src

src/main/java/com/capitalone/dashboard/Application.java

@@ -4,7 +4,7 @@
 
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.builder.SpringApplicationBuilder;
-import org.springframework.boot.web.support.SpringBootServletInitializer;
+import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;
 import org.springframework.context.annotation.Bean;
 
 import com.capitalone.dashboard.config.MongoConfig;

src/main/java/com/capitalone/dashboard/auth/access/MethodLevelSecurityHandler.java

@@ -10,6 +10,8 @@
 import com.capitalone.dashboard.model.Owner;
 import com.capitalone.dashboard.repository.DashboardRepository;
 
+import java.util.Optional;
+
 @Component
 public class MethodLevelSecurityHandler {
 
@@ -21,10 +23,11 @@ public MethodLevelSecurityHandler(DashboardRepository dashboardRepository) {
 	}
 
 	public boolean isOwnerOfDashboard(ObjectId dashboardId) {
-		Dashboard dashboard = dashboardRepository.findOne(dashboardId);
-		if (dashboard == null) {
+		Optional<Dashboard> dashboardOptional = dashboardRepository.findById(dashboardId);
+		if (dashboardOptional.isEmpty()) {
 			return false;
 		}
+		Dashboard dashboard = dashboardOptional.get();
 
 		String username = AuthenticationUtil.getUsernameFromContext();
 		AuthType authType = AuthenticationUtil.getAuthTypeFromContext();

src/main/java/com/capitalone/dashboard/auth/ldap/CustomUserDetailsContextMapper.java

@@ -1,6 +1,7 @@
 package com.capitalone.dashboard.auth.ldap;
 
-import org.apache.log4j.Logger;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.ldap.core.DirContextAdapter;
 import org.springframework.ldap.core.DirContextOperations;
@@ -14,7 +15,7 @@
 @Configuration
 public class CustomUserDetailsContextMapper extends LdapUserDetailsMapper {
 
-    private static final Logger LOGGER = Logger.getLogger(CustomUserDetailsContextMapper.class);
+    private static final Logger LOGGER = LoggerFactory.getLogger(CustomUserDetailsContextMapper.class);
 
     @Override
     public CustomUserDetails mapUserFromContext(DirContextOperations ctx, String username, Collection authorities) {

src/main/java/com/capitalone/dashboard/auth/openid/OpenIdAuthenticationFilter.java

@@ -15,7 +15,7 @@
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 
-@Component
+
 public class OpenIdAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
 
     @Autowired

src/main/java/com/capitalone/dashboard/auth/openid/OpenIdAuthenticationServiceImpl.java

@@ -57,12 +57,12 @@ public OpenIdAuthenticationServiceImpl(AuthProperties authProperties, RestClient
 
     @Override
     public void addAuthentication(HttpServletResponse response, Authentication authentication) {
-        String jwt = Jwts.builder().setSubject(authentication.getName())
+        char[] jwt = Jwts.builder().setSubject(authentication.getName())
                 .claim(DETAILS_CLAIM, authentication.getDetails())
                 .claim(ROLES_CLAIM, getRoles(authentication.getAuthorities()))
                 .setExpiration(new Date(System.currentTimeMillis() + authProperties.getExpirationTime()))
-                .signWith(SignatureAlgorithm.HS512, authProperties.getSecret()).compact();
-        response.addHeader(AUTH_RESPONSE_HEADER, jwt);
+                .signWith(SignatureAlgorithm.HS512, authProperties.getSecret()).compact().toCharArray();
+        response.addHeader(AUTH_RESPONSE_HEADER, String.valueOf(jwt));
 
     }
 

src/main/java/com/capitalone/dashboard/auth/sso/SsoAuthenticationFilter.java

@@ -7,7 +7,9 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.apache.log4j.Logger;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.core.Authentication;
@@ -17,9 +19,9 @@
 
 import com.capitalone.dashboard.auth.AuthenticationResultHandler;
 
-@Component
+
 public class SsoAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
-	private static final Logger LOGGER = Logger.getLogger(SsoAuthenticationFilter.class);
+	private static final Logger LOGGER = LoggerFactory.getLogger(SsoAuthenticationFilter.class);
 
 	@Autowired
 	private SsoAuthenticationService ssoAuthenticationService;

src/main/java/com/capitalone/dashboard/auth/sso/SsoAuthenticationServiceImpl.java

@@ -5,7 +5,8 @@
 import java.util.HashMap;
 import java.util.Map;
 
-import org.apache.log4j.Logger;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
@@ -17,7 +18,7 @@
 
 @Component
 public class SsoAuthenticationServiceImpl implements SsoAuthenticationService {
-	private static final Logger LOGGER = Logger.getLogger(SsoAuthenticationServiceImpl.class);
+	private static final Logger LOGGER = LoggerFactory.getLogger(SsoAuthenticationServiceImpl.class);
 
 	@Autowired
 	private SsoAuthenticationUtil ssoAuthenticationUtil;

src/main/java/com/capitalone/dashboard/auth/sso/SsoAuthenticationUtil.java

@@ -3,7 +3,8 @@
 import java.util.ArrayList;
 import java.util.Map;
 
-import org.apache.log4j.Logger;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
@@ -16,7 +17,7 @@
 
 @Component
 public class SsoAuthenticationUtil {
-	private static final Logger LOGGER = Logger.getLogger(SsoAuthenticationUtil.class);
+	private static final Logger LOGGER = LoggerFactory.getLogger(SsoAuthenticationUtil.class);
 
 	@Autowired
 	private AuthProperties authProperties;

src/main/java/com/capitalone/dashboard/auth/token/JwtAuthenticationFilter.java

@@ -3,7 +3,8 @@
 import com.capitalone.dashboard.util.CommonConstants;
 import org.apache.commons.collections4.MapUtils;
 import org.apache.commons.lang3.StringUtils;
-import org.apache.log4j.Logger;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.core.Authentication;
@@ -25,7 +26,7 @@
 @Order(2)
 public class JwtAuthenticationFilter extends OncePerRequestFilter {
 
-    private static final Logger LOGGER = Logger.getLogger(JwtAuthenticationFilter.class);
+    private static final Logger LOGGER = LoggerFactory.getLogger(JwtAuthenticationFilter.class);
 	private TokenAuthenticationService tokenAuthenticationService;
     private static final String PING = "ping";
 
@@ -116,4 +117,4 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
             }
         }
     }
-}
+}

src/main/java/com/capitalone/dashboard/auth/token/TokenAuthenticationServiceImpl.java

@@ -42,12 +42,12 @@ public TokenAuthenticationServiceImpl(AuthProperties tokenAuthProperties) {
 
 	@Override
 	public void addAuthentication(HttpServletResponse response, Authentication authentication) {
-		String jwt = Jwts.builder().setSubject(authentication.getName())
+		char[] jwt = Jwts.builder().setSubject(authentication.getName())
 				.claim(DETAILS_CLAIM, authentication.getDetails())
 				.claim(ROLES_CLAIM, getRoles(authentication.getAuthorities()))
 				.setExpiration(new Date(System.currentTimeMillis() + tokenAuthProperties.getExpirationTime()))
-				.signWith(SignatureAlgorithm.HS512, tokenAuthProperties.getSecret()).compact();
-		response.addHeader(AUTH_RESPONSE_HEADER, jwt);
+				.signWith(SignatureAlgorithm.HS512, tokenAuthProperties.getSecret()).compact().toCharArray();
+		response.addHeader(AUTH_RESPONSE_HEADER, String.valueOf(jwt));
 	}
 
 	@SuppressWarnings("unchecked")

src/main/java/com/capitalone/dashboard/config/WebSecurityConfig.java

@@ -17,7 +17,8 @@
 import com.capitalone.dashboard.settings.ApiSettings;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.autoconfigure.security.Http401AuthenticationEntryPoint;
+//import org.springframework.boot.autoconfigure.security.Http401AuthenticationEntryPoint;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.ComponentScan;
@@ -34,8 +35,12 @@
 import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.web.client.RestTemplate;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
 
 import java.util.List;
+import java.util.Objects;
+import java.util.stream.Stream;
 
 @Configuration
 @EnableWebSecurity
@@ -64,9 +69,15 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
     @Autowired
     private ApiSettings apiSettings;
 
+    @Value("${cors.allowed-origins:}")
+    private String[] allowedOrigins;
+
     @Override
     protected void configure(HttpSecurity http) throws Exception {
         http.headers().cacheControl();
+        if (Objects.nonNull(allowedOrigins) && allowedOrigins.length > 0) {
+            http.cors().configurationSource(corsConfigSource());
+        }
         http.csrf().disable()
                 .authorizeRequests().antMatchers("/appinfo").permitAll()
                 .antMatchers("/registerUser").permitAll()
@@ -105,8 +116,7 @@ protected void configure(HttpSecurity http) throws Exception {
                 .addFilterBefore(apiTokenRequestFilter(), UsernamePasswordAuthenticationFilter.class)
                 .addFilterBefore(openIdAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
                 .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
-                .addFilterBefore(githubWebhookRequestFilter(), UsernamePasswordAuthenticationFilter.class)
-                .exceptionHandling().authenticationEntryPoint(new Http401AuthenticationEntryPoint("Authorization"));
+                .addFilterBefore(githubWebhookRequestFilter(), UsernamePasswordAuthenticationFilter.class);
     }
 
     @Override
@@ -214,5 +224,15 @@ protected ActiveDirectoryLdapAuthenticationProvider activeDirectoryLdapAuthentic
     public RestClient restClient() {
         return new RestClient(RestTemplate::new);
     }
-
+    private CorsConfigurationSource corsConfigSource() {
+        final CorsConfiguration corsConfig = new CorsConfiguration();
+        corsConfig.addAllowedHeader(CorsConfiguration.ALL);
+        corsConfig.addAllowedMethod(CorsConfiguration.ALL);
+        corsConfig.addExposedHeader("x-authentication-token");
+        Stream.of(allowedOrigins).forEach(
+                origin -> corsConfig.addAllowedOriginPattern(origin)
+        );
+
+        return request -> corsConfig;
+    }
 }

src/main/java/com/capitalone/dashboard/logging/LoggingFilter.java

@@ -9,9 +9,10 @@
 import org.apache.commons.io.output.TeeOutputStream;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.exception.ExceptionUtils;
-import org.apache.log4j.Logger;
 import org.json.simple.parser.JSONParser;
 import org.json.simple.parser.ParseException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.core.annotation.Order;
 import org.springframework.http.HttpMethod;
@@ -57,7 +58,7 @@
 @Order(1)
 public class LoggingFilter implements Filter {
 
-    private static final Logger LOGGER = Logger.getLogger("LoggingFilter");
+    private static final Logger LOGGER = LoggerFactory.getLogger("LoggingFilter");
 
     private static final String API_USER_KEY = "apiUser";
 

src/main/java/com/capitalone/dashboard/request/DashboardRemoteRequest.java

@@ -6,7 +6,6 @@
 import com.capitalone.dashboard.model.CollectorItem;
 import com.capitalone.dashboard.model.CollectorType;
 import com.capitalone.dashboard.model.Owner;
-import com.capitalone.dashboard.model.WhiteSourceComponent;
 import com.capitalone.dashboard.util.GitHubParsedUrl;
 import org.hibernate.validator.constraints.NotEmpty;
 

src/main/java/com/capitalone/dashboard/rest/BuildController.java

@@ -12,6 +12,7 @@
 import com.capitalone.dashboard.service.BuildService;
 import com.capitalone.dashboard.util.CommonConstants;
 import org.bson.types.ObjectId;
+import org.owasp.esapi.ESAPI;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -84,7 +85,7 @@ public ResponseEntity<String> createBuildv2(@Valid @RequestBody BuildDataCreateR
     @RequestMapping(value = "/v3/build", method = POST,
             consumes = APPLICATION_JSON_VALUE, produces = APPLICATION_JSON_VALUE)
     public ResponseEntity<BuildDataCreateResponse> createBuildv3(@Valid @RequestBody BuildDataCreateRequest request) throws HygieiaException {
-        request.setClientReference(httpServletRequest.getHeader(CommonConstants.HEADER_CLIENT_CORRELATION_ID));
+        request.setClientReference(ESAPI.encoder().encodeForHTML(httpServletRequest.getHeader(CommonConstants.HEADER_CLIENT_CORRELATION_ID)));
         String requester = httpServletRequest.getHeader(CommonConstants.HEADER_API_USER);
         BuildDataCreateResponse response = buildService.createV3(request);
         String response_message = "Successfully created/updated build : "+ response.getId();

src/main/java/com/capitalone/dashboard/rest/CollectorController.java

@@ -169,5 +169,4 @@ public ResponseEntity<Void> deletePropertiesCase(@PathVariable String id) {
         collectorService.deletePropertiesInCollectorById(id);
         return ResponseEntity.<Void>noContent().build();
     }
-
-}
+}

src/main/java/com/capitalone/dashboard/rest/CollectorItemController.java

@@ -3,6 +3,7 @@
 import com.capitalone.dashboard.service.CollectorItemService;
 import java.util.Objects;
 import org.apache.commons.lang3.StringUtils;
+import org.owasp.esapi.ESAPI;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
@@ -24,10 +25,11 @@ public CollectorItemController(CollectorItemService collectorItemService){
 
     @RequestMapping(path="/collector-items/cleanup", method = RequestMethod.DELETE)
     public ResponseEntity<String> cleanup(@RequestParam(value = "collectorType", required = true, defaultValue = "") String collectorType, @RequestParam(value = "collectorName", required = true, defaultValue = "") String collectorName) {
-        if (StringUtils.isEmpty(collectorName) || Objects.isNull(collectorType)) {
+
+    	if (StringUtils.isEmpty(ESAPI.encoder().encodeForHTML(collectorName)) || Objects.isNull(ESAPI.encoder().encodeForHTML(collectorType))) {
             return ResponseEntity.status(HttpStatus.BAD_REQUEST).body("Collector type and name are required parameters");
         }
-            return  collectorItemService.cleanup(collectorType, collectorName);
+            return  collectorItemService.cleanup(ESAPI.encoder().encodeForHTML(collectorType), ESAPI.encoder().encodeForHTML(collectorName));
     }
 
 }

src/main/java/com/capitalone/dashboard/rest/DashboardController.java

@@ -14,6 +14,7 @@
 import com.capitalone.dashboard.auth.access.Admin;
 import com.capitalone.dashboard.util.PaginationHeaderUtility;
 import org.bson.types.ObjectId;
+import org.owasp.esapi.ESAPI;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -487,7 +488,7 @@ public ResponseEntity<List<Dashboard>> myDashboardByTitlePage(@RequestParam(valu
     @RequestMapping(value = "/dashboard/removeWidgetDuplicates", method = DELETE)
     public ResponseEntity<String> removeWidgetDuplicates(@RequestParam(value="title", required = false)String title,
     @RequestParam(value="dryRun", required = true, defaultValue = "true") boolean dryRun){
-        String message = dashboardService.removeWidgetDuplicatesHelper(title, dryRun);
+        String message = dashboardService.removeWidgetDuplicatesHelper(ESAPI.encoder().encodeForHTML(title), dryRun);
         return ResponseEntity.ok().body(message);
     }
 }

src/main/java/com/capitalone/dashboard/rest/DefaultTestResultController.java

@@ -22,6 +22,7 @@
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
+import org.owasp.esapi.ESAPI;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.validation.Valid;
@@ -93,17 +94,16 @@ public ResponseEntity<String> createPerfTestV2(@Valid @RequestBody PerfTestDataC
     @RequestMapping(value = "/quality/test-result", method = POST,
             consumes = "application/json;v=3", produces = APPLICATION_JSON_VALUE)
     public ResponseEntity<String> createTest(@Valid @RequestBody TestCreateRequest request) throws HygieiaException {
-        String correlation_id = httpServletRequest.getHeader(CommonConstants.HEADER_CLIENT_CORRELATION_ID);
-        String requester = httpServletRequest.getHeader(CommonConstants.HEADER_API_USER);
-        request.setClientReference(correlation_id);
+        char[] requester = httpServletRequest.getHeader(CommonConstants.HEADER_API_USER).toCharArray();
+        request.setClientReference(ESAPI.encoder().encodeForHTML(httpServletRequest.getHeader(CommonConstants.HEADER_CLIENT_CORRELATION_ID)));
         String response = testResultService.createTest(request);
 
         //temporary fix to ensure backward compatibility
         boolean success = !StringUtils.containsIgnoreCase(response, "Hygieia does not support");
         HttpStatus httpStatus = success ? HttpStatus.CREATED : HttpStatus.BAD_REQUEST;
         String response_status = success ? "success" : "failed";
-        LOGGER.info("correlation_id=" + correlation_id + ", application=hygieia, service=api, uri=" + httpServletRequest.getRequestURI() +
-                        ", requester=" + requester + ", response_status=" + response_status + ", response_code=" + httpStatus.value() +
+        LOGGER.info("correlation_id=" + request.getClientReference() + ", application=hygieia, service=api, uri=" + httpServletRequest.getRequestURI() +
+                        ", requester=" + String.valueOf(requester) + ", response_status=" + response_status + ", response_code=" + httpStatus.value() +
                         ", response_status_message=" + response + ", test_type=" + request.getTestType() +
                         ", test_source_format="+request.getSourceFormat() + ", test_source=" + request.getSource() +
                         ", target_app_name=" + request.getTargetAppName() + ", target_service_name=" + request.getTargetServiceName() +

src/main/java/com/capitalone/dashboard/rest/PingController.java

@@ -1,6 +1,7 @@
 package com.capitalone.dashboard.rest;
 
-import org.apache.log4j.Logger;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.PropertySource;
 import org.springframework.http.HttpStatus;
@@ -15,7 +16,7 @@
 
 @RestController
 public class PingController {
-	private static final Logger LOGGER = Logger.getLogger(PingController.class);
+	private static final Logger LOGGER = LoggerFactory.getLogger(PingController.class);
 
     @Value("${version.number}")
     private String versionNumber;

src/main/java/com/capitalone/dashboard/service/AutoDiscoveryServiceImpl.java

@@ -52,9 +52,9 @@ public AutoDiscovery save(AutoDiscoveryRemoteRequest request) throws HygieiaExce
         AutoDiscovery autoDiscovery;
         FeatureFlag featureFlag = featureFlagRepository.findByName(FeatureFlagsEnum.auto_discover.toString());
 
-        if (autoDiscoveryRepository.exists(id)) {
+        if (autoDiscoveryRepository.existsById(id)) {
             // update existing AutoDiscovery record with the status from request
-            autoDiscovery = autoDiscoveryRepository.findOne(id);
+            autoDiscovery = autoDiscoveryRepository.findById(id).get();
             updateAutoDiscovery(autoDiscovery, request, featureFlag);
             autoDiscovery.setModifiedTimestamp(System.currentTimeMillis());
         } else {