aboutsummaryrefslogtreecommitdiffstats
path: root/ONAP-PAP-REST
diff options
context:
space:
mode:
authorWang,Frank(gw1218) <gw1218@att.com>2018-04-05 09:22:50 -0500
committerWang,Frank(gw1218) <gw1218@att.com>2018-04-11 13:01:09 -0500
commit89e06a653ef40d5fc91ad89be4722e02d67d8ebd (patch)
tree58e51a38d7dc28018f2155c2a1f394a351ed9964 /ONAP-PAP-REST
parentaff7dbd3713e42412bcc7b5f6416896e16e82898 (diff)
Fix Fortify Header Manipulation Issue
Fix Forfity issue on group Id by adding a validation on this input value. Issue-ID: POLICY-734 Change-Id: I83321a5ffd1ddca84f985b5fd8659e502ca967d7 Signed-off-by: Wang,Frank(gw1218) <gw1218@att.com>
Diffstat (limited to 'ONAP-PAP-REST')
-rw-r--r--ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/handler/DeleteHandler.java9
1 files changed, 8 insertions, 1 deletions
diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/handler/DeleteHandler.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/handler/DeleteHandler.java
index 85b6e24a1..f3dda33fc 100644
--- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/handler/DeleteHandler.java
+++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/handler/DeleteHandler.java
@@ -64,7 +64,7 @@ public class DeleteHandler {
public static final String POLICY_IN_PDP = "PolicyInPDP";
public static final String ERROR = "error";
public static final String UNKNOWN = "unknown";
-
+ private static final String REGEX = "[0-9a-zA-Z._]*";
public void doAPIDeleteFromPAP(HttpServletRequest request, HttpServletResponse response) throws IOException, SQLException {
// get the request content into a String
@@ -320,6 +320,13 @@ public class DeleteHandler {
String groupId = request.getParameter("groupId");
String responseString = null;
+ if(groupId != null && !groupId.matches(REGEX) ){
+ response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+ response.addHeader("error",ERROR);
+ response.addHeader("message", "Group Id is not valid");
+ return;
+ }
+
PolicyLogger.info("JSON request from API to Delete Policy from the PDP: " + policyName);
// for PUT operations the group may or may not need to exist before the operation can be done