authorsharath reddy <bs.reddy@huawei.com>2022-04-21 09:53:35 +0530
committersharath reddy <bs.reddy@huawei.com>2022-04-21 09:55:01 +0530
commita411571a8035814da3ff4ff81a0c0615e3186d25 (patch)
tree5e2bae01e9fae70f98c5e99dcb1ff2bd5ccfa7fe
parent09b4a977959eba59c70f3140860cea29bf15fc9c (diff)
Changed the code to not log user-controlled data.
Issue-ID: VNFSDK-834 Signed-off-by: sharath reddy <bs.reddy@huawei.com> Change-Id: I18f52715a254500bf36d2b2b61d11ea63763d2db
-rw-r--r--vnfmarket-be/vnf-sdk-marketplace/src/main/java/org/onap/vnfsdk/marketplace/wrapper/PackageWrapper.java64
1 files changed, 49 insertions, 15 deletions
diff --git a/vnfmarket-be/vnf-sdk-marketplace/src/main/java/org/onap/vnfsdk/marketplace/wrapper/PackageWrapper.java b/vnfmarket-be/vnf-sdk-marketplace/src/main/java/org/onap/vnfsdk/marketplace/wrapper/PackageWrapper.java
index 1fc37427..8afc2593 100644
--- a/vnfmarket-be/vnf-sdk-marketplace/src/main/java/org/onap/vnfsdk/marketplace/wrapper/PackageWrapper.java
+++ b/vnfmarket-be/vnf-sdk-marketplace/src/main/java/org/onap/vnfsdk/marketplace/wrapper/PackageWrapper.java
@@ -21,9 +21,11 @@ import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
+import java.util.Objects;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
@@ -33,7 +35,6 @@ import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
-import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringUtils;
import org.eclipse.jetty.http.HttpStatus;
import org.glassfish.jersey.media.multipart.FormDataContentDisposition;
@@ -87,7 +88,7 @@ public class PackageWrapper {
}
public Response updateValidateStatus(InputStream inputStream) throws IOException {
- String reqParam = IOUtils.toString(inputStream);
+ String reqParam = new String(inputStream.readAllBytes(), StandardCharsets.UTF_8);
LOG.info("updateValidateStatus request param:{}" , reqParam);
if(StringUtils.isBlank(reqParam)) {
LOG.error("The updateValidateStatus request params can't be null");
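Review bot: `reqParam` is still written to the log unmodified by the unchanged `LOG.info("updateValidateStatus request param:{}" , reqParam)` line, so the request body, the most directly caller-controlled value in this method, bypasses the neutralisation this commit adds elsewhere. Pass it through the same helper, `LOG.info("updateValidateStatus request param:{}", loggerPatternBreaking(reqParam));`, or log only its length. Separately, `inputStream.readAllBytes()` buffers the whole body with no upper bound, so unless the container enforces a request-size limit (not visible here) an oversized request is held in memory and then copied into the log line. The method body continues past the end of the hunk.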
@@ -142,8 +143,11 @@ public class PackageWrapper {
String type) {
List<PackageData> dbresult = new ArrayList<>();
List<PackageMeta> result = new ArrayList<>();
- LOG.info("query package info.name:{} provider:{} version{} deletionPending{} type:{}" , name , provider , version
- , deletionPending , type);
+ if (LOG.isInfoEnabled()) {
+ LOG.info("query package info.name:{} provider:{} version{} deletionPending{} type:{}" , loggerPatternBreaking(name) , loggerPatternBreaking(provider) , loggerPatternBreaking(version)
+ , loggerPatternBreaking(deletionPending) , loggerPatternBreaking(type));
+ }
+
try {
dbresult = PackageManager.getInstance().queryPackage(name, provider, version, deletionPending, type);
result = PackageWrapperUtil.packageDataList2PackageMetaList(dbresult);
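Review bot: In the rewritten `LOG.info` call the placeholders for `version` and `deletionPending` have no separator (`version{} deletionPending{}`), so those values run straight into their labels in the output. Because these are caller-supplied strings, delimiting every value makes it visible where each one starts and ends when the log is read or parsed, for example `"query package info. name:[{}] provider:[{}] version:[{}] deletionPending:[{}] type:[{}]"`. The enclosing method starts before the hunk.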
@@ -154,6 +158,11 @@ public class PackageWrapper {
}
}
+ private String loggerPatternBreaking(String loggerInput) {
+ return Objects.nonNull(loggerInput) ? loggerInput.replaceAll("[\n\r\t]", "_") : StringUtils.EMPTY;
+
+ }
+
/**
* query package by id.
*
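Review bot: `loggerPatternBreaking` replaces only `\n`, `\r` and `\t`, so other control and line-separator characters (form feed, vertical tab, ESC, U+0085, U+2028/U+2029) still reach the log; whether those can split or disguise a record depends on the appender and viewer in use, which this page does not show. `String.replaceAll` also recompiles the regex on every call. A precompiled, wider pattern addresses both: `private static final Pattern LOG_UNSAFE = Pattern.compile("[\\p{Cntrl}\\u0085\\u2028\\u2029]");` and `return loggerInput == null ? StringUtils.EMPTY : LOG_UNSAFE.matcher(loggerInput).replaceAll("_");` (this needs `java.util.regex.Pattern` imported). The helper reads no instance state, so it can be `static`, and a short Javadoc saying that it neutralises log-forging characters and maps null to the empty string would make the intent behind the name clear.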
@@ -205,8 +214,11 @@ public class PackageWrapper {
packageMeta.setDownloadUri(dowloadUri);
String jsonPackageMeta = ToolUtil.objectToString(packageMeta);
- LOG.info("dest path is : {}" , path);
- LOG.info("packageMeta = {}" , jsonPackageMeta);
+ if (LOG.isInfoEnabled()) {
+ LOG.info("dest path is : {}" , loggerPatternBreaking(path));
+ LOG.info("packageMeta = {}" , loggerPatternBreaking(jsonPackageMeta));
+ }
+
PackageData packageData = PackageWrapperUtil.getPackageData(packageMeta);
@@ -230,9 +242,12 @@ public class PackageWrapper {
PackageData packateDbData = PackageManager.getInstance().addPackage(packageData);
String jsonPackageDbData = ToolUtil.objectToString(packateDbData);
- LOG.info("Store package data to database succed ! packateDbData = {}"
- , jsonPackageDbData);
- LOG.info("upload package file end, fileName:{}" , fileName);
+ if (LOG.isInfoEnabled()) {
+ LOG.info("Store package data to database succed ! packateDbData = {}"
+ , loggerPatternBreaking(jsonPackageDbData));
+ LOG.info("upload package file end, fileName:{}" , loggerPatternBreaking(fileName));
+ }
+
result.setCsarId(packateDbData.getCsarId());
@@ -275,7 +290,10 @@ public class PackageWrapper {
String fileName = "temp_" + packageId + FILE_FORMAT;
if(null != fileDetail) {
String jsonFileDetail = ToolUtil.objectToString(fileDetail);
- LOG.info("the fileDetail = {}" , jsonFileDetail);
+ if(LOG.isInfoEnabled()) {
+ LOG.info("the fileDetail = {}" , loggerPatternBreaking(jsonFileDetail));
+ }
+
fileName = ToolUtil.processFileName(fileDetail.getFileName());
}
@@ -286,7 +304,10 @@ public class PackageWrapper {
if(head != null) {
contentRange = head.getHeaderString(CommonConstant.HTTP_HEADER_CONTENT_RANGE);
}
- LOG.info("store package chunk file, fileName:{} contentRange:{}", fileName , contentRange);
+ if(LOG.isInfoEnabled()) {
+ LOG.info("store package chunk file, fileName:{} contentRange:{}", loggerPatternBreaking(fileName) , loggerPatternBreaking(contentRange));
+ }
+
if(ToolUtil.isEmptyString(contentRange)) {
int fileSize = uploadedInputStream.available();
contentRange = "0-" + fileSize + "/" + fileSize;
@@ -354,7 +375,10 @@ public class PackageWrapper {
* @return Response
*/
public Response delPackage(String csarId) {
- LOG.info("delete package info.csarId:{}" , csarId);
+ if(LOG.isInfoEnabled()) {
+ LOG.info("delete package info.csarId:{}" , loggerPatternBreaking(csarId));
+ }
+
if(ToolUtil.isEmptyString(csarId)) {
LOG.error("delete package fail, csarid is null");
return Response.serverError().build();
@@ -508,7 +532,11 @@ public class PackageWrapper {
* @return
*/
public Response getOnBoardingResult(String csarId, String operTypeId, String operId) {
- LOG.info("getOnBoardingResult request csarId:{} operTypeId:{} operId:{}", csarId , operTypeId , operId);
+ if(LOG.isInfoEnabled()) {
+ LOG.info("getOnBoardingResult request csarId:{} operTypeId:{} operId:{}", loggerPatternBreaking(csarId) , loggerPatternBreaking(operTypeId) , loggerPatternBreaking(operId));
+ }
+
+
try {
PackageData packageData = PackageWrapperUtil.getPackageInfoById(csarId);
if(null == packageData) {
@@ -563,14 +591,20 @@ public class PackageWrapper {
* @return
*/
public Response getOperResultByOperTypeId(String csarId, String operTypeId) {
- LOG.error("getOnBoardingResult request : csarId:{} operTypeId:{}" , csarId , operTypeId);
+ if(LOG.isErrorEnabled()) {
+ LOG.error("getOnBoardingResult request : csarId:{} operTypeId:{}" , loggerPatternBreaking(csarId) , loggerPatternBreaking(operTypeId));
+ }
+
if(null == csarId || null == operTypeId || csarId.isEmpty() || operTypeId.isEmpty()) {
return Response.status(Status.BAD_REQUEST).build();
}
PackageData packageData = PackageWrapperUtil.getPackageInfoById(csarId);
if(null == packageData) {
- LOG.error("Failed to find package for PackageID:{}" , csarId);
+ if(LOG.isErrorEnabled()) {
+ LOG.error("Failed to find package for PackageID:{}" , loggerPatternBreaking(csarId));
+ }
+
return Response.status(Status.PRECONDITION_FAILED).build();
}
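Review bot: The entry trace in `getOperResultByOperTypeId` is emitted at error level and names a different method (`getOnBoardingResult request`), so every normal call produces an error record pointing at the wrong handler, which makes real failures harder to triage. Since the commit already touches this line, change it to `LOG.info("getOperResultByOperTypeId request : csarId:{} operTypeId:{}", loggerPatternBreaking(csarId), loggerPatternBreaking(operTypeId));` under an `isInfoEnabled()` guard. The `LOG.isErrorEnabled()` checks add little because error level is rarely disabled; the one around the "Failed to find package" message can simply be dropped. The method continues past the end of the hunk.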