authorGuangrongFu <fu.guangrong@zte.com.cn>2021-06-29 16:00:54 +0800
committerGuangrongFu <fu.guangrong@zte.com.cn>2021-06-29 16:00:54 +0800
commit732234a32c7413ccf4f49b592ff6ed3e17c7059b (patch)
treee564a455fe0ed6d3bfa1efcd716107373a8a23c7
parent6f99775bd30cea7a2471ba37b875067a40bd5aeb (diff)
Trying to fix XSS issues
Change-Id: I84d8cfccabf18aa84bb2e8d1428cea0b27e8f254 Issue-ID: HOLMES-453 Signed-off-by: GuangrongFu <fu.guangrong@zte.com.cn>
-rw-r--r--holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdFilter.java5
-rw-r--r--holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtils.java13
-rw-r--r--holmes-actions/src/test/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtilsTest.java23
3 files changed, 26 insertions, 15 deletions
diff --git a/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdFilter.java b/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdFilter.java
index f72466d..9d42b91 100644
--- a/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdFilter.java
+++ b/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdFilter.java
@@ -59,8 +59,9 @@ public class TransactionIdFilter implements Filter {
String requestID = ensureTransactionIdIsPresent(requestWithTransactionId);
HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
- if (TransactionIdUtils.validate(requestID)) {
- httpServletResponse.setHeader(TransactionIdUtils.REQUEST_ID_HEADER, requestID);
+ String validatedRequestID = TransactionIdUtils.validate(requestID);
+ if (validatedRequestID != null) {
+ httpServletResponse.setHeader(TransactionIdUtils.REQUEST_ID_HEADER, validatedRequestID);
} else {
log.warn("A mal-formatted request ID has been detected: {}. It will be replaced by the default ID: {}",
requestID, DEFAULT_REQUEST_ID);
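Review bot: The `else` branch still writes the rejected `requestID` verbatim into the warning on the last two lines of the hunk, so a value that just failed the UUID check (presumably taken from the X-TransactionID request header, given `ensureTransactionIdIsPresent`) reaches the log unfiltered, including any CR/LF it carries. Since the whole point of this change is to stop untrusted IDs from being echoed, the rejected value should be neutralised before logging, e.g. `requestID.replaceAll("[\\r\\n]", "_")`, or only its length logged. The enclosing `doFilter` method starts before and ends after this hunk; if `ensureTransactionIdIsPresent` can return null, the new `validate(requestID)` call will throw NullPointerException, as `Pattern.matcher(null)` does.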
diff --git a/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtils.java b/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtils.java
index 7d04257..9d301ec 100644
--- a/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtils.java
+++ b/holmes-actions/src/main/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtils.java
@@ -15,23 +15,24 @@
*/
package org.onap.holmes.common.utils.transactionid;
-import lombok.extern.slf4j.Slf4j;
-
import java.util.regex.Matcher;
import java.util.regex.Pattern;
-@Slf4j
public class TransactionIdUtils {
public static final String REQUEST_ID_HEADER = "X-TransactionID";
public static final String INVOCATIONIDID_HEADER = "X-InvocationID";
- private static final Pattern UUID_PATTERN = Pattern.compile("[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}");
+ private static final Pattern UUID_PATTERN = Pattern.compile("^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$");
public static String getUUID() {
return java.util.UUID.randomUUID().toString();
}
- public static boolean validate(String uuid) {
+ public static String validate(String uuid) {
Matcher matcher = UUID_PATTERN.matcher(uuid);
- return matcher.matches();
+ if (matcher.matches()) {
+ return uuid;
+ }
+
+ return null;
}
}
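Review bot: `validate` now dereferences its argument unconditionally — `UUID_PATTERN.matcher(uuid)` throws NullPointerException for a null `uuid`, and the new null-returning contract makes a null-tolerant input the natural choice; add `if (uuid == null) { return null; }` before the matcher. The method also carries no Javadoc for its changed contract; a two-line comment stating that it returns the argument unchanged when it is a canonical lowercase-hex UUID and null otherwise would help callers that previously received a boolean. The `^`/`$` anchors added to `UUID_PATTERN` are redundant with `matches()`, which already requires the whole input to match; they are harmless but suggest `find()` semantics that are not in use.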
diff --git a/holmes-actions/src/test/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtilsTest.java b/holmes-actions/src/test/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtilsTest.java
index a9684af..4b1a58d 100644
--- a/holmes-actions/src/test/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtilsTest.java
+++ b/holmes-actions/src/test/java/org/onap/holmes/common/utils/transactionid/TransactionIdUtilsTest.java
@@ -1,12 +1,12 @@
/**
* Copyright 2021 ZTE Corporation.
- *
+ * <p>
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -19,17 +19,26 @@ package org.onap.holmes.common.utils.transactionid;
import org.junit.Test;
import static org.hamcrest.core.Is.is;
+import static org.hamcrest.core.IsEqual.equalTo;
+import static org.hamcrest.core.IsNull.nullValue;
import static org.junit.Assert.assertThat;
public class TransactionIdUtilsTest {
@Test
public void validate_is_uuid() {
- assertThat(TransactionIdUtils.validate(TransactionIdUtils.getUUID()), is(true));
+ final String uuid = TransactionIdUtils.getUUID();
+ assertThat(TransactionIdUtils.validate(uuid), equalTo(uuid));
}
@Test
- public void validate_not_uuid() {
- assertThat(TransactionIdUtils.validate("a-random-string"), is(false));
+ public void validate_is_not_uuid() {
+ assertThat(TransactionIdUtils.validate("a-random-string"), is(nullValue()));
+ }
+
+ @Test
+ public void validate_contains_uuid() {
+ final String uuid = "test" + TransactionIdUtils.getUUID();
+ assertThat(TransactionIdUtils.validate(uuid), is(nullValue()));
}
}
\ No newline at end of file
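Review bot: The new tests pin acceptance of a generated UUID and rejection of a prefixed one, but none covers the case-sensitivity that `UUID_PATTERN` (`[0-9a-f]` with no CASE_INSENSITIVE flag) now enforces, so an inbound uppercase-hex ID being replaced by the default is undocumented behaviour. Add `assertThat(TransactionIdUtils.validate(TransactionIdUtils.getUUID().toUpperCase()), is(nullValue()));` to make that decision explicit, and a null-argument test once `validate` defines its null behaviour.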