diff options
Diffstat (limited to 'ecomp-portal-BE-os/src')
6 files changed, 202 insertions, 54 deletions
diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java index ed540551..915c5e08 100644 --- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java +++ b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java @@ -40,8 +40,13 @@ package org.onap.portalapp.portal.controller; import java.util.HashMap; import java.util.Map; +import java.util.Set; import javax.servlet.http.HttpServletRequest; +import javax.validation.ConstraintViolation; +import javax.validation.Validation; +import javax.validation.Validator; +import javax.validation.ValidatorFactory; import org.json.JSONObject; import org.onap.portalapp.portal.controller.AppsController; import org.onap.portalapp.portal.domain.EPUser; @@ -53,6 +58,7 @@ import org.onap.portalapp.portal.service.EPAppService; import org.onap.portalapp.portal.service.PersUserAppService; import org.onap.portalapp.portal.service.UserService; import org.onap.portalapp.util.EPUserUtils; +import org.onap.portalapp.validation.SecureString; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.EnableAspectJAutoProxy; @@ -67,6 +73,7 @@ import org.springframework.web.bind.annotation.RestController; @EnableAspectJAutoProxy @EPAuditLog public class AppsOSController extends AppsController { + private static final ValidatorFactory validatorFactory = Validation.buildDefaultValidatorFactory(); static final String FAILURE = "failure"; EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppsOSController.class); @@ -113,9 +120,20 @@ public class AppsOSController extends AppsController { @RequestMapping(value = { "/portalApi/currentUserProfile/{loginId}" }, method = RequestMethod.GET, produces = "application/json") public String getCurrentUserProfile(HttpServletRequest request, @PathVariable("loginId") String loginId) { + + if(loginId != null){ + Validator validator = validatorFactory.getValidator(); + SecureString secureString = new SecureString(loginId); + Set<ConstraintViolation<SecureString>> constraintViolations = validator.validate(secureString); + + if (!constraintViolations.isEmpty()){ + return "loginId is not valid"; + } + } + - Map<String,String> map = new HashMap<String,String>(); - EPUser user = null; + Map<String,String> map = new HashMap<>(); + EPUser user; try { user = (EPUser) userService.getUserByUserId(loginId).get(0); map.put("firstName", user.getFirstName()); @@ -128,7 +146,7 @@ public class AppsOSController extends AppsController { logger.error(EELFLoggerDelegate.errorLogger, "Failed to get user info", e); } - JSONObject j = new JSONObject(map);; + JSONObject j = new JSONObject(map); return j.toString(); } diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/DashboardSearchResultController.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/DashboardSearchResultController.java index 0be57120..1dff6040 100644 --- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/DashboardSearchResultController.java +++ b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/DashboardSearchResultController.java @@ -48,7 +48,6 @@ import java.util.Map; import javax.servlet.http.HttpServletRequest; import org.onap.portalapp.controller.EPRestrictedBaseController; -import org.onap.portalapp.portal.controller.DashboardSearchResultController; import org.onap.portalapp.portal.domain.EPUser; import org.onap.portalapp.portal.ecomp.model.PortalRestResponse; import org.onap.portalapp.portal.ecomp.model.PortalRestStatusEnum; @@ -57,6 +56,8 @@ import org.onap.portalapp.portal.service.DashboardSearchService; import org.onap.portalapp.portal.transport.CommonWidget; import org.onap.portalapp.portal.transport.CommonWidgetMeta; import org.onap.portalapp.util.EPUserUtils; +import org.onap.portalapp.validation.DataValidator; +import org.onap.portalapp.validation.SecureString; import org.onap.portalsdk.core.domain.support.CollaborateList; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; import org.springframework.beans.factory.annotation.Autowired; @@ -71,6 +72,7 @@ import org.springframework.web.bind.annotation.RestController; public class DashboardSearchResultController extends EPRestrictedBaseController { private static EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(DashboardSearchResultController.class); + private DataValidator dataValidator = new DataValidator(); @Autowired private DashboardSearchService searchService; @@ -86,7 +88,12 @@ public class DashboardSearchResultController extends EPRestrictedBaseController @RequestMapping(value = "/widgetData", method = RequestMethod.GET, produces = "application/json") public PortalRestResponse<CommonWidgetMeta> getWidgetData(HttpServletRequest request, @RequestParam String resourceType) { - return new PortalRestResponse<CommonWidgetMeta>(PortalRestStatusEnum.OK, "success", + if (resourceType !=null){ + SecureString secureString = new SecureString(resourceType); + if (!dataValidator.isValid(secureString)) + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "Provided data is invalid", null); + } + return new PortalRestResponse<>(PortalRestStatusEnum.OK, "success", searchService.getWidgetData(resourceType)); } @@ -100,9 +107,14 @@ public class DashboardSearchResultController extends EPRestrictedBaseController @RequestMapping(value = "/widgetDataBulk", method = RequestMethod.POST, produces = "application/json") public PortalRestResponse<String> saveWidgetDataBulk(@RequestBody CommonWidgetMeta commonWidgetMeta) { logger.debug(EELFLoggerDelegate.debugLogger, "saveWidgetDataBulk: argument is {}", commonWidgetMeta); - if (commonWidgetMeta.getCategory() == null || commonWidgetMeta.getCategory().trim().equals("")) + if (commonWidgetMeta.getCategory() == null || commonWidgetMeta.getCategory().trim().equals("")){ return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, "ERROR", "Category cannot be null or empty"); + }else { + if(!dataValidator.isValid(commonWidgetMeta)) + return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, "ERROR", + "Category is not valid"); + } // validate dates for (CommonWidget cw : commonWidgetMeta.getItems()) { String err = validateCommonWidget(cw); @@ -123,13 +135,18 @@ public class DashboardSearchResultController extends EPRestrictedBaseController @RequestMapping(value = "/widgetData", method = RequestMethod.POST, produces = "application/json") public PortalRestResponse<String> saveWidgetData(@RequestBody CommonWidget commonWidget) { logger.debug(EELFLoggerDelegate.debugLogger, "saveWidgetData: argument is {}", commonWidget); - if (commonWidget.getCategory() == null || commonWidget.getCategory().trim().equals("")) - return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, "ERROR", + if (commonWidget.getCategory() == null || commonWidget.getCategory().trim().equals("")){ + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR", "Cateogry cannot be null or empty"); + }else { + if(!dataValidator.isValid(commonWidget)) + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR", + "Category is not valid"); + } String err = validateCommonWidget(commonWidget); if (err != null) - return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, err, null); - return new PortalRestResponse<String>(PortalRestStatusEnum.OK, "success", + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, err, null); + return new PortalRestResponse<>(PortalRestStatusEnum.OK, "success", searchService.saveWidgetData(commonWidget)); } @@ -165,7 +182,10 @@ public class DashboardSearchResultController extends EPRestrictedBaseController @RequestMapping(value = "/deleteData", method = RequestMethod.POST, produces = "application/json") public PortalRestResponse<String> deleteWidgetData(@RequestBody CommonWidget commonWidget) { logger.debug(EELFLoggerDelegate.debugLogger, "deleteWidgetData: argument is {}", commonWidget); - return new PortalRestResponse<String>(PortalRestStatusEnum.OK, "success", + if(!dataValidator.isValid(commonWidget)) + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR", + "Data is not valid"); + return new PortalRestResponse<>(PortalRestStatusEnum.OK, "success", searchService.deleteWidgetData(commonWidget)); } @@ -180,16 +200,24 @@ public class DashboardSearchResultController extends EPRestrictedBaseController @RequestMapping(value = "/allPortal", method = RequestMethod.GET, produces = "application/json") public PortalRestResponse<Map<String, List<SearchResultItem>>> searchPortal(HttpServletRequest request, @RequestParam String searchString) { + if(searchString!=null){ + SecureString secureString = new SecureString(searchString); + if(!dataValidator.isValid(secureString)){ + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, + "searchPortal: User object is invalid", + null); + } + } EPUser user = EPUserUtils.getUserSession(request); try { if (user == null) { return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "searchPortal: User object is null? - check logs", - new HashMap<String, List<SearchResultItem>>()); + new HashMap<>()); } else if (searchString == null || searchString.trim().length() == 0) { return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "searchPortal: String string is null", - new HashMap<String, List<SearchResultItem>>()); + new HashMap<>()); } else { logger.debug(EELFLoggerDelegate.debugLogger, "searchPortal: user {}, search string '{}'", user.getLoginId(), searchString); @@ -200,7 +228,7 @@ public class DashboardSearchResultController extends EPRestrictedBaseController } catch (Exception e) { logger.error(EELFLoggerDelegate.errorLogger, "searchPortal failed", e); return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, e.getMessage() + " - check logs.", - new HashMap<String, List<SearchResultItem>>()); + new HashMap<>()); } } diff --git a/ecomp-portal-BE-os/src/main/webapp/WEB-INF/conf/sql.properties b/ecomp-portal-BE-os/src/main/webapp/WEB-INF/conf/sql.properties index 83779052..8663cd44 100644 --- a/ecomp-portal-BE-os/src/main/webapp/WEB-INF/conf/sql.properties +++ b/ecomp-portal-BE-os/src/main/webapp/WEB-INF/conf/sql.properties @@ -291,19 +291,6 @@ random.string = select ( 'Z' || round(random() * 1000000000000)) scheduler.user.emails = SELECT au.user_id FROM (SELECT rs.schedule_id, rs.rep_id FROM cr_report_schedule rs WHERE rs.enabled_yn='Y' AND rs.start_date <= now() AND rs.end_date >= now() AND rs.run_date IS NOT NULL AND rs.schedule_id = [p_schedule_id] ) x, cr_report r, fn_user au WHERE x.rep_id = r.rep_id AND au.user_id IN (SELECT rsu.user_id FROM cr_report_schedule_users rsu WHERE rsu.schedule_id = x.schedule_id and rsu.schedule_id = [p_schedule_id] UNION SELECT ur.user_id FROM fn_user_role ur WHERE ur.role_id IN (SELECT rsu2.role_id FROM cr_report_schedule_users rsu2 WHERE rsu2.schedule_id = x.schedule_id and rsu2.schedule_id = [p_schedule_id])) - -# my logins - -app.query = SELECT APP_ID, ML_APP_NAME, MOTS_ID from fn_app where ((enabled = 'Y' and open = 'N') or app_id = 1 ) - -user.log.query = SELECT DISTINCT IFNULL(ORG_USER_ID, '') CUID, '' AWID, CONCAT('"',IFNULL(ORG_USER_ID, ''),'"') APPLICATIONUSERID, CONCAT('"',IFNULL(FIRST_NAME, ''),'"') FIRST_NAME, CONCAT('"',substr(IFNULL(MIDDLE_NAME, ''), 0, 1),'"') MIDDLE_INITIAL, CONCAT('"',IFNULL(LAST_NAME, ''),'"') LAST_NAME, IFNULL(DATE_FORMAT(LAST_LOGIN_DATE, '%Y/%m/%d'), '') LAST_LOGON_DATE, DATE_FORMAT(CREATED_DATE, '%Y/%m/%d') ACCOUNT_ACTIVATION_DATE, IFNULL(DATE_FORMAT(MODIFIED_DATE, '%Y/%m/%d'), '') LAST_DATE_ACCOUNT_MODIFIED, '' LAST_PASSWORD_CHANGE_DATE, CONCAT('"',IFNULL(FIRST_NAME, ''),' ',IFNULL(MIDDLE_NAME, ''),' ',IFNULL(LAST_NAME, ''),'"') FULL_USER_NAME, '' NT_ID, IFNULL(EMAIL, '') EMAIL FROM FN_USER FU, FN_USER_ROLE FUR, FN_ROLE FR WHERE FU.USER_ID = FUR.USER_ID and FUR.ROLE_ID = FR.ROLE_ID and ((FUR.APP_ID = 1 and FUR.APP_ID = ? and FR.ROLE_NAME <> 'Standard User') or (FUR.APP_ID = ? and FUR.APP_ID <> 1)) and FU.ACTIVE_YN = 'Y' and FU.org_user_id is not null order by 1 - -profile.log.query = SELECT DISTINCT CONCAT('"' , ROLE_NAME , '"') PROFILE_NAME, '""' SECURITY_SETTINGS FROM FN_ROLE FR, FN_USER_ROLE FUR WHERE FUR.ROLE_ID = FR.ROLE_ID and FR.ACTIVE_YN = 'Y' and ((FUR.APP_ID = 1 and FUR.APP_ID = ? and FR.ROLE_NAME <> 'Standard User') or (FUR.APP_ID = ? and FUR.APP_ID <> 1)) ORDER BY 1 - -user.profile.log.query = SELECT DISTINCT IFNULL(ORG_USER_ID, '') CUID, '' AWID, CONCAT('"' , IFNULL(ORG_USER_ID, '') , '"') APPLICATIONUSERID , CONCAT('"' , ROLE_NAME , '"') PROFILE_NAME FROM FN_USER A, FN_USER_ROLE B, FN_ROLE C WHERE A.USER_ID = B.USER_ID AND B.ROLE_ID = C.ROLE_ID AND A.ACTIVE_YN = 'Y' AND C.ACTIVE_YN = 'Y' AND a.ORG_USER_ID is not null AND ((B.APP_ID = 1 and B.APP_ID = ? and C.ROLE_NAME <> 'Standard User') or (B.APP_ID = ? and B.APP_ID <> 1)) ORDER BY 1 - -all.accounts.log.query = SELECT DISTINCT IFNULL(ORG_USER_ID, '') CUID, (case when A.ACTIVE_YN='Y' then 'ACTIVE' else 'INACTIVE' end) ACTIVE_YN, CONCAT('"' , IFNULL(ORG_USER_ID, '') , '"') APPLICATIONUSERID , IFNULL(DATE_FORMAT(LAST_LOGIN_DATE, '%Y/%m/%d'), '') LAST_LOGON_DATE, '' LAST_PASSWORD_CHANGE_DATE, CONCAT('"' , ROLE_NAME , '"') PROFILE_NAME FROM FN_USER A, FN_USER_ROLE B, FN_ROLE C WHERE A.USER_ID = B.USER_ID AND B.ROLE_ID = C.ROLE_ID AND a.ORG_USER_ID is not null AND ((B.APP_ID = 1 and B.APP_ID = ? and C.ROLE_NAME <> 'Standard User') or (B.APP_ID = ? and B.APP_ID <> 1)) ORDER BY 1 - # basic sql seq.next.val = SELECT nextval('[sequenceName]') AS id diff --git a/ecomp-portal-BE-os/src/main/webapp/WEB-INF/web.xml b/ecomp-portal-BE-os/src/main/webapp/WEB-INF/web.xml index 1181a2fd..af712d4e 100644 --- a/ecomp-portal-BE-os/src/main/webapp/WEB-INF/web.xml +++ b/ecomp-portal-BE-os/src/main/webapp/WEB-INF/web.xml @@ -106,32 +106,32 @@ <filter-name>SecurityXssFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> - <!-- <filter> - <filter-name>CadiAuthFilter</filter-name> - <filter-class>org.onap.portalsdk.core.onboarding.crossapi.CadiAuthFilter</filter-class> - <init-param> - <param-name>cadi_prop_files</param-name> - Add Absolute path of cadi.properties - <param-value>{Path}/cadi.properties - </param-value> - </init-param> - Add param values with comma delimited values - <init-param> - <param-name>include_url_endpoints</param-name> - <param-value>/auxapi/*</param-value> - </init-param> - <init-param> - <param-name>exclude_url_endpoints</param-name> - <param-value>/api/v3/analytics,/api/v3/storeAnalytics</param-value> - </init-param> - </filter> - <filter-mapping> - <filter-name>CadiAuthFilter</filter-name> - <url-pattern>/auxapi/v3/*</url-pattern> - </filter-mapping> - <filter-mapping> - <filter-name>CadiAuthFilter</filter-name> - <url-pattern>/auxapi/v4/*</url-pattern> +<!-- <filter> --> +<!-- <filter-name>CadiAuthFilter</filter-name> --> +<!-- <filter-class>org.onap.portalsdk.core.onboarding.crossapi.CadiAuthFilter</filter-class> --> +<!-- <init-param> --> +<!-- <param-name>cadi_prop_files</param-name> --> +<!-- Add Absolute path of cadi.properties --> +<!-- <param-value>{Path}/cadi.properties --> +<!-- </param-value> --> +<!-- </init-param> --> +<!-- Add param values with comma delimited values --> +<!-- <init-param> --> +<!-- <param-name>include_url_endpoints</param-name> --> +<!-- <param-value>/auxapi/*</param-value> --> +<!-- </init-param> --> +<!-- <init-param> --> +<!-- <param-name>exclude_url_endpoints</param-name> --> +<!-- <param-value>/api/v3/analytics,/api/v3/storeAnalytics</param-value> --> +<!-- </init-param> --> +<!-- </filter> --> +<!-- <filter-mapping> --> +<!-- <filter-name>CadiAuthFilter</filter-name> --> +<!-- <url-pattern>/auxapi/v3/*</url-pattern> --> +<!-- </filter-mapping> --> +<!-- <filter-mapping> --> +<!-- <filter-name>CadiAuthFilter</filter-name> --> +<!-- <url-pattern>/auxapi/v4/*</url-pattern> --> - </filter-mapping> --> +<!-- </filter-mapping> --> </web-app> diff --git a/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java b/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java index 0596e749..15fe1dd9 100644 --- a/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java +++ b/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java @@ -176,6 +176,17 @@ public class AppsOSControllerTest { } @Test + public void getCurrentUserProfileXSSTest() { + String loginId = "<iframe/src=\"data:text/html,<svg onload=alert(1)>\">"; + EPUser user = mockUser.mockEPUser(); + List<EPUser> expectedList = new ArrayList<>(); + expectedList.add(user); + Mockito.when(userService.getUserByUserId(loginId)).thenReturn(expectedList); + String expectedString = appsOSController.getCurrentUserProfile(mockedRequest, loginId); + assertEquals("loginId is not valid", expectedString); + } + + @Test public void getCurrentUserProfileExceptionTest() { String loginId = "guestT"; EPUser user = mockUser.mockEPUser(); diff --git a/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/DashboardSearchResultControllerTest.java b/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/DashboardSearchResultControllerTest.java index 9edf99e7..ff588daa 100644 --- a/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/DashboardSearchResultControllerTest.java +++ b/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/DashboardSearchResultControllerTest.java @@ -99,6 +99,18 @@ public class DashboardSearchResultControllerTest { } @Test + public void getWidgetDataXSSTest() { + String resourceType = "\"<IMG SRC=\\\"jav\\tascript:alert('XSS');\\\">\""; + PortalRestResponse expectedPortalRestResponse = new PortalRestResponse<>(); + expectedPortalRestResponse.setMessage("Provided data is invalid"); + expectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR); + Mockito.when(searchService.getWidgetData(resourceType)).thenReturn(null); + PortalRestResponse acutualPoratlRestResponse = dashboardSearchResultController + .getWidgetData(mockedRequest, resourceType); + assertEquals(acutualPoratlRestResponse, expectedPortalRestResponse); + } + + @Test public void saveWidgetDataBulkIfCatrgoryNullTest() { PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<String>(); ecpectedPortalRestResponse.setMessage("ERROR"); @@ -152,6 +164,82 @@ public class DashboardSearchResultControllerTest { } @Test + public void saveWidgetDataBulkXSSTest() { + PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<>(); + ecpectedPortalRestResponse.setMessage("ERROR"); + ecpectedPortalRestResponse.setResponse("Category is not valid"); + ecpectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR); + + CommonWidgetMeta commonWidgetMeta = new CommonWidgetMeta(); + commonWidgetMeta.setCategory("test"); + + List<CommonWidget> commonWidgetList = new ArrayList<>(); + CommonWidget commonWidget = new CommonWidget(); + commonWidget.setId((long) 1); + commonWidget.setCategory("test"); + commonWidget.setHref("\"<IMG SRC=\\\"jav\\tascript:alert('XSS');\\\">\""); + commonWidget.setTitle("test_title"); + commonWidget.setContent("test_content"); + commonWidget.setEventDate(null); + commonWidget.setSortOrder(1); + + commonWidgetList.add(commonWidget); + + commonWidgetMeta.setItems(commonWidgetList); + + Mockito.when(searchService.saveWidgetDataBulk(commonWidgetMeta)).thenReturn(null); + + PortalRestResponse<String> actualPortalRestResponse = dashboardSearchResultController + .saveWidgetDataBulk(commonWidgetMeta); + assertEquals(ecpectedPortalRestResponse, actualPortalRestResponse); + } + + @Test + public void saveWidgetDataXSSTest() { + PortalRestResponse<String> expectedPortalRestResponse = new PortalRestResponse<>(); + expectedPortalRestResponse.setMessage("ERROR"); + expectedPortalRestResponse.setResponse("Category is not valid"); + expectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR); + CommonWidget commonWidget = new CommonWidget(); + commonWidget.setId((long) 1); + commonWidget.setCategory("test"); + commonWidget.setHref("\"<IMG SRC=\"jav\\tascript:alert('XSS');\">\""); + commonWidget.setTitle("test_title"); + commonWidget.setContent("test_content"); + commonWidget.setEventDate(null); + commonWidget.setSortOrder(1); + + Mockito.when(searchService.saveWidgetData(commonWidget)).thenReturn(null); + + PortalRestResponse<String> actualPortalRestResponse = dashboardSearchResultController + .saveWidgetData(commonWidget); + assertEquals(expectedPortalRestResponse, actualPortalRestResponse); + + } + + @Test + public void deleteWidgetDataXSSTest() { + PortalRestResponse<String> expectedPortalRestResponse = new PortalRestResponse<>(); + expectedPortalRestResponse.setMessage("ERROR"); + expectedPortalRestResponse.setResponse("Data is not valid"); + expectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR); + CommonWidget commonWidget = new CommonWidget(); + commonWidget.setId((long) 1); + commonWidget.setCategory("test"); + commonWidget.setHref("test_href"); + commonWidget.setTitle("\"<IMG SRC=\"jav\\tascript:alert('XSS');\">\""); + commonWidget.setContent("test_content"); + commonWidget.setEventDate(null); + commonWidget.setSortOrder(1); + Mockito.when(searchService.deleteWidgetData(commonWidget)).thenReturn(null); + + PortalRestResponse<String> actualPortalRestResponse = dashboardSearchResultController + .deleteWidgetData(commonWidget); + + assertEquals(expectedPortalRestResponse, actualPortalRestResponse); + } + + @Test public void saveWidgetDataIfCatagoryNullTest() { PortalRestResponse<String> ecpectedPortalRestResponse = new PortalRestResponse<String>(); ecpectedPortalRestResponse.setMessage("ERROR"); @@ -340,6 +428,22 @@ public class DashboardSearchResultControllerTest { } @Test + public void searchPortalXSS() { + EPUser user = mockUser.mockEPUser(); + Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user); + String searchString = "<script>alert(“XSS”)</script> "; + + PortalRestResponse<Map<String, List<SearchResultItem>>> expectedResult = new PortalRestResponse<Map<String, List<SearchResultItem>>>(); + expectedResult.setMessage("searchPortal: User object is invalid"); + expectedResult.setStatus(PortalRestStatusEnum.ERROR); + + PortalRestResponse<Map<String, List<SearchResultItem>>> actualResult = dashboardSearchResultController + .searchPortal(mockedRequest, searchString); + assertEquals(actualResult, expectedResult); + + } + + @Test public void searchPortalIfSearchExcptionTest() { EPUser user = mockUser.mockEPUser(); ; |