You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@nifi.apache.org by al...@apache.org on 2018/07/12 01:31:18 UTC
[10/10] nifi git commit: NIFI-5374 - Added ExceptionFilter which catches RequestRejectedException thrown in the nifi-api Jersey code. These exceptions were not caught by the Jetty error-page configuration because they're thrown before the endpoint/Jetty

NIFI-5374 - Added ExceptionFilter which catches RequestRejectedException thrown in the nifi-api Jersey code. These exceptions were not caught by the Jetty error-page configuration because they're thrown before the endpoint/Jetty routing is hit.
Added integration test for checking the ExceptionFilter catches malicious string exceptions.
Made minor changes to PR 2840 for code style.

This closes #2840.

Co-authored-by: Andy LoPresto <al...@apache.org>

Signed-off-by: Andy LoPresto <al...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/nifi/repo
Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/b46033be
Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/b46033be
Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/b46033be

Branch: refs/heads/support/nifi-1.7.x
Commit: b46033be306b2ce66c3316b2f4fec92b941307ac
Parents: d326edb
Author: thenatog <th...@gmail.com>
Authored: Tue Jul 3 14:21:03 2018 -0400
Committer: Andy LoPresto <al...@apache.org>
Committed: Wed Jul 11 18:30:11 2018 -0700

----------------------------------------------------------------------
 .../apache/nifi/web/filter/ExceptionFilter.java | 72 ++++++++++++++++++++
 .../src/main/webapp/WEB-INF/web.xml             |  9 ++-
 .../ITProcessGroupAccessControl.java            | 36 ++++++++++
 3 files changed, 116 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/nifi/blob/b46033be/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/filter/ExceptionFilter.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/filter/ExceptionFilter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/filter/ExceptionFilter.java
new file mode 100644
index 0000000..17d7dc5
--- /dev/null
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/filter/ExceptionFilter.java
@@ -0,0 +1,72 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.filter;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.io.StringWriter;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.web.firewall.RequestRejectedException;
+
+/**
+ * A filter to catch exceptions that aren't handled by the Jetty error-page.
+ *
+ */
+public class ExceptionFilter implements Filter {
+
+    private static final Logger logger = LoggerFactory.getLogger(ExceptionFilter.class);
+
+    @Override
+    public void doFilter(final ServletRequest req, final ServletResponse resp, final FilterChain filterChain)
+            throws IOException, ServletException {
+
+        try {
+            filterChain.doFilter(req, resp);
+        } catch (RequestRejectedException e) {
+            if (logger.isDebugEnabled()) {
+                logger.debug("An exception was caught performing the HTTP request security filter check and the stacktrace has been suppressed from the response");
+            }
+
+            HttpServletResponse filteredResponse = (HttpServletResponse) resp;
+            filteredResponse.setStatus(500);
+            filteredResponse.getWriter().write(e.getMessage());
+
+            StringWriter sw = new StringWriter();
+            sw.write("Exception caught by ExceptionFilter:\n");
+            PrintWriter pw = new PrintWriter(sw);
+            e.printStackTrace(pw);
+            logger.error(sw.toString());
+        }
+    }
+
+    @Override
+    public void init(final FilterConfig config) {
+    }
+
+    @Override
+    public void destroy() {
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/nifi/blob/b46033be/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/webapp/WEB-INF/web.xml b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/webapp/WEB-INF/web.xml
index 1887710..2c87331 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/webapp/WEB-INF/web.xml
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/webapp/WEB-INF/web.xml
@@ -42,7 +42,14 @@
         <servlet-name>jerseySpring</servlet-name>
         <url-pattern>/*</url-pattern>
     </servlet-mapping>
-    
+    <filter>
+        <filter-name>exceptionFilter</filter-name>
+        <filter-class>org.apache.nifi.web.filter.ExceptionFilter</filter-class>
+    </filter>
+    <filter-mapping>
+    <filter-name>exceptionFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
     <filter>
         <filter-name>timer</filter-name>
         <filter-class>org.apache.nifi.web.filter.TimerFilter</filter-class>

http://git-wip-us.apache.org/repos/asf/nifi/blob/b46033be/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/accesscontrol/ITProcessGroupAccessControl.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/accesscontrol/ITProcessGroupAccessControl.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/accesscontrol/ITProcessGroupAccessControl.java
index 2b3f42c..48061a8 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/accesscontrol/ITProcessGroupAccessControl.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/accesscontrol/ITProcessGroupAccessControl.java
@@ -315,6 +315,35 @@ public class ITProcessGroupAccessControl {
         verifyDelete(helper.getNoneUser(), NONE_CLIENT_ID, 403);
     }
 
+    /**
+     * Ensures malicious string inputs added to the end of a process group
+     * are handled safely and a stack trace is not returned.
+     *
+     * @throws Exception ex
+     */
+    @Test
+    public void testProcessGroupRejectMaliciousString() throws Exception {
+        final ProcessGroupEntity entity = createProcessGroup(NiFiTestAuthorizer.NO_POLICY_COMPONENT_NAME);
+
+        final String updatedName = "Updated name" + count++;
+        final String maliciousString = "z--><qss>;<script>alert(\"hello\")</script>";
+        final String maliciousErrorMessage = "The request was rejected because the URL contained a potentially malicious String \";\"";
+
+        // attempt to update the name
+        entity.getRevision().setClientId(READ_WRITE_CLIENT_ID);
+        entity.getComponent().setName(updatedName);
+
+        // perform the request
+        final Response response = updateProcessGroup(helper.getReadWriteUser(), entity, maliciousString);
+        String maliciousStringResponse = response.readEntity(String.class);
+
+        // ensure successful response
+        assertEquals(500, response.getStatus());
+
+        // verify
+        assertEquals(maliciousErrorMessage, maliciousStringResponse);
+    }
+
     private ProcessGroupEntity getRandomProcessGroup(final NiFiTestUser user) throws Exception {
         final String url = helper.getBaseUrl() + "/flow/process-groups/root";
 
@@ -338,6 +367,13 @@ public class ITProcessGroupAccessControl {
         return processGroupIter.next();
     }
 
+    private Response updateProcessGroup(final NiFiTestUser user, final ProcessGroupEntity entity, final String urlParameter) throws Exception {
+        final String url = helper.getBaseUrl() + "/process-groups/" + entity.getId() + urlParameter;
+
+        // perform the request
+        return user.testPut(url, entity);
+    }
+
     private Response updateProcessGroup(final NiFiTestUser user, final ProcessGroupEntity entity) throws Exception {
         final String url = helper.getBaseUrl() + "/process-groups/" + entity.getId();