From: Manoop Talasila Date: Thu, 30 May 2019 14:46:41 +0000 (+0000) Subject: Merge changes I1c586793,I47249407,Idad22dea,I5c3bee06,I5cb96956 X-Git-Tag: 3.2.0~307 X-Git-Url: https://gerrit.onap.org/r/gitweb?p=portal.git;a=commitdiff_plain;h=40c8f073970f3664786d1bb4d4c69ed3f57b8b45;hp=8514f4a449cf3b06b4f515b1c6754c82abbfc5b6 Merge changes I1c586793,I47249407,Idad22dea,I5c3bee06,I5cb96956 * changes: Document OJSI-190 vulnerability Document OJSI-174 (CVE-2019-12318) vulnerability Document OJSI-92 (CVE-2019-12121) vulnerability Document OJSI-65 (CVE-2019-1212) vulnerability Document OJSI-15 (CVE-2019-12317) vulnerability --- diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/controller/LoginController.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/controller/LoginController.java index 0ba7bdc6..56064b99 100644 --- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/controller/LoginController.java +++ b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/controller/LoginController.java @@ -39,6 +39,7 @@ package org.onap.portalapp.controller; import static com.att.eelf.configuration.Configuration.MDC_KEY_REQUEST_ID; +import java.io.IOException; import java.net.MalformedURLException; import java.net.URL; import java.net.URLDecoder; @@ -68,8 +69,10 @@ import org.onap.portalsdk.core.menu.MenuProperties; import org.onap.portalsdk.core.util.SystemProperties; import org.slf4j.MDC; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.http.HttpStatus; import org.springframework.stereotype.Controller; import org.springframework.util.StopWatch; +import org.springframework.web.bind.annotation.ExceptionHandler; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.ResponseBody; @@ -409,4 +412,9 @@ public class LoginController extends EPUnRestrictedBaseController implements Log this.sharedContextService = sharedContextService; } + @ExceptionHandler(Exception.class) + protected void handleBadRequests(Exception e, HttpServletResponse response) throws IOException { + logger.warn(EELFLoggerDelegate.errorLogger, "Handling bad request", e); + response.sendError(HttpStatus.BAD_REQUEST.value()); + } } diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java index 25eee828..703019f9 100644 --- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java +++ b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java @@ -1,9 +1,9 @@ - /*- * ============LICENSE_START========================================== * ONAP Portal * =================================================================== * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * Modifications Copyright (c) 2019 Samsung * =================================================================== * * Unless otherwise specified, all software contained herein is licensed @@ -36,6 +36,7 @@ * * */ + package org.onap.portalapp.filter; import java.io.BufferedReader; @@ -48,7 +49,6 @@ import java.util.Enumeration; import javax.servlet.FilterChain; import javax.servlet.ReadListener; -import javax.servlet.ServletException; import javax.servlet.ServletInputStream; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; @@ -62,7 +62,7 @@ import org.springframework.web.filter.OncePerRequestFilter; public class SecurityXssFilter extends OncePerRequestFilter { - private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssFilter.class); + private EELFLoggerDelegate sxLogger = EELFLoggerDelegate.getLogger(SecurityXssFilter.class); private static final String APPLICATION_JSON = "application/json"; @@ -120,40 +120,47 @@ public class SecurityXssFilter extends OncePerRequestFilter { @Override public void setReadListener(ReadListener readListener) { - + // do nothing } - } } @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) - throws ServletException, IOException { + throws IOException { StringBuilder requestURL = new StringBuilder(request.getRequestURL().toString()); - String queryString = request.getQueryString(); - String requestUrl = ""; - if (queryString == null) { - requestUrl = requestURL.toString(); - } else { - requestUrl = requestURL.append('?').append(queryString).toString(); - } - validateRequest(requestUrl, response); + String queryString = request.getQueryString(); + String requestUrl; + + if (queryString == null) { + requestUrl = requestURL.toString(); + } else { + requestUrl = requestURL.append('?').append(queryString).toString(); + } + + validateRequest(requestUrl, response); StringBuilder headerValues = new StringBuilder(); Enumeration headerNames = request.getHeaderNames(); + while (headerNames.hasMoreElements()) { - String key = (String) headerNames.nextElement(); + String key = headerNames.nextElement(); String value = request.getHeader(key); headerValues.append(value); } + validateRequest(headerValues.toString(), response); + if (validateRequestType(request)) { request = new RequestWrapper(request); String requestData = IOUtils.toString(request.getInputStream(), StandardCharsets.UTF_8.toString()); validateRequest(requestData, response); - filterChain.doFilter(request, response); + } - } else { + try { filterChain.doFilter(request, response); + } catch (Exception e) { + sxLogger.warn(EELFLoggerDelegate.errorLogger, "Handling bad request", e); + response.sendError(org.springframework.http.HttpStatus.BAD_REQUEST.value(), "Handling bad request"); } } @@ -171,9 +178,8 @@ public class SecurityXssFilter extends OncePerRequestFilter { throw new SecurityException(ERROR_BAD_REQUEST); } } catch (Exception e) { - logger.error(EELFLoggerDelegate.errorLogger, "doFilterInternal() failed due to BAD_REQUEST", e); + sxLogger.error(EELFLoggerDelegate.errorLogger, "doFilterInternal() failed due to BAD_REQUEST", e); response.getWriter().close(); - return; } } -} \ No newline at end of file +}