diff options
| author |   Sunder Tattavarada <statta@research.att.com> | 2019-06-14 16:07:42 +0000 |
|---|---|---|
| committer |   Gerrit Code Review <gerrit@onap.org> | 2019-06-14 16:07:42 +0000 |
| commit | e496b1b94a07e7995fefd8113c0fbe25953322ea (patch) | |
| tree | f3daff0ffe4a5709abd5814f82f108834e6538e4 /ecomp-portal-BE-os/src/main | |
| parent | 3462e289aec5880f3e2f2f23ce4b5f70160ba7f4 (diff) | |
| parent | 7b634d6019b6fb31a120f7810af095feb7a0317d (diff) | |
Merge "XSS Vulnerability fix in AppsOSController"
Diffstat (limited to 'ecomp-portal-BE-os/src/main')
| -rw-r--r-- | ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java | 24 |
1 files changed, 21 insertions, 3 deletions
diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java index ed540551..915c5e08 100644 --- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java +++ b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java @@ -40,8 +40,13 @@ package org.onap.portalapp.portal.controller; import java.util.HashMap; import java.util.Map; +import java.util.Set; import javax.servlet.http.HttpServletRequest; +import javax.validation.ConstraintViolation; +import javax.validation.Validation; +import javax.validation.Validator; +import javax.validation.ValidatorFactory; import org.json.JSONObject; import org.onap.portalapp.portal.controller.AppsController; import org.onap.portalapp.portal.domain.EPUser; @@ -53,6 +58,7 @@ import org.onap.portalapp.portal.service.EPAppService; import org.onap.portalapp.portal.service.PersUserAppService; import org.onap.portalapp.portal.service.UserService; import org.onap.portalapp.util.EPUserUtils; +import org.onap.portalapp.validation.SecureString; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.EnableAspectJAutoProxy; @@ -67,6 +73,7 @@ import org.springframework.web.bind.annotation.RestController; @EnableAspectJAutoProxy @EPAuditLog public class AppsOSController extends AppsController { + private static final ValidatorFactory validatorFactory = Validation.buildDefaultValidatorFactory(); static final String FAILURE = "failure"; EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppsOSController.class); @@ -113,9 +120,20 @@ public class AppsOSController extends AppsController { @RequestMapping(value = { "/portalApi/currentUserProfile/{loginId}" }, method = RequestMethod.GET, produces = "application/json") public String getCurrentUserProfile(HttpServletRequest request, @PathVariable("loginId") String loginId) { + + if(loginId != null){ + Validator validator = validatorFactory.getValidator(); + SecureString secureString = new SecureString(loginId); + Set<ConstraintViolation<SecureString>> constraintViolations = validator.validate(secureString); + + if (!constraintViolations.isEmpty()){ + return "loginId is not valid"; + } + } + - Map<String,String> map = new HashMap<String,String>(); - EPUser user = null; + Map<String,String> map = new HashMap<>(); + EPUser user; try { user = (EPUser) userService.getUserByUserId(loginId).get(0); map.put("firstName", user.getFirstName()); @@ -128,7 +146,7 @@ public class AppsOSController extends AppsController { logger.error(EELFLoggerDelegate.errorLogger, "Failed to get user info", e); } - JSONObject j = new JSONObject(map);; + JSONObject j = new JSONObject(map); return j.toString(); } |