diff options
| author |   Dominik Mizyn <d.mizyn@samsung.com> | 2019-05-31 15:35:38 +0200 |
|---|---|---|
| committer | Dominik Mizyn <d.mizyn@samsung.com> | 2019-05-31 15:35:47 +0200 |
| commit | a665aa372b189efa98bfe17ce485c053bc0754e4 (patch) | |
| tree | 8639f43c1bd9bcbe74e2b2ef208c7ebcaf246d09 /ecomp-portal-BE-common/src | |
| parent | 37f9e0c51405b634fea0d9fadafdb7d55190233d (diff) | |
XSS Vulnerability fix in TicketEventController
@SafeHtml and SecureString used to fix this issue;
Issue-ID: OJSI-209
Change-Id: I588872839696c824135bab88c100b31c23d960ba
Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
Diffstat (limited to 'ecomp-portal-BE-common/src')
2 files changed, 31 insertions, 1 deletions
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/TicketEventController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/TicketEventController.java index b9f6f76d..71f7f81a 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/TicketEventController.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/TicketEventController.java @@ -47,6 +47,10 @@ import java.util.Set; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.validation.ConstraintViolation; +import javax.validation.Validation; +import javax.validation.Validator; +import javax.validation.ValidatorFactory; import org.onap.portalapp.portal.domain.EPUser; import org.onap.portalapp.portal.ecomp.model.PortalRestResponse; import org.onap.portalapp.portal.ecomp.model.PortalRestStatusEnum; @@ -56,6 +60,7 @@ import org.onap.portalapp.portal.service.UserNotificationService; import org.onap.portalapp.portal.transport.EpNotificationItem; import org.onap.portalapp.portal.transport.EpRoleNotificationItem; import org.onap.portalapp.portal.utils.PortalConstants; +import org.onap.portalapp.validation.SecureString; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Configuration; @@ -80,7 +85,7 @@ import io.swagger.annotations.ApiOperation; @EnableAspectJAutoProxy @EPAuditLog public class TicketEventController implements BasicAuthenticationController { - + private static final ValidatorFactory VALIDATOR_FACTORY = Validation.buildDefaultValidatorFactory(); @Autowired private UserNotificationService userNotificationService; @@ -105,6 +110,19 @@ public class TicketEventController implements BasicAuthenticationController { logger.debug(EELFLoggerDelegate.debugLogger, "Ticket Event notification" + ticketEventJson); PortalRestResponse<String> portalResponse = new PortalRestResponse<>(); + + if (ticketEventJson!=null){ + SecureString secureString = new SecureString(ticketEventJson); + Validator validator = VALIDATOR_FACTORY.getValidator(); + + Set<ConstraintViolation<SecureString>> constraintViolations = validator.validate(secureString); + if (!constraintViolations.isEmpty()){ + portalResponse.setStatus(PortalRestStatusEnum.ERROR); + portalResponse.setMessage("Data is not valid"); + return portalResponse; + } + } + try { JsonNode ticketEventNotif = mapper.readTree(ticketEventJson); diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/TicketEventControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/TicketEventControllerTest.java index aca7c1b3..211462d1 100644 --- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/TicketEventControllerTest.java +++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/TicketEventControllerTest.java @@ -151,6 +151,18 @@ public class TicketEventControllerTest { } @Test + public void saveXSSTest() throws Exception { + String ticketEventJson = "<iframe %00 src=\"	javascript:prompt(1)	\"%00>"; + PortalRestResponse<String> actualPortalRestResponse; + PortalRestResponse<String> expectedPortalRestResponse = new PortalRestResponse<>(); + expectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR); + expectedPortalRestResponse.setMessage("Data is not valid"); + actualPortalRestResponse = ticketEventController.handleRequest(mockedRequest, + mockedResponse, ticketEventJson); + assertEquals(expectedPortalRestResponse, actualPortalRestResponse); + } + + @Test public void saveTestForException() throws Exception { String ticketEventJson = "\"event\": {\"body\": {\"ticketStatePhrase\": \"We recently detected a problem with the equipment at your site. The event is in queue for immediate work.\", \"ivrNotificationFlag\": \"1\",\"expectedRestoreDate\": 0,\"bridgeTransport\": \"AOTS\", \"reptRequestType\": 0,\"ticketNum\": \"000002000857405\",\"assetID\": \"CISCO_1921C1_ISR_G2\", \"eventDate\": 1490545134601,\"eventAbstract\": \"ospfIfConfigError trap received from Cisco_1921c1_ISR_G2 with arguments: ospfRouterId=Cisco_1921c1_ISR_G2; ospfIfIpAddress=1921c1_288266; ospfAddressLessIf=0; ospfPacketSrc=172.17.0.11; ospfConfigErrorType=2; ospfPacketType=1\",\"severity\": \"2 - Major\",\"ticketPriority\": \"3\",\"reportedCustomerImpact\": 0,\"testAutoIndicator\": 0,\"supportGroupName\": \"US-TEST-ORT\",\"lastModifiedDate\": \"1487687703\",\"messageGroup\": \"SNMP\",\"csi\": 0,\"mfabRestoredTime\": 0},\"header\": {\"timestamp\": \"2017-02-21T14:35:05.219+0000\",\"eventSource\": \"aotstm\",\"entityId\": \"000002000857405\", \"sequenceNumber\": 2 },\"blinkMsgId\": \"f38c071e-1a47-4b55-9e72-1db830100a61\",\"sourceIP\": \"130.4.165.158\"},\"SubscriberInfo\": {\"UserList\": [\"hk8777\"] }}"; PortalRestResponse<String> actualPortalRestResponse = ticketEventController.handleRequest(mockedRequest, |