diff options
author | Manoop Talasila <talasila@research.att.com> | 2019-07-22 19:32:19 +0000 |
---|---|---|
committer | Gerrit Code Review <gerrit@onap.org> | 2019-07-22 19:32:19 +0000 |
commit | 3efc4f4d7b5943a3ce3d3066f5935df1a82274f0 (patch) | |
tree | e45bdef21fd034e032252dc550ba6ec1216c3455 /ecomp-portal-BE-common | |
parent | 973207e0557c86a30723f3328b06cde5d0428373 (diff) | |
parent | b8a540c2aa08175b2d4c144c6a27d774c8e76acb (diff) |
Merge "XSS Vulnerability fix in AuxApiRequestMapperController"
Diffstat (limited to 'ecomp-portal-BE-common')
5 files changed, 352 insertions, 22 deletions
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/externalsystemapproval/model/ExternalSystemRoleApproval.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/externalsystemapproval/model/ExternalSystemRoleApproval.java index 550d11df..49eb469c 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/externalsystemapproval/model/ExternalSystemRoleApproval.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/externalsystemapproval/model/ExternalSystemRoleApproval.java @@ -38,13 +38,14 @@ package org.onap.portalapp.externalsystemapproval.model; import java.io.Serializable; +import org.hibernate.validator.constraints.SafeHtml; public class ExternalSystemRoleApproval implements Serializable { private static final long serialVersionUID = 6048830318039958615L; - + @SafeHtml private String roleName; - + @SafeHtml public String getRoleName() { return roleName; } diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/externalsystemapproval/model/ExternalSystemUser.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/externalsystemapproval/model/ExternalSystemUser.java index cfe49267..fa6c04e1 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/externalsystemapproval/model/ExternalSystemUser.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/externalsystemapproval/model/ExternalSystemUser.java @@ -40,15 +40,17 @@ package org.onap.portalapp.externalsystemapproval.model; import java.util.ArrayList; import java.util.List; +import javax.validation.Valid; +import org.hibernate.validator.constraints.SafeHtml; public class ExternalSystemUser { - + @SafeHtml private String loginId; - + @SafeHtml private String applicationName; - + @SafeHtml private String myloginrequestId; - + @Valid private List<ExternalSystemRoleApproval> roles; public ExternalSystemUser() { diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AuxApiRequestMapperController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AuxApiRequestMapperController.java index fe2c349f..9ca88c0f 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AuxApiRequestMapperController.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AuxApiRequestMapperController.java @@ -36,6 +36,8 @@ */ package org.onap.portalapp.portal.controller; +import com.fasterxml.jackson.databind.ObjectMapper; +import io.swagger.annotations.ApiOperation; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; import java.util.ArrayList; @@ -47,10 +49,8 @@ import java.util.Map; import java.util.jar.Attributes; import java.util.regex.Matcher; import java.util.regex.Pattern; - import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; - import org.onap.aaf.cadi.aaf.AAFPermission; import org.onap.portalapp.annotation.ApiVersion; import org.onap.portalapp.externalsystemapproval.model.ExternalSystemUser; @@ -67,6 +67,8 @@ import org.onap.portalapp.portal.transport.EpNotificationItem; import org.onap.portalapp.portal.transport.FavoritesFunctionalMenuItemJson; import org.onap.portalapp.portal.transport.FunctionalMenuItem; import org.onap.portalapp.portal.transport.OnboardingApp; +import org.onap.portalapp.validation.DataValidator; +import org.onap.portalapp.validation.SecureString; import org.onap.portalsdk.core.domain.Role; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; import org.onap.portalsdk.core.onboarding.crossapi.PortalAPIResponse; @@ -76,6 +78,7 @@ import org.springframework.beans.BeansException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.ApplicationContext; import org.springframework.context.ApplicationContextAware; +import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.EnableAspectJAutoProxy; import org.springframework.web.bind.annotation.PathVariable; import org.springframework.web.bind.annotation.RequestBody; @@ -85,18 +88,15 @@ import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.RestController; -import com.fasterxml.jackson.databind.ObjectMapper; - -import io.swagger.annotations.ApiOperation; - @RestController @RequestMapping("/auxapi") -@org.springframework.context.annotation.Configuration +@Configuration @EnableAspectJAutoProxy @EPAuditLog public class AuxApiRequestMapperController implements ApplicationContextAware, BasicAuthenticationController { private static EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AuxApiRequestMapperController.class); + private DataValidator dataValidator = new DataValidator(); ApplicationContext context = null; int minorVersion = 0; @@ -108,6 +108,13 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B @RequestMapping(value = { "/v3/user/{loginId}" }, method = RequestMethod.GET, produces = "application/json") public String getUser(HttpServletRequest request, HttpServletResponse response, @PathVariable("loginId") String loginId) throws Exception { + if (loginId!=null){ + SecureString secureLoginId = new SecureString(loginId); + if (!dataValidator.isValid(secureLoginId)) + return "Provided data is not valid"; + } + + Map<String, Object> res = getMethod(request, response); String answer = null; try { @@ -198,6 +205,12 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B @RequestMapping(value = { "/v3/function/{code}" }, method = RequestMethod.GET, produces = "application/json") public CentralV2RoleFunction getRoleFunction(HttpServletRequest request, HttpServletResponse response, @PathVariable("code") String code) throws Exception { + if (code!=null){ + SecureString secureCode = new SecureString(code); + if (!dataValidator.isValid(secureCode)) + return new CentralV2RoleFunction(); + } + Map<String, Object> res = getMethod(request, response); CentralV2RoleFunction roleFunction = null; try { @@ -214,13 +227,20 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B public PortalRestResponse<String> saveRoleFunction(HttpServletRequest request, HttpServletResponse response, @RequestBody String roleFunc) throws Exception { PortalRestResponse<String> result = null; + + if (roleFunc!=null){ + SecureString secureRoleFunc = new SecureString(roleFunc); + if(!dataValidator.isValid(secureRoleFunc)) + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "Provided data is not valid", "Failed"); + } + Map<String, Object> res = getMethod(request, response); try { result = (PortalRestResponse<String>) invokeMethod(res, request, response, roleFunc); return result; } catch (Exception e) { logger.error(EELFLoggerDelegate.errorLogger, "saveRoleFunction failed", e); - return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, e.getMessage(), "Failed"); + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, e.getMessage(), "Failed"); } } @@ -230,6 +250,13 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B public PortalRestResponse<String> deleteRoleFunction(HttpServletRequest request, HttpServletResponse response, @PathVariable("code") String code) throws Exception { PortalRestResponse<String> result = null; + + if (code!=null){ + SecureString secureCode = new SecureString(code); + if(!dataValidator.isValid(secureCode)) + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "Provided data is not valid", "Failed"); + } + Map<String, Object> res = getMethod(request, response); try { result = (PortalRestResponse<String>) invokeMethod(res, request, response, code); @@ -276,6 +303,14 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B public String getEcompUser(HttpServletRequest request, HttpServletResponse response, @PathVariable("loginId") String loginId) throws Exception { Map<String, Object> res = getMethod(request, response); + + if (loginId!=null){ + SecureString secureLoginId = new SecureString(loginId); + + if (!dataValidator.isValid(secureLoginId)) + return null; + } + String answer = null; try { answer = (String) invokeMethod(res, request, response, loginId); @@ -319,6 +354,14 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B @RequestMapping(value = { "/v3/extendSessionTimeOuts" }, method = RequestMethod.POST) public Boolean extendSessionTimeOuts(HttpServletRequest request, HttpServletResponse response, @RequestParam String sessionMap) throws Exception { + + if (sessionMap!=null){ + SecureString secureSessionMap = new SecureString(sessionMap); + if (!dataValidator.isValid(secureSessionMap)){ + return null; + } + } + Map<String, Object> res = getMethod(request, response); Boolean ans = null; try { @@ -347,6 +390,12 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B @ApiOperation(value = "Accepts data from partner applications with web analytics data.", response = PortalAPIResponse.class) public PortalAPIResponse storeAnalyticsScript(HttpServletRequest request, HttpServletResponse response, @RequestBody Analytics analyticsMap) throws Exception { + + if (analyticsMap!=null){ + if (!dataValidator.isValid(analyticsMap)) + return new PortalAPIResponse(false, "analyticsScript is not valid"); + } + Map<String, Object> res = getMethod(request, response); PortalAPIResponse ans = new PortalAPIResponse(true, "error"); try { @@ -715,6 +764,12 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B @RequestMapping(value = { "/v3/userProfile" }, method = RequestMethod.POST, produces = "application/json") public PortalRestResponse<String> postUserProfile(HttpServletRequest request, @RequestBody ExternalSystemUser extSysUser, HttpServletResponse response) { + + if (extSysUser!=null){ + if (!dataValidator.isValid(extSysUser)) + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ExternalSystemUser is not valid", "Failed"); + } + PortalRestResponse<String> result = null; Map<String, Object> res = getMethod(request, response); try { @@ -731,6 +786,12 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B @RequestMapping(value = { "/v3/userProfile" }, method = RequestMethod.PUT, produces = "application/json") public PortalRestResponse<String> putUserProfile(HttpServletRequest request, @RequestBody ExternalSystemUser extSysUser, HttpServletResponse response) { + + if (extSysUser!=null){ + if (!dataValidator.isValid(extSysUser)) + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ExternalSystemUser is not valid", "Failed"); + } + PortalRestResponse<String> result = null; Map<String, Object> res = getMethod(request, response); try { @@ -747,6 +808,12 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B @RequestMapping(value = { "/v3/userProfile" }, method = RequestMethod.DELETE, produces = "application/json") public PortalRestResponse<String> deleteUserProfile(HttpServletRequest request, @RequestBody ExternalSystemUser extSysUser, HttpServletResponse response) { + + if (extSysUser!=null){ + if (!dataValidator.isValid(extSysUser)) + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ExternalSystemUser is not valid", "Failed"); + } + PortalRestResponse<String> result = null; Map<String, Object> res = getMethod(request, response); try { @@ -763,6 +830,13 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B @RequestMapping(value = { "/v3/ticketevent" }, method = RequestMethod.POST) public PortalRestResponse<String> handleRequest(HttpServletRequest request, HttpServletResponse response, @RequestBody String ticketEventJson) throws Exception { + + if (ticketEventJson!=null){ + SecureString secureTicketEventJson = new SecureString(ticketEventJson); + if (!dataValidator.isValid(secureTicketEventJson)) + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ticketEventJson is not valid", "Failed"); + } + PortalRestResponse<String> result = null; Map<String, Object> res = getMethod(request, response); try { @@ -780,6 +854,12 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B @ResponseBody public PortalRestResponse<String> postPortalAdmin(HttpServletRequest request, HttpServletResponse response, @RequestBody EPUser epUser) { + + if (epUser!=null){ + if (!dataValidator.isValid(epUser)) + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "EPUser is not valid", "Failed"); + } + PortalRestResponse<String> result = null; Map<String, Object> res = getMethod(request, response); try { @@ -812,6 +892,12 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B @ResponseBody public PortalRestResponse<String> postOnboardAppExternal(HttpServletRequest request, HttpServletResponse response, @RequestBody OnboardingApp newOnboardApp) { + + if (newOnboardApp!=null){ + if (!dataValidator.isValid(newOnboardApp)) + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "OnboardingApp is not valid", "Failed"); + } + PortalRestResponse<String> result = new PortalRestResponse<>(); Map<String, Object> res = getMethod(request, response); try { @@ -830,7 +916,13 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B @ResponseBody public PortalRestResponse<String> putOnboardAppExternal(HttpServletRequest request, HttpServletResponse response, @PathVariable("appId") Long appId, @RequestBody OnboardingApp oldOnboardApp) { - PortalRestResponse<String> result = new PortalRestResponse<>(); + + if (oldOnboardApp!=null){ + if (!dataValidator.isValid(oldOnboardApp)) + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "OnboardingApp is not valid", "Failed"); + } + + PortalRestResponse<String> result; Map<String, Object> res = getMethod(request, response); try { result = (PortalRestResponse<String>) invokeMethod(res, request, response, appId, oldOnboardApp); @@ -845,12 +937,16 @@ public class AuxApiRequestMapperController implements ApplicationContextAware, B @RequestMapping(value = { "/v3/publishNotification" }, method = RequestMethod.POST, produces = "application/json") @ResponseBody public PortalAPIResponse publishNotification(HttpServletRequest request, - @RequestBody EpNotificationItem notificationItem, HttpServletResponse response) throws Exception { - PortalAPIResponse result = new PortalAPIResponse(true, "success"); + @RequestBody EpNotificationItem notificationItem, HttpServletResponse response) { + + if (notificationItem!=null){ + if (!dataValidator.isValid(notificationItem)) + return new PortalAPIResponse(false, "EpNotificationItem is not valid"); + } + Map<String, Object> res = getMethod(request, response); try { - result = (PortalAPIResponse) invokeMethod(res, request, response, notificationItem); - return result; + return (PortalAPIResponse) invokeMethod(res, request, response, notificationItem); } catch (Exception e) { logger.error(EELFLoggerDelegate.errorLogger, "publishNotification failed", e); return new PortalAPIResponse(false, e.getMessage()); diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/Analytics.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/Analytics.java index 2d85e8f2..f5ca1832 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/Analytics.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/Analytics.java @@ -38,14 +38,19 @@ package org.onap.portalapp.portal.transport; import com.fasterxml.jackson.annotation.JsonInclude; +import org.hibernate.validator.constraints.SafeHtml; @JsonInclude(JsonInclude.Include.NON_NULL) public class Analytics { - + @SafeHtml private String action; + @SafeHtml private String page; + @SafeHtml private String function; + @SafeHtml private String userid; + @SafeHtml private String type; public String getType() { diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AuxApiRequestMapperControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AuxApiRequestMapperControllerTest.java index e7303313..5f49c744 100644 --- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AuxApiRequestMapperControllerTest.java +++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AuxApiRequestMapperControllerTest.java @@ -45,10 +45,8 @@ import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; - import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; - import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; @@ -68,6 +66,7 @@ import org.onap.portalapp.portal.transport.Analytics; import org.onap.portalapp.portal.transport.EpNotificationItem; import org.onap.portalapp.portal.transport.OnboardingApp; import org.onap.portalsdk.core.domain.Role; +import org.onap.portalsdk.core.onboarding.crossapi.PortalAPIResponse; import org.powermock.api.mockito.PowerMockito; import org.powermock.core.classloader.annotations.PrepareForTest; import org.powermock.modules.junit4.PowerMockRunner; @@ -114,6 +113,21 @@ public class AuxApiRequestMapperControllerTest { Mockito.when(mockedRequest.getMethod()).thenReturn("GET"); assertNull(auxApiRequestMapperController.getUser(mockedRequest, mockedResponse, "test12")); } + + @Test + public void getUserXSSTest() throws Exception { + Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/roles"); + Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); + Map<String, Object> beans = new HashMap<>(); + beans.put("bean1", rolesController); + Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans); + PowerMockito.mockStatic(AopUtils.class); + Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); + Mockito.when(mockedRequest.getMethod()).thenReturn("GET"); + String expected = "Provided data is not valid"; + String actual = auxApiRequestMapperController.getUser(mockedRequest, mockedResponse, "“><script>alert(“XSS”)</script>"); + assertEquals(expected, actual); + } @Test public void getUserTestWithException() throws Exception { @@ -233,6 +247,7 @@ public class AuxApiRequestMapperControllerTest { assertNull(auxApiRequestMapperController.getRoleFunction(mockedRequest, mockedResponse, "test")); } + @Test public void saveRoleFunctionTest() throws Exception { Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/roleFunction"); @@ -248,6 +263,21 @@ public class AuxApiRequestMapperControllerTest { } @Test + public void saveRoleFunctionXSSTest() throws Exception { + Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/roleFunction"); + Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); + Map<String, Object> beans = new HashMap<>(); + beans.put("bean1", rolesController); + Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans); + PowerMockito.mockStatic(AopUtils.class); + Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); + Mockito.when(mockedRequest.getMethod()).thenReturn("POST"); + PortalRestResponse<String> actual = auxApiRequestMapperController.saveRoleFunction(mockedRequest, mockedResponse, "<script>alert(123)</script>"); + PortalRestResponse<String> expected = new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "Provided data is not valid", "Failed"); + assertEquals(expected, actual); + } + + @Test public void deleteRoleFunctionTest() throws Exception { Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/roleFunction/test"); Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); @@ -261,6 +291,22 @@ public class AuxApiRequestMapperControllerTest { } @Test + public void deleteRoleFunctionXSSTest() throws Exception { + Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/roleFunction/test"); + Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); + Map<String, Object> beans = new HashMap<>(); + beans.put("bean1", rolesController); + Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans); + PowerMockito.mockStatic(AopUtils.class); + Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); + Mockito.when(mockedRequest.getMethod()).thenReturn("DELETE"); + PortalRestResponse<String> actual = auxApiRequestMapperController.deleteRoleFunction(mockedRequest, mockedResponse, + "<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}"); + PortalRestResponse<String> expected = new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "Provided data is not valid", "Failed"); + assertEquals(expected, actual); + } + + @Test public void deleteRoleTest() throws Exception { Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/deleteRole/1"); Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); @@ -300,6 +346,19 @@ public class AuxApiRequestMapperControllerTest { } @Test + public void getEcompUserXSSTest() throws Exception { + Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v4/user/test"); + Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); + Map<String, Object> beans = new HashMap<>(); + beans.put("bean1", rolesController); + Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans); + PowerMockito.mockStatic(AopUtils.class); + Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); + Mockito.when(mockedRequest.getMethod()).thenReturn("GET"); + assertNull(auxApiRequestMapperController.getEcompUser(mockedRequest, mockedResponse, "<script>alert(‘XSS’)</script>")); + } + + @Test public void getEcompRolesOfApplicationTest() throws Exception { Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v4/roles"); Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); @@ -340,6 +399,20 @@ public class AuxApiRequestMapperControllerTest { } @Test + public void extendSessionTimeOutsXSSTest() throws Exception { + String sessionMap = "<script>alert(“XSS”)</script>"; + Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/extendSessionTimeOuts"); + Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); + Map<String, Object> beans = new HashMap<>(); + beans.put("bean1", sessionCommunicationController); + Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans); + PowerMockito.mockStatic(AopUtils.class); + Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); + Mockito.when(mockedRequest.getMethod()).thenReturn("POST"); + assertNull(auxApiRequestMapperController.extendSessionTimeOuts(mockedRequest, mockedResponse, sessionMap)); + } + + @Test public void getAnalyticsScriptTest() throws Exception { Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/analytics"); Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); @@ -367,6 +440,23 @@ public class AuxApiRequestMapperControllerTest { } @Test + public void storeAnalyticsScriptXSSTest() throws Exception { + Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/storeAnalytics"); + Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); + Map<String, Object> beans = new HashMap<>(); + beans.put("bean1", webAnalyticsExtAppController); + Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans); + PowerMockito.mockStatic(AopUtils.class); + Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); + Mockito.when(mockedRequest.getMethod()).thenReturn("POST"); + Analytics analyticsMap = new Analytics(); + analyticsMap.setPage("<script>alert(“XSS”);</script>"); + PortalAPIResponse actual = auxApiRequestMapperController.storeAnalyticsScript(mockedRequest, mockedResponse, analyticsMap); + PortalAPIResponse expected = new PortalAPIResponse(true, "analyticsScript is not valid"); + assertEquals(expected.getMessage(), actual.getMessage()); + } + + @Test public void bulkUploadFunctionsTest() throws Exception { Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/upload/portal/functions"); Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); @@ -532,6 +622,23 @@ public class AuxApiRequestMapperControllerTest { } @Test + public void postUserProfileXSSTest() { + Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/userProfile"); + Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); + Map<String, Object> beans = new HashMap<>(); + beans.put("bean1", rolesApprovalSystemController); + Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans); + PowerMockito.mockStatic(AopUtils.class); + Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); + Mockito.when(mockedRequest.getMethod()).thenReturn("POST"); + ExternalSystemUser extSysUser = new ExternalSystemUser(); + extSysUser.setLoginId("<script>alert(“XSS”);</script>"); + PortalRestResponse<String> actual = auxApiRequestMapperController.postUserProfile(mockedRequest, extSysUser, mockedResponse); + PortalRestResponse<String> expected = new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ExternalSystemUser is not valid", "Failed"); + assertEquals(expected, actual); + } + + @Test public void putUserProfileTest() throws Exception { Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/userProfile"); Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); @@ -546,6 +653,23 @@ public class AuxApiRequestMapperControllerTest { } @Test + public void putUserProfileXSSTest() { + Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/userProfile"); + Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); + Map<String, Object> beans = new HashMap<>(); + beans.put("bean1", rolesApprovalSystemController); + Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans); + PowerMockito.mockStatic(AopUtils.class); + Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); + Mockito.when(mockedRequest.getMethod()).thenReturn("POST"); + ExternalSystemUser extSysUser = new ExternalSystemUser(); + extSysUser.setLoginId("<script>alert(“XSS”);</script>"); + PortalRestResponse<String> actual = auxApiRequestMapperController.putUserProfile(mockedRequest, extSysUser, mockedResponse); + PortalRestResponse<String> expected = new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ExternalSystemUser is not valid", "Failed"); + assertEquals(expected, actual); + } + + @Test public void deleteUserProfileTest() throws Exception { Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/userProfile"); Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); @@ -560,6 +684,23 @@ public class AuxApiRequestMapperControllerTest { } @Test + public void deleteUserProfileXSSTest() throws Exception { + Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/userProfile"); + Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); + Map<String, Object> beans = new HashMap<>(); + beans.put("bean1", rolesApprovalSystemController); + Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans); + PowerMockito.mockStatic(AopUtils.class); + Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); + Mockito.when(mockedRequest.getMethod()).thenReturn("DELETE"); + ExternalSystemUser extSysUser = new ExternalSystemUser(); + extSysUser.setLoginId("<script>alert(“XSS”);</script>"); + PortalRestResponse<String> actual = auxApiRequestMapperController.deleteUserProfile(mockedRequest, extSysUser, mockedResponse); + PortalRestResponse<String> expected = new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ExternalSystemUser is not valid", "Failed"); + assertEquals(expected, actual); + } + + @Test public void handleRequestTest() throws Exception { Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/ticketevent"); Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); @@ -573,6 +714,21 @@ public class AuxApiRequestMapperControllerTest { } @Test + public void handleRequestXSSTest() throws Exception { + Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/ticketevent"); + Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); + Map<String, Object> beans = new HashMap<>(); + beans.put("bean1", ticketEventVersionController); + Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans); + PowerMockito.mockStatic(AopUtils.class); + Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); + Mockito.when(mockedRequest.getMethod()).thenReturn("POST"); + PortalRestResponse<String> actual = auxApiRequestMapperController.handleRequest(mockedRequest, mockedResponse, "<script>alert(“XSS”);</script>"); + PortalRestResponse<String> expected = new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ticketEventJson is not valid", "Failed"); + assertEquals(expected, actual); + } + + @Test public void postPortalAdminTest() throws Exception { Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/portalAdmin"); Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); @@ -587,6 +743,23 @@ public class AuxApiRequestMapperControllerTest { } @Test + public void postPortalAdminXSSTest() throws Exception { + Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/portalAdmin"); + Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); + Map<String, Object> beans = new HashMap<>(); + beans.put("bean1", appsControllerExternalVersionRequest); + Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans); + PowerMockito.mockStatic(AopUtils.class); + Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); + Mockito.when(mockedRequest.getMethod()).thenReturn("POST"); + EPUser epUser = new EPUser(); + epUser.setLoginId("<script>alert(/XSS”)</script>"); + PortalRestResponse<String> actual = auxApiRequestMapperController.postPortalAdmin(mockedRequest, mockedResponse, epUser); + PortalRestResponse<String> expected = new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "EPUser is not valid", "Failed"); + assertEquals(expected, actual); + } + + @Test public void getOnboardAppExternalTest() throws Exception { Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/onboardApp/1"); Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); @@ -614,6 +787,23 @@ public class AuxApiRequestMapperControllerTest { } @Test + public void postOnboardAppExternalXSSTest() throws Exception { + Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/onboardApp"); + Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); + Map<String, Object> beans = new HashMap<>(); + beans.put("bean1", appsControllerExternalVersionRequest); + Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans); + PowerMockito.mockStatic(AopUtils.class); + Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); + Mockito.when(mockedRequest.getMethod()).thenReturn("POST"); + OnboardingApp newOnboardApp = new OnboardingApp(); + newOnboardApp.setUebKey("�</form><input type=\"date\" onfocus=\"alert(1)\">"); + PortalRestResponse<String> actual = auxApiRequestMapperController.postOnboardAppExternal(mockedRequest, mockedResponse, newOnboardApp); + PortalRestResponse<String> expected = new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "OnboardingApp is not valid", "Failed"); + assertEquals(expected, actual); + } + + @Test public void putOnboardAppExternalTest() throws Exception { Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/onboardApp/1"); Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); @@ -629,6 +819,24 @@ public class AuxApiRequestMapperControllerTest { } @Test + public void putOnboardAppExternalXSSTest() throws Exception { + Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/onboardApp/1"); + Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); + Map<String, Object> beans = new HashMap<>(); + beans.put("bean1", appsControllerExternalVersionRequest); + Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans); + PowerMockito.mockStatic(AopUtils.class); + Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); + Mockito.when(mockedRequest.getMethod()).thenReturn("PUT"); + OnboardingApp newOnboardApp = new OnboardingApp(); + newOnboardApp.setUebTopicName(" <blink/ onmouseover=prompt(1)>OnMouseOver {Firefox & Opera}"); + PortalRestResponse<String> actual = auxApiRequestMapperController.putOnboardAppExternal(mockedRequest, mockedResponse, (long) 1, + newOnboardApp); + PortalRestResponse<String> expected = new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "OnboardingApp is not valid", "Failed"); + assertEquals(expected, actual); + } + + @Test public void publishNotificationTest() throws Exception { Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/publishNotification"); Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); @@ -643,6 +851,24 @@ public class AuxApiRequestMapperControllerTest { } @Test + public void publishNotificationXSSTest() throws Exception { + Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/publishNotification"); + Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); + Map<String, Object> beans = new HashMap<>(); + beans.put("bean1", externalAppsRestfulVersionController); + Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans); + PowerMockito.mockStatic(AopUtils.class); + Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); + Mockito.when(mockedRequest.getMethod()).thenReturn("POST"); + EpNotificationItem notificationItem = new EpNotificationItem(); + notificationItem.setIsForAllRoles("</svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert(1) {Opera}"); + PortalAPIResponse actual = auxApiRequestMapperController.publishNotification(mockedRequest, notificationItem, mockedResponse); + PortalAPIResponse expected = new PortalAPIResponse(false, "EpNotificationItem is not valid"); + assertEquals(expected.getMessage(), actual.getMessage()); + assertEquals(expected.getStatus(), actual.getStatus()); + } + + @Test public void getFavoritesForUserTest() throws Exception { Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/getFavorites"); Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); |