diff options
| author |   Dominik Mizyn <d.mizyn@samsung.com> | 2019-10-21 13:46:35 +0200 |
|---|---|---|
| committer | Dominik Mizyn <d.mizyn@samsung.com> | 2019-10-24 15:54:49 +0200 |
| commit | 604bf4f45cf1f1726f1b8129963627ffb90b5f4c (patch) | |
| tree | addda23d07cb0fea818b193776edfd21cd8e766c /ecomp-portal-BE-common/src/test/java | |
| parent | 7c2e7e2dc9a82dda22929a586c5b10d089163b73 (diff) | |
Persistent XSS vulnerability in basicAuthAccount form fix
javax.validation.Validator used to fix this vulnerability issue.
Issue-ID: OJSI-20
Change-Id: I2e8188d9dabf634fcaf41b8d42d0f7160cc0886d
Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
Diffstat (limited to 'ecomp-portal-BE-common/src/test/java')
2 files changed, 31 insertions, 0 deletions
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/BasicAuthAccountControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/BasicAuthAccountControllerTest.java index c9d3c2fd..ff056d0d 100644 --- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/BasicAuthAccountControllerTest.java +++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/BasicAuthAccountControllerTest.java @@ -135,6 +135,28 @@ public class BasicAuthAccountControllerTest extends MockitoTestSuite { } @Test + public void createBasicAuthAccountXSSTest() throws Exception { + BasicAuthCredentials basicAuthCredentials = basicAuthCredentials(); + basicAuthCredentials.setPassword("<script>alert(“XSS”);</script>"); + + EPUser user = mockUser.mockEPUser(); + Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user); + Mockito.when(adminRolesService.isSuperAdmin(user)).thenReturn(true); + PortalRestResponse<String> expectedResponse = new PortalRestResponse<String>(); + expectedResponse.setMessage("createBasicAuthAccount() failed, new credential are not safe"); + expectedResponse.setResponse(""); + PortalRestStatusEnum portalRestStatusEnum = null; + expectedResponse.setStatus(portalRestStatusEnum.ERROR); + long accountd = 1; + + Mockito.when(basicAuthAccountService.saveBasicAuthAccount(basicAuthCredentials)).thenReturn(accountd); + + PortalRestResponse<String> actualResponse = basicAuthAccountController.createBasicAuthAccount(mockedRequest, + mockedResponse, basicAuthCredentials); + assertEquals(actualResponse, expectedResponse); + } + + @Test public void createBasicAuthAccountAdminTest() throws Exception { BasicAuthCredentials basicAuthCredentials = basicAuthCredentials(); EPUser user = mockUser.mockEPUser(); diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/BasicAuthAccountServiceImplTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/BasicAuthAccountServiceImplTest.java index 4409a4fc..6382bef4 100644 --- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/BasicAuthAccountServiceImplTest.java +++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/BasicAuthAccountServiceImplTest.java @@ -79,6 +79,15 @@ public class BasicAuthAccountServiceImplTest { basicAuthAccountServiceImpl.saveBasicAuthAccount(basicAuthCredentials); } + + @Test(expected= Exception.class) + public void saveBasicAuthAccountValidTest() throws Exception { + BasicAuthCredentials basicAuthCredentials = new BasicAuthCredentials(); + basicAuthCredentials.setPassword("<IMG SRC=\"jav\tascript:alert('XSS');\">"); + Mockito.doNothing().when(dataAccessService).saveDomainObject(basicAuthCredentials, null); + basicAuthAccountServiceImpl.saveBasicAuthAccount(basicAuthCredentials); + + } @Test public void saveBasicAuthAccountTest_password() throws Exception{ |