XSS Vulnerability fix in DashboardSearchResultController

@SafeHtml annotation is used to fix this problem. New class 'SecureString' must be added to project to valid incoming Strings from '@RequestParam String incoming String' pom.xml file update. This patch also fix: * remove unnecessary semicolon * Sonar issue: Replace the type specification in this constructor call with the diamond operator ("<>") Issue-ID: PORTAL-601 Change-Id: Id214b6e65f0c486141679fd23725a7fb66443acd Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
author: Dominik Mizyn <d.mizyn@samsung.com> 2019-05-30 10:47:56 +0200
committer: Dominik Mizyn <d.mizyn@samsung.com> 2019-05-30 10:48:13 +0200
commit: 1f4d93651fdc71e0b661728a7c7efc9b4f524b5a (patch)
tree: fdf232903f5ea43b9d8659758b169bc6dbdff2ed /ecomp-portal-BE-common/src/main
parent: c5b960eaa66fcfdd69c4a8201d2c0ff8ee1253a8 (diff)
4 files changed, 138 insertions, 30 deletions
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/DashboardSearchResultController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/DashboardSearchResultController.java
index 29f5b20f..04ee5e0b 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/DashboardSearchResultController.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/DashboardSearchResultController.java
@@ -45,8 +45,14 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 
+import java.util.Set;
 import javax.servlet.http.HttpServletRequest;
 
+import javax.validation.ConstraintViolation;
+import javax.validation.Valid;
+import javax.validation.Validation;
+import javax.validation.Validator;
+import javax.validation.ValidatorFactory;
 import org.onap.portalapp.controller.EPRestrictedBaseController;
 import org.onap.portalapp.portal.domain.EPUser;
 import org.onap.portalapp.portal.ecomp.model.PortalRestResponse;
@@ -56,6 +62,7 @@ import org.onap.portalapp.portal.service.DashboardSearchService;
 import org.onap.portalapp.portal.transport.CommonWidget;
 import org.onap.portalapp.portal.transport.CommonWidgetMeta;
 import org.onap.portalapp.util.EPUserUtils;
+import org.onap.portalapp.validation.SecureString;
 import org.onap.portalsdk.core.domain.support.CollaborateList;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -68,6 +75,7 @@ import org.springframework.web.bind.annotation.RestController;
 @RestController
 @RequestMapping("/portalApi/search")
 public class DashboardSearchResultController extends EPRestrictedBaseController {
+	private static final ValidatorFactory VALIDATOR_FACTORY = Validation.buildDefaultValidatorFactory();
 
 	private static EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(DashboardSearchResultController.class);
 
@@ -85,8 +93,11 @@ public class DashboardSearchResultController extends EPRestrictedBaseController
 	@RequestMapping(value = "/widgetData", method = RequestMethod.GET, produces = "application/json")
 	public PortalRestResponse<CommonWidgetMeta> getWidgetData(HttpServletRequest request,
 			@RequestParam String resourceType) {
-		return new PortalRestResponse<CommonWidgetMeta>(PortalRestStatusEnum.OK, "success",
-				searchService.getWidgetData(resourceType));
+		if (stringIsNotSafeHtml(resourceType)) {
+				return new PortalRestResponse(PortalRestStatusEnum.ERROR, "resourceType: String string is not valid", "");
+		}
+		return new PortalRestResponse<>(PortalRestStatusEnum.OK, "success",
+			searchService.getWidgetData(resourceType));
 	}
 
 	/**
@@ -97,19 +108,26 @@ public class DashboardSearchResultController extends EPRestrictedBaseController
 	 * @return Rest response wrapped around a String; e.g., "success" or "ERROR"
 	 */
 	@RequestMapping(value = "/widgetDataBulk", method = RequestMethod.POST, produces = "application/json")
-	public PortalRestResponse<String> saveWidgetDataBulk(@RequestBody CommonWidgetMeta commonWidgetMeta) {
+	public PortalRestResponse<String> saveWidgetDataBulk(@Valid @RequestBody CommonWidgetMeta commonWidgetMeta) {
 		logger.debug(EELFLoggerDelegate.debugLogger, "saveWidgetDataBulk: argument is {}", commonWidgetMeta);
-		if (commonWidgetMeta.getCategory() == null || commonWidgetMeta.getCategory().trim().equals(""))
-			return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, "ERROR",
-					"Category cannot be null or empty");
+		if (commonWidgetMeta.getCategory() == null || commonWidgetMeta.getCategory().trim().equals("")){
+			return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR",
+				"Cateogry cannot be null or empty");
+		}else {
+			Validator validator = VALIDATOR_FACTORY.getValidator();
+			Set<ConstraintViolation<CommonWidgetMeta>> constraintViolations = validator.validate(commonWidgetMeta);
+			if (!constraintViolations.isEmpty())
+				return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR",
+					"Category is not valid");
+		}
 		// validate dates
 		for (CommonWidget cw : commonWidgetMeta.getItems()) {
 			String err = validateCommonWidget(cw);
 			if (err != null)
-				return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, err, null);
+				return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, err, null);
 		}
-		return new PortalRestResponse<String>(PortalRestStatusEnum.OK, "success",
-				searchService.saveWidgetDataBulk(commonWidgetMeta));
+		return new PortalRestResponse<>(PortalRestStatusEnum.OK, "success",
+			searchService.saveWidgetDataBulk(commonWidgetMeta));
 	}
 
 	/**
@@ -120,16 +138,23 @@ public class DashboardSearchResultController extends EPRestrictedBaseController
 	 * @return Rest response wrapped around a String; e.g., "success" or "ERROR"
 	 */
 	@RequestMapping(value = "/widgetData", method = RequestMethod.POST, produces = "application/json")
-	public PortalRestResponse<String> saveWidgetData(@RequestBody CommonWidget commonWidget) {
+	public PortalRestResponse<String> saveWidgetData(@Valid @RequestBody CommonWidget commonWidget) {
 		logger.debug(EELFLoggerDelegate.debugLogger, "saveWidgetData: argument is {}", commonWidget);
-		if (commonWidget.getCategory() == null || commonWidget.getCategory().trim().equals(""))
-			return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, "ERROR",
-					"Cateogry cannot be null or empty");
+		if (commonWidget.getCategory() == null || commonWidget.getCategory().trim().equals("")){
+			return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR",
+				"Category cannot be null or empty");
+		}else {
+			Validator validator = VALIDATOR_FACTORY.getValidator();
+			Set<ConstraintViolation<CommonWidget>> constraintViolations = validator.validate(commonWidget);
+			if (!constraintViolations.isEmpty())
+				return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR",
+					"Category is not valid");
+		}
 		String err = validateCommonWidget(commonWidget);
 		if (err != null)
-			return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, err, null);
-		return new PortalRestResponse<String>(PortalRestStatusEnum.OK, "success",
-				searchService.saveWidgetData(commonWidget));
+			return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, err, null);
+		return new PortalRestResponse<>(PortalRestStatusEnum.OK, "success",
+			searchService.saveWidgetData(commonWidget));
 	}
 
 	/**
@@ -162,10 +187,17 @@ public class DashboardSearchResultController extends EPRestrictedBaseController
 	 * @return Rest response wrapped around a String; e.g., "success" or "ERROR"
 	 */
 	@RequestMapping(value = "/deleteData", method = RequestMethod.POST, produces = "application/json")
-	public PortalRestResponse<String> deleteWidgetData(@RequestBody CommonWidget commonWidget) {
+	public PortalRestResponse<String> deleteWidgetData(@Valid @RequestBody CommonWidget commonWidget) {
+		if (commonWidget!=null){
+			Validator validator = VALIDATOR_FACTORY.getValidator();
+			Set<ConstraintViolation<CommonWidget>> constraintViolations = validator.validate(commonWidget);
+			if (!constraintViolations.isEmpty())
+				return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR",
+					"CommonWidget is not valid");
+		}
 		logger.debug(EELFLoggerDelegate.debugLogger, "deleteWidgetData: argument is {}", commonWidget);
-		return new PortalRestResponse<String>(PortalRestStatusEnum.OK, "success",
-				searchService.deleteWidgetData(commonWidget));
+		return new PortalRestResponse<>(PortalRestStatusEnum.OK, "success",
+			searchService.deleteWidgetData(commonWidget));
 	}
 
 	/**
@@ -185,11 +217,14 @@ public class DashboardSearchResultController extends EPRestrictedBaseController
 			if (user == null) {
 				return new PortalRestResponse<>(PortalRestStatusEnum.ERROR,
 						"searchPortal: User object is null? - check logs",
-						new HashMap<String, List<SearchResultItem>>());
+					new HashMap<>());
 			} else if (searchString == null || searchString.trim().length() == 0) {
 				return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "searchPortal: String string is null",
-						new HashMap<String, List<SearchResultItem>>());
-			} else {
+					new HashMap<>());
+			}else if (stringIsNotSafeHtml(searchString)){
+					return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "searchPortal: String string is not valid",
+						new HashMap<>());
+			}else {
 				logger.debug(EELFLoggerDelegate.debugLogger, "searchPortal: user {}, search string '{}'",
 						user.getLoginId(), searchString);
 				Map<String, List<SearchResultItem>> results = searchService.searchResults(user.getLoginId(),
@@ -199,7 +234,7 @@ public class DashboardSearchResultController extends EPRestrictedBaseController
 		} catch (Exception e) {
 			logger.error(EELFLoggerDelegate.errorLogger, "searchPortal failed", e);
 			return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, e.getMessage() + " - check logs.",
-					new HashMap<String, List<SearchResultItem>>());
+				new HashMap<>());
 		}
 	}
 
@@ -258,4 +293,13 @@ public class DashboardSearchResultController extends EPRestrictedBaseController
 		}
 	}
 
+	private boolean stringIsNotSafeHtml(String string){
+		SecureString secureString = new SecureString(string);
+
+		Validator validator = VALIDATOR_FACTORY.getValidator();
+
+		Set<ConstraintViolation<SecureString>> constraintViolations = validator.validate(secureString);
+		return !constraintViolations.isEmpty();
+	}
+
 }
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/CommonWidget.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/CommonWidget.java
index ec27d987..3fbdc3e8 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/CommonWidget.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/CommonWidget.java
@@ -44,6 +44,7 @@ import javax.persistence.GenerationType;
 import javax.persistence.Id;
 import javax.persistence.Table;
 
+import org.hibernate.validator.constraints.SafeHtml;
 import org.onap.portalsdk.core.domain.support.DomainVo;
 import com.fasterxml.jackson.annotation.JsonInclude;
 
@@ -63,28 +64,33 @@ public class CommonWidget extends DomainVo{
 	private Long id;
 
 	@Column(name = "category")
+	@SafeHtml
 	public String category;
 	
 	@Column(name = "href")
+	@SafeHtml
 	public String href;
 
 	@Column(name = "title")
+	@SafeHtml
 	public String title;
 	
 	@Column(name = "content")
+	@SafeHtml
 	public String content;
 
 	@Column(name = "event_date")
+	@SafeHtml
 	public String eventDate;
 	
 	@Column(name = "sort_order")
 	public Integer sortOrder;
 
-	
+
 	public CommonWidget(){
-		
+
 	}
-	
+
 	public CommonWidget(String category, String href, String title, String content, String eventDate, Integer sortOrder){
 		this.category = category;
 		this.href = href;
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/CommonWidgetMeta.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/CommonWidgetMeta.java
index 55dfc91a..51a02652 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/CommonWidgetMeta.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/CommonWidgetMeta.java
@@ -38,14 +38,17 @@
 package org.onap.portalapp.portal.transport;
 
 import java.util.List;
+import javax.validation.Valid;
+import org.hibernate.validator.constraints.SafeHtml;
 
 public class CommonWidgetMeta {
-	
+	@SafeHtml
 	private String category;
+	@Valid
 	private List<CommonWidget> items;
-	
-	public CommonWidgetMeta(){	
-		
+
+	public CommonWidgetMeta(){
+
 	}
 
 	public CommonWidgetMeta(String category, List<CommonWidget> items){
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/SecureString.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/SecureString.java
new file mode 100644
index 00000000..ca2712a3
--- /dev/null
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/SecureString.java
@@ -0,0 +1,55 @@
+/*-
+ * ============LICENSE_START==========================================
+ * ONAP Portal
+ * ===================================================================
+ * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
+ * ===================================================================
+ *
+ * Unless otherwise specified, all software contained herein is licensed
+ * under the Apache License, Version 2.0 (the "License");
+ * you may not use this software except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *             http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Unless otherwise specified, all documentation contained herein is licensed
+ * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
+ * you may not use this documentation except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *             https://creativecommons.org/licenses/by/4.0/
+ *
+ * Unless required by applicable law or agreed to in writing, documentation
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * ============LICENSE_END============================================
+ *
+ *
+ */
+
+package org.onap.portalapp.validation;
+
+import org.hibernate.validator.constraints.SafeHtml;
+
+public class SecureString {
+
+       @SafeHtml
+       private String string;
+
+       public SecureString(String string) {
+              this.string = string;
+       }
+
+       public String getString() {
+              return string;
+       }
+}
author	Dominik Mizyn <d.mizyn@samsung.com>	2019-05-30 10:47:56 +0200
committer	Dominik Mizyn <d.mizyn@samsung.com>	2019-05-30 10:48:13 +0200
commit	1f4d93651fdc71e0b661728a7c7efc9b4f524b5a (patch)
tree	fdf232903f5ea43b9d8659758b169bc6dbdff2ed /ecomp-portal-BE-common/src/main
parent	c5b960eaa66fcfdd69c4a8201d2c0ff8ee1253a8 (diff)