Fix high-severity bug 'application exposed to path traversal attack'
[sdc.git] / catalog-be / src / main / webapp / WEB-INF / web.xml
index ca71eee..64763b2 100644 (file)
@@ -1,7 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
-         version="3.0">
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+    version="3.0">
 
     <servlet>
         <servlet-name>jersey</servlet-name>
@@ -77,7 +78,8 @@
     <!-- ECOMP Portal -->
     <servlet>
         <servlet-name>ECOMPServlet</servlet-name>
-        <servlet-class>org.onap.portalsdk.core.onboarding.crossapi.PortalRestAPIProxy</servlet-class>
+        <servlet-class>org.onap.portalsdk.core.onboarding.crossapi.PortalRestAPIProxy
+        </servlet-class>
         <load-on-startup>3</load-on-startup>
         <async-supported>true</async-supported>
     </servlet>
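Review bot: The reformatted `<servlet-class>` for ECOMPServlet now has a line break and indentation inside its text content, so the class name resolves only if the container collapses that whitespace before loading the class. Containers normally do, but the change is unrelated to the stated fix and adds noise around a security-relevant commit. I would keep the original single line, `<servlet-class>org.onap.portalsdk.core.onboarding.crossapi.PortalRestAPIProxy</servlet-class>`, and move pure re-indentation into a separate commit.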
         <url-pattern>/sdc/*</url-pattern>
     </filter-mapping>
 
-<!--
-    <filter>
-        <filter-name>basicAuthFilter</filter-name>
-        <filter-class>
-            org.openecomp.sdc.be.filters.BasicAuthenticationFilter
-        </filter-class>
-        <init-param>
-            <param-name>excludedUrls</param-name>
-            <param-value>/sdc2/rest/healthCheck,/sdc2/rest/v1/user,/sdc2/rest/v1/user/jh0003,/sdc2/rest/v1/screen,/sdc2/rest/v1/consumers,/sdc2/rest/v1/catalog/uploadType/datatypes,/sdc2/rest/v1/catalog/upload/multipart</param-value>
-        </init-param>
-    </filter>
+    <!--
+        <filter>
+            <filter-name>basicAuthFilter</filter-name>
+            <filter-class>
+                org.openecomp.sdc.be.filters.BasicAuthenticationFilter
+            </filter-class>
+            <init-param>
+                <param-name>excludedUrls</param-name>
+                <param-value>/sdc2/rest/healthCheck,/sdc2/rest/v1/user,/sdc2/rest/v1/user/jh0003,/sdc2/rest/v1/screen,/sdc2/rest/v1/consumers,/sdc2/rest/v1/catalog/uploadType/datatypes,/sdc2/rest/v1/catalog/upload/multipart</param-value>
+            </init-param>
+        </filter>
 
-    <filter-mapping>
-        <filter-name>basicAuthFilter</filter-name>
-        <url-pattern>/*</url-pattern>
-    </filter-mapping>-->
+        <filter-mapping>
+            <filter-name>basicAuthFilter</filter-name>
+            <url-pattern>/*</url-pattern>
+        </filter-mapping>-->
 
     <!--    <filter>-->
     <!--        <filter-name>beRestrictionAccessFilter</filter-name>-->
         <param-value>org.openecomp.sdc.be.togglz.TogglzConfiguration</param-value>
     </context-param>
 
+    <context-param>
+        <param-name>org.eclipse.jetty.servlet.Default.dirAllowed</param-name>
+        <param-value>false</param-value>
+    </context-param>
+
     <listener>
         <listener-class>org.openecomp.sdc.be.listen.BEAppContextListener</listener-class>
     </listener>
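Review bot: The added `org.eclipse.jetty.servlet.Default.dirAllowed` context-param only turns off directory listings served by Jetty's DefaultServlet; it does not canonicalise or restrict request paths, so on its own it does not match the "path traversal" wording in the commit title. If the reported finding concerned a handler that resolves `..` segments from request input, that check still has to live in the handler code, which is not visible in this diff. The parameter is also Jetty-specific and has no effect on other servlet containers. I would add a comment above the block, for example `<!-- Jetty DefaultServlet: disable directory listings (does not validate request paths) -->`, so the scope of the mitigation is clear to the next reader.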