authorvasraz <vasyl.razinkov@est.tech>2022-11-23 14:58:02 +0000
committerMichael Morris <michael.morris@est.tech>2022-11-28 16:13:19 +0000
commitc185851ae5df8f827922b924c11daa0ab4c10582 (patch)
treea4eb0abb7f3ff23ee83c53d4b2986b3a83b66e74
parent131e3ba9462e895f98e443847bf6dd381ca0dc34 (diff)
Fix security issues
1. Redirect root to /workflows. 2. Fix high-severity bug 'application exposed to path traversal attack'. Signed-off-by: Vasyl Razinkov <vasyl.razinkov@est.tech> Change-Id: Ib3ef429e7d75d87c23f4c00b63e0554b1e223273 Issue-ID: SDC-4278
-rw-r--r--sdc-workflow-designer-ui/docker/Dockerfile3
-rw-r--r--sdc-workflow-designer-ui/docker/rewrite-root-to-workflows.xml20
-rw-r--r--sdc-workflow-designer-ui/docker/startup.sh32
-rw-r--r--sdc-workflow-designer-ui/src/main/webapp/WEB-INF/web.xml11
4 files changed, 48 insertions, 18 deletions
diff --git a/sdc-workflow-designer-ui/docker/Dockerfile b/sdc-workflow-designer-ui/docker/Dockerfile
index 2be5ea56..02c12050 100644
--- a/sdc-workflow-designer-ui/docker/Dockerfile
+++ b/sdc-workflow-designer-ui/docker/Dockerfile
@@ -8,6 +8,7 @@ USER root
ARG ARTIFACT
COPY org.onap.sdc.p12 org.onap.sdc.trust.jks ${JETTY_BASE}/etc/
+COPY rewrite-root-to-workflows.xml ${JETTY_BASE}/etc/
ADD --chown=jetty:jetty ${ARTIFACT} ${JETTY_BASE}/webapps/
RUN chown -R jetty:jetty ${JETTY_BASE}/webapps ${JETTY_BASE}/etc/
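Review bot: The new `COPY rewrite-root-to-workflows.xml ${JETTY_BASE}/etc/` relies on the later `RUN chown -R jetty:jetty ... ${JETTY_BASE}/etc/` to fix ownership, while the neighbouring `ADD --chown=jetty:jetty` and `COPY --chown=jetty:jetty startup.sh` lines set ownership at copy time. For consistency, and so the file's ownership does not depend on that chown layer staying in place, write it as `COPY --chown=jetty:jetty rewrite-root-to-workflows.xml ${JETTY_BASE}/etc/`. The rest of the Dockerfile lies outside this hunk, and the second hunk of the file is whitespace only.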
@@ -15,5 +16,5 @@ RUN chown -R jetty:jetty ${JETTY_BASE}/webapps ${JETTY_BASE}/etc/
COPY --chown=jetty:jetty startup.sh .
RUN chmod 744 startup.sh
-USER jetty
+USER jetty
ENTRYPOINT [ "./startup.sh" ]
diff --git a/sdc-workflow-designer-ui/docker/rewrite-root-to-workflows.xml b/sdc-workflow-designer-ui/docker/rewrite-root-to-workflows.xml
new file mode 100644
index 00000000..cbfe6d39
--- /dev/null
+++ b/sdc-workflow-designer-ui/docker/rewrite-root-to-workflows.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0"?><!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
+ "http://www.eclipse.org/jetty/configure_9_3.dtd">
+<Configure id="Server" class="org.eclipse.jetty.server.Server">
+ <Ref refid="Rewrite">
+ <Call name="addRule">
+ <Arg>
+ <New class="org.eclipse.jetty.rewrite.handler.RedirectPatternRule">
+ <Set name="pattern" type="String"/>
+ <Set name="location">/workflows</Set>
+ </New>
+ </Arg>
+ </Call>
+ </Ref>
+ <!-- ===================== -->
+ <!-- DefaultHandler config -->
+ <!-- ===================== -->
+ <Ref id="DefaultHandler">
+ <Set name="showContexts">false</Set>
+ </Ref>
+</Configure>
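Review bot: `<Set name="pattern" type="String"/>` gives the RedirectPatternRule an empty pattern, and nothing in the file says why that selects only the root path; in Jetty's servlet-style path-spec matching an empty spec matches the context root (`/`) alone, but a reader will take the empty element for a mistake. Add a comment above the rule, e.g. `<!-- empty pattern = context root only: redirects / to /workflows -->`. The two references are inconsistent: the first is `<Ref refid="Rewrite">` while the DefaultHandler one is `<Ref id="DefaultHandler">`; `refid` is the attribute that names a reference, and if this Jetty version does not accept `id` as an alias the `showContexts` setting is silently skipped, so use `<Ref refid="DefaultHandler">` and confirm on a started container that the 404 page no longer lists deployed contexts. Both `Rewrite` and `DefaultHandler` are ids defined by Jetty's own module XML, so this file only works when loaded after them, which the `rewrite.ini` append in startup.sh appears to arrange.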
diff --git a/sdc-workflow-designer-ui/docker/startup.sh b/sdc-workflow-designer-ui/docker/startup.sh
index b2f2d516..9a5252fa 100644
--- a/sdc-workflow-designer-ui/docker/startup.sh
+++ b/sdc-workflow-designer-ui/docker/startup.sh
@@ -3,25 +3,29 @@
# adding support for https
HTTPS_ENABLED=${IS_HTTPS:-"false"}
CLIENT_AUTH=${IS_CLIENT_AUTH:-"false"}
-if [ "$HTTPS_ENABLED" = "true" ]
-then
- echo "enable ssl"
- java -jar "${JETTY_HOME}/start.jar" --add-to-start=https,ssl \
- jetty.sslContext.keyStorePath=$KEYSTORE_PATH \
- jetty.sslContext.keyStorePassword=$KEYSTORE_PASS \
- jetty.sslContext.keyManagerPassword=$KEYSTORE_PASS \
- jetty.sslContext.trustStorePath=$TRUSTSTORE_PATH \
- jetty.sslContext.trustStorePassword=$TRUSTSTORE_PASS
+java -jar ${JETTY_HOME}/start.jar --create-startd --add-to-start=rewrite
- echo "setting SSL environment variable"
+if [ "$HTTPS_ENABLED" = "true" ]; then
+ echo "enable ssl"
- SSL_JAVA_OPTS=" -DkeystorePath=$JETTY_BASE/$KEYSTORE_PATH -DkeystorePassword=$KEYSTORE_PASS -DkeyManagerPassword=$KEYSTORE_PASS -DtruststorePath=$JETTY_BASE/$KEYSTORE_PATH -DtruststorePassword=$TRUSTSTORE_PASS -DsslTrustAll=$TRUST_ALL"
+ java -jar "${JETTY_HOME}/start.jar" --add-to-start=https,ssl \
+ jetty.sslContext.keyStorePath=$KEYSTORE_PATH \
+ jetty.sslContext.keyStorePassword=$KEYSTORE_PASS \
+ jetty.sslContext.keyManagerPassword=$KEYSTORE_PASS \
+ jetty.sslContext.trustStorePath=$TRUSTSTORE_PATH \
+ jetty.sslContext.trustStorePassword=$TRUSTSTORE_PASS
- echo $SSL_JAVA_OPTS
+ echo "setting SSL environment variable"
+
+ SSL_JAVA_OPTS=" -DkeystorePath=$JETTY_BASE/$KEYSTORE_PATH -DkeystorePassword=$KEYSTORE_PASS -DkeyManagerPassword=$KEYSTORE_PASS -DtruststorePath=$JETTY_BASE/$KEYSTORE_PATH -DtruststorePassword=$TRUSTSTORE_PASS -DsslTrustAll=$TRUST_ALL"
+
+ echo $SSL_JAVA_OPTS
else
- echo "no ssl required"
+ echo "no ssl required"
fi
-java $JAVA_OPTIONS -DproxyTo=$BACKEND $SSL_JAVA_OPTS -jar $JETTY_HOME/start.jar
+echo "etc/rewrite-root-to-workflows.xml" >>${JETTY_BASE}/start.d/rewrite.ini
+
+java ${JAVA_OPTIONS} -DproxyTo=${BACKEND} ${SSL_JAVA_OPTS} -jar ${JETTY_HOME}/start.jar
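Review bot: `echo $SSL_JAVA_OPTS` in the https branch writes the keystore and truststore passwords (`-DkeystorePassword=...`, `-DkeyManagerPassword=...`, `-DtruststorePassword=...`) to the container log, and this re-indented line survives unchanged into a commit titled 'Fix security issues'; replace it with an echo of the non-secret parts only, e.g. `echo "SSL enabled: keystorePath=$JETTY_BASE/$KEYSTORE_PATH truststorePath=$JETTY_BASE/$TRUSTSTORE_PATH"`. The same `SSL_JAVA_OPTS` assignment passes `-DtruststorePath=$JETTY_BASE/$KEYSTORE_PATH`, whereas the `--add-to-start=https,ssl` call just above uses `$TRUSTSTORE_PATH` for the truststore, so one of the two looks wrong and should be reconciled. The new `echo "etc/rewrite-root-to-workflows.xml" >>${JETTY_BASE}/start.d/rewrite.ini` appends on every start, so with a persisted `JETTY_BASE` the XML is listed once more per restart and presumably loaded each time it is listed; guard it with `grep -qxF "etc/rewrite-root-to-workflows.xml" "${JETTY_BASE}/start.d/rewrite.ini" || echo "etc/rewrite-root-to-workflows.xml" >>"${JETTY_BASE}/start.d/rewrite.ini"`. The script's shebang and any `set -e` lie before the hunk, so whether a failed `--add-to-start=rewrite` aborts the start cannot be seen here.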
diff --git a/sdc-workflow-designer-ui/src/main/webapp/WEB-INF/web.xml b/sdc-workflow-designer-ui/src/main/webapp/WEB-INF/web.xml
index 279b405e..5022f471 100644
--- a/sdc-workflow-designer-ui/src/main/webapp/WEB-INF/web.xml
+++ b/sdc-workflow-designer-ui/src/main/webapp/WEB-INF/web.xml
@@ -1,8 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
- version="4.0">
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
+ version="4.0">
<servlet>
<servlet-name>Backend Proxy</servlet-name>
@@ -16,4 +16,9 @@
<url-pattern>/v1.0/activity-spec/*</url-pattern>
</servlet-mapping>
+ <context-param>
+ <param-name>org.eclipse.jetty.servlet.Default.dirAllowed</param-name>
+ <param-value>false</param-value>
+ </context-param>
+
</web-app>
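Review bot: The new `org.eclipse.jetty.servlet.Default.dirAllowed` context-param carries no comment saying what it is for, and the commit message's 'path traversal' wording suggests more than it does: it turns off DefaultServlet directory listings for directories without a welcome file, nothing else. Add above the `<context-param>`: `<!-- Disable DefaultServlet directory listings (read via Jetty's org.eclipse.jetty.servlet.Default.* context-param fallback); it does not affect the Backend Proxy mapping above -->`. Worth checking on a started container that a request for a static directory should now return 403 rather than a listing, and that no explicit default-servlet `<init-param>` elsewhere overrides it. The first hunk of this file is whitespace only.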