From ddb9d5a7637b382be9ac7a96ad023a983c41c342 Mon Sep 17 00:00:00 2001 From: vasraz Date: Fri, 14 Oct 2022 13:35:39 +0100 Subject: Fix security risk 'Improper Input Validation' Signed-off-by: Vasyl Razinkov Change-Id: I6a52148aec3b567db43ec57109214e52d106f73c Issue-ID: SDC-4189 --- .../src/main/webapp/WEB-INF/web.xml | 28 ++++++--- .../src/main/webapp/WEB-INF/beans-services.xml | 2 +- .../src/main/webapp/WEB-INF/web.xml | 52 ++++++++++------ .../templates/default/configuration.yaml.erb | 3 + .../sdc/common/errors/DefaultExceptionMapper.java | 16 +++++ .../sdc/common/filters/DataValidatorFilter.java | 71 ++++++++++++++++++++++ openecomp-be/tools/migration/README | 2 +- 7 files changed, 142 insertions(+), 32 deletions(-) create mode 100644 openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/filters/DataValidatorFilter.java (limited to 'openecomp-be') diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml b/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml index b51399ca54..f0291cb060 100644 --- a/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml +++ b/openecomp-be/api/openecomp-sdc-rest-webapp/notifications-fe/src/main/webapp/WEB-INF/web.xml @@ -14,6 +14,15 @@ org.openecomp.server.listeners.OnboardingAppStartupListener + + dataValidatorFilter + org.openecomp.sdc.common.filters.DataValidatorFilter + + + dataValidatorFilter + /v1.0/* + + contentSecurityPolicyHeaderFilter org.openecomp.sdc.common.filters.ContentSecurityPolicyHeaderFilter @@ -54,6 +63,7 @@ RestrictionAccessFilter /* + spring-mapper @@ -62,10 +72,13 @@ 1 + + spring-mapper + /ws/* + CXFServlet - CXF Servlet org.apache.cxf.transport.servlet.CXFServlet @@ -87,19 +100,14 @@ 1 + + CXFServlet + /* + org.eclipse.jetty.servlet.Default.dirAllowed false - - spring-mapper - /ws/* - - - CXFServlet - /* - - 
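Review bot: The new dataValidatorFilter mapping covers only `/v1.0/*`, while CXFServlet in this same file is mapped to `/*` and spring-mapper to `/ws/*`, so any endpoint the notifications app serves outside `/v1.0/` keeps receiving unvalidated input (XML tags are stripped in this rendering, so the exact mapping elements are inferred). The filter mapping is also declared ahead of the RestrictionAccessFilter mapping, so by servlet filter ordering it runs before access checks and returns 400 bodies to unauthenticated callers. Either map the validator to `/*` and rely on the configured exclusion list, or add a comment at the mapping such as `<!-- DataValidatorFilter intentionally limited to /v1.0/*; other prefixes carry no user-supplied data -->` if that is the verified intent.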
diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/beans-services.xml b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/beans-services.xml index 9c2aa51a28..15251436d6 100644 --- a/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/beans-services.xml +++ b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/beans-services.xml @@ -104,4 +104,4 @@ - \ No newline at end of file + diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml index eb8bd9e93f..31400f878e 100644 --- a/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml +++ b/openecomp-be/api/openecomp-sdc-rest-webapp/onboarding-rest-war/src/main/webapp/WEB-INF/web.xml @@ -24,9 +24,19 @@ org.openecomp.server.listeners.OnboardingAppStartupListener + + dataValidatorFilter + org.openecomp.sdc.common.filters.DataValidatorFilter + + + dataValidatorFilter + /v1.0/* + + contentSecurityPolicyHeaderFilter - org.openecomp.sdc.common.filters.ContentSecurityPolicyHeaderFilter + org.openecomp.sdc.common.filters.ContentSecurityPolicyHeaderFilter + true @@ -41,9 +51,6 @@ PermissionsFilter /v1.0/vendor-license-models/* - - - PermissionsFilter /v1.0/vendor-software-products/* @@ -63,6 +70,10 @@ * + + cross-origin + /* + RestrictionAccessFilter 
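Review bot: The dataValidatorFilter mapping for `/v1.0/*` is declared before the PermissionsFilter, cross-origin and RestrictionAccessFilter mappings, so it executes first in the chain and validation failures are answered before any authentication or permission check runs; the commit does not say whether that is intended. The path prefixes in this file are not uniform (BasicAuth is mapped to `/1.0/*` in the following hunk), so `/v1.0/*` should be confirmed against every prefix this WAR actually serves rather than assumed. A short comment next to the mapping, e.g. `<!-- runs before authN/authZ on purpose: reject malformed input early -->`, would make the ordering decision explicit for the next maintainer.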
@@ -73,34 +84,34 @@ RestrictionAccessFilter /* + BasicAuth org.openecomp.server.filters.BasicAuthenticationFilter - - AuthN - org.openecomp.server.filters.ActionAuthenticationFilter - - - AuthZ - org.openecomp.server.filters.ActionAuthorizationFilter - - - cross-origin - /* - BasicAuth /1.0/* + + + AuthN + org.openecomp.server.filters.ActionAuthenticationFilter + AuthN /workflow/v1.0/actions/* + + + AuthZ + org.openecomp.server.filters.ActionAuthorizationFilter + AuthZ /workflow/v1.0/actions/* + SessionContextFilter org.openecomp.server.filters.OnboardingSessionContextFilter @@ -109,6 +120,7 @@ SessionContextFilter /* + spring-mapper @@ -117,6 +129,10 @@ 1 + + spring-mapper + /ws/* + CXFServlet @@ -141,10 +157,6 @@ 1 - - spring-mapper - /ws/* - CXFServlet /* diff --git a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb index 93e0be9467..142977c078 100644 --- a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb +++ b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/chef-repo/cookbooks/sdc-onboard-backend/templates/default/configuration.yaml.erb @@ -72,3 +72,6 @@ externalCsarStore: #Space separated list of permitted ancestors permittedAncestors: <%= @permittedAncestors %> + +# Comma separated list of excluded URLs by the DataValidatorFilter +dataValidatorFilterExcludedUrls: "/healthCheck,/followed,/authorize" diff --git a/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/errors/DefaultExceptionMapper.java b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/errors/DefaultExceptionMapper.java index a059434709..4ad6fd7874 100644 
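Review bot: The AuthN/AuthZ mappings in this hunk show that `/workflow/v1.0/actions/*` is a served prefix, and it is not matched by the validator's `/v1.0/*` pattern, so the workflow action endpoints stay outside the new input validation. If those endpoints accept user data, add a second mapping `dataValidatorFilter` → `/workflow/v1.0/*` alongside the existing one. The accompanying configuration.yaml.erb comment should also state how an excluded URL is matched (exact path versus prefix), since the three listed paths bypass validation entirely and the matching semantics are not visible in this change.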
--- a/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/errors/DefaultExceptionMapper.java +++ b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/errors/DefaultExceptionMapper.java @@ -16,10 +16,12 @@ package org.openecomp.sdc.common.errors; import com.fasterxml.jackson.databind.JsonMappingException; +import java.io.IOException; import java.util.ArrayList; import java.util.List; import java.util.Map; import java.util.Set; +import javax.servlet.http.HttpServletResponse; import javax.validation.ConstraintViolation; import javax.validation.ConstraintViolationException; import javax.validation.Path; @@ -29,8 +31,12 @@ import javax.ws.rs.core.Response.Status; import javax.ws.rs.ext.ExceptionMapper; import org.apache.commons.collections4.CollectionUtils; import org.hibernate.validator.internal.engine.path.PathImpl; +import org.onap.sdc.security.RepresentationUtils; import org.openecomp.core.utilities.file.FileUtils; import org.openecomp.core.utilities.json.JsonUtil; +import org.openecomp.sdc.exception.NotAllowedSpecialCharsException; +import org.openecomp.sdc.exception.ResponseFormat; +import org.openecomp.sdc.exception.ServiceException; import org.openecomp.sdc.logging.api.Logger; import org.openecomp.sdc.logging.api.LoggerFactory; 
@@ -113,4 +119,14 @@ public class DefaultExceptionMapper implements ExceptionMapper { private Object toEntity(final Status status, final ErrorCode code) { return new ErrorCodeAndMessage(status, code); } + + public void writeToResponse(final NotAllowedSpecialCharsException e, final HttpServletResponse httpResponse) throws IOException { + final ResponseFormat responseFormat = new ResponseFormat(400); + responseFormat.setServiceException(new ServiceException(e.getErrorId(), e.getMessage(), new String[0])); + httpResponse.setStatus(responseFormat.getStatus()); + httpResponse.setContentType("application/json"); + httpResponse.setCharacterEncoding("UTF-8"); + httpResponse.getWriter().write(RepresentationUtils.toRepresentation(responseFormat.getRequestError())); + } + } diff --git a/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/filters/DataValidatorFilter.java b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/filters/DataValidatorFilter.java new file mode 100644 index 0000000000..6e3f665762 --- /dev/null +++ b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/filters/DataValidatorFilter.java 
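Review bot: writeToResponse sends the 400 body but never records the rejection, so a request blocked for disallowed characters leaves no trace for detection or incident response; the class already imports the logging API, so a `LOGGER.warn("Request rejected by DataValidatorFilter: {} - {}", e.getErrorId(), e.getMessage());` (field name inferred, not visible in this hunk) before the write would close that gap. The status is hard-coded as `new ResponseFormat(400)` even though `Status` is imported in this file; `new ResponseFormat(Status.BAD_REQUEST.getStatusCode())` keeps it consistent with the rest of the mapper. A Javadoc line such as `Writes a JSON 400 for a validation failure raised in the servlet filter, where JAX-RS exception mapping does not apply.` would explain why this method exists next to toResponse.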
@@ -0,0 +1,71 @@
+/*
+ * ============LICENSE_START=======================================================
+ * SDC
+ * ================================================================================
+ * Copyright (C) 2022 Nordix Foundation. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.common.filters;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.lang3.StringUtils;
+import org.openecomp.sdc.common.CommonConfigurationManager;
+import org.openecomp.sdc.common.errors.DefaultExceptionMapper;
+import org.openecomp.sdc.exception.NotAllowedSpecialCharsException;
+
+/**
+ * Implements DataValidatorFilter for onboarding.
+ * Extends {@link DataValidatorFilterAbstract} + */ +public class DataValidatorFilter extends DataValidatorFilterAbstract { + + private final DefaultExceptionMapper defaultExceptionMapper; + + public DataValidatorFilter() { + defaultExceptionMapper = new DefaultExceptionMapper(); + } + + @Override + public void doFilter(final ServletRequest request, ServletResponse response, final FilterChain chain) + throws IOException, ServletException, NotAllowedSpecialCharsException { + try { + super.doFilter(request, response, chain); + } catch (final NotAllowedSpecialCharsException e) { + defaultExceptionMapper.writeToResponse(e, (HttpServletResponse) response); + } + } + + @Override + protected List getDataValidatorFilterExcludedUrls() { + final CommonConfigurationManager commonConfigurationManager = CommonConfigurationManager.getInstance(); + if (commonConfigurationManager != null) { + final String dataValidatorFilterExcludedUrls = commonConfigurationManager.getConfigValue(DATA_VALIDATOR_FILTER_EXCLUDED_URLS, ""); + if (StringUtils.isNotBlank(dataValidatorFilterExcludedUrls)) { + return Arrays.asList(dataValidatorFilterExcludedUrls.split(",")); + } + } + return new ArrayList<>(); + } + +} diff --git a/openecomp-be/tools/migration/README b/openecomp-be/tools/migration/README index 2245aafb99..74f62f5050 100644 --- a/openecomp-be/tools/migration/README +++ b/openecomp-be/tools/migration/README @@ -42,7 +42,7 @@ Usage - The migration result will be listed in a CSV file: upgradereport.csv "None" is an indication that the VSP was not in a checkout status prior to the upgrade. - Exmample for a valid output: + Example for a valid output: Name: VSP-OK, Id: 9DB0E1563B22481D911ECD33989E1FDD, Vendor: ABC, locked by: None, status not started Service VSP-OK was tested and does not need a migration -- cgit 1.2.3-korg
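Review bot: getDataValidatorFilterExcludedUrls splits the configured value on `,` without trimming or dropping empty tokens, so a value like `"/healthCheck, /followed"` or one with a trailing comma yields entries such as `" /followed"` or `""`; how those are matched lives in DataValidatorFilterAbstract, which is not in this change, but if it is prefix or contains matching an empty entry would exclude every URL and silently disable the validator. Normalising the list removes that failure mode: `return Arrays.stream(dataValidatorFilterExcludedUrls.split(",")).map(String::trim).filter(StringUtils::isNotEmpty).collect(Collectors.toList());` (needs a `java.util.stream.Collectors` import). The `throws ... NotAllowedSpecialCharsException` on doFilter is misleading because the method catches that exception and never propagates it; drop it from the clause. The class Javadoc should also state that the exclusion list comes from the `dataValidatorFilterExcludedUrls` configuration key and that a missing CommonConfigurationManager means no URL is excluded.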