From 4562b4d318fee0229c98a2d6414f29d9ff77fd96 Mon Sep 17 00:00:00 2001 From: hasuniea Date: Mon, 8 Aug 2016 18:06:14 +0530 Subject: [PATCH] adding security fixes --- .../org.wso2.carbon.device.mgt.iot/pom.xml | 2 +- .../pom.xml | 2 +- .../pom.xml | 2 +- .../pom.xml | 4 ++-- .../pom.xml | 2 +- .../pom.xml | 4 ++-- .../bean/AndroidPlatformConfiguration.java | 2 -- .../bean/wrapper/EventBeanWrapper.java | 2 -- .../exception/GlobalThrowableMapper.java | 21 +++++++++++++------ .../services/EventReceiverService.java | 3 --- .../impl/EventReceiverServiceImpl.java | 4 +--- .../pom.xml | 2 +- .../CertificateEnrollmentServiceImpl.java | 11 +++++----- pom.xml | 14 +++++++++---- 14 files changed, 40 insertions(+), 35 deletions(-) diff --git a/components/iot-plugins/iot-base-plugin/org.wso2.carbon.device.mgt.iot/pom.xml b/components/iot-plugins/iot-base-plugin/org.wso2.carbon.device.mgt.iot/pom.xml index e27711dd3..2b0116e9d 100644 --- a/components/iot-plugins/iot-base-plugin/org.wso2.carbon.device.mgt.iot/pom.xml +++ b/components/iot-plugins/iot-base-plugin/org.wso2.carbon.device.mgt.iot/pom.xml @@ -192,7 +192,7 @@ smackx - commons-codec.wso2 + commons-codec commons-codec diff --git a/components/iot-plugins/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.advanced.impl/pom.xml b/components/iot-plugins/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.advanced.impl/pom.xml index f9280d521..a5dffc290 100644 --- a/components/iot-plugins/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.advanced.impl/pom.xml +++ b/components/iot-plugins/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.advanced.impl/pom.xml @@ -125,7 +125,7 @@ - commons-codec.wso2 + commons-codec commons-codec 
diff --git a/components/iot-plugins/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.impl/pom.xml b/components/iot-plugins/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.impl/pom.xml index b124944ff..a91cf4275 100644 --- a/components/iot-plugins/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.impl/pom.xml +++ b/components/iot-plugins/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.impl/pom.xml @@ -134,7 +134,7 @@ - commons-codec.wso2 + commons-codec commons-codec diff --git a/components/iot-plugins/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.api/pom.xml b/components/iot-plugins/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.api/pom.xml index a23269b76..53d5cfba2 100644 --- a/components/iot-plugins/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.api/pom.xml +++ b/components/iot-plugins/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.api/pom.xml @@ -69,7 +69,7 @@ provided - commons-codec.wso2 + commons-codec commons-codec @@ -208,7 +208,7 @@ - commons-codec.wso2 + commons-codec commons-codec diff --git a/components/iot-plugins/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.plugin/pom.xml b/components/iot-plugins/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.plugin/pom.xml index 4dfe501c3..8a5c0077a 100644 --- a/components/iot-plugins/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.plugin/pom.xml +++ b/components/iot-plugins/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.plugin/pom.xml @@ -98,7 +98,7 @@ - commons-codec.wso2 + commons-codec commons-codec 
diff --git a/components/iot-plugins/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.scep.api/pom.xml b/components/iot-plugins/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.scep.api/pom.xml index 0fa58551c..1cf6753b6 100644 --- a/components/iot-plugins/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.scep.api/pom.xml +++ b/components/iot-plugins/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.scep.api/pom.xml @@ -57,7 +57,7 @@ provided - commons-codec.wso2 + commons-codec commons-codec @@ -171,7 +171,7 @@ - commons-codec.wso2 + commons-codec commons-codec diff --git a/components/mobile-plugins/android-plugin/org.wso2.carbon.device.mgt.mobile.android.api/src/main/java/org/wso2/carbon/mdm/services/android/bean/AndroidPlatformConfiguration.java b/components/mobile-plugins/android-plugin/org.wso2.carbon.device.mgt.mobile.android.api/src/main/java/org/wso2/carbon/mdm/services/android/bean/AndroidPlatformConfiguration.java index 19623877e..be290151d 100644 --- a/components/mobile-plugins/android-plugin/org.wso2.carbon.device.mgt.mobile.android.api/src/main/java/org/wso2/carbon/mdm/services/android/bean/AndroidPlatformConfiguration.java +++ b/components/mobile-plugins/android-plugin/org.wso2.carbon.device.mgt.mobile.android.api/src/main/java/org/wso2/carbon/mdm/services/android/bean/AndroidPlatformConfiguration.java @@ -23,7 +23,6 @@ import io.swagger.annotations.ApiModelProperty; import org.wso2.carbon.device.mgt.common.configuration.mgt.ConfigurationEntry; import javax.validation.constraints.NotNull; -import javax.validation.constraints.Pattern; import javax.validation.constraints.Size; import javax.xml.bind.annotation.XmlAccessType; import javax.xml.bind.annotation.XmlAccessorType; 
@@ -52,7 +51,6 @@ public class AndroidPlatformConfiguration implements Serializable { ) @NotNull @Size(min = 2, max = 10) - @Pattern(regexp = "^[A-Za-z0-9]*$") private String type; @ApiModelProperty( name = "configuration", diff --git a/components/mobile-plugins/android-plugin/org.wso2.carbon.device.mgt.mobile.android.api/src/main/java/org/wso2/carbon/mdm/services/android/bean/wrapper/EventBeanWrapper.java b/components/mobile-plugins/android-plugin/org.wso2.carbon.device.mgt.mobile.android.api/src/main/java/org/wso2/carbon/mdm/services/android/bean/wrapper/EventBeanWrapper.java index c6efc2131..c4fb13e07 100644 --- a/components/mobile-plugins/android-plugin/org.wso2.carbon.device.mgt.mobile.android.api/src/main/java/org/wso2/carbon/mdm/services/android/bean/wrapper/EventBeanWrapper.java +++ b/components/mobile-plugins/android-plugin/org.wso2.carbon.device.mgt.mobile.android.api/src/main/java/org/wso2/carbon/mdm/services/android/bean/wrapper/EventBeanWrapper.java @@ -21,7 +21,6 @@ package org.wso2.carbon.mdm.services.android.bean.wrapper; import io.swagger.annotations.ApiModel; import io.swagger.annotations.ApiModelProperty; -import javax.validation.constraints.Pattern; import javax.validation.constraints.Size; /** @@ -33,7 +32,6 @@ public class EventBeanWrapper { @ApiModelProperty(name = "deviceIdentifier", value = "DeviceIdentifier to be need to retrieve/publish Event.", required = true) @Size(min = 2, max = 45) - @Pattern(regexp = "^[A-Za-z0-9]*$") private String deviceIdentifier; @ApiModelProperty(name = "payload", value = "Event payload.", required = true) private String payload; 
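Review bot: Removing `@Pattern(regexp = "^[A-Za-z0-9]*$")` from `type` here, and from `deviceIdentifier` in the EventBeanWrapper hunk below, leaves only a length check on values the bean documents as used to retrieve/publish events, so any character set is now accepted; the same removal recurs in EventReceiverService and EventReceiverServiceImpl later in this commit. If the regex was rejecting legitimate identifiers (presumably ones containing `-`, `_` or `:`; the commit message does not say), widening the allowed set is preferable to dropping the constraint, e.g. `@Pattern(regexp = "^[A-Za-z0-9_:-]*$")`. Whichever is intended, the reason belongs in the commit message, since a commit titled "adding security fixes" that removes input validation will otherwise puzzle the next reader.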
diff --git a/components/mobile-plugins/android-plugin/org.wso2.carbon.device.mgt.mobile.android.api/src/main/java/org/wso2/carbon/mdm/services/android/exception/GlobalThrowableMapper.java b/components/mobile-plugins/android-plugin/org.wso2.carbon.device.mgt.mobile.android.api/src/main/java/org/wso2/carbon/mdm/services/android/exception/GlobalThrowableMapper.java index 5d1ae59a7..99d2c6ef0 100644 --- a/components/mobile-plugins/android-plugin/org.wso2.carbon.device.mgt.mobile.android.api/src/main/java/org/wso2/carbon/mdm/services/android/exception/GlobalThrowableMapper.java +++ b/components/mobile-plugins/android-plugin/org.wso2.carbon.device.mgt.mobile.android.api/src/main/java/org/wso2/carbon/mdm/services/android/exception/GlobalThrowableMapper.java @@ -50,15 +50,18 @@ public class GlobalThrowableMapper implements ExceptionMapper { if (e instanceof JsonParseException) { String errorMessage = "Malformed request body."; - log.error(errorMessage); + if (log.isDebugEnabled()) { + log.error(errorMessage, e); + } return AndroidDeviceUtils.buildBadRequestException(errorMessage).getResponse(); - } if (e instanceof NotFoundException) { return ((NotFoundException) e).getResponse(); } if (e instanceof UnexpectedServerErrorException) { - log.error("Unexpected server error", e); + if (log.isDebugEnabled()) { + log.error("Unexpected server error", e); + } return ((UnexpectedServerErrorException) e).getResponse(); } if (e instanceof ConstraintViolationException) { @@ -76,7 +79,9 @@ public class GlobalThrowableMapper implements ExceptionMapper { .build(); } if (e instanceof ClientErrorException) { - log.error("Client error", e); + if (log.isDebugEnabled()) { + log.error("Client error", e); + } return ((ClientErrorException) e).getResponse(); } if (e instanceof AuthenticationException) { 
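Review bot: Wrapping `log.error(...)` in `if (log.isDebugEnabled())` gates an ERROR-level message on DEBUG being enabled, so under a normal production log configuration the UnexpectedServerErrorException branch here, and the unknown-exception fallback in the next hunk of this file that answers with a 500, log nothing at all; the same pattern is applied to the JsonParseException and ClientErrorException branches and to ForbiddenException in the last hunk. Guard and call should agree on level: for the client-side branches use `if (log.isDebugEnabled()) { log.debug("Client error", e); }`, and for the server-side branches keep an unconditional `log.error("Unexpected server error", e);`, because that stack trace is what an operator needs to investigate a 5xx. If the motivation was to keep exception details out of the HTTP response, nothing in these hunks sends the logged text to the client — each branch returns the mapped response or the generic `e500` entity — so the logging change does not serve that purpose. The enclosing mapper method begins before the first hunk.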
@@ -91,11 +96,15 @@ public class GlobalThrowableMapper implements ExceptionMapper { .build(); } if (e instanceof ForbiddenException) { - log.error("Resource forbidden", e); + if (log.isDebugEnabled()) { + log.error("Resource forbidden", e); + } return ((ForbiddenException) e).getResponse(); } //unknown exception log and return - log.error("An Unknown exception has been captured by global exception mapper.", e); + if (log.isDebugEnabled()) { + log.error("An Unknown exception has been captured by global exception mapper.", e); + } return Response.status(Response.Status.INTERNAL_SERVER_ERROR).header("Content-Type", "application/json") .entity(e500).build(); } diff --git a/components/mobile-plugins/android-plugin/org.wso2.carbon.device.mgt.mobile.android.api/src/main/java/org/wso2/carbon/mdm/services/android/services/EventReceiverService.java b/components/mobile-plugins/android-plugin/org.wso2.carbon.device.mgt.mobile.android.api/src/main/java/org/wso2/carbon/mdm/services/android/services/EventReceiverService.java index cc77bb42f..9c04a49bd 100644 --- a/components/mobile-plugins/android-plugin/org.wso2.carbon.device.mgt.mobile.android.api/src/main/java/org/wso2/carbon/mdm/services/android/services/EventReceiverService.java +++ b/components/mobile-plugins/android-plugin/org.wso2.carbon.device.mgt.mobile.android.api/src/main/java/org/wso2/carbon/mdm/services/android/services/EventReceiverService.java @@ -23,7 +23,6 @@ import org.wso2.carbon.mdm.services.android.bean.DeviceState; import org.wso2.carbon.mdm.services.android.bean.wrapper.EventBeanWrapper; import javax.validation.Valid; -import javax.validation.constraints.Pattern; import javax.validation.constraints.Size; import javax.ws.rs.*; import javax.ws.rs.core.MediaType; 
@@ -141,7 +140,6 @@ public interface EventReceiverService { value = "Device Identifier to be need to retrieve events.", required = true) @Size(min = 2, max = 45) - @Pattern(regexp = "^[A-Za-z0-9]*$") @QueryParam("id") String deviceId, @ApiParam( name = "from", @@ -155,7 +153,6 @@ public interface EventReceiverService { name = "type", value = "Type of the Alert to be need to retrieve events.") @Size(min = 2, max = 45) - @Pattern(regexp = "^[A-Za-z0-9]*$") @QueryParam("type") String type, @ApiParam( name = "If-Modified-Since", diff --git a/components/mobile-plugins/android-plugin/org.wso2.carbon.device.mgt.mobile.android.api/src/main/java/org/wso2/carbon/mdm/services/android/services/impl/EventReceiverServiceImpl.java b/components/mobile-plugins/android-plugin/org.wso2.carbon.device.mgt.mobile.android.api/src/main/java/org/wso2/carbon/mdm/services/android/services/impl/EventReceiverServiceImpl.java index c933c4bb1..cf6677189 100644 --- a/components/mobile-plugins/android-plugin/org.wso2.carbon.device.mgt.mobile.android.api/src/main/java/org/wso2/carbon/mdm/services/android/services/impl/EventReceiverServiceImpl.java +++ b/components/mobile-plugins/android-plugin/org.wso2.carbon.device.mgt.mobile.android.api/src/main/java/org/wso2/carbon/mdm/services/android/services/impl/EventReceiverServiceImpl.java @@ -33,7 +33,6 @@ import org.wso2.carbon.mdm.services.android.util.AndroidAPIUtils; import org.wso2.carbon.mdm.services.android.util.Message; import javax.validation.Valid; -import javax.validation.constraints.Pattern; import javax.validation.constraints.Size; import javax.ws.rs.*; import javax.ws.rs.core.Response; 
@@ -78,11 +77,10 @@ public class EventReceiverServiceImpl implements EventReceiverService { @Override public Response retrieveAlerts(@QueryParam("id") @Size(min = 2, max = 45) - @Pattern(regexp = "^[A-Za-z0-9]*$") String deviceId, + String deviceId, @QueryParam("from") long from, @QueryParam("to") long to, @Size(min = 2, max = 45) - @Pattern(regexp = "^[A-Za-z0-9]*$") @QueryParam("type") String type, @HeaderParam("If-Modified-Since") String ifModifiedSince) { diff --git a/components/mobile-plugins/windows-plugin/org.wso2.carbon.device.mgt.mobile.windows.api/pom.xml b/components/mobile-plugins/windows-plugin/org.wso2.carbon.device.mgt.mobile.windows.api/pom.xml index 897b7adbe..4aedb77be 100644 --- a/components/mobile-plugins/windows-plugin/org.wso2.carbon.device.mgt.mobile.windows.api/pom.xml +++ b/components/mobile-plugins/windows-plugin/org.wso2.carbon.device.mgt.mobile.windows.api/pom.xml @@ -230,7 +230,7 @@ core - commons-codec.wso2 + commons-codec commons-codec diff --git a/components/mobile-plugins/windows-plugin/org.wso2.carbon.device.mgt.mobile.windows.api/src/main/java/org/wso2/carbon/mdm/mobileservices/windows/services/wstep/impl/CertificateEnrollmentServiceImpl.java b/components/mobile-plugins/windows-plugin/org.wso2.carbon.device.mgt.mobile.windows.api/src/main/java/org/wso2/carbon/mdm/mobileservices/windows/services/wstep/impl/CertificateEnrollmentServiceImpl.java index f439620e0..928ccdde9 100644 --- a/components/mobile-plugins/windows-plugin/org.wso2.carbon.device.mgt.mobile.windows.api/src/main/java/org/wso2/carbon/mdm/mobileservices/windows/services/wstep/impl/CertificateEnrollmentServiceImpl.java +++ b/components/mobile-plugins/windows-plugin/org.wso2.carbon.device.mgt.mobile.windows.api/src/main/java/org/wso2/carbon/mdm/mobileservices/windows/services/wstep/impl/CertificateEnrollmentServiceImpl.java 
@@ -215,7 +215,6 @@ public class CertificateEnrollmentServiceImpl implements CertificateEnrollmentSe private String prepareWapProvisioningXML(String binarySecurityToken, String wapProvisioningFilePath, String headerBst) throws CertificateGenerationException, WAPProvisioningException, WindowsDeviceEnrolmentException { - String rootCertEncodedString; String signedCertEncodedString; X509Certificate signedCertificate; @@ -225,11 +224,11 @@ public class CertificateEnrollmentServiceImpl implements CertificateEnrollmentSe Base64 base64Encoder = new Base64(); try { rootCACertificate = (X509Certificate) certMgtServiceImpl.getCACertificate(); - rootCertEncodedString = base64Encoder.encodeToString(rootCACertificate.getEncoded()); + rootCertEncodedString = base64Encoder.encodeAsString(rootCACertificate.getEncoded()); signedCertificate = certMgtServiceImpl.getSignedCertificateFromCSR(binarySecurityToken); - signedCertEncodedString = base64Encoder.encodeToString(signedCertificate.getEncoded()); + signedCertEncodedString = base64Encoder.encodeAsString(signedCertificate.getEncoded()); DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance(); DocumentBuilder builder; @@ -242,7 +241,7 @@ public class CertificateEnrollmentServiceImpl implements CertificateEnrollmentSe //Adding SHA1 CA certificate finger print to wap-provisioning xml. caCertificatePosition.getParentNode().getAttributes().getNamedItem(PluginConstants. CertificateEnrolment.TYPE).setTextContent(String.valueOf( - DigestUtils.sha256Hex(rootCACertificate.getEncoded())).toUpperCase()); + DigestUtils.sha1Hex(rootCACertificate.getEncoded())).toUpperCase()); //Adding encoded CA certificate to wap-provisioning file after removing new line // characters. NamedNodeMap rootCertAttributes = caCertificatePosition.getAttributes(); 
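Review bot: The first hunk deletes the local declaration `String rootCertEncodedString;`, yet the second hunk still assigns `rootCertEncodedString = base64Encoder.encodeAsString(rootCACertificate.getEncoded());`, so after this commit the name must resolve to something outside the method — presumably a class field, which is not visible here. If it is an instance field, the CA certificate string for one enrollment is written into state shared by every request this service instance handles; restoring `String rootCertEncodedString;` next to `String signedCertEncodedString;` keeps it request-scoped, as the signed certificate string already is. The `sha256Hex` to `sha1Hex` change in the third hunk (and again in the next hunk of this file) matches the existing `//Adding SHA1 ... finger print` comments, but in a commit titled "adding security fixes" it reads as a downgrade without a stated reason; a comment such as `// SHA-1 here is dictated by the provisioning format's certificate hash type, not a choice of digest strength -- confirm against the enrollment spec` would make the intent explicit. `prepareWapProvisioningXML` continues past the end of these hunks.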
@@ -261,7 +260,7 @@ public class CertificateEnrollmentServiceImpl implements CertificateEnrollmentSe //Adding SHA1 signed certificate finger print to wap-provisioning xml. signedCertificatePosition.getParentNode().getAttributes().getNamedItem(PluginConstants. CertificateEnrolment.TYPE).setTextContent(String.valueOf( - DigestUtils.sha256Hex(signedCertificate.getEncoded())).toUpperCase()); + DigestUtils.sha1Hex(signedCertificate.getEncoded())).toUpperCase()); //Adding encoded signed certificate to wap-provisioning file after removing new line // characters. @@ -326,7 +325,7 @@ public class CertificateEnrollmentServiceImpl implements CertificateEnrollmentSe } catch (KeystoreException e) { throw new CertificateGenerationException("CA certificate cannot be generated.", e); } - return base64Encoder.encodeToString(provisioningXmlString.getBytes()); + return base64Encoder.encodeAsString(provisioningXmlString.getBytes()); } /** diff --git a/pom.xml b/pom.xml index 7dd072ed3..aa5241f92 100644 --- a/pom.xml +++ b/pom.xml @@ -331,7 +331,7 @@ ${carbon.analytics.common.version} - commons-codec + commons-codec.wso2 commons-codec @@ -859,10 +859,15 @@ commons-httpclient ${orbit.version.commons-httpclient} + + + + + - commons-codec.wso2 + commons-codec commons-codec - ${commons-codec.wso2.version} + ${commons-codec.version} org.codehaus.jackson @@ -1169,7 +1174,8 @@ 1.0.2 3.1.0.wso2v2 - 1.4.0.wso2v1 + + 1.7 6.0
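Review bot: `provisioningXmlString.getBytes()` on the changed return line in the `@@ -326` hunk uses the JVM default charset, so the Base64 payload sent to the device depends on the platform the server happens to run on; `return base64Encoder.encodeAsString(provisioningXmlString.getBytes(StandardCharsets.UTF_8));` pins it (with `java.nio.charset.StandardCharsets` imported if the file does not already have it). The `encodeToString` to `encodeAsString` swap itself appears output-neutral for a default `new Base64()`, but since the hunk already rewrites this line it is the natural place to fix the encoding as well.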