From be674509611f35e353fbe1ac624a0ac8a9340171 Mon Sep 17 00:00:00 2001 From: Roman Szturc Date: Tue, 4 Feb 2025 11:53:19 +0100 Subject: [PATCH 01/42] Security issues fixed --- .../publish/service/EventTemplateHandler.java | 12 +++++ .../config/DisabledSecurityConfig.java | 2 +- .../remrem/publish/config/SecurityConfig.java | 3 +- .../controller/ProducerController.java | 45 +++++++++++++++---- .../integrationtest/TestSecurityConfig.java | 15 +++---- 5 files changed, 57 insertions(+), 20 deletions(-) diff --git a/publish-common/src/main/java/com/ericsson/eiffel/remrem/publish/service/EventTemplateHandler.java b/publish-common/src/main/java/com/ericsson/eiffel/remrem/publish/service/EventTemplateHandler.java index 58b60aff..c598eb7a 100644 --- a/publish-common/src/main/java/com/ericsson/eiffel/remrem/publish/service/EventTemplateHandler.java +++ b/publish-common/src/main/java/com/ericsson/eiffel/remrem/publish/service/EventTemplateHandler.java @@ -15,6 +15,8 @@ package com.ericsson.eiffel.remrem.publish.service; import ch.qos.logback.classic.Logger; +import com.ericsson.eiffel.remrem.semantics.EiffelEventType; +import com.ericsson.eiffel.semantics.events.Event; import com.fasterxml.jackson.annotation.JsonInclude; import com.fasterxml.jackson.core.JsonFactory; import com.fasterxml.jackson.core.JsonParseException; @@ -31,6 +33,8 @@ import com.jayway.jsonpath.spi.mapper.JacksonMappingProvider; import org.apache.commons.io.IOUtils; import org.slf4j.LoggerFactory; + +import java.io.File; import java.io.IOException; import java.io.InputStream; import java.nio.charset.StandardCharsets; 
@@ -58,6 +62,13 @@ public class EventTemplateHandler { .mappingProvider(new JacksonMappingProvider(mapper)) .build(); + // Ensure event name doesn't contain any path-special character or path separator. + private void validateEventName(String eventName) { + if (eventName.contains("..") || eventName.contains(File.separator)) { + throw new IllegalArgumentException("Invalid event name: '" + eventName + "'"); + } + } + // eventTemplateParser @JsonInclude(JsonInclude.Include.NON_NULL) public JsonNode eventTemplateParser(String jsonData , String eventName){ @@ -65,6 +76,7 @@ public JsonNode eventTemplateParser(String jsonData , String eventName){ JsonNode rootNode = null; try { + validateEventName(eventName); String eventTemplate = accessFileInSemanticJar(EVENT_TEMPLATE_PATH + eventName.toLowerCase() + ".json"); rootNode = mapper.readTree(jsonData); diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/DisabledSecurityConfig.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/DisabledSecurityConfig.java index 01b8f4ca..3b10c6de 100644 --- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/DisabledSecurityConfig.java +++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/DisabledSecurityConfig.java @@ -34,6 +34,6 @@ public class DisabledSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { - http.authorizeRequests().anyRequest().permitAll().and().csrf().disable(); + http.authorizeRequests().anyRequest().permitAll().and().csrf(); } } diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/SecurityConfig.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/SecurityConfig.java index ab4fe376..55f750a1 100644 --- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/SecurityConfig.java 
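Review bot: validateEventName only rejects `..` and `File.separator`, yet the value is appended to a jar resource path (`EVENT_TEMPLATE_PATH + eventName.toLowerCase() + ".json"`, visible in the next hunk), where the separator is `/` on every platform — on Windows `File.separator` is `\`, so a forward slash in the name passes the check — and a null name throws NullPointerException instead of IllegalArgumentException. An allow-list is shorter and portable: `if (eventName == null || !eventName.matches("[A-Za-z0-9_-]+")) {` as the guard condition (pattern constructed here; adjust to the real event-name alphabet). The previous hunk also adds `EiffelEventType` and `Event` imports that nothing in the visible hunks references; confirm they are used elsewhere in the file or drop them.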
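Review bot: `.csrf()` without `.disable()` does not remove CSRF handling — it returns the CsrfConfigurer with default settings, so CSRF protection is now enabled and non-GET requests to the publish endpoints that carry no token will be rejected, a behaviour change the commit message does not mention. The same edit is made to SecurityConfig in the following hunk and to TestSecurityConfig in the last hunk of this patch. Either keep `.csrf().disable()` together with a comment recording why the API serves non-browser clients only, or, if CSRF is meant to stay on, document how clients obtain the token; PATCH 03 in this series reverts the change, which points to the former.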
+++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/SecurityConfig.java @@ -110,7 +110,6 @@ protected void configure(HttpSecurity http) throws Exception { .httpBasic() .authenticationEntryPoint(customAuthenticationEntryPoint) .and() - .csrf() - .disable(); + .csrf(); } } diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java index 3b6429ba..653d4d71 100644 --- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java +++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java @@ -14,6 +14,9 @@ */ package com.ericsson.eiffel.remrem.publish.controller; +import java.io.UnsupportedEncodingException; +import java.net.URLEncoder; +import java.nio.charset.StandardCharsets; import java.util.*; import com.ericsson.eiffel.remrem.publish.service.*; @@ -220,6 +223,8 @@ public ResponseEntity send( } catch (JsonSyntaxException e) { String exceptionMessage = e.getMessage(); log.error("Cannot parse the following JSON data:\n" + body + "\n\n" + exceptionMessage); + // TODO Disable CodeQL rule java/error-message-exposure. The message is sent to user to + // TODO show where exactly JSON parser encountered an issue, i.e. line and column. return createResponseEntity(HttpStatus.BAD_REQUEST, JSON_FATAL_STATUS, "Invalid JSON data: " + exceptionMessage); } 
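Review bot: The two `// TODO` lines describe a decision that has been taken, not pending work, so a reader or a TODO scanner will treat the catch block as unfinished, and CodeQL rules are suppressed through a config file (as PATCH 10 of this series later does), not through comments. Reword it as a note explaining the choice: `// NOTE: the parser message is returned on purpose so callers see the line/column of the JSON error; CodeQL java/error-message-exposure is accepted here.` Whether Gson's message can echo fragments of the request body back to the caller is worth confirming before relying on that statement, since the full body is already written to the error log on the line above.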
@@ -293,6 +298,20 @@ private boolean eventTypeExists(@NonNull MsgService msgService, String eventType return supportedEventTypes != null && supportedEventTypes.contains(eventType); } + /** + * Ensure attribute value is properly URL encoded. + * + * @param attribute Attribute name. + * @param value Attribute value. It's converted to string using toString(). + * @return "&attribute=[URL encoded value]" + * @throws UnsupportedEncodingException + */ + private String appendAttributeAndValue(String attribute, Object value) + throws UnsupportedEncodingException { + return "&" + attribute + "=" + + URLEncoder.encode(value.toString(), StandardCharsets.UTF_8.toString()); + } + /** * This controller provides single RemRem REST API End Point for both RemRem * Generate and Publish. @@ -315,7 +334,6 @@ private boolean eventTypeExists(@NonNull MsgService msgService, String eventType * --data "@inputGenerate_activity_finished.txt" * "http://localhost:8986/generateAndPublish/?mp=eiffelsemantics&msgType=EiffelActivityFinished" */ - public ResponseEntity generateAndPublish(final String msgProtocol, final String msgType, final String userDomain, final String tag, final String routingKey, final Boolean parseData, final Boolean failIfMultipleFound, final Boolean failIfNoneFound, final Boolean lookupInExternalERs, final int lookupLimit, final Boolean okToLeaveOutInvalidOptionalFields, final JsonElement bodyJson) { 
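Review bot: `URLEncoder.encode(value.toString(), StandardCharsets.UTF_8.toString())` uses the String-charset overload, which is the only reason the method declares the checked UnsupportedEncodingException and the next hunk grows a catch mapping it to a 500; the `Charset` overload (Java 10+) removes both: `return "&" + attribute + "=" + URLEncoder.encode(value.toString(), StandardCharsets.UTF_8);` with no `throws` clause — the removed `set up jdk 17` step in the old codeql.yml (PATCH 12) suggests the toolchain allows it, but confirm the Maven source level. `value.toString()` still throws NullPointerException for a null Boolean, which generateAndPublish can pass (PATCH 02 works around it at each call site); handling it once here with `String.valueOf(value)` or `Objects.requireNonNull(value, attribute)` keeps the contract in one place. The Javadoc `@throws UnsupportedEncodingException` line has no description; if the checked exception stays, say when it can occur.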
@@ -383,9 +401,12 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String HttpHeaders headers = new HttpHeaders(); headers.setContentType(MediaType.APPLICATION_JSON_UTF8); HttpEntity entity = new HttpEntity<>(bodyJsonOut, headers); - String generateUrl = generateURLTemplate.getUrl() + "&failIfMultipleFound=" + failIfMultipleFound - + "&failIfNoneFound=" + failIfNoneFound + "&lookupInExternalERs=" + lookupInExternalERs - + "&lookupLimit=" + lookupLimit + "&okToLeaveOutInvalidOptionalFields=" + okToLeaveOutInvalidOptionalFields; + String generateUrl = generateURLTemplate.getUrl() + + appendAttributeAndValue("failIfMultipleFound", failIfMultipleFound) + + appendAttributeAndValue("failIfNoneFound", failIfNoneFound) + + appendAttributeAndValue("lookupInExternalERs", lookupInExternalERs) + + appendAttributeAndValue("lookupLimit", lookupLimit) + + appendAttributeAndValue("okToLeaveOutInvalidOptionalFields", okToLeaveOutInvalidOptionalFields); ResponseEntity response = restTemplate.postForEntity(generateUrl, entity, String.class, generateURLTemplate.getMap(msgProtocol, msgType)); @@ -412,10 +433,14 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String } else { return response; } - } catch (RemRemPublishException e) { - String exceptionMessage = e.getMessage(); - return createResponseEntity(HttpStatus.NOT_FOUND, JSON_ERROR_STATUS, exceptionMessage); - } catch (HttpStatusCodeException e) { + } + catch (UnsupportedEncodingException e) { + return createResponseEntity(HttpStatus.INTERNAL_SERVER_ERROR, JSON_FATAL_STATUS, e.getMessage()); + } + catch (RemRemPublishException e) { + return createResponseEntity(HttpStatus.NOT_FOUND, JSON_ERROR_STATUS, e.getMessage()); + } + catch (HttpStatusCodeException e) { String responseBody = null; String responseMessage = e.getResponseBodyAsString(); if (bodyJson.isJsonObject()) { 
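Review bot: The pre-encoded query string is concatenated into `generateUrl`, which is then passed to `restTemplate.postForEntity` as a URI template together with `generateURLTemplate.getMap(...)`; RestTemplate's default URI_COMPONENT encoding mode may encode a literal `%` in the template a second time, so a value that actually needed escaping could arrive double-encoded. With the current values (Booleans and an int) nothing is ever escaped, so this is latent rather than broken today. The robust form is to add the five parameters to the template as `{failIfMultipleFound}`-style placeholders and to the variable map so RestTemplate encodes them, or to build the URI with `UriComponentsBuilder.queryParam(...)`.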
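Review bot: The rewritten catch chain places each `catch` on its own line after a bare `}`, whereas the rest of the file (e.g. `} catch (JsonSyntaxException e) {` earlier in the same class) uses the Java convention `} catch (...) {`; keep the file consistent. The new `UnsupportedEncodingException` branch returns the exception message to the caller in a 500 body; with a `StandardCharsets.UTF_8` constant it cannot occur, and it disappears entirely once appendAttributeAndValue uses the `Charset` overload of `URLEncoder.encode`. generateAndPublish begins and ends outside this hunk.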
@@ -426,7 +451,9 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String responseEvents = processingValidEvent(responseBody, msgProtocol, userDomain, tag, routingKey); return new ResponseEntity<>(responseEvents, HttpStatus.BAD_REQUEST); } - //Status here is the status returned from generate service, except BAD_REQUEST which already handled above + + // Status here is the status returned from generate service, + // except BAD_REQUEST which already handled above. return new ResponseEntity<>(responseEvents, responseStatus); } diff --git a/publish-service/src/test/java/com/ericsson/eiffel/remrem/publish/integrationtest/TestSecurityConfig.java b/publish-service/src/test/java/com/ericsson/eiffel/remrem/publish/integrationtest/TestSecurityConfig.java index 8b1fc7ba..02aeb275 100644 --- a/publish-service/src/test/java/com/ericsson/eiffel/remrem/publish/integrationtest/TestSecurityConfig.java +++ b/publish-service/src/test/java/com/ericsson/eiffel/remrem/publish/integrationtest/TestSecurityConfig.java @@ -37,13 +37,12 @@ protected void configure(AuthenticationManagerBuilder auth) throws Exception { @Override protected void configure(HttpSecurity http) throws Exception { http - .authorizeRequests() - .anyRequest() - .authenticated() - .and() - .httpBasic() - .and() - .csrf() - .disable(); + .authorizeRequests() + .anyRequest() + .authenticated() + .and() + .httpBasic() + .and() + .csrf(); } } From 1f95d3e9e2df877110d7fe65680e8c15036a04d1 Mon Sep 17 00:00:00 2001 From: Roman Szturc Date: Tue, 4 Feb 2025 12:28:33 +0100 Subject: [PATCH 02/42] Security issues fixed --- .../controller/ProducerController.java | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java index 653d4d71..6c224981 100644 
--- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java +++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java @@ -312,6 +312,16 @@ private String appendAttributeAndValue(String attribute, Object value) + URLEncoder.encode(value.toString(), StandardCharsets.UTF_8.toString()); } + /** + * Guarantees that given value is not null. + * + * @param b a value + * @return b if non-null, Boolean.FALSE otherwise. + */ + private Boolean ensureValueNonNull(Boolean b) { + return b != null ? b : Boolean.FALSE; + } + /** * This controller provides single RemRem REST API End Point for both RemRem * Generate and Publish. @@ -401,12 +411,13 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String HttpHeaders headers = new HttpHeaders(); headers.setContentType(MediaType.APPLICATION_JSON_UTF8); HttpEntity entity = new HttpEntity<>(bodyJsonOut, headers); + String generateUrl = generateURLTemplate.getUrl() - + appendAttributeAndValue("failIfMultipleFound", failIfMultipleFound) - + appendAttributeAndValue("failIfNoneFound", failIfNoneFound) - + appendAttributeAndValue("lookupInExternalERs", lookupInExternalERs) + + appendAttributeAndValue("failIfMultipleFound", ensureValueNonNull(failIfMultipleFound)) + + appendAttributeAndValue("failIfNoneFound", ensureValueNonNull(failIfNoneFound)) + + appendAttributeAndValue("lookupInExternalERs", ensureValueNonNull(lookupInExternalERs)) + appendAttributeAndValue("lookupLimit", lookupLimit) - + appendAttributeAndValue("okToLeaveOutInvalidOptionalFields", okToLeaveOutInvalidOptionalFields); + + appendAttributeAndValue("okToLeaveOutInvalidOptionalFields", ensureValueNonNull(okToLeaveOutInvalidOptionalFields)); ResponseEntity response = restTemplate.postForEntity(generateUrl, entity, String.class, generateURLTemplate.getMap(msgProtocol, msgType)); From 5c1df16f5679e514f9a4a42e00c7805915638bba Mon Sep 17 00:00:00 2001 
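Review bot: ensureValueNonNull reimplements a JDK helper — `return Objects.requireNonNullElse(b, Boolean.FALSE);` (Java 9+) says the same thing, or the three call sites can use `Boolean.TRUE.equals(x)` and the method can go. If it stays, the first Javadoc sentence should carry the contract that matters, e.g. `Returns the given value, or Boolean.FALSE when it is null.`, rather than leaving the default only in the `@return` tag.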
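Review bot: Substituting FALSE for an absent request parameter changes what the generate service receives — previously `...=null` from plain string concatenation, now `...=false` — so if the generate service's own default for any of these flags is true (lookupInExternalERs or failIfNoneFound, for instance), an omitted parameter now flips it. Either confirm the defaults on the generate side match FALSE, or omit absent parameters from the URL instead of defaulting them, e.g. `+ (failIfMultipleFound == null ? "" : appendAttributeAndValue("failIfMultipleFound", failIfMultipleFound))`. `lookupLimit` is a primitive `int` and correctly left alone.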
From: Roman Szturc Date: Mon, 24 Feb 2025 10:10:22 +0100 Subject: [PATCH 03/42] Security fixes applied --- CHANGELOG.md | 3 +++ pom.xml | 2 +- .../eiffel/remrem/publish/config/DisabledSecurityConfig.java | 2 +- .../ericsson/eiffel/remrem/publish/config/SecurityConfig.java | 3 ++- publish-service/src/main/resources/application.properties | 2 +- .../remrem/publish/integrationtest/TestSecurityConfig.java | 3 ++- 6 files changed, 10 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6abd51ba..92422eac 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +## 2.1.7 +- Security fixes applied. + ## 2.1.6 - Events can be published in parallel. diff --git a/pom.xml b/pom.xml index 910605d4..ea52d095 100644 --- a/pom.xml +++ b/pom.xml @@ -9,7 +9,7 @@ 2.0.12 - 2.1.6 + 2.1.7 2.4.0 eiffel-remrem-publish diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/DisabledSecurityConfig.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/DisabledSecurityConfig.java index 3b10c6de..01b8f4ca 100644 --- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/DisabledSecurityConfig.java +++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/DisabledSecurityConfig.java @@ -34,6 +34,6 @@ public class DisabledSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { - http.authorizeRequests().anyRequest().permitAll().and().csrf(); + http.authorizeRequests().anyRequest().permitAll().and().csrf().disable(); } } diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/SecurityConfig.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/SecurityConfig.java index 55f750a1..f164af5a 100644 --- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/SecurityConfig.java 
+++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/SecurityConfig.java @@ -110,6 +110,7 @@ protected void configure(HttpSecurity http) throws Exception { .httpBasic() .authenticationEntryPoint(customAuthenticationEntryPoint) .and() - .csrf(); + .csrf() + .disable(); } } diff --git a/publish-service/src/main/resources/application.properties b/publish-service/src/main/resources/application.properties index 5d8a790b..654486fa 100644 --- a/publish-service/src/main/resources/application.properties +++ b/publish-service/src/main/resources/application.properties @@ -1,6 +1,6 @@ server.port=8080 -debug: false +debug: true spring.mvc.pathmatch.matching-strategy=ANT_PATH_MATCHER diff --git a/publish-service/src/test/java/com/ericsson/eiffel/remrem/publish/integrationtest/TestSecurityConfig.java b/publish-service/src/test/java/com/ericsson/eiffel/remrem/publish/integrationtest/TestSecurityConfig.java index 02aeb275..2850eec2 100644 --- a/publish-service/src/test/java/com/ericsson/eiffel/remrem/publish/integrationtest/TestSecurityConfig.java +++ b/publish-service/src/test/java/com/ericsson/eiffel/remrem/publish/integrationtest/TestSecurityConfig.java @@ -43,6 +43,7 @@ protected void configure(HttpSecurity http) throws Exception { .and() .httpBasic() .and() - .csrf(); + .csrf() + .disable(); } } From 9d8d2327b88c49702cea9380dd5bea369fec6ae3 Mon Sep 17 00:00:00 2001 From: Roman Szturc Date: Mon, 24 Feb 2025 12:40:49 +0100 Subject: [PATCH 04/42] Debug log level removed from default properties --- publish-service/src/main/resources/application.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/publish-service/src/main/resources/application.properties b/publish-service/src/main/resources/application.properties index 654486fa..5d8a790b 100644 --- a/publish-service/src/main/resources/application.properties +++ b/publish-service/src/main/resources/application.properties 
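Review bot: `debug: true` in the default application.properties switches on Spring Boot debug mode for every deployment built from this file — the auto-configuration report plus DEBUG logging for the core loggers — which can put request details into logs and slows startup; a commit titled "Security fixes applied" should not ship that default (PATCH 04 reverts it the same day). If it is needed for local troubleshooting, set it in a profile-specific file or pass `--debug` on the command line. The file also mixes YAML-style `debug: true` with `key=value` syntax on the next line; `debug=false` keeps the properties file uniform.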
@@ -1,6 +1,6 @@ server.port=8080 -debug: true +debug: false spring.mvc.pathmatch.matching-strategy=ANT_PATH_MATCHER From b3ac14cc46db9819c9fa48aaf33777a99da94b70 Mon Sep 17 00:00:00 2001 From: Roman Szturc Date: Mon, 10 Mar 2025 14:04:43 +0100 Subject: [PATCH 05/42] Security fixes applied --- CHANGELOG.md | 2 +- pom.xml | 2 +- .../eiffel/remrem/publish/config/DisabledSecurityConfig.java | 2 +- .../ericsson/eiffel/remrem/publish/config/SecurityConfig.java | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 92422eac..d10b0aad 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,4 @@ -## 2.1.7 +## 2.1.8 - Security fixes applied. ## 2.1.6 diff --git a/pom.xml b/pom.xml index ea52d095..c9901a29 100644 --- a/pom.xml +++ b/pom.xml @@ -9,7 +9,7 @@ 2.0.12 - 2.1.7 + 2.1.8 2.4.0 eiffel-remrem-publish diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/DisabledSecurityConfig.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/DisabledSecurityConfig.java index 01b8f4ca..51afa4c2 100644 --- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/DisabledSecurityConfig.java +++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/DisabledSecurityConfig.java @@ -34,6 +34,6 @@ public class DisabledSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { - http.authorizeRequests().anyRequest().permitAll().and().csrf().disable(); + http.authorizeRequests().anyRequest().permitAll().and().csrf();//.disable(); } } diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/SecurityConfig.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/SecurityConfig.java index f164af5a..da9d75db 100644 --- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/SecurityConfig.java 
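Review bot: `.csrf();//.disable();` leaves commented-out code in the security configuration and changes behaviour the same way PATCH 01 did: the bare `.csrf()` enables CSRF protection with defaults, so non-GET requests to the publish endpoints without a token will be rejected. The SecurityConfig hunk in this same patch does the same with `// .disable();` on its own line. If a scanner finding is the motivation, record the decision in a CodeQL filter or a code comment (as PATCH 06 and PATCH 07 later do) and keep `.csrf().disable()`; commented-out code should be deleted, not parked.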
+++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/SecurityConfig.java @@ -110,7 +110,7 @@ protected void configure(HttpSecurity http) throws Exception { .httpBasic() .authenticationEntryPoint(customAuthenticationEntryPoint) .and() - .csrf() - .disable(); + .csrf(); +// .disable(); } } From 4956eaf3c677cec3c6c375621bc691ac27db18f8 Mon Sep 17 00:00:00 2001 From: Roman Szturc Date: Tue, 22 Apr 2025 14:30:22 +0200 Subject: [PATCH 06/42] Exclude java/spring-disabled-csrf-protection rule --- .github/workflows/codeql.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 2ae42da8..12962a8e 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -20,6 +20,15 @@ on: schedule: - cron: '28 3 * * 1' +query-filters: + # The application uses non-browser clients. Yes, there is swagger interface, + # but is's used only for testing/tuning. + # + # From https://docs.spring.io/spring-security/reference/features/exploits/csrf.html + # "If you are creating a service that is used only by non-browser clients, + # you likely want to disable CSRF protection." + - exclude: java/spring-disabled-csrf-protection + jobs: analyze: name: Analyze From 7c771ce5e480b9b9a78374b6fc00eeb9cb46ed99 Mon Sep 17 00:00:00 2001 From: Roman Szturc Date: Tue, 29 Apr 2025 10:38:20 +0200 Subject: [PATCH 07/42] Security fixes applied --- .../eiffel/remrem/publish/config/SecurityConfig.java | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/SecurityConfig.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/SecurityConfig.java index da9d75db..a9b992ae 100644 --- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/SecurityConfig.java +++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/SecurityConfig.java 
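Review bot: `query-filters` is a key of the CodeQL configuration-file schema, not of a GitHub Actions workflow; at the top level of codeql.yml next to `on:` and `jobs:` it is either rejected as an unexpected key or silently ignored, so the `java/spring-disabled-csrf-protection` exclusion would not take effect. It belongs in a separate config file referenced with `config-file:` under the init step's `with:` (PATCH 10 in this series does exactly that). The comment also has a typo: `is's` should be `it's`.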
@@ -30,6 +30,8 @@ import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import static org.apache.catalina.webresources.TomcatURLStreamHandlerFactory.disable; + /** * This class is used to enable the ldap authentication based on property * activedirectory.publish.enabled = true in properties file. @@ -110,7 +112,13 @@ protected void configure(HttpSecurity http) throws Exception { .httpBasic() .authenticationEntryPoint(customAuthenticationEntryPoint) .and() - .csrf(); -// .disable(); + .csrf() + // The application uses non-browser clients. Yes, there is swagger interface, + // but is's used only for testing/tuning. + // + // From https://docs.spring.io/spring-security/reference/features/exploits/csrf.html + // "If you are creating a service that is used only by non-browser clients, + // you likely want to disable CSRF protection." + .disable(); } } From 93d87199b0ae6adab88aead192f1ee329e158fbb Mon Sep 17 00:00:00 2001 From: z-sztrom <106370045+z-sztrom@users.noreply.github.com> Date: Tue, 29 Apr 2025 12:18:16 +0200 Subject: [PATCH 08/42] Update codeql.yml --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 12962a8e..ef40fab0 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -13,7 +13,7 @@ name: "CodeQL" on: push: - branches: [ "master" ] + branches: [ "master", "analyze-security" ] pull_request: # The branches below must be a subset of the branches above branches: [ "master" ] From 8b7f9324e234c0ea1e749cc50a1f6aae8c9849b8 Mon Sep 17 00:00:00 2001 From: Roman Szturc Date: Tue, 29 Apr 2025 12:19:48 +0200 Subject: [PATCH 09/42] Codeql scan enabled on analyze-security branch --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
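Review bot: `import static org.apache.catalina.webresources.TomcatURLStreamHandlerFactory.disable;` is unused — `.disable()` in the second hunk is an instance method on the CsrfConfigurer returned by `.csrf()`, not a static call — and looks like an IDE auto-import that matched on the method name. It adds a compile-time dependency from the security configuration on Tomcat internals that breaks if the embedded container changes; delete the line. The comment in the second hunk repeats the `is's` typo (`it's`), and since the rationale now lives in code it could name the CodeQL filter id `java/spring-disabled-csrf-protection` so the two stay in sync.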
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 12962a8e..ef40fab0 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -13,7 +13,7 @@ name: "CodeQL" on: push: - branches: [ "master" ] + branches: [ "master", "analyze-security" ] pull_request: # The branches below must be a subset of the branches above branches: [ "master" ] From 86dba57d294481156f6d0f9d1aead69f2914fccf Mon Sep 17 00:00:00 2001 From: Roman Szturc Date: Tue, 29 Apr 2025 12:30:34 +0200 Subject: [PATCH 10/42] CodeQL query file introduced --- .github/workflows/codeql-filters.yml | 9 +++++++++ .github/workflows/codeql.yml | 10 +--------- 2 files changed, 10 insertions(+), 9 deletions(-) create mode 100644 .github/workflows/codeql-filters.yml diff --git a/.github/workflows/codeql-filters.yml b/.github/workflows/codeql-filters.yml new file mode 100644 index 00000000..31d57d0a --- /dev/null +++ b/.github/workflows/codeql-filters.yml @@ -0,0 +1,9 @@ +query-filters: + # The application uses non-browser clients. Yes, there is swagger interface, + # but is's used only for testing/tuning. + # + # From https://docs.spring.io/spring-security/reference/features/exploits/csrf.html + # "If you are creating a service that is used only by non-browser clients, + # you likely want to disable CSRF protection." + - exclude: java/spring-disabled-csrf-protection + diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index ef40fab0..6b67876f 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
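Review bot: This hunk is identical to PATCH 08 — the same `index 12962a8e..ef40fab0` blob ids and the same one-line branches change — so when the series is applied in order the second copy finds the change already present and `git am` stops on it. Drop one of the two, or squash them before the series is merged; the noreply author address on PATCH 08 suggests it was made through the web editor and PATCH 09 repeats it from the command line.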
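Review bot: In the CodeQL config schema a `query-filters` entry is a mapping — `- exclude:` followed by `id: java/spring-disabled-csrf-protection` on an indented line — and the bare string form `- exclude: java/spring-disabled-csrf-protection` used here is what PATCH 11 immediately has to correct, so the two patches could be squashed. The new file also ends with a stray blank line and carries the `is's`/`it's` typo over from the workflow comment.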
@@ -20,15 +20,6 @@ on: schedule: - cron: '28 3 * * 1' -query-filters: - # The application uses non-browser clients. Yes, there is swagger interface, - # but is's used only for testing/tuning. - # - # From https://docs.spring.io/spring-security/reference/features/exploits/csrf.html - # "If you are creating a service that is used only by non-browser clients, - # you likely want to disable CSRF protection." - - exclude: java/spring-disabled-csrf-protection - jobs: analyze: name: Analyze @@ -77,6 +68,7 @@ jobs: # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs # queries: security-extended,security-and-quality + config-file: .github/workflows/codeql-filters.yml # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). From 4e1b056ca73c4ddd64068c00ed9c2f6f17e7dc64 Mon Sep 17 00:00:00 2001 From: Roman Szturc Date: Tue, 29 Apr 2025 12:33:48 +0200 Subject: [PATCH 11/42] CodeQL config file introduced --- .github/workflows/codeql-filters.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql-filters.yml b/.github/workflows/codeql-filters.yml index 31d57d0a..26197567 100644 --- a/.github/workflows/codeql-filters.yml +++ b/.github/workflows/codeql-filters.yml @@ -5,5 +5,6 @@ query-filters: # From https://docs.spring.io/spring-security/reference/features/exploits/csrf.html # "If you are creating a service that is used only by non-browser clients, # you likely want to disable CSRF protection." - - exclude: java/spring-disabled-csrf-protection + - exclude: + id: java/spring-disabled-csrf-protection From 6b23b9fa30592fae7f845a45f397678b87284396 Mon Sep 17 00:00:00 2001 
From: Roman Szturc Date: Tue, 29 Apr 2025 12:49:24 +0200 Subject: [PATCH 12/42] codeql.yml uplifted --- .github/workflows/codeql.yml | 78 +++++++++++++++++++++--------------- 1 file changed, 45 insertions(+), 33 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 6b67876f..280acb59 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -9,59 +9,68 @@ # the `language` matrix defined below to confirm you have the correct set of # supported CodeQL languages. # -name: "CodeQL" +name: "CodeQL Advanced" on: push: - branches: [ "master", "analyze-security" ] + branches: [ "master" ] pull_request: - # The branches below must be a subset of the branches above branches: [ "master" ] schedule: - - cron: '28 3 * * 1' + - cron: '36 13 * * 3' jobs: analyze: - name: Analyze + name: Analyze (${{ matrix.language }}) # Runner size impacts CodeQL analysis time. To learn more, please see: # - https://gh.io/recommended-hardware-resources-for-running-codeql # - https://gh.io/supported-runners-and-hardware-resources - # - https://gh.io/using-larger-runners - # Consider using larger runners for possible analysis time improvements. + # - https://gh.io/using-larger-runners (GitHub.com only) + # Consider using larger runners or machines with greater resources for possible analysis time improvements. runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} - timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} permissions: + # required for all workflows + security-events: write + + # required to fetch internal or private CodeQL packs + packages: read + + # only required for workflows in private repositories actions: read contents: read - security-events: write strategy: fail-fast: false matrix: - language: [ 'java-kotlin' ] - # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ] - # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both - # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support - + include: + - language: actions + build-mode: none + - language: java-kotlin + build-mode: none # This mode only analyzes Java. Set this to 'autobuild' or 'manual' to analyze Kotlin too. 
+ # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' + # Use `c-cpp` to analyze code written in C, C++ or both + # Use 'java-kotlin' to analyze code written in Java, Kotlin or both + # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both + # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, + # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. + # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how + # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages steps: - name: Checkout repository uses: actions/checkout@v4 - - name: set up jdk 17 - uses: actions/setup-java@v4 - with: - distribution: 'temurin' - java-version: '17' - - - name: checkout code - uses: actions/checkout@v4 + # Add any setup steps before running the `github/codeql-action/init` action. + # This includes steps like installing compilers or runtimes (`actions/setup-node` + # or others). This is typically only required for manual builds. + # - name: Setup runtime (example) + # uses: actions/setup-example@v1 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} # If you wish to specify custom queries, you can do so here or in a config file. # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. 
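Review bot: Switching java-kotlin to `build-mode: none` and deleting the `actions/setup-java@v4` (JDK 17) step means the analysis no longer compiles the project; as far as I understand `none` mode extracts Java from source without resolving Maven dependencies, so data flow through library calls can be less precise than the previous autobuild — worth confirming that the existing findings still reproduce after this change. `timeout-minutes` is dropped as well, leaving the job at the runner default. The comment `# CodeQL supports the following values keywords for 'language'` reads better as `# CodeQL supports the following values for 'language'`.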
@@ -70,18 +79,21 @@ jobs: # queries: security-extended,security-and-quality config-file: .github/workflows/codeql-filters.yml - - # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). - # If this step fails, then you should remove it and run the build manually (see below) - + # If the analyze step fails for one of the languages you are analyzing with + # "We were unable to automatically build your code", modify the matrix above + # to set the build mode to "manual" for that language. Then modify this step + # to build your code. # â„šī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - - - run: | - mvn clean package -DskipTests + - if: matrix.build-mode == 'manual' + shell: bash + run: | + echo 'If you are using a "manual" build mode for one or more of the' \ + 'languages you are analyzing, replace this with the commands to build' \ + 'your code, for example:' + echo ' make bootstrap' + echo ' make release' + exit 1 - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 From 735e9cce2bffad12b20f851a13e1bfa2dcfbd2f2 Mon Sep 17 00:00:00 2001 From: Roman Szturc Date: Tue, 29 Apr 2025 12:50:50 +0200 Subject: [PATCH 13/42] codeql.yml uplifted --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 280acb59..0e8bde35 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -13,7 +13,7 @@ name: "CodeQL Advanced" on: push: - branches: [ "master" ] + branches: [ "master", "analyze-security" ] pull_request: branches: [ "master" ] schedule: 
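Review bot: The `steps` in the `@@ -9,59 +9,68 @@` hunk reference `actions/checkout@v4` and `github/codeql-action/init@v3` by mutable tag while the job holds `security-events: write`, so a moved or compromised tag changes what runs with that permission; pin each action to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v4`, and let Dependabot keep the SHAs current. The same hunk deletes `timeout-minutes`, so the job now falls back to the runner default instead of the 120/360-minute split the old line set; restore it if that bound was deliberate. The workflow's remaining steps are in the next hunk.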
From acc154a163adf912ca0a7bd123e3aa9e3f8305a0 Mon Sep 17 00:00:00 2001 From: Roman Szturc Date: Tue, 29 Apr 2025 13:15:11 +0200 Subject: [PATCH 14/42] Cross-site scripting resolved --- .../remrem/publish/controller/ProducerController.java | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java index 6c224981..8f4eb419 100644 --- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java +++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java @@ -21,6 +21,7 @@ import com.ericsson.eiffel.remrem.publish.service.*; import com.google.gson.*; +import org.apache.commons.lang3.StringUtils; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; @@ -351,8 +352,9 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String logUserName(); } - MsgService msgService = PublishUtils.getMessageService(msgProtocol, msgServices); - if (msgService == null) { + MsgService msgService = null; + if (StringUtils.isEmpty(msgProtocol) || + ((msgService = PublishUtils.getMessageService(msgProtocol, msgServices)) == null)) { return createResponseEntity(HttpStatus.BAD_REQUEST, JSON_ERROR_STATUS, "No protocol service has been found registered"); } From 37b12b1b3884f4b2b34b3d4b3bcbdd3f1d9f7b34 Mon Sep 17 00:00:00 2001 From: Roman Szturc Date: Tue, 29 Apr 2025 13:24:41 +0200 Subject: [PATCH 15/42] Cross-site scripting resolved --- .../remrem/publish/controller/ProducerController.java | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
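Review bot: The `@@ -351,8 +352,9 @@` hunk folds an assignment into the `if` condition, so `msgService` is set as a side effect of a short-circuited expression and the guard reads as two checks when it is really one lookup; write it as `MsgService msgService = StringUtils.isEmpty(msgProtocol) ? null : PublishUtils.getMessageService(msgProtocol, msgServices);` followed by `if (msgService == null) { ... }`. The commit title says cross-site scripting, but what this hunk adds is an empty-string guard: if the finding was a request value reflected into a response, that sink is unchanged here. The enclosing method continues outside the hunk.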
diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java index 8f4eb419..40e1bb7c 100644 --- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java +++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java @@ -352,6 +352,11 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String logUserName(); } + String mp = null; + if (!StringUtils.isEmpty(msgProtocol)) { + mp = msgProtocol; + } + MsgService msgService = null; if (StringUtils.isEmpty(msgProtocol) || ((msgService = PublishUtils.getMessageService(msgProtocol, msgServices)) == null)) { @@ -422,7 +427,7 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String + appendAttributeAndValue("okToLeaveOutInvalidOptionalFields", ensureValueNonNull(okToLeaveOutInvalidOptionalFields)); ResponseEntity response = restTemplate.postForEntity(generateUrl, - entity, String.class, generateURLTemplate.getMap(msgProtocol, msgType)); + entity, String.class, generateURLTemplate.getMap(mp, msgType)); responseStatus = response.getStatusCode(); String responseBody = null; From 5b77ac730fe76a3a3457cb8795cb0268e06cce84 Mon Sep 17 00:00:00 2001 From: Roman Szturc Date: Tue, 29 Apr 2025 13:45:15 +0200 Subject: [PATCH 16/42] Cross-site scripting resolved --- .../eiffel/remrem/publish/controller/ProducerController.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java index 40e1bb7c..8af3c071 100644 --- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java 
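Review bot: Copying `msgProtocol` into `mp` in the `@@ -352,6 +352,11 @@` hunk changes neither the value nor its taint, so a taint tracker follows the copy and any finding on `generateURLTemplate.getMap(mp, msgType)` in the second hunk stays open. A real sanitiser would compare the parameter against the protocols the service actually registers — the `msgServices` lookup two lines below already does that, so take the name from the resolved `msgService` if it exposes one, or from an explicit allow-list — before the value is used to build the generate URL. As written `mp` is only ever `null` on a path the following `StringUtils.isEmpty(msgProtocol)` guard returns from, so the new local adds nothing. The enclosing method continues outside the hunk.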
+++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java @@ -427,7 +427,7 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String + appendAttributeAndValue("okToLeaveOutInvalidOptionalFields", ensureValueNonNull(okToLeaveOutInvalidOptionalFields)); ResponseEntity response = restTemplate.postForEntity(generateUrl, - entity, String.class, generateURLTemplate.getMap(mp, msgType)); + entity, String.class, generateURLTemplate.getMap(msgProtocol, msgType)); responseStatus = response.getStatusCode(); String responseBody = null; From bc1181c4ce5d8a35c92c1887c0c44bb6cfd32bec Mon Sep 17 00:00:00 2001 From: Roman Szturc Date: Tue, 29 Apr 2025 14:44:44 +0200 Subject: [PATCH 17/42] Cross-site scripting resolved --- .../eiffel/remrem/publish/controller/ProducerController.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java index 8af3c071..40e1bb7c 100644 --- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java +++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java @@ -427,7 +427,7 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String + appendAttributeAndValue("okToLeaveOutInvalidOptionalFields", ensureValueNonNull(okToLeaveOutInvalidOptionalFields)); ResponseEntity response = restTemplate.postForEntity(generateUrl, - entity, String.class, generateURLTemplate.getMap(msgProtocol, msgType)); + entity, String.class, generateURLTemplate.getMap(mp, msgType)); responseStatus = response.getStatusCode(); String responseBody = null; From 3c3c7b79238316f0d2dc0a85053e0c192a646b4a Mon Sep 17 00:00:00 2001 
From: Roman Szturc Date: Tue, 29 Apr 2025 14:54:10 +0200 Subject: [PATCH 18/42] Cross-site scripting resolved --- .../remrem/publish/controller/ProducerController.java | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java index 40e1bb7c..83d95b01 100644 --- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java +++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java @@ -357,6 +357,11 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String mp = msgProtocol; } + String mt= null; + if (!StringUtils.isEmpty(msgType)) { + mt = msgType; + } + MsgService msgService = null; if (StringUtils.isEmpty(msgProtocol) || ((msgService = PublishUtils.getMessageService(msgProtocol, msgServices)) == null)) { @@ -398,9 +403,9 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String parsedTemplates.append("["); for (JsonElement eventJson : events) { // -- parse params in incoming request -> body ------------- - if (!eventTypeExists(msgService, msgType)) { + if (!eventTypeExists(msgService, mt)) { return createResponseEntity(HttpStatus.BAD_REQUEST, JSON_ERROR_STATUS, - "Unknown event type '" + msgType + "'"); + "Unknown event type '" + mt + "'"); } JsonNode parsedTemplate = eventTemplateHandler.eventTemplateParser(eventJson.toString(), msgType); 
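Review bot: The error body `"Unknown event type '" + mt + "'"` in the `@@ -398,9 +403,9 @@` hunk still reflects the request-supplied `msgType` verbatim, because the copy into `mt` made in the first hunk changes neither the value nor its taint. `eventTypeExists(msgService, mt)` has just established that the value is not a known type, so there is no reason to echo it: return a fixed message such as `"Unknown event type"`, or encode the value for the response's content type before concatenating. `mt` is also left `null` for an empty `msgType` and then printed as `'null'`, and the next line still passes `msgType`, not `mt`, to `eventTemplateParser`, so the two names have already diverged. The enclosing loop and method continue outside the hunk.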
@@ -427,7 +432,7 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String + appendAttributeAndValue("okToLeaveOutInvalidOptionalFields", ensureValueNonNull(okToLeaveOutInvalidOptionalFields)); ResponseEntity response = restTemplate.postForEntity(generateUrl, - entity, String.class, generateURLTemplate.getMap(mp, msgType)); + entity, String.class, generateURLTemplate.getMap(mp, mt)); responseStatus = response.getStatusCode(); String responseBody = null; From 358fa1574b50b295faf9afaa0581da221e9da71c Mon Sep 17 00:00:00 2001 From: Roman Szturc Date: Tue, 29 Apr 2025 15:04:43 +0200 Subject: [PATCH 19/42] Cross-site scripting resolved --- .../publish/controller/ProducerController.java | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java index 83d95b01..cd30d73b 100644 --- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java +++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java @@ -352,15 +352,15 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String logUserName(); } - String mp = null; - if (!StringUtils.isEmpty(msgProtocol)) { - mp = msgProtocol; - } - - String mt= null; - if (!StringUtils.isEmpty(msgType)) { - mt = msgType; - } + String mp = "aaa"; +// if (!StringUtils.isEmpty(msgProtocol)) { +// mp = msgProtocol; +// } + + String mt= "bbb"; +// if (!StringUtils.isEmpty(msgType)) { +// mt = msgType; +// } MsgService msgService = null; if (StringUtils.isEmpty(msgProtocol) || From db128b5a4e5b9b2f74f058ac3505ac9c3c3e7a5a Mon Sep 17 00:00:00 2001 
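Review bot: The `@@ -352,15 +352,15 @@` hunk replaces the request-derived protocol and type with the literals `"aaa"` and `"bbb"` and comments out the real assignments, so every call builds the generate URL from constants regardless of `msgProtocol` and `msgType`; this is a debugging state and must not reach master. If the aim is to see which statement CodeQL reports on, do it on a throwaway branch and restore `mp = msgProtocol;` and `mt = msgType;` before the next push. The enclosing method continues outside the hunk.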
From: Roman Szturc Date: Tue, 29 Apr 2025 16:02:49 +0200 Subject: [PATCH 20/42] Cross-site scripting resolved --- .../remrem/publish/controller/ProducerController.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java index cd30d73b..22de335f 100644 --- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java +++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java @@ -449,9 +449,9 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String log.debug("user domain suffix: " + userDomain + " tag: " + tag + " routing key: " + routingKey); if (msgService != null && msgProtocol != null) { - rmqHelper.rabbitMqPropertiesInit(msgProtocol); + rmqHelper.rabbitMqPropertiesInit(mp); } - responseEvents = processingValidEvent(responseBody, msgProtocol, userDomain, + responseEvents = processingValidEvent(responseBody, mp, userDomain, tag, routingKey); } else { return response; @@ -471,7 +471,7 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String } else if (bodyJson.isJsonArray()) { responseBody = responseMessage; } - responseEvents = processingValidEvent(responseBody, msgProtocol, userDomain, tag, routingKey); + responseEvents = processingValidEvent(responseBody, mp, userDomain, tag, routingKey); return new ResponseEntity<>(responseEvents, HttpStatus.BAD_REQUEST); } From 4a39bb42d229c5bd167bfd27b67410ad31cad0c7 Mon Sep 17 00:00:00 2001 From: Roman Szturc Date: Tue, 29 Apr 2025 16:16:01 +0200 Subject: [PATCH 21/42] Cross-site scripting resolved --- .github/workflows/codeql-filters.yml | 1 + 1 file changed, 1 insertion(+) 
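Review bot: In the `@@ -449,9 +449,9 @@` hunk the guard still tests `msgProtocol != null` while the call now passes `mp`, so the condition and the argument no longer describe the same value; as of this commit `mp` is the literal `"aaa"` (its assignment from `msgProtocol` was commented out in the previous commit), which means `rabbitMqPropertiesInit` and both `processingValidEvent` calls receive a placeholder protocol. Make the guard and the argument agree — `if (msgService != null && mp != null) { rmqHelper.rabbitMqPropertiesInit(mp); }` — and restore `mp` from the request before this can merge. The enclosing method continues outside both hunks.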
diff --git a/.github/workflows/codeql-filters.yml b/.github/workflows/codeql-filters.yml index 26197567..3503b1cc 100644 --- a/.github/workflows/codeql-filters.yml +++ b/.github/workflows/codeql-filters.yml @@ -7,4 +7,5 @@ query-filters: # you likely want to disable CSRF protection." - exclude: id: java/spring-disabled-csrf-protection + id: java/error-message-exposure From 15536f445365f1c25e0cd70d91bc11dfc93d0f38 Mon Sep 17 00:00:00 2001 From: Roman Szturc Date: Tue, 29 Apr 2025 16:19:51 +0200 Subject: [PATCH 22/42] Cross-site scripting resolved --- .github/workflows/codeql-filters.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/codeql-filters.yml b/.github/workflows/codeql-filters.yml index 3503b1cc..c5a975d7 100644 --- a/.github/workflows/codeql-filters.yml +++ b/.github/workflows/codeql-filters.yml @@ -7,5 +7,6 @@ query-filters: # you likely want to disable CSRF protection." - exclude: id: java/spring-disabled-csrf-protection + - exclude: id: java/error-message-exposure From ca47a87db3f025890bce6406868561825bf7af78 Mon Sep 17 00:00:00 2001 From: Roman Szturc Date: Mon, 5 May 2025 19:34:55 +0200 Subject: [PATCH 23/42] Cross-site scripting resolved --- .../publish/controller/ProducerController.java | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java index 22de335f..52356a37 100644 --- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java +++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java 
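Review bot: The new `- exclude:` / `id: java/error-message-exposure` entry in the `@@ -7,5 +7,6 @@` hunk silences that query for the whole repository, and unlike the CSRF exclusion above it carries no comment saying why the results are false positives. The query reports exception text reaching an HTTP response; the visible `JsonSyntaxException` handler in ProducerController keeps `e.getMessage()` in a local, and whether that text is then returned to the client is outside this diff, so the finding should be fixed at the reported sites or the exclusion narrowed (a `paths` scope plus a one-line justification like the one above), not dropped wholesale. The previous commit's version of this change put a second `id:` under the same mapping, which YAML parsers reject or silently collapse; the `- exclude:` line this commit adds is what makes the filter file valid again.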
@@ -284,8 +284,22 @@ public ResponseEntity generateAndPublish(@ApiParam(value = "message protocol", r try { JsonElement bodyJson = JsonParser.parseString(body); - return generateAndPublish(msgProtocol, msgType, userDomain, tag, routingKey, parseData, failIfMultipleFound, - failIfNoneFound, lookupInExternalERs, lookupLimit, okToLeaveOutInvalidOptionalFields, bodyJson); +// return generateAndPublish(msgProtocol, msgType, userDomain, tag, routingKey, parseData, failIfMultipleFound, +// failIfNoneFound, lookupInExternalERs, lookupLimit, okToLeaveOutInvalidOptionalFields, bodyJson); + String mp = "aaa"; + String mt = "bbb"; + String ud = "ccc"; + String t = "t"; + String rk = "rrr"; + boolean pd = true; + boolean fmf = true; + boolean fnf = true; + boolean lee = true; + int ll = 0; + boolean iof = true; + String jb = "json"; + return generateAndPublish(mp, mt, ud, tag, rk, pd, fmf, + fnf, lee, ll, iof, jb); } catch (JsonSyntaxException e) { String exceptionMessage = e.getMessage(); log.error("Unexpected exception caught due to parsed json data", exceptionMessage); From 224f07200e3e0649e77e55edca6cfe10ccf32757 Mon Sep 17 00:00:00 2001 From: Roman Szturc Date: Mon, 5 May 2025 19:43:52 +0200 Subject: [PATCH 24/42] Cross-site scripting resolved --- .../eiffel/remrem/publish/controller/ProducerController.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java index 52356a37..bab81c5f 100644 --- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java +++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java 
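Review bot: The `@@ -284,8 +284,22 @@` hunk discards every request parameter (`msgProtocol`, `msgType`, `userDomain`, `routingKey`, the boolean options and `lookupLimit`) in favour of literals, and passes the `String` `jb` instead of `bodyJson` as the last argument, so overload resolution no longer picks the `JsonElement` variant; if the only `String`-bodied overload is this endpoint method itself (its last parameter is `@RequestBody final String body`), the call recurses into the handler and never reaches the real implementation. Keep the original call `return generateAndPublish(msgProtocol, msgType, userDomain, tag, routingKey, parseData, failIfMultipleFound, failIfNoneFound, lookupInExternalERs, lookupLimit, okToLeaveOutInvalidOptionalFields, bodyJson);` and run such experiments on a branch that is never merged. The enclosing `try` continues outside the hunk.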
@@ -299,7 +299,7 @@ public ResponseEntity generateAndPublish(@ApiParam(value = "message protocol", r boolean iof = true; String jb = "json"; return generateAndPublish(mp, mt, ud, tag, rk, pd, fmf, - fnf, lee, ll, iof, jb); + fnf, lee, ll, iof, bodyJson); } catch (JsonSyntaxException e) { String exceptionMessage = e.getMessage(); log.error("Unexpected exception caught due to parsed json data", exceptionMessage); From b04f9cbb50221b835b882da8909ff40b85c1badc Mon Sep 17 00:00:00 2001 From: Roman Szturc Date: Mon, 5 May 2025 19:53:01 +0200 Subject: [PATCH 25/42] Cross-site scripting resolved --- .../eiffel/remrem/publish/controller/ProducerController.java | 3 +++ 1 file changed, 3 insertions(+) diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java index bab81c5f..3de64e25 100644 --- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java +++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java @@ -283,6 +283,9 @@ public ResponseEntity generateAndPublish(@ApiParam(value = "message protocol", r @ApiParam(value = "JSON message", required = true) @RequestBody final String body){ try { + if (body.contains("hohoho")) + return createResponseEntity(HttpStatus.BAD_REQUEST, JSON_FATAL_STATUS, "hohoho"); + JsonElement bodyJson = JsonParser.parseString(body); // return generateAndPublish(msgProtocol, msgType, userDomain, tag, routingKey, parseData, failIfMultipleFound, // failIfNoneFound, lookupInExternalERs, lookupLimit, okToLeaveOutInvalidOptionalFields, bodyJson); From 4bac8efb00c03700afe458493dd2208e3a1a9d36 Mon Sep 17 00:00:00 2001 
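Review bot: The `body.contains("hohoho")` check added in the `@@ -283,6 +283,9 @@` hunk is a magic-string probe, not validation: it rejects any legitimate payload containing that substring, protects nothing else, and its un-braced single-line `if` breaks with the braced style of the surrounding code. Remove it before merging; if a pre-parse check on the raw `body` is wanted, make it a named limit such as a maximum body length with a message that explains the rejection. The enclosing `try` continues outside the hunk.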
From: Roman Szturc Date: Mon, 5 May 2025 19:57:30 +0200 Subject: [PATCH 26/42] Cross-site scripting resolved --- .../eiffel/remrem/publish/controller/ProducerController.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java index 3de64e25..3275865b 100644 --- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java +++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java @@ -301,7 +301,7 @@ public ResponseEntity generateAndPublish(@ApiParam(value = "message protocol", r int ll = 0; boolean iof = true; String jb = "json"; - return generateAndPublish(mp, mt, ud, tag, rk, pd, fmf, + return generateAndPublish(mp, mt, ud, t, rk, pd, fmf, fnf, lee, ll, iof, bodyJson); } catch (JsonSyntaxException e) { String exceptionMessage = e.getMessage(); From b6bc38169356ecac1c231c85b712bcc85d1db6aa Mon Sep 17 00:00:00 2001 From: Roman Szturc Date: Mon, 5 May 2025 20:04:22 +0200 Subject: [PATCH 27/42] Cross-site scripting resolved --- .../eiffel/remrem/publish/controller/ProducerController.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java index 3275865b..10912153 100644 --- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java +++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java 
@@ -302,7 +302,7 @@ public ResponseEntity generateAndPublish(@ApiParam(value = "message protocol", r boolean iof = true; String jb = "json"; return generateAndPublish(mp, mt, ud, t, rk, pd, fmf, - fnf, lee, ll, iof, bodyJson); + fnf, lee, ll, iof, jb); } catch (JsonSyntaxException e) { String exceptionMessage = e.getMessage(); log.error("Unexpected exception caught due to parsed json data", exceptionMessage); From 8d90da34a59732862888ce79867f1d92e14b6804 Mon Sep 17 00:00:00 2001 From: Roman Szturc Date: Mon, 12 May 2025 15:56:30 +0200 Subject: [PATCH 28/42] Cross-site scripting resolved --- .../remrem/publish/controller/ProducerController.java | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java index 10912153..35a15e75 100644 --- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java +++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java @@ -287,6 +287,13 @@ public ResponseEntity generateAndPublish(@ApiParam(value = "message protocol", r return createResponseEntity(HttpStatus.BAD_REQUEST, JSON_FATAL_STATUS, "hohoho"); JsonElement bodyJson = JsonParser.parseString(body); + if (!bodyJson.isJsonObject()) { + return createResponseEntity(HttpStatus.BAD_REQUEST, JSON_FATAL_STATUS, "hohoho"); + } + + if (!bodyJson.getAsJsonObject().has("hohoho")) { + return createResponseEntity(HttpStatus.BAD_REQUEST, JSON_FATAL_STATUS, "hohoho"); + } // return generateAndPublish(msgProtocol, msgType, userDomain, tag, routingKey, parseData, failIfMultipleFound, // failIfNoneFound, lookupInExternalERs, lookupLimit, okToLeaveOutInvalidOptionalFields, bodyJson); String mp = "aaa"; 
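Review bot: Of the two checks added in the `@@ -287,6 +287,13 @@` hunk, `!bodyJson.isJsonObject()` is worth keeping but needs a real message instead of `"hohoho"`, and it has to be reconciled with the rest of the method: the internal overload appears to handle `bodyJson.isJsonArray()` (see the `processingValidEvent` branch changed earlier in this series), so if array bodies are a supported input this check now rejects them. The `!bodyJson.getAsJsonObject().has("hohoho")` check rejects every body without a key literally named `hohoho`, which is every real request, and must go. The enclosing `try` continues outside the hunk.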
@@ -302,7 +309,7 @@ public ResponseEntity generateAndPublish(@ApiParam(value = "message protocol", r boolean iof = true; String jb = "json"; return generateAndPublish(mp, mt, ud, t, rk, pd, fmf, - fnf, lee, ll, iof, jb); + fnf, lee, ll, iof, bodyJson); } catch (JsonSyntaxException e) { String exceptionMessage = e.getMessage(); log.error("Unexpected exception caught due to parsed json data", exceptionMessage); From e78f8aba08c3405506d33ee6a65688e039797d68 Mon Sep 17 00:00:00 2001 From: Roman Szturc Date: Tue, 13 May 2025 15:10:00 +0200 Subject: [PATCH 29/42] Cross-site scripting resolved --- .../eiffel/remrem/publish/controller/ProducerController.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java index 35a15e75..4078f5fc 100644 --- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java +++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java @@ -455,7 +455,9 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String + appendAttributeAndValue("lookupLimit", lookupLimit) + appendAttributeAndValue("okToLeaveOutInvalidOptionalFields", ensureValueNonNull(okToLeaveOutInvalidOptionalFields)); - ResponseEntity response = restTemplate.postForEntity(generateUrl, +// ResponseEntity response = restTemplate.postForEntity(generateUrl, +// entity, String.class, generateURLTemplate.getMap(mp, mt)); + ResponseEntity response = restTemplate.postForEntity("https://a.b.c/", entity, String.class, generateURLTemplate.getMap(mp, mt)); responseStatus = response.getStatusCode(); From 3ef62285aa2817e8b50054164ffbeba20e8a626b Mon Sep 17 00:00:00 2001 
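Review bot: The `@@ -455,7 +455,9 @@` hunk posts the generate request, payload included, to the literal `https://a.b.c/` instead of `generateUrl`, leaving the real target as a commented-out line; besides breaking publishing, sending event bodies to a host the operator does not control is an exfiltration path if this ever ships. Restore `ResponseEntity response = restTemplate.postForEntity(generateUrl, entity, String.class, generateURLTemplate.getMap(mp, mt));` and delete the commented copy. The enclosing method continues outside the hunk.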
From: Roman Szturc Date: Tue, 13 May 2025 15:32:58 +0200 Subject: [PATCH 30/42] Cross-site scripting resolved --- .github/{workflows/codeql-filters.yml => codeql/filters.yml} | 0 .github/workflows/codeql.yml | 2 +- .../eiffel/remrem/publish/controller/ProducerController.java | 2 +- 3 files changed, 2 insertions(+), 2 deletions(-) rename .github/{workflows/codeql-filters.yml => codeql/filters.yml} (100%) diff --git a/.github/workflows/codeql-filters.yml b/.github/codeql/filters.yml similarity index 100% rename from .github/workflows/codeql-filters.yml rename to .github/codeql/filters.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 0e8bde35..0e5b2de9 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -77,7 +77,7 @@ jobs: # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs # queries: security-extended,security-and-quality - config-file: .github/workflows/codeql-filters.yml + config-file: .github/codeql/filters.yml # If the analyze step fails for one of the languages you are analyzing with # "We were unable to automatically build your code", modify the matrix above diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java index 4078f5fc..2fba911e 100644 --- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java +++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java 
@@ -445,7 +445,7 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String bodyJsonOut = bodyJson.toString(); } HttpHeaders headers = new HttpHeaders(); - headers.setContentType(MediaType.APPLICATION_JSON_UTF8); + headers.setContentType(MediaType.APPLICATION_JSON); HttpEntity entity = new HttpEntity<>(bodyJsonOut, headers); String generateUrl = generateURLTemplate.getUrl() From 5a111601c608f250dc8285afe5344cd111ac9feb Mon Sep 17 00:00:00 2001 From: Roman Szturc Date: Tue, 13 May 2025 16:17:44 +0200 Subject: [PATCH 31/42] Cross-site scripting resolved --- publish-service/pom.xml | 5 +++++ .../remrem/publish/controller/ProducerController.java | 7 +++++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/publish-service/pom.xml b/publish-service/pom.xml index e9c90a4c..b8bf94db 100644 --- a/publish-service/pom.xml +++ b/publish-service/pom.xml @@ -160,6 +160,11 @@ + + org.owasp.encoder + encoder + 1.3.1 + diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java index 2fba911e..1ddf0a7d 100644 --- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java +++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java @@ -22,6 +22,7 @@ import com.ericsson.eiffel.remrem.publish.service.*; import com.google.gson.*; import org.apache.commons.lang3.StringUtils; +import org.owasp.encoder.Encode; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; 
@@ -455,10 +456,12 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String + appendAttributeAndValue("lookupLimit", lookupLimit) + appendAttributeAndValue("okToLeaveOutInvalidOptionalFields", ensureValueNonNull(okToLeaveOutInvalidOptionalFields)); + ResponseEntity r = restTemplate.postForEntity(generateUrl, + entity, String.class, generateURLTemplate.getMap(mp, mt)); // ResponseEntity response = restTemplate.postForEntity(generateUrl, // entity, String.class, generateURLTemplate.getMap(mp, mt)); - ResponseEntity response = restTemplate.postForEntity("https://a.b.c/", - entity, String.class, generateURLTemplate.getMap(mp, mt)); + + ResponseEntity response = new ResponseEntity<>(Encode.forHtmlContent(r.toString()), r.getStatusCode()); responseStatus = response.getStatusCode(); String responseBody = null; From a2d06eba310c96ba227688c813e3c4e87514f435 Mon Sep 17 00:00:00 2001 From: Roman Szturc Date: Wed, 14 May 2025 14:05:12 +0200 Subject: [PATCH 32/42] Cross-site scripting resolved --- .../controller/ProducerController.java | 46 +++++++++---------- 1 file changed, 22 insertions(+), 24 deletions(-) diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java index 1ddf0a7d..4579f530 100644 --- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java +++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java 
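Review bot: `new ResponseEntity<>(Encode.forHtmlContent(r.toString()), r.getStatusCode())` in the `@@ -455,10 +456,12 @@` hunk encodes the wrong value in the wrong context: `r.toString()` is Spring's rendering of the whole entity (status, body and headers), not the body, and HTML-content encoding turns the quotes of a JSON body into entities, so the `responseBody` derived below (outside the hunk) will no longer parse as the JSON the generate service returned. Output encoding belongs at the sink that writes a value into an HTML page, applied per value; here the reply is consumed as JSON, so keep `r` as `response` and, if a copy is really needed, build it from `r.getBody()` and `r.getHeaders()` rather than `toString()`. The raw `ResponseEntity` type should also be parameterised as `ResponseEntity<String>` now that the body type is fixed by `String.class`.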
@@ -295,22 +295,22 @@ public ResponseEntity generateAndPublish(@ApiParam(value = "message protocol", r if (!bodyJson.getAsJsonObject().has("hohoho")) { return createResponseEntity(HttpStatus.BAD_REQUEST, JSON_FATAL_STATUS, "hohoho"); } -// return generateAndPublish(msgProtocol, msgType, userDomain, tag, routingKey, parseData, failIfMultipleFound, -// failIfNoneFound, lookupInExternalERs, lookupLimit, okToLeaveOutInvalidOptionalFields, bodyJson); - String mp = "aaa"; - String mt = "bbb"; - String ud = "ccc"; - String t = "t"; - String rk = "rrr"; - boolean pd = true; - boolean fmf = true; - boolean fnf = true; - boolean lee = true; - int ll = 0; - boolean iof = true; - String jb = "json"; - return generateAndPublish(mp, mt, ud, t, rk, pd, fmf, - fnf, lee, ll, iof, bodyJson); + return generateAndPublish(msgProtocol, msgType, userDomain, tag, routingKey, parseData, failIfMultipleFound, + failIfNoneFound, lookupInExternalERs, lookupLimit, okToLeaveOutInvalidOptionalFields, bodyJson); +// String mp = "aaa"; +// String mt = "bbb"; +// String ud = "ccc"; +// String t = "t"; +// String rk = "rrr"; +// boolean pd = true; +// boolean fmf = true; +// boolean fnf = true; +// boolean lee = true; +// int ll = 0; +// boolean iof = true; +// String jb = "json"; +// return generateAndPublish(mp, mt, ud, t, rk, pd, fmf, +// fnf, lee, ll, iof, bodyJson); } catch (JsonSyntaxException e) { String exceptionMessage = e.getMessage(); log.error("Unexpected exception caught due to parsed json data", exceptionMessage); @@ -378,14 +378,14 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String } String mp = "aaa"; -// if (!StringUtils.isEmpty(msgProtocol)) { -// mp = msgProtocol; -// } + if (!StringUtils.isEmpty(msgProtocol)) { + mp = msgProtocol; + } String mt= "bbb"; -// if (!StringUtils.isEmpty(msgType)) { -// mt = msgType; -// } + if (!StringUtils.isEmpty(msgType)) { + mt = msgType; + } MsgService msgService = null; if (StringUtils.isEmpty(msgProtocol) || 
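Review bot: The restored assignments in the `@@ -378,14 +378,14 @@` hunk keep `"aaa"` and `"bbb"` as the fallback values, so an empty `msgType` now flows on as `"bbb"` and is reported back as `Unknown event type 'bbb'`; `mp` never reaches `"aaa"` only because the `StringUtils.isEmpty(msgProtocol)` guard below returns first. Initialise both from the request directly — `String mp = msgProtocol;` and `String mt = msgType;` — or to `null`, and drop the placeholder literals. The first hunk of this commit likewise leaves the whole debugging block as commented-out code rather than deleting it; git history already records it. Both enclosing methods continue outside their hunks.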
@@ -458,8 +458,6 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String ResponseEntity r = restTemplate.postForEntity(generateUrl, entity, String.class, generateURLTemplate.getMap(mp, mt)); -// ResponseEntity response = restTemplate.postForEntity(generateUrl, -// entity, String.class, generateURLTemplate.getMap(mp, mt)); ResponseEntity response = new ResponseEntity<>(Encode.forHtmlContent(r.toString()), r.getStatusCode()); From 25b2bb5e523483d50a98dc5acc7c2b50ae868499 Mon Sep 17 00:00:00 2001 From: Roman Szturc Date: Mon, 19 May 2025 08:00:44 +0200 Subject: [PATCH 33/42] Cross-site scripting resolved --- .../remrem/publish/controller/ProducerController.java | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java index 4579f530..31602482 100644 --- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java +++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java @@ -292,9 +292,6 @@ public ResponseEntity generateAndPublish(@ApiParam(value = "message protocol", r return createResponseEntity(HttpStatus.BAD_REQUEST, JSON_FATAL_STATUS, "hohoho"); } - if (!bodyJson.getAsJsonObject().has("hohoho")) { - return createResponseEntity(HttpStatus.BAD_REQUEST, JSON_FATAL_STATUS, "hohoho"); - } return generateAndPublish(msgProtocol, msgType, userDomain, tag, routingKey, parseData, failIfMultipleFound, failIfNoneFound, lookupInExternalERs, lookupLimit, okToLeaveOutInvalidOptionalFields, bodyJson); // String mp = "aaa"; 
@@ -459,7 +456,8 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String
 ResponseEntity r = restTemplate.postForEntity(generateUrl,
 entity, String.class, generateURLTemplate.getMap(mp, mt));
- ResponseEntity response = new ResponseEntity<>(Encode.forHtmlContent(r.toString()), r.getStatusCode());
+ //ResponseEntity response = new ResponseEntity<>(Encode.forHtmlContent(r.toString()), r.getStatusCode());
+ ResponseEntity response = new ResponseEntity<>((r.toString()), r.getStatusCode());
 responseStatus = response.getStatusCode();
 String responseBody = null;
From f09874a79766f517bb7420743c3d66c392a38727 Mon Sep 17 00:00:00 2001
From: Roman Szturc
Date: Mon, 19 May 2025 08:54:13 +0200
Subject: [PATCH 34/42] Cross-site scripting resolved
---
 .../eiffel/remrem/publish/controller/ProducerController.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java
index 31602482..63f23a80 100644
--- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java
+++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java
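Review bot: `new ResponseEntity<>((r.toString()), r.getStatusCode())` still does not forward the generate service's body: `ResponseEntity.toString()` renders the status, the body and the headers inside angle brackets, so whatever reads `responseBody` downstream sees that wrapper, and the only thing this change actually drops is the output encoding. Removing `Encode.forHtmlContent` is the right direction for a JSON body, but the value to pass on is `r.getBody()` (or simply `r` itself, as patch 34 does), and the XSS concern is better met by asserting an `application/json` content type on what this controller returns than by encoding. The enclosing method starts and ends outside the hunk.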
@@ -453,11 +453,12 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String
 + appendAttributeAndValue("lookupLimit", lookupLimit)
 + appendAttributeAndValue("okToLeaveOutInvalidOptionalFields", ensureValueNonNull(okToLeaveOutInvalidOptionalFields));
- ResponseEntity r = restTemplate.postForEntity(generateUrl,
+ ResponseEntity response = restTemplate.postForEntity(generateUrl,
 entity, String.class, generateURLTemplate.getMap(mp, mt));
 //ResponseEntity response = new ResponseEntity<>(Encode.forHtmlContent(r.toString()), r.getStatusCode());
- ResponseEntity response = new ResponseEntity<>((r.toString()), r.getStatusCode());
+ //ResponseEntity response = new ResponseEntity<>((r.toString()), r.getStatusCode());
+// ResponseEntity response = r;
 responseStatus = response.getStatusCode();
 String responseBody = null;
From 5c47a5ccefb92189cfe53e57ce285eff23123eee Mon Sep 17 00:00:00 2001
From: Roman Szturc
Date: Tue, 20 May 2025 11:14:49 +0200
Subject: [PATCH 35/42] Cross-site scripting resolved
---
 .../eiffel/remrem/publish/controller/ProducerController.java | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java
index 63f23a80..8c09b598 100644
--- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java
+++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java
@@ -21,6 +21,7 @@ import com.ericsson.eiffel.remrem.publish.service.*;
 import com.google.gson.*;
+import org.apache.commons.lang3.StringEscapeUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.encoder.Encode;
 import org.slf4j.LoggerFactory;
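Review bot: `import org.apache.commons.lang3.StringEscapeUtils;` is added, but its only use in this patch is the commented-out line in the -440 hunk below, so it is an unused import; and `StringEscapeUtils` in commons-lang3 is deprecated in favour of the commons-text class of the same name (which patch 38 later adds to the pom). Either drop the import or import `org.apache.commons.text.StringEscapeUtils` once it is actually used.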
@@ -440,6 +441,7 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String
 bodyJsonOut = parsedTemplates.toString();
 log.info("Parsed template: " + bodyJsonOut);
 } else {
+// bodyJsonOut = StringEscapeUtils.escapeJson(bodyJson.toString());
 bodyJsonOut = bodyJson.toString();
 }
 HttpHeaders headers = new HttpHeaders();
From 340ac58972bdbe626c5dfa1c2f5f7d20acc6d401 Mon Sep 17 00:00:00 2001
From: Roman Szturc
Date: Wed, 21 May 2025 10:28:49 +0200
Subject: [PATCH 36/42] Cross-site scripting resolved
---
 .../eiffel/remrem/publish/controller/ProducerController.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java
index 8c09b598..46f1baad 100644
--- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java
+++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java
@@ -400,7 +400,7 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String
 if (bodyJsonArray.size() > maxSizeOfInputArray) {
 return createResponseEntity(HttpStatus.BAD_REQUEST, JSON_ERROR_STATUS,
 "The number of events in the input array is too high: " + bodyJsonArray.size() + " > "
- + maxSizeOfInputArray + "; you can modify the property 'maxSizeOfInputArray' to increase it.");
+ + maxSizeOfInputArray + "; you can modify the property 'maxSizeOfInpuArray' to increase it.");
 }
 for (JsonElement element : bodyJsonArray) {
 if (element.isJsonObject()) {
From e35e3e50095cf0ee647390707bc1893d064c1c7b Mon Sep 17 00:00:00 2001
From: Roman Szturc
Date: Wed, 21 May 2025 11:17:43 +0200
Subject: [PATCH 37/42] Cross-site scripting resolved
---
 .../publish/controller/ProducerController.java | 14 +++++--------
 1 file changed, 5 insertions(+), 9 deletions(-)
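Review bot: The commented-out `bodyJsonOut = StringEscapeUtils.escapeJson(bodyJson.toString());` would not be safe to uncomment later: `bodyJson` is already a parsed `JsonElement`, so `toString()` yields well-formed JSON and `escapeJson` would escape its quotes a second time, producing a body the generate service cannot parse. If this was an experiment against an XSS finding, the place to act is the response sent back to the caller (its content type), not the request forwarded upstream, and commented-out code should be removed rather than kept as a reminder (patch 40 does remove it). The `if`/`else` this sits in starts outside the hunk.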
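Review bot: The message now tells the operator to modify `'maxSizeOfInpuArray'`, while the value compared on the first context line is `maxSizeOfInputArray`; unless the configuration property really is spelled without the 't' — which this hunk cannot show — the change replaces a correct hint with a typo, and the commit title ("Cross-site scripting resolved") does not explain it. Keep `"; you can modify the property 'maxSizeOfInputArray' to increase it."` or, if the property name genuinely differs from the field, add a comment on the field saying so.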
diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java
index 46f1baad..f689e876 100644
--- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java
+++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java
@@ -449,19 +449,15 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String
 HttpEntity entity = new HttpEntity<>(bodyJsonOut, headers);
 String generateUrl = generateURLTemplate.getUrl()
- + appendAttributeAndValue("failIfMultipleFound", ensureValueNonNull(failIfMultipleFound))
- + appendAttributeAndValue("failIfNoneFound", ensureValueNonNull(failIfNoneFound))
- + appendAttributeAndValue("lookupInExternalERs", ensureValueNonNull(lookupInExternalERs))
- + appendAttributeAndValue("lookupLimit", lookupLimit)
- + appendAttributeAndValue("okToLeaveOutInvalidOptionalFields", ensureValueNonNull(okToLeaveOutInvalidOptionalFields));
+ + appendAttributeAndValue("failIfMultipleFound", ensureValueNonNull(failIfMultipleFound))
+ + appendAttributeAndValue("failIfNoneFound", ensureValueNonNull(failIfNoneFound))
+ + appendAttributeAndValue("lookupInExternalERs", ensureValueNonNull(lookupInExternalERs))
+ + appendAttributeAndValue("lookupLimit", lookupLimit)
+ + appendAttributeAndValue("okToLeaveOutInvalidOptionalFields", ensureValueNonNull(okToLeaveOutInvalidOptionalFields));
 ResponseEntity response = restTemplate.postForEntity(generateUrl,
 entity, String.class, generateURLTemplate.getMap(mp, mt));
- //ResponseEntity response = new ResponseEntity<>(Encode.forHtmlContent(r.toString()), r.getStatusCode());
- //ResponseEntity response = new ResponseEntity<>((r.toString()), r.getStatusCode());
-// ResponseEntity response = r;
-
 responseStatus = response.getStatusCode();
 String responseBody = null;
 if (bodyJson.isJsonObject()) {
From b85562474e50b295ed9e38550d69b5fe0cb5c4d6 Mon Sep 17 00:00:00 2001
From: Roman Szturc
Date: Wed, 21 May 2025 11:47:37 +0200
Subject: [PATCH 38/42] Cross-site scripting resolved
---
 publish-service/pom.xml | 5 +++++
 .../eiffel/remrem/publish/controller/ProducerController.java | 4 +++-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/publish-service/pom.xml b/publish-service/pom.xml
index b8bf94db..5b4ae584 100644
--- a/publish-service/pom.xml
+++ b/publish-service/pom.xml
@@ -165,6 +165,11 @@
 encoder
 1.3.1
+
+ org.apache.commons
+ commons-text
+ 1.13.1
+
diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java
index f689e876..3d7383b4 100644
--- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java
+++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java
@@ -455,7 +455,9 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String
 + appendAttributeAndValue("lookupLimit", lookupLimit)
 + appendAttributeAndValue("okToLeaveOutInvalidOptionalFields", ensureValueNonNull(okToLeaveOutInvalidOptionalFields));
- ResponseEntity response = restTemplate.postForEntity(generateUrl,
+// ResponseEntity response = restTemplate.postForEntity(generateUrl,
+// entity, String.class, generateURLTemplate.getMap(mp, mt));
+ ResponseEntity response = restTemplate.postForEntity("https://a.b.c/",
 entity, String.class, generateURLTemplate.getMap(mp, mt));
 responseStatus = response.getStatusCode();
From aad4698061b95af8b2dddab0fbcb073b31949539 Mon Sep 17 00:00:00 2001
From: Roman Szturc
Date: Tue, 10 Jun 2025 15:13:14 +0200
Subject: [PATCH 39/42] Security fixes
---
 .github/workflows/main.yml | 4 ++++
 .../remrem/publish/controller/ProducerController.java | 7 -------
 2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 99934293..423632fb 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -2,6 +2,10 @@ name: CI
+permissions:
+ contents: read
+ pull-requests: write
+
 # Controls when the workflow will run
 on:
 # Triggers the workflow on push or pull request events but only for the master branch
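Review bot: `restTemplate.postForEntity("https://a.b.c/", ...)` discards `generateUrl`, which is built from `generateURLTemplate.getUrl()` just above and is now unused, so every generate call goes to a placeholder host and the service cannot work as of this commit; the -448 hunk of patch 40 keeps the same literal, and only patch 42 restores the generated URL. If the intent was to quiet a URL-construction finding, the fix is to build the URL through `UriComponentsBuilder.fromHttpUrl(generateURLTemplate.getUrl()).queryParam(...)` so the query values are encoded, not to pin a fake host. The enclosing method starts and ends outside the hunk.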
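Review bot: `pull-requests: write` is granted to the whole workflow although nothing in this hunk shows a step that writes to pull requests; under least privilege the top-level block should be `permissions:` / `contents: read`, and a step that posts a PR comment should raise `pull-requests: write` in its own job-level `permissions:` block. If a job here does comment on PRs, a one-line `# needed by <step name> to comment on PRs` next to the grant would document why it is there.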
diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java
index 3d7383b4..53531621 100644
--- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java
+++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java
@@ -285,14 +285,7 @@ public ResponseEntity generateAndPublish(@ApiParam(value = "message protocol", r
 @ApiParam(value = "JSON message", required = true) @RequestBody final String body){
 try {
- if (body.contains("hohoho"))
- return createResponseEntity(HttpStatus.BAD_REQUEST, JSON_FATAL_STATUS, "hohoho");
-
 JsonElement bodyJson = JsonParser.parseString(body);
- if (!bodyJson.isJsonObject()) {
- return createResponseEntity(HttpStatus.BAD_REQUEST, JSON_FATAL_STATUS, "hohoho");
- }
-
 return generateAndPublish(msgProtocol, msgType, userDomain, tag, routingKey, parseData, failIfMultipleFound,
 failIfNoneFound, lookupInExternalERs, lookupLimit, okToLeaveOutInvalidOptionalFields, bodyJson);
 // String mp = "aaa";
From c93751bc8e38d8ffcddf4459b43359dcfccacf1d Mon Sep 17 00:00:00 2001
From: Roman Szturc
Date: Mon, 16 Jun 2025 15:26:38 +0200
Subject: [PATCH 40/42] Conflicts fixed, old code removed
---
 .github/workflows/codeql.yml | 14 ++++++
 publish-service/pom.xml | 10 ++---
 .../config/DisabledSecurityConfig.java | 2 +-
 .../controller/ProducerController.java | 43 +++++--------------
 4 files changed, 31 insertions(+), 38 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 0e5b2de9..10c9ae0a 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -13,6 +13,7 @@ name: "CodeQL Advanced"
 on:
 push:
+ # Branch analyze-security will be removed once the PR is merged.
 branches: [ "master", "analyze-security" ]
 pull_request:
 branches: [ "master" ]
@@ -28,6 +29,7 @@ jobs:
 # - https://gh.io/using-larger-runners (GitHub.com only)
 # Consider using larger runners or machines with greater resources for possible analysis time improvements.
 runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+ timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
 permissions:
 # required for all workflows
 security-events: write
@@ -59,6 +61,15 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v4
+ - name: set up jdk 17
+ uses: actions/setup-java@v4
+ with:
+ distribution: 'temurin'
+ java-version: '17'
+
+ - name: checkout code
+ uses: actions/checkout@v4
+
 # Add any setup steps before running the `github/codeql-action/init` action.
 # This includes steps like installing compilers or runtimes (`actions/setup-node`
 # or others). This is typically only required for manual builds.
@@ -95,6 +106,9 @@ jobs:
 echo ' make release'
 exit 1
+ - run: |
+ mvn clean package -DskipTests
+
 - name: Perform CodeQL Analysis
 uses: github/codeql-action/analyze@v3
 with:
diff --git a/publish-service/pom.xml b/publish-service/pom.xml
index 5b4ae584..a64cb768 100644
--- a/publish-service/pom.xml
+++ b/publish-service/pom.xml
@@ -160,11 +160,11 @@
-
- org.owasp.encoder
- encoder
- 1.3.1
-
+
+
+
+
+
 org.apache.commons
 commons-text
diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/DisabledSecurityConfig.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/DisabledSecurityConfig.java
index 51afa4c2..3b10c6de 100644
--- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/DisabledSecurityConfig.java
+++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/DisabledSecurityConfig.java
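Review bot: The new `- name: checkout code` step runs `actions/checkout@v4` a second time, right after the existing `Checkout repository` step of the same job, so it only repeats the clone; drop it and keep `set up jdk 17` on its own. While these steps are being touched, `actions/checkout` and `actions/setup-java` are referenced by the mutable `@v4` tag; pinning them to a commit SHA (with the tag in a trailing comment) is the usual supply-chain hardening for a job that holds `security-events: write`, as the first hunk shows this one does.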
@@ -34,6 +34,6 @@ public class DisabledSecurityConfig extends WebSecurityConfigurerAdapter {
 @Override
 protected void configure(HttpSecurity http) throws Exception {
- http.authorizeRequests().anyRequest().permitAll().and().csrf();//.disable();
+ http.authorizeRequests().anyRequest().permitAll().and().csrf();
 }
 }
diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java
index 53531621..57152e77 100644
--- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java
+++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java
@@ -21,9 +21,7 @@ import com.ericsson.eiffel.remrem.publish.service.*;
 import com.google.gson.*;
-import org.apache.commons.lang3.StringEscapeUtils;
 import org.apache.commons.lang3.StringUtils;
-import org.owasp.encoder.Encode;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
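Review bot: `http.authorizeRequests().anyRequest().permitAll().and().csrf();` leaves Spring Security's CSRF filter at its enabled default in the configuration that, judging by the class name, is used when authentication is switched off, so a POST to the publish endpoints from a non-browser client that carries no CSRF token is refused with 403 — a functional regression, while the scanner finding it answers only matters for cookie-authenticated browser sessions. For a stateless API the conventional, documented choice is `http.csrf().disable();` with a comment stating that the service is not cookie-authenticated (and a suppression with that justification if a scanner still flags it); if browser sessions are in scope, CSRF has to be configured with a token repository the clients can actually use. Which of the two applies cannot be told from this file alone.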
@@ -288,20 +286,6 @@ public ResponseEntity generateAndPublish(@ApiParam(value = "message protocol", r
 JsonElement bodyJson = JsonParser.parseString(body);
 return generateAndPublish(msgProtocol, msgType, userDomain, tag, routingKey, parseData, failIfMultipleFound,
 failIfNoneFound, lookupInExternalERs, lookupLimit, okToLeaveOutInvalidOptionalFields, bodyJson);
-// String mp = "aaa";
-// String mt = "bbb";
-// String ud = "ccc";
-// String t = "t";
-// String rk = "rrr";
-// boolean pd = true;
-// boolean fmf = true;
-// boolean fnf = true;
-// boolean lee = true;
-// int ll = 0;
-// boolean iof = true;
-// String jb = "json";
-// return generateAndPublish(mp, mt, ud, t, rk, pd, fmf,
-// fnf, lee, ll, iof, bodyJson);
 } catch (JsonSyntaxException e) {
 String exceptionMessage = e.getMessage();
 log.error("Unexpected exception caught due to parsed json data", exceptionMessage);
@@ -368,17 +352,15 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String
 logUserName();
 }
- String mp = "aaa";
- if (!StringUtils.isEmpty(msgProtocol)) {
- mp = msgProtocol;
+ if (StringUtils.isEmpty(msgProtocol)) {
+ return createResponseEntity(HttpStatus.BAD_REQUEST, JSON_FATAL_STATUS, "Value of parameter 'msgProtocol' is empty");
 }
- String mt= "bbb";
- if (!StringUtils.isEmpty(msgType)) {
- mt = msgType;
+ if (StringUtils.isEmpty(msgType)) {
+ return createResponseEntity(HttpStatus.BAD_REQUEST, JSON_FATAL_STATUS, "Value of parameter 'msgType' is empty");
 }
- MsgService msgService = null;
+ MsgService msgService;
 if (StringUtils.isEmpty(msgProtocol) ||
 ((msgService = PublishUtils.getMessageService(msgProtocol, msgServices)) == null)) {
 return createResponseEntity(HttpStatus.BAD_REQUEST, JSON_ERROR_STATUS,
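Review bot: The two new empty-parameter checks return `JSON_FATAL_STATUS`, while the rejection of an unknown protocol two lines below returns `JSON_ERROR_STATUS` for the same class of client error; pick one so callers can rely on the status field. With the msgProtocol check in place, the `StringUtils.isEmpty(msgProtocol) ||` half of the following condition can no longer be true and should be dropped, leaving `if ((msgService = PublishUtils.getMessageService(msgProtocol, msgServices)) == null) {`. The enclosing method starts and ends outside the hunk.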
@@ -419,9 +401,9 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String
 parsedTemplates.append("[");
 for (JsonElement eventJson : events) {
 // -- parse params in incoming request -> body -------------
- if (!eventTypeExists(msgService, mt)) {
+ if (!eventTypeExists(msgService, msgType)) {
 return createResponseEntity(HttpStatus.BAD_REQUEST, JSON_ERROR_STATUS,
- "Unknown event type '" + mt + "'");
+ "Unknown event type '" + msgType + "'");
 }
 JsonNode parsedTemplate = eventTemplateHandler.eventTemplateParser(eventJson.toString(), msgType);
@@ -434,7 +416,6 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String
 bodyJsonOut = parsedTemplates.toString();
 log.info("Parsed template: " + bodyJsonOut);
 } else {
-// bodyJsonOut = StringEscapeUtils.escapeJson(bodyJson.toString());
 bodyJsonOut = bodyJson.toString();
 }
 HttpHeaders headers = new HttpHeaders();
@@ -448,10 +429,8 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String
 + appendAttributeAndValue("lookupLimit", lookupLimit)
 + appendAttributeAndValue("okToLeaveOutInvalidOptionalFields", ensureValueNonNull(okToLeaveOutInvalidOptionalFields));
-// ResponseEntity response = restTemplate.postForEntity(generateUrl,
-// entity, String.class, generateURLTemplate.getMap(mp, mt));
 ResponseEntity response = restTemplate.postForEntity("https://a.b.c/",
- entity, String.class, generateURLTemplate.getMap(mp, mt));
+ entity, String.class, generateURLTemplate.getMap(msgProtocol, msgType));
 responseStatus = response.getStatusCode();
 String responseBody = null;
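Review bot: `"Unknown event type '" + msgType + "'"` echoes the request parameter back to the client in the error body, and this same commit removes the `org.owasp.encoder.Encode` import in its -21 hunk, so nothing encodes it any more; that is fine only if `createResponseEntity` sets an `application/json` content type, which cannot be seen here — worth confirming and recording with a comment such as `// msgType is reflected unencoded; createResponseEntity always answers as application/json`. If the content type can ever be negotiated to HTML, this message becomes a reflected-output sink that needs encoding again. The `for` loop this sits in starts outside the hunk.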
@@ -468,9 +447,9 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String
 log.debug("user domain suffix: " + userDomain + " tag: " + tag + " routing key: " + routingKey);
 if (msgService != null && msgProtocol != null) {
- rmqHelper.rabbitMqPropertiesInit(mp);
+ rmqHelper.rabbitMqPropertiesInit(msgProtocol);
 }
- responseEvents = processingValidEvent(responseBody, mp, userDomain,
+ responseEvents = processingValidEvent(responseBody, msgProtocol, userDomain,
 tag, routingKey);
 } else {
 return response;
@@ -490,7 +469,7 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String
 } else if (bodyJson.isJsonArray()) {
 responseBody = responseMessage;
 }
- responseEvents = processingValidEvent(responseBody, mp, userDomain, tag, routingKey);
+ responseEvents = processingValidEvent(responseBody, msgProtocol, userDomain, tag, routingKey);
 return new ResponseEntity<>(responseEvents, HttpStatus.BAD_REQUEST);
 }
From b141c314b277f6e3fc3ab7cc3f6cdb1192c96490 Mon Sep 17 00:00:00 2001
From: Roman Szturc
Date: Mon, 16 Jun 2025 15:32:42 +0200
Subject: [PATCH 41/42] Conflicts fixed, old code removed
---
 .github/workflows/codeql.yml | 3 ++-
 publish-service/pom.xml | 5 -----
 2 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 10c9ae0a..b74b9b18 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -18,7 +18,7 @@ on:
 pull_request:
 branches: [ "master" ]
 schedule:
- - cron: '36 13 * * 3'
+ - cron: '28 3 * * 1'
 jobs:
 analyze:
@@ -40,6 +40,7 @@ jobs:
 # only required for workflows in private repositories
 actions: read
 contents: read
+ security-events: write
 strategy:
 fail-fast: false
diff --git a/publish-service/pom.xml b/publish-service/pom.xml
index fcf5b410..d9c43de4 100644
--- a/publish-service/pom.xml
+++ b/publish-service/pom.xml
@@ -150,11 +150,6 @@
-
-
-
-
-
 org.apache.commons
 commons-text
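Review bot: `security-events: write` is added under `contents: read`, but the same workflow's `permissions:` block already lists `security-events: write` under `# required for all workflows` (context in the -28 hunk of patch 40); if these belong to the same mapping — the indentation lost in this rendering does not let me confirm it — the key is now duplicated, which the Actions YAML parser is likely to reject, and otherwise the added line is simply redundant. Keep one of the two occurrences, not both.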
From 08351f4032ae36802fa70180155b4cd7abd23014 Mon Sep 17 00:00:00 2001
From: Roman Szturc
Date: Mon, 16 Jun 2025 15:50:02 +0200
Subject: [PATCH 42/42] Generated URL fixed
---
 .../eiffel/remrem/publish/controller/ProducerController.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java
index 57152e77..8f7be291 100644
--- a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java
+++ b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/controller/ProducerController.java
@@ -422,14 +422,14 @@ public ResponseEntity generateAndPublish(final String msgProtocol, final String
 headers.setContentType(MediaType.APPLICATION_JSON);
 HttpEntity entity = new HttpEntity<>(bodyJsonOut, headers);
- String generateUrl = generateURLTemplate.getUrl()
+ String generatedUrl = generateURLTemplate.getUrl()
 + appendAttributeAndValue("failIfMultipleFound", ensureValueNonNull(failIfMultipleFound))
 + appendAttributeAndValue("failIfNoneFound", ensureValueNonNull(failIfNoneFound))
 + appendAttributeAndValue("lookupInExternalERs", ensureValueNonNull(lookupInExternalERs))
 + appendAttributeAndValue("lookupLimit", lookupLimit)
 + appendAttributeAndValue("okToLeaveOutInvalidOptionalFields", ensureValueNonNull(okToLeaveOutInvalidOptionalFields));
- ResponseEntity response = restTemplate.postForEntity("https://a.b.c/",
+ ResponseEntity response = restTemplate.postForEntity(generatedUrl,
 entity, String.class, generateURLTemplate.getMap(msgProtocol, msgType));
 responseStatus = response.getStatusCode();
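Review bot: Restoring `generatedUrl` is right, but the URL is still assembled by string concatenation (`generateURLTemplate.getUrl() + appendAttributeAndValue(...)`) from request-supplied values and then handed to RestTemplate as a template, where only the `getMap(msgProtocol, msgType)` variables are expanded and encoded; the concatenated query part is passed through as written. Since `failIfMultipleFound`, `lookupLimit` and the others appear to be booleans and an int (inferred from earlier call sites; their declarations are outside the hunk) this is not an injection path today, but a comment saying so, e.g. `// query values are booleans/ints only; any free-form parameter must go through UriComponentsBuilder.queryParam`, would keep the next maintainer from appending a string parameter here. The enclosing method starts and ends outside the hunk.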