From dfde473ef88f8be7873385b1ff3357c1f79afe73 Mon Sep 17 00:00:00 2001 From: Andreas Fitzek Date: Thu, 26 Mar 2015 10:04:08 +0100 Subject: added Whitelist for external configuration overwrites --- .../src/main/configuration/pdf-as-web.properties | 7 +++- .../gv/egiz/pdfas/web/config/WebConfiguration.java | 43 +++++++++++++++++++++- .../pdfas/web/helper/ConfigurationOverwrite.java | 35 ++++++++++++++++++ .../at/gv/egiz/pdfas/web/helper/PdfAsHelper.java | 34 ++++------------- 4 files changed, 90 insertions(+), 29 deletions(-) create mode 100644 pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/ConfigurationOverwrite.java diff --git a/pdf-as-web/src/main/configuration/pdf-as-web.properties b/pdf-as-web/src/main/configuration/pdf-as-web.properties index 4f6b0661..71bcf386 100644 --- a/pdf-as-web/src/main/configuration/pdf-as-web.properties +++ b/pdf-as-web/src/main/configuration/pdf-as-web.properties @@ -10,7 +10,12 @@ bku.local.url=http://127.0.0.1:3495/http-security-layer-request bku.mobile.url=https://www.handy-signatur.at/mobile/https-security-layer-request/default.aspx # Allow full configuration overwrite from external sources -allow.ext.overwrite=true +# use with care! +allow.ext.overwrite=false + +# White list entries for properties, that can be overwriten, +# by external components +ext.overwrite.wl.1=^$ ks.enabled=false ks.file=test.p12 diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/config/WebConfiguration.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/config/WebConfiguration.java index 5860b740..ca4f2c50 100644 --- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/config/WebConfiguration.java +++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/config/WebConfiguration.java @@ -50,6 +50,8 @@ public class WebConfiguration implements IConfigurationConstants { public static final String STATISTIC_BACKEND_LIST = "statistic.backends"; public static final String ALLOW_EXT_OVERWRITE = "allow.ext.overwrite"; + public static final String ALLOW_EXT_WHITELIST_VALUE_PRE = "ext.overwrite.wl."; + public static final String MOA_SS_ENABLED = "moa.enabled"; public static final String SOAP_SIGN_ENABLED = "soap.sign.enabled"; public static final String SOAP_VERIFY_ENABLED = "soap.verify.enabled"; @@ -94,11 +96,13 @@ public class WebConfiguration implements IConfigurationConstants { .getLogger(WebConfiguration.class); private static List whiteListregEx = new ArrayList(); - + private static List overwritewhiteListregEx = new ArrayList(); + public static void configure(String config) { properties.clear(); whiteListregEx.clear(); + overwritewhiteListregEx.clear(); try { properties.load(new FileInputStream(config)); @@ -123,6 +127,23 @@ public class WebConfiguration implements IConfigurationConstants { } } } + + if (isAllowExtOverwrite()) { + Iterator keyIt = properties.keySet().iterator(); + while (keyIt.hasNext()) { + Object keyObj = keyIt.next(); + if (keyObj != null) { + String key = keyObj.toString(); + if (key.startsWith(ALLOW_EXT_WHITELIST_VALUE_PRE)) { + String whitelist_expr = properties.getProperty(key); + if (whitelist_expr != null) { + overwritewhiteListregEx.add(whitelist_expr); + logger.debug("Overwrite Whitelist: " + whitelist_expr); + } + } + } + } + } Iterator keyIt = properties.keySet().iterator(); while (keyIt.hasNext()) { @@ -249,6 +270,26 @@ public class WebConfiguration implements IConfigurationConstants { return false; } + public static synchronized boolean isOverwriteAllowed(String key) { + if (isAllowExtOverwrite()) { + + Iterator patterns = whiteListregEx.iterator(); + while (patterns.hasNext()) { + String pattern = patterns.next(); + try { + if (key.matches(pattern)) { + return true; + } + } catch (Throwable e) { + logger.warn("Error in matching regex: " + pattern, e); + } + } + + return false; + } + return false; + } + public static boolean isMoaEnabled(String keyIdentifier) { String value = properties.getProperty(MOA_LIST + "." + keyIdentifier + ".enabled"); if (value != null) { diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/ConfigurationOverwrite.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/ConfigurationOverwrite.java new file mode 100644 index 00000000..3bf20bf4 --- /dev/null +++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/ConfigurationOverwrite.java @@ -0,0 +1,35 @@ +package at.gv.egiz.pdfas.web.helper; + +import java.util.Iterator; +import java.util.Map; +import java.util.Map.Entry; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import at.gv.egiz.pdfas.lib.api.Configuration; +import at.gv.egiz.pdfas.web.config.WebConfiguration; + +public class ConfigurationOverwrite { + + private static final Logger logger = LoggerFactory + .getLogger(ConfigurationOverwrite.class); + + public static void overwriteConfiguration(Map overwrite, + Configuration config) { + if (WebConfiguration.isAllowExtOverwrite() && overwrite != null && config != null) { + Iterator> entryIt = overwrite.entrySet() + .iterator(); + while (entryIt.hasNext()) { + Entry entry = entryIt.next(); + if (WebConfiguration.isOverwriteAllowed(entry.getKey())) { + config.setValue(entry.getKey(), entry.getValue()); + } else { + logger.warn( + "External component tried to overwrite cfg {}. This is not in the whitelist!", + entry.getKey()); + } + } + } + } +} diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java index 53cf5783..52eb8468 100644 --- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java +++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java @@ -36,7 +36,6 @@ import java.security.cert.CertificateException; import java.util.Iterator; import java.util.List; import java.util.Map; -import java.util.Map.Entry; import javax.imageio.ImageIO; import javax.servlet.RequestDispatcher; @@ -362,16 +361,9 @@ public class PdfAsHelper { Configuration config = pdfAs.getConfiguration(); - if (WebConfiguration.isAllowExtOverwrite()) { - Map configOverwrite = PdfAsParameterExtractor.getOverwriteMap(request); - if(configOverwrite != null) { - Iterator> entryIt = configOverwrite.entrySet().iterator(); - while (entryIt.hasNext()) { - Entry entry = entryIt.next(); - config.setValue(entry.getKey(), entry.getValue()); - } - } - } + + Map configOverwrite = PdfAsParameterExtractor.getOverwriteMap(request); + ConfigurationOverwrite.overwriteConfiguration(configOverwrite, config); ByteArrayOutputStream baos = new ByteArrayOutputStream(); @@ -502,6 +494,7 @@ public class PdfAsHelper { // set Signature Position signParameter.setSignaturePosition(buildPosString(request, response)); + @SuppressWarnings("unused") SignResult result = pdfAs.sign(signParameter); return baos.toByteArray(); @@ -523,15 +516,8 @@ public class PdfAsHelper { PDFASSignParameters params) throws Exception { Configuration config = pdfAs.getConfiguration(); - if (WebConfiguration.isAllowExtOverwrite()) { - if (params.getOverrides() != null) { - Iterator> entryIt = params.getOverrides() - .getMap().entrySet().iterator(); - while (entryIt.hasNext()) { - Entry entry = entryIt.next(); - config.setValue(entry.getKey(), entry.getValue()); - } - } + if (WebConfiguration.isAllowExtOverwrite() && params.getOverrides() != null) { + ConfigurationOverwrite.overwriteConfiguration(params.getOverrides().getMap(), config); } ByteArrayOutputStream baos = new ByteArrayOutputStream(); @@ -702,13 +688,7 @@ public class PdfAsHelper { Configuration config = pdfAs.getConfiguration(); session.setAttribute(PDF_CONFIG, config); - if (WebConfiguration.isAllowExtOverwrite() && overwrite != null) { - Iterator> entryIt = overwrite.entrySet().iterator(); - while (entryIt.hasNext()) { - Entry entry = entryIt.next(); - config.setValue(entry.getKey(), entry.getValue()); - } - } + ConfigurationOverwrite.overwriteConfiguration(overwrite, config); ByteArrayOutputStream baos = new ByteArrayOutputStream(); session.setAttribute(PDF_OUTPUT, baos); -- cgit v1.2.3