XSS Vulnerability fix in WidgetsController

Custom data validator used to fix this issue. Issue-ID: OJSI-15 Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com> Change-Id: I0113097b2118656780f4f9bca8b4ee99e85b6f6d
author: Dominik Mizyn <d.mizyn@samsung.com> 2019-06-06 11:39:35 +0200
committer: Dominik Mizyn <d.mizyn@samsung.com> 2019-07-12 11:55:25 +0200
commit: 5d37bb1bbd825616ef7b1622c71a2dce5239cc23 (patch)
tree: 1a80faf69a9459f17700e5b9115ae21cee935855 /ecomp-portal-BE-common/src/test
parent: 73248465fc2867a3dd1a6494afb6b0774c9028f2 (diff)
1 files changed, 47 insertions, 4 deletions
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/WidgetsControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/WidgetsControllerTest.java
index c6bd8001..f69ac99e 100644
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/WidgetsControllerTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/WidgetsControllerTest.java
@@ -68,7 +68,7 @@ import org.springframework.web.client.RestClientException;
 public class WidgetsControllerTest  extends MockitoTestSuite{
 
 	@InjectMocks
-	WidgetsController widgetsController = new WidgetsController();
+	WidgetsController widgetsController;
 	
 	@Mock
 	private AdminRolesService rolesService;
@@ -150,7 +150,7 @@ public class WidgetsControllerTest  extends MockitoTestSuite{
 		OnboardingWidget onboardingWidget=new OnboardingWidget();
 		onboardingWidget.id=12L;
 		onboardingWidget.normalize();
-		//Mockito.doNothing().when(onboardingWidget).normalize();	
+		//Mockito.doNothing().when(onboardingWidget).normalize();
 		FieldsValidator expectedFieldValidator = new FieldsValidator();
 		List<FieldName> fields = new ArrayList<>();
 
@@ -161,6 +161,24 @@ public class WidgetsControllerTest  extends MockitoTestSuite{
 		actualFieldsValidator = widgetsController.putOnboardingWidget(mockedRequest, 12L, onboardingWidget, mockedResponse);
 		
 	}
+
+	@Test
+	public void putOnboardingWidgetXSSTest() {
+		FieldsValidator actualFieldsValidator = null;
+		EPUser user = mockUser.mockEPUser();
+		Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+		OnboardingWidget onboardingWidget=new OnboardingWidget();
+		onboardingWidget.id=12L;
+		onboardingWidget.name = "<script>alert(/XSS”)</script>";
+		onboardingWidget.normalize();
+		FieldsValidator expectedFieldValidator = new FieldsValidator();
+		expectedFieldValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE);
+		Mockito.when(widgetService.setOnboardingWidget(user, onboardingWidget)).thenReturn(expectedFieldValidator);
+		actualFieldsValidator = widgetsController.putOnboardingWidget(mockedRequest, 12L, onboardingWidget, mockedResponse);
+
+		assertEquals(expectedFieldValidator, actualFieldsValidator);
+
+	}
 	
 	@Test
 	public void putOnboardingWidgetWithUserPermissionTest() {
@@ -172,7 +190,7 @@ public class WidgetsControllerTest  extends MockitoTestSuite{
 		OnboardingWidget onboardingWidget=new OnboardingWidget();
 		onboardingWidget.id=12L;
 		onboardingWidget.normalize();
-		//Mockito.doNothing().when(onboardingWidget).normalize();	
+		//Mockito.doNothing().when(onboardingWidget).normalize();
 		FieldsValidator expectedFieldValidator = new FieldsValidator();
 		List<FieldName> fields = new ArrayList<>();
 
@@ -209,6 +227,31 @@ public class WidgetsControllerTest  extends MockitoTestSuite{
 		assertEquals(expectedFieldValidator.getErrorCode(), actualFieldsValidator.getErrorCode());
 		assertEquals(expectedFieldValidator.getFields(), actualFieldsValidator.getFields());
 	}
+
+	@Test
+	public void postOnboardingWidgetXSSTest(){
+		EPUser user=mockUser.mockEPUser();
+		Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+		FieldsValidator actualFieldsValidator = null;
+		Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+		Mockito.when(rolesService.isSuperAdmin(user)).thenReturn(true);
+		Mockito.when(rolesService.isAccountAdmin(user)).thenReturn(true);
+		OnboardingWidget onboardingWidget=new OnboardingWidget();
+		onboardingWidget.id=12L;
+		onboardingWidget.appName="<script>alert(/XSS”)</script>";
+		onboardingWidget.normalize();
+		FieldsValidator expectedFieldValidator = new FieldsValidator();
+		List<FieldName> fields = new ArrayList<>();
+
+		expectedFieldValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE);
+		expectedFieldValidator.setFields(fields);
+		expectedFieldValidator.setErrorCode(null);
+		Mockito.when(widgetService.setOnboardingWidget(user, onboardingWidget)).thenReturn(expectedFieldValidator);
+		actualFieldsValidator = widgetsController.postOnboardingWidget(mockedRequest, onboardingWidget, mockedResponse);
+		assertEquals(expectedFieldValidator.getHttpStatusCode(), actualFieldsValidator.getHttpStatusCode());
+		assertEquals(expectedFieldValidator.getErrorCode(), actualFieldsValidator.getErrorCode());
+		assertEquals(expectedFieldValidator.getFields(), actualFieldsValidator.getFields());
+	}
 	
 	@Test
 	public void postOnboardingWidgetTestwiThoutUserPermission() {
@@ -218,7 +261,7 @@ public class WidgetsControllerTest  extends MockitoTestSuite{
 		OnboardingWidget onboardingWidget=new OnboardingWidget();
 		onboardingWidget.id=12L;
 		onboardingWidget.normalize();
-		//Mockito.doNothing().when(onboardingWidget).normalize();	
+		//Mockito.doNothing().when(onboardingWidget).normalize();
 		FieldsValidator expectedFieldValidator = new FieldsValidator();
 		List<FieldName> fields = new ArrayList<>();
author	Dominik Mizyn <d.mizyn@samsung.com>	2019-06-06 11:39:35 +0200
committer	Dominik Mizyn <d.mizyn@samsung.com>	2019-07-12 11:55:25 +0200
commit	5d37bb1bbd825616ef7b1622c71a2dce5239cc23 (patch)
tree	1a80faf69a9459f17700e5b9115ae21cee935855 /ecomp-portal-BE-common/src/test
parent	73248465fc2867a3dd1a6494afb6b0774c9028f2 (diff)