From 116700ba242cc0b67c2b0f23bd412340ba60d952 Mon Sep 17 00:00:00 2001
From: "david.mcweeney"
Date: Thu, 10 Mar 2022 11:39:53 +0000
Subject: DMAAP-1624 Cross Scripting sonar check
Change-Id: Id5a10c3a9dd037d28caaee5e7a1831477cca3dad
Signed-off-by: david.mcweeney
Issue-ID: DMAAP-1624
---
 .../java/org/onap/dmaap/datarouter/node/NodeServlet.java | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java b/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java
index aa827de1..139c7492 100644
--- a/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java
+++ b/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java
@@ -253,7 +253,7 @@ public class NodeServlet extends HttpServlet {
 return;
 }
 fileid = fileid.substring(18);
- pubid = req.getHeader("X-DMAAP-DR-PUBLISH-ID");
+ pubid = generateAndValidatePublishId(req);
 user = "datartr"; // SP6 : Added usr as datartr to avoid null entries for internal routing
 targets = config.parseRouting(req.getHeader("X-DMAAP-DR-ROUTING"));
@@ -466,6 +466,17 @@ public class NodeServlet extends HttpServlet {
 }
 }
+ private String generateAndValidatePublishId(HttpServletRequest req) throws IOException {
+ String newPubId = req.getHeader("X-DMAAP-DR-PUBLISH-ID");
+
+ String regex = ".*";
+
+ if(newPubId.matches(regex)){
+ return newPubId;
+ }
+ throw new IOException("Invalid Header X-DMAAP-DR-PUBLISH-ID");
+ }
+
 private String writeInputStreamToFile(HttpServletRequest req, File data) {
 byte[] buf = new byte[1024 * 1024];
 int bytesRead;
-- cgit 1.2.3-korg
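Review bot: In the second hunk, `String regex = ".*";` makes `generateAndValidatePublishId` accept essentially every header value, so `X-DMAAP-DR-PUBLISH-ID` is still unconstrained when it is assigned to `pubid` in the first hunk; the check may quiet the Sonar cross-site-scripting finding without restricting the data that flows on. `req.getHeader(...)` also returns null when the header is absent, so `newPubId.matches(regex)` now throws a NullPointerException where the old code simply stored null. I would replace the pattern with an allow-list for the real publish-id format (for instance a bounded class such as `[A-Za-z0-9._-]{1,128}`, to be confirmed against the ids publishers actually send) and guard the call with `if (newPubId != null && newPubId.matches(regex))`. The method containing the call site starts and ends outside the first hunk, so whether the new IOException is turned into a 4xx response there cannot be confirmed from this patch.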