Senitization for CSS Vulnerability

Issue-Id : ACUMOS-1650
Description : Senitization for CSS Vulnerability - Design Studio

Change-Id: If8fd4b9b06f884219d93881f7922421870de8e3d
Signed-off-by: Ramanaiah Pirla <RP00490596@techmahindra.com>

docs/release-notes.rst

@@ -27,6 +27,7 @@ repository as a jar file.
 1.40.3-SNAPSHOT, 2018-11-13
 ---------------------------
 * ACUMOS-1969 : Default CDS startup check interval too short, attempts too few; pls increase
+* ACUMOS-1650 : Senitization for CSS Vulnerability
 
 1.40.2-SNAPSHOT, 2018-10-12
 ---------------------------

ds-compositionengine/pom.xml

@@ -145,7 +145,12 @@
 			<groupId>com.github.docker-java</groupId>
 			<artifactId>docker-java</artifactId>
 			<version>3.0.10</version>
-		</dependency>		
+		</dependency>
+		<dependency>
+		 	<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
+		 	<artifactId>owasp-java-html-sanitizer</artifactId>
+		 	<version>20180219.1</version>
+		</dependency>	
 	</dependencies>
 	<build>
 		<resources>

ds-compositionengine/src/main/java/org/acumos/designstudio/ce/controller/ArtfactDetailsController.java

@@ -25,6 +25,7 @@
 import org.acumos.designstudio.ce.service.IAcumosCatalog;
 import org.acumos.designstudio.ce.util.EELFLoggerDelegator;
 import org.acumos.designstudio.ce.util.Properties;
+import org.acumos.designstudio.ce.util.SanitizeUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
@@ -66,7 +67,7 @@ public String fetchJsonTOSCA(@RequestParam(value = "userId", required = true) St
 		logger.debug(EELFLoggerDelegator.debugLogger, "fetchJsonTOSCA() : Begin");
 		String result = "";
 		try {
-			result = iacumosCatalog.readArtifact(userId, solutionId, version, props.getArtifactType().trim());
+			result = iacumosCatalog.readArtifact(userId, SanitizeUtils.sanitize(solutionId), version, props.getArtifactType().trim());
 
 			if (result == null || result.isEmpty()) {
 				response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
@@ -102,7 +103,7 @@ public String fetchProtoBufJSON(@RequestParam(value = "userId", required = true)
 		String resultTemplate = "{\"protobuf_json\" : %s,\n \"success\" : \"%s\",\n \"errorMessage\" : \"%s\"}";
 		String result = "";
 		try {
-			result = iacumosCatalog.readArtifact(userId, solutionId, version, props.getProtoArtifactType().trim());
+			result = iacumosCatalog.readArtifact(userId, SanitizeUtils.sanitize(solutionId), version, props.getProtoArtifactType().trim());
 
 			if (result != null && !result.isEmpty()) {
 				resultTemplate = String.format(resultTemplate, result, true, "");

ds-compositionengine/src/main/java/org/acumos/designstudio/ce/controller/SolutionController.java

@@ -33,6 +33,7 @@
 import org.acumos.designstudio.ce.util.DSUtil;
 import org.acumos.designstudio.ce.util.EELFLoggerDelegator;
 import org.acumos.designstudio.ce.util.Properties;
+import org.acumos.designstudio.ce.util.SanitizeUtils;
 import org.acumos.designstudio.ce.vo.DSCompositeSolution;
 import org.acumos.designstudio.ce.vo.SuccessErrorMessage;
 import org.acumos.designstudio.ce.vo.cdump.DataConnector;
@@ -136,7 +137,7 @@ public Object saveCompositeSolution(HttpServletRequest request,
 		try {
 			dscs.setAuthor(userId);
 			dscs.setSolutionName(solutionName);
-			dscs.setSolutionId(solutionId);
+			dscs.setSolutionId(SanitizeUtils.sanitize(solutionId));
 			dscs.setVersion(version);
 			dscs.setOnBoarder(userId);
 			dscs.setDescription(description);
@@ -226,7 +227,7 @@ public String addNode(@RequestParam(value = "userId", required = true) String us
 			boolean validNode = validateNode(node);
 			if (validNode) {
 				if ((solutionId != null && version != null) || (null != cid)) {
-					results = solutionService.addNode(userId, solutionId, version, cid, node);
+					results = solutionService.addNode(userId, SanitizeUtils.sanitize(solutionId), version, cid, node);
 				} else {
 					results = "{\"error\": \"Either Cid or SolutionId and Version need to Pass\"}";
 				}
@@ -296,7 +297,7 @@ public String readCompositeSolutionGraph(@RequestParam(value = "userId", require
 		logger.debug(EELFLoggerDelegator.debugLogger, " fetchJsonTOSCA()  : Begin");
 		String result;
 		try {
-			result = solutionService.readCompositeSolutionGraph(userId, solutionId, version);
+			result = solutionService.readCompositeSolutionGraph(userId, SanitizeUtils.sanitize(solutionId), version);
 		} catch (Exception e) {
 			logger.error(EELFLoggerDelegator.errorLogger, "Failed to read the ComposietSolution", e);
 			result = "";
@@ -361,7 +362,7 @@ public String modifyNode(@RequestParam(value = "userid", required = true) String
 					splitterMap = dataConnector.getSplitterMap();
 				}
 			}
-			result = solutionService.modifyNode(userId, solutionId, version, cid, nodeId, nodeName, ndata, fieldMap, databrokerMap, collatorMap, splitterMap);
+			result = solutionService.modifyNode(userId, SanitizeUtils.sanitize(solutionId), version, cid, nodeId, nodeName, ndata, fieldMap, databrokerMap, collatorMap, splitterMap);
 		} catch (Exception e) {
 			logger.error(EELFLoggerDelegator.errorLogger, "-------Exception in  modifyNode() -------", e);
 		}
@@ -381,7 +382,7 @@ public String modifyLink(@RequestParam(value = "userid", required = true) String
 		String result = null;
 		logger.debug(EELFLoggerDelegator.debugLogger, " modifyLink()  : Begin");
 		try {
-			result = solutionService.modifyLink(userId, cid, solutionId, version, linkId, linkName);
+			result = solutionService.modifyLink(userId, cid, SanitizeUtils.sanitize(solutionId), version, linkId, linkName);
 		} catch (Exception e) {
 			logger.error(EELFLoggerDelegator.errorLogger, "Exception in  modifyLink() ", e);
 		}
@@ -401,7 +402,7 @@ public String deleteCompositeSolution(@RequestParam(value = "userid", required =
 
 		try {
 
-			boolean deleted = compositeServiceImpl.deleteCompositeSolution(userId, solutionId, version);
+			boolean deleted = compositeServiceImpl.deleteCompositeSolution(userId, SanitizeUtils.sanitize(solutionId), version);
 			if (!deleted) {
 				result = String.format(resultTemplate, "false", "Requested Solution Not Found");
 			} else {
@@ -429,7 +430,7 @@ public String deleteNode(@RequestParam(value = "userId", required = true) String
 			result = String.format(resultTemplate, false, "Mandatory feild(s) missing");
 		} else {
 			try {
-				boolean deletedNode = solutionService.deleteNode(userId, solutionId, version, cid, nodeId);
+				boolean deletedNode = solutionService.deleteNode(userId, SanitizeUtils.sanitize(solutionId), version, cid, nodeId);
 				if (deletedNode) {
 					result = String.format(resultTemplate, true, "");
 				} else {
@@ -454,7 +455,7 @@ public String closeCompositeSolution(@RequestParam(value = "userId", required =
 		logger.debug(EELFLoggerDelegator.debugLogger, " closeCompositeSolution(): Begin ");
 		String result = "";
 		try {
-			result = compositeServiceImpl.closeCompositeSolution(userId, solutionId, solutionVersion, cid);
+			result = compositeServiceImpl.closeCompositeSolution(userId, SanitizeUtils.sanitize(solutionId), solutionVersion, cid);
 		} catch (Exception e) {
 			logger.error(EELFLoggerDelegator.errorLogger, " Exception in closeCompositeSolution() ", e);
 		}
@@ -472,7 +473,7 @@ public String clearCompositeSolution(@RequestParam(value = "userId", required =
 		logger.debug(EELFLoggerDelegator.debugLogger, " clearCompositeSolution(): Begin ");
 		String result = "";
 		try {
-			result = compositeServiceImpl.clearCompositeSolution(userId, solutionId, solutionVersion, cid);
+			result = compositeServiceImpl.clearCompositeSolution(userId, SanitizeUtils.sanitize(solutionId), solutionVersion, cid);
 		} catch (Exception e) {
 			logger.error(EELFLoggerDelegator.errorLogger, " Exception in clearCompositeSolution() ", e);
 		}
@@ -543,7 +544,7 @@ public String validateCompositeSolution(@RequestParam(value = "userId", required
 		logger.debug(EELFLoggerDelegator.debugLogger, "validateCompositeSolution() : Begin ");
 		String result = "";
 		try {
-			result = compositeServiceImpl.validateCompositeSolution(userId, solutionName, solutionId, version);
+			result = compositeServiceImpl.validateCompositeSolution(userId, solutionName, SanitizeUtils.sanitize(solutionId), version);
 			result = String.format(result);
 		} catch (Exception e) {
 			result = "{\"success\" : \"false\", \"errorDescription\" : \"Failed to Validate Composite Solution\"}";
@@ -582,7 +583,7 @@ public String addLink(@RequestParam(value = "userId", required = true) String us
 					&& targetNodeCapabilityName != null) {
 
 				if (validateProperty(property)) {
-					linkAdded = solutionService.addLink(userId, solutionId, version, linkName, linkId, sourceNodeName,
+					linkAdded = solutionService.addLink(userId, SanitizeUtils.sanitize(solutionId), version, linkName, linkId, sourceNodeName,
 							sourceNodeId, targetNodeName, targetNodeId, sourceNodeRequirement, targetNodeCapabilityName,
 							cid, property);
 
@@ -684,7 +685,7 @@ public String deleteLink(@RequestParam(value = "userId", required = true) String
 			result = String.format(resultTemplate, false, "Mandatory feild(s) missing");
 		} else {
 			try {
-				boolean deletedLink = solutionService.deleteLink(userId, solutionId, version, cid, linkId);
+				boolean deletedLink = solutionService.deleteLink(userId, SanitizeUtils.sanitize(solutionId), version, cid, linkId);
 				if (deletedLink) {
 					result = String.format(resultTemplate, true, "");
 				} else {
@@ -711,7 +712,7 @@ public String deleteLink(@RequestParam(value = "userId", required = true) String
         SuccessErrorMessage successErrorMessage = null;
 		logger.debug(EELFLoggerDelegator.debugLogger, "setProbeIndicator() in SolutionController Begin");
         try {
-        	successErrorMessage = compositeServiceImpl.setProbeIndicator(userId, solutionId, version, cid,probeIndicator);
+        	successErrorMessage = compositeServiceImpl.setProbeIndicator(userId, SanitizeUtils.sanitize(solutionId), version, cid,probeIndicator);
 		}catch (Exception e) {
 			logger.error(EELFLoggerDelegator.errorLogger, "Exception in setProbeIndicator() in SolutionController", e);
 		}

ds-compositionengine/src/main/java/org/acumos/designstudio/ce/util/SanitizeUtils.java

@@ -0,0 +1,40 @@
+/*-
+ * ===============LICENSE_START=======================================================
+ * Acumos
+ * ===================================================================================
+ * Copyright (C) 2017 AT&T Intellectual Property & Tech Mahindra. All rights reserved.
+ * ===================================================================================
+ * This Acumos software file is distributed by AT&T and Tech Mahindra
+ * under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *  
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ * This file is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ===============LICENSE_END=========================================================
+ */
+
+package org.acumos.designstudio.ce.util;
+
+import org.owasp.html.HtmlPolicyBuilder;
+import org.owasp.html.PolicyFactory;
+
+public class SanitizeUtils {
+
+	public static PolicyFactory genericPolicy = new HtmlPolicyBuilder()
+    	    .requireRelNofollowOnLinks()
+    	    .allowTextIn("@")
+    	    .toFactory();
+
+	public static String sanitize(String html) {
+		if(null == html){
+			return html;
+		}
+		return genericPolicy.sanitize(html);
+	}
+
+}