Code Review / portal.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: f9a1944)
Don't give user the exact exception description 89/88689/1
authorPiotr Borelowski <p.borelowski@partner.samsung.com>
Fri, 10 May 2019 10:23:48 +0000 (12:23 +0200)
committerKrzysztof Opasiak <k.opasiak@samsung.com>
Tue, 28 May 2019 15:12:04 +0000 (17:12 +0200)
The exact description of the exception especially if related to
cryptography cannot be given to the user as it may be abused by the
attacker.

To fix that, we started to use @ExceptionHandler for all exceptions
in the LoginController as well.

CVE: CVE-2019-12121
Issue-ID: OJSI-92
Change-Id: I100b37ff33d28ebccc2411c3acc62bdb7ce11ca8
Signed-off-by: Piotr Borelowski <p.borelowski@partner.samsung.com>
Reviewed-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Acked-by: Manoop Talasila <talasila@research.att.com>
ecomp-portal-BE-os/src/main/java/org/onap/portalapp/controller/LoginController.java patch | blob | history

diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/controller/LoginController.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/controller/LoginController.java
index 0ba7bdc..56064b9 100644 (file)
--- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/controller/LoginController.java
+++ b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/controller/LoginController.java
@@ -39,6 +39,7 @@ package org.onap.portalapp.controller;
 
 import static com.att.eelf.configuration.Configuration.MDC_KEY_REQUEST_ID;
 
+import java.io.IOException;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLDecoder;
@@ -68,8 +69,10 @@ import org.onap.portalsdk.core.menu.MenuProperties;
 import org.onap.portalsdk.core.util.SystemProperties;
 import org.slf4j.MDC;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpStatus;
 import org.springframework.stereotype.Controller;
 import org.springframework.util.StopWatch;
+import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -409,4 +412,9 @@ public class LoginController extends EPUnRestrictedBaseController implements Log
                this.sharedContextService = sharedContextService;
        }
 
+       @ExceptionHandler(Exception.class)
+       protected void handleBadRequests(Exception e, HttpServletResponse response) throws IOException {
+               logger.warn(EELFLoggerDelegate.errorLogger, "Handling bad request", e);
+               response.sendError(HttpStatus.BAD_REQUEST.value());
+       }
 }
ARCHIVED- 2022-02-15 at the request of the project