From 0916f79740061fd041cc72bbda871c8f2dd18b4d Mon Sep 17 00:00:00 2001
From: Fiete Ostkamp
Date: Fri, 20 Mar 2026 13:06:50 +0100
Subject: [PATCH] Fix sonarqube security issues

Issue-ID: SDC-4813
Change-Id: I056d7ba335b01849b33b6892b2e12446dd546ce5
Signed-off-by: Fiete Ostkamp
---
 .../nsd/generator/EtsiNfvNsCsarEntryGenerator.java | 14 +++++++++++---
 .../src/app/ng2/pipes/safeUrlSanitizer.pipe.ts | 21 ++++++++++++++++++---
 .../java/org/onap/config/ConfigurationUtils.java | 21 ++++++++++++---------
 .../sdcrests/item/rest/services/VersionsImpl.java | 4 +++-
 4 files changed, 44 insertions(+), 16 deletions(-)

diff --git a/catalog-be-plugins/etsi-nfv-nsd-csar-plugin/src/main/java/org/openecomp/sdc/be/plugins/etsi/nfv/nsd/generator/EtsiNfvNsCsarEntryGenerator.java b/catalog-be-plugins/etsi-nfv-nsd-csar-plugin/src/main/java/org/openecomp/sdc/be/plugins/etsi/nfv/nsd/generator/EtsiNfvNsCsarEntryGenerator.java
index f5d7828e2d..4c3893c8ac 100644
--- a/catalog-be-plugins/etsi-nfv-nsd-csar-plugin/src/main/java/org/openecomp/sdc/be/plugins/etsi/nfv/nsd/generator/EtsiNfvNsCsarEntryGenerator.java
+++ b/catalog-be-plugins/etsi-nfv-nsd-csar-plugin/src/main/java/org/openecomp/sdc/be/plugins/etsi/nfv/nsd/generator/EtsiNfvNsCsarEntryGenerator.java
@@ -23,6 +23,8 @@ import static org.openecomp.sdc.common.api.ArtifactTypeEnum.ETSI_PACKAGE;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 import org.openecomp.sdc.be.datatypes.enums.ComponentTypeEnum;
 import org.openecomp.sdc.be.plugins.etsi.nfv.nsd.generator.config.CategoriesToGenerateNsd;
 import org.openecomp.sdc.be.model.Component;
@@ -45,6 +47,7 @@ public class EtsiNfvNsCsarEntryGenerator implements CsarEntryGenerator {
     static final String UNSIGNED_CSAR_EXTENSION = "csar";
     static final String ETSI_VERSION_METADATA = "ETSI Version";
     private static final Logger LOGGER = LoggerFactory.getLogger(EtsiNfvNsCsarEntryGenerator.class);
+    private static final Pattern ETSI_VERSION_PATTERN = Pattern.compile("(\\d+\\.\\d+\\.\\d+)");
     private final EtsiNfvNsdCsarGeneratorFactory etsiNfvNsdCsarGeneratorFactory;
 
     public EtsiNfvNsCsarEntryGenerator(final EtsiNfvNsdCsarGeneratorFactory etsiNfvNsdCsarGeneratorFactory) {
@@ -91,9 +94,14 @@ public class EtsiNfvNsCsarEntryGenerator implements CsarEntryGenerator {
 
     private EtsiVersion getComponentEtsiVersion(Component component) {
         String etsiVersion = component.getCategorySpecificMetadata().get(ETSI_VERSION_METADATA);
-        final String modelName = component.getModel();
-        if (etsiVersion == null && modelName.matches(".*\\d+\\.\\d+\\.\\d+.*" )){
-            etsiVersion = modelName.replaceAll(".*?(\\d+\\.\\d+\\.\\d+).*", "$1");
+        if (etsiVersion == null) {
+            final String modelName = component.getModel();
+            if (modelName != null) {
+                final Matcher matcher = ETSI_VERSION_PATTERN.matcher(modelName);
+                if (matcher.find()) {
+                    etsiVersion = matcher.group(1);
+                }
+            }
         }
         return EtsiVersion.convertOrNull(etsiVersion);
     }
diff --git a/catalog-ui/src/app/ng2/pipes/safeUrlSanitizer.pipe.ts b/catalog-ui/src/app/ng2/pipes/safeUrlSanitizer.pipe.ts
index 9d8588030e..e3b3a029e5 100644
--- a/catalog-ui/src/app/ng2/pipes/safeUrlSanitizer.pipe.ts
+++ b/catalog-ui/src/app/ng2/pipes/safeUrlSanitizer.pipe.ts
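Review bot: The fallback now null-guards `getModel()`, but the first statement of `getComponentEtsiVersion` still dereferences `component.getCategorySpecificMetadata()` unguarded; if that map can be absent for a component, the NPE this change avoids for the model name remains one line earlier, so hoist the map into a local and null-check it before calling `get`. With `find()` the enclosing capture group in `ETSI_VERSION_PATTERN` is redundant, `matcher.group()` yields the same text. A short comment on the constant in the preceding hunk would record the intent, e.g. `// Fallback when no "ETSI Version" metadata is set: the first x.y.z digit triple found in the model name`.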
@@ -1,10 +1,25 @@ import { Pipe, PipeTransform } from '@angular/core'; -import { DomSanitizer } from '@angular/platform-browser'; +import { DomSanitizer, SafeResourceUrl } from '@angular/platform-browser'; @Pipe({ name: 'safeUrlSanitizer' }) export class SafeUrlSanitizerPipe implements PipeTransform { constructor(private sanitizer: DomSanitizer) {} - transform(url) { - return this.sanitizer.bypassSecurityTrustResourceUrl(url); + transform(url: string): SafeResourceUrl { + if (this.isSafeResourceUrl(url)) { + return this.sanitizer.bypassSecurityTrustResourceUrl(url); + } + return this.sanitizer.bypassSecurityTrustResourceUrl('about:blank'); + } + + private isSafeResourceUrl(url: string): boolean { + if (!url) { + return false; + } + try { + const parsed = new URL(url); + return parsed.protocol === 'https:' || parsed.protocol === 'http:'; + } catch (e) { + return false; + } } } diff --git a/common/onap-common-configuration-management/onap-configuration-management-core/src/main/java/org/onap/config/ConfigurationUtils.java b/common/onap-common-configuration-management/onap-configuration-management-core/src/main/java/org/onap/config/ConfigurationUtils.java index 71dd457e6f..9b26b7314b 100644 --- a/common/onap-common-configuration-management/onap-configuration-management-core/src/main/java/org/onap/config/ConfigurationUtils.java +++ b/common/onap-common-configuration-management/onap-configuration-management-core/src/main/java/org/onap/config/ConfigurationUtils.java 
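Review bot: `isSafeResourceUrl` rejects every relative URL, because `new URL(url)` without a base throws for a path that begins with `/`, so any caller that passes a relative resource path now silently receives `about:blank`. If relative paths are expected, resolve them against the document (`const parsed = new URL(url, window.location.href);`) and keep the protocol check; if only absolute URLs are expected, say so in a comment on `transform`. Accepting any `http:`/`https:` origin still hands an arbitrary origin to `bypassSecurityTrustResourceUrl`, so when the legitimate hosts are known, comparing `parsed.host` against that list would be the stronger check. `catch (e)` leaves `e` unused; an optional catch binding `catch {` reads cleaner.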
@@ -93,6 +93,10 @@ public class ConfigurationUtils {
     private static final Map, Class> ARRAY_CLASS_MAP;
     private static final String CONFIG_REGEX_TPL_OPT_1 = "CONFIG(-\\w*){0,1}(-(%s|%s|%s)){0,1}\\.(%s|%s|%s|%s)$";
     private static final String CONFIG_REGEX_TPL_OPT_2 = "CONFIG(.)*\\.(%s|%s|%s|%s)$";
+    private static final Pattern CONFIG_PATTERN_OPT_1;
+    private static final Pattern CONFIG_PATTERN_OPT_2;
+    private static final Pattern COLLECTION_STRING_PATTERN = Pattern.compile("^\\[(.*)\\]$");
+    private static final Pattern VARIABLE_PATTERN = Pattern.compile("^.*\\$\\{(.*)\\}.*");
 
     static {
         Map, Class> arrayTypes = new HashMap<>();
@@ -106,6 +110,11 @@ public class ConfigurationUtils {
         arrayTypes.put(Character.class, Character[].class);
         arrayTypes.put(String.class, String[].class);
         ARRAY_CLASS_MAP = Collections.unmodifiableMap(arrayTypes);
+        CONFIG_PATTERN_OPT_1 = Pattern.compile(String.format(CONFIG_REGEX_TPL_OPT_1, ConfigurationMode.OVERRIDE, ConfigurationMode.MERGE,
+            ConfigurationMode.UNION, ConfigurationType.PROPERTIES.name(), ConfigurationType.XML.name(), ConfigurationType.JSON.name(),
+            ConfigurationType.YAML.name()));
+        CONFIG_PATTERN_OPT_2 = Pattern.compile(String.format(CONFIG_REGEX_TPL_OPT_2, ConfigurationType.PROPERTIES.name(),
+            ConfigurationType.XML.name(), ConfigurationType.JSON.name(), ConfigurationType.YAML.name()));
     }
 
     private ConfigurationUtils() {
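Review bot: `CONFIG_PATTERN_OPT_1` and `CONFIG_PATTERN_OPT_2` are declared blank-final and assigned at the end of the static block, which ties their initialization to the unrelated `ARRAY_CLASS_MAP` construction; they depend only on compile-time constants and enum names, so initializing them at the declaration (`private static final Pattern CONFIG_PATTERN_OPT_1 = Pattern.compile(String.format(CONFIG_REGEX_TPL_OPT_1, ...));`) keeps the four pattern constants together and shortens the block. The mode arguments are formatted through `toString()` while the type arguments use `.name()`; this mirrors the removed code, but if `ConfigurationMode` ever overrides `toString()` the regex changes silently, so `.name()` on both would pin it. A one-line comment above the constants, e.g. `// Compiled once; these were previously rebuilt and recompiled on every String.matches call`, would record why the patterns were hoisted.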
@@ -160,11 +169,7 @@ public class ConfigurationUtils {
     public static boolean isConfig(String file) {
         file = file.toUpperCase().substring(file.lastIndexOf('!') + 1);
         file = file.substring(file.lastIndexOf('/') + 1);
-        return file.matches(String.format(CONFIG_REGEX_TPL_OPT_1, ConfigurationMode.OVERRIDE, ConfigurationMode.MERGE, ConfigurationMode.UNION,
-            ConfigurationType.PROPERTIES.name(), ConfigurationType.XML.name(), ConfigurationType.JSON.name(), ConfigurationType.YAML.name())) || file
-            .matches(String
-                .format(CONFIG_REGEX_TPL_OPT_2, ConfigurationType.PROPERTIES.name(), ConfigurationType.XML.name(), ConfigurationType.JSON.name(),
-                    ConfigurationType.YAML.name()));
+        return CONFIG_PATTERN_OPT_1.matcher(file).matches() || CONFIG_PATTERN_OPT_2.matcher(file).matches();
     }
 
     public static boolean isConfig(File file) {
@@ -446,8 +451,7 @@ public class ConfigurationUtils {
     }
 
     public static String getCollectionString(String input) {
-        Pattern pattern = Pattern.compile("^\\[(.*)\\]$");
-        Matcher matcher = pattern.matcher(input);
+        Matcher matcher = COLLECTION_STRING_PATTERN.matcher(input);
         if (matcher.matches()) {
             input = matcher.group(1);
         }
@@ -455,8 +459,7 @@ public class ConfigurationUtils {
     }
 
     public static String processVariablesIfPresent(String tenant, String namespace, String data) {
-        Pattern pattern = Pattern.compile("^.*\\$\\{(.*)\\}.*");
-        Matcher matcher = pattern.matcher(data);
+        Matcher matcher = VARIABLE_PATTERN.matcher(data);
         if (matcher.matches()) {
             final int substringStartIndex = 4;
             String key = matcher.group(1);
diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/item-rest/item-rest-services/src/main/java/org/openecomp/sdcrests/item/rest/services/VersionsImpl.java b/openecomp-be/api/openecomp-sdc-rest-webapp/item-rest/item-rest-services/src/main/java/org/openecomp/sdcrests/item/rest/services/VersionsImpl.java
index 6e7703cda3..89fe609e00 100644
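Review bot: `file.toUpperCase()` in `isConfig(String)` is locale-dependent while the compiled patterns expect ASCII upper-case names such as `PROPERTIES`; under a Turkish default locale the `i` in `.properties` upper-cases to a dotted capital I and the match fails, so `file = file.toUpperCase(Locale.ROOT).substring(file.lastIndexOf('!') + 1);` is the right form here (add `java.util.Locale` if the file does not import it yet). The hunk at `@@ -455` keeps `VARIABLE_PATTERN` with a greedy `(.*)` under `matches()`, so a value containing two placeholders captures from the first `${` to the last `}`; that is unchanged behavior, but a comment on the constant saying whether that is intended would save the next reader a detour. `processVariablesIfPresent` continues past the end of the hunk.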
--- a/openecomp-be/api/openecomp-sdc-rest-webapp/item-rest/item-rest-services/src/main/java/org/openecomp/sdcrests/item/rest/services/VersionsImpl.java
+++ b/openecomp-be/api/openecomp-sdc-rest-webapp/item-rest/item-rest-services/src/main/java/org/openecomp/sdcrests/item/rest/services/VersionsImpl.java
@@ -26,6 +26,7 @@ import com.google.common.annotations.VisibleForTesting;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.regex.Pattern;
 import javax.inject.Named;
 import javax.ws.rs.core.Response;
 import org.openecomp.sdc.activitylog.dao.type.ActivityLogEntity;
@@ -64,6 +65,7 @@ public class VersionsImpl implements Versions {
 
     private static final String COMMIT_ITEM_ACTION = "Commit_Item";
     private static final Logger LOGGER = LoggerFactory.getLogger(VersionsImpl.class);
+    private static final Pattern INITIAL_REVISION_PATTERN = Pattern.compile("Initial .*:.*");
     private ManagersProvider managersProvider;
 
     @Override
@@ -176,7 +178,7 @@ public class VersionsImpl implements Versions {
         3- the second revision is in format "Initial : "
         4- only if a revision in this format exists we remove the first revision. */
         int numOfRevisions = revisions.size();
-        if (numOfRevisions > 1 && revisions.get(numOfRevisions - 2).getMessage().matches("Initial .*:.*")) {
+        if (numOfRevisions > 1 && INITIAL_REVISION_PATTERN.matcher(revisions.get(numOfRevisions - 2).getMessage()).matches()) {
             revisions.remove(numOfRevisions - 1);
         }
     }
-- 
2.16.6
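Review bot: `INITIAL_REVISION_PATTERN.matcher(...)` throws `NullPointerException` when `getMessage()` returns null, exactly as the replaced `String.matches` did; if a revision can carry no message, split the condition so the message is checked first: `final String message = numOfRevisions > 1 ? revisions.get(numOfRevisions - 2).getMessage() : null;` followed by `if (message != null && INITIAL_REVISION_PATTERN.matcher(message).matches()) {`. Because `.` does not cross line terminators, `matches()` also fails on a multi-line message; the comment above describes a single-line `Initial : ` format, so this is presumably fine, but a comment on the constant in the `@@ -64` hunk tying it to that format (`// Matches the "Initial <x>: <y>" message of the auto-created second revision`) would make the coupling explicit. The enclosing method starts before this hunk.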