import org.apache.commons.compress.utils.IOUtils;
import org.onap.policy.common.logging.flexlogger.FlexLogger;
import org.onap.policy.common.logging.flexlogger.Logger;
+import org.onap.policy.pap.xacml.rest.DisctionaryNames;
import org.onap.policy.rest.dao.CommonClassDao;
import org.onap.policy.rest.jpa.ActionList;
import org.onap.policy.rest.jpa.ActionPolicyDict;
response.getWriter().write("Error");
return;
}
+
+ // fix Fortify Path Manipulation issue
+ if(!isValidDictionaryName(dictionaryName)){
+ LOGGER.error("dictionaryName is invalid");
+ response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+ response.getWriter().write("Error");
+ return;
+ }
boolean dictionaryImportExists = false;
try{
if(dictionaryName.startsWith("ActionPolicyDictionary")){
dictionaryImportExists = true;
for(int i = 1; i< dictSheet.size(); i++){
- ActionPolicyDict attribute = new ActionPolicyDict("", userId);
+ ActionPolicyDict attribute = new ActionPolicyDict();
UserInfo userinfo = new UserInfo();
userinfo.setUserLoginId(userId);
attribute.setUserCreatedBy(userinfo);
if(dictionaryName.startsWith("OnapName")){
dictionaryImportExists = true;
for(int i = 1; i< dictSheet.size(); i++){
- OnapName attribute = new OnapName("", userId);
+ OnapName attribute = new OnapName();
UserInfo userinfo = new UserInfo();
userinfo.setUserLoginId(userId);
attribute.setUserCreatedBy(userinfo);
if(dictionaryName.startsWith("VNFType")){
dictionaryImportExists = true;
for(int i = 1; i< dictSheet.size(); i++){
- VNFType attribute = new VNFType("", userId);
+ VNFType attribute = new VNFType();
UserInfo userinfo = new UserInfo();
userinfo.setUserLoginId(userId);
attribute.setUserCreatedBy(userinfo);
if(dictionaryName.startsWith("VSCLAction")){
dictionaryImportExists = true;
for(int i = 1; i< dictSheet.size(); i++){
- VSCLAction attribute = new VSCLAction("", userId);
+ VSCLAction attribute = new VSCLAction();
UserInfo userinfo = new UserInfo();
userinfo.setUserLoginId(userId);
attribute.setUserCreatedBy(userinfo);
if(dictionaryName.startsWith("ClosedLoopSite")){
dictionaryImportExists = true;
for(int i = 1; i< dictSheet.size(); i++){
- ClosedLoopSite attribute = new ClosedLoopSite("", userId);
+ ClosedLoopSite attribute = new ClosedLoopSite();
UserInfo userinfo = new UserInfo();
userinfo.setUserLoginId(userId);
attribute.setUserCreatedBy(userinfo);
if(dictionaryName.startsWith("PEPOptions")){
dictionaryImportExists = true;
for(int i = 1; i< dictSheet.size(); i++){
- PEPOptions attribute = new PEPOptions("", userId);
+ PEPOptions attribute = new PEPOptions();
UserInfo userinfo = new UserInfo();
userinfo.setUserLoginId(userId);
attribute.setUserCreatedBy(userinfo);
if(dictionaryName.startsWith("VarbindDictionary")){
dictionaryImportExists = true;
for(int i = 1; i< dictSheet.size(); i++){
- VarbindDictionary attribute = new VarbindDictionary("", userId);
+ VarbindDictionary attribute = new VarbindDictionary();
UserInfo userinfo = new UserInfo();
userinfo.setUserLoginId(userId);
attribute.setUserCreatedBy(userinfo);
if(dictionaryName.startsWith("Settings")){
dictionaryImportExists = true;
for(int i = 1; i< dictSheet.size(); i++){
- DecisionSettings attribute = new DecisionSettings("", userId);
+ DecisionSettings attribute = new DecisionSettings();
UserInfo userinfo = new UserInfo();
userinfo.setUserLoginId(userId);
attribute.setUserCreatedBy(userinfo);
if(dictionaryName.startsWith("PrefixList")){
dictionaryImportExists = true;
for(int i = 1; i< dictSheet.size(); i++){
- PrefixList attribute = new PrefixList("", userId);
+ PrefixList attribute = new PrefixList();
String[] rows = dictSheet.get(i);
for (int j=0 ; j<rows.length; j++ ){
if(("prefixListName").equalsIgnoreCase(dictSheet.get(0)[j]) || ("PrefixList Name").equalsIgnoreCase(dictSheet.get(0)[j])){
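Review bot: The no-arg `new PrefixList()` on the `+` line replaces a constructor that received userId, and unlike the ActionPolicyDict hunk above no `setUserCreatedBy` call follows in the visible context, so if the two-arg form previously recorded the creating user that attribution is now dropped for this import path. The same pattern appears in the SecurityZone, Zone, ServiceList, ServiceGroup, AddressGroup, ProtocolList and ActionList hunks below. Confirm either that these entities carry no created-by field or that the setter appears further down outside the hunk, and where it is missing add `UserInfo userinfo = new UserInfo(); userinfo.setUserLoginId(userId); attribute.setUserCreatedBy(userinfo);` as the other branches do. The enclosing import method starts and ends outside this hunk.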
if(dictionaryName.startsWith("SecurityZone")){
dictionaryImportExists = true;
for(int i = 1; i< dictSheet.size(); i++){
- SecurityZone attribute = new SecurityZone("", userId);
+ SecurityZone attribute = new SecurityZone();
String[] rows = dictSheet.get(i);
for (int j=0 ; j<rows.length; j++ ){
if(("zoneName").equalsIgnoreCase(dictSheet.get(0)[j]) || ("Zone Name").equalsIgnoreCase(dictSheet.get(0)[j])){
if(dictionaryName.startsWith("Zone")){
dictionaryImportExists = true;
for(int i = 1; i< dictSheet.size(); i++){
- Zone attribute = new Zone("", userId);
+ Zone attribute = new Zone();
String[] rows = dictSheet.get(i);
for (int j=0 ; j<rows.length; j++ ){
if(("zoneName").equalsIgnoreCase(dictSheet.get(0)[j]) || ("Zone Name").equalsIgnoreCase(dictSheet.get(0)[j])){
if(dictionaryName.startsWith("ServiceList")){
dictionaryImportExists = true;
for(int i = 1; i< dictSheet.size(); i++){
- ServiceList attribute = new ServiceList("", userId);
+ ServiceList attribute = new ServiceList();
String[] rows = dictSheet.get(i);
for (int j=0 ; j<rows.length; j++ ){
if(("serviceName").equalsIgnoreCase(dictSheet.get(0)[j]) || ("Service Name").equalsIgnoreCase(dictSheet.get(0)[j])){
if(dictionaryName.startsWith("ServiceGroup")){
dictionaryImportExists = true;
for(int i = 1; i< dictSheet.size(); i++){
- GroupServiceList attribute = new GroupServiceList("", userId);
+ GroupServiceList attribute = new GroupServiceList();
String[] rows = dictSheet.get(i);
for (int j=0 ; j<rows.length; j++ ){
if(("name").equalsIgnoreCase(dictSheet.get(0)[j]) || ("Group Name").equalsIgnoreCase(dictSheet.get(0)[j])){
if(dictionaryName.startsWith("AddressGroup")){
dictionaryImportExists = true;
for(int i = 1; i< dictSheet.size(); i++){
- AddressGroup attribute = new AddressGroup("", userId);
+ AddressGroup attribute = new AddressGroup();
String[] rows = dictSheet.get(i);
for (int j=0 ; j<rows.length; j++ ){
if(("name").equalsIgnoreCase(dictSheet.get(0)[j]) || ("Group Name").equalsIgnoreCase(dictSheet.get(0)[j])){
if(dictionaryName.startsWith("ProtocolList")){
dictionaryImportExists = true;
for(int i = 1; i< dictSheet.size(); i++){
- ProtocolList attribute = new ProtocolList("", userId);
+ ProtocolList attribute = new ProtocolList();
String[] rows = dictSheet.get(i);
for (int j=0 ; j<rows.length; j++ ){
if(("protocolName").equalsIgnoreCase(dictSheet.get(0)[j]) || ("Protocol Name").equalsIgnoreCase(dictSheet.get(0)[j])){
if(dictionaryName.startsWith("ActionList")){
dictionaryImportExists = true;
for(int i = 1; i< dictSheet.size(); i++){
- ActionList attribute = new ActionList("", userId);
+ ActionList attribute = new ActionList();
String[] rows = dictSheet.get(i);
for (int j=0 ; j<rows.length; j++ ){
if(("actionName").equalsIgnoreCase(dictSheet.get(0)[j]) || ("Action Name").equalsIgnoreCase(dictSheet.get(0)[j])){
if(dictionaryName.startsWith("TermList")){
dictionaryImportExists = true;
for(int i = 1; i< dictSheet.size(); i++){
- TermList attribute = new TermList("", userId);
+ TermList attribute = new TermList();
UserInfo userinfo = new UserInfo();
userinfo.setUserLoginId(userId);
attribute.setUserCreatedBy(userinfo);
if(dictionaryName.startsWith("SearchCriteria")){
dictionaryImportExists = true;
for(int i = 1; i< dictSheet.size(); i++){
- DescriptiveScope attribute = new DescriptiveScope("", userId);
+ DescriptiveScope attribute = new DescriptiveScope();
UserInfo userinfo = new UserInfo();
userinfo.setUserLoginId(userId);
attribute.setUserCreatedBy(userinfo);
response.getWriter().write("Error");
}
}
+
+ public boolean isValidDictionaryName(String dictionaryName){
+
+ if(dictionaryName.startsWith(DisctionaryNames.Attribute.toString())){
+ return true;
+ }
+ if(dictionaryName.startsWith(DisctionaryNames.ActionPolicyDictionary.toString())){
+ return true;
+ }
+ if(dictionaryName.startsWith(DisctionaryNames.OnapName.toString())){
+ return true;
+ }
+ if(dictionaryName.startsWith(DisctionaryNames.MSPolicyDictionary.toString())){
+ return true;
+ }
+ if(dictionaryName.startsWith(DisctionaryNames.VNFType.toString())){
+ return true;
+ }
+ if(dictionaryName.startsWith(DisctionaryNames.VSCLAction.toString())){
+ return true;
+ }
+ if(dictionaryName.startsWith(DisctionaryNames.ClosedLoopService.toString())){
+ return true;
+ }
+ if(dictionaryName.startsWith(DisctionaryNames.ClosedLoopSite.toString())){
+ return true;
+ }
+ if(dictionaryName.startsWith(DisctionaryNames.PEPOptions.toString())){
+ return true;
+ }
+ if(dictionaryName.startsWith(DisctionaryNames.VarbindDictionary.toString())){
+ return true;
+ }
+ if(dictionaryName.startsWith(DisctionaryNames.BRMSParamDictionary.toString())){
+ return true;
+ }
+ if(dictionaryName.startsWith(DisctionaryNames.BRMSControllerDictionary.toString())){
+ return true;
+ }
+ if(dictionaryName.startsWith(DisctionaryNames.BRMSDependencyDictionary.toString())){
+ return true;
+ }
+ if(dictionaryName.startsWith(DisctionaryNames.Settings.toString())){
+ return true;
+ }
+ if(dictionaryName.startsWith(DisctionaryNames.PrefixList.toString())){
+ return true;
+ }
+ if(dictionaryName.startsWith(DisctionaryNames.SecurityZone.toString())){
+ return true;
+ }
+ if(dictionaryName.startsWith(DisctionaryNames.Zone.toString())){
+ return true;
+ }
+ if(dictionaryName.startsWith(DisctionaryNames.ServiceList.toString())){
+ return true;
+ }
+ if(dictionaryName.startsWith(DisctionaryNames.ServiceGroup.toString())){
+ return true;
+ }
+ if(dictionaryName.startsWith(DisctionaryNames.AddressGroup.toString())){
+ return true;
+ }
+ if(dictionaryName.startsWith(DisctionaryNames.ProtocolList.toString())){
+ return true;
+ }
+ if(dictionaryName.startsWith(DisctionaryNames.ActionList.toString())){
+ return true;
+ }
+ if(dictionaryName.startsWith(DisctionaryNames.TermList.toString())){
+ return true;
+ }
+ if(dictionaryName.startsWith(DisctionaryNames.SearchCriteria.toString())){
+ return true;
+ }
+ return false;
+ }
}
\ No newline at end of file
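Review bot: `isValidDictionaryName` accepts any string that merely begins with an allowed name, so it does not constrain what follows the prefix — a value with a directory separator or a parent-directory segment after a valid prefix still passes, which leaves the path-manipulation finding named at the call site only partly addressed. Add a segment guard before the prefix chain, `if (dictionaryName == null || dictionaryName.contains("..") || dictionaryName.contains("/") || dictionaryName.contains("\\")) { return false; }`, and, where the name is turned into a file path, resolve it against the base directory and verify the normalized result still starts with that base. The null guard also keeps `startsWith` from throwing a NullPointerException unless the caller already rejects null before the call, which is not visible here. The twenty-four repeated `if` blocks could be a single loop over `DisctionaryNames.values()` comparing `toString()`, which keeps the allowlist in sync with the enum automatically.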