summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDominik Mizyn <d.mizyn@samsung.com>2019-05-31 08:55:42 +0200
committerDominik Mizyn <d.mizyn@samsung.com>2019-05-31 08:56:01 +0200
commit7b634d6019b6fb31a120f7810af095feb7a0317d (patch)
treeb0070c6bfa67d8d68a9b52516802d72db67c31e5
parent73cf89e10ba0d50c119cbd82b3aa4f46154c4b9f (diff)
XSS Vulnerability fix in AppsOSController
SecureString class used to secure PathVariable. Issue-ID: OJSI-207 Change-Id: I6275c5db4d8d97dc60ef1676b651e3d8802ad9f7 Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
-rw-r--r--ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java24
-rw-r--r--ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java11
2 files changed, 32 insertions, 3 deletions
diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java
index ed540551..915c5e08 100644
--- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java
+++ b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java
@@ -40,8 +40,13 @@ package org.onap.portalapp.portal.controller;
import java.util.HashMap;
import java.util.Map;
+import java.util.Set;
import javax.servlet.http.HttpServletRequest;
+import javax.validation.ConstraintViolation;
+import javax.validation.Validation;
+import javax.validation.Validator;
+import javax.validation.ValidatorFactory;
import org.json.JSONObject;
import org.onap.portalapp.portal.controller.AppsController;
import org.onap.portalapp.portal.domain.EPUser;
@@ -53,6 +58,7 @@ import org.onap.portalapp.portal.service.EPAppService;
import org.onap.portalapp.portal.service.PersUserAppService;
import org.onap.portalapp.portal.service.UserService;
import org.onap.portalapp.util.EPUserUtils;
+import org.onap.portalapp.validation.SecureString;
import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.EnableAspectJAutoProxy;
@@ -67,6 +73,7 @@ import org.springframework.web.bind.annotation.RestController;
@EnableAspectJAutoProxy
@EPAuditLog
public class AppsOSController extends AppsController {
+ private static final ValidatorFactory validatorFactory = Validation.buildDefaultValidatorFactory();
static final String FAILURE = "failure";
EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppsOSController.class);
@@ -113,9 +120,20 @@ public class AppsOSController extends AppsController {
@RequestMapping(value = { "/portalApi/currentUserProfile/{loginId}" }, method = RequestMethod.GET, produces = "application/json")
public String getCurrentUserProfile(HttpServletRequest request, @PathVariable("loginId") String loginId) {
+
+ if(loginId != null){
+ Validator validator = validatorFactory.getValidator();
+ SecureString secureString = new SecureString(loginId);
+ Set<ConstraintViolation<SecureString>> constraintViolations = validator.validate(secureString);
+
+ if (!constraintViolations.isEmpty()){
+ return "loginId is not valid";
+ }
+ }
+
- Map<String,String> map = new HashMap<String,String>();
- EPUser user = null;
+ Map<String,String> map = new HashMap<>();
+ EPUser user;
try {
user = (EPUser) userService.getUserByUserId(loginId).get(0);
map.put("firstName", user.getFirstName());
@@ -128,7 +146,7 @@ public class AppsOSController extends AppsController {
logger.error(EELFLoggerDelegate.errorLogger, "Failed to get user info", e);
}
- JSONObject j = new JSONObject(map);;
+ JSONObject j = new JSONObject(map);
return j.toString();
}
diff --git a/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java b/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java
index 0596e749..15fe1dd9 100644
--- a/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java
+++ b/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java
@@ -176,6 +176,17 @@ public class AppsOSControllerTest {
}
@Test
+ public void getCurrentUserProfileXSSTest() {
+ String loginId = "<iframe/src=\"data:text/html,<svg &#111;&#110;load=alert(1)>\">";
+ EPUser user = mockUser.mockEPUser();
+ List<EPUser> expectedList = new ArrayList<>();
+ expectedList.add(user);
+ Mockito.when(userService.getUserByUserId(loginId)).thenReturn(expectedList);
+ String expectedString = appsOSController.getCurrentUserProfile(mockedRequest, loginId);
+ assertEquals("loginId is not valid", expectedString);
+ }
+
+ @Test
public void getCurrentUserProfileExceptionTest() {
String loginId = "guestT";
EPUser user = mockUser.mockEPUser();