From commits-return-1528-archive-asf-public=cust-asf.ponee.io@fineract.apache.org Mon Jan 22 16:31:03 2018 Return-Path: X-Original-To: archive-asf-public@eu.ponee.io Delivered-To: archive-asf-public@eu.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by mx-eu-01.ponee.io (Postfix) with ESMTP id 623511807A0 for ; Mon, 22 Jan 2018 16:31:02 +0100 (CET) Received: by cust-asf.ponee.io (Postfix) id 4C7BB160C4B; Mon, 22 Jan 2018 15:31:02 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 68D9F160C51 for ; Mon, 22 Jan 2018 16:31:00 +0100 (CET) Received: (qmail 42554 invoked by uid 500); 22 Jan 2018 15:30:59 -0000 Mailing-List: contact commits-help@fineract.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@fineract.apache.org Delivered-To: mailing list commits@fineract.apache.org Received: (qmail 42381 invoked by uid 99); 22 Jan 2018 15:30:59 -0000 Received: from ec2-52-202-80-70.compute-1.amazonaws.com (HELO gitbox.apache.org) (52.202.80.70) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 22 Jan 2018 15:30:59 +0000 Received: by gitbox.apache.org (ASF Mail Server at gitbox.apache.org, from userid 33) id 307768201A; Mon, 22 Jan 2018 15:30:58 +0000 (UTC) Date: Mon, 22 Jan 2018 15:31:02 +0000 To: "commits@fineract.apache.org" Subject: [fineract-cn-reporting] 05/24: Refactor address query to use address table Add dummy entity to give EntityManagerFactory a package folder to load entities. This is a workaround to prevent an error described here: https://github.com/spring-projects/spring-boot/issues/6635 Extract string fields into constants Add needed property files for OWASP library Removed example migration sql MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit From: myrle@apache.org In-Reply-To: <151663505772.22521.4200642985145410403@gitbox.apache.org> References: <151663505772.22521.4200642985145410403@gitbox.apache.org> X-Git-Host: gitbox.apache.org X-Git-Repo: fineract-cn-reporting X-Git-Refname: refs/heads/develop X-Git-Reftype: branch X-Git-Rev: f93d9e6e09d6fa31c82f308442828662638e47d6 X-Git-NotificationType: diff X-Git-Multimail-Version: 1.5.dev Auto-Submitted: auto-generated Message-Id: <20180122153058.307768201A@gitbox.apache.org> This is an automated email from the ASF dual-hosted git repository. myrle pushed a commit to branch develop in repository https://gitbox.apache.org/repos/asf/fineract-cn-reporting.git commit f93d9e6e09d6fa31c82f308442828662638e47d6 Author: Mark AuthorDate: Fri Jul 7 16:35:53 2017 +0200 Refactor address query to use address table Add dummy entity to give EntityManagerFactory a package folder to load entities. This is a workaround to prevent an error described here: https://github.com/spring-projects/spring-boot/issues/6635 Extract string fields into constants Add needed property files for OWASP library Removed example migration sql --- .../reporting/service/ReportingConfiguration.java | 2 + .../service/internal/repository/DummyEntity.java | 38 ++ .../internal/repository/DummyRepository.java | 23 ++ .../CustomerListReportSpecification.java | 100 +++-- .../reporting/service/spi/CriteriaBuilder.java | 15 +- service/src/main/resources/ESAPI.properties | 452 +++++++++++++++++++++ .../db/migrations/mariadb/V1__initial_setup.sql | 22 - service/src/main/resources/validation.properties | 32 ++ 8 files changed, 629 insertions(+), 55 deletions(-) diff --git a/service/src/main/java/io/mifos/reporting/service/ReportingConfiguration.java b/service/src/main/java/io/mifos/reporting/service/ReportingConfiguration.java index e3b03c9..1289d02 100644 --- a/service/src/main/java/io/mifos/reporting/service/ReportingConfiguration.java +++ b/service/src/main/java/io/mifos/reporting/service/ReportingConfiguration.java @@ -29,6 +29,7 @@ import org.springframework.cloud.client.discovery.EnableDiscoveryClient; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.ComponentScan; import org.springframework.context.annotation.Configuration; +import org.springframework.data.jpa.repository.config.EnableJpaRepositories; import org.springframework.web.servlet.config.annotation.PathMatchConfigurer; import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter; @@ -43,6 +44,7 @@ import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter @EnableMariaDB @EnableAnubis @EnableServiceException +@EnableJpaRepositories(basePackages = { "io.mifos.reporting.service.internal.repository" }) @ComponentScan({ "io.mifos.reporting.service.rest", "io.mifos.reporting.service.internal" diff --git a/service/src/main/java/io/mifos/reporting/service/internal/repository/DummyEntity.java b/service/src/main/java/io/mifos/reporting/service/internal/repository/DummyEntity.java new file mode 100644 index 0000000..0f36a7e --- /dev/null +++ b/service/src/main/java/io/mifos/reporting/service/internal/repository/DummyEntity.java @@ -0,0 +1,38 @@ +/* + * Copyright 2016 The Mifos Initiative. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package io.mifos.reporting.service.internal.repository; + +import javax.persistence.Entity; +import javax.persistence.Id; + +@Entity +public class DummyEntity { + + @Id + private Long id; + + public DummyEntity() { + super(); + } + + public Long getId() { + return id; + } + + public void setId(Long id) { + this.id = id; + } +} diff --git a/service/src/main/java/io/mifos/reporting/service/internal/repository/DummyRepository.java b/service/src/main/java/io/mifos/reporting/service/internal/repository/DummyRepository.java new file mode 100644 index 0000000..20baf0e --- /dev/null +++ b/service/src/main/java/io/mifos/reporting/service/internal/repository/DummyRepository.java @@ -0,0 +1,23 @@ +/* + * Copyright 2016 The Mifos Initiative. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package io.mifos.reporting.service.internal.repository; + +import org.springframework.data.jpa.repository.JpaRepository; +import org.springframework.stereotype.Repository; + +@Repository +public interface DummyRepository extends JpaRepository { +} diff --git a/service/src/main/java/io/mifos/reporting/service/internal/specification/CustomerListReportSpecification.java b/service/src/main/java/io/mifos/reporting/service/internal/specification/CustomerListReportSpecification.java index f56657f..c799f68 100644 --- a/service/src/main/java/io/mifos/reporting/service/internal/specification/CustomerListReportSpecification.java +++ b/service/src/main/java/io/mifos/reporting/service/internal/specification/CustomerListReportSpecification.java @@ -50,11 +50,22 @@ import java.util.stream.Collectors; @Report(category = "Customer", identifier = "Listing") public class CustomerListReportSpecification implements ReportSpecification { + private static final String DATE_RANGE = "Date range"; + private static final String STATE = "State"; + private static final String CUSTOMER = "Customer"; + private static final String FIRST_NAME = "First name"; + private static final String MIDDLE_NAME = "Middle name"; + private static final String LAST_NAME = "Last name"; + private static final String ACCOUNT_NUMBER = "Account number"; + private static final String ADDRESS = "Address"; + private final Logger logger; + private final EntityManager entityManager; private final HashMap customerColumnMapping = new HashMap<>(); private final HashMap addressColumnMapping = new HashMap<>(); private final HashMap accountColumnMapping = new HashMap<>(); + private final HashMap allColumnMapping = new HashMap<>(); @Autowired public CustomerListReportSpecification(@Qualifier(ServiceConstants.LOGGER_NAME) final Logger logger, @@ -104,13 +115,13 @@ public class CustomerListReportSpecification implements ReportSpecification { public void validate(final ReportRequest reportRequest) throws IllegalArgumentException { final ArrayList unknownFields = new ArrayList<>(); reportRequest.getQueryParameters().forEach(queryParameter -> { - if (!this.customerColumnMapping.keySet().contains(queryParameter.getName())) { + if (!this.allColumnMapping.keySet().contains(queryParameter.getName())) { unknownFields.add(queryParameter.getName()); } }); reportRequest.getDisplayableFields().forEach(displayableField -> { - if (!this.customerColumnMapping.keySet().contains(displayableField.getName())) { + if (!this.allColumnMapping.keySet().contains(displayableField.getName())) { unknownFields.add(displayableField.getName()); } }); @@ -123,16 +134,20 @@ public class CustomerListReportSpecification implements ReportSpecification { } private void initializeMapping() { - this.customerColumnMapping.put("Date Range", "cst.created_on"); - this.customerColumnMapping.put("State", "cst.current_state"); - this.customerColumnMapping.put("Customer", "cst.identifier"); - this.customerColumnMapping.put("First name", "cst.given_name"); - this.customerColumnMapping.put("Middle Name", "cst.middle_name"); - this.customerColumnMapping.put("Last Name", "cst.surname"); + this.customerColumnMapping.put(DATE_RANGE, "cst.created_on"); + this.customerColumnMapping.put(STATE, "cst.current_state"); + this.customerColumnMapping.put(CUSTOMER, "cst.identifier"); + this.customerColumnMapping.put(FIRST_NAME, "cst.given_name"); + this.customerColumnMapping.put(MIDDLE_NAME, "cst.middle_name"); + this.customerColumnMapping.put(LAST_NAME, "cst.surname"); - this.accountColumnMapping.put("Account number", "acc.identifier, acc.balance"); + this.accountColumnMapping.put(ACCOUNT_NUMBER, "acc.identifier, acc.balance"); - this.addressColumnMapping.put("Address", "CONCAT(adr.street, ', ', adr.postal_code, ', ', adr.city)"); + this.addressColumnMapping.put(ADDRESS, "CONCAT(adr.street, ', ', adr.postal_code, ', ', adr.city)"); + + this.allColumnMapping.putAll(customerColumnMapping); + this.allColumnMapping.putAll(accountColumnMapping); + this.allColumnMapping.putAll(addressColumnMapping); } private Header createHeader(final List displayableFields) { @@ -152,15 +167,34 @@ public class CustomerListReportSpecification implements ReportSpecification { customerResultList.forEach(result -> { final Row row = new Row(); row.setValues(new ArrayList<>()); - final Object[] resultValues = (Object[]) result; - for (final Object resultValue : resultValues) { + + final String customerIdentifier; + + if (result instanceof Object[]) { + final Object[] resultValues = (Object[]) result; + + customerIdentifier = resultValues[0].toString(); + + for (final Object resultValue : resultValues) { + final Value value = new Value(); + if (resultValue != null) { + value.setValues(new String[]{resultValue.toString()}); + } else { + value.setValues(new String[]{}); + } + + row.getValues().add(value); + } + } else { + customerIdentifier = result.toString(); + final Value value = new Value(); - value.setValues(new String[]{resultValue.toString()}); + value.setValues(new String[]{result.toString()}); row.getValues().add(value); } - final DecimalFormat decimalFormat = new DecimalFormat(".##"); - final Query accountQuery = this.entityManager.createNativeQuery(this.buildAccountQuery(reportRequest, resultValues[0].toString())); + final DecimalFormat decimalFormat = new DecimalFormat("0.##"); + final Query accountQuery = this.entityManager.createNativeQuery(this.buildAccountQuery(reportRequest, customerIdentifier)); final List accountResultList = accountQuery.getResultList(); final ArrayList values = new ArrayList<>(); accountResultList.forEach(accountResult -> { @@ -175,7 +209,7 @@ public class CustomerListReportSpecification implements ReportSpecification { accountValue.setValues(values.toArray(new String[values.size()])); row.getValues().add(accountValue); - final String addressQueryString = this.buildAddressQuery(reportRequest, resultValues[0].toString()); + final String addressQueryString = this.buildAddressQuery(reportRequest, customerIdentifier); if (addressQueryString != null) { final Query addressQuery = this.entityManager.createNativeQuery(addressQueryString); final List resultList = addressQuery.getResultList(); @@ -192,19 +226,19 @@ public class CustomerListReportSpecification implements ReportSpecification { private List buildQueryParameters() { return Arrays.asList( - QueryParameterBuilder.create("Date range", Type.DATE).operator(QueryParameter.Operator.BETWEEN).build(), - QueryParameterBuilder.create("State", Type.TEXT).operator(QueryParameter.Operator.IN).build() + QueryParameterBuilder.create(DATE_RANGE, Type.DATE).operator(QueryParameter.Operator.BETWEEN).build(), + QueryParameterBuilder.create(STATE, Type.TEXT).operator(QueryParameter.Operator.IN).build() ); } private List buildDisplayableFields() { return Arrays.asList( - DisplayableFieldBuilder.create("Customer", Type.TEXT).mandatory().build(), - DisplayableFieldBuilder.create("First name", Type.TEXT).build(), - DisplayableFieldBuilder.create("Middle name", Type.TEXT).build(), - DisplayableFieldBuilder.create("Last name", Type.TEXT).build(), - DisplayableFieldBuilder.create("Account number", Type.TEXT).mandatory().build(), - DisplayableFieldBuilder.create("Address", Type.TEXT).build() + DisplayableFieldBuilder.create(CUSTOMER, Type.TEXT).mandatory().build(), + DisplayableFieldBuilder.create(FIRST_NAME, Type.TEXT).build(), + DisplayableFieldBuilder.create(MIDDLE_NAME, Type.TEXT).build(), + DisplayableFieldBuilder.create(LAST_NAME, Type.TEXT).build(), + DisplayableFieldBuilder.create(ACCOUNT_NUMBER, Type.TEXT).mandatory().build(), + DisplayableFieldBuilder.create(ADDRESS, Type.TEXT).build() ); } @@ -228,9 +262,14 @@ public class CustomerListReportSpecification implements ReportSpecification { if (!queryParameters.isEmpty()) { query.append(" WHERE "); final ArrayList criteria = new ArrayList<>(); - queryParameters.forEach(queryParameter -> criteria.add( - CriteriaBuilder.buildCriteria(this.customerColumnMapping.get(queryParameter.getName()), queryParameter)) - ); + queryParameters.forEach(queryParameter -> { + if(queryParameter.getValue() != null && !queryParameter.getValue().isEmpty()) { + criteria.add( + CriteriaBuilder.buildCriteria(this.customerColumnMapping.get(queryParameter.getName()), queryParameter) + ); + } + }); + query.append(criteria.stream().collect(Collectors.joining(" AND "))); } query.append(" ORDER BY cst.identifier"); @@ -275,10 +314,9 @@ public class CustomerListReportSpecification implements ReportSpecification { if (!columns.isEmpty()) { return "SELECT " + columns.stream().collect(Collectors.joining(", ")) + " " + - "FROM thoth_accounts acc " + - "LEFT JOIN maat_customers cst on acc.holders = cst.identifier " + - "WHERE cst.identifier ='" + customerIdentifier + "' " + - "ORDER BY acc.identifier"; + "FROM maat_addresses adr " + + "LEFT JOIN maat_customers cst on adr.id = cst.address_id " + + "WHERE cst.identifier ='" + customerIdentifier + "' "; } return null; } diff --git a/service/src/main/java/io/mifos/reporting/service/spi/CriteriaBuilder.java b/service/src/main/java/io/mifos/reporting/service/spi/CriteriaBuilder.java index a0dc841..53157b6 100644 --- a/service/src/main/java/io/mifos/reporting/service/spi/CriteriaBuilder.java +++ b/service/src/main/java/io/mifos/reporting/service/spi/CriteriaBuilder.java @@ -27,8 +27,18 @@ import java.util.stream.Collectors; public class CriteriaBuilder { // https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet - private static final Encoder ENCODER = ESAPI.encoder(); - private static final MySQLCodec MY_SQL_CODEC = new MySQLCodec(MySQLCodec.Mode.ANSI); + public static Encoder ENCODER; + public static MySQLCodec MY_SQL_CODEC; + + static { + // TODO move this code into bean + try { + ENCODER = ESAPI.encoder(); + MY_SQL_CODEC = new MySQLCodec(MySQLCodec.Mode.ANSI); + } catch(final Exception e) { + System.out.println(e.getMessage()); + } + } private CriteriaBuilder() { super(); @@ -67,6 +77,7 @@ public class CriteriaBuilder { .map(s -> "'" + CriteriaBuilder.ENCODER.encodeForSQL(CriteriaBuilder.MY_SQL_CODEC, s) + "'") .collect(Collectors.joining(",")) ); + criteria.append(")"); break; case BETWEEN: final String[] splitString = queryParameter.getValue().split("\\.\\."); diff --git a/service/src/main/resources/ESAPI.properties b/service/src/main/resources/ESAPI.properties new file mode 100644 index 0000000..1dedfe6 --- /dev/null +++ b/service/src/main/resources/ESAPI.properties @@ -0,0 +1,452 @@ +# +# OWASP Enterprise Security API (ESAPI) Properties file -- PRODUCTION Version +# +# This file is part of the Open Web Application Security Project (OWASP) +# Enterprise Security API (ESAPI) project. For details, please see +# http://www.owasp.org/index.php/ESAPI. +# +# Copyright (c) 2008,2009 - The OWASP Foundation +# +# DISCUSS: This may cause a major backwards compatibility issue, etc. but +# from a name space perspective, we probably should have prefaced +# all the property names with ESAPI or at least OWASP. Otherwise +# there could be problems is someone loads this properties file into +# the System properties. We could also put this file into the +# esapi.jar file (perhaps as a ResourceBundle) and then allow an external +# ESAPI properties be defined that would overwrite these defaults. +# That keeps the application's properties relatively simple as usually +# they will only want to override a few properties. If looks like we +# already support multiple override levels of this in the +# DefaultSecurityConfiguration class, but I'm suggesting placing the +# defaults in the esapi.jar itself. That way, if the jar is signed, +# we could detect if those properties had been tampered with. (The +# code to check the jar signatures is pretty simple... maybe 70-90 LOC, +# but off course there is an execution penalty (similar to the way +# that the separate sunjce.jar used to be when a class from it was +# first loaded). Thoughts? +############################################################################### +# +# WARNING: Operating system protection should be used to lock down the .esapi +# resources directory and all the files inside and all the directories all the +# way up to the root directory of the file system. Note that if you are using +# file-based implementations, that some files may need to be read-write as they +# get updated dynamically. +# +# Before using, be sure to update the MasterKey and MasterSalt as described below. +# N.B.: If you had stored data that you have previously encrypted with ESAPI 1.4, +# you *must* FIRST decrypt it using ESAPI 1.4 and then (if so desired) +# re-encrypt it with ESAPI 2.0. If you fail to do this, you will NOT be +# able to decrypt your data with ESAPI 2.0. +# +# YOU HAVE BEEN WARNED!!! More details are in the ESAPI 2.0 Release Notes. +# +#=========================================================================== +# ESAPI Configuration +# +# If true, then print all the ESAPI properties set here when they are loaded. +# If false, they are not printed. Useful to reduce output when running JUnit tests. +# If you need to troubleshoot a properties related problem, turning this on may help. +# This is 'false' in the src/test/resources/.esapi version. It is 'true' by +# default for reasons of backward compatibility with earlier ESAPI versions. +ESAPI.printProperties=true + +# ESAPI is designed to be easily extensible. You can use the reference implementation +# or implement your own providers to take advantage of your enterprise's security +# infrastructure. The functions in ESAPI are referenced using the ESAPI locator, like: +# +# String ciphertext = +# ESAPI.encryptor().encrypt("Secret message"); // Deprecated in 2.0 +# CipherText cipherText = +# ESAPI.encryptor().encrypt(new PlainText("Secret message")); // Preferred +# +# Below you can specify the classname for the provider that you wish to use in your +# application. The only requirement is that it implement the appropriate ESAPI interface. +# This allows you to switch security implementations in the future without rewriting the +# entire application. +# +# ExperimentalAccessController requires ESAPI-AccessControlPolicy.xml in .esapi directory +ESAPI.AccessControl=org.owasp.esapi.reference.DefaultAccessController +# FileBasedAuthenticator requires users.txt file in .esapi directory +ESAPI.Authenticator=org.owasp.esapi.reference.FileBasedAuthenticator +ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder +ESAPI.Encryptor=org.owasp.esapi.reference.crypto.JavaEncryptor + +ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor +ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities +ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector +# Log4JFactory Requires log4j.xml or log4j.properties in classpath - http://www.laliluna.de/log4j-tutorial.html +ESAPI.Logger=org.owasp.esapi.reference.Log4JLogFactory +#ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory +ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer +ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator + +#=========================================================================== +# ESAPI Authenticator +# +Authenticator.AllowedLoginAttempts=3 +Authenticator.MaxOldPasswordHashes=13 +Authenticator.UsernameParameterName=username +Authenticator.PasswordParameterName=password +# RememberTokenDuration (in days) +Authenticator.RememberTokenDuration=14 +# Session Timeouts (in minutes) +Authenticator.IdleTimeoutDuration=20 +Authenticator.AbsoluteTimeoutDuration=120 + +#=========================================================================== +# ESAPI Encoder +# +# ESAPI canonicalizes input before validation to prevent bypassing filters with encoded attacks. +# Failure to canonicalize input is a very common mistake when implementing validation schemes. +# Canonicalization is automatic when using the ESAPI Validator, but you can also use the +# following code to canonicalize data. +# +# ESAPI.Encoder().canonicalize( "%22hello world"" ); +# +# Multiple encoding is when a single encoding format is applied multiple times. Allowing +# multiple encoding is strongly discouraged. +Encoder.AllowMultipleEncoding=false + +# Mixed encoding is when multiple different encoding formats are applied, or when +# multiple formats are nested. Allowing multiple encoding is strongly discouraged. +Encoder.AllowMixedEncoding=false + +# The default list of codecs to apply when canonicalizing untrusted data. The list should include the codecs +# for all downstream interpreters or decoders. For example, if the data is likely to end up in a URL, HTML, or +# inside JavaScript, then the list of codecs below is appropriate. The order of the list is not terribly important. +Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec + + +#=========================================================================== +# ESAPI Encryption +# +# The ESAPI Encryptor provides basic cryptographic functions with a simplified API. +# To get started, generate a new key using java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor +# There is not currently any support for key rotation, so be careful when changing your key and salt as it +# will invalidate all signed, encrypted, and hashed data. +# +# WARNING: Not all combinations of algorithms and key lengths are supported. +# If you choose to use a key length greater than 128, you MUST download the +# unlimited strength policy files and install in the lib directory of your JRE/JDK. +# See http://java.sun.com/javase/downloads/index.jsp for more information. +# +# Backward compatibility with ESAPI Java 1.4 is supported by the two deprecated API +# methods, Encryptor.encrypt(String) and Encryptor.decrypt(String). However, whenever +# possible, these methods should be avoided as they use ECB cipher mode, which in almost +# all circumstances a poor choice because of it's weakness. CBC cipher mode is the default +# for the new Encryptor encrypt / decrypt methods for ESAPI Java 2.0. In general, you +# should only use this compatibility setting if you have persistent data encrypted with +# version 1.4 and even then, you should ONLY set this compatibility mode UNTIL +# you have decrypted all of your old encrypted data and then re-encrypted it with +# ESAPI 2.0 using CBC mode. If you have some reason to mix the deprecated 1.4 mode +# with the new 2.0 methods, make sure that you use the same cipher algorithm for both +# (256-bit AES was the default for 1.4; 128-bit is the default for 2.0; see below for +# more details.) Otherwise, you will have to use the new 2.0 encrypt / decrypt methods +# where you can specify a SecretKey. (Note that if you are using the 256-bit AES, +# that requires downloading the special jurisdiction policy files mentioned above.) +# +# ***** IMPORTANT: Do NOT forget to replace these with your own values! ***** +# To calculate these values, you can run: +# java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor +# +Encryptor.MasterKey=tzfztf56ftv +Encryptor.MasterSalt=123456ztrewq + +# Provides the default JCE provider that ESAPI will "prefer" for its symmetric +# encryption and hashing. (That is it will look to this provider first, but it +# will defer to other providers if the requested algorithm is not implemented +# by this provider.) If left unset, ESAPI will just use your Java VM's current +# preferred JCE provider, which is generally set in the file +# "$JAVA_HOME/jre/lib/security/java.security". +# +# The main intent of this is to allow ESAPI symmetric encryption to be +# used with a FIPS 140-2 compliant crypto-module. For details, see the section +# "Using ESAPI Symmetric Encryption with FIPS 140-2 Cryptographic Modules" in +# the ESAPI 2.0 Symmetric Encryption User Guide, at: +# http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html +# However, this property also allows you to easily use an alternate JCE provider +# such as "Bouncy Castle" without having to make changes to "java.security". +# See Javadoc for SecurityProviderLoader for further details. If you wish to use +# a provider that is not known to SecurityProviderLoader, you may specify the +# fully-qualified class name of the JCE provider class that implements +# java.security.Provider. If the name contains a '.', this is interpreted as +# a fully-qualified class name that implements java.security.Provider. +# +# NOTE: Setting this property has the side-effect of changing it in your application +# as well, so if you are using JCE in your application directly rather than +# through ESAPI (you wouldn't do that, would you? ;-), it will change the +# preferred JCE provider there as well. +# +# Default: Keeps the JCE provider set to whatever JVM sets it to. +Encryptor.PreferredJCEProvider= + +# AES is the most widely used and strongest encryption algorithm. This +# should agree with your Encryptor.CipherTransformation property. +# By default, ESAPI Java 1.4 uses "PBEWithMD5AndDES" and which is +# very weak. It is essentially a password-based encryption key, hashed +# with MD5 around 1K times and then encrypted with the weak DES algorithm +# (56-bits) using ECB mode and an unspecified padding (it is +# JCE provider specific, but most likely "NoPadding"). However, 2.0 uses +# "AES/CBC/PKCSPadding". If you want to change these, change them here. +# Warning: This property does not control the default reference implementation for +# ESAPI 2.0 using JavaEncryptor. Also, this property will be dropped +# in the future. +# @deprecated +Encryptor.EncryptionAlgorithm=AES +# For ESAPI Java 2.0 - New encrypt / decrypt methods use this. +Encryptor.CipherTransformation=AES/CBC/PKCS5Padding + +# Applies to ESAPI 2.0 and later only! +# Comma-separated list of cipher modes that provide *BOTH* +# confidentiality *AND* message authenticity. (NIST refers to such cipher +# modes as "combined modes" so that's what we shall call them.) If any of these +# cipher modes are used then no MAC is calculated and stored +# in the CipherText upon encryption. Likewise, if one of these +# cipher modes is used with decryption, no attempt will be made +# to validate the MAC contained in the CipherText object regardless +# of whether it contains one or not. Since the expectation is that +# these cipher modes support support message authenticity already, +# injecting a MAC in the CipherText object would be at best redundant. +# +# Note that as of JDK 1.5, the SunJCE provider does not support *any* +# of these cipher modes. Of these listed, only GCM and CCM are currently +# NIST approved. YMMV for other JCE providers. E.g., Bouncy Castle supports +# GCM and CCM with "NoPadding" mode, but not with "PKCS5Padding" or other +# padding modes. +Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC + +# Applies to ESAPI 2.0 and later only! +# Additional cipher modes allowed for ESAPI 2.0 encryption. These +# cipher modes are in _addition_ to those specified by the property +# 'Encryptor.cipher_modes.combined_modes'. +# Note: We will add support for streaming modes like CFB & OFB once +# we add support for 'specified' to the property 'Encryptor.ChooseIVMethod' +# (probably in ESAPI 2.1). +# DISCUSS: Better name? +Encryptor.cipher_modes.additional_allowed=CBC + +# 128-bit is almost always sufficient and appears to be more resistant to +# related key attacks than is 256-bit AES. Use '_' to use default key size +# for cipher algorithms (where it makes sense because the algorithm supports +# a variable key size). Key length must agree to what's provided as the +# cipher transformation, otherwise this will be ignored after logging a +# warning. +# +# NOTE: This is what applies BOTH ESAPI 1.4 and 2.0. See warning above about mixing! +Encryptor.EncryptionKeyLength=128 + +# Because 2.0 uses CBC mode by default, it requires an initialization vector (IV). +# (All cipher modes except ECB require an IV.) There are two choices: we can either +# use a fixed IV known to both parties or allow ESAPI to choose a random IV. While +# the IV does not need to be hidden from adversaries, it is important that the +# adversary not be allowed to choose it. Also, random IVs are generally much more +# secure than fixed IVs. (In fact, it is essential that feed-back cipher modes +# such as CFB and OFB use a different IV for each encryption with a given key so +# in such cases, random IVs are much preferred. By default, ESAPI 2.0 uses random +# IVs. If you wish to use 'fixed' IVs, set 'Encryptor.ChooseIVMethod=fixed' and +# uncomment the Encryptor.fixedIV. +# +# Valid values: random|fixed|specified 'specified' not yet implemented; planned for 2.1 +Encryptor.ChooseIVMethod=random +# If you choose to use a fixed IV, then you must place a fixed IV here that +# is known to all others who are sharing your secret key. The format should +# be a hex string that is the same length as the cipher block size for the +# cipher algorithm that you are using. The following is an *example* for AES +# from an AES test vector for AES-128/CBC as described in: +# NIST Special Publication 800-38A (2001 Edition) +# "Recommendation for Block Cipher Modes of Operation". +# (Note that the block size for AES is 16 bytes == 128 bits.) +# +Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f + +# Whether or not CipherText should use a message authentication code (MAC) with it. +# This prevents an adversary from altering the IV as well as allowing a more +# fool-proof way of determining the decryption failed because of an incorrect +# key being supplied. This refers to the "separate" MAC calculated and stored +# in CipherText, not part of any MAC that is calculated as a result of a +# "combined mode" cipher mode. +# +# If you are using ESAPI with a FIPS 140-2 cryptographic module, you *must* also +# set this property to false. +Encryptor.CipherText.useMAC=true + +# Whether or not the PlainText object may be overwritten and then marked +# eligible for garbage collection. If not set, this is still treated as 'true'. +Encryptor.PlainText.overwrite=true + +# Do not use DES except in a legacy situations. 56-bit is way too small key size. +#Encryptor.EncryptionKeyLength=56 +#Encryptor.EncryptionAlgorithm=DES + +# TripleDES is considered strong enough for most purposes. +# Note: There is also a 112-bit version of DESede. Using the 168-bit version +# requires downloading the special jurisdiction policy from Sun. +#Encryptor.EncryptionKeyLength=168 +#Encryptor.EncryptionAlgorithm=DESede + +Encryptor.HashAlgorithm=SHA-512 +Encryptor.HashIterations=1024 +Encryptor.DigitalSignatureAlgorithm=SHA1withDSA +Encryptor.DigitalSignatureKeyLength=1024 +Encryptor.RandomAlgorithm=SHA1PRNG +Encryptor.CharacterEncoding=UTF-8 + +# This is the Pseudo Random Function (PRF) that ESAPI's Key Derivation Function +# (KDF) normally uses. Note this is *only* the PRF used for ESAPI's KDF and +# *not* what is used for ESAPI's MAC. (Currently, HmacSHA1 is always used for +# the MAC, mostly to keep the overall size at a minimum.) +# +# Currently supported choices for JDK 1.5 and 1.6 are: +# HmacSHA1 (160 bits), HmacSHA256 (256 bits), HmacSHA384 (384 bits), and +# HmacSHA512 (512 bits). +# Note that HmacMD5 is *not* supported for the PRF used by the KDF even though +# the JDKs support it. See the ESAPI 2.0 Symmetric Encryption User Guide +# further details. +Encryptor.KDF.PRF=HmacSHA256 +#=========================================================================== +# ESAPI HttpUtilties +# +# The HttpUtilities provide basic protections to HTTP requests and responses. Primarily these methods +# protect against malicious data from attackers, such as unprintable characters, escaped characters, +# and other simple attacks. The HttpUtilities also provides utility methods for dealing with cookies, +# headers, and CSRF tokens. +# +# Default file upload location (remember to escape backslashes with \\) +HttpUtilities.UploadDir=C:\\ESAPI\\testUpload +HttpUtilities.UploadTempDir=C:\\temp +# Force flags on cookies, if you use HttpUtilities to set cookies +HttpUtilities.ForceHttpOnlySession=false +HttpUtilities.ForceSecureSession=false +HttpUtilities.ForceHttpOnlyCookies=true +HttpUtilities.ForceSecureCookies=true +# Maximum size of HTTP headers +HttpUtilities.MaxHeaderSize=4096 +# File upload configuration +HttpUtilities.ApprovedUploadExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.war,.jar,.ear,.xls,.rtf,.properties,.java,.class,.txt,.xml,.jsp,.jsf,.exe,.dll +HttpUtilities.MaxUploadFileBytes=500000000 +# Using UTF-8 throughout your stack is highly recommended. That includes your database driver, +# container, and any other technologies you may be using. Failure to do this may expose you +# to Unicode transcoding injection attacks. Use of UTF-8 does not hinder internationalization. +HttpUtilities.ResponseContentType=text/html; charset=UTF-8 +# This is the name of the cookie used to represent the HTTP session +# Typically this will be the default "JSESSIONID" +HttpUtilities.HttpSessionIdName=JSESSIONID + + + +#=========================================================================== +# ESAPI Executor +# CHECKME - Not sure what this is used for, but surely it should be made OS independent. +Executor.WorkingDirectory=C:\\Windows\\Temp +Executor.ApprovedExecutables=C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\runas.exe + + +#=========================================================================== +# ESAPI Logging +# Set the application name if these logs are combined with other applications +Logger.ApplicationName=ExampleApplication +# If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true +Logger.LogEncodingRequired=false +# Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments. +Logger.LogApplicationName=true +# Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments. +Logger.LogServerIP=true +# LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you +# want to place it in a specific directory. +Logger.LogFileName=ESAPI_logging_file +# MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000) +Logger.MaxLogFileSize=10000000 + + +#=========================================================================== +# ESAPI Intrusion Detection +# +# Each event has a base to which .count, .interval, and .action are added +# The IntrusionException will fire if we receive "count" events within "interval" seconds +# The IntrusionDetector is configurable to take the following actions: log, logout, and disable +# (multiple actions separated by commas are allowed e.g. event.test.actions=log,disable +# +# Custom Events +# Names must start with "event." as the base +# Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here +# You can also disable intrusion detection completely by changing +# the following parameter to true +# +IntrusionDetector.Disable=false +# +IntrusionDetector.event.test.count=2 +IntrusionDetector.event.test.interval=10 +IntrusionDetector.event.test.actions=disable,log + +# Exception Events +# All EnterpriseSecurityExceptions are registered automatically +# Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException +# Use the fully qualified classname of the exception as the base + +# any intrusion is an attack +IntrusionDetector.org.owasp.esapi.errors.IntrusionException.count=1 +IntrusionDetector.org.owasp.esapi.errors.IntrusionException.interval=1 +IntrusionDetector.org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout + +# for test purposes +# CHECKME: Shouldn't there be something in the property name itself that designates +# that these are for testing??? +IntrusionDetector.org.owasp.esapi.errors.IntegrityException.count=10 +IntrusionDetector.org.owasp.esapi.errors.IntegrityException.interval=5 +IntrusionDetector.org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout + +# rapid validation errors indicate scans or attacks in progress +# org.owasp.esapi.errors.ValidationException.count=10 +# org.owasp.esapi.errors.ValidationException.interval=10 +# org.owasp.esapi.errors.ValidationException.actions=log,logout + +# sessions jumping between hosts indicates session hijacking +IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.count=2 +IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.interval=10 +IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout + + +#=========================================================================== +# ESAPI Validation +# +# The ESAPI Validator works on regular expressions with defined names. You can define names +# either here, or you may define application specific patterns in a separate file defined below. +# This allows enterprises to specify both organizational standards as well as application specific +# validation rules. +# +Validator.ConfigurationFile=validation.properties + +# Validators used by ESAPI +Validator.AccountName=^[a-zA-Z0-9]{3,20}$ +Validator.SystemCommand=^[a-zA-Z\\-\\/]{1,64}$ +Validator.RoleName=^[a-z]{1,20}$ + +#the word TEST below should be changed to your application +#name - only relative URL's are supported +Validator.Redirect=^\\/test.*$ + +# Global HTTP Validation Rules +# Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=] +Validator.HTTPScheme=^(http|https)$ +Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$ +Validator.HTTPParameterName=^[a-zA-Z0-9_]{1,32}$ +Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=@_ ]*$ +Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$ +Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$ +Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,32}$ +Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ +Validator.HTTPContextPath=^\\/?[a-zA-Z0-9.\\-\\/_]*$ +Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$ +Validator.HTTPPath=^[a-zA-Z0-9.\\-_]*$ +Validator.HTTPQueryString=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ %]*$ +Validator.HTTPURI=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ +Validator.HTTPURL=^.*$ +Validator.HTTPJSESSIONID=^[A-Z0-9]{10,30}$ + +# Validation of file related input +Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$ +Validator.DirectoryName=^[a-zA-Z0-9:/\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$ + +# Validation of dates. Controls whether or not 'lenient' dates are accepted. +# See DataFormat.setLenient(boolean flag) for further details. +Validator.AcceptLenientDates=false \ No newline at end of file diff --git a/service/src/main/resources/db/migrations/mariadb/V1__initial_setup.sql b/service/src/main/resources/db/migrations/mariadb/V1__initial_setup.sql deleted file mode 100644 index fb1b54e..0000000 --- a/service/src/main/resources/db/migrations/mariadb/V1__initial_setup.sql +++ /dev/null @@ -1,22 +0,0 @@ --- --- Copyright 2017 The Mifos Initiative. --- --- Licensed under the Apache License, Version 2.0 (the "License"); --- you may not use this file except in compliance with the License. --- You may obtain a copy of the License at --- --- http://www.apache.org/licenses/LICENSE-2.0 --- --- Unless required by applicable law or agreed to in writing, software --- distributed under the License is distributed on an "AS IS" BASIS, --- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. --- See the License for the specific language governing permissions and --- limitations under the License. --- - -CREATE TABLE template_samples ( - id BIGINT NOT NULL AUTO_INCREMENT, - identifier VARCHAR(8) NOT NULL, - payload VARCHAR(512) NULL, - CONSTRAINT template_samples_pk PRIMARY KEY (id) -); diff --git a/service/src/main/resources/validation.properties b/service/src/main/resources/validation.properties new file mode 100644 index 0000000..0e9e2d3 --- /dev/null +++ b/service/src/main/resources/validation.properties @@ -0,0 +1,32 @@ +# The ESAPI validator does many security checks on input, such as canonicalization +# and whitelist validation. Note that all of these validation rules are applied *after* +# canonicalization. Double-encoded characters (even with different encodings involved, +# are never allowed. +# +# To use: +# +# First set up a pattern below. You can choose any name you want, prefixed by the word +# "Validation." For example: +# Validation.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$ +# +# Then you can validate in your code against the pattern like this: +# ESAPI.validator().isValidInput("User Email", input, "Email", maxLength, allowNull); +# Where maxLength and allowNull are set for you needs, respectively. +# +# But note, when you use boolean variants of validation functions, you lose critical +# canonicalization. It is preferable to use the "get" methods (which throw exceptions) and +# and use the returned user input which is in canonical form. Consider the following: +# +# try { +# someObject.setEmail(ESAPI.validator().getValidInput("User Email", input, "Email", maxLength, allowNull)); +# + +Validator.SafeString=^[.\\p{Alnum}\\p{Space}]{0,1024}$ +# 2 majuscules, 3 minuscules, 2 chiffres, 1 caract�re sp�cial, +Validator.Password=^(?=.*[A-Z].*[A-Z])(?=.*[.:,;-_+"'?!@#$&*])(?=.*[0-9].*[0-9])(?=.*[a-z].*[a-z].*[a-z]).{8,20}$ +Validator.Digit=^[0-9]{1,20}$ +Validator.Email=^[A-Za-z0-9._%'-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$ +Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ +Validator.URL=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&%\\$#_]*)?$ +Validator.CreditCard=^(\\d{4}[- ]?){3}\\d{4}$ +Validator.SSN=^(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}$ \ No newline at end of file -- To stop receiving notification emails like this one, please contact myrle@apache.org.