name>spring-mapper</servlet-name>
         <url-pattern>/ws/*</url-pattern>
diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml
index 09d2fb16b4..3cbfb1325e 100644
--- a/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml
+++ b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml
@@ -1,8 +1,8 @@
 <web-app
-        xmlns="http://java.sun.com/xml/ns/javaee"
-        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
-        version="3.0">
+    xmlns="http://java.sun.com/xml/ns/javaee"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+    version="3.0">
 
 
     <!-- Spring -->
@@ -16,7 +16,10 @@
         <param-value>org.openecomp.sdc.be.togglz.TogglzConfiguration</param-value>
     </context-param>
 
-
+    <context-param>
+        <param-name>org.eclipse.jetty.servlet.Default.dirAllowed</param-name>
+        <param-value>false</param-value>
+    </context-param>
 
     <listener>
         <listener-class>org.openecomp.server.listeners.OnboardingAppStartupListener</listener-class>
-- 
cgit 1.2.3-korg