author | Manoop Talasila <talasila@research.att.com> | 2019-10-21 15:02:18 +0000 |
---|---|---|
committer | Gerrit Code Review <gerrit@onap.org> | 2019-10-21 15:02:18 +0000 |
commit | 10d37e31a640a7b4f778d71b3a44e7e9da360aac (patch) | |
tree | 9f24d3ad8ce9f0a2443493aad7b88409c6e2d0dd | |
parent | 7813e59e6a956610e719d5d8d722af9750913a4c (diff) | |
parent | be638f25cb9d7021ba6b58a6d3baa5cca134c56f (diff) |
Merge changes I5837e333,I340cb721
* changes:
Fix reflected XSS vulnerability in the saveNotification form.
Fix security vulnerabilities in pom.xml dependencies.
3 files changed, 70 insertions, 21 deletions
diff --git a/ecomp-portal-BE-common/pom.xml b/ecomp-portal-BE-common/pom.xml
index a3e445de..1a04c40d 100644
--- a/ecomp-portal-BE-common/pom.xml
+++ b/ecomp-portal-BE-common/pom.xml
@@ -136,7 +136,7 @@
 <dependency>
 <groupId>com.att.eelf</groupId>
 <artifactId>eelf-core</artifactId>
- <version>${eelf.version}</version>
+ <version>1.0.0-oss</version>
 </dependency>
 <dependency>
 <groupId>com.google.code.gson</groupId>
@@ -187,7 +187,7 @@
 <dependency>
 <groupId>org.springframework.boot</groupId>
 <artifactId>spring-boot-starter</artifactId>
- <version>1.3.0.RELEASE</version>
+ <version>1.3.1.RELEASE</version>
 <exclusions>
 <exclusion>
 <groupId>org.slf4j</groupId>
@@ -204,7 +204,7 @@
 <dependency>
 <groupId>org.hibernate</groupId>
 <artifactId>hibernate-validator</artifactId>
- <version>5.1.3.Final</version>
+ <version>5.2.5.Final</version>
 </dependency>
 <!-- hibernate-core depends on dom4j, which has optional dependencies. On jenkins, contrary to doc, mvn 3.0.5 packages the optional dependencies
@@ -284,7 +284,7 @@
 <dependency>
 <groupId>org.apache.cxf</groupId>
 <artifactId>cxf-rt-rs-client</artifactId>
- <version>3.0.0-milestone1</version>
+ <version>3.1.16</version>
 </dependency>
 <!-- Mapper -->
 <dependency>
@@ -311,7 +311,7 @@
 <dependency>
 <groupId>org.elasticsearch</groupId>
 <artifactId>elasticsearch</artifactId>
- <version>2.2.0</version>
+ <version>6.8.2</version>
 <exclusions>
 <exclusion>
 <groupId>org.apache.lucene</groupId>
@@ -322,7 +322,7 @@
 <dependency>
 <groupId>io.searchbox</groupId>
 <artifactId>jest</artifactId>
- <version>2.0.0</version>
+ <version>5.3.2</version>
 </dependency>
 <dependency>
 <groupId>org.apache.jcs</groupId>
@@ -338,7 +338,7 @@
 <dependency>
 <groupId>org.apache.tomcat</groupId>
 <artifactId>tomcat-websocket</artifactId>
- <version>8.0.28</version>
+ <version>8.0.52</version>
 <scope>provided</scope>
 </dependency>
 <dependency>
@@ -361,7 +361,7 @@
 <dependency>
 <groupId>org.apache.poi</groupId>
 <artifactId>poi</artifactId>
- <version>3.15</version>
+ <version>3.17</version>
 <exclusions>
 <exclusion>
 <groupId>commons-logging</groupId>
@@ -376,7 +376,7 @@
 <dependency>
 <groupId>org.apache.poi</groupId>
 <artifactId>poi-ooxml</artifactId>
- <version>3.15</version>
+ <version>3.17</version>
 <exclusions>
 <exclusion>
 <groupId>commons-logging</groupId>
@@ -391,7 +391,7 @@
 <dependency>
 <groupId>org.apache.poi</groupId>
 <artifactId>poi-scratchpad</artifactId>
- <version>3.5-FINAL</version>
+ <version>3.17</version>
 <exclusions>
 <exclusion>
 <groupId>commons-logging</groupId>
@@ -434,7 +434,7 @@
 <dependency>
 <groupId>org.bouncycastle</groupId>
 <artifactId>bcprov-jdk15on</artifactId>
- <version>1.59</version>
+ <version>1.60</version>
 </dependency>
 <dependency>
 <groupId>commons-codec</groupId>
@@ -562,17 +562,17 @@
 <dependency>
 <groupId>commons-beanutils</groupId>
 <artifactId>commons-beanutils</artifactId>
- <version>1.9.3</version>
+ <version>1.9.4</version>
 </dependency>
 <dependency>
 <groupId>com.ecwid.consul</groupId>
 <artifactId>consul-api</artifactId>
- <version>1.2.1</version>
+ <version>1.3.0</version>
 </dependency>
 <dependency>
 <groupId>com.orbitz.consul</groupId>
 <artifactId>consul-client</artifactId>
- <version>0.13.8</version>
+ <version>1.3.6</version>
 </dependency>
 <dependency>
 <groupId>commons-fileupload</groupId>
@@ -603,7 +603,7 @@
 <dependency>
 <groupId>com.fasterxml.jackson.jaxrs</groupId>
 <artifactId>jackson-jaxrs-json-provider</artifactId>
- <version>2.8.10</version>
+ <version>2.10.0</version>
 </dependency>
 <!-- https://mvnrepository.com/artifact/org.glassfish.web/javax.el -->
 <dependency>
@@ -626,7 +626,7 @@
 <dependency>
 <groupId>org.glassfish.jersey.connectors</groupId>
 <artifactId>jersey-jetty-connector</artifactId>
- <version>2.23.1</version>
+ <version>2.28</version>
 </dependency>
 <!-- Jacoco for offline instrumentation -->
 <dependency>
@@ -638,7 +638,7 @@
 <dependency>
 <groupId>org.owasp.esapi</groupId>
 <artifactId>esapi</artifactId>
- <version>2.1.0.1</version>
+ <version>2.2.0.0</version>
 <exclusions>
 <exclusion>
 <groupId>commons-beanutils</groupId>
@@ -672,7 +672,7 @@
 <dependency>
 <groupId>com.thoughtworks.xstream</groupId>
 <artifactId>xstream</artifactId>
- <version>1.4.10</version>
+ <version>1.4.11</version>
 </dependency>
 <dependency>
 <groupId>ch.qos.logback</groupId>
@@ -752,7 +752,7 @@
 <dependency>
 <groupId>com.alibaba</groupId>
 <artifactId>fastjson</artifactId>
- <version>1.2.7</version>
+ <version>1.2.25</version>
 </dependency>
 </dependencies>
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/ExternalAppsRestfulController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/ExternalAppsRestfulController.java
index 15ce305d..7615b660 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/ExternalAppsRestfulController.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/ExternalAppsRestfulController.java
@@ -66,6 +66,8 @@ import org.onap.portalapp.portal.transport.FunctionalMenuItem;
 import org.onap.portalapp.portal.utils.EPCommonSystemProperties;
 import org.onap.portalapp.portal.utils.EcompPortalUtils;
 import org.onap.portalapp.portal.utils.PortalConstants;
+import org.onap.portalapp.validation.DataValidator;
+import org.onap.portalapp.validation.SecureString;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
 import org.onap.portalsdk.core.onboarding.crossapi.PortalAPIResponse;
 import org.slf4j.MDC;
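Review bot: `import org.onap.portalapp.validation.SecureString;` is added but none of this commit's hunks in ExternalAppsRestfulController reference SecureString; only `DataValidator` is used, so the import appears unused and should be dropped unless a use exists in code this page does not show. An unused import is harmless at runtime but will trip the project's static checks, and it misleads a reader into expecting per-field `SecureString` wrapping that the validation hunk does not perform.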
@@ -90,6 +92,7 @@ import io.swagger.annotations.ApiOperation;
 public class ExternalAppsRestfulController extends EPRestrictedRESTfulBaseController {
 private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(ExternalAppsRestfulController.class);
+ private final DataValidator DATA_VALIDATOR = new DataValidator();
 @Autowired private FunctionalMenuService functionalMenuService;
@@ -111,6 +114,11 @@ public class ExternalAppsRestfulController extends EPRestrictedRESTfulBaseContro
 @ResponseBody public PortalAPIResponse publishNotification(HttpServletRequest request, @RequestBody EpNotificationItem notificationItem) throws Exception {
+
+ if(!DATA_VALIDATOR.isValid(notificationItem)){
+ PortalAPIResponse response = new PortalAPIResponse(false, "failed");
+ return response;
+ }
 String appKey = request.getHeader("uebkey");
 EPApp app = findEpApp(appKey);
 List<Long> postRoleIds = new ArrayList<Long>();
@@ -119,8 +127,8 @@ public class ExternalAppsRestfulController extends EPRestrictedRESTfulBaseContro
 EPRole role = epRoleService.getRole(app.getId(), roleId);
 if (role != null) postRoleIds.add(role.getId());
- }
- }
+ }
+ }
 // --- recreate the user notification object with the POrtal Role Ids
 EpNotificationItem postItem = new EpNotificationItem();
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/ExternalAppsRestfulControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/ExternalAppsRestfulControllerTest.java
index d8f98bb9..d6cb42a6 100644
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/ExternalAppsRestfulControllerTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/ExternalAppsRestfulControllerTest.java
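Review bot: `private final DataValidator DATA_VALIDATOR = new DataValidator();` puts the UPPER_SNAKE_CASE reserved for constants on an instance field; rename it `private final DataValidator dataValidator = new DataValidator();`, or make it `private static final` if DataValidator keeps no per-request state (its implementation is not on this page, so confirm that before sharing one instance across request threads). The class obtains its other collaborators through `@Autowired`, so building the validator with `new` departs from that style; the upside is that the XSS test in this commit exercises the real validator instead of a mock, which is what a regression test for an injection fix needs, so the choice is worth a one-line comment on the field.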
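Review bot: The new guard in publishNotification rejects the payload silently: nothing is logged and the caller only sees the generic `"failed"` message, so an operator cannot distinguish a blocked injection attempt from an ordinary malformed request, and there is no signal for detection. Log the rejection through the class's `logger` before returning, for example `logger.warn(EELFLoggerDelegate.errorLogger, "publishNotification: notification rejected by DataValidator");` adjusted to the EELFLoggerDelegate overload this project uses, and keep the raw field values out of the log line so the attacker's string is not re-injected into log viewers. The rules DataValidator applies are not visible here; confirm it covers every string field of EpNotificationItem (the commit's test only exercises msgHeader) and treat this input filter as a second layer, since a reflected XSS is only closed where msgHeader and msgDescription are output-encoded at render time. The two lines `PortalAPIResponse response = new PortalAPIResponse(false, "failed"); return response;` can collapse to `return new PortalAPIResponse(false, "failed");`. The method's body continues past the end of the hunk.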
@@ -296,6 +296,47 @@ public class ExternalAppsRestfulControllerTest {
 assertEquals(543L, createdNofification.getRoleIds().get(0).longValue());
 }
+ @Test
+ public void publishNotificationXSSTest() throws Exception {
+ // input
+ EpNotificationItem notificationItem = new EpNotificationItem();
+ List<Long> roleList = new ArrayList<Long>();
+ Long role1 = 1L;
+ roleList.add(role1);
+ notificationItem.setRoleIds(roleList);
+ notificationItem.setPriority(1L);
+ notificationItem.setMsgHeader("<script>alert(‘XSS’)</script>");
+ notificationItem.setMsgDescription("Test Description");
+ Date currentDate = new Date();
+ Calendar c = Calendar.getInstance();
+ c.setTime(currentDate);
+ c.add(Calendar.DATE, 1);
+ Date currentDatePlusOne = c.getTime();
+ notificationItem.setStartTime(currentDate);
+ notificationItem.setEndTime(currentDatePlusOne);
+
+ // mock calls
+ Mockito.when(mockedRequest.getHeader("uebkey")).thenReturn("RxH3983AHiyBOQmj");
+ Map<String, String> params = new HashMap<>();
+ params.put("appKey", "RxH3983AHiyBOQmj");
+ List<EPApp> apps = new ArrayList<>();
+ EPApp app = new EPApp();
+ app.setId(123L);
+ apps.add(app);
+ Mockito.when(DataAccessService.executeNamedQuery("getMyAppDetailsByUebKey", params, null)).thenReturn(apps);
+ EPRole role = new EPRole();
+ role.setId(543L);
+ Mockito.when(epRoleService.getRole(123L, 1L)).thenReturn(role);
+
+ // run
+ Mockito.when(userNotificationService.saveNotification(notificationItem)).thenReturn("Test");
+ PortalAPIResponse response = externalAppsRestfulController.publishNotification(mockedRequest, notificationItem);
+ // verify answer
+ assertNotNull(response);
+ assertEquals("error", response.getStatus());
+ assertEquals("failed", response.getMessage());
+ }
+
 @Test
 public void publishNotificationTest_EmptyAppHeader() throws Exception {
 // input |
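Review bot: publishNotificationXSSTest stubs `userNotificationService.saveNotification(notificationItem)` but never asserts that the rejected payload stayed out of the service, so the test would still pass if the controller validated and then saved anyway; add `Mockito.verify(userNotificationService, Mockito.never()).saveNotification(Mockito.any());` after the response assertions. The case only places the script tag in msgHeader; a second input with the same payload in msgDescription would show that the validator covers the other user-visible string, which this test cannot establish. The expected status `"error"` depends on PortalAPIResponse mapping the `false` the controller passes to that string, which is not visible on this page, so the assertion is only as good as that mapping.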