Improved missing ping, fixed fortify issue

This commit is contained in:
anhefti 2020-01-07 16:07:14 +01:00
parent 67c1aef81e
commit d8668e1c68
10 changed files with 71 additions and 26 deletions

View file

@ -303,6 +303,11 @@
<artifactId>jncryptor</artifactId> <artifactId>jncryptor</artifactId>
<version>1.2.0</version> <version>1.2.0</version>
</dependency> </dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-text</artifactId>
<version>1.8</version>
</dependency>
<!-- Testing --> <!-- Testing -->

View file

@ -183,7 +183,7 @@ public class ClientHttpRequestFactoryService {
.toCharArray(); .toCharArray();
if (password.length < 3) { if (password.length < 3) {
log.error("Missing or incorrect trust-store password: " + String.valueOf(password)); log.error("Missing or incorrect trust-store password");
throw new IllegalArgumentException("Missing or incorrect trust-store password"); throw new IllegalArgumentException("Missing or incorrect trust-store password");
} }

View file

@ -11,6 +11,7 @@ package ch.ethz.seb.sebserver.gbl.api;
import org.springframework.context.annotation.Lazy; import org.springframework.context.annotation.Lazy;
import org.springframework.stereotype.Component; import org.springframework.stereotype.Component;
import com.fasterxml.jackson.annotation.JsonInclude.Include;
import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.datatype.joda.JodaModule; import com.fasterxml.jackson.datatype.joda.JodaModule;
@ -29,6 +30,7 @@ public class JSONMapper extends ObjectMapper {
super.configure( super.configure(
com.fasterxml.jackson.databind.SerializationFeature.WRITE_DATES_WITH_ZONE_ID, com.fasterxml.jackson.databind.SerializationFeature.WRITE_DATES_WITH_ZONE_ID,
false); false);
super.setSerializationInclusion(Include.NON_NULL);
} }
} }

View file

@ -16,8 +16,6 @@ import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonIgnore; import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.JsonProperty; import com.fasterxml.jackson.annotation.JsonProperty;
import ch.ethz.seb.sebserver.gbl.model.exam.Indicator.IndicatorType;
import ch.ethz.seb.sebserver.gbl.model.session.ClientConnection.ConnectionStatus;
import ch.ethz.seb.sebserver.gbl.util.Utils; import ch.ethz.seb.sebserver.gbl.util.Utils;
public class ClientConnectionData { public class ClientConnectionData {
@ -26,31 +24,32 @@ public class ClientConnectionData {
public final ClientConnection clientConnection; public final ClientConnection clientConnection;
@JsonProperty("indicatorValues") @JsonProperty("indicatorValues")
public final List<? extends IndicatorValue> indicatorValues; public final List<? extends IndicatorValue> indicatorValues;
@JsonIgnore
public final boolean missingPing; public final Boolean missingPing;
@JsonCreator @JsonCreator
protected ClientConnectionData( public ClientConnectionData(
@JsonProperty("missingPing") final Boolean missingPing,
@JsonProperty("clientConnection") final ClientConnection clientConnection, @JsonProperty("clientConnection") final ClientConnection clientConnection,
@JsonProperty("indicatorValues") final Collection<? extends SimpleIndicatorValue> indicatorValues) { @JsonProperty("indicatorValues") final Collection<? extends SimpleIndicatorValue> indicatorValues) {
this.missingPing = missingPing;
this.clientConnection = clientConnection; this.clientConnection = clientConnection;
this.indicatorValues = Utils.immutableListOf(indicatorValues); this.indicatorValues = Utils.immutableListOf(indicatorValues);
this.missingPing = clientConnection.status == ConnectionStatus.ACTIVE &&
this.indicatorValues.stream()
.filter(ind -> ind.getType() == IndicatorType.LAST_PING)
.findFirst()
.map(ind -> (long) ind.getValue())
.orElse(0L) > 5000;
} }
protected ClientConnectionData( protected ClientConnectionData(
@JsonProperty("clientConnection") final ClientConnection clientConnection, final ClientConnection clientConnection,
@JsonProperty("indicatorValues") final List<? extends IndicatorValue> indicatorValues) { final List<? extends IndicatorValue> indicatorValues) {
this.missingPing = null;
this.clientConnection = clientConnection; this.clientConnection = clientConnection;
this.indicatorValues = Utils.immutableListOf(indicatorValues); this.indicatorValues = Utils.immutableListOf(indicatorValues);
this.missingPing = false; }
@JsonProperty("missingPing")
public Boolean getMissingPing() {
return this.missingPing;
} }
@JsonIgnore @JsonIgnore

View file

@ -28,6 +28,7 @@ import java.util.stream.Collector;
import java.util.stream.Collectors; import java.util.stream.Collectors;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.apache.commons.text.StringEscapeUtils;
import org.eclipse.swt.graphics.RGB; import org.eclipse.swt.graphics.RGB;
import org.joda.time.DateTime; import org.joda.time.DateTime;
import org.joda.time.DateTimeZone; import org.joda.time.DateTimeZone;
@ -375,6 +376,13 @@ public final class Utils {
return builder.toString(); return builder.toString();
} }
public static String escapeHTML_XML_EcmaScript(final String string) {
return StringEscapeUtils.escapeXml11(
StringEscapeUtils.escapeHtml4(
StringEscapeUtils.escapeEcmaScript(string)));
}
// https://www.owasp.org/index.php/HTTP_Response_Splitting
public static String preventResponseSplittingAttack(final String string) { public static String preventResponseSplittingAttack(final String string) {
final int xni = string.indexOf('\n'); final int xni = string.indexOf('\n');
final int xri = string.indexOf('\r'); final int xri = string.indexOf('\r');

View file

@ -61,8 +61,9 @@ public abstract class AbstractDownloadServiceHandler implements DownloadServiceH
downloadFileName); downloadFileName);
} }
final String header = final String header = "attachment; filename=\"" +
"attachment; filename=\"" + Utils.preventResponseSplittingAttack(downloadFileName) + "\""; Utils.escapeHTML_XML_EcmaScript(Utils.preventResponseSplittingAttack(downloadFileName)) +
"\"";
response.setHeader(HttpHeaders.CONTENT_DISPOSITION, header); response.setHeader(HttpHeaders.CONTENT_DISPOSITION, header);
response.setContentType(MediaType.APPLICATION_OCTET_STREAM_VALUE); response.setContentType(MediaType.APPLICATION_OCTET_STREAM_VALUE);

View file

@ -14,6 +14,8 @@ import java.util.Collections;
import java.util.EnumMap; import java.util.EnumMap;
import java.util.List; import java.util.List;
import com.fasterxml.jackson.annotation.JsonProperty;
import ch.ethz.seb.sebserver.gbl.model.session.ClientConnection; import ch.ethz.seb.sebserver.gbl.model.session.ClientConnection;
import ch.ethz.seb.sebserver.gbl.model.session.ClientConnectionData; import ch.ethz.seb.sebserver.gbl.model.session.ClientConnectionData;
import ch.ethz.seb.sebserver.gbl.model.session.ClientEvent.EventType; import ch.ethz.seb.sebserver.gbl.model.session.ClientEvent.EventType;
@ -61,4 +63,10 @@ public class ClientConnectionDataInternal extends ClientConnectionData {
return this.indicatorMapping.get(eventType); return this.indicatorMapping.get(eventType);
} }
@Override
@JsonProperty("missingPing")
public Boolean getMissingPing() {
return this.pingIndicator.missingPing;
}
} }

View file

@ -36,8 +36,8 @@ public final class PingIntervalClientIndicator extends AbstractPingIndicator {
private static final Logger log = LoggerFactory.getLogger(PingIntervalClientIndicator.class); private static final Logger log = LoggerFactory.getLogger(PingIntervalClientIndicator.class);
private long pingErrorThreshold; long pingErrorThreshold;
private boolean isOnError = false; boolean missingPing = false;
boolean hidden = false; boolean hidden = false;
@ -84,9 +84,9 @@ public final class PingIntervalClientIndicator extends AbstractPingIndicator {
public ClientEventRecord updateLogEvent() { public ClientEventRecord updateLogEvent() {
final long now = DateTime.now(DateTimeZone.UTC).getMillis(); final long now = DateTime.now(DateTimeZone.UTC).getMillis();
final long value = now - (long) super.currentValue; final long value = now - (long) super.currentValue;
if (this.isOnError) { if (this.missingPing) {
if (this.pingErrorThreshold > value) { if (this.pingErrorThreshold > value) {
this.isOnError = false; this.missingPing = false;
return new ClientEventRecord( return new ClientEventRecord(
null, null,
this.connectionId, this.connectionId,
@ -98,7 +98,7 @@ public final class PingIntervalClientIndicator extends AbstractPingIndicator {
} }
} else { } else {
if (this.pingErrorThreshold < value) { if (this.pingErrorThreshold < value) {
this.isOnError = true; this.missingPing = true;
return new ClientEventRecord( return new ClientEventRecord(
null, null,
this.connectionId, this.connectionId,

View file

@ -13,6 +13,7 @@ import java.util.Objects;
import java.util.UUID; import java.util.UUID;
import java.util.function.Predicate; import java.util.function.Predicate;
import org.apache.commons.lang3.BooleanUtils;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@ -25,6 +26,7 @@ import ch.ethz.seb.sebserver.gbl.model.exam.Exam;
import ch.ethz.seb.sebserver.gbl.model.exam.Exam.ExamType; import ch.ethz.seb.sebserver.gbl.model.exam.Exam.ExamType;
import ch.ethz.seb.sebserver.gbl.model.session.ClientConnection; import ch.ethz.seb.sebserver.gbl.model.session.ClientConnection;
import ch.ethz.seb.sebserver.gbl.model.session.ClientConnection.ConnectionStatus; import ch.ethz.seb.sebserver.gbl.model.session.ClientConnection.ConnectionStatus;
import ch.ethz.seb.sebserver.gbl.model.session.ClientConnectionData;
import ch.ethz.seb.sebserver.gbl.model.session.ClientEvent; import ch.ethz.seb.sebserver.gbl.model.session.ClientEvent;
import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile; import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile;
import ch.ethz.seb.sebserver.gbl.util.Result; import ch.ethz.seb.sebserver.gbl.util.Result;
@ -385,6 +387,17 @@ public class SebClientConnectionServiceImpl implements SebClientConnectionServic
@Override @Override
public Result<ClientConnection> disableConnection(final String connectionToken, final Long institutionId) { public Result<ClientConnection> disableConnection(final String connectionToken, final Long institutionId) {
return Result.tryCatch(() -> { return Result.tryCatch(() -> {
final ClientConnectionData connectionData = getExamSessionService()
.getConnectionData(connectionToken)
.getOrThrow();
// An active connection can only be disabled if we have a missing ping
if (connectionData.clientConnection.status == ConnectionStatus.ACTIVE &&
!BooleanUtils.isTrue(connectionData.getMissingPing())) {
return connectionData.clientConnection;
}
if (log.isDebugEnabled()) { if (log.isDebugEnabled()) {
log.debug("SEB client connection: SEB Server disable attempt for " log.debug("SEB client connection: SEB Server disable attempt for "
+ "instituion {} " + "instituion {} "

View file

@ -62,4 +62,13 @@ public class InstitutionTest {
json); json);
} }
@Test
public void testNullValues() throws Exception {
final JSONMapper jsonMapper = new JSONMapper();
final Institution inst = new Institution(1L, null, "suffix", "logo", "theme", null);
final String jsonString = jsonMapper.writeValueAsString(inst);
assertEquals("{\"id\":1,\"urlSuffix\":\"suffix\",\"logoImage\":\"logo\",\"themeName\":\"theme\"}", jsonString);
}
} }