authorDominik Mizyn <d.mizyn@samsung.com>2019-10-21 15:29:52 +0200
committerDominik Mizyn <d.mizyn@samsung.com>2019-10-24 15:54:49 +0200
commit2bd26995f7ac5a0c1f19c1ca0ab1f5f0b50ea5c2 (patch)
tree435327d15ed809258c1d6e4285a4ab3f33b615a1 /ecomp-portal-BE-os
parent31643c4db220bda9ffd9ac06d884f9035bbc4e1f (diff)
Persistent XSS vulnerability in saveNewUser form fix
The submitted new-user object is now checked with the javax.validation-based DataValidator before it is saved, so a payload that fails the bean constraints (unsafe HTML) is rejected with an error response instead of being persisted. Issue-ID: OJSI-16 Change-Id: I50a7acc4f7e9294170628fd5b2894ee6cbdba8f0 Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
Diffstat (limited to 'ecomp-portal-BE-os')
-rw-r--r--ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java14
1 files changed, 7 insertions, 7 deletions
diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java
index b1154aa3..8314e7b9 100644
--- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java
+++ b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java
@@ -52,6 +52,7 @@ import org.onap.portalapp.portal.ecomp.model.PortalRestStatusEnum;
import org.onap.portalapp.portal.logging.aop.EPAuditLog;
import org.onap.portalapp.portal.service.UserService;
import org.onap.portalapp.util.EPUserUtils;
+import org.onap.portalapp.validation.DataValidator;
import org.onap.portalapp.validation.SecureString;
import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
import org.springframework.beans.factory.annotation.Autowired;
@@ -70,7 +71,7 @@ import lombok.NoArgsConstructor;
@EPAuditLog
@NoArgsConstructor
public class AppsOSController extends AppsController {
- private static final ValidatorFactory validatorFactory = Validation.buildDefaultValidatorFactory();
+ private final DataValidator dataValidator = new DataValidator();
private static final String FAILURE = "failure";
private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppsOSController.class);
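Review bot: Swapping the static `ValidatorFactory` for an instance-level `DataValidator` most likely leaves the `javax.validation` imports (`Validation`, `ValidatorFactory`, `Validator`, `ConstraintViolation`) and `java.util.Set` unused, because the only uses visible in this file are the ones this commit removes here and in `getCurrentUserProfile`; drop them if no other use remains. If `DataValidator` is stateless it could also stay `private static final` like the field it replaces, so each controller instance does not presumably build its own validator setup. The class body continues outside the hunk.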
@@ -90,7 +91,10 @@ public class AppsOSController extends AppsController {
if (newUser == null)
return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE,
"New User cannot be null or empty");
-
+ if (!dataValidator.isValid(newUser)) {
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE,
+ "New User is not safe html");
+ }
if (!(super.getAdminRolesService().isSuperAdmin(user) || super.getAdminRolesService().isAccountAdmin(user))
&& !user.getLoginId().equalsIgnoreCase(newUser.getLoginId())) {
return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE,
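Review bot: The new `dataValidator.isValid(newUser)` block runs before the admin/self-service authorization test that follows it, so a caller who is neither admin nor the user being created still gets a validation verdict on arbitrary payloads before being refused; move the added `if (!dataValidator.isValid(newUser)) { ... }` below the `isSuperAdmin`/`isAccountAdmin` return so authorization is decided first. Whether this actually blocks the stored XSS depends on the class of `newUser` (declared above the hunk) carrying the `@SafeHtml`-style constraints that `DataValidator` evaluates — an unannotated String field would pass `isValid` untouched, so confirm the model class is annotated. Input validation here is defense in depth; the views rendering these fields should still HTML-encode them. The enclosing `saveNewUser` method begins before this hunk.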
@@ -113,11 +117,7 @@ public class AppsOSController extends AppsController {
public String getCurrentUserProfile(HttpServletRequest request, @PathVariable("loginId") String loginId) {
if (loginId != null) {
- Validator validator = validatorFactory.getValidator();
- SecureString secureString = new SecureString(loginId);
- Set<ConstraintViolation<SecureString>> constraintViolations = validator.validate(secureString);
-
- if (!constraintViolations.isEmpty()) {
+ if (!dataValidator.isValid(new SecureString(loginId))) {
return "loginId is not valid";
}
}