Sonarqube bugs and security hotspot fixes for A&AI component aai-resources 37/142037/2
authorakshay.khairnar@t-systems.com <akshay.khairnar@t-systems.com>
Tue, 16 Sep 2025 09:14:54 +0000 (11:14 +0200)
committerakshay.khairnar@t-systems.com <akshay.khairnar@t-systems.com>
Tue, 16 Sep 2025 09:59:24 +0000 (11:59 +0200)
Issue-ID: AAI-4185
Change-Id: Iade776e342dc63a7eb1197714d6bc65e17d89466
Signed-off-by: akshay.khairnar@t-systems.com <akshay.khairnar@t-systems.com>
aai-resources/src/main/java/org/onap/aai/interceptors/pre/AuthInterceptor.java
aai-resources/src/main/java/org/onap/aai/interceptors/pre/VersionInterceptor.java
aai-resources/src/main/java/org/onap/aai/rest/BulkConsumer.java
aai-resources/src/main/java/org/onap/aai/tenantisolation/DataImportTasks.java

index a81002a..63366dd 100644 (file)
@@ -48,15 +48,15 @@ import lombok.RequiredArgsConstructor;
 @Priority(AAIRequestFilterPriority.AUTHORIZATION)
 public class AuthInterceptor extends AAIContainerFilter implements ContainerRequestFilter {
 
-  private static final Pattern PATTERN_ECHO = Pattern.compile("^.*/util/echo$");
-  private static final Pattern PATTERN_ACTUATOR = Pattern.compile("^.*/actuator/.*$");
+  private static final String ECHO_SEGMENT = "/util/echo";
+  private static final String ACTUATOR_SEGMENT = "/actuator/";
   private static final AAIException AAI_EXCEPTION = new AAIException("AAI_3300");
   private final AuthorizationService authorizationService;
 
   @Override
   public void filter(ContainerRequestContext requestContext) throws IOException {
     String path = requestContext.getUriInfo().getRequestUri().getPath();
-    if (PATTERN_ECHO.matcher(path).matches() || PATTERN_ACTUATOR.matcher(path).matches()) {
+    if (path.endsWith(ECHO_SEGMENT) || path.contains(ACTUATOR_SEGMENT)) {
       return;
     }
 
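Review bot: The authorization skip in `filter` still keys on `path.contains(ACTUATOR_SEGMENT)`, so a request whose decoded path has `/actuator/` anywhere in it, not only at the actuator root, returns before the authorization check. The regex it replaces had the same shape, so this hotspot is carried over rather than fixed. I would anchor the exemption to the exact endpoints that are meant to be open, for example by comparing the application-relative path from `requestContext.getUriInfo().getPath()` with a fixed prefix, and document it with `// unauthenticated by design: echo and actuator endpoints only`. `endsWith`/`contains` also match across line terminators where `.` in the old patterns did not, so the new check is slightly broader than the old one. The body of `filter` continues outside the hunk.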
index cdada62..63443d3 100644 (file)
@@ -43,7 +43,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 @Priority(AAIRequestFilterPriority.VERSION)
 public class VersionInterceptor extends AAIContainerFilter implements ContainerRequestFilter {
 
-    public static final Pattern EXTRACT_VERSION_PATTERN = Pattern.compile("^(v[1-9][0-9]*).*$");
+    public static final Pattern EXTRACT_VERSION_PATTERN = Pattern.compile("^(v[1-9][0-9]*)(?>.{0,2048})$");
 
     private final Set<String> allowedVersions;
 
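Review bot: `(?>.{0,2048})$` changes what `EXTRACT_VERSION_PATTERN` accepts: a URI with more than 2048 characters after the version no longer matches, and how the caller treats a non-match is outside this hunk. The original `.*` tail sits behind an anchored, unambiguous prefix and does not backtrack pathologically, so the bound buys little in exchange for that behaviour change. If the aim is to drop the open-ended tail, matching only the prefix is simpler, `Pattern.compile("^(v[1-9][0-9]*)")` used with `lookingAt()`; because the constant is `public`, any other user that calls `matches()` needs checking first. If the limit stays, it needs a comment saying why 2048 was chosen and what happens to longer URIs.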
index 3f99e7e..2b89697 100644 (file)
@@ -353,8 +353,8 @@ public abstract class BulkConsumer extends RESTAPI {
 
                     UriComponents uriComponents =
                             UriComponentsBuilder.fromUriString(itemURIfield.getAsString()).build();
-                    if (uriComponents.getPath() != null
-                            && uriComponents.getPath().endsWith("/relationship-list/relationship")) {
+                    String path = uriComponents.getPath();
+                    if (path != null && path.endsWith("/relationship-list/relationship")) {
                         if (method.equals(HttpMethod.PUT)) {
                             bulkOperation.setHttpMethod(HttpMethod.PUT_EDGE);
                         } else if (method.equals(HttpMethod.DELETE)) {
index ede04b7..74f3f0e 100644 (file)
@@ -110,8 +110,9 @@ public class DataImportTasks {
         }
 
         // clean up
-        payloadFile.delete();
-
+        if (!payloadFile.delete()) {
+            log.warn("Failed to delete payload file: {}", payloadFile.getAbsolutePath());
+        }
     }
 
     /**
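Review bot: `payloadFile.delete()` reports only a boolean, so the new warning cannot say why the delete failed. `Files.delete(payloadFile.toPath());` from `java.nio.file` throws an `IOException` that carries the reason, and logging that exception keeps the cause in the log. The same applies to `f.delete()` in the hunk at `@@ -172,8 +178,11 @@`, where the nested `else { if (...) }` can also be written as `else if`. The enclosing method starts outside this hunk.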
@@ -125,17 +126,22 @@ public class DataImportTasks {
 
         int count = 0;
         try {
-            process = new ProcessBuilder().command("bash", "-c", "ps -ef | grep 'addManualData'").start();
+            process = new ProcessBuilder().command("/bin/bash", "-c", "ps -ef | grep 'addManualData'").start();
             InputStream is = process.getInputStream();
             InputStreamReader isr = new InputStreamReader(is);
             BufferedReader br = new BufferedReader(isr);
 
-            while (br.readLine() != null) {
+            String line;
+            while ((line = br.readLine()) != null) {
                 count++;
             }
 
             int exitVal = process.waitFor();
             log.info("Check if dataImport is running returned: " + exitVal);
+        } catch (InterruptedException ie) {
+            Thread.currentThread().interrupt();
+            log.warn("Thread interrupted while checking if dataImport is running", ie);
+            return false;
         } catch (Exception e) {
             ErrorLogHelper.logError("AAI_8002",
                     "Exception while running the check to see if dataImport is running  " + e.getMessage());
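Review bot: The new `InterruptedException` branch returns `false`, which, judging by the log text, means "dataImport is not running", so an interrupted check fails open and the caller may go on to start a second import. Returning the conservative answer or propagating the interruption would be safer, but the method signature and the code after the try are outside the hunk, so confirm against them. `String line` is assigned and never read, which the analyzer is likely to report again; `while (br.readLine() != null)` was already correct for counting lines. The reader is also still never closed and decodes with the platform charset; `try (BufferedReader br = new BufferedReader(new InputStreamReader(process.getInputStream(), StandardCharsets.UTF_8)))` covers both, provided `StandardCharsets` is imported.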
@@ -172,8 +178,11 @@ public class DataImportTasks {
                 if (!foundTheLatestPayload && isTargzExtension(f.getAbsolutePath())) {
                     payloadFile = f;
                     foundTheLatestPayload = true;
-                } else // delete all files except the latest payload file!
-                    f.delete();
+                } else {
+                    if (!f.delete()) {
+                        log.warn("Failed to delete old payload file: {}", f.getAbsolutePath());
+                    }
+                }
             }
         } else {
             if (isTargzExtension(allFilesArr[0].getAbsolutePath()))
@@ -219,9 +228,13 @@ public class DataImportTasks {
 
         try {
             process =
-                    new ProcessBuilder().command("bash", "-c", "gzip –d < " + payLoadFileName + " | tar xf -").start();
+                    new ProcessBuilder().command("/bin/bash", "-c", "gzip –d < " + payLoadFileName + " | tar xf -").start();
             int exitVal = process.waitFor();
             log.info("gzip -d returned: " + exitVal);
+        } catch (InterruptedException ie) {
+            Thread.currentThread().interrupt();
+            log.warn("Thread interrupted while running the unzip {}", payLoadFileName, ie);
+            return false;
         } catch (Exception e) {
             ErrorLogHelper.logError("AAI_8002", "Exception while running the unzip  " + e.getMessage());
             log.info("Exception while running the unzip " + e.getMessage());
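Review bot: Switching to `/bin/bash` leaves the actual hotspot in place: `payLoadFileName` is concatenated into a `bash -c` string, so a file name containing spaces or shell metacharacters is interpreted by the shell instead of being treated as a path. No shell is needed here; `new ProcessBuilder("tar", "-xzf", payLoadFileName).start()` passes the name as a single argument and removes the pipe. As rendered on this page the option is written `–d` with an en dash while the log line says `-d`; gzip would not parse that as the decompress flag, so it is worth checking in the file itself. `exitVal` is only logged in the visible lines, so a failed extraction cannot be told apart from a successful one here; the rest of the method is outside the hunk.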
@@ -265,6 +278,9 @@ public class DataImportTasks {
             process = new ProcessBuilder().command(script).start();
             int exitVal = process.waitFor();
             log.info("addManualData.sh returned: " + exitVal);
+        } catch (InterruptedException ie) {
+            Thread.currentThread().interrupt();
+            log.warn("Thread interrupted while running addManualData.sh", ie);
         } catch (Exception e) {
             ErrorLogHelper.logError("AAI_8002", "Exception while running addManualData.sh " + e.getMessage());
             log.info("Exception while running addManualData.sh" + e.getMessage());
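Review bot: Unlike the other two `InterruptedException` handlers added in this file, this one has no `return`, so after an interrupt execution falls through to whatever follows the try (outside this hunk) while the `addManualData.sh` child keeps running. If the method reports success after the try, an interrupted run would be reported as completed. Consider `process.destroy();` plus an explicit failure result in this branch, with a comment such as `// interrupted: stop the import script and report failure` stating the intended outcome.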