From c185851ae5df8f827922b924c11daa0ab4c10582 Mon Sep 17 00:00:00 2001
From: vasraz
Date: Wed, 23 Nov 2022 14:58:02 +0000
Subject: Fix security issues
1. Redirect root to /workflows
2. High-severity bug 'application exposed to path traversal attack'
Signed-off-by: Vasyl Razinkov
Change-Id: Ib3ef429e7d75d87c23f4c00b63e0554b1e223273
Issue-ID: SDC-4278
---
 sdc-workflow-designer-ui/docker/Dockerfile | 3 +-
 .../docker/rewrite-root-to-workflows.xml | 20 ++++++++++++++
 sdc-workflow-designer-ui/docker/startup.sh | 32 ++++++++++++----------
 .../src/main/webapp/WEB-INF/web.xml | 11 ++++++--
 4 files changed, 48 insertions(+), 18 deletions(-)
 create mode 100644 sdc-workflow-designer-ui/docker/rewrite-root-to-workflows.xml
diff --git a/sdc-workflow-designer-ui/docker/Dockerfile b/sdc-workflow-designer-ui/docker/Dockerfile
index 2be5ea56..02c12050 100644
--- a/sdc-workflow-designer-ui/docker/Dockerfile
+++ b/sdc-workflow-designer-ui/docker/Dockerfile
@@ -8,6 +8,7 @@ USER root
 ARG ARTIFACT
 COPY org.onap.sdc.p12 org.onap.sdc.trust.jks ${JETTY_BASE}/etc/
+COPY rewrite-root-to-workflows.xml ${JETTY_BASE}/etc/
 ADD --chown=jetty:jetty ${ARTIFACT} ${JETTY_BASE}/webapps/
 RUN chown -R jetty:jetty ${JETTY_BASE}/webapps ${JETTY_BASE}/etc/
@@ -15,5 +16,5 @@ RUN chown -R jetty:jetty ${JETTY_BASE}/webapps ${JETTY_BASE}/etc/
 COPY --chown=jetty:jetty startup.sh .
 RUN chmod 744 startup.sh
-USER jetty
+USER jetty
 ENTRYPOINT [ "./startup.sh" ]
diff --git a/sdc-workflow-designer-ui/docker/rewrite-root-to-workflows.xml b/sdc-workflow-designer-ui/docker/rewrite-root-to-workflows.xml
new file mode 100644
index 00000000..cbfe6d39
--- /dev/null
+++ b/sdc-workflow-designer-ui/docker/rewrite-root-to-workflows.xml
@@ -0,0 +1,20 @@ + + + + + + + /workflows + + + + + + + + + false + +
diff --git a/sdc-workflow-designer-ui/docker/startup.sh b/sdc-workflow-designer-ui/docker/startup.sh
index b2f2d516..9a5252fa 100644
--- a/sdc-workflow-designer-ui/docker/startup.sh
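Review bot: The added `COPY rewrite-root-to-workflows.xml ${JETTY_BASE}/etc/` runs while the stage is still `USER root` and relies on the later `RUN chown -R jetty:jetty ${JETTY_BASE}/webapps ${JETTY_BASE}/etc/` for ownership; the neighbouring `ADD --chown=jetty:jetty` line already uses the explicit form, so `COPY --chown=jetty:jetty rewrite-root-to-workflows.xml ${JETTY_BASE}/etc/` would keep the hunk self-describing and not depend on the recursive chown staying in place. The file is only referenced again from startup.sh as `etc/rewrite-root-to-workflows.xml`, so a one-line comment above the COPY, `# Jetty rewrite rules (root -> /workflows); enabled at runtime via start.d/rewrite.ini`, would tie the two changes together for the next reader. The new-file hunk for the XML itself lost its markup in rendering, so its rule structure cannot be checked here.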
+++ b/sdc-workflow-designer-ui/docker/startup.sh
@@ -3,25 +3,29 @@
 # adding support for https
 HTTPS_ENABLED=${IS_HTTPS:-"false"}
 CLIENT_AUTH=${IS_CLIENT_AUTH:-"false"}
-if [ "$HTTPS_ENABLED" = "true" ]
-then
- echo "enable ssl"
- java -jar "${JETTY_HOME}/start.jar" --add-to-start=https,ssl \
- jetty.sslContext.keyStorePath=$KEYSTORE_PATH \
- jetty.sslContext.keyStorePassword=$KEYSTORE_PASS \
- jetty.sslContext.keyManagerPassword=$KEYSTORE_PASS \
- jetty.sslContext.trustStorePath=$TRUSTSTORE_PATH \
- jetty.sslContext.trustStorePassword=$TRUSTSTORE_PASS
+java -jar ${JETTY_HOME}/start.jar --create-startd --add-to-start=rewrite
- echo "setting SSL environment variable"
+if [ "$HTTPS_ENABLED" = "true" ]; then
+ echo "enable ssl"
- SSL_JAVA_OPTS=" -DkeystorePath=$JETTY_BASE/$KEYSTORE_PATH -DkeystorePassword=$KEYSTORE_PASS -DkeyManagerPassword=$KEYSTORE_PASS -DtruststorePath=$JETTY_BASE/$KEYSTORE_PATH -DtruststorePassword=$TRUSTSTORE_PASS -DsslTrustAll=$TRUST_ALL"
+ java -jar "${JETTY_HOME}/start.jar" --add-to-start=https,ssl \
+ jetty.sslContext.keyStorePath=$KEYSTORE_PATH \
+ jetty.sslContext.keyStorePassword=$KEYSTORE_PASS \
+ jetty.sslContext.keyManagerPassword=$KEYSTORE_PASS \
+ jetty.sslContext.trustStorePath=$TRUSTSTORE_PATH \
+ jetty.sslContext.trustStorePassword=$TRUSTSTORE_PASS
- echo $SSL_JAVA_OPTS
+ echo "setting SSL environment variable"
+
+ SSL_JAVA_OPTS=" -DkeystorePath=$JETTY_BASE/$KEYSTORE_PATH -DkeystorePassword=$KEYSTORE_PASS -DkeyManagerPassword=$KEYSTORE_PASS -DtruststorePath=$JETTY_BASE/$KEYSTORE_PATH -DtruststorePassword=$TRUSTSTORE_PASS -DsslTrustAll=$TRUST_ALL"
+
+ echo $SSL_JAVA_OPTS
 else
- echo "no ssl required"
+ echo "no ssl required"
 fi
-java $JAVA_OPTIONS -DproxyTo=$BACKEND $SSL_JAVA_OPTS -jar $JETTY_HOME/start.jar
+echo "etc/rewrite-root-to-workflows.xml" >>${JETTY_BASE}/start.d/rewrite.ini
+
+java ${JAVA_OPTIONS} -DproxyTo=${BACKEND} ${SSL_JAVA_OPTS} -jar ${JETTY_HOME}/start.jar
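Review bot: The re-added `echo $SSL_JAVA_OPTS` still prints `-DkeystorePassword=$KEYSTORE_PASS`, `-DkeyManagerPassword=$KEYSTORE_PASS` and `-DtruststorePassword=$TRUSTSTORE_PASS` to stdout whenever HTTPS is enabled, so the store passwords land in the container log on every start; for a commit described as a security fix this line should be dropped or reduced to `echo "SSL environment variable set"` with the values omitted. The new `java -jar ${JETTY_HOME}/start.jar --create-startd --add-to-start=rewrite` leaves `${JETTY_HOME}` unquoted, unlike the `"${JETTY_HOME}/start.jar"` call below it, and its exit status is not checked before the `echo ... >>${JETTY_BASE}/start.d/rewrite.ini` that only makes sense once the module is enabled; appending `|| exit 1` would make a failed enable stop the container instead of starting Jetty without the root redirect this commit introduces. That `>>` also re-appends the XML path each time the script runs against a `${JETTY_BASE}` that persists between starts, so a guard such as `grep -qxF "etc/rewrite-root-to-workflows.xml" "${JETTY_BASE}/start.d/rewrite.ini" || echo "etc/rewrite-root-to-workflows.xml" >>"${JETTY_BASE}/start.d/rewrite.ini"` keeps the ini idempotent. Separately, `-DtruststorePath=$JETTY_BASE/$KEYSTORE_PATH` reuses the key store path for the trust store while the `--add-to-start=https,ssl` call passes `$TRUSTSTORE_PATH`; this is carried over from the removed lines and looks like a copy-paste slip worth confirming.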
diff --git a/sdc-workflow-designer-ui/src/main/webapp/WEB-INF/web.xml b/sdc-workflow-designer-ui/src/main/webapp/WEB-INF/web.xml
index 279b405e..5022f471 100644
--- a/sdc-workflow-designer-ui/src/main/webapp/WEB-INF/web.xml
+++ b/sdc-workflow-designer-ui/src/main/webapp/WEB-INF/web.xml
@@ -1,8 +1,8 @@
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
+ version="4.0">
 Backend Proxy
@@ -16,4 +16,9 @@
 /v1.0/activity-spec/*
+
+ org.eclipse.jetty.servlet.Default.dirAllowed
+ false
+
+
-- cgit 1.2.3-korg
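Review bot: The added `org.eclipse.jetty.servlet.Default.dirAllowed` = `false` context parameter switches off directory listings in Jetty's DefaultServlet, which is narrower than the "path traversal" wording in the commit message; a comment beside it, `<!-- disable DefaultServlet directory listing (SDC-4278) -->`, would record what the parameter actually does so the next reader does not expect path-normalisation protection from it. Jetty treats this as a context-level default for the servlet, so if this web.xml also declares the default servlet with its own `dirAllowed` init-param, the servlet-level value wins — worth confirming against the parts of the file outside this hunk. The second hunk here only adds lines; the `@@ -1,8 +1,8 @@` hunk replaces the root element's namespace declarations, and the markup of both was lost in rendering, so element structure cannot be checked from this page.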