Merge "XSS Vulnerability fix in WidgetsController"

author: Manoop Talasila <talasila@research.att.com> 2019-07-22 19:31:46 +0000
committer: Gerrit Code Review <gerrit@onap.org> 2019-07-22 19:31:46 +0000
commit: 7971d223f73c936027011a0241a0c73cc68fe8b0 (patch)
tree: 96f271f7f50aee17bed1329a1a2c095655b924f2 /ecomp-portal-BE-common/src/test/java
parent: 1f36ac393692177f00ed2c7ea8481585cd29d979 (diff)
parent: 5d37bb1bbd825616ef7b1622c71a2dce5239cc23 (diff)
1 files changed, 47 insertions, 4 deletions
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/WidgetsControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/WidgetsControllerTest.java
index c6bd8001..f69ac99e 100644
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/WidgetsControllerTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/WidgetsControllerTest.java
@@ -68,7 +68,7 @@ import org.springframework.web.client.RestClientException;
 public class WidgetsControllerTest  extends MockitoTestSuite{
 
 	@InjectMocks
-	WidgetsController widgetsController = new WidgetsController();
+	WidgetsController widgetsController;
 	
 	@Mock
 	private AdminRolesService rolesService;
@@ -150,7 +150,7 @@ public class WidgetsControllerTest  extends MockitoTestSuite{
 		OnboardingWidget onboardingWidget=new OnboardingWidget();
 		onboardingWidget.id=12L;
 		onboardingWidget.normalize();
-		//Mockito.doNothing().when(onboardingWidget).normalize();	
+		//Mockito.doNothing().when(onboardingWidget).normalize();
 		FieldsValidator expectedFieldValidator = new FieldsValidator();
 		List<FieldName> fields = new ArrayList<>();
 
@@ -161,6 +161,24 @@ public class WidgetsControllerTest  extends MockitoTestSuite{
 		actualFieldsValidator = widgetsController.putOnboardingWidget(mockedRequest, 12L, onboardingWidget, mockedResponse);
 		
 	}
+
+	@Test
+	public void putOnboardingWidgetXSSTest() {
+		FieldsValidator actualFieldsValidator = null;
+		EPUser user = mockUser.mockEPUser();
+		Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+		OnboardingWidget onboardingWidget=new OnboardingWidget();
+		onboardingWidget.id=12L;
+		onboardingWidget.name = "<script>alert(/XSS”)</script>";
+		onboardingWidget.normalize();
+		FieldsValidator expectedFieldValidator = new FieldsValidator();
+		expectedFieldValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE);
+		Mockito.when(widgetService.setOnboardingWidget(user, onboardingWidget)).thenReturn(expectedFieldValidator);
+		actualFieldsValidator = widgetsController.putOnboardingWidget(mockedRequest, 12L, onboardingWidget, mockedResponse);
+
+		assertEquals(expectedFieldValidator, actualFieldsValidator);
+
+	}
 	
 	@Test
 	public void putOnboardingWidgetWithUserPermissionTest() {
@@ -172,7 +190,7 @@ public class WidgetsControllerTest  extends MockitoTestSuite{
 		OnboardingWidget onboardingWidget=new OnboardingWidget();
 		onboardingWidget.id=12L;
 		onboardingWidget.normalize();
-		//Mockito.doNothing().when(onboardingWidget).normalize();	
+		//Mockito.doNothing().when(onboardingWidget).normalize();
 		FieldsValidator expectedFieldValidator = new FieldsValidator();
 		List<FieldName> fields = new ArrayList<>();
 
@@ -209,6 +227,31 @@ public class WidgetsControllerTest  extends MockitoTestSuite{
 		assertEquals(expectedFieldValidator.getErrorCode(), actualFieldsValidator.getErrorCode());
 		assertEquals(expectedFieldValidator.getFields(), actualFieldsValidator.getFields());
 	}
+
+	@Test
+	public void postOnboardingWidgetXSSTest(){
+		EPUser user=mockUser.mockEPUser();
+		Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+		FieldsValidator actualFieldsValidator = null;
+		Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+		Mockito.when(rolesService.isSuperAdmin(user)).thenReturn(true);
+		Mockito.when(rolesService.isAccountAdmin(user)).thenReturn(true);
+		OnboardingWidget onboardingWidget=new OnboardingWidget();
+		onboardingWidget.id=12L;
+		onboardingWidget.appName="<script>alert(/XSS”)</script>";
+		onboardingWidget.normalize();
+		FieldsValidator expectedFieldValidator = new FieldsValidator();
+		List<FieldName> fields = new ArrayList<>();
+
+		expectedFieldValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE);
+		expectedFieldValidator.setFields(fields);
+		expectedFieldValidator.setErrorCode(null);
+		Mockito.when(widgetService.setOnboardingWidget(user, onboardingWidget)).thenReturn(expectedFieldValidator);
+		actualFieldsValidator = widgetsController.postOnboardingWidget(mockedRequest, onboardingWidget, mockedResponse);
+		assertEquals(expectedFieldValidator.getHttpStatusCode(), actualFieldsValidator.getHttpStatusCode());
+		assertEquals(expectedFieldValidator.getErrorCode(), actualFieldsValidator.getErrorCode());
+		assertEquals(expectedFieldValidator.getFields(), actualFieldsValidator.getFields());
+	}
 	
 	@Test
 	public void postOnboardingWidgetTestwiThoutUserPermission() {
@@ -218,7 +261,7 @@ public class WidgetsControllerTest  extends MockitoTestSuite{
 		OnboardingWidget onboardingWidget=new OnboardingWidget();
 		onboardingWidget.id=12L;
 		onboardingWidget.normalize();
-		//Mockito.doNothing().when(onboardingWidget).normalize();	
+		//Mockito.doNothing().when(onboardingWidget).normalize();
 		FieldsValidator expectedFieldValidator = new FieldsValidator();
 		List<FieldName> fields = new ArrayList<>();
author	Manoop Talasila <talasila@research.att.com>	2019-07-22 19:31:46 +0000
committer	Gerrit Code Review <gerrit@onap.org>	2019-07-22 19:31:46 +0000
commit	7971d223f73c936027011a0241a0c73cc68fe8b0 (patch)
tree	96f271f7f50aee17bed1329a1a2c095655b924f2 /ecomp-portal-BE-common/src/test/java
parent	1f36ac393692177f00ed2c7ea8481585cd29d979 (diff)
parent	5d37bb1bbd825616ef7b1622c71a2dce5239cc23 (diff)