summaryrefslogtreecommitdiffstats
path: root/ecomp-portal-BE-common/src/main
diff options
context:
space:
mode:
authorManoop Talasila <talasila@research.att.com>2019-07-22 19:32:19 +0000
committerGerrit Code Review <gerrit@onap.org>2019-07-22 19:32:19 +0000
commit3efc4f4d7b5943a3ce3d3066f5935df1a82274f0 (patch)
treee45bdef21fd034e032252dc550ba6ec1216c3455 /ecomp-portal-BE-common/src/main
parent973207e0557c86a30723f3328b06cde5d0428373 (diff)
parentb8a540c2aa08175b2d4c144c6a27d774c8e76acb (diff)
Merge "XSS Vulnerability fix in AuxApiRequestMapperController"
Diffstat (limited to 'ecomp-portal-BE-common/src/main')
-rw-r--r--ecomp-portal-BE-common/src/main/java/org/onap/portalapp/externalsystemapproval/model/ExternalSystemRoleApproval.java5
-rw-r--r--ecomp-portal-BE-common/src/main/java/org/onap/portalapp/externalsystemapproval/model/ExternalSystemUser.java10
-rw-r--r--ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AuxApiRequestMapperController.java122
-rw-r--r--ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/Analytics.java7
4 files changed, 124 insertions, 20 deletions
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/externalsystemapproval/model/ExternalSystemRoleApproval.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/externalsystemapproval/model/ExternalSystemRoleApproval.java
index 550d11df..49eb469c 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/externalsystemapproval/model/ExternalSystemRoleApproval.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/externalsystemapproval/model/ExternalSystemRoleApproval.java
@@ -38,13 +38,14 @@
package org.onap.portalapp.externalsystemapproval.model;
import java.io.Serializable;
+import org.hibernate.validator.constraints.SafeHtml;
public class ExternalSystemRoleApproval implements Serializable {
private static final long serialVersionUID = 6048830318039958615L;
-
+ @SafeHtml
private String roleName;
-
+ @SafeHtml
public String getRoleName() {
return roleName;
}
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/externalsystemapproval/model/ExternalSystemUser.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/externalsystemapproval/model/ExternalSystemUser.java
index cfe49267..fa6c04e1 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/externalsystemapproval/model/ExternalSystemUser.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/externalsystemapproval/model/ExternalSystemUser.java
@@ -40,15 +40,17 @@ package org.onap.portalapp.externalsystemapproval.model;
import java.util.ArrayList;
import java.util.List;
+import javax.validation.Valid;
+import org.hibernate.validator.constraints.SafeHtml;
public class ExternalSystemUser {
-
+ @SafeHtml
private String loginId;
-
+ @SafeHtml
private String applicationName;
-
+ @SafeHtml
private String myloginrequestId;
-
+ @Valid
private List<ExternalSystemRoleApproval> roles;
public ExternalSystemUser() {
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AuxApiRequestMapperController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AuxApiRequestMapperController.java
index fe2c349f..9ca88c0f 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AuxApiRequestMapperController.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AuxApiRequestMapperController.java
@@ -36,6 +36,8 @@
*/
package org.onap.portalapp.portal.controller;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import io.swagger.annotations.ApiOperation;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.ArrayList;
@@ -47,10 +49,8 @@ import java.util.Map;
import java.util.jar.Attributes;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
-
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-
import org.onap.aaf.cadi.aaf.AAFPermission;
import org.onap.portalapp.annotation.ApiVersion;
import org.onap.portalapp.externalsystemapproval.model.ExternalSystemUser;
@@ -67,6 +67,8 @@ import org.onap.portalapp.portal.transport.EpNotificationItem;
import org.onap.portalapp.portal.transport.FavoritesFunctionalMenuItemJson;
import org.onap.portalapp.portal.transport.FunctionalMenuItem;
import org.onap.portalapp.portal.transport.OnboardingApp;
+import org.onap.portalapp.validation.DataValidator;
+import org.onap.portalapp.validation.SecureString;
import org.onap.portalsdk.core.domain.Role;
import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
import org.onap.portalsdk.core.onboarding.crossapi.PortalAPIResponse;
@@ -76,6 +78,7 @@ import org.springframework.beans.BeansException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
+import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.EnableAspectJAutoProxy;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
@@ -85,18 +88,15 @@ import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
-import com.fasterxml.jackson.databind.ObjectMapper;
-
-import io.swagger.annotations.ApiOperation;
-
@RestController
@RequestMapping("/auxapi")
-@org.springframework.context.annotation.Configuration
+@Configuration
@EnableAspectJAutoProxy
@EPAuditLog
public class AuxApiRequestMapperController implements ApplicationContextAware, BasicAuthenticationController {
private static EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AuxApiRequestMapperController.class);
+ private DataValidator dataValidator = new DataValidator();
ApplicationContext context = null;
int minorVersion = 0;
@@ -108,6 +108,13 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
@RequestMapping(value = { "/v3/user/{loginId}" }, method = RequestMethod.GET, produces = "application/json")
public String getUser(HttpServletRequest request, HttpServletResponse response,
@PathVariable("loginId") String loginId) throws Exception {
+ if (loginId!=null){
+ SecureString secureLoginId = new SecureString(loginId);
+ if (!dataValidator.isValid(secureLoginId))
+ return "Provided data is not valid";
+ }
+
+
Map<String, Object> res = getMethod(request, response);
String answer = null;
try {
@@ -198,6 +205,12 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
@RequestMapping(value = { "/v3/function/{code}" }, method = RequestMethod.GET, produces = "application/json")
public CentralV2RoleFunction getRoleFunction(HttpServletRequest request, HttpServletResponse response,
@PathVariable("code") String code) throws Exception {
+ if (code!=null){
+ SecureString secureCode = new SecureString(code);
+ if (!dataValidator.isValid(secureCode))
+ return new CentralV2RoleFunction();
+ }
+
Map<String, Object> res = getMethod(request, response);
CentralV2RoleFunction roleFunction = null;
try {
@@ -214,13 +227,20 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
public PortalRestResponse<String> saveRoleFunction(HttpServletRequest request, HttpServletResponse response,
@RequestBody String roleFunc) throws Exception {
PortalRestResponse<String> result = null;
+
+ if (roleFunc!=null){
+ SecureString secureRoleFunc = new SecureString(roleFunc);
+ if(!dataValidator.isValid(secureRoleFunc))
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "Provided data is not valid", "Failed");
+ }
+
Map<String, Object> res = getMethod(request, response);
try {
result = (PortalRestResponse<String>) invokeMethod(res, request, response, roleFunc);
return result;
} catch (Exception e) {
logger.error(EELFLoggerDelegate.errorLogger, "saveRoleFunction failed", e);
- return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, e.getMessage(), "Failed");
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, e.getMessage(), "Failed");
}
}
@@ -230,6 +250,13 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
public PortalRestResponse<String> deleteRoleFunction(HttpServletRequest request, HttpServletResponse response,
@PathVariable("code") String code) throws Exception {
PortalRestResponse<String> result = null;
+
+ if (code!=null){
+ SecureString secureCode = new SecureString(code);
+ if(!dataValidator.isValid(secureCode))
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "Provided data is not valid", "Failed");
+ }
+
Map<String, Object> res = getMethod(request, response);
try {
result = (PortalRestResponse<String>) invokeMethod(res, request, response, code);
@@ -276,6 +303,14 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
public String getEcompUser(HttpServletRequest request, HttpServletResponse response,
@PathVariable("loginId") String loginId) throws Exception {
Map<String, Object> res = getMethod(request, response);
+
+ if (loginId!=null){
+ SecureString secureLoginId = new SecureString(loginId);
+
+ if (!dataValidator.isValid(secureLoginId))
+ return null;
+ }
+
String answer = null;
try {
answer = (String) invokeMethod(res, request, response, loginId);
@@ -319,6 +354,14 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
@RequestMapping(value = { "/v3/extendSessionTimeOuts" }, method = RequestMethod.POST)
public Boolean extendSessionTimeOuts(HttpServletRequest request, HttpServletResponse response,
@RequestParam String sessionMap) throws Exception {
+
+ if (sessionMap!=null){
+ SecureString secureSessionMap = new SecureString(sessionMap);
+ if (!dataValidator.isValid(secureSessionMap)){
+ return null;
+ }
+ }
+
Map<String, Object> res = getMethod(request, response);
Boolean ans = null;
try {
@@ -347,6 +390,12 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
@ApiOperation(value = "Accepts data from partner applications with web analytics data.", response = PortalAPIResponse.class)
public PortalAPIResponse storeAnalyticsScript(HttpServletRequest request, HttpServletResponse response,
@RequestBody Analytics analyticsMap) throws Exception {
+
+ if (analyticsMap!=null){
+ if (!dataValidator.isValid(analyticsMap))
+ return new PortalAPIResponse(false, "analyticsScript is not valid");
+ }
+
Map<String, Object> res = getMethod(request, response);
PortalAPIResponse ans = new PortalAPIResponse(true, "error");
try {
@@ -715,6 +764,12 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
@RequestMapping(value = { "/v3/userProfile" }, method = RequestMethod.POST, produces = "application/json")
public PortalRestResponse<String> postUserProfile(HttpServletRequest request,
@RequestBody ExternalSystemUser extSysUser, HttpServletResponse response) {
+
+ if (extSysUser!=null){
+ if (!dataValidator.isValid(extSysUser))
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ExternalSystemUser is not valid", "Failed");
+ }
+
PortalRestResponse<String> result = null;
Map<String, Object> res = getMethod(request, response);
try {
@@ -731,6 +786,12 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
@RequestMapping(value = { "/v3/userProfile" }, method = RequestMethod.PUT, produces = "application/json")
public PortalRestResponse<String> putUserProfile(HttpServletRequest request,
@RequestBody ExternalSystemUser extSysUser, HttpServletResponse response) {
+
+ if (extSysUser!=null){
+ if (!dataValidator.isValid(extSysUser))
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ExternalSystemUser is not valid", "Failed");
+ }
+
PortalRestResponse<String> result = null;
Map<String, Object> res = getMethod(request, response);
try {
@@ -747,6 +808,12 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
@RequestMapping(value = { "/v3/userProfile" }, method = RequestMethod.DELETE, produces = "application/json")
public PortalRestResponse<String> deleteUserProfile(HttpServletRequest request,
@RequestBody ExternalSystemUser extSysUser, HttpServletResponse response) {
+
+ if (extSysUser!=null){
+ if (!dataValidator.isValid(extSysUser))
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ExternalSystemUser is not valid", "Failed");
+ }
+
PortalRestResponse<String> result = null;
Map<String, Object> res = getMethod(request, response);
try {
@@ -763,6 +830,13 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
@RequestMapping(value = { "/v3/ticketevent" }, method = RequestMethod.POST)
public PortalRestResponse<String> handleRequest(HttpServletRequest request, HttpServletResponse response,
@RequestBody String ticketEventJson) throws Exception {
+
+ if (ticketEventJson!=null){
+ SecureString secureTicketEventJson = new SecureString(ticketEventJson);
+ if (!dataValidator.isValid(secureTicketEventJson))
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ticketEventJson is not valid", "Failed");
+ }
+
PortalRestResponse<String> result = null;
Map<String, Object> res = getMethod(request, response);
try {
@@ -780,6 +854,12 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
@ResponseBody
public PortalRestResponse<String> postPortalAdmin(HttpServletRequest request, HttpServletResponse response,
@RequestBody EPUser epUser) {
+
+ if (epUser!=null){
+ if (!dataValidator.isValid(epUser))
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "EPUser is not valid", "Failed");
+ }
+
PortalRestResponse<String> result = null;
Map<String, Object> res = getMethod(request, response);
try {
@@ -812,6 +892,12 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
@ResponseBody
public PortalRestResponse<String> postOnboardAppExternal(HttpServletRequest request, HttpServletResponse response,
@RequestBody OnboardingApp newOnboardApp) {
+
+ if (newOnboardApp!=null){
+ if (!dataValidator.isValid(newOnboardApp))
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "OnboardingApp is not valid", "Failed");
+ }
+
PortalRestResponse<String> result = new PortalRestResponse<>();
Map<String, Object> res = getMethod(request, response);
try {
@@ -830,7 +916,13 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
@ResponseBody
public PortalRestResponse<String> putOnboardAppExternal(HttpServletRequest request, HttpServletResponse response,
@PathVariable("appId") Long appId, @RequestBody OnboardingApp oldOnboardApp) {
- PortalRestResponse<String> result = new PortalRestResponse<>();
+
+ if (oldOnboardApp!=null){
+ if (!dataValidator.isValid(oldOnboardApp))
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "OnboardingApp is not valid", "Failed");
+ }
+
+ PortalRestResponse<String> result;
Map<String, Object> res = getMethod(request, response);
try {
result = (PortalRestResponse<String>) invokeMethod(res, request, response, appId, oldOnboardApp);
@@ -845,12 +937,16 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B
@RequestMapping(value = { "/v3/publishNotification" }, method = RequestMethod.POST, produces = "application/json")
@ResponseBody
public PortalAPIResponse publishNotification(HttpServletRequest request,
- @RequestBody EpNotificationItem notificationItem, HttpServletResponse response) throws Exception {
- PortalAPIResponse result = new PortalAPIResponse(true, "success");
+ @RequestBody EpNotificationItem notificationItem, HttpServletResponse response) {
+
+ if (notificationItem!=null){
+ if (!dataValidator.isValid(notificationItem))
+ return new PortalAPIResponse(false, "EpNotificationItem is not valid");
+ }
+
Map<String, Object> res = getMethod(request, response);
try {
- result = (PortalAPIResponse) invokeMethod(res, request, response, notificationItem);
- return result;
+ return (PortalAPIResponse) invokeMethod(res, request, response, notificationItem);
} catch (Exception e) {
logger.error(EELFLoggerDelegate.errorLogger, "publishNotification failed", e);
return new PortalAPIResponse(false, e.getMessage());
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/Analytics.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/Analytics.java
index 2d85e8f2..f5ca1832 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/Analytics.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/Analytics.java
@@ -38,14 +38,19 @@
package org.onap.portalapp.portal.transport;
import com.fasterxml.jackson.annotation.JsonInclude;
+import org.hibernate.validator.constraints.SafeHtml;
@JsonInclude(JsonInclude.Include.NON_NULL)
public class Analytics {
-
+ @SafeHtml
private String action;
+ @SafeHtml
private String page;
+ @SafeHtml
private String function;
+ @SafeHtml
private String userid;
+ @SafeHtml
private String type;
public String getType() {