Merge "JUnit additions for ONAP-PAP-REST xacml.rest"
diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/DisctionaryNames.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/DisctionaryNames.java
new file mode 100644
index 0000000..f0dfa0a
--- /dev/null
+++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/DisctionaryNames.java
@@ -0,0 +1,56 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP-Logging
+ * ================================================================================
+ * Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+
+package org.onap.policy.pap.xacml.rest;
+
+/**
+ * 
+ * MessageCodes contains all the valid Dictionary names
+ *
+ */
+public enum DisctionaryNames {
+	
+	Attribute,
+	ActionPolicyDictionary,
+	OnapName,
+	MSPolicyDictionary,
+	VNFType,
+	VSCLAction,
+	ClosedLoopService,
+	ClosedLoopSite,
+	PEPOptions,
+	VarbindDictionary,
+	BRMSParamDictionary,
+	BRMSControllerDictionary,
+	BRMSDependencyDictionary,
+	Settings,
+	PrefixList,
+	SecurityZone,
+	Zone,
+	ServiceList,
+	ServiceGroup,
+	AddressGroup,
+	ProtocolList,
+	ActionList,
+	TermList,
+	SearchCriteria
+}
+
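Review bot: The class Javadoc on this new enum is a copy-paste leftover — it says `MessageCodes contains all the valid Dictionary names`, while the type is `DisctionaryNames` (itself a misspelling of Dictionary, and the license header names `ONAP-Logging` rather than ONAP-PAP-REST). Since `DictionaryImportController.isValidDictionaryName` in this same diff uses these constants as the allowlist behind a Fortify path-manipulation check, the doc should say so explicitly: `/** Allowlist of dictionary names the import endpoint accepts; a request whose dictionaryName is not one of these constants is rejected with 400. */`. Renaming the type to `DictionaryNames` is a public-API change, so it is cheapest to do now while the file is new and only this commit references it.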
diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DictionaryImportController.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DictionaryImportController.java
index e2317e4..142f72b 100644
--- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DictionaryImportController.java
+++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/controller/DictionaryImportController.java
@@ -36,6 +36,7 @@
 import org.apache.commons.compress.utils.IOUtils;
 import org.onap.policy.common.logging.flexlogger.FlexLogger;
 import org.onap.policy.common.logging.flexlogger.Logger;
+import org.onap.policy.pap.xacml.rest.DisctionaryNames;
 import org.onap.policy.rest.dao.CommonClassDao;
 import org.onap.policy.rest.jpa.ActionList;
 import org.onap.policy.rest.jpa.ActionPolicyDict;
@@ -104,6 +105,14 @@
 			response.getWriter().write("Error");
 			return;
 		}
+		
+		// fix Fortify Path Manipulation issue
+		if(!isValidDictionaryName(dictionaryName)){
+			LOGGER.error("dictionaryName is invalid");
+			response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+			response.getWriter().write("Error");
+			return;			
+		}
 				
 		boolean dictionaryImportExists = false;
 		try{
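Review bot: The new guard only silences the Fortify finding rather than fixing it, because `isValidDictionaryName` (added further down in this diff) uses `startsWith`, so a value such as `Attribute/../../x` or `ActionListAnything` passes the check and reaches whatever file handling follows. The comparison should be an exact match against the enum constants (`equals`, or a `valueOf` lookup), not a prefix match; the one-line intent comment here could then read `// Fortify Path Manipulation: dictionaryName must exactly match a DisctionaryNames constant`. The enclosing method's signature and its first guard are outside the hunk, so I cannot tell whether `dictionaryName` is already null-checked; if it is not, `startsWith` throws NullPointerException before this guard can return 400.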
@@ -710,4 +719,81 @@
 			response.getWriter().write("Error");
 		}
 	}
+	
+	public boolean isValidDictionaryName(String dictionaryName){
+		
+		if(dictionaryName.startsWith(DisctionaryNames.Attribute.toString())){
+			return true;
+		}
+		if(dictionaryName.startsWith(DisctionaryNames.ActionPolicyDictionary.toString())){
+			return true;
+		}
+		if(dictionaryName.startsWith(DisctionaryNames.OnapName.toString())){
+			return true;
+		}
+		if(dictionaryName.startsWith(DisctionaryNames.MSPolicyDictionary.toString())){
+			return true;
+		}
+		if(dictionaryName.startsWith(DisctionaryNames.VNFType.toString())){
+			return true;
+		}
+		if(dictionaryName.startsWith(DisctionaryNames.VSCLAction.toString())){
+			return true;
+		}
+		if(dictionaryName.startsWith(DisctionaryNames.ClosedLoopService.toString())){
+			return true;
+		}
+		if(dictionaryName.startsWith(DisctionaryNames.ClosedLoopSite.toString())){
+			return true;
+		}
+		if(dictionaryName.startsWith(DisctionaryNames.PEPOptions.toString())){
+			return true;
+		}
+		if(dictionaryName.startsWith(DisctionaryNames.VarbindDictionary.toString())){
+			return true;
+		}
+		if(dictionaryName.startsWith(DisctionaryNames.BRMSParamDictionary.toString())){
+			return true;
+		}
+		if(dictionaryName.startsWith(DisctionaryNames.BRMSControllerDictionary.toString())){
+			return true;
+		}
+		if(dictionaryName.startsWith(DisctionaryNames.BRMSDependencyDictionary.toString())){
+			return true;
+		}
+		if(dictionaryName.startsWith(DisctionaryNames.Settings.toString())){
+			return true;
+		}
+		if(dictionaryName.startsWith(DisctionaryNames.PrefixList.toString())){
+			return true;
+		}
+		if(dictionaryName.startsWith(DisctionaryNames.SecurityZone.toString())){
+			return true;
+		}
+		if(dictionaryName.startsWith(DisctionaryNames.Zone.toString())){
+			return true;
+		}
+		if(dictionaryName.startsWith(DisctionaryNames.ServiceList.toString())){
+			return true;
+		}
+		if(dictionaryName.startsWith(DisctionaryNames.ServiceGroup.toString())){
+			return true;
+		}
+		if(dictionaryName.startsWith(DisctionaryNames.AddressGroup.toString())){
+			return true;
+		}
+		if(dictionaryName.startsWith(DisctionaryNames.ProtocolList.toString())){
+			return true;
+		}
+		if(dictionaryName.startsWith(DisctionaryNames.ActionList.toString())){
+			return true;
+		}
+		if(dictionaryName.startsWith(DisctionaryNames.TermList.toString())){
+			return true;
+		}
+		if(dictionaryName.startsWith(DisctionaryNames.SearchCriteria.toString())){
+			return true;
+		}
+		return false;
+	}
 }
\ No newline at end of file
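Review bot: `isValidDictionaryName` returns true for anything that merely begins with an enum name — `ActionList/../x` is accepted — and the 24 near-identical `if` blocks are the wrong shape for an allowlist: each new `DisctionaryNames` constant needs another copy, and a forgotten copy silently rejects a valid dictionary. Iterating `DisctionaryNames.values()` with `equals` fixes both, and gives a natural place for a null/empty guard, since the current body throws NullPointerException on null instead of returning false. If callers legitimately pass a suffix (a file extension, say), strip it before the check rather than widening the match. The method is public and undocumented; add `/** Returns true only when dictionaryName exactly matches one of the {@link DisctionaryNames} constants; null, empty and unknown names are rejected. */`.
```java
	public boolean isValidDictionaryName(String dictionaryName){
		if (dictionaryName == null || dictionaryName.isEmpty()) {
			return false;
		}
		// Exact match only: a prefix match would let "ActionList/../x" through.
		for (DisctionaryNames name : DisctionaryNames.values()) {
			if (name.toString().equals(dictionaryName)) {
				return true;
			}
		}
		return false;
	}
```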
diff --git a/ONAP-PAP-REST/src/test/java/org/onap/policy/pap/xacml/rest/controller/DictionaryImportControllerTest.java b/ONAP-PAP-REST/src/test/java/org/onap/policy/pap/xacml/rest/controller/DictionaryImportControllerTest.java
new file mode 100644
index 0000000..e8d602c
--- /dev/null
+++ b/ONAP-PAP-REST/src/test/java/org/onap/policy/pap/xacml/rest/controller/DictionaryImportControllerTest.java
@@ -0,0 +1,52 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP-PAP-REST
+ * ================================================================================
+ * Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.policy.pap.xacml.rest.controller;
+
+import static org.junit.Assert.assertTrue;
+import org.onap.policy.pap.xacml.rest.controller.DictionaryImportController;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.onap.policy.common.logging.flexlogger.FlexLogger;
+import org.onap.policy.common.logging.flexlogger.Logger;
+
+public class DictionaryImportControllerTest {
+	
+	private static Logger logger = FlexLogger.getLogger(DictionaryImportController.class);
+
+	@Before
+	public void setUp() throws Exception {
+		logger.info("setUp: Entering");
+	}
+	
+	@Test
+	public void testIsValidDictionaryName(){
+		DictionaryImportController cotroller = new DictionaryImportController();
+		//test invalid name
+		assertTrue(!cotroller.isValidDictionaryName("wrong-name"));
+		//test valid name
+		assertTrue(cotroller.isValidDictionaryName("ActionList"));
+	}
+	
+	@After
+	 public void destroy(){
+
+	 }
+}
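Review bot: The test locks in the prefix-matching weakness by omission — it never asserts that a valid name with a trailing payload is rejected, so add `assertFalse(cotroller.isValidDictionaryName("ActionList/../x"));` and a null-input case; both fail against the implementation in this commit, which is exactly what a test guarding a Fortify fix should catch. `assertTrue(!x)` reads better as `assertFalse(x)`, the local is misspelled `cotroller`, and the empty `@After destroy()` together with the log-only `@Before` add nothing and can be dropped. Consider a loop over `DisctionaryNames.values()` asserting each constant is accepted, so the allowlist and the validator cannot drift apart unnoticed.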
diff --git a/ONAP-XACML/src/main/java/org/onap/policy/xacml/std/pap/StdEngine.java b/ONAP-XACML/src/main/java/org/onap/policy/xacml/std/pap/StdEngine.java
index 273383a..ca2271a 100644
--- a/ONAP-XACML/src/main/java/org/onap/policy/xacml/std/pap/StdEngine.java
+++ b/ONAP-XACML/src/main/java/org/onap/policy/xacml/std/pap/StdEngine.java
@@ -349,7 +349,7 @@
 					props.store(os, "");
 				}
 			} catch (IOException e) {
-				PolicyLogger.error(MessageCodes.EXCEPTION_ERROR, e, "StdEngine", "Failed to create " + policyProperties);
+				PolicyLogger.error(MessageCodes.EXCEPTION_ERROR, e, "StdEngine", "Failed to create policyProperties");
 				throw new PAPException("Failed to create " + id);
 			}
 		}
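Review bot: Dropping `policyProperties` from the log line removes the path that was presumably the Fortify finding, but the `PAPException` thrown on the next line still concatenates `id` into its message, so whether the same concern applies depends on where `id` comes from — the enclosing method starts outside the hunk, so I cannot confirm. The bare literal `"Failed to create policyProperties"` now tells an operator nothing about which file failed; if `policyProperties` is a Path or File, logging only its file name (e.g. `"Failed to create " + policyProperties.getName()`) keeps the message actionable without exposing the directory layout. The second hunk in this file makes the identical change for `pipProperties`, and the same note applies there.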
@@ -368,7 +368,7 @@
 					props.store(os, "");
 				}
 			} catch (IOException e) {
-				PolicyLogger.error(MessageCodes.ERROR_DATA_ISSUE, e, "StdEngine", "Failed to create " + pipProperties);
+				PolicyLogger.error(MessageCodes.ERROR_DATA_ISSUE, e, "StdEngine", "Failed to create pipProperties");
 				throw new PAPException("Failed to create " + id);
 			}