Persistent XSS vulnerability in onboardingApps form fix

javax.validation.Validator used to fix this vulnerability issue.

Issue-ID: OJSI-18
Change-Id: I26ec795a23869c0dccd22c50e4469ae264cb7547
Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>

1 files changed, 5 insertions, 0 deletions

diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java
index 0be0d357..c34311c3 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java
@@ -739,6 +739,11 @@ public class AppsController extends EPRestrictedBaseController {
 			user = EPUserUtils.getUserSession(request);
 			if (!adminRolesService.isSuperAdmin(user) && !adminRolesService.isAccountAdminOfAnyActiveorInactiveApplication(user, oldEPApp) ) {
 				EcompPortalUtils.setBadPermissions(user, response, "putOnboardingApp");
+			} else if(!dataValidator.isValid(modifiedOnboardingApp)){
+				logger.error(EELFLoggerDelegate.errorLogger, "putOnboardingApp is not valid");
+				EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/onboardingApps", "POST result =",
+												response.getStatus());
+				return fieldsValidator;
 			} else {
 				if((oldEPApp.getCentralAuth() && modifiedOnboardingApp.isCentralAuth && !oldEPApp.getNameSpace().equalsIgnoreCase(modifiedOnboardingApp.nameSpace) && modifiedOnboardingApp.nameSpace!= null ) || (!oldEPApp.getCentralAuth() && modifiedOnboardingApp.isCentralAuth && modifiedOnboardingApp.nameSpace!= null))
 				{