Code Review / dmaap / datarouter.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: 4916be0)
DMAAP-DR Header Injection fix 83/122883/1
authordavid.mcweeney <david.mcweeney@est.tech>
Tue, 27 Jul 2021 14:53:14 +0000 (15:53 +0100)
committerdavid.mcweeney <david.mcweeney@est.tech>
Tue, 27 Jul 2021 14:53:18 +0000 (15:53 +0100)
Signed-off-by: david.mcweeney <david.mcweeney@est.tech>
Change-Id: I5eb00945762064a5beeb5ce9c57e24243364c238
Issue-ID: DMAAP-1624

datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java patch | blob | history
datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java patch | blob | history

diff --git a/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java b/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java
index 0d03068..27fa5f3 100644 (file)
--- a/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java
+++ b/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java
@@ -253,6 +253,13 @@ public class NodeServlet extends HttpServlet {
                 return;
             }
             fileid = fileid.substring(18);
+            if (req.getHeader("X-DMAAP-DR-PUBLISH-ID") != null && !req.getHeader("X-DMAAP-DR-PUBLISH-ID").matches("^[a-zA-Z0-9_]+$")) {
+                String reason = "Error validating header";
+                eelfLogger.error(reason);
+                resp.sendError(HttpServletResponse.SC_BAD_REQUEST, reason);
+                eelfLogger.info(EelfMsgs.EXIT);
+                return;
+            }
             pubid = req.getHeader("X-DMAAP-DR-PUBLISH-ID");
             user = "datartr";   // SP6 : Added usr as datartr to avoid null entries for internal routing
             targets = config.parseRouting(req.getHeader("X-DMAAP-DR-ROUTING"));
diff --git a/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java b/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java
index 4340b01..ad2fcf5 100644 (file)
--- a/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java
+++ b/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java
@@ -204,6 +204,17 @@ public class NodeServletTest {
         verifyEnteringExitCalled(listAppender);
     }
 
+    @Test
+    public void Given_Request_Is_HTTP_PUT_And_Internal_Publish_But_Invalid_Header_Then_Bad_Request_Response_Is_Generated() throws Exception {
+        when(request.getPathInfo()).thenReturn("/internal/publish/1/blah");
+        when(request.getRemoteAddr()).thenReturn("1.2.3.4");
+        when(config.isAnotherNode(anyString(), anyString())).thenReturn(true);
+        when(request.getHeader("X-DMAAP-DR-PUBLISH-ID")).thenReturn("User1+");
+        nodeServlet.doPut(request, response);
+        verify(response).sendError(eq(HttpServletResponse.SC_BAD_REQUEST), anyString());
+        verifyEnteringExitCalled(listAppender);
+    }
+
     @Test
     public void Given_Request_Is_HTTP_PUT_On_Publish_And_Ingress_Node_Is_Provided_Then_Request_Is_Redirected() throws Exception {
         setNodeConfigManagerToAllowRedirectOnIngressNode();
The Data Routing System project is intended to provide a common framework by which data producers can make data available to data consumers and a way for potential consumers to find feeds with the data they require. The interface to DR is exposed as a RESTful web service known as the DR Publishing and Delivery API