authordavid.mcweeney <david.mcweeney@est.tech>2022-03-10 11:39:53 +0000
committerdavid.mcweeney <david.mcweeney@est.tech>2022-03-10 11:42:07 +0000
commit116700ba242cc0b67c2b0f23bd412340ba60d952 (patch)
tree3055b4af6a67dc1fcfe098d5bd1a9fe468fe7071
parentd1741d61283e8dfc54339c543abeea2e5ad4fed8 (diff)
DMAAP-1624 Cross Scripting sonar check
Change-Id: Id5a10c3a9dd037d28caaee5e7a1831477cca3dad Signed-off-by: david.mcweeney <david.mcweeney@est.tech> Issue-ID: DMAAP-1624
-rw-r--r--datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java13
1 files changed, 12 insertions, 1 deletions
diff --git a/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java b/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java
index aa827de1..139c7492 100644
--- a/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java
+++ b/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java
@@ -253,7 +253,7 @@ public class NodeServlet extends HttpServlet {
return;
}
fileid = fileid.substring(18);
- pubid = req.getHeader("X-DMAAP-DR-PUBLISH-ID");
+ pubid = generateAndValidatePublishId(req);
user = "datartr"; // SP6 : Added usr as datartr to avoid null entries for internal routing
targets = config.parseRouting(req.getHeader("X-DMAAP-DR-ROUTING"));
@@ -466,6 +466,17 @@ public class NodeServlet extends HttpServlet {
}
}
+ private String generateAndValidatePublishId(HttpServletRequest req) throws IOException {
+ String newPubId = req.getHeader("X-DMAAP-DR-PUBLISH-ID");
+
+ String regex = ".*";
+
+ if(newPubId.matches(regex)){
+ return newPubId;
+ }
+ throw new IOException("Invalid Header X-DMAAP-DR-PUBLISH-ID");
+ }
+
private String writeInputStreamToFile(HttpServletRequest req, File data) {
byte[] buf = new byte[1024 * 1024];
int bytesRead;
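Review bot: The pattern `".*"` in generateAndValidatePublishId accepts any header value without a line terminator, so the check rejects nothing and the X-DMAAP-DR-PUBLISH-ID value still reaches `pubid` exactly as the client sent it. A request that omits the header now fails with a NullPointerException at `newPubId.matches(regex)` instead of the intended IOException, because `getHeader` returns null for an absent header. I would add a null guard and match against a precompiled allow-list of the characters a publish id actually uses, e.g. `if (newPubId == null || !PUBLISH_ID_PATTERN.matcher(newPubId).matches()) throw new IOException("Invalid Header X-DMAAP-DR-PUBLISH-ID");`, where `PUBLISH_ID_PATTERN` is a placeholder for a constant derived from the real id format. How the call site in the first hunk turns that IOException into a client response is not visible here, so it is worth confirming the request is rejected cleanly and logged. The method generates nothing, so `validatePublishId` would describe it better.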