/** * Creates a Discussion Post * * <p>- Requires a cookie for the session user - Requires a comment and threadId request parameter * for the POST * * @param req The HTTP Request * @param res The HTTP Response */ public void createPostAction(HttpServletRequest req, HttpServletResponse res) { // Ensure there is a cookie for the session user if (AccountController.redirectIfNoCookie(req, res)) return; Map<String, Object> viewData = new HashMap<>(); if (req.getMethod() == HttpMethod.Post) { DiscussionManager dm = new DiscussionManager(); HttpSession session = req.getSession(); Session userSession = (Session) session.getAttribute("userSession"); // Create the discussion post DiscussionPost post = new DiscussionPost(); post.setUserId(userSession.getUserId()); post.setMessage(req.getParameter("comment")); post.setThreadId(Integer.parseInt(req.getParameter("threadId"))); dm.createPost(post); redirectToLocal(req, res, "/group/discussion/?threadId=" + req.getParameter("threadId")); } else { httpNotFound(req, res); } }
/** * Deletes a meeting from the database * * <p>- Requires a cookie for the session user - Requires a meetingId request parameter for the * HTTP GET * * @param req The HTTP Request * @param res The HTTP Response */ public void deletemeetingAction(HttpServletRequest req, HttpServletResponse res) { // Ensure there is a cookie for the session user if (AccountController.redirectIfNoCookie(req, res)) return; if (req.getMethod() == HttpMethod.Get) { // Get the meeting int meetingId = Integer.parseInt(req.getParameter("meetingId")); MeetingManager meetingMan = new MeetingManager(); Meeting meeting = meetingMan.get(meetingId); meetingMan.deleteMeeting(meetingId); // Update the User Session to remove meeting HttpSession session = req.getSession(); Session userSession = (Session) session.getAttribute("userSession"); List<Meeting> adminMeetings = userSession.getUser().getMeetings(); for (int i = 0; i < adminMeetings.size(); i++) { Meeting m = adminMeetings.get(i); if (m.getId() == meeting.getId()) { adminMeetings.remove(i); break; } } redirectToLocal(req, res, "/home/dashboard"); return; } else if (req.getMethod() == HttpMethod.Post) { httpNotFound(req, res); } }
/* good2() reverses the bodies in the if statement */ private void good2(HttpServletRequest request, HttpServletResponse response) throws Throwable { if (IO.static_returns_t()) { Logger tcLog = Logger.getLogger("cwe_testcases_logger"); if (request.getParameter("username") == null) { return; } String username = request.getParameter("username"); if (username.matches("[a-zA-Z0-9]*")) { HttpSession session = request.getSession(true); /* FIX: logged message does not contain session id */ tcLog.log(Level.FINEST, "Username: "******" Session ID:" + session.getId()); } else { response.getWriter().println("Invalid characters"); } } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ Logger tcLog = Logger.getLogger("cwe_testcases_logger"); if (request.getParameter("username") == null) { return; } String username = request.getParameter("username"); if (username.matches("[a-zA-Z0-9]*")) { HttpSession session = request.getSession(true); /* FLAW: leak session ID to debug log */ tcLog.log(Level.FINEST, "Username: "******" Session ID:" + session.getId()); } else { response.getWriter().println("Invalid characters"); } } }
/** * Removes User from the Group * * <p>- Requires a cookie for the session user - Requires a groupId request parameter for the HTTP * GET * * @param req The HTTP Request * @param res The HTTP Response */ public void leaveAction(HttpServletRequest req, HttpServletResponse res) { if (AccountController.redirectIfNoCookie(req, res)) return; if (req.getMethod() == HttpMethod.Get) { int groupId = Integer.parseInt(req.getParameter("groupId")); HttpSession session = req.getSession(); Session userSession = (Session) session.getAttribute("userSession"); int userId = userSession.getUser().getId(); GroupManager groupMan = new GroupManager(); groupMan.removeMapping(groupId, userId); // reload groups into the user userSession.getUser().setGroups(groupMan.getAllGroups(userId)); redirectToLocal(req, res, "/home/dashboard"); return; } else { httpNotFound(req, res); } }
/** * Creates a notification to a Group coordinator signaling that a user wants to join their group * * <p>- Requires a groupId request parameter for the GET * * @param req The HTTP Request * @param res The HTTP Response */ public void inviteAction(HttpServletRequest req, HttpServletResponse res) { // Ensure there is a cookie for the session user if (AccountController.redirectIfNoCookie(req, res)) return; Map<String, Object> viewData = new HashMap<String, Object>(); int groupId = Integer.parseInt(req.getParameter("groupId")); try { // Get the session user HttpSession session = req.getSession(); Session userSession = (Session) session.getAttribute("userSession"); User user = userSession.getUser(); // Get the coordinator for the group GroupManager groupMan = new GroupManager(); Group group = groupMan.get(groupId); User coordinator = groupMan.getCoordinator(groupId); // Send a notification to the coordinator for them to permit access to the group NotificationManager notificationMan = new NotificationManager(); Notification notification = new Notification( coordinator.getId(), coordinator, groupId, group, user.getFullName() + " wants to join your group " + group.getGroupName(), "/home/notifications?addUserId=" + user.getId() + "&groupId=" + group.getId()); notificationMan.createNotification(notification); redirectToLocal(req, res, "/home/dashboard"); return; } catch (Exception e) { redirectToLocal(req, res, "/home/dashboard"); } }
public void doProcess(HttpServletRequest req, HttpServletResponse res, boolean isPost) { StringBuffer bodyContent = null; OutputStream out = null; PrintWriter writer = null; String serviceKey = null; try { BufferedReader in = req.getReader(); String line = null; while ((line = in.readLine()) != null) { if (bodyContent == null) bodyContent = new StringBuffer(); bodyContent.append(line); } } catch (Exception e) { } try { if (requireSession) { // check to see if there was a session created for this request // if not assume it was from another domain and blow up // Wrap this to prevent Portlet exeptions HttpSession session = req.getSession(false); if (session == null) { res.setStatus(HttpServletResponse.SC_FORBIDDEN); return; } } serviceKey = req.getParameter("id"); // only to preven regressions - Remove before 1.0 if (serviceKey == null) serviceKey = req.getParameter("key"); // check if the services have been loaded or if they need to be reloaded if (services == null || configUpdated()) { getServices(res); } String urlString = null; String xslURLString = null; String userName = null; String password = null; String format = "json"; String callback = req.getParameter("callback"); String urlParams = req.getParameter("urlparams"); String countString = req.getParameter("count"); // encode the url to prevent spaces from being passed along if (urlParams != null) { urlParams = urlParams.replace(' ', '+'); } try { if (services.has(serviceKey)) { JSONObject service = services.getJSONObject(serviceKey); // default to the service default if no url parameters are specified if (urlParams == null && service.has("defaultURLParams")) { urlParams = service.getString("defaultURLParams"); } String serviceURL = service.getString("url"); // build the URL if (urlParams != null && serviceURL.indexOf("?") == -1) { serviceURL += "?"; } else if (urlParams != null) { serviceURL += "&"; } String apikey = ""; if (service.has("username")) userName = service.getString("username"); if (service.has("password")) password = service.getString("password"); if (service.has("apikey")) apikey = service.getString("apikey"); urlString = serviceURL + apikey; if (urlParams != null) urlString += "&" + urlParams; if (service.has("xslStyleSheet")) { xslURLString = service.getString("xslStyleSheet"); } } // code for passing the url directly through instead of using configuration file else if (req.getParameter("url") != null) { String serviceURL = req.getParameter("url"); // build the URL if (urlParams != null && serviceURL.indexOf("?") == -1) { serviceURL += "?"; } else if (urlParams != null) { serviceURL += "&"; } urlString = serviceURL; if (urlParams != null) urlString += urlParams; } else { writer = res.getWriter(); if (serviceKey == null) writer.write("XmlHttpProxyServlet Error: id parameter specifying serivce required."); else writer.write( "XmlHttpProxyServlet Error : service for id '" + serviceKey + "' not found."); writer.flush(); return; } } catch (Exception ex) { getLogger().severe("XmlHttpProxyServlet Error loading service: " + ex); } Map paramsMap = new HashMap(); paramsMap.put("format", format); // do not allow for xdomain unless the context level setting is enabled. if (callback != null && allowXDomain) { paramsMap.put("callback", callback); } if (countString != null) { paramsMap.put("count", countString); } InputStream xslInputStream = null; if (urlString == null) { writer = res.getWriter(); writer.write( "XmlHttpProxyServlet parameters: id[Required] urlparams[Optional] format[Optional] callback[Optional]"); writer.flush(); return; } // default to JSON res.setContentType(responseContentType); out = res.getOutputStream(); // get the stream for the xsl stylesheet if (xslURLString != null) { // check the web root for the resource URL xslURL = null; xslURL = ctx.getResource(resourcesDir + "xsl/" + xslURLString); // if not in the web root check the classpath if (xslURL == null) { xslURL = XmlHttpProxyServlet.class.getResource(classpathResourcesDir + "xsl/" + xslURLString); } if (xslURL != null) { xslInputStream = xslURL.openStream(); } else { String message = "Could not locate the XSL stylesheet provided for service id " + serviceKey + ". Please check the XMLHttpProxy configuration."; getLogger().severe(message); try { out.write(message.getBytes()); out.flush(); return; } catch (java.io.IOException iox) { } } } if (!isPost) { xhp.doGet(urlString, out, xslInputStream, paramsMap, userName, password); } else { if (bodyContent == null) getLogger() .info( "XmlHttpProxyServlet attempting to post to url " + urlString + " with no body content"); xhp.doPost( urlString, out, xslInputStream, paramsMap, bodyContent.toString(), req.getContentType(), userName, password); } } catch (Exception iox) { iox.printStackTrace(); getLogger().severe("XmlHttpProxyServlet: caught " + iox); try { writer = res.getWriter(); writer.write(iox.toString()); writer.flush(); } catch (java.io.IOException ix) { ix.printStackTrace(); } return; } finally { try { if (out != null) out.close(); if (writer != null) writer.close(); } catch (java.io.IOException iox) { } } }
/** * Displays a given Research Group page for a HTTP Get, or creates a new Group for a HTTP Post * * <p>- Requires a cookie for the session user - Requires a groupId request parameter for a GET - * Requires a groupName, description, createdByUserId request parameters for a POST * * @param req The HTTP Request * @param res The HTTP Response */ public void researchgroupAction(HttpServletRequest req, HttpServletResponse res) { // Ensure there is a cookie for the session user if (AccountController.redirectIfNoCookie(req, res)) return; Map<String, Object> viewData = new HashMap<String, Object>(); viewData.put("title", "Research Group"); if (req.getMethod() == HttpMethod.Get) { // Load group data into Map GroupManager gm = new GroupManager(); int groupId = Integer.parseInt(req.getParameter("groupId")); Group group = gm.get(groupId); if (group != null) { // Load Group into map viewData.put("group", group); // Load group members into Map List<String> groupMembers = gm.getGroupMembers(groupId); viewData.put("groupMembers", groupMembers); // Load meetings into map MeetingManager meetMan = new MeetingManager(); List<Meeting> groupMeetings = meetMan.getGroupMeetings(groupId); viewData.put("groupMeetings", groupMeetings); // Load Document Data into Map DocumentManager docMan = new DocumentManager(); List<Document> groupDocuments = docMan.getGroupDocuments(groupId); viewData.put("groupDocuments", groupDocuments); // Load discussion threads DiscussionManager dm = new DiscussionManager(); viewData.put("groupDiscussions", dm.getThreads(groupId)); // Check if the user is a member boolean isMember = false; HttpSession session = req.getSession(); Session userSession = (Session) session.getAttribute("userSession"); User user = userSession.getUser(); for (Group g : gm.getAllGroups(user.getId())) { if (g.getId() == group.getId()) { isMember = true; break; } } viewData.put("notMember", !isMember); // View group page. view(req, res, "/views/group/ResearchGroup.jsp", viewData); } else { httpNotFound(req, res); } } else if (req.getMethod() == HttpMethod.Post) { // Create Group // Get data from parameters String groupName = req.getParameter("groupName"); String description = req.getParameter("description"); int adminId = Integer.parseInt(req.getParameter("createdByUserId")); // Create the Group GroupManager groupMan = new GroupManager(); Group group = new Group(); group.setGroupName(groupName); group.setDescription(description); group.setCoordinatorId(adminId); // Create the mapping groupMan.createGroup(group); int groupId = groupMan.getIdFor(group); groupMan.createMapping(groupId, adminId); group.setId(groupId); // Update the User Session to show new group HttpSession session = req.getSession(); Session userSession = (Session) session.getAttribute("userSession"); User admin = userSession.getUser(); admin.getGroups().add(group); // Show the Group Page viewData.put("groupName", group.getGroupName()); List<String> groupMembers = groupMan.getGroupMembers(groupId); viewData.put("groupMembers", groupMembers); view(req, res, "/views/group/ResearchGroup.jsp", viewData); } }
/** * Displays the Create Discussion page for a HTTP Get, or creates a Discussion Thread for a HTTP * Post * * <p>- Requires a cookie for the session user - Requires a groupId request parameter for a GET - * Requires a groupId and threadName request parameter for a POST - Requires a document request * part for a POST * * @param req The HTTP Request * @param res The HTTP Response */ public void createDiscussionAction(HttpServletRequest req, HttpServletResponse res) { // Ensure there is a cookie for the session user if (AccountController.redirectIfNoCookie(req, res)) return; Map<String, Object> viewData = new HashMap<>(); if (req.getMethod() == HttpMethod.Get) { viewData.put("title", "Create Discussion"); viewData.put("groupId", req.getParameter("groupId")); view(req, res, "/views/group/CreateDiscussion.jsp", viewData); return; } else if (req.getMethod() == HttpMethod.Post) { // save discussion GroupManager groupMan = new GroupManager(); DiscussionThread thread = new DiscussionThread(); int groupId = Integer.parseInt(req.getParameter("groupId")); thread.setGroupId(groupId); thread.setGroup(groupMan.get(groupId)); thread.setThreadName(req.getParameter("threadName")); DiscussionManager dm = new DiscussionManager(); dm.createDiscussion(thread); try { Part documentPart = req.getPart("document"); // if we have a document to upload if (documentPart.getSize() > 0) { String uuid = DocumentController.saveDocument(this.getServletContext(), documentPart); Document doc = new Document(); doc.setDocumentName(getFileName(documentPart)); doc.setDocumentPath(uuid); doc.setVersionNumber(1); doc.setThreadId(thread.getId()); doc.setGroupId(thread.getGroupId()); DocumentManager docMan = new DocumentManager(); docMan.createDocument(doc); // Get uploading User HttpSession session = req.getSession(); Session userSession = (Session) session.getAttribute("userSession"); User uploader = userSession.getUser(); // Create a notification to all in the group NotificationManager notificationMan = new NotificationManager(); groupMan = new GroupManager(); List<User> groupUsers = groupMan.getGroupUsers(groupId); for (User u : groupUsers) { Notification notification = new Notification( u.getId(), u, groupId, null, "User " + uploader.getFullName() + " has uploaded a document", "/document/document?documentId=" + doc.getId()); notificationMan.createNotification(notification); } } } catch (Exception e) { logger.log(Level.SEVERE, "Document save error", e); } redirectToLocal(req, res, "/group/discussion/?threadId=" + thread.getId()); return; } httpNotFound(req, res); }
/** * Displays a given Meeting page for a HTTP Get, or creates a new Meeting for a HTTP Post * * <p>- Requires a cookie for the session user - Requires a meetingId request parameter for a GET * - Requires description, createdByUserId, datepicker, meetingTime, groupId request parameters * for a POST * * @param req The HTTP Request * @param res The HTTP Response */ public void meetingAction(HttpServletRequest req, HttpServletResponse res) { // Ensure there is a cookie for the session user if (AccountController.redirectIfNoCookie(req, res)) return; Map<String, Object> viewData = new HashMap<String, Object>(); viewData.put("title", "Meeting"); // Initialise Manager connections MeetingManager meetingMan = new MeetingManager(); GroupManager groupMan = new GroupManager(); if (req.getMethod() == HttpMethod.Get) { // Get request parameter int meetingId = Integer.parseInt(req.getParameter("meetingId")); Meeting meeting = meetingMan.get(meetingId); if (meeting != null) { List<User> meetingUsers = groupMan.getGroupUsers(meeting.getGroupId()); viewData.put("meetingUsers", meetingUsers); viewData.put("meeting", meeting); view(req, res, "/views/group/Meeting.jsp", viewData); } else { httpNotFound(req, res); } } else if (req.getMethod() == HttpMethod.Post) { // Get details from request String description = req.getParameter("description"); int createdByUserId = Integer.parseInt(req.getParameter("createdByUserId")); Date dateCreated = new Date(); String meetingDate = req.getParameter("datepicker"); String meetingTime = req.getParameter("meetingTime"); // Parse meeting date time details DateFormat format = new SimpleDateFormat("MM/dd/yyyy HH:mm"); Date dateDue = new Date(); try { dateDue = format.parse(meetingDate + " " + meetingTime); } catch (ParseException e) { // Unable to parse date. This shouldn't happen since we are // performing javascript validation. } int groupId = Integer.parseInt(req.getParameter("groupId")); // Create a Meeting Meeting meeting = new Meeting(); meeting.setDescription(description); meeting.setCreatedByUserId(createdByUserId); meeting.setDateCreated(dateCreated); meeting.setDateDue(dateDue); meeting.setGroupId(groupId); meetingMan.createMeeting(meeting); int meetingId = meetingMan.getIdFor(meeting); meeting.setId(meetingId); UserManager userMan = new UserManager(); User createdByUser = userMan.get(createdByUserId); // Create a notification for all users in group NotificationManager notificationMan = new NotificationManager(); List<User> users = groupMan.getGroupUsers(groupId); for (User u : users) { Notification notification = new Notification( u.getId(), u, groupId, null, "Meeting " + description + " was created by " + createdByUser.getFullName(), "/group/meeting?meetingId=" + meetingId); notificationMan.createNotification(notification); } // Update the User Session to show new meeting HttpSession session = req.getSession(); Session userSession = (Session) session.getAttribute("userSession"); User admin = userSession.getUser(); admin.getMeetings().add(meeting); // Show meeting page viewData.put("meetingUsers", users); viewData.put("meeting", meeting); view(req, res, "/views/group/Meeting.jsp", viewData); } }