From: Piotr Borelowski <p.borelowski@partner.samsung.com>
Date: Wed, 29 May 2019 08:47:15 +0000 (+0200)
Subject: Don't give the user the exact stack trace of the exception
X-Git-Tag: 3.2.0~308^2
X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;ds=sidebyside;h=3101e7778575b6425d47321685105d0272286598;p=portal.git

Don't give the user the exact stack trace of the exception

Catching the exception in the SecurityXssFilter class.

Issue-ID: OJSI-192
Change-Id: I8d9d7a3032f98afcb58285b13b13d5ce35fddadd
Signed-off-by: Piotr Borelowski <p.borelowski@partner.samsung.com>
---

diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
index 25eee828..703019f9 100644
--- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
+++ b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
@@ -1,9 +1,9 @@
-
 /*-
  * ============LICENSE_START==========================================
  * ONAP Portal
  * ===================================================================
  * Copyright Â© 2017 AT&T Intellectual Property. All rights reserved.
+ * Modifications Copyright (c) 2019 Samsung
  * ===================================================================
  *
  * Unless otherwise specified, all software contained herein is licensed
@@ -36,6 +36,7 @@
  *
  * 
  */
+
 package org.onap.portalapp.filter;
 
 import java.io.BufferedReader;
@@ -48,7 +49,6 @@ import java.util.Enumeration;
 
 import javax.servlet.FilterChain;
 import javax.servlet.ReadListener;
-import javax.servlet.ServletException;
 import javax.servlet.ServletInputStream;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletRequestWrapper;
@@ -62,7 +62,7 @@ import org.springframework.web.filter.OncePerRequestFilter;
 
 public class SecurityXssFilter extends OncePerRequestFilter {
 
-	private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssFilter.class);
+	private EELFLoggerDelegate sxLogger = EELFLoggerDelegate.getLogger(SecurityXssFilter.class);
 
 	private static final String APPLICATION_JSON = "application/json";
 
@@ -120,40 +120,47 @@ public class SecurityXssFilter extends OncePerRequestFilter {
 
 			@Override
 			public void setReadListener(ReadListener readListener) {
-
+				// do nothing
 			}
-
 		}
 	}
 
 	@Override
 	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
-			throws ServletException, IOException {
+			throws IOException {
 		StringBuilder requestURL = new StringBuilder(request.getRequestURL().toString());
-	    String queryString = request.getQueryString();
-	    String requestUrl = "";
-	    if (queryString == null) {
-	    	requestUrl = requestURL.toString();
-	    } else {
-	    	requestUrl = requestURL.append('?').append(queryString).toString();
-	    }
-	    validateRequest(requestUrl, response);
+		String queryString = request.getQueryString();
+		String requestUrl;
+
+		if (queryString == null) {
+			requestUrl = requestURL.toString();
+		} else {
+			requestUrl = requestURL.append('?').append(queryString).toString();
+		}
+
+		validateRequest(requestUrl, response);
 		StringBuilder headerValues = new StringBuilder();
 		Enumeration<String> headerNames = request.getHeaderNames();
+
 		while (headerNames.hasMoreElements()) {
-			String key = (String) headerNames.nextElement();
+			String key = headerNames.nextElement();
 			String value = request.getHeader(key);
 			headerValues.append(value);
 		}
+
 		validateRequest(headerValues.toString(), response);
+
 		if (validateRequestType(request)) {
 			request = new RequestWrapper(request);
 			String requestData = IOUtils.toString(request.getInputStream(), StandardCharsets.UTF_8.toString());
 			validateRequest(requestData, response);
-			filterChain.doFilter(request, response);
+		}
 
-		} else {
+		try {
 			filterChain.doFilter(request, response);
+		} catch (Exception e) {
+			sxLogger.warn(EELFLoggerDelegate.errorLogger, "Handling bad request", e);
+			response.sendError(org.springframework.http.HttpStatus.BAD_REQUEST.value(), "Handling bad request");
 		}
 	}
 
@@ -171,9 +178,8 @@ public class SecurityXssFilter extends OncePerRequestFilter {
 				throw new SecurityException(ERROR_BAD_REQUEST);
 			}
 		} catch (Exception e) {
-			logger.error(EELFLoggerDelegate.errorLogger, "doFilterInternal() failed due to BAD_REQUEST", e);
+			sxLogger.error(EELFLoggerDelegate.errorLogger, "doFilterInternal() failed due to BAD_REQUEST", e);
 			response.getWriter().close();
-			return;
 		}
 	}
-}
\ No newline at end of file
+}
