summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDominik Mizyn <d.mizyn@samsung.com>2019-06-06 11:39:35 +0200
committerDominik Mizyn <d.mizyn@samsung.com>2019-07-12 11:55:25 +0200
commit5d37bb1bbd825616ef7b1622c71a2dce5239cc23 (patch)
tree1a80faf69a9459f17700e5b9115ae21cee935855
parent73248465fc2867a3dd1a6494afb6b0774c9028f2 (diff)
XSS Vulnerability fix in WidgetsController
Custom data validator used to fix this issue. Issue-ID: OJSI-15 Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com> Change-Id: I0113097b2118656780f4f9bca8b4ee99e85b6f6d
-rw-r--r--ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/WidgetsController.java72
-rw-r--r--ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/OnboardingWidget.java8
-rw-r--r--ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/WidgetsControllerTest.java51
3 files changed, 106 insertions, 25 deletions
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/WidgetsController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/WidgetsController.java
index f2bba8b8..45035a25 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/WidgetsController.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/WidgetsController.java
@@ -52,10 +52,13 @@ import org.onap.portalapp.portal.service.PersUserWidgetService;
import org.onap.portalapp.portal.service.WidgetService;
import org.onap.portalapp.portal.transport.FieldsValidator;
import org.onap.portalapp.portal.transport.OnboardingWidget;
+import org.onap.portalapp.portal.transport.WidgetCatalogPersonalization;
import org.onap.portalapp.portal.utils.EcompPortalUtils;
import org.onap.portalapp.util.EPUserUtils;
+import org.onap.portalapp.validation.DataValidator;
import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.EnableAspectJAutoProxy;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
@@ -64,30 +67,36 @@ import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;
@RestController
-@org.springframework.context.annotation.Configuration
+@Configuration
@EnableAspectJAutoProxy
@EPAuditLog
public class WidgetsController extends EPRestrictedBaseController {
- private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(WidgetsController.class);
-
- @Autowired
+ private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(WidgetsController.class);
+ private static final DataValidator dataValidator = new DataValidator();
+
private AdminRolesService adminRolesService;
- @Autowired
private WidgetService widgetService;
- @Autowired
private PersUserWidgetService persUserWidgetService;
+ @Autowired
+ public WidgetsController(AdminRolesService adminRolesService,
+ WidgetService widgetService, PersUserWidgetService persUserWidgetService) {
+ this.adminRolesService = adminRolesService;
+ this.widgetService = widgetService;
+ this.persUserWidgetService = persUserWidgetService;
+ }
+
@RequestMapping(value = { "/portalApi/widgets" }, method = RequestMethod.GET, produces = "application/json")
public List<OnboardingWidget> getOnboardingWidgets(HttpServletRequest request, HttpServletResponse response) {
EPUser user = EPUserUtils.getUserSession(request);
List<OnboardingWidget> onboardingWidgets = null;
-
+
if (user == null || user.isGuest()) {
EcompPortalUtils.setBadPermissions(user, response, "getOnboardingWidgets");
} else {
String getType = request.getHeader("X-Widgets-Type");
- if (!StringUtils.isEmpty(getType) && (getType.equals("managed") || getType.equals("all"))) {
- onboardingWidgets = widgetService.getOnboardingWidgets(user, getType.equals("managed"));
+ if (!StringUtils.isEmpty(getType) && ("managed".equals(getType) || "all".equals(getType))) {
+ onboardingWidgets = widgetService.getOnboardingWidgets(user, "managed".equals(getType));
} else {
logger.debug(EELFLoggerDelegate.debugLogger, "WidgetsController.getOnboardingApps - request must contain header 'X-Widgets-Type' with 'all' or 'managed'");
response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
@@ -112,6 +121,14 @@ public class WidgetsController extends EPRestrictedBaseController {
@RequestBody OnboardingWidget onboardingWidget, HttpServletResponse response) {
EPUser user = EPUserUtils.getUserSession(request);
FieldsValidator fieldsValidator = null;
+ if (onboardingWidget!=null){
+ if(!dataValidator.isValid(onboardingWidget)){
+ fieldsValidator = new FieldsValidator();
+ fieldsValidator.setHttpStatusCode((long)HttpServletResponse.SC_NOT_ACCEPTABLE);
+ return fieldsValidator;
+ }
+ }
+
if (userHasPermissions(user, response, "putOnboardingWidget")) {
onboardingWidget.id = widgetId; // !
onboardingWidget.normalize();
@@ -119,7 +136,7 @@ public class WidgetsController extends EPRestrictedBaseController {
response.setStatus(fieldsValidator.httpStatusCode.intValue());
}
EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/widgets/" + widgetId, "GET result =", response.getStatus());
-
+
return fieldsValidator;
}
@@ -127,15 +144,23 @@ public class WidgetsController extends EPRestrictedBaseController {
@RequestMapping(value = { "/portalApi/widgets" }, method = { RequestMethod.POST }, produces = "application/json")
public FieldsValidator postOnboardingWidget(HttpServletRequest request, @RequestBody OnboardingWidget onboardingWidget, HttpServletResponse response) {
EPUser user = EPUserUtils.getUserSession(request);
- FieldsValidator fieldsValidator = null; ;
-
+ FieldsValidator fieldsValidator = null;
+
+ if (onboardingWidget!=null){
+ if(!dataValidator.isValid(onboardingWidget)){
+ fieldsValidator = new FieldsValidator();
+ fieldsValidator.setHttpStatusCode((long)HttpServletResponse.SC_NOT_ACCEPTABLE);
+ return fieldsValidator;
+ }
+ }
+
if (userHasPermissions(user, response, "postOnboardingWidget")) {
onboardingWidget.id = null; // !
onboardingWidget.normalize();
fieldsValidator = widgetService.setOnboardingWidget(user, onboardingWidget);
response.setStatus(fieldsValidator.httpStatusCode.intValue());
}
-
+
EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/widgets", "POST result =", response.getStatus());
return fieldsValidator;
}
@@ -143,17 +168,17 @@ public class WidgetsController extends EPRestrictedBaseController {
@RequestMapping(value = { "/portalApi/widgets/{widgetId}" }, method = { RequestMethod.DELETE }, produces = "application/json")
public FieldsValidator deleteOnboardingWidget(HttpServletRequest request, @PathVariable("widgetId") Long widgetId, HttpServletResponse response) {
EPUser user = EPUserUtils.getUserSession(request);
- FieldsValidator fieldsValidator = null; ;
-
+ FieldsValidator fieldsValidator = null;
+
if (userHasPermissions(user, response, "deleteOnboardingWidget")) {
fieldsValidator = widgetService.deleteOnboardingWidget(user, widgetId);
response.setStatus(fieldsValidator.httpStatusCode.intValue());
}
-
+
EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/widgets/" + widgetId, "DELETE result =", response.getStatus());
return fieldsValidator;
}
-
+
/**
* service to accept a user's action made on the application
* catalog.
@@ -167,9 +192,18 @@ public class WidgetsController extends EPRestrictedBaseController {
*/
@RequestMapping(value = { "portalApi/widgetCatalogSelection" }, method = RequestMethod.PUT, produces = "application/json")
public FieldsValidator putWidgetCatalogSelection(HttpServletRequest request,
- @RequestBody org.onap.portalapp.portal.transport.WidgetCatalogPersonalization persRequest, HttpServletResponse response) throws IOException {
+ @RequestBody WidgetCatalogPersonalization persRequest, HttpServletResponse response) throws IOException {
FieldsValidator result = new FieldsValidator();
EPUser user = EPUserUtils.getUserSession(request);
+
+ if (persRequest!=null){
+ if(!dataValidator.isValid(persRequest)){
+ result.httpStatusCode = (long)HttpServletResponse.SC_NOT_ACCEPTABLE;
+ return result;
+ }
+ }
+
+
try {
if (persRequest.getWidgetId() == null || user == null) {
EcompPortalUtils.setBadPermissions(user, response, "putWidgetCatalogSelection");
@@ -180,7 +214,7 @@ public class WidgetsController extends EPRestrictedBaseController {
logger.error(EELFLoggerDelegate.errorLogger, "Failed in putAppCatalogSelection", e);
response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.toString());
}
- result.httpStatusCode = new Long(HttpServletResponse.SC_OK);
+ result.httpStatusCode = (long) HttpServletResponse.SC_OK;
return result;
}
} \ No newline at end of file
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/OnboardingWidget.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/OnboardingWidget.java
index 4f0a7d60..40460796 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/OnboardingWidget.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/OnboardingWidget.java
@@ -42,6 +42,7 @@ import java.io.Serializable;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.Id;
+import org.hibernate.validator.constraints.SafeHtml;
@Entity
public class OnboardingWidget implements Serializable {
@@ -53,12 +54,14 @@ public class OnboardingWidget implements Serializable {
public Long id;
@Column(name = "WDG_NAME")
+ @SafeHtml
public String name;
@Column(name = "APP_ID")
public Long appId;
@Column(name = "APP_NAME")
+ @SafeHtml
public String appName;
@Column(name = "WDG_WIDTH")
@@ -68,15 +71,16 @@ public class OnboardingWidget implements Serializable {
public Integer height;
@Column(name = "WDG_URL")
+ @SafeHtml
public String url;
public void normalize() {
this.name = (this.name == null) ? "" : this.name.trim();
this.appName = (this.appName == null) ? "" : this.appName.trim();
if (this.width == null)
- this.width = new Integer(0);
+ this.width = 0;
if (this.height == null)
- this.height = new Integer(0);
+ this.height = 0;
this.url = (this.url == null) ? "" : this.url.trim();
}
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/WidgetsControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/WidgetsControllerTest.java
index c6bd8001..f69ac99e 100644
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/WidgetsControllerTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/WidgetsControllerTest.java
@@ -68,7 +68,7 @@ import org.springframework.web.client.RestClientException;
public class WidgetsControllerTest extends MockitoTestSuite{
@InjectMocks
- WidgetsController widgetsController = new WidgetsController();
+ WidgetsController widgetsController;
@Mock
private AdminRolesService rolesService;
@@ -150,7 +150,7 @@ public class WidgetsControllerTest extends MockitoTestSuite{
OnboardingWidget onboardingWidget=new OnboardingWidget();
onboardingWidget.id=12L;
onboardingWidget.normalize();
- //Mockito.doNothing().when(onboardingWidget).normalize();
+ //Mockito.doNothing().when(onboardingWidget).normalize();
FieldsValidator expectedFieldValidator = new FieldsValidator();
List<FieldName> fields = new ArrayList<>();
@@ -161,6 +161,24 @@ public class WidgetsControllerTest extends MockitoTestSuite{
actualFieldsValidator = widgetsController.putOnboardingWidget(mockedRequest, 12L, onboardingWidget, mockedResponse);
}
+
+ @Test
+ public void putOnboardingWidgetXSSTest() {
+ FieldsValidator actualFieldsValidator = null;
+ EPUser user = mockUser.mockEPUser();
+ Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+ OnboardingWidget onboardingWidget=new OnboardingWidget();
+ onboardingWidget.id=12L;
+ onboardingWidget.name = "<script>alert(/XSS”)</script>";
+ onboardingWidget.normalize();
+ FieldsValidator expectedFieldValidator = new FieldsValidator();
+ expectedFieldValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE);
+ Mockito.when(widgetService.setOnboardingWidget(user, onboardingWidget)).thenReturn(expectedFieldValidator);
+ actualFieldsValidator = widgetsController.putOnboardingWidget(mockedRequest, 12L, onboardingWidget, mockedResponse);
+
+ assertEquals(expectedFieldValidator, actualFieldsValidator);
+
+ }
@Test
public void putOnboardingWidgetWithUserPermissionTest() {
@@ -172,7 +190,7 @@ public class WidgetsControllerTest extends MockitoTestSuite{
OnboardingWidget onboardingWidget=new OnboardingWidget();
onboardingWidget.id=12L;
onboardingWidget.normalize();
- //Mockito.doNothing().when(onboardingWidget).normalize();
+ //Mockito.doNothing().when(onboardingWidget).normalize();
FieldsValidator expectedFieldValidator = new FieldsValidator();
List<FieldName> fields = new ArrayList<>();
@@ -209,6 +227,31 @@ public class WidgetsControllerTest extends MockitoTestSuite{
assertEquals(expectedFieldValidator.getErrorCode(), actualFieldsValidator.getErrorCode());
assertEquals(expectedFieldValidator.getFields(), actualFieldsValidator.getFields());
}
+
+ @Test
+ public void postOnboardingWidgetXSSTest(){
+ EPUser user=mockUser.mockEPUser();
+ Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+ FieldsValidator actualFieldsValidator = null;
+ Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+ Mockito.when(rolesService.isSuperAdmin(user)).thenReturn(true);
+ Mockito.when(rolesService.isAccountAdmin(user)).thenReturn(true);
+ OnboardingWidget onboardingWidget=new OnboardingWidget();
+ onboardingWidget.id=12L;
+ onboardingWidget.appName="<script>alert(/XSS”)</script>";
+ onboardingWidget.normalize();
+ FieldsValidator expectedFieldValidator = new FieldsValidator();
+ List<FieldName> fields = new ArrayList<>();
+
+ expectedFieldValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE);
+ expectedFieldValidator.setFields(fields);
+ expectedFieldValidator.setErrorCode(null);
+ Mockito.when(widgetService.setOnboardingWidget(user, onboardingWidget)).thenReturn(expectedFieldValidator);
+ actualFieldsValidator = widgetsController.postOnboardingWidget(mockedRequest, onboardingWidget, mockedResponse);
+ assertEquals(expectedFieldValidator.getHttpStatusCode(), actualFieldsValidator.getHttpStatusCode());
+ assertEquals(expectedFieldValidator.getErrorCode(), actualFieldsValidator.getErrorCode());
+ assertEquals(expectedFieldValidator.getFields(), actualFieldsValidator.getFields());
+ }
@Test
public void postOnboardingWidgetTestwiThoutUserPermission() {
@@ -218,7 +261,7 @@ public class WidgetsControllerTest extends MockitoTestSuite{
OnboardingWidget onboardingWidget=new OnboardingWidget();
onboardingWidget.id=12L;
onboardingWidget.normalize();
- //Mockito.doNothing().when(onboardingWidget).normalize();
+ //Mockito.doNothing().when(onboardingWidget).normalize();
FieldsValidator expectedFieldValidator = new FieldsValidator();
List<FieldName> fields = new ArrayList<>();