Code Review / dmaap / datarouter.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | inline | side by side
DMAAP-DR Header Injection fix
[dmaap/datarouter.git] / datarouter-node / src / main / java / org / onap / dmaap / datarouter / node / NodeServlet.java
diff --git a/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java b/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java
index 0d03068..27fa5f3 100644 (file)
--- a/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java
+++ b/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java
@@ -253,6 +253,13 @@ public class NodeServlet extends HttpServlet {
                 return;
             }
             fileid = fileid.substring(18);
+            if (req.getHeader("X-DMAAP-DR-PUBLISH-ID") != null && !req.getHeader("X-DMAAP-DR-PUBLISH-ID").matches("^[a-zA-Z0-9_]+$")) {
+                String reason = "Error validating header";
+                eelfLogger.error(reason);
+                resp.sendError(HttpServletResponse.SC_BAD_REQUEST, reason);
+                eelfLogger.info(EelfMsgs.EXIT);
+                return;
+            }
             pubid = req.getHeader("X-DMAAP-DR-PUBLISH-ID");
             user = "datartr";   // SP6 : Added usr as datartr to avoid null entries for internal routing
             targets = config.parseRouting(req.getHeader("X-DMAAP-DR-ROUTING"));
The Data Routing System project is intended to provide a common framework by which data producers can make data available to data consumers and a way for potential consumers to find feeds with the data they require. The interface to DR is exposed as a RESTful web service known as the DR Publishing and Delivery API