Fix Fortify Path Manipulation Issue 39/32439/3
authorguangxingwang <gw1218@att.com>
Wed, 21 Feb 2018 20:09:04 +0000 (14:09 -0600)
committerguangxingwang <gw1218@att.com>
Thu, 22 Feb 2018 17:31:56 +0000 (11:31 -0600)
Fix Fortify path manipulation issue by adding a validation on dictionary
name.

Issue-ID: POLICY-541
Change-Id: I87492b0d80bf96bebfc029d7d164cdd20ca5ef0f
Signed-off-by: guangxingwang <gw1218@att.com>
ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/DisctionaryNames.java [new file with mode: 0644]
ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DictionaryImportController.java
ONAP-PAP-REST/src/test/java/org/onap/policy/pap/xacml/rest/controller/DictionaryImportControllerTest.java [new file with mode: 0644]
ONAP-XACML/src/main/java/org/onap/policy/xacml/std/pap/StdEngine.java

diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/DisctionaryNames.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/DisctionaryNames.java
new file mode 100644 (file)
index 0000000..f0dfa0a
--- /dev/null
@@ -0,0 +1,56 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP-Logging
+ * ================================================================================
+ * Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+
+package org.onap.policy.pap.xacml.rest;
+
+/**
+ * 
+ * MessageCodes contains all the valid Dictionary names
+ *
+ */
+public enum DisctionaryNames {
+       
+       Attribute,
+       ActionPolicyDictionary,
+       OnapName,
+       MSPolicyDictionary,
+       VNFType,
+       VSCLAction,
+       ClosedLoopService,
+       ClosedLoopSite,
+       PEPOptions,
+       VarbindDictionary,
+       BRMSParamDictionary,
+       BRMSControllerDictionary,
+       BRMSDependencyDictionary,
+       Settings,
+       PrefixList,
+       SecurityZone,
+       Zone,
+       ServiceList,
+       ServiceGroup,
+       AddressGroup,
+       ProtocolList,
+       ActionList,
+       TermList,
+       SearchCriteria
+}
+
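Review bot: The Javadoc on the new enum says "MessageCodes contains all the valid Dictionary names", which names a different type than the one it documents; the enum is DisctionaryNames, so the summary should be `/** Valid dictionary names accepted by the dictionary import controller. */`. The type name itself (and the file name) misspells "Dictionary" as "Disctionary", and since DictionaryImportController already imports it in this commit, the misspelling becomes part of the public API and gets harder to correct later. Worth fixing now while the type is new.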
index e2317e4..142f72b 100644 (file)
@@ -36,6 +36,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.compress.utils.IOUtils;
 import org.onap.policy.common.logging.flexlogger.FlexLogger;
 import org.onap.policy.common.logging.flexlogger.Logger;
+import org.onap.policy.pap.xacml.rest.DisctionaryNames;
 import org.onap.policy.rest.dao.CommonClassDao;
 import org.onap.policy.rest.jpa.ActionList;
 import org.onap.policy.rest.jpa.ActionPolicyDict;
@@ -104,6 +105,14 @@ public class DictionaryImportController {
                        response.getWriter().write("Error");
                        return;
                }
+               
+               // fix Fortify Path Manipulation issue
+               if(!isValidDictionaryName(dictionaryName)){
+                       LOGGER.error("dictionaryName is invalid");
+                       response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+                       response.getWriter().write("Error");
+                       return;                 
+               }
                                
                boolean dictionaryImportExists = false;
                try{
@@ -710,4 +719,81 @@ public class DictionaryImportController {
                        response.getWriter().write("Error");
                }
        }
+       
+       public boolean isValidDictionaryName(String dictionaryName){
+               
+               if(dictionaryName.startsWith(DisctionaryNames.Attribute.toString())){
+                       return true;
+               }
+               if(dictionaryName.startsWith(DisctionaryNames.ActionPolicyDictionary.toString())){
+                       return true;
+               }
+               if(dictionaryName.startsWith(DisctionaryNames.OnapName.toString())){
+                       return true;
+               }
+               if(dictionaryName.startsWith(DisctionaryNames.MSPolicyDictionary.toString())){
+                       return true;
+               }
+               if(dictionaryName.startsWith(DisctionaryNames.VNFType.toString())){
+                       return true;
+               }
+               if(dictionaryName.startsWith(DisctionaryNames.VSCLAction.toString())){
+                       return true;
+               }
+               if(dictionaryName.startsWith(DisctionaryNames.ClosedLoopService.toString())){
+                       return true;
+               }
+               if(dictionaryName.startsWith(DisctionaryNames.ClosedLoopSite.toString())){
+                       return true;
+               }
+               if(dictionaryName.startsWith(DisctionaryNames.PEPOptions.toString())){
+                       return true;
+               }
+               if(dictionaryName.startsWith(DisctionaryNames.VarbindDictionary.toString())){
+                       return true;
+               }
+               if(dictionaryName.startsWith(DisctionaryNames.BRMSParamDictionary.toString())){
+                       return true;
+               }
+               if(dictionaryName.startsWith(DisctionaryNames.BRMSControllerDictionary.toString())){
+                       return true;
+               }
+               if(dictionaryName.startsWith(DisctionaryNames.BRMSDependencyDictionary.toString())){
+                       return true;
+               }
+               if(dictionaryName.startsWith(DisctionaryNames.Settings.toString())){
+                       return true;
+               }
+               if(dictionaryName.startsWith(DisctionaryNames.PrefixList.toString())){
+                       return true;
+               }
+               if(dictionaryName.startsWith(DisctionaryNames.SecurityZone.toString())){
+                       return true;
+               }
+               if(dictionaryName.startsWith(DisctionaryNames.Zone.toString())){
+                       return true;
+               }
+               if(dictionaryName.startsWith(DisctionaryNames.ServiceList.toString())){
+                       return true;
+               }
+               if(dictionaryName.startsWith(DisctionaryNames.ServiceGroup.toString())){
+                       return true;
+               }
+               if(dictionaryName.startsWith(DisctionaryNames.AddressGroup.toString())){
+                       return true;
+               }
+               if(dictionaryName.startsWith(DisctionaryNames.ProtocolList.toString())){
+                       return true;
+               }
+               if(dictionaryName.startsWith(DisctionaryNames.ActionList.toString())){
+                       return true;
+               }
+               if(dictionaryName.startsWith(DisctionaryNames.TermList.toString())){
+                       return true;
+               }
+               if(dictionaryName.startsWith(DisctionaryNames.SearchCriteria.toString())){
+                       return true;
+               }
+               return false;
+       }
 }
\ No newline at end of file
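Review bot: isValidDictionaryName accepts any string that merely begins with one of the enum names, so a value made of a valid name followed by any suffix, including path separators, passes the check; the guard added at the call site in the earlier hunk (`if(!isValidDictionaryName(dictionaryName))`) therefore only rejects names with an unrecognised prefix, which leaves the path-manipulation finding this commit targets only partly closed. If dictionaryName is expected to be exactly one of the enum constants (the new test passes the bare value "ActionList"), compare for equality against DisctionaryNames.values(), which also replaces the 24 repeated if-blocks; if a suffix is a legitimate part of the name, list the accepted full forms rather than testing a prefix. A null dictionaryName throws NullPointerException at the first startsWith; unless the check at the top of the calling method (outside this hunk) already rejects null, guard for it here. The rewrite below keeps the public signature unchanged.
```java
	public boolean isValidDictionaryName(String dictionaryName){
		if (dictionaryName == null) {
			return false;
		}
		// exact match against the allow-list; a prefix test would let any suffix through
		for (DisctionaryNames name : DisctionaryNames.values()) {
			if (name.toString().equals(dictionaryName)) {
				return true;
			}
		}
		return false;
	}
```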
diff --git a/ONAP-PAP-REST/src/test/java/org/onap/policy/pap/xacml/rest/controller/DictionaryImportControllerTest.java b/ONAP-PAP-REST/src/test/java/org/onap/policy/pap/xacml/rest/controller/DictionaryImportControllerTest.java
new file mode 100644 (file)
index 0000000..e8d602c
--- /dev/null
@@ -0,0 +1,52 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP-PAP-REST
+ * ================================================================================
+ * Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.policy.pap.xacml.rest.controller;
+
+import static org.junit.Assert.assertTrue;
+import org.onap.policy.pap.xacml.rest.controller.DictionaryImportController;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.onap.policy.common.logging.flexlogger.FlexLogger;
+import org.onap.policy.common.logging.flexlogger.Logger;
+
+public class DictionaryImportControllerTest {
+       
+       private static Logger logger = FlexLogger.getLogger(DictionaryImportController.class);
+
+       @Before
+       public void setUp() throws Exception {
+               logger.info("setUp: Entering");
+       }
+       
+       @Test
+       public void testIsValidDictionaryName(){
+               DictionaryImportController cotroller = new DictionaryImportController();
+               //test invalid name
+               assertTrue(!cotroller.isValidDictionaryName("wrong-name"));
+               //test valid name
+               assertTrue(cotroller.isValidDictionaryName("ActionList"));
+       }
+       
+       @After
+        public void destroy(){
+
+        }
+}
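Review bot: The negative case in testIsValidDictionaryName is written as `assertTrue(!cotroller.isValidDictionaryName("wrong-name"));`, which gives an unhelpful failure message; use `assertFalse(controller.isValidDictionaryName("wrong-name"));` (and rename the misspelled local `cotroller`). The two cases only cover an exact valid name and a name with no valid prefix, so they cannot distinguish an exact-match check from the prefix check the implementation actually performs; add a case with a valid name followed by extra characters, e.g. `"ActionList/x"`, asserting whichever contract the validator is meant to enforce, and a null input. The empty `@After destroy()` method and the unused static `logger` add nothing and can be dropped.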
index 273383a..ca2271a 100644 (file)
@@ -349,7 +349,7 @@ public class StdEngine extends StdPDPItemSetChangeNotifier implements PAPPolicyE
                                        props.store(os, "");
                                }
                        } catch (IOException e) {
-                               PolicyLogger.error(MessageCodes.EXCEPTION_ERROR, e, "StdEngine", "Failed to create " + policyProperties);
+                               PolicyLogger.error(MessageCodes.EXCEPTION_ERROR, e, "StdEngine", "Failed to create policyProperties");
                                throw new PAPException("Failed to create " + id);
                        }
                }
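Review bot: The new literal `"Failed to create policyProperties"` embeds the Java variable name rather than describing what failed, which reads as a leftover of removing the concatenation; `"Failed to create the policy properties file"` says the same thing to an operator. The IOException `e` is still passed to PolicyLogger.error, so if its message names the path the logger may still emit it; worth confirming that this change actually achieves the intended removal of the path from the log output. The same applies to the pipProperties message in the following hunk.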
@@ -368,7 +368,7 @@ public class StdEngine extends StdPDPItemSetChangeNotifier implements PAPPolicyE
                                        props.store(os, "");
                                }
                        } catch (IOException e) {
-                               PolicyLogger.error(MessageCodes.ERROR_DATA_ISSUE, e, "StdEngine", "Failed to create " + pipProperties);
+                               PolicyLogger.error(MessageCodes.ERROR_DATA_ISSUE, e, "StdEngine", "Failed to create pipProperties");
                                throw new PAPException("Failed to create " + id);
                        }