summaryrefslogtreecommitdiffstats
path: root/ecomp-portal-BE-common/src/main
diff options
context:
space:
mode:
authorDominik Mizyn <d.mizyn@samsung.com>2019-10-21 13:03:55 +0200
committerDominik Mizyn <d.mizyn@samsung.com>2019-10-21 13:04:06 +0200
commitbe638f25cb9d7021ba6b58a6d3baa5cca134c56f (patch)
tree7cbe22ea55404f92b9d3e20b19f31c1a95ddc789 /ecomp-portal-BE-common/src/main
parent606a1248b23a738071e9798354cebb04fe04c54d (diff)
Reflected XSS vulnerability in saveNotification form fix.
javax.validation.Validator used to fix this vulnerability. Issue-ID: OJSI-22 Change-Id: I5837e333f640a398ab6b25e8a0b9f611bb7d3af9 Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
Diffstat (limited to 'ecomp-portal-BE-common/src/main')
-rw-r--r--ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/ExternalAppsRestfulController.java12
1 files changed, 10 insertions, 2 deletions
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/ExternalAppsRestfulController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/ExternalAppsRestfulController.java
index 15ce305d..7615b660 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/ExternalAppsRestfulController.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/ExternalAppsRestfulController.java
@@ -66,6 +66,8 @@ import org.onap.portalapp.portal.transport.FunctionalMenuItem;
import org.onap.portalapp.portal.utils.EPCommonSystemProperties;
import org.onap.portalapp.portal.utils.EcompPortalUtils;
import org.onap.portalapp.portal.utils.PortalConstants;
+import org.onap.portalapp.validation.DataValidator;
+import org.onap.portalapp.validation.SecureString;
import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
import org.onap.portalsdk.core.onboarding.crossapi.PortalAPIResponse;
import org.slf4j.MDC;
@@ -90,6 +92,7 @@ import io.swagger.annotations.ApiOperation;
public class ExternalAppsRestfulController extends EPRestrictedRESTfulBaseController {
private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(ExternalAppsRestfulController.class);
+ private final DataValidator DATA_VALIDATOR = new DataValidator();
@Autowired
private FunctionalMenuService functionalMenuService;
@@ -111,6 +114,11 @@ public class ExternalAppsRestfulController extends EPRestrictedRESTfulBaseContro
@ResponseBody
public PortalAPIResponse publishNotification(HttpServletRequest request,
@RequestBody EpNotificationItem notificationItem) throws Exception {
+
+ if(!DATA_VALIDATOR.isValid(notificationItem)){
+ PortalAPIResponse response = new PortalAPIResponse(false, "failed");
+ return response;
+ }
String appKey = request.getHeader("uebkey");
EPApp app = findEpApp(appKey);
List<Long> postRoleIds = new ArrayList<Long>();
@@ -119,8 +127,8 @@ public class ExternalAppsRestfulController extends EPRestrictedRESTfulBaseContro
EPRole role = epRoleService.getRole(app.getId(), roleId);
if (role != null)
postRoleIds.add(role.getId());
- }
- }
+ }
+ }
// --- recreate the user notification object with the POrtal Role Ids
EpNotificationItem postItem = new EpNotificationItem();