Fix NexusIQ security vulnerabilities 92/69592/1
authorLee, Tian (tl5884) <TianL@amdocs.com>
Mon, 1 Oct 2018 15:24:47 +0000 (16:24 +0100)
committerLee, Tian (tl5884) <TianL@amdocs.com>
Mon, 1 Oct 2018 15:24:47 +0000 (16:24 +0100)
Remove Spring Boot Jackson dependencies and replace with Gson
implementation.

Fix potential source of NullPointerException.

Change-Id: I3a715a023223b596e8a0979f0e0d381511fca32d
Issue-ID: AAF-529
Signed-off-by: Lee, Tian (tl5884) <TianL@amdocs.com>
.gitignore
sidecar/fproxy/pom.xml
sidecar/fproxy/src/main/resources/application.properties
sidecar/rproxy/config/auth/uri-authorization.json
sidecar/rproxy/pom.xml
sidecar/rproxy/src/main/java/org/onap/aaf/rproxy/ReverseProxyAuthorizationFilter.java
sidecar/rproxy/src/main/java/org/onap/aaf/rproxy/ReverseProxyService.java
sidecar/rproxy/src/main/resources/application.properties

index e02456b..d93e941 100644 (file)
@@ -1,3 +1,4 @@
 target/
 .idea
 *.iml
+.checkstyle
index 81014e6..55221b9 100644 (file)
                                        <artifactId>spring-boot-starter-tomcat</artifactId>
                                        <groupId>org.springframework.boot</groupId>
                                </exclusion>
+                               <exclusion>
+                                       <groupId>org.springframework.boot</groupId>
+                                       <artifactId>spring-boot-starter-json</artifactId>
+                               </exclusion>
                        </exclusions>
                </dependency>
 
-               <dependency>
-                       <groupId>org.springframework.boot</groupId>
-                       <artifactId>spring-boot-starter-actuator</artifactId>
-               </dependency>
-
                <dependency>
                        <groupId>org.apache.commons</groupId>
                        <artifactId>commons-lang3</artifactId>
                        <artifactId>httpclient</artifactId>
                </dependency>
 
+               <dependency>
+                       <groupId>com.google.code.gson</groupId>
+                       <artifactId>gson</artifactId>
+               </dependency>
+
                <!-- Testing -->
                <dependency>
                        <groupId>org.springframework.boot</groupId>
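Review bot: The `spring-boot-starter-json` exclusion at L33-L36 only removes Jackson from the one starter it sits under, so it does not by itself prove the NexusIQ finding is gone: any other dependency in this POM (including ones outside the visible hunks) can still pull `jackson-databind` transitively onto the runtime classpath. Verify with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` after the change and add an `<exclusion>` on each remaining path, because a scanner will flag the artifact regardless of whether Spring ends up using the Gson converter. The new `gson` dependency at L51-L54 carries no `<version>`, so it resolves from the parent's dependencyManagement (presumably the Spring Boot BOM, not visible here); confirm that managed version is one the scanner clears, since the fix otherwise floats with the parent.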
index d269c54..5ed7510 100644 (file)
@@ -9,6 +9,4 @@ server.contextPath=/
 
 logging.config=${CONFIG_HOME}/logback-spring.xml
 
-spring.profiles.active=secure
-
-management.endpoints.web.base-path=/fproxy
\ No newline at end of file
+spring.profiles.active=secure
\ No newline at end of file
index 29b152d..61ea9e6 100644 (file)
         "test.auth.access\\|tenants\\|read",
         "test.auth.access\\|vservers\\|read"
       ]     
-    },
-    {
-      "uri": "\/rproxy\/.*",
-      "permissions": [
-       "org\\.access\\|rproxy\\|get"
-       ]
     }
   ]
\ No newline at end of file
index 004f569..09a0d06 100644 (file)
                                        <groupId>org.springframework.boot</groupId>
                                        <artifactId>spring-boot-starter-tomcat</artifactId>
                                </exclusion>
+                               <exclusion>
+                                       <groupId>org.springframework.boot</groupId>
+                                       <artifactId>spring-boot-starter-json</artifactId>
+                               </exclusion>
                        </exclusions>
                </dependency>
 
                        <artifactId>spring-boot-starter-aop</artifactId>
                </dependency>
 
-               <dependency>
-                       <groupId>org.springframework.boot</groupId>
-                       <artifactId>spring-boot-starter-actuator</artifactId>
-               </dependency>
-
                <dependency>
                        <groupId>org.springframework.boot</groupId>
                        <artifactId>spring-boot-starter-test</artifactId>
                <dependency>
                        <groupId>com.google.code.gson</groupId>
                        <artifactId>gson</artifactId>
-                       <version>2.8.5</version><!--$NO-MVN-MAN-VER$-->
                </dependency>
 
                <dependency>
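Review bot: Dropping `<version>2.8.5</version>` at L108 hands Gson's version to the parent's dependencyManagement, so the version this module actually ships now changes whenever the parent BOM is bumped; for a commit whose purpose is to satisfy a vulnerability scanner, record the resolved version (for example in the commit message or a `<properties>` entry the parent reads) so it can be re-checked. As with the sibling fproxy POM, the `spring-boot-starter-json` exclusion at L87-L90 covers only one starter; run `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` to confirm Jackson no longer resolves through any other dependency in this file.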
index 6374c9d..f939249 100644 (file)
@@ -20,6 +20,7 @@
 package org.onap.aaf.rproxy;
 
 import com.google.gson.Gson;
+import com.google.gson.reflect.TypeToken;
 import com.google.gson.stream.JsonReader;
 import java.io.File;
 import java.io.FileInputStream;
@@ -30,6 +31,7 @@ import java.net.URI;
 import java.net.URISyntaxException;
 import java.security.Principal;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.List;
 import javax.annotation.Resource;
 import javax.servlet.Filter;
@@ -58,7 +60,7 @@ public class ReverseProxyAuthorizationFilter implements Filter {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(ReverseProxyAuthorizationFilter.class);
 
-    private ReverseProxyAuthorization[] reverseProxyAuthorizations = new ReverseProxyAuthorization[] {};
+    private List<ReverseProxyAuthorization> reverseProxyAuthorizations = new ArrayList<>();
 
     @Resource
     private ReverseProxyURIAuthorizationProperties reverseProxyURIAuthorizationProperties;
@@ -72,7 +74,10 @@ public class ReverseProxyAuthorizationFilter implements Filter {
             try (InputStream inputStream =
                     new FileInputStream(new File(reverseProxyURIAuthorizationProperties.getConfigurationFile()));
                     JsonReader jsonReader = new JsonReader(new InputStreamReader(inputStream))) {
-                reverseProxyAuthorizations = new Gson().fromJson(jsonReader, ReverseProxyAuthorization[].class);
+                List<ReverseProxyAuthorization> untrimmedList = new Gson().fromJson(jsonReader,
+                        new TypeToken<ArrayList<ReverseProxyAuthorization>>() {}.getType());
+                untrimmedList.removeAll(Collections.singleton(null));
+                reverseProxyAuthorizations = untrimmedList;
             } catch (IOException e) {
                 throw new ServletException("Authorizations config file not found.", e);
             }
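Review bot: `new Gson().fromJson(jsonReader, …)` at L143-L144 returns `null` when the configuration file is empty or contains the literal `null`, so `untrimmedList.removeAll(Collections.singleton(null))` at L145 throws the very NullPointerException the commit message says it removes, and a malformed file raises an unchecked `JsonSyntaxException` that the `catch (IOException e)` at L147 does not turn into the descriptive `ServletException`. Because this list is the authorization rule set, treat "no rules" as a misconfiguration and fail closed: `if (untrimmedList == null) { throw new ServletException("Authorizations config file is empty."); }` before the `removeAll`, and catch `JsonParseException` alongside `IOException` so a bad file fails startup with a clear message. `new InputStreamReader(inputStream)` at L141 also uses the platform default charset; pass `StandardCharsets.UTF_8` (adds a `java.nio.charset` import) so the rule file parses the same on every host. The method that owns this `try` block starts outside the hunk.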
index b5c000c..55fcdd1 100644 (file)
@@ -35,7 +35,6 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.boot.actuate.endpoint.InvalidEndpointRequestException;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.http.HttpEntity;
 import org.springframework.http.HttpHeaders;
@@ -45,6 +44,7 @@ import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.client.HttpClientErrorException;
 import org.springframework.web.client.RestTemplate;
 
 @RestController
@@ -152,8 +152,8 @@ public class ReverseProxyService {
                 restTemplate.postForEntity(forwardProxyURI, credentialCacheData, String.class);
 
         if (!response.getStatusCode().is2xxSuccessful()) {
-            throw new InvalidEndpointRequestException("Error posting to credential cache.",
-                    "Status code: " + response.getStatusCodeValue() + " Message: " + response.getBody());
+            throw new HttpClientErrorException(response.getStatusCode(),
+                    "Error posting to credential cache. Message: " + response.getBody());
         }
     }
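Review bot: `new HttpClientErrorException(response.getStatusCode(), …)` at L173 classifies every non-2xx reply from the credential cache as a client (4xx) error, including 5xx responses, and the message at L174 embeds the cache's raw response body; if nothing above this controller catches the exception, that upstream body is surfaced to the rproxy caller. Keep the body out of the exception and log it server-side instead (slf4j is imported at L151-L152, though the logger field is outside the hunk): `LOGGER.error("Credential cache returned {}: {}", response.getStatusCode(), response.getBody());` followed by `throw new HttpClientErrorException(response.getStatusCode(), "Error posting to credential cache.");`, and use `HttpServerErrorException` when `response.getStatusCode().is5xxServerError()`. With RestTemplate's default error handler `postForEntity` already throws on non-2xx, so this branch presumably only runs under a custom handler configured elsewhere; worth confirming it is reachable. The enclosing method begins outside the hunk.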
 
index f291372..9ba37aa 100644 (file)
@@ -16,7 +16,4 @@ uri.authorization.configuration-file=${CONFIG_HOME}/auth/uri-authorization.json
 
 logging.config=${CONFIG_HOME}/logback-spring.xml
 
-spring.profiles.default=secure,cadi
-
-# For Spring Boot Actuator endpoints
-management.endpoints.web.base-path=/rproxy
\ No newline at end of file
+spring.profiles.default=secure,cadi
\ No newline at end of file