diff options
author | Dominik Mizyn <d.mizyn@samsung.com> | 2019-10-21 15:29:52 +0200 |
---|---|---|
committer | Dominik Mizyn <d.mizyn@samsung.com> | 2019-10-24 15:54:49 +0200 |
commit | 2bd26995f7ac5a0c1f19c1ca0ab1f5f0b50ea5c2 (patch) | |
tree | 435327d15ed809258c1d6e4285a4ab3f33b615a1 | |
parent | 31643c4db220bda9ffd9ac06d884f9035bbc4e1f (diff) |
Persistent XSS vulnerability in saveNewUser form fix
javax.validation.Validator used to fix this vulnerability issue.
Issue-ID: OJSI-16
Change-Id: I50a7acc4f7e9294170628fd5b2894ee6cbdba8f0
Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
-rw-r--r-- | ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java index b1154aa3..8314e7b9 100644 --- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java +++ b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java @@ -52,6 +52,7 @@ import org.onap.portalapp.portal.ecomp.model.PortalRestStatusEnum; import org.onap.portalapp.portal.logging.aop.EPAuditLog; import org.onap.portalapp.portal.service.UserService; import org.onap.portalapp.util.EPUserUtils; +import org.onap.portalapp.validation.DataValidator; import org.onap.portalapp.validation.SecureString; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; import org.springframework.beans.factory.annotation.Autowired; @@ -70,7 +71,7 @@ import lombok.NoArgsConstructor; @EPAuditLog @NoArgsConstructor public class AppsOSController extends AppsController { - private static final ValidatorFactory validatorFactory = Validation.buildDefaultValidatorFactory(); + private final DataValidator dataValidator = new DataValidator(); private static final String FAILURE = "failure"; private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppsOSController.class); @@ -90,7 +91,10 @@ public class AppsOSController extends AppsController { if (newUser == null) return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE, "New User cannot be null or empty"); - + if (!dataValidator.isValid(newUser)) { + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE, + "New User is not safe html"); + } if (!(super.getAdminRolesService().isSuperAdmin(user) || super.getAdminRolesService().isAccountAdmin(user)) && !user.getLoginId().equalsIgnoreCase(newUser.getLoginId())) { return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE, @@ -113,11 +117,7 @@ public class AppsOSController extends AppsController { public String getCurrentUserProfile(HttpServletRequest request, @PathVariable("loginId") String loginId) { if (loginId != null) { - Validator validator = validatorFactory.getValidator(); - SecureString secureString = new SecureString(loginId); - Set<ConstraintViolation<SecureString>> constraintViolations = validator.validate(secureString); - - if (!constraintViolations.isEmpty()) { + if (!dataValidator.isValid(new SecureString(loginId))) { return "loginId is not valid"; } } |