Merge "XSS Vulnerability fix in RoleManageController"

1 files changed, 79 insertions, 0 deletions

diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/RoleManageControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/RoleManageControllerTest.java
index 8bfa39c3..9673cb2c 100644
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/RoleManageControllerTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/RoleManageControllerTest.java
@@ -371,6 +371,48 @@ public class RoleManageControllerTest {
 	}
 
 	@Test
+	public void saveRoleFunctionXSSTest() throws Exception {
+		PowerMockito.mockStatic(EPUserUtils.class);
+		PowerMockito.mockStatic(EcompPortalUtils.class);
+		EPUser user = mockUser.mockEPUser();
+		Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+		Mockito.when(EcompPortalUtils.checkIfRemoteCentralAccessAllowed()).thenReturn(true);
+		Mockito.when(adminRolesService.isAccountAdminOfApplication(user, CentralApp())).thenReturn(true);
+		Mockito.when(appService.getApp((long) 1)).thenReturn(CentralApp());
+		Mockito.doNothing().when(roleFunctionListController).saveRoleFunction(mockedRequest, mockedResponse, "test");
+		CentralV2RoleFunction addNewFunc = new CentralV2RoleFunction();
+		addNewFunc.setCode("“><script>alert(“XSS”)</script>");
+		addNewFunc.setType("Test");
+		addNewFunc.setAction("Test");
+		addNewFunc.setName("Test");
+		CentralV2RoleFunction roleFunction = mockCentralRoleFunction();
+		roleFunction.setCode("Test|Test|Test");
+		Mockito.when(externalAccessRolesService.getRoleFunction("Test|Test|Test", "test")).thenReturn(roleFunction);
+		Mockito.when(externalAccessRolesService.saveCentralRoleFunction(Matchers.anyObject(), Matchers.anyObject()))
+			.thenReturn(true);
+		Mockito.when(EcompPortalUtils.getFunctionCode(roleFunction.getCode())).thenReturn("Test");
+		Mockito.when(EcompPortalUtils.getFunctionType(roleFunction.getCode())).thenReturn("Test");
+		Mockito.when(EcompPortalUtils.getFunctionAction(roleFunction.getCode())).thenReturn("Test");
+		Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+		List<EPUser> userList = new ArrayList<>();
+		userList.add(user);
+		List<EPApp> appList = new ArrayList<>();
+		appList.add(CentralApp());
+		Mockito.when(externalAccessRolesService.getUser("guestT")).thenReturn(userList);
+		StringWriter sw = new StringWriter();
+		PrintWriter writer = new PrintWriter(sw);
+		Mockito.when(mockedResponse.getWriter()).thenReturn(writer);
+		ResponseEntity<String> response = new ResponseEntity<>(HttpStatus.OK);
+		Mockito.when(externalAccessRolesService.getNameSpaceIfExists(Matchers.anyObject())).thenReturn(response);
+		Mockito.when(externalAccessRolesService.getApp(Matchers.anyString())).thenReturn(appList);
+		PortalRestResponse<String> actual = roleManageController.saveRoleFunction(mockedRequest, mockedResponse,
+			addNewFunc, (long) 1);
+		PortalRestResponse<String> expected = new PortalRestResponse<String>(PortalRestStatusEnum.ERROR,
+			"Data is not valid", "ERROR");
+		assertEquals(expected, actual);
+	}
+
+	@Test
 	public void saveRoleFunctionExceptionTest() throws Exception {
 		Mockito.when(appService.getApp((long) 1)).thenReturn(CentralApp());
 		Mockito.doNothing().when(roleFunctionListController).saveRoleFunction(mockedRequest, mockedResponse, "test");
@@ -421,6 +463,36 @@ public class RoleManageControllerTest {
 	}
 
 	@Test
+	public void removeRoleFunctionXSSTest() throws Exception {
+		PowerMockito.mockStatic(EPUserUtils.class);
+		PowerMockito.mockStatic(EcompPortalUtils.class);
+		EPUser user = mockUser.mockEPUser();
+		Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+		Mockito.when(EcompPortalUtils.checkIfRemoteCentralAccessAllowed()).thenReturn(true);
+		Mockito.when(adminRolesService.isAccountAdminOfApplication(user, CentralApp())).thenReturn(true);
+		Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+		Mockito.when(appService.getApp((long) 1)).thenReturn(CentralApp());
+		String roleFun = "<script>alert(/XSS”)</script>";
+		CentralV2RoleFunction roleFunction = mockCentralRoleFunction();
+		Mockito.when(externalAccessRolesService.getRoleFunction("Test|Test|Test", "test")).thenReturn(roleFunction);
+		StringWriter sw = new StringWriter();
+		PrintWriter writer = new PrintWriter(sw);
+		Mockito.when(mockedResponse.getWriter()).thenReturn(writer);
+		Mockito.when(externalAccessRolesService.deleteCentralRoleFunction(Matchers.anyString(), Matchers.anyObject()))
+			.thenReturn(true);
+		List<EPApp> appList = new ArrayList<>();
+		appList.add(CentralApp());
+		ResponseEntity<String> response = new ResponseEntity<>(HttpStatus.OK);
+		Mockito.when(externalAccessRolesService.getNameSpaceIfExists(Matchers.anyObject())).thenReturn(response);
+		Mockito.when(externalAccessRolesService.getApp(Matchers.anyString())).thenReturn(appList);
+		PortalRestResponse<String> actual = roleManageController.removeRoleFunction(mockedRequest, mockedResponse,
+			roleFun, (long) 1);
+		PortalRestResponse<String> expected = new PortalRestResponse<String>(PortalRestStatusEnum.ERROR,
+			"Data is not valid", "ERROR");
+		assertEquals(expected, actual);
+	}
+
+	@Test
 	public void removeRoleFunctionExceptionTest() throws Exception {
 		EPUser user = mockUser.mockEPUser();
 		Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
@@ -908,6 +980,13 @@ public class RoleManageControllerTest {
 		List<CentralizedApp> actual  = roleManageController.getCentralizedAppRoles(mockedRequest, mockedResponse, user.getOrgUserId());
 		assertEquals(cenApps.size(), actual.size());
 	}
+
+	@Test
+	public void getCentralizedAppRolesXSSTest() throws IOException {
+		String id = ("<ScRipT>alert(\"XSS\");</ScRipT>");
+		List<CentralizedApp> actual  = roleManageController.getCentralizedAppRoles(mockedRequest, mockedResponse, id);
+		assertNull(actual);
+	}
 	
 	@Test
 	public void getCentralizedAppRolesExceptionTest() throws IOException {