From 6e4ce6970552917c0f35617164017d93bd6b2f1b Mon Sep 17 00:00:00 2001 From: ToineSiebelink Date: Tue, 6 Apr 2021 16:44:14 +0100 Subject: Fix security hotspots n Regex Attemting to fix security risks indentified by SQ by reducing unlimited spaces to 0-9 spaces See https://sonarcloud.io/project/security_hotspots?id=onap_cps# I think the proposed regex changes are acceptable and better then adding @SupressWarning annotation (have to test by merging this commit as issues are not spotted when using SonarLinit locally?!) Issue-ID: CPS-89 Change-Id: I00bbacb3145650ab7d21d13152c08d5ccf0c04fa Signed-off-by: ToineSiebelink --- .../src/main/java/org/onap/cps/config/WebSecurityConfig.java | 2 +- cps-ri/src/main/java/org/onap/cps/spi/query/CpsPathQuery.java | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java b/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java index fbf1be9a18..93a3a6ed2b 100644 --- a/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java +++ b/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java @@ -55,7 +55,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired @Value("${security.auth.password}") final String password ) { super(); - this.permitUris = permitUris.isEmpty() ? new String[] {"/v3/api-docs"} : permitUris.split("\\s*,\\s*"); + this.permitUris = permitUris.isEmpty() ? new String[] {"/v3/api-docs"} : permitUris.split("\\s{0,9},\\s{0,9}"); this.username = username; this.password = password; } diff --git a/cps-ri/src/main/java/org/onap/cps/spi/query/CpsPathQuery.java b/cps-ri/src/main/java/org/onap/cps/spi/query/CpsPathQuery.java index 7b9bfba174..97a304d763 100644 --- a/cps-ri/src/main/java/org/onap/cps/spi/query/CpsPathQuery.java +++ b/cps-ri/src/main/java/org/onap/cps/spi/query/CpsPathQuery.java @@ -39,7 +39,8 @@ public class CpsPathQuery { private static final String NON_CAPTURING_GROUP_1_TO_99_YANG_CONTAINERS = "((?:\\/[^\\/]+){1,99})"; - private static final String YANG_LEAF_VALUE_EQUALS_CONDITION = "\\[\\s*@(\\S+?)\\s*=\\s*(.*?)\\s*\\]"; + private static final String YANG_LEAF_VALUE_EQUALS_CONDITION = + "\\[\\s{0,9}@(\\S+?)\\s{0,9}=\\s{0,9}(.*?)\\s{0,9}\\]"; private static final Pattern QUERY_CPS_PATH_WITH_SINGLE_LEAF_PATTERN = Pattern.compile(NON_CAPTURING_GROUP_1_TO_99_YANG_CONTAINERS + YANG_LEAF_VALUE_EQUALS_CONDITION); -- cgit 1.2.3-korg