From ddb9d5a7637b382be9ac7a96ad023a983c41c342 Mon Sep 17 00:00:00 2001 From: vasraz Date: Fri, 14 Oct 2022 13:35:39 +0100 Subject: Fix security risk 'Improper Input Validation' Signed-off-by: Vasyl Razinkov Change-Id: I6a52148aec3b567db43ec57109214e52d106f73c Issue-ID: SDC-4189 --- .../sdc/webseal/simulator/DataValidatorFilter.java | 62 ++++++ .../org/openecomp/sdc/webseal/simulator/Login.java | 2 +- .../sdc/webseal/simulator/RequestsClient.java | 233 +++++++++++---------- .../openecomp/sdc/webseal/simulator/conf/Conf.java | 1 + .../src/main/webapp/WEB-INF/web.xml | 10 + 5 files changed, 192 insertions(+), 116 deletions(-) create mode 100644 utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/DataValidatorFilter.java (limited to 'utils/webseal-simulator') diff --git a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/DataValidatorFilter.java b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/DataValidatorFilter.java new file mode 100644 index 0000000000..a226faf0eb --- /dev/null +++ b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/DataValidatorFilter.java 
@@ -0,0 +1,62 @@
+/*
+ * ============LICENSE_START=======================================================
+ * SDC
+ * ================================================================================
+ * Copyright (C) 2022 Nordix Foundation. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.webseal.simulator;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.lang3.StringUtils;
+import org.openecomp.sdc.common.filters.DataValidatorFilterAbstract;
+import org.openecomp.sdc.exception.NotAllowedSpecialCharsException;
+import org.openecomp.sdc.webseal.simulator.conf.Conf;
+
+/**
+ * Implement DataValidatorFilter for webseal.
+ * Extends {@link DataValidatorFilterAbstract} + */ +public class DataValidatorFilter extends DataValidatorFilterAbstract { + + @Override + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) + throws IOException, ServletException, NotAllowedSpecialCharsException { + try { + super.doFilter(request, response, chain); + } catch (final NotAllowedSpecialCharsException e) { + // error handing to show 'Error: Special characters not allowed.' + ((HttpServletResponse) response).sendError(400, ERROR_SPECIAL_CHARACTERS_NOT_ALLOWED); + } + } + + @Override + protected List getDataValidatorFilterExcludedUrls() { + String dataValidatorFilterExcludedUrls = Conf.getInstance().getDataValidatorFilterExcludedUrls(); + if (StringUtils.isNotBlank(dataValidatorFilterExcludedUrls)) { + return Arrays.asList(dataValidatorFilterExcludedUrls.split(",")); + } + return new ArrayList<>(); + } +} diff --git a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/Login.java b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/Login.java index 32d8c2916d..292f4a30d4 100644 --- a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/Login.java +++ b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/Login.java @@ -113,7 +113,7 @@ public class Login extends HttpServlet { } @Override - public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { + public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException { String userId = request.getParameter("userId"); String password = request.getParameter("password"); diff --git a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/RequestsClient.java b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/RequestsClient.java index 7aa48e62cf..e8c4631c65 100644 
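Review bot: `getDataValidatorFilterExcludedUrls` splits the configured value on `,` without trimming, so a setting written as `/a, /b` produces the entry ` /b`, which is unlikely to match a request path (the matching itself lives in DataValidatorFilterAbstract, outside this diff, so confirm there). It also declares a raw `List` and hands back a fixed-size `Arrays.asList` view; `return Arrays.stream(dataValidatorFilterExcludedUrls.split(",")).map(String::trim).filter(StringUtils::isNotBlank).collect(Collectors.toList());` with `List<String>` in the signature (and a `java.util.stream.Collectors` import) addresses both. Separately, `doFilter` catches `NotAllowedSpecialCharsException` and answers with 400, so the `throws NotAllowedSpecialCharsException` clause on its signature is no longer reachable from this method and can be dropped if the parent signature permits; `HttpServletResponse.SC_BAD_REQUEST` reads better than the literal `400`. A one-line Javadoc on the override, such as `/** Returns the comma-separated URL list from {@link Conf#getDataValidatorFilterExcludedUrls()}, or an empty list when unset. */`, would also help since the base-class contract is not visible here.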
--- a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/RequestsClient.java +++ b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/RequestsClient.java @@ -7,9 +7,9 @@ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
@@ -20,126 +20,129 @@ package org.openecomp.sdc.webseal.simulator; -import org.apache.commons.io.IOUtils; -import org.openecomp.sdc.webseal.simulator.conf.Conf; - -import javax.servlet.ServletException; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import java.io.*; +import java.io.BufferedReader; +import java.io.DataOutputStream; +import java.io.IOException; +import java.io.InputStreamReader; +import java.io.PrintWriter; import java.net.HttpURLConnection; import java.net.URL; import java.util.HashMap; import java.util.Map; import java.util.Map.Entry; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import org.apache.commons.io.IOUtils; +import org.openecomp.sdc.webseal.simulator.conf.Conf; public class RequestsClient extends HttpServlet { - private static final long serialVersionUID = 1L; - - @Override - protected void doGet(final HttpServletRequest request, final HttpServletResponse response) throws ServletException, IOException { - - String adminId = request.getParameter("adminId") != null ? request.getParameter("adminId") : "jh0003"; - String createAll = request.getParameter("all"); - String url = Conf.getInstance().getFeHost() + "/sdc1/feProxy/rest/v1/user"; - - PrintWriter writer = response.getWriter(); - - int resultCode; - - if ("true".equals(createAll)) { - Map users = Conf.getInstance().getUsers(); - for (User user : users.values()) { - resultCode = createUser(response, user.getUserId(), user.getRole().toUpperCase(), user.getFirstName(), user.getLastName(), user.getEmail(), url, adminId); - writer.println("User "+ user.getFirstName() + " " + user.getLastName() + getResultMessage(resultCode) + "
"); - } - } else { - String userId = request.getParameter("userId"); - String role = request.getParameter("role").toUpperCase(); - String firstName = request.getParameter("firstName"); - String lastName = request.getParameter("lastName"); - String email = request.getParameter("email"); - - resultCode = createUser(response, userId, role, firstName, lastName, email, url, adminId); - - writer.println("User "+ firstName + " " + lastName +getResultMessage(resultCode)); - } - - - - } - - private String getResultMessage(int resultCode){ - return 201 == resultCode? " created successfuly":" not created ("+ resultCode +")"; - } - - private int createUser(final HttpServletResponse response, String userId, String role, String firstName, String lastName, String email, String url, String adminId) throws IOException { - response.setContentType("text/html"); - - String body = "{\"firstName\":\"" + firstName + "\", \"lastName\":\"" + lastName + "\", \"userId\":\"" + userId + "\", \"email\":\"" + email + "\",\"role\":\"" + role + "\"}"; - - HashMap headers = new HashMap(); - headers.put("Content-Type", "application/json"); - headers.put("USER_ID", adminId); - return sendHttpPost(url, body, headers); - } - - private int sendHttpPost(String url, String body, Map headers) throws IOException { - - String responseString = ""; - URL obj = new URL(url); - HttpURLConnection con = (HttpURLConnection) obj.openConnection(); - - // add request method - con.setRequestMethod("POST"); - - // add request headers - if (headers != null) { - for (Entry header : headers.entrySet()) { - String key = header.getKey(); - String value = header.getValue(); - con.setRequestProperty(key, value); - } - } - - // Send post request - if (body != null) { - con.setDoOutput(true); - DataOutputStream wr = new DataOutputStream(con.getOutputStream()); - wr.writeBytes(body); - wr.flush(); - wr.close(); - } - - int responseCode = con.getResponseCode(); - // logger.debug("Send POST http request, url: {}", url); - // 
logger.debug("Response Code: {}", responseCode); - - StringBuilder response = new StringBuilder(); - try { - BufferedReader in = new BufferedReader(new InputStreamReader(con.getInputStream())); - String inputLine; - while ((inputLine = in.readLine()) != null) { - response.append(inputLine); - } - in.close(); - } catch (Exception e) { - // logger.debug("response body is null"); - } - - String result; - - try { - result = IOUtils.toString(con.getErrorStream()); - response.append(result); - } catch (Exception e2) { - } - - con.disconnect(); - return responseCode; - - } + private static final long serialVersionUID = 1L; + + @Override + protected void doGet(final HttpServletRequest request, final HttpServletResponse response) throws IOException { + + String adminId = request.getParameter("adminId") != null ? request.getParameter("adminId") : "jh0003"; + String createAll = request.getParameter("all"); + String url = Conf.getInstance().getFeHost() + "/sdc1/feProxy/rest/v1/user"; + + PrintWriter writer = response.getWriter(); + + int resultCode; + + if ("true".equals(createAll)) { + Map users = Conf.getInstance().getUsers(); + for (User user : users.values()) { + resultCode = createUser(response, user.getUserId(), user.getRole().toUpperCase(), user.getFirstName(), user.getLastName(), + user.getEmail(), url, adminId); + writer.println("User " + user.getFirstName() + " " + user.getLastName() + getResultMessage(resultCode) + "
"); + } + } else { + String userId = request.getParameter("userId"); + String role = request.getParameter("role").toUpperCase(); + String firstName = request.getParameter("firstName"); + String lastName = request.getParameter("lastName"); + String email = request.getParameter("email"); + + resultCode = createUser(response, userId, role, firstName, lastName, email, url, adminId); + + writer.println("User " + firstName + " " + lastName + getResultMessage(resultCode)); + } + + } + + private String getResultMessage(int resultCode) { + return 201 == resultCode ? " created successfuly" : " not created (" + resultCode + ")"; + } + + private int createUser(final HttpServletResponse response, String userId, String role, String firstName, String lastName, String email, + String url, String adminId) throws IOException { + response.setContentType("text/html"); + + String body = "{\"firstName\":\"" + firstName + "\", \"lastName\":\"" + lastName + "\", \"userId\":\"" + userId + "\", \"email\":\"" + email + + "\",\"role\":\"" + role + "\"}"; + + HashMap headers = new HashMap(); + headers.put("Content-Type", "application/json"); + headers.put("USER_ID", adminId); + return sendHttpPost(url, body, headers); + } + + private int sendHttpPost(String url, String body, Map headers) throws IOException { + + String responseString = ""; + URL obj = new URL(url); + HttpURLConnection con = (HttpURLConnection) obj.openConnection(); + + // add request method + con.setRequestMethod("POST"); + + // add request headers + if (headers != null) { + for (Entry header : headers.entrySet()) { + String key = header.getKey(); + String value = header.getValue(); + con.setRequestProperty(key, value); + } + } + + // Send post request + if (body != null) { + con.setDoOutput(true); + DataOutputStream wr = new DataOutputStream(con.getOutputStream()); + wr.writeBytes(body); + wr.flush(); + wr.close(); + } + + int responseCode = con.getResponseCode(); + // logger.debug("Send POST http request, url: {}", url); + 
// logger.debug("Response Code: {}", responseCode); + + StringBuilder response = new StringBuilder(); + try { + BufferedReader in = new BufferedReader(new InputStreamReader(con.getInputStream())); + String inputLine; + while ((inputLine = in.readLine()) != null) { + response.append(inputLine); + } + in.close(); + } catch (Exception e) { + // logger.debug("response body is null"); + } + + String result; + + try { + result = IOUtils.toString(con.getErrorStream()); + response.append(result); + } catch (Exception e2) { + } + + con.disconnect(); + return responseCode; + + } } diff --git a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java index eb498c975e..3ce7f23da7 100644 --- a/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java +++ b/utils/webseal-simulator/src/main/java/org/openecomp/sdc/webseal/simulator/conf/Conf.java @@ -39,6 +39,7 @@ public class Conf { private Map users = new HashMap(); private String portalCookieName; private String permittedAncestors; // Space separated list of permitted ancestors + private String dataValidatorFilterExcludedUrls; // Comma separated list of excluded URLs by the DataValidatorFilter private Conf() { initConf(); diff --git a/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml b/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml index c23e265aae..08a32221b0 100644 --- a/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml +++ b/utils/webseal-simulator/src/main/webapp/WEB-INF/web.xml @@ -38,6 +38,16 @@ /create + + dataValidatorFilter + org.openecomp.sdc.webseal.simulator.DataValidatorFilter + + + dataValidatorFilter + /login + /create + + contentSecurityPolicyHeaderFilter org.openecomp.sdc.webseal.simulator.ContentSecurityPolicyHeaderFilter -- cgit 1.2.3-korg
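Review bot: `createUser` still assembles the JSON body by concatenating the raw `firstName`, `lastName`, `userId`, `email` and `role` request parameters, and `doGet` echoes `firstName`/`lastName` straight into a `text/html` response; the new DataValidatorFilter mapping on `/create` narrows what reaches this servlet, but it is not a substitute for JSON escaping and HTML encoding at the point of use (commons-lang3 `StringEscapeUtils`, which this module already depends on, covers both). In `sendHttpPost`, `DataOutputStream.writeBytes` writes only the low byte of each char, so any non-ASCII value in the body is silently corrupted, the stream is not closed if the write throws, and the reader side uses the platform default charset; the rewrite below uses try-with-resources and UTF-8 (it needs `java.io.OutputStream` and `java.nio.charset.StandardCharsets` imports). `request.getParameter("role").toUpperCase()` in `doGet` dereferences a possibly missing parameter, which surfaces as a 500 rather than a 400. The unused `responseString` local and the empty `catch (Exception e2) {}` around `IOUtils.toString(con.getErrorStream())` should go as well, since the latter hides any read failure.
```java
        // Send post request
        if (body != null) {
            con.setDoOutput(true);
            try (OutputStream out = con.getOutputStream()) {
                out.write(body.getBytes(StandardCharsets.UTF_8));
            }
        }

        int responseCode = con.getResponseCode();
        // … unchanged: commented-out logger lines …

        StringBuilder response = new StringBuilder();
        try (BufferedReader in = new BufferedReader(new InputStreamReader(con.getInputStream(), StandardCharsets.UTF_8))) {
            String inputLine;
            while ((inputLine = in.readLine()) != null) {
                response.append(inputLine);
            }
        } catch (IOException e) {
            // logger.debug("response body is null");
        }
        // … unchanged: error-stream read, disconnect, return …
```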
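Review bot: The new `filter-mapping` for `dataValidatorFilter` enumerates only `/login` and `/create` and carries no `<dispatcher>` element, so it applies to the REQUEST dispatch only; any servlet in this webapp that forwards to or includes those paths, or any other mapped path that accepts parameters, bypasses the validation — worth checking against the servlet mappings above this hunk, which are not visible here. Since the commit also adds the `dataValidatorFilterExcludedUrls` setting to Conf, mapping the filter with `<url-pattern>/*</url-pattern>` and listing the few paths that must stay unfiltered in that setting would make the coverage explicit instead of enumerated. A short XML comment above the mapping, such as `<!-- Rejects request parameters containing disallowed special characters with HTTP 400; exclusions come from Conf dataValidatorFilterExcludedUrls -->`, would document the intent for the next maintainer.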