summaryrefslogtreecommitdiffstats
path: root/ecomp-portal-BE-common
diff options
context:
space:
mode:
authorDominik Mizyn <d.mizyn@samsung.com>2019-10-21 14:14:15 +0200
committerDominik Mizyn <d.mizyn@samsung.com>2019-10-24 15:54:49 +0200
commitbb6fb4c52904d119ba790d5d9c1f752649a74a0a (patch)
tree4c0ac451308e4dbb574f05243b0e59e4e9a78fde /ecomp-portal-BE-common
parent604bf4f45cf1f1726f1b8129963627ffb90b5f4c (diff)
Persistent XSS vulnerability in functionalMenuItem form fix
javax.validation.Validator used to fix this vulnerability issue. Issue-ID: OJSI-21 Change-Id: Ie13e17edb4c12c9d60baca7fc85cc46d4480b84b Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
Diffstat (limited to 'ecomp-portal-BE-common')
-rw-r--r--ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/FunctionalMenuController.java61
-rw-r--r--ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/FunctionalMenuItemWithRoles.java5
-rw-r--r--ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/FunctionalMenuControllerTest.java22
3 files changed, 63 insertions, 25 deletions
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/FunctionalMenuController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/FunctionalMenuController.java
index 4326eac3..97af4373 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/FunctionalMenuController.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/FunctionalMenuController.java
@@ -33,7 +33,7 @@
*
* ============LICENSE_END============================================
*
- *
+ *
*/
package org.onap.portalapp.portal.controller;
@@ -71,9 +71,11 @@ import org.onap.portalapp.portal.transport.FunctionalMenuItemWithRoles;
import org.onap.portalapp.portal.utils.EPCommonSystemProperties;
import org.onap.portalapp.portal.utils.EcompPortalUtils;
import org.onap.portalapp.util.EPUserUtils;
+import org.onap.portalapp.validation.DataValidator;
import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
import org.onap.portalsdk.core.util.SystemProperties;
import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.EnableAspectJAutoProxy;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
@@ -86,12 +88,13 @@ import org.springframework.web.bind.annotation.RestController;
* Supports menus at the top of the Portal app landing page.
*/
@RestController
-@org.springframework.context.annotation.Configuration
+@Configuration
@EnableAspectJAutoProxy
@EPAuditLog
public class FunctionalMenuController extends EPRestrictedBaseController {
private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(FunctionalMenuController.class);
+ private final DataValidator dataValidator = new DataValidator();
@Autowired
private AdminRolesService adminRolesService;
@@ -104,7 +107,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController {
/**
* RESTful service method to fetch all the FunctionalMenuItems.
- *
+ *
* @param request
* HttpServletRequest
* @param response
@@ -127,7 +130,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController {
/**
* RESTful service method to get ONAP Portal Title.
- *
+ *
* @param request
* HttpServletRequest
* @param response
@@ -152,7 +155,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController {
* RESTful service method to fetch all the FunctionalMenuItems, both active and
* inactive, for the EditFunctionalMenu feature. Can only be accessed by the
* portal admin.
- *
+ *
* @param request
* HttpServletRequest
* @param response
@@ -182,7 +185,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController {
/**
* RESTful service method to fetch all the FunctionalMenuItems, active , for the
* Functional menu in notification Tree feature.
- *
+ *
* @param request
* HttpServletRequest
* @param response
@@ -209,7 +212,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController {
/**
* RESTful service method to fetch all FunctionalMenuItems associated with an
* application.
- *
+ *
* @param request
* HttpServletRequest
* @param appId
@@ -236,7 +239,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController {
/**
* RESTful service method to fetch all FunctionalMenuItems associated with the
* applications and roles that a user has access to.
- *
+ *
* @param request
* HttpServletRequest
* @param orgUserId
@@ -264,7 +267,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController {
/**
* RESTful service method to fetch all FunctionalMenuItems associated with the
* applications and roles that the authenticated user has access to.
- *
+ *
* @param request
* HttpServletRequest
* @param response
@@ -299,7 +302,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController {
/**
* RESTful service method to fetch the details for a functional menu item.
* Requirement: you must be the ONAP portal super admin user.
- *
+ *
* @param request
* HttpServletRequest
* @param response
@@ -333,9 +336,9 @@ public class FunctionalMenuController extends EPRestrictedBaseController {
/**
* RESTful service method to create a new menu item.
- *
+ *
* Requirement: you must be the ONAP portal super admin user.
- *
+ *
* @param request
* HttpServletRequest
* @param response
@@ -349,6 +352,14 @@ public class FunctionalMenuController extends EPRestrictedBaseController {
@RequestBody FunctionalMenuItemWithRoles menuItemJson, HttpServletResponse response) {
EPUser user = EPUserUtils.getUserSession(request);
FieldsValidator fieldsValidator = null;
+
+ if(!dataValidator.isValid(menuItemJson)){
+ fieldsValidator = new FieldsValidator();
+ logger.warn(EELFLoggerDelegate.debugLogger,"FunctionalMenuController.createFunctionalMenuItem not valid object");
+ fieldsValidator.httpStatusCode = (long)HttpServletResponse.SC_NOT_ACCEPTABLE;
+ return fieldsValidator;
+ }
+
if (!adminRolesService.isSuperAdmin(user)) {
logger.debug(EELFLoggerDelegate.debugLogger,
"FunctionalMenuController.createFunctionalMenuItem bad permissions");
@@ -365,9 +376,9 @@ public class FunctionalMenuController extends EPRestrictedBaseController {
/**
* RESTful service method to update an existing menu item
- *
+ *
* Requirement: you must be the ONAP portal super admin user.
- *
+ *
* @param request
* HttpServletRequest
* @param response
@@ -381,6 +392,14 @@ public class FunctionalMenuController extends EPRestrictedBaseController {
@RequestBody FunctionalMenuItemWithRoles menuItemJson, HttpServletResponse response) {
EPUser user = EPUserUtils.getUserSession(request);
FieldsValidator fieldsValidator = null;
+
+ if(!dataValidator.isValid(menuItemJson)){
+ fieldsValidator = new FieldsValidator();
+ logger.warn(EELFLoggerDelegate.debugLogger,"FunctionalMenuController.createFunctionalMenuItem not valid object");
+ fieldsValidator.httpStatusCode = (long)HttpServletResponse.SC_NOT_ACCEPTABLE;
+ return fieldsValidator;
+ }
+
if (!adminRolesService.isSuperAdmin(user)) {
EcompPortalUtils.setBadPermissions(user, response, "editFunctionalMenuItem");
} else {
@@ -395,7 +414,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController {
/**
* RESTful service method to delete a menu item
- *
+ *
* @param request
* HttpServletRequest
* @param response
@@ -423,7 +442,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController {
/**
* RESTful service to regenerate table
- *
+ *
* @param request
* HttpServletRequest
* @param response
@@ -450,7 +469,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController {
/**
* RESful service to set a favorite item.
- *
+ *
* @param request
* HttpServletRequest
* @param response
@@ -476,7 +495,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController {
/**
* RESTful service to get favorites for the current user as identified in the
* session
- *
+ *
* @param request
* HttpServletRequest
* @param response
@@ -499,7 +518,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController {
/**
* RESTful service to delete a favorite menu item for the current user as
* identified in the session.
- *
+ *
* @param request
* HttpServletRequest
* @param response
@@ -528,7 +547,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController {
* session (i.e., the CSP cookie); if that fails, calls the shared context
* service to read the information from the database. Gives back what it found,
* any of which may be null, as a JSON collection.
- *
+ *
* @param request
* HttpServletRequest
* @param response
@@ -611,7 +630,7 @@ public class FunctionalMenuController extends EPRestrictedBaseController {
};
/**
- *
+ *
* @param request
* HttpServletRequest
* @param userId
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/FunctionalMenuItemWithRoles.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/FunctionalMenuItemWithRoles.java
index 825cad46..9226f220 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/FunctionalMenuItemWithRoles.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/FunctionalMenuItemWithRoles.java
@@ -39,6 +39,7 @@ package org.onap.portalapp.portal.transport;
import java.io.Serializable;
import java.util.List;
+import org.hibernate.validator.constraints.SafeHtml;
// This type is used to read the Json in from the API call from the Front End
public class FunctionalMenuItemWithRoles implements Serializable {
@@ -47,11 +48,11 @@ public class FunctionalMenuItemWithRoles implements Serializable {
public Long menuId;
public Integer column;
-
+ @SafeHtml
public String text;
public Integer parentMenuId;
-
+ @SafeHtml
public String url;
public Integer appid;
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/FunctionalMenuControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/FunctionalMenuControllerTest.java
index 84ee691e..79c85672 100644
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/FunctionalMenuControllerTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/FunctionalMenuControllerTest.java
@@ -175,6 +175,24 @@ public class FunctionalMenuControllerTest extends MockitoTestSuite {
}
+ @Test
+ public void editFunctionalMenuItemXSSTest(){
+ FunctionalMenuItemWithRoles menuItemJson = new FunctionalMenuItemWithRoles();
+ menuItemJson.url = "1<b>tes<img src=‘~‘ onerror=prompt(32)>t_menu";
+ FieldsValidator actualFieldsValidator = new FieldsValidator();
+ FieldsValidator expectedFieldsValidator = new FieldsValidator();
+ List<FieldName> fields = new ArrayList<>();
+ expectedFieldsValidator.setHttpStatusCode(406L);
+ expectedFieldsValidator.setFields(fields);
+ expectedFieldsValidator.setErrorCode(null);
+ EPUser user = mockUser.mockEPUser();
+ Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+ Mockito.when(adminRolesService.isSuperAdmin(user)).thenReturn(true);
+ Mockito.when(functionalMenuService.editFunctionalMenuItem(menuItemJson)).thenReturn(actualFieldsValidator);
+ actualFieldsValidator = functionalMenuController.editFunctionalMenuItem(mockedRequest, menuItemJson, mockedResponse);
+ assertEquals(actualFieldsValidator, expectedFieldsValidator);
+ }
+
@Test
public void getAppListTestIfAppDoesnotExistsInBusinessCardApplicationRolesList() throws IOException {
@@ -459,7 +477,7 @@ public class FunctionalMenuControllerTest extends MockitoTestSuite {
Mockito.when(adminRolesService.isSuperAdmin(user)).thenReturn(false);
Mockito.when(functionalMenuService.createFunctionalMenuItem(menuItemJson)).thenReturn(expectedFieldsValidator);
actualFieldsValidator = functionalMenuController.createFunctionalMenuItem(mockedRequest, menuItemJson, mockedResponse);
- assertEquals(actualFieldsValidator, expectedFieldsValidator);
+ assertEquals(expectedFieldsValidator, actualFieldsValidator);
}
@Test
@@ -574,7 +592,7 @@ public class FunctionalMenuControllerTest extends MockitoTestSuite {
Mockito.when(adminRolesService.isSuperAdmin(user)).thenReturn(false);
Mockito.when(functionalMenuService.editFunctionalMenuItem(menuItemJson)).thenReturn(actualFieldsValidator);
actualFieldsValidator = functionalMenuController.editFunctionalMenuItem(mockedRequest, menuItemJson, mockedResponse);
- assertEquals(actualFieldsValidator, expectedFieldsValidator);
+ assertEquals(expectedFieldsValidator, actualFieldsValidator);
}
@Test