You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@nifi.apache.org by al...@apache.org on 2018/07/12 01:31:18 UTC
[10/10] nifi git commit: NIFI-5374 - Added ExceptionFilter which
catches RequestRejectedException thrown in the nifi-api Jersey code. These
exceptions were not caught by the Jetty error-page configuration because
they're thrown before the endpoint/Jetty
NIFI-5374 - Added ExceptionFilter which catches RequestRejectedException thrown in the nifi-api Jersey code. These exceptions were not caught by the Jetty error-page configuration because they're thrown before the endpoint/Jetty routing is hit.
Added integration test for checking the ExceptionFilter catches malicious string exceptions.
Made minor changes to PR 2840 for code style.
This closes #2840.
Co-authored-by: Andy LoPresto <al...@apache.org>
Signed-off-by: Andy LoPresto <al...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/nifi/repo
Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/b46033be
Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/b46033be
Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/b46033be
Branch: refs/heads/support/nifi-1.7.x
Commit: b46033be306b2ce66c3316b2f4fec92b941307ac
Parents: d326edb
Author: thenatog <th...@gmail.com>
Authored: Tue Jul 3 14:21:03 2018 -0400
Committer: Andy LoPresto <al...@apache.org>
Committed: Wed Jul 11 18:30:11 2018 -0700
----------------------------------------------------------------------
.../apache/nifi/web/filter/ExceptionFilter.java | 72 ++++++++++++++++++++
.../src/main/webapp/WEB-INF/web.xml | 9 ++-
.../ITProcessGroupAccessControl.java | 36 ++++++++++
3 files changed, 116 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/nifi/blob/b46033be/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/filter/ExceptionFilter.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/filter/ExceptionFilter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/filter/ExceptionFilter.java
new file mode 100644
index 0000000..17d7dc5
--- /dev/null
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/filter/ExceptionFilter.java
@@ -0,0 +1,72 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.filter;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.io.StringWriter;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.web.firewall.RequestRejectedException;
+
+/**
+ * A filter to catch exceptions that aren't handled by the Jetty error-page.
+ *
+ */
+public class ExceptionFilter implements Filter {
+
+ private static final Logger logger = LoggerFactory.getLogger(ExceptionFilter.class);
+
+ @Override
+ public void doFilter(final ServletRequest req, final ServletResponse resp, final FilterChain filterChain)
+ throws IOException, ServletException {
+
+ try {
+ filterChain.doFilter(req, resp);
+ } catch (RequestRejectedException e) {
+ if (logger.isDebugEnabled()) {
+ logger.debug("An exception was caught performing the HTTP request security filter check and the stacktrace has been suppressed from the response");
+ }
+
+ HttpServletResponse filteredResponse = (HttpServletResponse) resp;
+ filteredResponse.setStatus(500);
+ filteredResponse.getWriter().write(e.getMessage());
+
+ StringWriter sw = new StringWriter();
+ sw.write("Exception caught by ExceptionFilter:\n");
+ PrintWriter pw = new PrintWriter(sw);
+ e.printStackTrace(pw);
+ logger.error(sw.toString());
+ }
+ }
+
+ @Override
+ public void init(final FilterConfig config) {
+ }
+
+ @Override
+ public void destroy() {
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/nifi/blob/b46033be/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/webapp/WEB-INF/web.xml b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/webapp/WEB-INF/web.xml
index 1887710..2c87331 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/webapp/WEB-INF/web.xml
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/webapp/WEB-INF/web.xml
@@ -42,7 +42,14 @@
<servlet-name>jerseySpring</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
-
+ <filter>
+ <filter-name>exceptionFilter</filter-name>
+ <filter-class>org.apache.nifi.web.filter.ExceptionFilter</filter-class>
+ </filter>
+ <filter-mapping>
+ <filter-name>exceptionFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
<filter>
<filter-name>timer</filter-name>
<filter-class>org.apache.nifi.web.filter.TimerFilter</filter-class>
http://git-wip-us.apache.org/repos/asf/nifi/blob/b46033be/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/accesscontrol/ITProcessGroupAccessControl.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/accesscontrol/ITProcessGroupAccessControl.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/accesscontrol/ITProcessGroupAccessControl.java
index 2b3f42c..48061a8 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/accesscontrol/ITProcessGroupAccessControl.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/accesscontrol/ITProcessGroupAccessControl.java
@@ -315,6 +315,35 @@ public class ITProcessGroupAccessControl {
verifyDelete(helper.getNoneUser(), NONE_CLIENT_ID, 403);
}
+ /**
+ * Ensures malicious string inputs added to the end of a process group
+ * are handled safely and a stack trace is not returned.
+ *
+ * @throws Exception ex
+ */
+ @Test
+ public void testProcessGroupRejectMaliciousString() throws Exception {
+ final ProcessGroupEntity entity = createProcessGroup(NiFiTestAuthorizer.NO_POLICY_COMPONENT_NAME);
+
+ final String updatedName = "Updated name" + count++;
+ final String maliciousString = "z--><qss>;<script>alert(\"hello\")</script>";
+ final String maliciousErrorMessage = "The request was rejected because the URL contained a potentially malicious String \";\"";
+
+ // attempt to update the name
+ entity.getRevision().setClientId(READ_WRITE_CLIENT_ID);
+ entity.getComponent().setName(updatedName);
+
+ // perform the request
+ final Response response = updateProcessGroup(helper.getReadWriteUser(), entity, maliciousString);
+ String maliciousStringResponse = response.readEntity(String.class);
+
+ // ensure successful response
+ assertEquals(500, response.getStatus());
+
+ // verify
+ assertEquals(maliciousErrorMessage, maliciousStringResponse);
+ }
+
private ProcessGroupEntity getRandomProcessGroup(final NiFiTestUser user) throws Exception {
final String url = helper.getBaseUrl() + "/flow/process-groups/root";
@@ -338,6 +367,13 @@ public class ITProcessGroupAccessControl {
return processGroupIter.next();
}
+ private Response updateProcessGroup(final NiFiTestUser user, final ProcessGroupEntity entity, final String urlParameter) throws Exception {
+ final String url = helper.getBaseUrl() + "/process-groups/" + entity.getId() + urlParameter;
+
+ // perform the request
+ return user.testPut(url, entity);
+ }
+
private Response updateProcessGroup(final NiFiTestUser user, final ProcessGroupEntity entity) throws Exception {
final String url = helper.getBaseUrl() + "/process-groups/" + entity.getId();