From 6db76a6e7cae28209ae7273da02ff6b92cbee199 Mon Sep 17 00:00:00 2001
From: Dmitry Toptygin
Date: Fri, 19 Jun 2020 18:06:42 -0400
Subject: [PATCH] addressed vulnerabilities reported by sonar
---
.../RestTemplateConfigurationX509ClientCertAuth.java | 7 ++++---
.../wlan/core/server/security/WebSecurityConfig.java | 1 -
.../core/server/webconfig/CommonControllerAdvice.java | 9 +++++++--
3 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/base-client/src/main/java/com/telecominfraproject/wlan/core/client/RestTemplateConfigurationX509ClientCertAuth.java b/base-client/src/main/java/com/telecominfraproject/wlan/core/client/RestTemplateConfigurationX509ClientCertAuth.java
index 509f762..34be2df 100644
--- a/base-client/src/main/java/com/telecominfraproject/wlan/core/client/RestTemplateConfigurationX509ClientCertAuth.java
+++ b/base-client/src/main/java/com/telecominfraproject/wlan/core/client/RestTemplateConfigurationX509ClientCertAuth.java
@@ -118,12 +118,13 @@ public class RestTemplateConfigurationX509ClientCertAuth {
Principal principal = clientCertificate.getSubjectDN();
subjectDn = principal.getName();
+
+ // Replace pattern-breaking characters
+ subjectDn = subjectDn.replaceAll("[\n|\r|\t]", "_");
+
int startPos = subjectDn.indexOf("CN=") + "CN=".length();
int endPos = subjectDn.indexOf(',', startPos);
subjectDn = subjectDn.substring(startPos, endPos);
-
- // Replace pattern-breaking characters
- subjectDn = subjectDn.replaceAll("[\n|\r|\t]", "_");
LOG.info("X509 client name {}", subjectDn);
return sslCxt;
diff --git a/base-container/src/main/java/com/telecominfraproject/wlan/core/server/security/WebSecurityConfig.java b/base-container/src/main/java/com/telecominfraproject/wlan/core/server/security/WebSecurityConfig.java
index 9ee96cf..5299623 100644
--- a/base-container/src/main/java/com/telecominfraproject/wlan/core/server/security/WebSecurityConfig.java
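Review bot: The CN extraction that now follows the scrub still fails on a subject without a `CN=` RDN or with CN as the last RDN (no trailing comma): `indexOf` returns -1, so `substring(startPos, -1)` throws `StringIndexOutOfBoundsException` and the whole SSL-context build aborts on a certificate with an unusual subject, which moving the `replaceAll` does not address. The character class `"[\n|\r|\t]"` also replaces `|` characters — `"[\n\r\t]"` is what is meant — and splitting on `,` mishandles escaped commas (`\,`) inside RDN values, so `javax.naming.ldap.LdapName` over `getSubjectX500Principal().getName()` (the non-deprecated form of `getSubjectDN()`) is the robust way to pull the CN. Below is the minimal guard that falls back to the full scrubbed DN when no CN is found; the enclosing method starts and ends outside the hunk, and whether `subjectDn` is used beyond the log line is not visible here.
```java
// … unchanged: principal lookup and newline/tab scrubbing …
int cnStart = subjectDn.indexOf("CN=");
if (cnStart >= 0) {
    int valueStart = cnStart + "CN=".length();
    int valueEnd = subjectDn.indexOf(',', valueStart);
    subjectDn = subjectDn.substring(valueStart, valueEnd < 0 ? subjectDn.length() : valueEnd);
}
LOG.info("X509 client name {}", subjectDn);
```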
+++ b/base-container/src/main/java/com/telecominfraproject/wlan/core/server/security/WebSecurityConfig.java
@@ -47,7 +47,6 @@ import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.codec.Hex;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
-import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
diff --git a/base-container/src/main/java/com/telecominfraproject/wlan/core/server/webconfig/CommonControllerAdvice.java b/base-container/src/main/java/com/telecominfraproject/wlan/core/server/webconfig/CommonControllerAdvice.java
index 760849e..0092f00 100644
--- a/base-container/src/main/java/com/telecominfraproject/wlan/core/server/webconfig/CommonControllerAdvice.java
+++ b/base-container/src/main/java/com/telecominfraproject/wlan/core/server/webconfig/CommonControllerAdvice.java
@@ -1,5 +1,7 @@
package com.telecominfraproject.wlan.core.server.webconfig;
+import java.util.regex.Pattern;
+
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
@@ -23,6 +25,8 @@ public class CommonControllerAdvice {
private static final Logger LOG = LoggerFactory.getLogger(CommonControllerAdvice.class);
+ private static Pattern securityRepacementRegexPattern = Pattern.compile("[\n|\r|\t]");
+
/**
* Custom exception handler, it will be applied to all methods (both sync
* and async) on all controllers
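Review bot: The new `securityRepacementRegexPattern` field is a mutable `static` holding a compile-once constant and its character class `[\n|\r|\t]` contains a stray `|`, so the pattern also rewrites pipe characters; it should be `private static final`, named as a constant, and written `"[\n\r\t]"`. Since the goal is to keep injected content out of log lines, widening the class beyond those three characters is worth considering — `\p{Cntrl}` covers `\u0000`–`\u001F` and `\u007F` (including terminal escape sequences), and `\u2028\u2029\u0085` catches the Unicode line separators that also break line-oriented log parsing: `private static final Pattern LOG_SCRUB_PATTERN = Pattern.compile("[\\p{Cntrl}\\u2028\\u2029\\u0085]");` with the two call sites updated to match. The misspelling "Repacement" disappears with the rename.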
@@ -41,7 +45,7 @@ public class CommonControllerAdvice {
// String, String)
StringBuilder msg = new StringBuilder();
// Replace pattern-breaking characters
- msg.append(request.getRequestURI().replaceAll("[\n|\r|\t]", "_"));
+ msg.append(securityRepacementRegexPattern.matcher(request.getRequestURI()).replaceAll( "_"));
String queryString = request.getQueryString();
if (queryString != null) {
@@ -60,7 +64,8 @@ public class CommonControllerAdvice {
}
String user = request.getRemoteUser();
if (user != null) {
- msg.append(";user=").append(user);
+ // Replace pattern-breaking characters
+ msg.append(";user=").append(securityRepacementRegexPattern.matcher(user).replaceAll( "_"));
}
String requestDetails = msg.toString();
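Review bot: The query string read on the hunk's last two lines is appended inside the `if (queryString != null)` body that lies beyond the hunk, and I cannot see from here whether it passes through the same scrub as the URI; the query string is entirely attacker-controlled, so if the elided `append` takes it raw it remains the same CRLF log-injection vector this commit closes for the URI and the user. In that case the elided append should wrap it as `securityRepacementRegexPattern.matcher(queryString).replaceAll("_")`. Minor style point on the added line: `replaceAll( "_")` carries a stray space after the parenthesis. The enclosing handler method starts and ends outside the hunk.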
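Review bot: The scrub expression `securityRepacementRegexPattern.matcher(x).replaceAll( "_")` is now written out inline for the user here and for the URI in the previous hunk, which is exactly how the next log field gets added without it; a one-line private helper keeps every field on the same pattern: `private static String scrubForLog(String value) { return securityRepacementRegexPattern.matcher(value).replaceAll("_"); }` and then `msg.append(";user=").append(scrubForLog(user));`. The `// Replace pattern-breaking characters` comment would then live on the helper instead of being repeated at each call site. The enclosing method continues beyond the hunk.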