From be5ca2b68e80688677d75e5f688199511745570b Mon Sep 17 00:00:00 2001 From: GuangrongFu Date: Tue, 8 Jun 2021 13:59:18 +0800 Subject: [PATCH] Trying to fix the XSS problem Change-Id: I7cb2604d886dba0c13c5c182c59f7d0991bd3ab6 Issue-ID: HOLMES-453 Signed-off-by: GuangrongFu --- .../utils/transactionid/TransactionIdFilter.java | 41 ++++++++++++---------- .../utils/transactionid/TransactionIdUtils.java | 17 ++++++--- .../transactionid/TransactionIdFilterTest.java | 13 +++++-- .../transactionid/TransactionIdUtilsTest.java | 35 ++++++++++++++++++ 4 files changed, 82 insertions(+), 24 deletions(-) create mode 100644 holmes-actions/src/test/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtilsTest.java diff --git a/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdFilter.java b/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdFilter.java index 3b12399..f72466d 100644 --- a/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdFilter.java +++ b/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdFilter.java @@ -1,12 +1,12 @@ /** - * Copyright 2018 ZTE Corporation. - * + * Copyright 2018 - 2021 ZTE Corporation. + *

* Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * + *

+ * http://www.apache.org/licenses/LICENSE-2.0 + *

* Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -15,15 +15,6 @@ */ package org.onap.holmes.common.utils.transactionid; -import java.io.IOException; -import javax.servlet.Filter; -import javax.servlet.FilterChain; -import javax.servlet.FilterConfig; -import javax.servlet.ServletException; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; import lombok.extern.slf4j.Slf4j; import org.apache.commons.lang3.StringUtils; import org.jvnet.hk2.annotations.Service; @@ -31,6 +22,12 @@ import org.slf4j.MDC; import org.slf4j.Marker; import org.slf4j.MarkerFactory; +import javax.servlet.*; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import java.io.IOException; +import java.util.UUID; + @Service @Slf4j @@ -40,19 +37,21 @@ public class TransactionIdFilter implements Filter { public static final Marker ENTRY = MarkerFactory.getMarker("ENTRY"); public static final Marker EXIT = MarkerFactory.getMarker("EXIT"); + private static final String DEFAULT_REQUEST_ID = UUID.randomUUID().toString(); + static { INVOKE_SYNCHRONOUS = MarkerFactory.getMarker("INVOKE"); INVOKE_SYNCHRONOUS.add(MarkerFactory.getMarker("SYNCHRONOUS")); } @Override - public void init(FilterConfig filterConfig) throws ServletException { + public void init(FilterConfig filterConfig) { } @Override public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, - FilterChain filterChain) throws IOException, ServletException { + FilterChain filterChain) throws IOException, ServletException { HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest; AddHeadersHttpServletRequestWrapper requestWithTransactionId = new AddHeadersHttpServletRequestWrapper( httpServletRequest); @@ -60,10 +59,16 @@ public class TransactionIdFilter implements Filter { String requestID = ensureTransactionIdIsPresent(requestWithTransactionId); HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse; - httpServletResponse.setHeader(TransactionIdUtils.REQUEST_ID_HEADER, requestID); + if (TransactionIdUtils.validate(requestID)) { + httpServletResponse.setHeader(TransactionIdUtils.REQUEST_ID_HEADER, requestID); + } else { + log.warn("A mal-formatted request ID has been detected: {}. It will be replaced by the default ID: {}", + requestID, DEFAULT_REQUEST_ID); + requestID = DEFAULT_REQUEST_ID; + } String invocationID = TransactionIdUtils.getUUID(); - httpServletResponse.setHeader(TransactionIdUtils.INVOCATIONIDID_HEADER,invocationID); + httpServletResponse.setHeader(TransactionIdUtils.INVOCATIONIDID_HEADER, invocationID); MDC.put("RequestID", requestID); MDC.put("InvocationID", invocationID); diff --git a/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtils.java b/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtils.java index be61b92..7d04257 100644 --- a/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtils.java +++ b/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtils.java @@ -1,12 +1,12 @@ /** * Copyright 2018 ZTE Corporation. - * + *

* Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * + *

+ * http://www.apache.org/licenses/LICENSE-2.0 + *

* Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -17,12 +17,21 @@ package org.onap.holmes.common.utils.transactionid; import lombok.extern.slf4j.Slf4j; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + @Slf4j public class TransactionIdUtils { public static final String REQUEST_ID_HEADER = "X-TransactionID"; public static final String INVOCATIONIDID_HEADER = "X-InvocationID"; + private static final Pattern UUID_PATTERN = Pattern.compile("[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}"); public static String getUUID() { return java.util.UUID.randomUUID().toString(); } + + public static boolean validate(String uuid) { + Matcher matcher = UUID_PATTERN.matcher(uuid); + return matcher.matches(); + } } diff --git a/holmes-actions/src/test/java/org/onap/holmes/common/utils/transactionid/TransactionIdFilterTest.java b/holmes-actions/src/test/java/org/onap/holmes/common/utils/transactionid/TransactionIdFilterTest.java index 3ef092e..cfbf747 100644 --- a/holmes-actions/src/test/java/org/onap/holmes/common/utils/transactionid/TransactionIdFilterTest.java +++ b/holmes-actions/src/test/java/org/onap/holmes/common/utils/transactionid/TransactionIdFilterTest.java @@ -1,5 +1,5 @@ /** - * Copyright 2018 ZTE Corporation. + * Copyright 2018 - 2021 ZTE Corporation. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -38,11 +38,13 @@ public class TransactionIdFilterTest { responseMock = EasyMock.createMock(HttpServletResponse.class); chainMock = EasyMock.createMock(FilterChain.class); } + @Test public void callsChainDoFilter() throws Exception { filter.doFilter(requestMock, responseMock, chainMock); EasyMock.verify(); } + @Test public void requestIdExistTest() throws Exception{ String requestID = TransactionIdUtils.getUUID(); @@ -51,8 +53,15 @@ public class TransactionIdFilterTest { EasyMock.replay(requestMock); filter.doFilter(requestMock, responseMock, chainMock); EasyMock.verify(); - } + @Test + public void requestIdInvalidRerquestId() throws Exception{ + String requestID = "TransactionIdUtils.getUUID()"; + EasyMock.expect(requestMock.getHeader(TransactionIdUtils.REQUEST_ID_HEADER)).andReturn(requestID); + EasyMock.replay(requestMock); + filter.doFilter(requestMock, responseMock, chainMock); + EasyMock.verify(); + } } \ No newline at end of file diff --git a/holmes-actions/src/test/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtilsTest.java b/holmes-actions/src/test/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtilsTest.java new file mode 100644 index 0000000..a9684af --- /dev/null +++ b/holmes-actions/src/test/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtilsTest.java @@ -0,0 +1,35 @@ +/** + * Copyright 2021 ZTE Corporation. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.onap.holmes.common.utils.transactionid; + +import org.junit.Test; + +import static org.hamcrest.core.Is.is; +import static org.junit.Assert.assertThat; + +public class TransactionIdUtilsTest { + + @Test + public void validate_is_uuid() { + assertThat(TransactionIdUtils.validate(TransactionIdUtils.getUUID()), is(true)); + } + + @Test + public void validate_not_uuid() { + assertThat(TransactionIdUtils.validate("a-random-string"), is(false)); + } +} \ No newline at end of file -- 2.16.6