diff options
author | GuangrongFu <fu.guangrong@zte.com.cn> | 2021-06-29 16:00:54 +0800 |
---|---|---|
committer | GuangrongFu <fu.guangrong@zte.com.cn> | 2021-06-29 16:00:54 +0800 |
commit | 732234a32c7413ccf4f49b592ff6ed3e17c7059b (patch) | |
tree | e564a455fe0ed6d3bfa1efcd716107373a8a23c7 | |
parent | 6f99775bd30cea7a2471ba37b875067a40bd5aeb (diff) |
Trying to fix XSS issues
Change-Id: I84d8cfccabf18aa84bb2e8d1428cea0b27e8f254
Issue-ID: HOLMES-453
Signed-off-by: GuangrongFu <fu.guangrong@zte.com.cn>
3 files changed, 26 insertions, 15 deletions
diff --git a/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdFilter.java b/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdFilter.java index f72466d..9d42b91 100644 --- a/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdFilter.java +++ b/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdFilter.java @@ -59,8 +59,9 @@ public class TransactionIdFilter implements Filter { String requestID = ensureTransactionIdIsPresent(requestWithTransactionId); HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse; - if (TransactionIdUtils.validate(requestID)) { - httpServletResponse.setHeader(TransactionIdUtils.REQUEST_ID_HEADER, requestID); + String validatedRequestID = TransactionIdUtils.validate(requestID); + if (validatedRequestID != null) { + httpServletResponse.setHeader(TransactionIdUtils.REQUEST_ID_HEADER, validatedRequestID); } else { log.warn("A mal-formatted request ID has been detected: {}. It will be replaced by the default ID: {}", requestID, DEFAULT_REQUEST_ID); diff --git a/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtils.java b/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtils.java index 7d04257..9d301ec 100644 --- a/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtils.java +++ b/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtils.java @@ -15,23 +15,24 @@ */ package org.onap.holmes.common.utils.transactionid; -import lombok.extern.slf4j.Slf4j; - import java.util.regex.Matcher; import java.util.regex.Pattern; -@Slf4j public class TransactionIdUtils { public static final String REQUEST_ID_HEADER = "X-TransactionID"; public static final String INVOCATIONIDID_HEADER = "X-InvocationID"; - private static final Pattern UUID_PATTERN = Pattern.compile("[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}"); + private static final Pattern UUID_PATTERN = Pattern.compile("^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$"); public static String getUUID() { return java.util.UUID.randomUUID().toString(); } - public static boolean validate(String uuid) { + public static String validate(String uuid) { Matcher matcher = UUID_PATTERN.matcher(uuid); - return matcher.matches(); + if (matcher.matches()) { + return uuid; + } + + return null; } } diff --git a/holmes-actions/src/test/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtilsTest.java b/holmes-actions/src/test/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtilsTest.java index a9684af..4b1a58d 100644 --- a/holmes-actions/src/test/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtilsTest.java +++ b/holmes-actions/src/test/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtilsTest.java @@ -1,12 +1,12 @@ /** * Copyright 2021 ZTE Corporation. - * + * <p> * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * + * <p> + * http://www.apache.org/licenses/LICENSE-2.0 + * <p> * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -19,17 +19,26 @@ package org.onap.holmes.common.utils.transactionid; import org.junit.Test; import static org.hamcrest.core.Is.is; +import static org.hamcrest.core.IsEqual.equalTo; +import static org.hamcrest.core.IsNull.nullValue; import static org.junit.Assert.assertThat; public class TransactionIdUtilsTest { @Test public void validate_is_uuid() { - assertThat(TransactionIdUtils.validate(TransactionIdUtils.getUUID()), is(true)); + final String uuid = TransactionIdUtils.getUUID(); + assertThat(TransactionIdUtils.validate(uuid), equalTo(uuid)); } @Test - public void validate_not_uuid() { - assertThat(TransactionIdUtils.validate("a-random-string"), is(false)); + public void validate_is_not_uuid() { + assertThat(TransactionIdUtils.validate("a-random-string"), is(nullValue())); + } + + @Test + public void validate_contains_uuid() { + final String uuid = "test" + TransactionIdUtils.getUUID(); + assertThat(TransactionIdUtils.validate(uuid), is(nullValue())); } }
\ No newline at end of file |