From bbd56ec8187ce2a072b574b90ea0906d8ec0a140 Mon Sep 17 00:00:00 2001
From: eramkve
Date: Fri, 23 Mar 2018 14:29:02 +0000
Subject: [PATCH] Fix final 10 vulnerabilities in policy/engine

Code fixes for final 10 vulnerabilities in policy/engine

Change-Id: I234194b596bdacd5f3f9fd1becd4da9d6d0b5cf4
Issue-ID: POLICY-662
Signed-off-by: eramkve
---
 .../policy/pap/xacml/rest/XACMLPapServlet.java | 56 +++++++++++++---------
 .../ActionPolicyDictionaryController.java | 2 +-
 .../rest/controller/BRMSDictionaryController.java | 2 +-
 .../controller/ClosedLoopDictionaryController.java | 2 +-
 .../DecisionPolicyDictionaryController.java | 2 +-
 .../DescriptiveDictionaryController.java | 2 +-
 .../rest/controller/DictionaryController.java | 2 +-
 .../controller/FirewallDictionaryController.java | 2 +-
 .../MicroServiceDictionaryController.java | 2 +-
 .../PolicyScopeDictionaryController.java | 2 +-
 .../rest/controller/SafePolicyController.java | 2 +-
 .../pap/xacml/rest/util/DictionaryUtils.java | 4 +-
 12 files changed, 46 insertions(+), 34 deletions(-)

diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/XACMLPapServlet.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/XACMLPapServlet.java
index 9564acc25..a30c9c7ec 100644
--- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/XACMLPapServlet.java
+++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/XACMLPapServlet.java
@@ -792,7 +792,6 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
 } else {
 PolicyLogger.info("requestID was provided in call to XACMLPapSrvlet (doGet)");
 }
- try {
 loggingContext.metricStarted();
 XACMLRest.dumpRequest(request);
 loggingContext.metricEnded();
@@ -907,7 +906,18 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
 request.getRemoteHost().equals(request.getLocalAddr())) {
 // Return status information - basically all the groups
 loggingContext.setServiceName("PAP.getGroups");
- Set groups = papEngine.getOnapPDPGroups();
+ Set groups = null;
+ try {
+ groups = papEngine.getOnapPDPGroups();
+ } catch(PAPException e) {
+ LOGGER.debug(e);
+ PolicyLogger.error(MessageCodes.ERROR_UNKNOWN, e, "XACMLPapServlet", " GET exception");
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Failed - See Error.log");
+ setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
+ im.endTransaction();
+ return;
+ }
 // convert response object to JSON and include in the response
 mapperWriteValue(new ObjectMapper(), response, groups);
 response.setHeader("content-type", "application/json");
@@ -984,15 +994,6 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
 PolicyLogger.audit("Transaction Failed - See Error.log");
 setResponseError(response,HttpServletResponse.SC_NOT_FOUND, message);
 }
- } catch (PAPException e) {
- LOGGER.debug(e);
- PolicyLogger.error(MessageCodes.ERROR_UNKNOWN, e, "XACMLPapServlet", " GET exception");
- loggingContext.transactionEnded();
- PolicyLogger.audit("Transaction Failed - See Error.log");
- setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
- im.endTransaction();
- return;
- }
 loggingContext.transactionEnded();
 PolicyLogger.audit("Transaction Ended");
 im.endTransaction();
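Review bot: The new `catch(PAPException e)` in the -907 hunk, and the parallel one in the -1892 hunk, writes `e.getMessage()` into the 500 response body, so whatever text the engine puts in the exception reaches the HTTP caller; the detail is already recorded by `PolicyLogger.error`, so the response could carry a fixed string instead, e.g. `setResponseError(response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Unable to retrieve PDP groups");`. The removed outer catch did the same, so this is carried over rather than introduced, but narrowing the try is the natural moment to tidy it. A smaller point of style: `Set groups = null;` exists only to satisfy definite assignment and keeps the raw type; declaring the set with its element type and either assigning it inside the try or moving the `mapperWriteValue` call into the try reads more clearly. The enclosing doGet body starts before and ends after this hunk.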
@@ -1892,7 +1893,16 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
 } else {
 // request is for top-level properties about all groups
 loggingContext.setServiceName("AC:PAP.getAllGroups");
- Set groups = papEngine.getOnapPDPGroups();
+ Set groups = null;
+ try {
+ groups = papEngine.getOnapPDPGroups();
+ } catch(PAPException e) {
+ PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XACMLPapServlet", " AC Get exception");
+ loggingContext.transactionEnded();
+ PolicyLogger.audit("Transaction Failed - See Error.log");
+ setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
+ return;
+ }
 // convert response object to JSON and include in the response
 mapperWriteValue(new ObjectMapper(), response, groups);
 if (LOGGER.isDebugEnabled()) {
@@ -2039,7 +2049,12 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList
 LOGGER.info("JSON request from AC: " + json);
 // convert Object sent as JSON into local object
 ObjectMapper mapper = new ObjectMapper();
- Object objectFromJSON = mapper.readValue(json, StdPDP.class);
+ Object objectFromJSON = null;
+ try {
+ objectFromJSON = mapper.readValue(json, StdPDP.class);
+ } catch(Exception e) {
+ LOGGER.error(e);
+ }
 if (pdpId == null ||
 objectFromJSON == null ||
 ! (objectFromJSON instanceof StdPDP) ||
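Review bot: `catch(Exception e) { LOGGER.error(e); }` around `mapper.readValue` in the -2039 hunk, and again in the -2144 hunk, is wider than the `IOException | JsonException` catch it replaces, so an unexpected runtime failure inside the parser is logged and then reported to the client as bad input rather than as a server error; `catch(IOException e)` keeps the original scope, since the String-taking readValue overload declares that type. More importantly, the catch deleted in the -2209 hunk also called `acPutTransaction.rollbackTransaction()` before responding, and nothing in the new catch does, so unless the `objectFromJSON == null` branch that follows rolls back, a request whose body fails to parse now leaves that transaction open. I cannot see that branch from here, so please confirm it rolls back, or add the rollback call inside the new catch. The enclosing method starts before and ends after this hunk.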
@@ -2144,7 +2159,12 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList LOGGER.info("JSON request from AC: " + json); // convert Object sent as JSON into local object ObjectMapper mapper = new ObjectMapper(); - Object objectFromJSON = mapper.readValue(json, StdPDPGroup.class); + Object objectFromJSON = null; + try { + objectFromJSON = mapper.readValue(json, StdPDPGroup.class); + } catch(Exception e) { + LOGGER.error(e); + } if (objectFromJSON == null || ! (objectFromJSON instanceof StdPDPGroup) || ! ((StdPDPGroup)objectFromJSON).getId().equals(group.getId())) { PolicyLogger.error(MessageCodes.ERROR_DATA_ISSUE + " Group update had bad input. id=" + group.getId() + " objectFromJSON="+objectFromJSON); @@ -2209,14 +2229,6 @@ public class XACMLPapServlet extends HttpServlet implements StdItemSetChangeList PolicyLogger.audit("Transaction Failed - See Error.log"); setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage()); return; - } catch (IOException | JsonException e) { - LOGGER.debug(e); - acPutTransaction.rollbackTransaction(); - PolicyLogger.error(MessageCodes.ERROR_PROCESS_FLOW, e, "XACMLPapServlet", " AC PUT exception"); - loggingContext.transactionEnded(); - PolicyLogger.audit("Transaction Failed - See Error.log"); - setResponseError(response,HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage()); - return; } } diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/ActionPolicyDictionaryController.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/ActionPolicyDictionaryController.java index 3d275c3d9..59a7ed312 100644 --- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/ActionPolicyDictionaryController.java +++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/ActionPolicyDictionaryController.java 
@@ -64,7 +64,7 @@ public class ActionPolicyDictionaryController { } private DictionaryUtils getDictionaryUtilsInstance(){ - return DictionaryUtils.dictionaryUtils != null ? DictionaryUtils.getDictionaryUtils() : new DictionaryUtils(); + return DictionaryUtils.getDictionaryUtils(); } @RequestMapping(value={"/get_ActionPolicyDictDataByName"}, method={RequestMethod.GET} , produces=MediaType.APPLICATION_JSON_VALUE) diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/BRMSDictionaryController.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/BRMSDictionaryController.java index f07ca3478..0ab5cf935 100644 --- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/BRMSDictionaryController.java +++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/BRMSDictionaryController.java @@ -91,7 +91,7 @@ public class BRMSDictionaryController{ } private DictionaryUtils getDictionaryUtilsInstance(){ - return DictionaryUtils.dictionaryUtils != null ? DictionaryUtils.getDictionaryUtils() : new DictionaryUtils(); + return DictionaryUtils.getDictionaryUtils(); } @RequestMapping(value={"/get_BRMSParamDataByName"}, method={RequestMethod.GET} , produces=MediaType.APPLICATION_JSON_VALUE) diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/ClosedLoopDictionaryController.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/ClosedLoopDictionaryController.java index 2b0556716..5d28c82e7 100644 --- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/ClosedLoopDictionaryController.java +++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/ClosedLoopDictionaryController.java 
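Review bot: `getDictionaryUtilsInstance()` in this hunk, and the identical method in the BRMS, ClosedLoop, DecisionPolicy, Descriptive, Dictionary, Firewall, MicroService, PolicyScope and SafePolicy controller hunks, is now a one-line pass-through to `DictionaryUtils.getDictionaryUtils()`, so ten controllers carry the same trivial wrapper with nothing left to explain why. If the indirection is kept as a seam for tests to substitute a `DictionaryUtils`, a short comment would keep the next reader from inlining it, e.g. `// Kept as an override point for tests; the null fallback now lives in DictionaryUtils.getDictionaryUtils().`; otherwise the wrappers could be dropped and callers use the static getter directly. I cannot see how the tests reach these controllers, so this is a question rather than a request.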
@@ -89,7 +89,7 @@ public class ClosedLoopDictionaryController{ } private DictionaryUtils getDictionaryUtilsInstance(){ - return DictionaryUtils.dictionaryUtils != null ? DictionaryUtils.getDictionaryUtils() : new DictionaryUtils(); + return DictionaryUtils.getDictionaryUtils(); } @RequestMapping(value={"/get_VSCLActionDataByName"}, method={RequestMethod.GET} , produces=MediaType.APPLICATION_JSON_VALUE) diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DecisionPolicyDictionaryController.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DecisionPolicyDictionaryController.java index 9b79303fa..6e68d78d9 100644 --- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DecisionPolicyDictionaryController.java +++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DecisionPolicyDictionaryController.java @@ -66,7 +66,7 @@ public class DecisionPolicyDictionaryController { } private DictionaryUtils getDictionaryUtilsInstance(){ - return DictionaryUtils.dictionaryUtils != null ? DictionaryUtils.getDictionaryUtils() : new DictionaryUtils(); + return DictionaryUtils.getDictionaryUtils(); } @RequestMapping(value={"/get_SettingsDictionaryDataByName"}, method={RequestMethod.GET} , produces=MediaType.APPLICATION_JSON_VALUE) diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DescriptiveDictionaryController.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DescriptiveDictionaryController.java index 364a4f73a..db710961f 100644 --- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DescriptiveDictionaryController.java +++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DescriptiveDictionaryController.java 
@@ -65,7 +65,7 @@ public class DescriptiveDictionaryController { } private DictionaryUtils getDictionaryUtilsInstance(){ - return DictionaryUtils.dictionaryUtils != null ? DictionaryUtils.getDictionaryUtils() : new DictionaryUtils(); + return DictionaryUtils.getDictionaryUtils(); } @RequestMapping(value={"/get_DescriptiveScopeByName"}, method={RequestMethod.GET} , produces=MediaType.APPLICATION_JSON_VALUE) diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DictionaryController.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DictionaryController.java index 7e30635f9..0b7693c6f 100644 --- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DictionaryController.java +++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DictionaryController.java @@ -69,7 +69,7 @@ public class DictionaryController { } private DictionaryUtils getDictionaryUtilsInstance(){ - return DictionaryUtils.dictionaryUtils != null ? DictionaryUtils.getDictionaryUtils() : new DictionaryUtils(); + return DictionaryUtils.getDictionaryUtils(); } @RequestMapping(value={"/get_AttributeDatabyAttributeName"}, method={RequestMethod.GET} , produces=MediaType.APPLICATION_JSON_VALUE) diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/FirewallDictionaryController.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/FirewallDictionaryController.java index d02cbca73..bd1fb0e32 100644 --- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/FirewallDictionaryController.java +++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/FirewallDictionaryController.java 
@@ -113,7 +113,7 @@ public class FirewallDictionaryController { } private DictionaryUtils getDictionaryUtilsInstance(){ - return DictionaryUtils.dictionaryUtils != null ? DictionaryUtils.getDictionaryUtils() : new DictionaryUtils(); + return DictionaryUtils.getDictionaryUtils(); } @RequestMapping(value={"/get_PrefixListDataByName"}, method={RequestMethod.GET} , produces=MediaType.APPLICATION_JSON_VALUE) diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/MicroServiceDictionaryController.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/MicroServiceDictionaryController.java index 20e75a08b..becf5adf7 100644 --- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/MicroServiceDictionaryController.java +++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/MicroServiceDictionaryController.java @@ -92,7 +92,7 @@ public class MicroServiceDictionaryController { } private DictionaryUtils getDictionaryUtilsInstance(){ - return DictionaryUtils.dictionaryUtils != null ? DictionaryUtils.getDictionaryUtils() : new DictionaryUtils(); + return DictionaryUtils.getDictionaryUtils(); } @Autowired diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/PolicyScopeDictionaryController.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/PolicyScopeDictionaryController.java index 40c9d7269..fd3d2f641 100644 --- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/PolicyScopeDictionaryController.java +++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/PolicyScopeDictionaryController.java @@ -71,7 +71,7 @@ public class PolicyScopeDictionaryController { } private DictionaryUtils getDictionaryUtilsInstance(){ - return DictionaryUtils.dictionaryUtils != null ? DictionaryUtils.getDictionaryUtils() : new DictionaryUtils(); + return DictionaryUtils.getDictionaryUtils(); } @Autowired 
diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/SafePolicyController.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/SafePolicyController.java index 23450cbbe..209ba4f45 100644 --- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/SafePolicyController.java +++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/SafePolicyController.java @@ -66,7 +66,7 @@ public class SafePolicyController { } private DictionaryUtils getDictionaryUtilsInstance(){ - return DictionaryUtils.dictionaryUtils != null ? DictionaryUtils.getDictionaryUtils() : new DictionaryUtils(); + return DictionaryUtils.getDictionaryUtils(); } @RequestMapping(value = { "/get_RiskTypeDataByName" }, method = {RequestMethod.GET }, produces = MediaType.APPLICATION_JSON_VALUE) diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/util/DictionaryUtils.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/util/DictionaryUtils.java index e18595956..5610577a9 100644 --- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/util/DictionaryUtils.java +++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/util/DictionaryUtils.java @@ -58,10 +58,10 @@ public class DictionaryUtils { private static CommonClassDao commonClassDao; - public static DictionaryUtils dictionaryUtils; + private static DictionaryUtils dictionaryUtils; public static synchronized DictionaryUtils getDictionaryUtils() { - return dictionaryUtils; + return dictionaryUtils != null ? dictionaryUtils : new DictionaryUtils(); } public static synchronized void setDictionaryUtils(DictionaryUtils dictionaryUtils) { -- 2.16.6
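Review bot: `getDictionaryUtils()` in the -58 hunk returns `new DictionaryUtils()` on every call while the static field is unset and never stores it, so callers that reach the getter before `setDictionaryUtils` runs get a fresh instance each time rather than a singleton. If a lazily created singleton is the intent, assign it inside the already synchronized method, `dictionaryUtils = new DictionaryUtils();`, and return the field; if the fresh-instance behaviour is deliberate, say so in a Javadoc line on the getter. Either way the getter can no longer return null, which is worth stating in its Javadoc because the controller hunks in this commit dropped their own null checks on that basis. The class continues outside this hunk, so I cannot see whether the no-arg constructor does work that makes repeated construction costly.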