From c2a3499c9dd1ca8f531da8b23c06d71e4fecf428 Mon Sep 17 00:00:00 2001 From: Conor Ward Date: Fri, 14 Sep 2018 13:22:18 +0000 Subject: [PATCH] Fix Vulnerabilities in SubscriptionServlet Change-Id: I3ba9192d334a6023756eaac217999b01e598d7cb Signed-off-by: Conor Ward Issue-ID: DMAAP-775 --- .../provisioning/SubscriptionServlet.java | 115 +++++++++++++-------- .../provisioning/utils/HttpServletUtils.java | 38 +++++++ 2 files changed, 110 insertions(+), 43 deletions(-) create mode 100644 datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/HttpServletUtils.java diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscriptionServlet.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscriptionServlet.java index 3294580b..3bfa7507 100644 --- a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscriptionServlet.java +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/SubscriptionServlet.java @@ -44,6 +44,8 @@ import org.onap.dmaap.datarouter.provisioning.eelf.EelfMsgs; import com.att.eelf.configuration.EELFLogger; import com.att.eelf.configuration.EELFManager; +import static org.onap.dmaap.datarouter.provisioning.utils.HttpServletUtils.sendResponseError; + /** * This servlet handles provisioning for the <subscriptionURL> which is generated by the provisioning server to * handle the inspection, modification, and deletion of a particular subscription to a feed. It supports DELETE to @@ -66,7 +68,7 @@ public class SubscriptionServlet extends ProxyServlet { * the Provisioning API document for details on how this method should be invoked. */ @Override - public void doDelete(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void doDelete(HttpServletRequest req, HttpServletResponse resp) { setIpAndFqdnForEelf("doDelete"); eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_SUBID, req.getHeader(BEHALF_HEADER), getIdFromPath(req) + ""); EventLogRecord elr = new EventLogRecord(req); @@ -75,11 +77,15 @@ public class SubscriptionServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_FORBIDDEN); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_FORBIDDEN, message); + sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); return; } if (isProxyServer()) { - super.doDelete(req, resp); + try { + super.doDelete(req, resp); + } catch (IOException ioe) { + eventlogger.error("IOException: " + ioe.getMessage()); + } return; } String bhdr = req.getHeader(BEHALF_HEADER); @@ -88,7 +94,7 @@ public class SubscriptionServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } int subid = getIdFromPath(req); @@ -97,7 +103,7 @@ public class SubscriptionServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } Subscription sub = Subscription.getSubscriptionById(subid); @@ -106,7 +112,7 @@ public class SubscriptionServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_NOT_FOUND); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_NOT_FOUND, message); + sendResponseError(resp, HttpServletResponse.SC_NOT_FOUND, message, eventlogger); return; } // Check with the Authorizer @@ -116,7 +122,7 @@ public class SubscriptionServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_FORBIDDEN); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_FORBIDDEN, message); + sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); return; } @@ -132,7 +138,7 @@ public class SubscriptionServlet extends ProxyServlet { // Something went wrong with the DELETE elr.setResult(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG); + sendResponseError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG, intlogger); } } @@ -142,7 +148,7 @@ public class SubscriptionServlet extends ProxyServlet { * invoked. */ @Override - public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void doGet(HttpServletRequest req, HttpServletResponse resp) { setIpAndFqdnForEelf("doGet"); eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_SUBID, req.getHeader(BEHALF_HEADER), getIdFromPath(req) + ""); EventLogRecord elr = new EventLogRecord(req); @@ -151,11 +157,15 @@ public class SubscriptionServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_FORBIDDEN); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_FORBIDDEN, message); + sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); return; } if (isProxyServer()) { - super.doGet(req, resp); + try { + super.doGet(req, resp); + } catch (IOException ioe) { + eventlogger.error("IOException: " + ioe.getMessage()); + } return; } String bhdr = req.getHeader(BEHALF_HEADER); @@ -164,7 +174,7 @@ public class SubscriptionServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } int subid = getIdFromPath(req); @@ -173,7 +183,7 @@ public class SubscriptionServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } Subscription sub = Subscription.getSubscriptionById(subid); @@ -182,7 +192,7 @@ public class SubscriptionServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_NOT_FOUND); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_NOT_FOUND, message); + sendResponseError(resp, HttpServletResponse.SC_NOT_FOUND, message, eventlogger); return; } // Check with the Authorizer @@ -192,7 +202,7 @@ public class SubscriptionServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_FORBIDDEN); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_FORBIDDEN, message); + sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); return; } @@ -201,7 +211,11 @@ public class SubscriptionServlet extends ProxyServlet { eventlogger.info(elr); resp.setStatus(HttpServletResponse.SC_OK); resp.setContentType(SUBFULL_CONTENT_TYPE); - resp.getOutputStream().print(sub.asJSONObject(true).toString()); + try { + resp.getOutputStream().print(sub.asJSONObject(true).toString()); + } catch (IOException ioe) { + eventlogger.error("IOException: " + ioe.getMessage()); + } } /** @@ -209,7 +223,7 @@ public class SubscriptionServlet extends ProxyServlet { * the Provisioning API document for details on how this method should be invoked. */ @Override - public void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void doPut(HttpServletRequest req, HttpServletResponse resp) { setIpAndFqdnForEelf("doPut"); eelflogger.info(EelfMsgs.MESSAGE_WITH_BEHALF_AND_SUBID, req.getHeader(BEHALF_HEADER), getIdFromPath(req) + ""); EventLogRecord elr = new EventLogRecord(req); @@ -218,11 +232,15 @@ public class SubscriptionServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_FORBIDDEN); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_FORBIDDEN, message); + sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); return; } if (isProxyServer()) { - super.doPut(req, resp); + try { + super.doPut(req, resp); + } catch (IOException ioe) { + eventlogger.error("IOException: " + ioe.getMessage()); + } return; } String bhdr = req.getHeader(BEHALF_HEADER); @@ -231,7 +249,7 @@ public class SubscriptionServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } int subid = getIdFromPath(req); @@ -240,7 +258,7 @@ public class SubscriptionServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } Subscription oldsub = Subscription.getSubscriptionById(subid); @@ -249,7 +267,7 @@ public class SubscriptionServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_NOT_FOUND); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_NOT_FOUND, message); + sendResponseError(resp, HttpServletResponse.SC_NOT_FOUND, message, eventlogger); return; } // Check with the Authorizer @@ -259,7 +277,7 @@ public class SubscriptionServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_FORBIDDEN); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_FORBIDDEN, message); + sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); return; } // check content type is SUB_CONTENT_TYPE, version 1.0 @@ -270,7 +288,7 @@ public class SubscriptionServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, message); + sendResponseError(resp, HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, message, eventlogger); return; } JSONObject jo = getJSONfromInput(req); @@ -279,7 +297,7 @@ public class SubscriptionServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } if (intlogger.isDebugEnabled()) { @@ -293,7 +311,7 @@ public class SubscriptionServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } sub.setSubid(oldsub.getSubid()); @@ -306,7 +324,7 @@ public class SubscriptionServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } @@ -317,14 +335,22 @@ public class SubscriptionServlet extends ProxyServlet { eventlogger.info(elr); resp.setStatus(HttpServletResponse.SC_OK); resp.setContentType(SUBFULL_CONTENT_TYPE); - resp.getOutputStream().print(sub.asLimitedJSONObject().toString()); + try { + resp.getOutputStream().print(sub.asLimitedJSONObject().toString()); + } catch (IOException ioe) { + eventlogger.error("IOException: " + ioe.getMessage()); + } /**Change Owner ship of Subscriber Adding for group feature:Rally US708115*/ if (jo.has("changeowner") && subjectgroup != null) { - Boolean changeowner = (Boolean) jo.get("changeowner"); - if (changeowner != null && changeowner.equals(true)) { - sub.setSubscriber(req.getHeader(BEHALF_HEADER)); - sub.changeOwnerShip(); + try { + Boolean changeowner = (Boolean) jo.get("changeowner"); + if (changeowner != null && changeowner.equals(true)) { + sub.setSubscriber(req.getHeader(BEHALF_HEADER)); + sub.changeOwnerShip(); + } + } catch (JSONException je) { + eventlogger.error("JSONException: " + je.getMessage()); } } /***End of change ownership*/ @@ -334,7 +360,7 @@ public class SubscriptionServlet extends ProxyServlet { // Something went wrong with the UPDATE elr.setResult(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG); + sendResponseError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, DB_PROBLEM_MSG, intlogger); } } @@ -343,7 +369,7 @@ public class SubscriptionServlet extends ProxyServlet { * Schedule section in the Provisioning API document for details on how this method should be invoked. */ @Override - public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void doPost(HttpServletRequest req, HttpServletResponse resp) { // OLD pre-3.0 code // String message = "POST not allowed for the subscriptionURL."; // EventLogRecord elr = new EventLogRecord(req); @@ -360,11 +386,15 @@ public class SubscriptionServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_FORBIDDEN); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_FORBIDDEN, message); + sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); return; } if (isProxyServer()) { - super.doPost(req, resp); + try { + super.doPost(req, resp); + } catch (IOException ioe) { + eventlogger.error("IOException: " + ioe.getMessage()); + } return; } String bhdr = req.getHeader(BEHALF_HEADER); @@ -373,7 +403,7 @@ public class SubscriptionServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } final int subid = getIdFromPath(req); @@ -382,7 +412,7 @@ public class SubscriptionServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } // check content type is SUBCNTRL_CONTENT_TYPE, version 1.0 @@ -393,7 +423,7 @@ public class SubscriptionServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, message); + sendResponseError(resp, HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, message, eventlogger); return; } // Check with the Authorizer @@ -403,7 +433,7 @@ public class SubscriptionServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_FORBIDDEN); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_FORBIDDEN, message); + sendResponseError(resp, HttpServletResponse.SC_FORBIDDEN, message, eventlogger); return; } JSONObject jo = getJSONfromInput(req); @@ -412,7 +442,7 @@ public class SubscriptionServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); return; } try { @@ -434,7 +464,7 @@ public class SubscriptionServlet extends ProxyServlet { elr.setMessage(message); elr.setResult(HttpServletResponse.SC_BAD_REQUEST); eventlogger.info(elr); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, message); + sendResponseError(resp, HttpServletResponse.SC_BAD_REQUEST, message, eventlogger); } } @@ -474,7 +504,6 @@ public class SubscriptionServlet extends ProxyServlet { } } catch (Exception e) { intlogger.warn("Caught exception in SubscriberNotifyThread: " + e); - e.printStackTrace(); } } } diff --git a/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/HttpServletUtils.java b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/HttpServletUtils.java new file mode 100644 index 00000000..ce287f4d --- /dev/null +++ b/datarouter-prov/src/main/java/org/onap/dmaap/datarouter/provisioning/utils/HttpServletUtils.java @@ -0,0 +1,38 @@ +/******************************************************************************* + * ============LICENSE_START================================================== + * * org.onap.dmaap + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * ECOMP is a trademark and service mark of AT&T Intellectual Property. + * * + ******************************************************************************/ +package org.onap.dmaap.datarouter.provisioning.utils; + +import javax.servlet.http.HttpServletResponse; +import java.io.IOException; + +import org.apache.log4j.Logger; + +public class HttpServletUtils { + public static void sendResponseError(HttpServletResponse response, int errorCode, String message, Logger intlogger) { + try { + response.sendError(errorCode, message); + } catch (IOException ioe) { + intlogger.error("IOException" + ioe.getMessage()); + } + } +} -- 2.16.6