From 8df9c4d2a1ac8fcbf76a38a4bb8a2e42b590ae18 Mon Sep 17 00:00:00 2001
From: "david.mcweeney"
Date: Tue, 27 Jul 2021 15:53:14 +0100
Subject: DMAAP-DR Header Injection fix

Signed-off-by: david.mcweeney
Change-Id: I5eb00945762064a5beeb5ce9c57e24243364c238
Issue-ID: DMAAP-1624
---
 .../main/java/org/onap/dmaap/datarouter/node/NodeServlet.java | 7 +++++++
 .../java/org/onap/dmaap/datarouter/node/NodeServletTest.java | 11 +++++++++++
 2 files changed, 18 insertions(+)

diff --git a/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java b/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java
index 0d030683..27fa5f3e 100644
--- a/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java
+++ b/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java
@@ -253,6 +253,13 @@ public class NodeServlet extends HttpServlet {
 return;
 }
 fileid = fileid.substring(18);
+ if (req.getHeader("X-DMAAP-DR-PUBLISH-ID") != null && !req.getHeader("X-DMAAP-DR-PUBLISH-ID").matches("^[a-zA-Z0-9_]+$")) {
+ String reason = "Error validating header";
+ eelfLogger.error(reason);
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, reason);
+ eelfLogger.info(EelfMsgs.EXIT);
+ return;
+ }
 pubid = req.getHeader("X-DMAAP-DR-PUBLISH-ID");
 user = "datartr"; // SP6 : Added usr as datartr to avoid null entries for internal routing
 targets = config.parseRouting(req.getHeader("X-DMAAP-DR-ROUTING"));
diff --git a/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java b/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java
index 4340b018..ad2fcf5d 100644
--- a/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java
+++ b/datarouter-node/src/test/java/org/onap/dmaap/datarouter/node/NodeServletTest.java
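Review bot: The added guard reads `req.getHeader("X-DMAAP-DR-PUBLISH-ID")` twice and the unchanged `pubid = ...` line reads it a third time; reading it once — `String publishId = req.getHeader("X-DMAAP-DR-PUBLISH-ID");`, `if (publishId != null && !publishId.matches("^[a-zA-Z0-9_]+$")) {`, `pubid = publishId;` — makes the value that was validated and the value that is stored the same expression, which is the property a header-injection fix depends on. The character class admits only letters, digits and underscore; if publish ids generated elsewhere in the node can carry other characters (a dot or hyphen, for instance), legitimate internal forwards would now be answered with 400, so the accepted format is worth confirming against the id generator and recording in a comment above the check, e.g. `// pubid is stored and reused downstream; restrict it to a safe character set`. The generic "Error validating header" message, rather than echoing the rejected value into the log, is the right choice for the same reason. In the same hunk `X-DMAAP-DR-ROUTING` still reaches `config.parseRouting` unvalidated; whether that parser rejects control characters is not visible here. The enclosing method starts and ends outside this hunk.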
@@ -204,6 +204,17 @@ public class NodeServletTest {
 verifyEnteringExitCalled(listAppender);
 }
 
+ @Test
+ public void Given_Request_Is_HTTP_PUT_And_Internal_Publish_But_Invalid_Header_Then_Bad_Request_Response_Is_Generated() throws Exception {
+ when(request.getPathInfo()).thenReturn("/internal/publish/1/blah");
+ when(request.getRemoteAddr()).thenReturn("1.2.3.4");
+ when(config.isAnotherNode(anyString(), anyString())).thenReturn(true);
+ when(request.getHeader("X-DMAAP-DR-PUBLISH-ID")).thenReturn("User1+");
+ nodeServlet.doPut(request, response);
+ verify(response).sendError(eq(HttpServletResponse.SC_BAD_REQUEST), anyString());
+ verifyEnteringExitCalled(listAppender);
+ }
+
 @Test
 public void Given_Request_Is_HTTP_PUT_On_Publish_And_Ingress_Node_Is_Provided_Then_Request_Is_Redirected() throws Exception {
 setNodeConfigManagerToAllowRedirectOnIngressNode();
-- 
cgit 1.2.3-korg
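Review bot: The new test pins only the rejection path for `"User1+"`; a companion case that stubs a value inside the accepted class, e.g. `"User1_"`, and checks `verify(response, never()).sendError(eq(HttpServletResponse.SC_BAD_REQUEST), anyString());` would guard the regex against a later tightening that breaks valid internal publishes. Because the mock returns null for every other header name, the servlet returns before `X-DMAAP-DR-ROUTING` is consulted, which is fine for this case but leaves the valid-id path unexercised. The `anyString()` matcher on the reason accepts any message; `eq("Error validating header")` would also tie the test to the response text the fix chose. The test class continues outside this hunk.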