summaryrefslogtreecommitdiffstats
path: root/ecomp-portal-BE-common/src/test
diff options
context:
space:
mode:
authorDominik Mizyn <d.mizyn@samsung.com>2019-06-06 12:28:51 +0200
committerDominik Mizyn <d.mizyn@samsung.com>2019-07-12 12:01:35 +0200
commitcb9cdfc7f1fb2d519172269f0d9b608b76925f4e (patch)
tree4f56b9f9df0f298c2d596579a2a4260a685c232a /ecomp-portal-BE-common/src/test
parent73248465fc2867a3dd1a6494afb6b0774c9028f2 (diff)
XSS Vulnerability fix in SharedContextRestController
Custom data validator used to secure this class Issue-ID: OJSI-15 Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com> Change-Id: I231731b9deb60310b698d70179cddd471cffd7fb
Diffstat (limited to 'ecomp-portal-BE-common/src/test')
-rw-r--r--ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/SharedContextRestControllerTest.java99
1 files changed, 81 insertions, 18 deletions
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/SharedContextRestControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/SharedContextRestControllerTest.java
index 1607f423..49cccae5 100644
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/SharedContextRestControllerTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/SharedContextRestControllerTest.java
@@ -38,24 +38,19 @@ package org.onap.portalapp.portal.controller;
*/
-import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
-import java.io.IOException;
+import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.UUID;
-
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
-import org.drools.core.command.assertion.AssertEquals;
import org.json.JSONObject;
-import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
@@ -64,24 +59,15 @@ import org.mockito.Matchers;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.MockitoAnnotations;
-import org.onap.portalapp.portal.controller.SharedContextRestClient;
-import org.onap.portalapp.portal.controller.SharedContextTestProperties;
import org.onap.portalapp.portal.core.MockEPUser;
-import org.onap.portalapp.portal.domain.CentralV2RoleFunction;
import org.onap.portalapp.portal.domain.SharedContext;
+import org.onap.portalapp.portal.exceptions.NotValidDataException;
import org.onap.portalapp.portal.framework.MockitoTestSuite;
-import org.onap.portalapp.portal.scheduler.SchedulerProperties;
import org.onap.portalapp.portal.service.SharedContextService;
import org.onap.portalapp.portal.utils.EPCommonSystemProperties;
-import org.onap.portalsdk.core.util.SystemProperties;
-import org.onap.portalsdk.core.web.support.UserUtils;
import org.powermock.api.mockito.PowerMockito;
import org.powermock.core.classloader.annotations.PrepareForTest;
import org.powermock.modules.junit4.PowerMockRunner;
-import org.springframework.beans.factory.annotation.Autowired;
-
-import com.fasterxml.jackson.databind.DeserializationFeature;
-import com.fasterxml.jackson.databind.ObjectMapper;
/**
* Tests the endpoints exposed by the Shared Context controller in Portal.
@@ -95,7 +81,7 @@ public class SharedContextRestControllerTest {
SharedContextService contextService;
@InjectMocks
- SharedContextRestController sharedContextRestController=new SharedContextRestController();
+ SharedContextRestController sharedContextRestController=new SharedContextRestController(contextService);
@Before
public void setup() {
@@ -220,11 +206,31 @@ public class SharedContextRestControllerTest {
public void getContextTestWithException() throws Exception{
sharedContextRestController.getContext(mockedRequest, null,null);
}
+
+ @Test(expected=NotValidDataException.class)
+ public void getContextTestNotValidDataException() throws Exception{
+ sharedContextRestController.getContext(mockedRequest, "<script>alert(\"hellox worldss\");</script>","test");
+ }
+
+ @Test(expected=NotValidDataException.class)
+ public void getContextTest2NotValidDataException() throws Exception{
+ sharedContextRestController.getContext(mockedRequest, "test","“><script>alert(“XSS”)</script>");
+ }
+
+ @Test(expected=NotValidDataException.class)
+ public void getContextTest3NotValidDataException() throws Exception{
+ sharedContextRestController.getContext(mockedRequest, "<ScRipT>alert(\"XSS\");</ScRipT>","“><script>alert(“XSS”)</script>");
+ }
- @Test(expected=Exception.class)
+ @Test(expected= Exception.class)
public void getUserContextTest() throws Exception{
sharedContextRestController.getUserContext(mockedRequest, null);
}
+
+ @Test(expected= NotValidDataException.class)
+ public void getUserContextXSSTest() throws Exception{
+ sharedContextRestController.getUserContext(mockedRequest, "<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}");
+ }
@Test
public void getUserContextTestWithContext() throws Exception{
@@ -257,6 +263,16 @@ public class SharedContextRestControllerTest {
Mockito.when(contextService.getSharedContext(Matchers.any(),Matchers.any())).thenReturn(sharedContext);
sharedContextRestController.checkContext(mockedRequest, null,null);
}
+
+ @Test(expected=NotValidDataException.class)
+ public void checkContextTestWithContextXSSl() throws Exception{
+ SharedContext sharedContext=new SharedContext();
+ sharedContext.setContext_id("test_contextid");
+ sharedContext.setCkey("test_ckey");
+ Mockito.when(contextService.getSharedContext(Matchers.any(),Matchers.any())).thenReturn(sharedContext);
+ sharedContextRestController.checkContext(mockedRequest,
+ "<ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?","<script>alert(123);</script>");
+ }
@Test
public void removeContextTest() throws Exception{
@@ -283,6 +299,20 @@ public class SharedContextRestControllerTest {
assertNotNull(actual);
}
+
+ @Test(expected=NotValidDataException.class)
+ public void removeContextTestWithContextXSS() throws Exception{
+ SharedContext sharedContext=new SharedContext();
+ sharedContext.setContext_id("test_contextid");
+ sharedContext.setCkey("test_ckey");
+ Mockito.when(contextService.getSharedContext(Matchers.any(),Matchers.any())).thenReturn(sharedContext);
+
+ //Mockito.when(contextService.deleteSharedContext(sharedContext));
+ String actual=sharedContextRestController.removeContext(mockedRequest,
+ "<script>alert(“XSS”)</script> ","<script>alert(/XSS/)</script>");
+ assertNotNull(actual);
+
+ }
@Test(expected=Exception.class)
public void clearContextTestwithContextIdNull() throws Exception{
@@ -293,6 +323,16 @@ public class SharedContextRestControllerTest {
assertNotNull(actual);
}
+
+ @Test(expected=NotValidDataException.class)
+ public void clearContextTestwithContextXSS() throws Exception{
+
+ Mockito.when(contextService.deleteSharedContexts(Matchers.any())).thenReturn(12);
+
+ String actual=sharedContextRestController.clearContext(mockedRequest,"<script>alert(123)</script>");
+ assertNotNull(actual);
+
+ }
@Test
public void clearContextTest() throws Exception{
@@ -350,4 +390,27 @@ public class SharedContextRestControllerTest {
String actual=sharedContextRestController.setContext(mockedRequest,testUserJson.toString());
}
+
+ @Test(expected=NotValidDataException.class)
+ public void setContextTestWithContextXSS() throws Exception{
+ ObjectMapper mapper = new ObjectMapper();
+ Map<String, Object> userData = new HashMap<String, Object>();
+ userData.put("context_id", "test_contextId");
+ userData.put("ckey", "<script>alert(‘XSS’)</script>");
+ userData.put("cvalue", "test_cvalue");
+ //String testUserJson=Matchers.anyString();
+ JSONObject testUserJson = new JSONObject();
+ testUserJson.put("context_id", "test1ContextId");
+ testUserJson.put("ckey", "testCkey");
+ testUserJson.put("cvalue", "<script>alert(‘XSS’)</script>");
+ Map<String, Object> userData1 = mapper.readValue(testUserJson.toString(), Map.class);
+ SharedContext sharedContext=new SharedContext();
+ sharedContext.setContext_id("test_contextid");
+ sharedContext.setCkey("test_ckey");
+ Mockito.when(contextService.getSharedContext(Matchers.any(),Matchers.any())).thenReturn(sharedContext);
+ // Mockito.when(mapper.readValue("true", Map.class)).thenReturn(userData);
+ String actual=sharedContextRestController.setContext(mockedRequest,testUserJson.toString());
+
+ }
+
}