authorDominik Mizyn <d.mizyn@samsung.com>2019-06-06 10:52:16 +0200
committerDominik Mizyn <d.mizyn@samsung.com>2019-07-12 11:21:04 +0200
commit5aab72338c356e035862b914be4ca294c9d17fc8 (patch)
tree38cf51ce3bc3c08765a62d05540014e07b90dc50 /ecomp-portal-BE-common/src/test/java/org/onap
parent73248465fc2867a3dd1a6494afb6b0774c9028f2 (diff)
XSS Vulnerability fix in AppsController
Custom XSS filter used to fix this issue. DataValidator upgrade to single instance of ValidatorFactory; Issue-ID: OJSI-15 Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com> Change-Id: I7222cfb84e1e5bb240619aac9c7bca85d215229a
Diffstat (limited to 'ecomp-portal-BE-common/src/test/java/org/onap')
-rw-r--r--ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java73
1 files changed, 69 insertions, 4 deletions
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java
index 4df1c2ac..58745d22 100644
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java
@@ -58,7 +58,6 @@ import org.mockito.Matchers;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.MockitoAnnotations;
-import org.onap.portalapp.portal.controller.AppsController;
import org.onap.portalapp.portal.core.MockEPUser;
import org.onap.portalapp.portal.domain.AdminUserApplications;
import org.onap.portalapp.portal.domain.AppIdAndNameTransportModel;
@@ -82,7 +81,6 @@ import org.onap.portalapp.portal.transport.EPWidgetsSortPreference;
import org.onap.portalapp.portal.transport.FieldsValidator;
import org.onap.portalapp.portal.transport.LocalRole;
import org.onap.portalapp.portal.transport.OnboardingApp;
-import org.onap.portalapp.portal.utils.EcompPortalUtils;
import org.onap.portalapp.util.EPUserUtils;
import org.onap.portalsdk.core.util.SystemProperties;
import org.onap.portalsdk.core.web.support.AppUtils;
@@ -100,7 +98,7 @@ import org.springframework.web.client.HttpClientErrorException;
public class AppsControllerTest extends MockitoTestSuite{
@InjectMocks
- AppsController appsController = new AppsController();
+ AppsController appsController;
@Mock
AdminRolesService adminRolesService = new AdminRolesServiceImpl();
@@ -369,6 +367,38 @@ public class AppsControllerTest extends MockitoTestSuite{
}
@Test
+ public void putUserAppsSortingManualXSSTest() {
+ EPUser user = mockUser.mockEPUser();
+ EPAppsManualPreference preference = new EPAppsManualPreference();
+ preference.setHeaderText("<script>alert(\"hellox worldss\");</script>");
+ Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+ List<EPAppsManualPreference> ePAppsManualPreference = new ArrayList<>();
+ FieldsValidator expectedFieldValidator = new FieldsValidator();
+ expectedFieldValidator.setHttpStatusCode((long)HttpServletResponse.SC_NOT_ACCEPTABLE);
+ ePAppsManualPreference.add(preference);
+ Mockito.when(appService.saveAppsSortManual(ePAppsManualPreference, user)).thenReturn(expectedFieldValidator);
+ FieldsValidator actualFieldValidator = appsController.putUserAppsSortingManual(mockedRequest, ePAppsManualPreference,
+ mockedResponse);
+ assertEquals(actualFieldValidator, expectedFieldValidator);
+ }
+
+ @Test
+ public void putUserWidgetsSortManualXSSTest() {
+ EPUser user = mockUser.mockEPUser();
+ EPWidgetsSortPreference preference = new EPWidgetsSortPreference();
+ preference.setHeaderText("<script>alert(\"hellox worldss\");</script>");
+ Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+ List<EPWidgetsSortPreference> ePAppsManualPreference = new ArrayList<>();
+ FieldsValidator expectedFieldValidator = new FieldsValidator();
+ expectedFieldValidator.setHttpStatusCode((long)HttpServletResponse.SC_NOT_ACCEPTABLE);
+ ePAppsManualPreference.add(preference);
+ Mockito.when(appService.saveWidgetsSortManual(ePAppsManualPreference, user)).thenReturn(expectedFieldValidator);
+ FieldsValidator actualFieldValidator = appsController.putUserWidgetsSortManual(mockedRequest, ePAppsManualPreference,
+ mockedResponse);
+ assertEquals(expectedFieldValidator, actualFieldValidator);
+ }
+
+ @Test
public void putUserAppsSortingManualExceptionTest() throws IOException {
EPUser user = mockUser.mockEPUser();
Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
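Review bot: The two new XSS tests cannot fail on a missing XSS check, because the `Mockito.when(appService.saveAppsSortManual(...))` and `saveWidgetsSortManual` stubs hand back the very SC_NOT_ACCEPTABLE validator the assertion then expects — a controller that performs no validation and simply forwards the `<script>` payload to the service returns the same object and passes. To pin the fix, stub the service to return a validator with `HttpServletResponse.SC_OK` (or leave it unstubbed), assert on `actualFieldValidator.getHttpStatusCode()` being `SC_NOT_ACCEPTABLE`, and add `Mockito.verify(appService, Mockito.never()).saveAppsSortManual(Mockito.anyList(), Mockito.any(EPUser.class));` (and the `saveWidgetsSortManual` twin) so the test proves the payload never reaches the service layer. Where the filter actually runs (controller vs. service) is not visible from this test file, so confirm the call boundary against AppsController before choosing the stub. Minor: `assertEquals(actualFieldValidator, expectedFieldValidator)` in the first test reverses JUnit's (expected, actual) order while the second test has it right, and the `List<EPWidgetsSortPreference>` is named `ePAppsManualPreference`. The trailing context lines belong to `putUserAppsSortingManualExceptionTest`, whose body continues past the hunk.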
@@ -404,7 +434,7 @@ public class AppsControllerTest extends MockitoTestSuite{
}
@Test
- public void putUserWidgetsSortPrefTest() throws IOException {
+ public void putUserWidgetsSortPrefTest() {
EPUser user = mockUser.mockEPUser();
Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
List<EPWidgetsSortPreference> ePWidgetsSortPreference = new ArrayList<EPWidgetsSortPreference>();
@@ -421,6 +451,24 @@ public class AppsControllerTest extends MockitoTestSuite{
}
@Test
+ public void putUserWidgetsSortPrefXSSTest() {
+ EPUser user = mockUser.mockEPUser();
+ Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+ List<EPWidgetsSortPreference> ePWidgetsSortPreference = new ArrayList<>();
+ EPWidgetsSortPreference preference = new EPWidgetsSortPreference();
+ preference.setHeaderText("<script>alert(\"hellox worldss\");</script>");
+ ePWidgetsSortPreference.add(preference);
+ FieldsValidator expectedFieldValidator = new FieldsValidator();
+ expectedFieldValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE);
+ FieldsValidator actualFieldValidator;
+ Mockito.when(appService.deleteUserWidgetSortPref(ePWidgetsSortPreference, user))
+ .thenReturn(expectedFieldValidator);
+ actualFieldValidator = appsController.putUserWidgetsSortPref(mockedRequest, ePWidgetsSortPreference,
+ mockedResponse);
+ assertEquals(actualFieldValidator, expectedFieldValidator);
+ }
+
+ @Test
public void putUserWidgetsSortPrefExceptionTest() throws IOException {
EPUser user = mockUser.mockEPUser();
Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
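Review bot: `putUserWidgetsSortPrefXSSTest` has the same blind spot as the other new XSS tests: `Mockito.when(appService.deleteUserWidgetSortPref(...)).thenReturn(expectedFieldValidator)` returns the 406 validator, so the assertion holds whether or not the controller rejected the `<script>` header text before delegating. Stub the service to return an SC_OK validator instead and add `Mockito.verify(appService, Mockito.never()).deleteUserWidgetSortPref(Mockito.anyList(), Mockito.any(EPUser.class));` so a regression that drops the filter is caught. If the controller builds its own `FieldsValidator` on rejection rather than returning the stub, `assertEquals` on the whole object depends on a `FieldsValidator.equals` override that this file does not show; comparing `getHttpStatusCode()` is the safer assertion. The argument order `assertEquals(actualFieldValidator, expectedFieldValidator)` is also reversed relative to JUnit's (expected, actual) convention. The trailing context lines belong to `putUserWidgetsSortPrefExceptionTest`, which continues past the hunk.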
@@ -476,6 +524,23 @@ public class AppsControllerTest extends MockitoTestSuite{
}
@Test
+ public void putUserAppsSortingPreferenceXSSTest() {
+ EPUser user = mockUser.mockEPUser();
+ Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+ EPAppsSortPreference userAppsValue = new EPAppsSortPreference();
+ userAppsValue.setTitle("</script><script>alert(1)</script>");
+ FieldsValidator expectedFieldValidator = new FieldsValidator();
+ expectedFieldValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE);
+ expectedFieldValidator.setFields(null);
+ expectedFieldValidator.setErrorCode(null);
+ FieldsValidator actualFieldValidator;
+ Mockito.when(appService.saveAppsSortPreference(userAppsValue, user)).thenReturn(expectedFieldValidator);
+ actualFieldValidator = appsController.putUserAppsSortingPreference(mockedRequest, userAppsValue,
+ mockedResponse);
+ assertEquals(actualFieldValidator, expectedFieldValidator);
+ }
+
+ @Test
public void putUserAppsSortingPreferenceExceptionTest() throws IOException {
EPUser user = mockUser.mockEPUser();
Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
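Review bot: `putUserAppsSortingPreferenceXSSTest` stubs `appService.saveAppsSortPreference(userAppsValue, user)` to return the SC_NOT_ACCEPTABLE validator it later asserts on, so the test passes even if the `</script><script>alert(1)</script>` title is forwarded to the service unchecked. Return an SC_OK validator from the stub and add `Mockito.verify(appService, Mockito.never()).saveAppsSortPreference(Mockito.any(EPAppsSortPreference.class), Mockito.any(EPUser.class));`, then assert `assertEquals(Long.valueOf(HttpServletResponse.SC_NOT_ACCEPTABLE), actualFieldValidator.getHttpStatusCode());` rather than object equality, which here only holds because the stub returns the same instance. The explicit `setFields(null)` / `setErrorCode(null)` calls presumably just restate the defaults; if they are meant to assert that a rejection leaves no field-level errors, say so in a comment such as `// XSS rejection is reported via status code only, no per-field errors`. The trailing context lines belong to `putUserAppsSortingPreferenceExceptionTest`, which continues past the hunk.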