Merge "XSS Vulnerability fix in AuxApiRequestMapperController"

author: Manoop Talasila <talasila@research.att.com> 2019-07-22 19:32:19 +0000
committer: Gerrit Code Review <gerrit@onap.org> 2019-07-22 19:32:19 +0000
commit: 3efc4f4d7b5943a3ce3d3066f5935df1a82274f0 (patch)
tree: e45bdef21fd034e032252dc550ba6ec1216c3455
parent: 973207e0557c86a30723f3328b06cde5d0428373 (diff)
parent: b8a540c2aa08175b2d4c144c6a27d774c8e76acb (diff)
5 files changed, 352 insertions, 22 deletions
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/externalsystemapproval/model/ExternalSystemRoleApproval.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/externalsystemapproval/model/ExternalSystemRoleApproval.java
index 550d11df..49eb469c 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/externalsystemapproval/model/ExternalSystemRoleApproval.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/externalsystemapproval/model/ExternalSystemRoleApproval.java
@@ -38,13 +38,14 @@
 package org.onap.portalapp.externalsystemapproval.model;
 
 import java.io.Serializable;
+import org.hibernate.validator.constraints.SafeHtml;
 
 public class ExternalSystemRoleApproval implements Serializable {
 
 	private static final long serialVersionUID = 6048830318039958615L;
-
+	@SafeHtml
 	private String roleName;
-
+	@SafeHtml
 	public String getRoleName() {
 		return roleName;
 	}
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/externalsystemapproval/model/ExternalSystemUser.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/externalsystemapproval/model/ExternalSystemUser.java
index cfe49267..fa6c04e1 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/externalsystemapproval/model/ExternalSystemUser.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/externalsystemapproval/model/ExternalSystemUser.java
@@ -40,15 +40,17 @@ package org.onap.portalapp.externalsystemapproval.model;
 
 import java.util.ArrayList;
 import java.util.List;
+import javax.validation.Valid;
+import org.hibernate.validator.constraints.SafeHtml;
 
 public class ExternalSystemUser {
-
+	@SafeHtml
 	private String loginId;
-	
+	@SafeHtml
 	private String applicationName;
-	
+	@SafeHtml
 	private String myloginrequestId;
-	
+	@Valid
 	private List<ExternalSystemRoleApproval> roles;
 
 	public ExternalSystemUser() {
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AuxApiRequestMapperController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AuxApiRequestMapperController.java
index fe2c349f..9ca88c0f 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AuxApiRequestMapperController.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AuxApiRequestMapperController.java
@@ -36,6 +36,8 @@
  */
 package org.onap.portalapp.portal.controller;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
+import io.swagger.annotations.ApiOperation;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.util.ArrayList;
@@ -47,10 +49,8 @@ import java.util.Map;
 import java.util.jar.Attributes;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
-
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-
 import org.onap.aaf.cadi.aaf.AAFPermission;
 import org.onap.portalapp.annotation.ApiVersion;
 import org.onap.portalapp.externalsystemapproval.model.ExternalSystemUser;
@@ -67,6 +67,8 @@ import org.onap.portalapp.portal.transport.EpNotificationItem;
 import org.onap.portalapp.portal.transport.FavoritesFunctionalMenuItemJson;
 import org.onap.portalapp.portal.transport.FunctionalMenuItem;
 import org.onap.portalapp.portal.transport.OnboardingApp;
+import org.onap.portalapp.validation.DataValidator;
+import org.onap.portalapp.validation.SecureString;
 import org.onap.portalsdk.core.domain.Role;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
 import org.onap.portalsdk.core.onboarding.crossapi.PortalAPIResponse;
@@ -76,6 +78,7 @@ import org.springframework.beans.BeansException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.ApplicationContextAware;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.EnableAspectJAutoProxy;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -85,18 +88,15 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import com.fasterxml.jackson.databind.ObjectMapper;
-
-import io.swagger.annotations.ApiOperation;
-
 @RestController
 @RequestMapping("/auxapi")
-@org.springframework.context.annotation.Configuration
+@Configuration
 @EnableAspectJAutoProxy
 @EPAuditLog
 public class AuxApiRequestMapperController implements ApplicationContextAware, BasicAuthenticationController {
 
 	private static EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AuxApiRequestMapperController.class);
+	private DataValidator dataValidator = new DataValidator();
 
 	ApplicationContext context = null;
 	int minorVersion = 0;
@@ -108,6 +108,13 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
 	@RequestMapping(value = { "/v3/user/{loginId}" }, method = RequestMethod.GET, produces = "application/json")
 	public String getUser(HttpServletRequest request, HttpServletResponse response,
 			@PathVariable("loginId") String loginId) throws Exception {
+		if (loginId!=null){
+			SecureString secureLoginId = new SecureString(loginId);
+			if (!dataValidator.isValid(secureLoginId))
+				return "Provided data is not valid";
+		}
+
+
 		Map<String, Object> res = getMethod(request, response);
 		String answer = null;
 		try {
@@ -198,6 +205,12 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
 	@RequestMapping(value = { "/v3/function/{code}" }, method = RequestMethod.GET, produces = "application/json")
 	public CentralV2RoleFunction getRoleFunction(HttpServletRequest request, HttpServletResponse response,
 			@PathVariable("code") String code) throws Exception {
+		if (code!=null){
+			SecureString secureCode = new SecureString(code);
+			if (!dataValidator.isValid(secureCode))
+				return new CentralV2RoleFunction();
+		}
+
 		Map<String, Object> res = getMethod(request, response);
 		CentralV2RoleFunction roleFunction = null;
 		try {
@@ -214,13 +227,20 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
 	public PortalRestResponse<String> saveRoleFunction(HttpServletRequest request, HttpServletResponse response,
 			@RequestBody String roleFunc) throws Exception {
 		PortalRestResponse<String> result = null;
+
+		if (roleFunc!=null){
+			SecureString secureRoleFunc = new SecureString(roleFunc);
+			if(!dataValidator.isValid(secureRoleFunc))
+				return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "Provided data is not valid", "Failed");
+		}
+
 		Map<String, Object> res = getMethod(request, response);
 		try {
 			result = (PortalRestResponse<String>) invokeMethod(res, request, response, roleFunc);
 			return result;
 		} catch (Exception e) {
 			logger.error(EELFLoggerDelegate.errorLogger, "saveRoleFunction failed", e);
-			return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, e.getMessage(), "Failed");
+			return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, e.getMessage(), "Failed");
 		}
 	}
 
@@ -230,6 +250,13 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
 	public PortalRestResponse<String> deleteRoleFunction(HttpServletRequest request, HttpServletResponse response,
 			@PathVariable("code") String code) throws Exception {
 		PortalRestResponse<String> result = null;
+
+		if (code!=null){
+			SecureString secureCode = new SecureString(code);
+			if(!dataValidator.isValid(secureCode))
+				return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "Provided data is not valid", "Failed");
+		}
+
 		Map<String, Object> res = getMethod(request, response);
 		try {
 			result = (PortalRestResponse<String>) invokeMethod(res, request, response, code);
@@ -276,6 +303,14 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
 	public String getEcompUser(HttpServletRequest request, HttpServletResponse response,
 			@PathVariable("loginId") String loginId) throws Exception {
 		Map<String, Object> res = getMethod(request, response);
+
+		if (loginId!=null){
+			SecureString secureLoginId = new SecureString(loginId);
+
+			if (!dataValidator.isValid(secureLoginId))
+				return null;
+		}
+
 		String answer = null;
 		try {
 			answer = (String) invokeMethod(res, request, response, loginId);
@@ -319,6 +354,14 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
 	@RequestMapping(value = { "/v3/extendSessionTimeOuts" }, method = RequestMethod.POST)
 	public Boolean extendSessionTimeOuts(HttpServletRequest request, HttpServletResponse response,
 			@RequestParam String sessionMap) throws Exception {
+
+		if (sessionMap!=null){
+			SecureString secureSessionMap = new SecureString(sessionMap);
+			if (!dataValidator.isValid(secureSessionMap)){
+				return null;
+			}
+		}
+
 		Map<String, Object> res = getMethod(request, response);
 		Boolean ans = null;
 		try {
@@ -347,6 +390,12 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
 	@ApiOperation(value = "Accepts data from partner applications with web analytics data.", response = PortalAPIResponse.class)
 	public PortalAPIResponse storeAnalyticsScript(HttpServletRequest request, HttpServletResponse response,
 			@RequestBody Analytics analyticsMap) throws Exception {
+
+		if (analyticsMap!=null){
+			if (!dataValidator.isValid(analyticsMap))
+				return new PortalAPIResponse(false, "analyticsScript is not valid");
+		}
+
 		Map<String, Object> res = getMethod(request, response);
 		PortalAPIResponse ans = new PortalAPIResponse(true, "error");
 		try {
@@ -715,6 +764,12 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
 	@RequestMapping(value = { "/v3/userProfile" }, method = RequestMethod.POST, produces = "application/json")
 	public PortalRestResponse<String> postUserProfile(HttpServletRequest request,
 			@RequestBody ExternalSystemUser extSysUser, HttpServletResponse response) {
+
+		if (extSysUser!=null){
+			if (!dataValidator.isValid(extSysUser))
+				return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ExternalSystemUser is not valid", "Failed");
+		}
+
 		PortalRestResponse<String> result = null;
 		Map<String, Object> res = getMethod(request, response);
 		try {
@@ -731,6 +786,12 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
 	@RequestMapping(value = { "/v3/userProfile" }, method = RequestMethod.PUT, produces = "application/json")
 	public PortalRestResponse<String> putUserProfile(HttpServletRequest request,
 			@RequestBody ExternalSystemUser extSysUser, HttpServletResponse response) {
+
+		if (extSysUser!=null){
+			if (!dataValidator.isValid(extSysUser))
+				return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ExternalSystemUser is not valid", "Failed");
+		}
+
 		PortalRestResponse<String> result = null;
 		Map<String, Object> res = getMethod(request, response);
 		try {
@@ -747,6 +808,12 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
 	@RequestMapping(value = { "/v3/userProfile" }, method = RequestMethod.DELETE, produces = "application/json")
 	public PortalRestResponse<String> deleteUserProfile(HttpServletRequest request,
 			@RequestBody ExternalSystemUser extSysUser, HttpServletResponse response) {
+
+		if (extSysUser!=null){
+			if (!dataValidator.isValid(extSysUser))
+				return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ExternalSystemUser is not valid", "Failed");
+		}
+
 		PortalRestResponse<String> result = null;
 		Map<String, Object> res = getMethod(request, response);
 		try {
@@ -763,6 +830,13 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
 	@RequestMapping(value = { "/v3/ticketevent" }, method = RequestMethod.POST)
 	public PortalRestResponse<String> handleRequest(HttpServletRequest request, HttpServletResponse response,
 			@RequestBody String ticketEventJson) throws Exception {
+
+		if (ticketEventJson!=null){
+			SecureString secureTicketEventJson = new SecureString(ticketEventJson);
+			if (!dataValidator.isValid(secureTicketEventJson))
+				return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ticketEventJson is not valid", "Failed");
+		}
+
 		PortalRestResponse<String> result = null;
 		Map<String, Object> res = getMethod(request, response);
 		try {
@@ -780,6 +854,12 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
 	@ResponseBody
 	public PortalRestResponse<String> postPortalAdmin(HttpServletRequest request, HttpServletResponse response,
 			@RequestBody EPUser epUser) {
+
+		if (epUser!=null){
+			if (!dataValidator.isValid(epUser))
+				return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "EPUser is not valid", "Failed");
+		}
+
 		PortalRestResponse<String> result = null;
 		Map<String, Object> res = getMethod(request, response);
 		try {
@@ -812,6 +892,12 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
 	@ResponseBody
 	public PortalRestResponse<String> postOnboardAppExternal(HttpServletRequest request, HttpServletResponse response,
 			@RequestBody OnboardingApp newOnboardApp) {
+
+		if (newOnboardApp!=null){
+			if (!dataValidator.isValid(newOnboardApp))
+				return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "OnboardingApp is not valid", "Failed");
+		}
+
 		PortalRestResponse<String> result = new PortalRestResponse<>();
 		Map<String, Object> res = getMethod(request, response);
 		try {
@@ -830,7 +916,13 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
 	@ResponseBody
 	public PortalRestResponse<String> putOnboardAppExternal(HttpServletRequest request, HttpServletResponse response,
 			@PathVariable("appId") Long appId, @RequestBody OnboardingApp oldOnboardApp) {
-		PortalRestResponse<String> result = new PortalRestResponse<>();
+
+		if (oldOnboardApp!=null){
+			if (!dataValidator.isValid(oldOnboardApp))
+				return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "OnboardingApp is not valid", "Failed");
+		}
+
+		PortalRestResponse<String> result;
 		Map<String, Object> res = getMethod(request, response);
 		try {
 			result = (PortalRestResponse<String>) invokeMethod(res, request, response, appId, oldOnboardApp);
@@ -845,12 +937,16 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
 	@RequestMapping(value = { "/v3/publishNotification" }, method = RequestMethod.POST, produces = "application/json")
 	@ResponseBody
 	public PortalAPIResponse publishNotification(HttpServletRequest request,
-			@RequestBody EpNotificationItem notificationItem, HttpServletResponse response) throws Exception {
-		PortalAPIResponse result = new PortalAPIResponse(true, "success");
+			@RequestBody EpNotificationItem notificationItem, HttpServletResponse response) {
+
+		if (notificationItem!=null){
+			if (!dataValidator.isValid(notificationItem))
+				return new PortalAPIResponse(false, "EpNotificationItem is not valid");
+		}
+
 		Map<String, Object> res = getMethod(request, response);
 		try {
-			result = (PortalAPIResponse) invokeMethod(res, request, response, notificationItem);
-			return result;
+			return (PortalAPIResponse) invokeMethod(res, request, response, notificationItem);
 		} catch (Exception e) {
 			logger.error(EELFLoggerDelegate.errorLogger, "publishNotification failed", e);
 			return new PortalAPIResponse(false, e.getMessage());
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/Analytics.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/Analytics.java
index 2d85e8f2..f5ca1832 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/Analytics.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/Analytics.java
@@ -38,14 +38,19 @@
 package org.onap.portalapp.portal.transport;
 
 import com.fasterxml.jackson.annotation.JsonInclude;
+import org.hibernate.validator.constraints.SafeHtml;
 
 @JsonInclude(JsonInclude.Include.NON_NULL)
 public class Analytics {
-	
+	@SafeHtml
 	private String action;
+	@SafeHtml
 	private String page;
+	@SafeHtml
 	private String function;
+	@SafeHtml
 	private String userid;
+	@SafeHtml
 	private String type;
 	
 	public String getType() {
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AuxApiRequestMapperControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AuxApiRequestMapperControllerTest.java
index e7303313..5f49c744 100644
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AuxApiRequestMapperControllerTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AuxApiRequestMapperControllerTest.java
@@ -45,10 +45,8 @@ import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -68,6 +66,7 @@ import org.onap.portalapp.portal.transport.Analytics;
 import org.onap.portalapp.portal.transport.EpNotificationItem;
 import org.onap.portalapp.portal.transport.OnboardingApp;
 import org.onap.portalsdk.core.domain.Role;
+import org.onap.portalsdk.core.onboarding.crossapi.PortalAPIResponse;
 import org.powermock.api.mockito.PowerMockito;
 import org.powermock.core.classloader.annotations.PrepareForTest;
 import org.powermock.modules.junit4.PowerMockRunner;
@@ -114,6 +113,21 @@ public class AuxApiRequestMapperControllerTest {
 		Mockito.when(mockedRequest.getMethod()).thenReturn("GET");
 		assertNull(auxApiRequestMapperController.getUser(mockedRequest, mockedResponse, "test12"));
 	}
+
+	@Test
+	public void getUserXSSTest() throws Exception {
+		Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/roles");
+		Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0");
+		Map<String, Object> beans = new HashMap<>();
+		beans.put("bean1", rolesController);
+		Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans);
+		PowerMockito.mockStatic(AopUtils.class);
+		Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false);
+		Mockito.when(mockedRequest.getMethod()).thenReturn("GET");
+		String expected = "Provided data is not valid";
+		String actual = auxApiRequestMapperController.getUser(mockedRequest, mockedResponse, "“><script>alert(“XSS”)</script>");
+		assertEquals(expected, actual);
+	}
 	
 	@Test
 	public void getUserTestWithException() throws Exception {
@@ -233,6 +247,7 @@ public class AuxApiRequestMapperControllerTest {
 		assertNull(auxApiRequestMapperController.getRoleFunction(mockedRequest, mockedResponse, "test"));
 	}
 
+
 	@Test
 	public void saveRoleFunctionTest() throws Exception {
 		Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/roleFunction");
@@ -248,6 +263,21 @@ public class AuxApiRequestMapperControllerTest {
 	}
 
 	@Test
+	public void saveRoleFunctionXSSTest() throws Exception {
+		Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/roleFunction");
+		Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0");
+		Map<String, Object> beans = new HashMap<>();
+		beans.put("bean1", rolesController);
+		Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans);
+		PowerMockito.mockStatic(AopUtils.class);
+		Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false);
+		Mockito.when(mockedRequest.getMethod()).thenReturn("POST");
+		PortalRestResponse<String> actual = auxApiRequestMapperController.saveRoleFunction(mockedRequest, mockedResponse, "<script>alert(123)</script>");
+		PortalRestResponse<String> expected = new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "Provided data is not valid", "Failed");
+		assertEquals(expected, actual);
+	}
+
+	@Test
 	public void deleteRoleFunctionTest() throws Exception {
 		Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/roleFunction/test");
 		Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0");
@@ -261,6 +291,22 @@ public class AuxApiRequestMapperControllerTest {
 	}
 
 	@Test
+	public void deleteRoleFunctionXSSTest() throws Exception {
+		Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/roleFunction/test");
+		Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0");
+		Map<String, Object> beans = new HashMap<>();
+		beans.put("bean1", rolesController);
+		Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans);
+		PowerMockito.mockStatic(AopUtils.class);
+		Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false);
+		Mockito.when(mockedRequest.getMethod()).thenReturn("DELETE");
+		PortalRestResponse<String> actual = auxApiRequestMapperController.deleteRoleFunction(mockedRequest, mockedResponse,
+			"<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}");
+		PortalRestResponse<String> expected = new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "Provided data is not valid", "Failed");
+		assertEquals(expected, actual);
+	}
+
+	@Test
 	public void deleteRoleTest() throws Exception {
 		Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/deleteRole/1");
 		Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0");
@@ -300,6 +346,19 @@ public class AuxApiRequestMapperControllerTest {
 	}
 
 	@Test
+	public void getEcompUserXSSTest() throws Exception {
+		Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v4/user/test");
+		Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0");
+		Map<String, Object> beans = new HashMap<>();
+		beans.put("bean1", rolesController);
+		Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans);
+		PowerMockito.mockStatic(AopUtils.class);
+		Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false);
+		Mockito.when(mockedRequest.getMethod()).thenReturn("GET");
+		assertNull(auxApiRequestMapperController.getEcompUser(mockedRequest, mockedResponse, "<script>alert(‘XSS’)</script>"));
+	}
+
+	@Test
 	public void getEcompRolesOfApplicationTest() throws Exception {
 		Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v4/roles");
 		Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0");
@@ -340,6 +399,20 @@ public class AuxApiRequestMapperControllerTest {
 	}
 
 	@Test
+	public void extendSessionTimeOutsXSSTest() throws Exception {
+		String sessionMap = "<script>alert(“XSS”)</script>";
+		Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/extendSessionTimeOuts");
+		Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0");
+		Map<String, Object> beans = new HashMap<>();
+		beans.put("bean1", sessionCommunicationController);
+		Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans);
+		PowerMockito.mockStatic(AopUtils.class);
+		Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false);
+		Mockito.when(mockedRequest.getMethod()).thenReturn("POST");
+		assertNull(auxApiRequestMapperController.extendSessionTimeOuts(mockedRequest, mockedResponse, sessionMap));
+	}
+
+	@Test
 	public void getAnalyticsScriptTest() throws Exception {
 		Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/analytics");
 		Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0");
@@ -367,6 +440,23 @@ public class AuxApiRequestMapperControllerTest {
 	}
 
 	@Test
+	public void storeAnalyticsScriptXSSTest() throws Exception {
+		Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/storeAnalytics");
+		Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0");
+		Map<String, Object> beans = new HashMap<>();
+		beans.put("bean1", webAnalyticsExtAppController);
+		Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans);
+		PowerMockito.mockStatic(AopUtils.class);
+		Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false);
+		Mockito.when(mockedRequest.getMethod()).thenReturn("POST");
+		Analytics analyticsMap = new Analytics();
+		analyticsMap.setPage("<script>alert(“XSS”);</script>");
+		PortalAPIResponse actual = auxApiRequestMapperController.storeAnalyticsScript(mockedRequest, mockedResponse, analyticsMap);
+		PortalAPIResponse expected  = new PortalAPIResponse(true, "analyticsScript is not valid");
+		assertEquals(expected.getMessage(), actual.getMessage());
+	}
+
+	@Test
 	public void bulkUploadFunctionsTest() throws Exception {
 		Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/upload/portal/functions");
 		Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0");
@@ -532,6 +622,23 @@ public class AuxApiRequestMapperControllerTest {
 	}
 
 	@Test
+	public void postUserProfileXSSTest() {
+		Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/userProfile");
+		Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0");
+		Map<String, Object> beans = new HashMap<>();
+		beans.put("bean1", rolesApprovalSystemController);
+		Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans);
+		PowerMockito.mockStatic(AopUtils.class);
+		Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false);
+		Mockito.when(mockedRequest.getMethod()).thenReturn("POST");
+		ExternalSystemUser extSysUser = new ExternalSystemUser();
+		extSysUser.setLoginId("<script>alert(“XSS”);</script>");
+		PortalRestResponse<String> actual = auxApiRequestMapperController.postUserProfile(mockedRequest, extSysUser, mockedResponse);
+		PortalRestResponse<String> expected = new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ExternalSystemUser is not valid", "Failed");
+		assertEquals(expected, actual);
+	}
+
+	@Test
 	public void putUserProfileTest() throws Exception {
 		Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/userProfile");
 		Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0");
@@ -546,6 +653,23 @@ public class AuxApiRequestMapperControllerTest {
 	}
 
 	@Test
+	public void putUserProfileXSSTest() {
+		Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/userProfile");
+		Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0");
+		Map<String, Object> beans = new HashMap<>();
+		beans.put("bean1", rolesApprovalSystemController);
+		Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans);
+		PowerMockito.mockStatic(AopUtils.class);
+		Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false);
+		Mockito.when(mockedRequest.getMethod()).thenReturn("POST");
+		ExternalSystemUser extSysUser = new ExternalSystemUser();
+		extSysUser.setLoginId("<script>alert(“XSS”);</script>");
+		PortalRestResponse<String> actual = auxApiRequestMapperController.putUserProfile(mockedRequest, extSysUser, mockedResponse);
+		PortalRestResponse<String> expected = new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ExternalSystemUser is not valid", "Failed");
+		assertEquals(expected, actual);
+	}
+
+	@Test
 	public void deleteUserProfileTest() throws Exception {
 		Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/userProfile");
 		Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0");
@@ -560,6 +684,23 @@ public class AuxApiRequestMapperControllerTest {
 	}
 
 	@Test
+	public void deleteUserProfileXSSTest() throws Exception {
+		Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/userProfile");
+		Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0");
+		Map<String, Object> beans = new HashMap<>();
+		beans.put("bean1", rolesApprovalSystemController);
+		Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans);
+		PowerMockito.mockStatic(AopUtils.class);
+		Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false);
+		Mockito.when(mockedRequest.getMethod()).thenReturn("DELETE");
+		ExternalSystemUser extSysUser = new ExternalSystemUser();
+		extSysUser.setLoginId("<script>alert(“XSS”);</script>");
+		PortalRestResponse<String> actual = auxApiRequestMapperController.deleteUserProfile(mockedRequest, extSysUser, mockedResponse);
+		PortalRestResponse<String> expected = new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ExternalSystemUser is not valid", "Failed");
+		assertEquals(expected, actual);
+	}
+
+	@Test
 	public void handleRequestTest() throws Exception {
 		Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/ticketevent");
 		Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0");
@@ -573,6 +714,21 @@ public class AuxApiRequestMapperControllerTest {
 	}
 
 	@Test
+	public void handleRequestXSSTest() throws Exception {
+		Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/ticketevent");
+		Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0");
+		Map<String, Object> beans = new HashMap<>();
+		beans.put("bean1", ticketEventVersionController);
+		Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans);
+		PowerMockito.mockStatic(AopUtils.class);
+		Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false);
+		Mockito.when(mockedRequest.getMethod()).thenReturn("POST");
+		PortalRestResponse<String> actual = auxApiRequestMapperController.handleRequest(mockedRequest, mockedResponse, "<script>alert(“XSS”);</script>");
+		PortalRestResponse<String> expected =  new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ticketEventJson is not valid", "Failed");
+		assertEquals(expected, actual);
+	}
+
+	@Test
 	public void postPortalAdminTest() throws Exception {
 		Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/portalAdmin");
 		Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0");
@@ -587,6 +743,23 @@ public class AuxApiRequestMapperControllerTest {
 	}
 
 	@Test
+	public void postPortalAdminXSSTest() throws Exception {
+		Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/portalAdmin");
+		Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0");
+		Map<String, Object> beans = new HashMap<>();
+		beans.put("bean1", appsControllerExternalVersionRequest);
+		Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans);
+		PowerMockito.mockStatic(AopUtils.class);
+		Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false);
+		Mockito.when(mockedRequest.getMethod()).thenReturn("POST");
+		EPUser epUser = new EPUser();
+		epUser.setLoginId("<script>alert(/XSS”)</script>");
+		PortalRestResponse<String> actual = auxApiRequestMapperController.postPortalAdmin(mockedRequest, mockedResponse, epUser);
+		PortalRestResponse<String> expected = new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "EPUser is not valid", "Failed");
+		assertEquals(expected, actual);
+	}
+
+	@Test
 	public void getOnboardAppExternalTest() throws Exception {
 		Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/onboardApp/1");
 		Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0");
@@ -614,6 +787,23 @@ public class AuxApiRequestMapperControllerTest {
 	}
 
 	@Test
+	public void postOnboardAppExternalXSSTest() throws Exception {
+		Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/onboardApp");
+		Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0");
+		Map<String, Object> beans = new HashMap<>();
+		beans.put("bean1", appsControllerExternalVersionRequest);
+		Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans);
+		PowerMockito.mockStatic(AopUtils.class);
+		Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false);
+		Mockito.when(mockedRequest.getMethod()).thenReturn("POST");
+		OnboardingApp newOnboardApp = new OnboardingApp();
+		newOnboardApp.setUebKey("&#00;</form><input type&#61;\"date\" onfocus=\"alert(1)\">");
+		PortalRestResponse<String> actual = auxApiRequestMapperController.postOnboardAppExternal(mockedRequest, mockedResponse, newOnboardApp);
+		PortalRestResponse<String> expected = new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "OnboardingApp is not valid", "Failed");
+		assertEquals(expected, actual);
+	}
+
+	@Test
 	public void putOnboardAppExternalTest() throws Exception {
 		Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/onboardApp/1");
 		Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0");
@@ -629,6 +819,24 @@ public class AuxApiRequestMapperControllerTest {
 	}
 
 	@Test
+	public void putOnboardAppExternalXSSTest() throws Exception {
+		Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/onboardApp/1");
+		Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0");
+		Map<String, Object> beans = new HashMap<>();
+		beans.put("bean1", appsControllerExternalVersionRequest);
+		Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans);
+		PowerMockito.mockStatic(AopUtils.class);
+		Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false);
+		Mockito.when(mockedRequest.getMethod()).thenReturn("PUT");
+		OnboardingApp newOnboardApp = new OnboardingApp();
+		newOnboardApp.setUebTopicName("&#13;<blink/&#13; onmouseover=pr&#x6F;mp&#116;(1)>OnMouseOver {Firefox & Opera}");
+		PortalRestResponse<String> actual = auxApiRequestMapperController.putOnboardAppExternal(mockedRequest, mockedResponse, (long) 1,
+			newOnboardApp);
+		PortalRestResponse<String> expected = new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "OnboardingApp is not valid", "Failed");
+		assertEquals(expected, actual);
+	}
+
+	@Test
 	public void publishNotificationTest() throws Exception {
 		Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/publishNotification");
 		Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0");
@@ -643,6 +851,24 @@ public class AuxApiRequestMapperControllerTest {
 	}
 
 	@Test
+	public void publishNotificationXSSTest() throws Exception {
+		Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/publishNotification");
+		Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0");
+		Map<String, Object> beans = new HashMap<>();
+		beans.put("bean1", externalAppsRestfulVersionController);
+		Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans);
+		PowerMockito.mockStatic(AopUtils.class);
+		Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false);
+		Mockito.when(mockedRequest.getMethod()).thenReturn("POST");
+		EpNotificationItem notificationItem = new EpNotificationItem();
+		notificationItem.setIsForAllRoles("</svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert&#x28;1&#x29; {Opera}");
+		PortalAPIResponse actual = auxApiRequestMapperController.publishNotification(mockedRequest, notificationItem, mockedResponse);
+		PortalAPIResponse expected = new PortalAPIResponse(false, "EpNotificationItem is not valid");
+		assertEquals(expected.getMessage(), actual.getMessage());
+		assertEquals(expected.getStatus(), actual.getStatus());
+	}
+
+	@Test
 	public void getFavoritesForUserTest() throws Exception {
 		Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/getFavorites");
 		Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0");
author	Manoop Talasila <talasila@research.att.com>	2019-07-22 19:32:19 +0000
committer	Gerrit Code Review <gerrit@onap.org>	2019-07-22 19:32:19 +0000
commit	3efc4f4d7b5943a3ce3d3066f5935df1a82274f0 (patch)
tree	e45bdef21fd034e032252dc550ba6ec1216c3455
parent	973207e0557c86a30723f3328b06cde5d0428373 (diff)
parent	b8a540c2aa08175b2d4c144c6a27d774c8e76acb (diff)