Feature internal 58 vulnerabilities (#537)
* internal issue: first 7 vulnerabilities identified by SonarQube

* fix syntax error- missing ;

* added missing catch to try around line 958

* Fixed vulnerabilities

* Fixed syntax errors (missing ;, mismatched curly braces, etc)

* Address new vulnerability with handleClearListValCache and handleClearListStatCache by separating these into two try-catch blocks

* Revert to previous try-catch code

* Uncomment try-catch near line 1318

* fix syntax error

* Line 1318 only handle ParserConfigurationException

* Revert to catching the ValidationException and ParserConfigurationException for else if at line 1318

---------

Co-authored-by: bikegeek <[email protected]>
hankenstein2 and bikegeek authored Jul 10, 2024
1 parent 5db7758 commit 08572ff
Showing 1 changed file with 69 additions and 21 deletions.
90 changes: 69 additions & 21 deletions java/edu/ucar/metviewer/MVServlet.java
Expand Up @@ -1032,12 +1032,15 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) {


// if there is no specified database, print out the list of parameters for debugging
try (PrintWriter printWriter = response.getWriter()) {
try {
PrintWriter printWriter = response.getWriter();
response.setContentType("text/plain");
printWriter.println("howdy from MVServlet");
} catch (IOException e) {
logger.error(e.getMessage());
}
} catch (IOException e) {
logger.error( e.getMessage());
} catch (Exception e) {
logger.error(e.getMessage());
}
}

Expand Down Expand Up @@ -1109,7 +1112,12 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) {

} else {
// if the request is not a file upload, read it directly
requestBody.append(request.getReader().lines().collect(Collectors.joining()));
try {
requestBody.append(request.getReader().lines().collect(Collectors.joining()));
} catch (Exception e) {
logger.error(e.getMessage());
}


}
logger.debug("doPost() - request (" + request.getRemoteHost() + "): " + requestBody);
Expand Down Expand Up @@ -1148,8 +1156,11 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) {
}
}
request.getSession().setAttribute("init_xml", strResp.toString().replace("'", "\""));

request.getRequestDispatcher("/metviewer1.jsp").forward(request, response);
try {
request.getRequestDispatcher("/metviewer1.jsp").forward(request, response);
} catch (IOException | ServletException e) {
logger.error(e.getMessage());
}
}
}
} else {
Expand Down Expand Up @@ -1281,8 +1292,13 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) {
urlXml.appendChild(docResp.createCDATASection(urlOutput));
listDb.appendChild(urlXml);
strResp.append(MVUtil.domSourceToString(docResp));
handleClearListValCache();
handleClearListStatCache();
try {
handleClearListValCache();
handleClearListStatCache();
} catch (ParserConfigurationException e) {
logger.error(e.getMessage());
}

}

// <date> tag, which is used to prevent caching
Expand All @@ -1300,39 +1316,66 @@ else if (nodeCall.tag.equalsIgnoreCase("db_con")) {

// <list_val>
else if (nodeCall.tag.equalsIgnoreCase("list_val")) {
try {
strResp.append(handleListVal(nodeCall, requestBody.toString(), currentDbName));
} catch (ValidationException |ParserConfigurationException e){
logger.info(e.getMessage());
}
}

// <list_stat>
else if (nodeCall.tag.equalsIgnoreCase("list_stat")) {
strResp.append(handleListStat(nodeCall, requestBody.toString(), currentDbName));
try {
strResp.append(handleListStat(nodeCall, requestBody.toString(), currentDbName));
} catch (ParserConfigurationException e) {
logger.error(e.getMessage());
}
}
// <list_val_clear_cache>
else if (nodeCall.tag.equalsIgnoreCase("list_val_clear_cache")) {

strResp.append(handleClearListValCache());
try {
strResp.append(handleClearListValCache());
} catch (ParserConfigurationException e) {
logger.error(e.getMessage());
}
}

// <list_val_cache_keys>
else if (nodeCall.tag.equalsIgnoreCase("list_val_cache_keys")) {

strResp.append(handleListValCacheKeys());
try {
strResp.append(handleListValCacheKeys());
} catch (ParserConfigurationException e) {
logger.error(e.getMessage());
}
}

// <list_stat_clear_cache>
else if (nodeCall.tag.equalsIgnoreCase("list_stat_clear_cache")) {

strResp.append(handleClearListStatCache());
try {
strResp.append(handleClearListStatCache());
} catch (ParserConfigurationException e) {
logger.error(e.getMessage());
}
}

// <list_stat_cache_keys>
else if (nodeCall.tag.equalsIgnoreCase("list_stat_cache_keys")) {
strResp.append(handleListStatCacheKeys());
try {
strResp.append(handleListStatCacheKeys());
} catch (ParserConfigurationException e) {
logger.error(e.getMessage());
}
}

// <plot>
else if (nodeCall.tag.equalsIgnoreCase("plot")) {
strResp.append(handlePlot(requestBody.toString(), currentDbName));
try {
strResp.append(handlePlot(requestBody.toString(), currentDbName));
} catch (ParserConfigurationException | DatabaseException | ValidationException | IOException |
SAXException e) {
logger.error(e.getMessage());
}

}


Expand All @@ -1351,7 +1394,11 @@ else if (nodeCall.tag.equalsIgnoreCase("xml_upload")) {

} else if (nodeCall.tag.equalsIgnoreCase("history")) {
String isShowAll = nodeCall.children[0].value;
strResp.append(getAvailableResults(isShowAll));
try {
strResp.append(getAvailableResults(isShowAll));
} catch (ParserConfigurationException e) {
logger.error(e.getMessage());
}

}

Expand All @@ -1374,12 +1421,13 @@ else if (nodeCall.tag.equalsIgnoreCase("xml_upload")) {
response.setContentType("application/xml;charset=UTF-8");
try (PrintWriter printWriter = response.getWriter()) {
printWriter.append(strResp);
} catch (IOException e) {
logger.info(e.getMessage());
}
}


}
} catch (ParserConfigurationException | FileUploadException | IOException | SAXException | ValidationException
| DatabaseException | ServletException e) {
| ServletException e) {
errorStream.print("doPost() - caught " + e.getClass() + ": " + e.getMessage());
logger.info(INFO_MARKER, "doPost() - caught " + e.getClass() + ": " + e.getMessage());
System.out.println("doPost() - caught " + e.getClass() + ": " + e.getMessage());
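Review bot: The new catch around handlePlot() only logs e.getMessage(), and because DatabaseException was also dropped from the outer handler at the end of this section, a failed plot no longer writes anything to errorStream; the client receives a response with no plot and no error text, where the outer catch previously reported it. Every added catch in this section has the same shape and discards the stack trace (logging the literal "null" when the exception carries no message); at least for the plot branch I would mirror the outer handler, e.g. `errorStream.print("doPost() - caught " + e.getClass() + ": " + e.getMessage());` followed by `logger.error("doPost() - handlePlot failed", e);` (errorStream appears to be in scope here since the outer catch uses it, worth confirming). The list_val branch also logs at info where its siblings use error, and the shared try around handleClearListValCache() and handleClearListStatCache() skips the second call when the first throws, which the description says was reverted deliberately and deserves a comment saying why. doPost() itself starts and ends outside the shown hunks.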
