summaryrefslogtreecommitdiffstats
path: root/ecomp-portal-BE-common/src/main/java
diff options
context:
space:
mode:
authorDominik Mizyn <d.mizyn@samsung.com>2019-05-30 10:47:56 +0200
committerDominik Mizyn <d.mizyn@samsung.com>2019-05-30 10:48:13 +0200
commit1f4d93651fdc71e0b661728a7c7efc9b4f524b5a (patch)
treefdf232903f5ea43b9d8659758b169bc6dbdff2ed /ecomp-portal-BE-common/src/main/java
parentc5b960eaa66fcfdd69c4a8201d2c0ff8ee1253a8 (diff)
XSS Vulnerability fix in DashboardSearchResultController
@SafeHtml annotation is used to fix this problem. New class 'SecureString' must be added to project to valid incoming Strings from '@RequestParam String incoming String' pom.xml file update. This patch also fix: * remove unnecessary semicolon * Sonar issue: Replace the type specification in this constructor call with the diamond operator ("<>") Issue-ID: PORTAL-601 Change-Id: Id214b6e65f0c486141679fd23725a7fb66443acd Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
Diffstat (limited to 'ecomp-portal-BE-common/src/main/java')
-rw-r--r--ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/DashboardSearchResultController.java90
-rw-r--r--ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/CommonWidget.java12
-rw-r--r--ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/CommonWidgetMeta.java11
-rw-r--r--ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/SecureString.java55
4 files changed, 138 insertions, 30 deletions
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/DashboardSearchResultController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/DashboardSearchResultController.java
index 29f5b20f..04ee5e0b 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/DashboardSearchResultController.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/DashboardSearchResultController.java
@@ -45,8 +45,14 @@ import java.util.HashSet;
import java.util.List;
import java.util.Map;
+import java.util.Set;
import javax.servlet.http.HttpServletRequest;
+import javax.validation.ConstraintViolation;
+import javax.validation.Valid;
+import javax.validation.Validation;
+import javax.validation.Validator;
+import javax.validation.ValidatorFactory;
import org.onap.portalapp.controller.EPRestrictedBaseController;
import org.onap.portalapp.portal.domain.EPUser;
import org.onap.portalapp.portal.ecomp.model.PortalRestResponse;
@@ -56,6 +62,7 @@ import org.onap.portalapp.portal.service.DashboardSearchService;
import org.onap.portalapp.portal.transport.CommonWidget;
import org.onap.portalapp.portal.transport.CommonWidgetMeta;
import org.onap.portalapp.util.EPUserUtils;
+import org.onap.portalapp.validation.SecureString;
import org.onap.portalsdk.core.domain.support.CollaborateList;
import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
import org.springframework.beans.factory.annotation.Autowired;
@@ -68,6 +75,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@RequestMapping("/portalApi/search")
public class DashboardSearchResultController extends EPRestrictedBaseController {
+ private static final ValidatorFactory VALIDATOR_FACTORY = Validation.buildDefaultValidatorFactory();
private static EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(DashboardSearchResultController.class);
@@ -85,8 +93,11 @@ public class DashboardSearchResultController extends EPRestrictedBaseController
@RequestMapping(value = "/widgetData", method = RequestMethod.GET, produces = "application/json")
public PortalRestResponse<CommonWidgetMeta> getWidgetData(HttpServletRequest request,
@RequestParam String resourceType) {
- return new PortalRestResponse<CommonWidgetMeta>(PortalRestStatusEnum.OK, "success",
- searchService.getWidgetData(resourceType));
+ if (stringIsNotSafeHtml(resourceType)) {
+ return new PortalRestResponse(PortalRestStatusEnum.ERROR, "resourceType: String string is not valid", "");
+ }
+ return new PortalRestResponse<>(PortalRestStatusEnum.OK, "success",
+ searchService.getWidgetData(resourceType));
}
/**
@@ -97,19 +108,26 @@ public class DashboardSearchResultController extends EPRestrictedBaseController
* @return Rest response wrapped around a String; e.g., "success" or "ERROR"
*/
@RequestMapping(value = "/widgetDataBulk", method = RequestMethod.POST, produces = "application/json")
- public PortalRestResponse<String> saveWidgetDataBulk(@RequestBody CommonWidgetMeta commonWidgetMeta) {
+ public PortalRestResponse<String> saveWidgetDataBulk(@Valid @RequestBody CommonWidgetMeta commonWidgetMeta) {
logger.debug(EELFLoggerDelegate.debugLogger, "saveWidgetDataBulk: argument is {}", commonWidgetMeta);
- if (commonWidgetMeta.getCategory() == null || commonWidgetMeta.getCategory().trim().equals(""))
- return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, "ERROR",
- "Category cannot be null or empty");
+ if (commonWidgetMeta.getCategory() == null || commonWidgetMeta.getCategory().trim().equals("")){
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR",
+ "Cateogry cannot be null or empty");
+ }else {
+ Validator validator = VALIDATOR_FACTORY.getValidator();
+ Set<ConstraintViolation<CommonWidgetMeta>> constraintViolations = validator.validate(commonWidgetMeta);
+ if (!constraintViolations.isEmpty())
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR",
+ "Category is not valid");
+ }
// validate dates
for (CommonWidget cw : commonWidgetMeta.getItems()) {
String err = validateCommonWidget(cw);
if (err != null)
- return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, err, null);
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, err, null);
}
- return new PortalRestResponse<String>(PortalRestStatusEnum.OK, "success",
- searchService.saveWidgetDataBulk(commonWidgetMeta));
+ return new PortalRestResponse<>(PortalRestStatusEnum.OK, "success",
+ searchService.saveWidgetDataBulk(commonWidgetMeta));
}
/**
@@ -120,16 +138,23 @@ public class DashboardSearchResultController extends EPRestrictedBaseController
* @return Rest response wrapped around a String; e.g., "success" or "ERROR"
*/
@RequestMapping(value = "/widgetData", method = RequestMethod.POST, produces = "application/json")
- public PortalRestResponse<String> saveWidgetData(@RequestBody CommonWidget commonWidget) {
+ public PortalRestResponse<String> saveWidgetData(@Valid @RequestBody CommonWidget commonWidget) {
logger.debug(EELFLoggerDelegate.debugLogger, "saveWidgetData: argument is {}", commonWidget);
- if (commonWidget.getCategory() == null || commonWidget.getCategory().trim().equals(""))
- return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, "ERROR",
- "Cateogry cannot be null or empty");
+ if (commonWidget.getCategory() == null || commonWidget.getCategory().trim().equals("")){
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR",
+ "Category cannot be null or empty");
+ }else {
+ Validator validator = VALIDATOR_FACTORY.getValidator();
+ Set<ConstraintViolation<CommonWidget>> constraintViolations = validator.validate(commonWidget);
+ if (!constraintViolations.isEmpty())
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR",
+ "Category is not valid");
+ }
String err = validateCommonWidget(commonWidget);
if (err != null)
- return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, err, null);
- return new PortalRestResponse<String>(PortalRestStatusEnum.OK, "success",
- searchService.saveWidgetData(commonWidget));
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, err, null);
+ return new PortalRestResponse<>(PortalRestStatusEnum.OK, "success",
+ searchService.saveWidgetData(commonWidget));
}
/**
@@ -162,10 +187,17 @@ public class DashboardSearchResultController extends EPRestrictedBaseController
* @return Rest response wrapped around a String; e.g., "success" or "ERROR"
*/
@RequestMapping(value = "/deleteData", method = RequestMethod.POST, produces = "application/json")
- public PortalRestResponse<String> deleteWidgetData(@RequestBody CommonWidget commonWidget) {
+ public PortalRestResponse<String> deleteWidgetData(@Valid @RequestBody CommonWidget commonWidget) {
+ if (commonWidget!=null){
+ Validator validator = VALIDATOR_FACTORY.getValidator();
+ Set<ConstraintViolation<CommonWidget>> constraintViolations = validator.validate(commonWidget);
+ if (!constraintViolations.isEmpty())
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR",
+ "CommonWidget is not valid");
+ }
logger.debug(EELFLoggerDelegate.debugLogger, "deleteWidgetData: argument is {}", commonWidget);
- return new PortalRestResponse<String>(PortalRestStatusEnum.OK, "success",
- searchService.deleteWidgetData(commonWidget));
+ return new PortalRestResponse<>(PortalRestStatusEnum.OK, "success",
+ searchService.deleteWidgetData(commonWidget));
}
/**
@@ -185,11 +217,14 @@ public class DashboardSearchResultController extends EPRestrictedBaseController
if (user == null) {
return new PortalRestResponse<>(PortalRestStatusEnum.ERROR,
"searchPortal: User object is null? - check logs",
- new HashMap<String, List<SearchResultItem>>());
+ new HashMap<>());
} else if (searchString == null || searchString.trim().length() == 0) {
return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "searchPortal: String string is null",
- new HashMap<String, List<SearchResultItem>>());
- } else {
+ new HashMap<>());
+ }else if (stringIsNotSafeHtml(searchString)){
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "searchPortal: String string is not valid",
+ new HashMap<>());
+ }else {
logger.debug(EELFLoggerDelegate.debugLogger, "searchPortal: user {}, search string '{}'",
user.getLoginId(), searchString);
Map<String, List<SearchResultItem>> results = searchService.searchResults(user.getLoginId(),
@@ -199,7 +234,7 @@ public class DashboardSearchResultController extends EPRestrictedBaseController
} catch (Exception e) {
logger.error(EELFLoggerDelegate.errorLogger, "searchPortal failed", e);
return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, e.getMessage() + " - check logs.",
- new HashMap<String, List<SearchResultItem>>());
+ new HashMap<>());
}
}
@@ -258,4 +293,13 @@ public class DashboardSearchResultController extends EPRestrictedBaseController
}
}
+ private boolean stringIsNotSafeHtml(String string){
+ SecureString secureString = new SecureString(string);
+
+ Validator validator = VALIDATOR_FACTORY.getValidator();
+
+ Set<ConstraintViolation<SecureString>> constraintViolations = validator.validate(secureString);
+ return !constraintViolations.isEmpty();
+ }
+
}
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/CommonWidget.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/CommonWidget.java
index ec27d987..3fbdc3e8 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/CommonWidget.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/CommonWidget.java
@@ -44,6 +44,7 @@ import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;
+import org.hibernate.validator.constraints.SafeHtml;
import org.onap.portalsdk.core.domain.support.DomainVo;
import com.fasterxml.jackson.annotation.JsonInclude;
@@ -63,28 +64,33 @@ public class CommonWidget extends DomainVo{
private Long id;
@Column(name = "category")
+ @SafeHtml
public String category;
@Column(name = "href")
+ @SafeHtml
public String href;
@Column(name = "title")
+ @SafeHtml
public String title;
@Column(name = "content")
+ @SafeHtml
public String content;
@Column(name = "event_date")
+ @SafeHtml
public String eventDate;
@Column(name = "sort_order")
public Integer sortOrder;
-
+
public CommonWidget(){
-
+
}
-
+
public CommonWidget(String category, String href, String title, String content, String eventDate, Integer sortOrder){
this.category = category;
this.href = href;
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/CommonWidgetMeta.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/CommonWidgetMeta.java
index 55dfc91a..51a02652 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/CommonWidgetMeta.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/CommonWidgetMeta.java
@@ -38,14 +38,17 @@
package org.onap.portalapp.portal.transport;
import java.util.List;
+import javax.validation.Valid;
+import org.hibernate.validator.constraints.SafeHtml;
public class CommonWidgetMeta {
-
+ @SafeHtml
private String category;
+ @Valid
private List<CommonWidget> items;
-
- public CommonWidgetMeta(){
-
+
+ public CommonWidgetMeta(){
+
}
public CommonWidgetMeta(String category, List<CommonWidget> items){
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/SecureString.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/SecureString.java
new file mode 100644
index 00000000..ca2712a3
--- /dev/null
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/SecureString.java
@@ -0,0 +1,55 @@
+/*-
+ * ============LICENSE_START==========================================
+ * ONAP Portal
+ * ===================================================================
+ * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
+ * ===================================================================
+ *
+ * Unless otherwise specified, all software contained herein is licensed
+ * under the Apache License, Version 2.0 (the "License");
+ * you may not use this software except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Unless otherwise specified, all documentation contained herein is licensed
+ * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
+ * you may not use this documentation except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://creativecommons.org/licenses/by/4.0/
+ *
+ * Unless required by applicable law or agreed to in writing, documentation
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * ============LICENSE_END============================================
+ *
+ *
+ */
+
+package org.onap.portalapp.validation;
+
+import org.hibernate.validator.constraints.SafeHtml;
+
+public class SecureString {
+
+ @SafeHtml
+ private String string;
+
+ public SecureString(String string) {
+ this.string = string;
+ }
+
+ public String getString() {
+ return string;
+ }
+}