From 1e740437488713759c4a7e899c0a23941e4d6062 Mon Sep 17 00:00:00 2001 From: Conor Ward Date: Sat, 15 Sep 2018 10:09:20 +0000 Subject: [PATCH] Fix FeedServlet Vulnerabilities Change-Id: Iba40e2e6825c019c1b3c648b617936c9ab40a666 Signed-off-by: Conor Ward Issue-ID: DMAAP-775 --- .../dmaap/datarouter/provisioning/FeedServlet.java | 101 +++++++++++++-------- 1 file changed, 64 insertions(+), 37 deletions(-) diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/FeedServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/FeedServlet.java index 3f8929e7..d2452e7d 100644 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/FeedServlet.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/FeedServlet.java @@ -30,6 +30,7 @@ import java.io.InvalidObjectException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.json.JSONException; import org.json.JSONObject; import org.onap.dmaap.datarouter.authz.AuthorizationResponse; import org.onap.dmaap.datarouter.provisioning.beans.EventLogRecord; @@ -39,6 +40,8 @@ import org.onap.dmaap.datarouter.provisioning.eelf.EelfMsgs; import com.att.eelf.configuration.EELFLogger; import com.att.eelf.configuration.EELFManager; +import static org.onap.dmaap.datarouter.provisioning.utils.HttpServletUtils.sendResponseError; + /** * This servlet handles provisioning for the <feedURL> which is generated by the provisioning * server to handle a particular feed. It supports DELETE to mark the feed as deleted, 
@@ -59,7 +62,7 @@ public class FeedServlet extends ProxyServlet {
 * document for details on how this method should be invoked.
 */
 @Override
- public void doDelete(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ public void doDelete(HttpServletRequest req, HttpServletResponse resp) {
 setIpAndFqdnForEelf("doDelete");
 eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_FEEDID, req.getHeader(BEHALF_HEADER),getIdFromPath(req)+"");
 EventLogRecord elr = new EventLogRecord(req);
@@ -68,11 +71,15 @@ public class FeedServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_FORBIDDEN);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_FORBIDDEN, message);
+ sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger);
 return;
 }
 if (isProxyServer()) {
- super.doDelete(req, resp);
+ try {
+ super.doDelete(req, resp);
+ } catch (IOException ioe) {
+ eventlogger.error("IOException" + ioe.getMessage());
+ }
 return;
 }
 String bhdr = req.getHeader(BEHALF_HEADER);
@@ -81,7 +88,7 @@ public class FeedServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
 return;
 }
 int feedid = getIdFromPath(req);
@@ -90,7 +97,7 @@ public class FeedServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
 return;
 }
 Feed feed = Feed.getFeedById(feedid);
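Review bot: The new `catch (IOException ioe)` around `super.doDelete(req, resp)` in hunk @@ -68 logs only the message text, discarding the stack trace and cause, and because `doDelete` no longer declares `throws IOException` the container is never told the request failed, so the client may receive whatever partial response was produced with no error status. The concatenation `"IOException" + ioe.getMessage()` also has no separator and prints `IOExceptionnull` when the message is null. If the EELF logger offers a Throwable overload, `eventlogger.error("doDelete proxy request failed: " + ioe.getMessage(), ioe);` keeps the diagnostics, and a guarded `if (!resp.isCommitted()) { sendResponseError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG, eventlogger); }` in the catch would at least tell the client something went wrong. The same pattern appears in doGet (@@ -144), doPut (@@ -211) and around the output-stream writes (@@ -194 and @@ -324); doDelete itself begins and ends outside this hunk.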
@@ -99,7 +106,7 @@ public class FeedServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_NOT_FOUND);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_NOT_FOUND, message);
+ sendResponseError(resp, HttpServletResponse.SC_NOT_FOUND, message, eventlogger);
 return;
 }
 // Check with the Authorizer
@@ -109,7 +116,7 @@ public class FeedServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_FORBIDDEN);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_FORBIDDEN, message);
+ sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger);
 return;
 }
 
@@ -126,7 +133,7 @@ public class FeedServlet extends ProxyServlet {
 // Something went wrong with the UPDATE
 elr.setResult(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG);
+ sendResponseError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG, eventlogger);
 }
 }
 /**
@@ -135,7 +142,7 @@ public class FeedServlet extends ProxyServlet {
 * document for details on how this method should be invoked.
 */
 @Override
- public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ public void doGet(HttpServletRequest req, HttpServletResponse resp) {
 setIpAndFqdnForEelf("doGet");
 eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_FEEDID, req.getHeader(BEHALF_HEADER),getIdFromPath(req)+"");
 EventLogRecord elr = new EventLogRecord(req);
@@ -144,11 +151,15 @@ public class FeedServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_FORBIDDEN);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_FORBIDDEN, message);
+ sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger);
 return;
 }
 if (isProxyServer()) {
- super.doGet(req, resp);
+ try {
+ super.doGet(req, resp);
+ } catch (IOException ioe) {
+ eventlogger.error("IOException" + ioe.getMessage());
+ }
 return;
 }
 String bhdr = req.getHeader(BEHALF_HEADER);
@@ -157,7 +168,7 @@ public class FeedServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
 return;
 }
 int feedid = getIdFromPath(req);
@@ -166,7 +177,7 @@ public class FeedServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
 return;
 }
 Feed feed = Feed.getFeedById(feedid);
@@ -175,7 +186,7 @@ public class FeedServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_NOT_FOUND);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_NOT_FOUND, message);
+ sendResponseError(resp, HttpServletResponse.SC_NOT_FOUND, message, eventlogger);
 return;
 }
 // Check with the Authorizer
@@ -185,7 +196,7 @@ public class FeedServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_FORBIDDEN);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_FORBIDDEN, message);
+ sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger);
 return;
 }
 
@@ -194,7 +205,11 @@ public class FeedServlet extends ProxyServlet {
 eventlogger.info(elr);
 resp.setStatus(HttpServletResponse.SC_OK);
 resp.setContentType(FEEDFULL_CONTENT_TYPE);
- resp.getOutputStream().print(feed.asJSONObject(true).toString());
+ try {
+ resp.getOutputStream().print(feed.asJSONObject(true).toString());
+ } catch (IOException ioe) {
+ eventlogger.error("IOException" + ioe.getMessage());
+ }
 }
 /**
 * PUT on the <feedURL> for a feed.
@@ -202,7 +217,7 @@ public class FeedServlet extends ProxyServlet {
 * document for details on how this method should be invoked.
 */
 @Override
- public void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ public void doPut(HttpServletRequest req, HttpServletResponse resp) {
 setIpAndFqdnForEelf("doPut");
 eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_FEEDID, req.getHeader(BEHALF_HEADER),getIdFromPath(req)+"");
 EventLogRecord elr = new EventLogRecord(req);
@@ -211,11 +226,15 @@ public class FeedServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_FORBIDDEN);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_FORBIDDEN, message);
+ sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger);
 return;
 }
 if (isProxyServer()) {
- super.doPut(req, resp);
+ try {
+ super.doPut(req, resp);
+ } catch (IOException ioe) {
+ eventlogger.error("IOException" + ioe.getMessage());
+ }
 return;
 }
 String bhdr = req.getHeader(BEHALF_HEADER);
@@ -224,7 +243,7 @@ public class FeedServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
 return;
 }
 int feedid = getIdFromPath(req);
@@ -233,7 +252,7 @@ public class FeedServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
 return;
 }
 Feed oldFeed = Feed.getFeedById(feedid);
@@ -242,7 +261,7 @@ public class FeedServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_NOT_FOUND);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_NOT_FOUND, message);
+ sendResponseError(resp, HttpServletResponse.SC_NOT_FOUND, message, eventlogger);
 return;
 }
 // check content type is FEED_CONTENT_TYPE, version 1.0
@@ -253,7 +272,7 @@ public class FeedServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, message);
+ sendResponseError(resp, HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, message, eventlogger);
 return;
 }
 JSONObject jo = getJSONfromInput(req);
@@ -262,7 +281,7 @@ public class FeedServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
 return;
 }
 if (intlogger.isDebugEnabled())
@@ -275,7 +294,7 @@ public class FeedServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
 return;
 }
 feed.setFeedid(feedid);
@@ -287,7 +306,7 @@ public class FeedServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
 return;
 }
 if (!oldFeed.getName().equals(feed.getName())) {
@@ -295,7 +314,7 @@ public class FeedServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
 return;
 }
 if (!oldFeed.getVersion().equals(feed.getVersion())) {
@@ -303,7 +322,7 @@ public class FeedServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_BAD_REQUEST);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
+ sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger);
 return;
 }
 // Check with the Authorizer
@@ -313,7 +332,7 @@ public class FeedServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_FORBIDDEN);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_FORBIDDEN, message);
+ sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger);
 return;
 }
 
@@ -324,15 +343,23 @@ public class FeedServlet extends ProxyServlet { eventlogger.info(elr); resp.setStatus(HttpServletResponse.SC_OK); resp.setContentType(FEEDFULL_CONTENT_TYPE); - resp.getOutputStream().print(feed.asLimitedJSONObject().toString()); + try { + resp.getOutputStream().print(feed.asLimitedJSONObject().toString()); + } catch (IOException ioe) { + eventlogger.error("IOException" + ioe.getMessage()); + } /**Change Owner ship of Feed //Adding for group feature:Rally US708115*/ if (jo.has("changeowner") && subjectgroup != null) { - Boolean changeowner = (Boolean) jo.get("changeowner"); - if (changeowner != null && changeowner.equals(true)) { - feed.setPublisher(req.getHeader(BEHALF_HEADER)); - feed.changeOwnerShip(); + try { + Boolean changeowner = (Boolean) jo.get("changeowner"); + if (changeowner != null && changeowner.equals(true)) { + feed.setPublisher(req.getHeader(BEHALF_HEADER)); + feed.changeOwnerShip(); + } + } catch (JSONException je) { + eventlogger.error("JSONException" + je.getMessage()); } } /***End of change ownership*/ @@ -342,14 +369,14 @@ public class FeedServlet extends ProxyServlet { // Something went wrong with the UPDATE elr.setResult(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG); + sendResponseError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG, eventlogger); } } /** * POST on the <feedURL> -- not supported. */ @Override - public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void doPost(HttpServletRequest req, HttpServletResponse resp) { setIpAndFqdnForEelf("doPost"); eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF, req.getHeader(BEHALF_HEADER)); String message = "POST not allowed for the feedURL."; 
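Review bot: The new `catch (JSONException je)` in hunk @@ -324 does not cover the failure the cast `(Boolean) jo.get("changeowner")` can actually produce: `jo.has("changeowner")` already guarantees the key exists so `get` will not throw, whereas a non-boolean value (a string "true", or a JSON null) raises ClassCastException, which escapes the catch — and it does so after the 200 status and body have already been written to the output stream a few lines above, so the client sees success while the ownership change is silently skipped. Replacing the get/cast and the try/catch with `if (jo.optBoolean("changeowner", false)) {` handles both cases without any exception. The log line `"JSONException" + je.getMessage()` also lacks a separator and discards the exception object; passing `je` as the logger's throwable argument, if the EELF logger offers that overload, keeps the stack trace. doPut begins and ends outside this hunk.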
@@ -357,6 +384,6 @@ public class FeedServlet extends ProxyServlet {
 elr.setMessage(message);
 elr.setResult(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
 eventlogger.info(elr);
- resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, message);
+ sendResponseError(resp, HttpServletResponse.SC_METHOD_NOT_ALLOWED, message, eventlogger);
 }
 }
-- 
2.16.6