From: esobmar
Date: Mon, 17 Sep 2018 16:25:17 +0000 (+0100)
Subject: Fix NodeServlet Vulnerabilities
X-Git-Tag: 1.0.2~27^2
X-Git-Url: https://gerrit.onap.org/r/gitweb?p=dmaap%2Fdatarouter.git;a=commitdiff_plain;h=527f8c01aab421811407a0dbe4868370e53cd7a2

Fix NodeServlet Vulnerabilities

Change-Id: I16a6a7c4f0a7ac1005878106f176a1dcf25940a3
Signed-off-by: Mariusz Sobucki
Issue-ID: DMAAP-775
---

diff --git a/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java b/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java
index 9ddbc25a..e5eb2edc 100644
--- a/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java
+++ b/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java
@@ -27,14 +27,12 @@ package org.onap.dmaap.datarouter.node;
 import com.att.eelf.configuration.EELFLogger;
 import com.att.eelf.configuration.EELFManager;
 import java.io.File;
-import java.io.FileInputStream;
 import java.io.FileOutputStream;
 import java.io.FileWriter;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.io.Writer;
-import java.net.Socket;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
@@ -44,9 +42,12 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+
 import org.apache.log4j.Logger;
 import org.onap.dmaap.datarouter.node.eelf.EelfMsgs;
+import static org.onap.dmaap.datarouter.node.NodeUtils.sendResponseError;
+
 /**
 * Servlet for handling all http and https requests to the data router node
 *

@@ -59,11 +60,9 @@ import org.onap.dmaap.datarouter.node.eelf.EelfMsgs;
 * PUT/DELETE https://node/publish/feedid/fileid - publsh request
 */
 public class NodeServlet extends HttpServlet {
- private static Logger logger = Logger.getLogger("org.onap.dmaap.datarouter.node.NodeServlet");
 private static NodeConfigManager config;
 private static Pattern MetaDataPattern;
- private static SubnetMatcher internalsubnet = new SubnetMatcher("135.207.136.128/25");
 //Adding EELF Logger Rally:US664892
 private static EELFLogger eelflogger = EELFManager.getInstance()
 .getLogger("org.onap.dmaap.datarouter.node.NodeServlet");
@@ -93,7 +92,7 @@ public class NodeServlet extends HttpServlet {
 private boolean down(HttpServletResponse resp) throws IOException {
 if (config.isShutdown() || !config.isConfigured()) {
- resp.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
+ sendResponseError(resp, HttpServletResponse.SC_SERVICE_UNAVAILABLE, logger);
 logger.info("NODE0102 Rejecting request: Service is being quiesced");
 return (true);
 }
@@ -103,12 +102,17 @@ public class NodeServlet extends HttpServlet {
 /**
 * Handle a GET for /internal/fetchProv
 */
- protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+ protected void doGet(HttpServletRequest req, HttpServletResponse resp){
 NodeUtils.setIpAndFqdnForEelf("doGet");
 eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_FEEDID, req.getHeader("X-ATT-DR-ON-BEHALF-OF"), getIdFromPath(req) + "");
- if (down(resp)) {
- return;
+ try{
+ if (down(resp)) {
+ return;
+ }
+
+ } catch (IOException ioe) {
+ logger.error("IOException" + ioe.getMessage());
 }
 String path = req.getPathInfo();
 String qs = req.getQueryString();
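Review bot: The hunk removes the only declaration of `logger` visible in this diff (`private static Logger logger = Logger.getLogger(...)`), yet `down`, `doGet`, `doPut` and `doDelete` in the later hunks still call `logger.info`/`logger.error` and pass `logger` to `sendResponseError`, and no later hunk adds a replacement. Unless a second declaration exists outside these hunks, the class no longer compiles; confirm where `logger` now resolves, or keep the field as `private static final Logger logger = Logger.getLogger("org.onap.dmaap.datarouter.node.NodeServlet");` if it was dropped only to satisfy a static-analysis finding. Removing the hard-coded `internalsubnet` together with the endpoints it gated is consistent, since nothing on the new side references it.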
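Review bot: The `catch (IOException ioe)` added around `down(resp)` in doGet logs and then falls through into the normal GET handling below it, so the early return the old code guaranteed when the node is quiesced is lost whenever sending the 503 fails; the catch should end with `return;`. The message `"IOException" + ioe.getMessage()` also drops the stack trace and has no separator — prefer `logger.error("IOException in doGet", ioe);` — and the same pattern repeats in the doPut and doDelete hunks. Since `down` now delegates to `sendResponseError`, which swallows the IOException itself, the `throws IOException` on `down` (context line of the -93 hunk) no longer reflects a real throw; dropping it would let this try/catch go away entirely. The body of doGet continues outside the hunk.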
@@ -128,50 +132,9 @@ public class NodeServlet extends HttpServlet {
 return;
 }
 }
- if (internalsubnet.matches(NodeUtils.getInetAddress(ip))) {
- if (path.startsWith("/internal/logs/")) {
- String f = path.substring(15);
- File fn = new File(config.getLogDir() + "/" + f);
- if (f.indexOf('/') != -1 || !fn.isFile()) {
- logger.info("NODE0103 Rejecting invalid GET of " + path + " from " + ip);
- resp.sendError(HttpServletResponse.SC_NOT_FOUND);
- return;
- }
- byte[] buf = new byte[65536];
- resp.setContentType("text/plain");
- resp.setContentLength((int) fn.length());
- resp.setStatus(200);
- try (InputStream is = new FileInputStream(fn)) {
- OutputStream os = resp.getOutputStream();
- int i;
- while ((i = is.read(buf)) > 0) {
- os.write(buf, 0, i);
- }
- }
- return;
- }
- if (path.startsWith("/internal/rtt/")) {
- String xip = path.substring(14);
- long st = System.currentTimeMillis();
- String status = " unknown";
- try {
- Socket s = new Socket(xip, 443);
- s.close();
- status = " connected";
- } catch (Exception e) {
- status = " error " + e.toString();
- }
- long dur = System.currentTimeMillis() - st;
- resp.setContentType("text/plain");
- resp.setStatus(200);
- byte[] buf = (dur + status + "\n").getBytes();
- resp.setContentLength(buf.length);
- resp.getOutputStream().write(buf);
- return;
- }
- }
+
 logger.info("NODE0103 Rejecting invalid GET of " + path + " from " + ip);
- resp.sendError(HttpServletResponse.SC_NOT_FOUND);
+ sendResponseError(resp, HttpServletResponse.SC_NOT_FOUND, logger);
 }
 /**
@@ -181,7 +144,12 @@ public class NodeServlet extends HttpServlet {
 NodeUtils.setIpAndFqdnForEelf("doPut");
 eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_FEEDID, req.getHeader("X-ATT-DR-ON-BEHALF-OF"), getIdFromPath(req) + "");
- common(req, resp, true);
+ try {
+ common(req, resp, true);
+ }
+ catch(IOException ioe){
+ logger.error("IOException" + ioe.getMessage());
+ }
 }
 /**
@@ -191,7 +159,12 @@ public class NodeServlet extends HttpServlet {
 NodeUtils.setIpAndFqdnForEelf("doDelete");
 eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_FEEDID, req.getHeader("X-ATT-DR-ON-BEHALF-OF"), getIdFromPath(req) + "");
- common(req, resp, false);
+ try {
+ common(req, resp, false);
+ }
+ catch(IOException ioe){
+ logger.error("IOException" + ioe.getMessage());
+ }
 }
 private void common(HttpServletRequest req, HttpServletResponse resp, boolean isput)
diff --git a/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeUtils.java b/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeUtils.java
index 2c013ca5..01585d9f 100644
--- a/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeUtils.java
+++ b/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeUtils.java
@@ -45,6 +45,8 @@ import org.apache.log4j.Logger;
 import org.onap.dmaap.datarouter.node.eelf.EelfMsgs;
 import org.slf4j.MDC;
+import javax.servlet.http.HttpServletResponse;
+
 /**
 * Utility functions for the data router node
 */
@@ -261,5 +263,13 @@ public class NodeUtils {
 }
+ public static void sendResponseError(HttpServletResponse response, int errorCode, Logger intlogger) {
+ try {
+ response.sendError(errorCode);
+ } catch (IOException ioe) {
+ intlogger.error("IOException" + ioe.getMessage());
+ }
+ }
+
 }
diff --git a/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java b/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java
index 048c44fa..fbdd9230 100644
--- a/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java
+++ b/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java
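Review bot: The new `sendResponseError` helper in NodeUtils catches only `IOException`, but `HttpServletResponse.sendError` also throws `IllegalStateException` once the response has been committed, so a late failure still escapes as an unhandled runtime exception; guarding with `if (response.isCommitted()) { intlogger.error("Response already committed, cannot send " + errorCode); return; }` before the call would close that gap. The log line `intlogger.error("IOException" + ioe.getMessage());` discards the stack trace and lacks a separator — `intlogger.error("IOException sending error " + errorCode, ioe);` keeps the cause. The method also has no Javadoc; a one-line summary stating that it sends the given status and logs rather than propagates a failed write, with `@param` entries for the three arguments, would document the contract callers in NodeServlet now rely on.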
@@ -86,24 +86,6 @@ public class NodeServletTest {
 verify(response).setStatus(eq(HttpServletResponse.SC_NO_CONTENT));
 }
- @Test
- public void Given_Request_Is_HTTP_GET_And_Endpoint_Is_Internal_Logs_And_File_Does_Not_Exist_Then_Not_Found_Response_Is_Generated() throws Exception {
- when(request.getPathInfo()).thenReturn("/internal/logs/fileName");
- when(request.getRemoteAddr()).thenReturn("135.207.136.128");
- nodeServlet.doGet(request, response);
- verify(response).sendError(eq(HttpServletResponse.SC_NOT_FOUND));
- }
-
- @Test
- public void Given_Request_Is_HTTP_GET_And_Endpoint_Is_Internal_Rtt_And_Error_Connecting_To_Socket_Occurs_Then_Ok_Response_Is_Generated() throws Exception {
- when(request.getPathInfo()).thenReturn("/internal/rtt/0.0.0.0");
- when(request.getRemoteAddr()).thenReturn("135.207.136.128");
- ServletOutputStream outStream = mock(ServletOutputStream.class);
- when(response.getOutputStream()).thenReturn(outStream);
- nodeServlet.doGet(request, response);
- verify(response).setStatus(eq(200));
- }
-
 @Test
 public void Given_Request_Is_HTTP_GET_To_Invalid_Endpoint_Then_Not_Found_Response_Is_Generated() throws Exception {
 when(request.getPathInfo()).thenReturn("/incorrect");