summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2019-06-14Merge "FunctionalMenuItem DB constraints fix"Sunder Tattavarada2-8/+15
2019-06-14Merge "FunctionalMenuItem DB constraints add"Sunder Tattavarada2-13/+47
2019-06-14Merge "XSS Vulnerability fix in DashboardSearchResultController"Sunder Tattavarada2-11/+143
2019-06-14Merge "Custom data validator"Sunder Tattavarada3-3/+164
2019-06-14Merge "XSS Vulnerability fix in TicketEventController"Sunder Tattavarada2-1/+31
2019-06-14Merge "XSS Vulnerability fix in RoleManageController"Sunder Tattavarada3-1/+127
2019-06-14Merge "Fix sql injection vulnerability"Sunder Tattavarada2-3/+34
2019-06-14Merge "XSS Vulnerability fix in AppsOSController"Sunder Tattavarada2-3/+32
2019-06-14Merge "XSS Vulnerability fix in AppsControllerExternalRequest"Sunder Tattavarada8-30/+210
2019-06-14Merge "Sonar issue: Correct this "&" to "&&" in MicroserviceServiceImpl"Sunder Tattavarada1-25/+22
2019-06-14Merge "XSS Vulnerability fix in MicroserviceController"Sunder Tattavarada4-67/+112
2019-06-14Merge "XSS Vulnerability fix in DashboardSearchResultController"Sunder Tattavarada6-58/+270
2019-06-13Merge "Fix sonar issue: Override "equals(Object obj)""Sunder Tattavarada2-1/+27
2019-06-13FunctionalMenuItem DB constraints fixDominik Mizyn2-8/+15
Add @Digits to secure Long type fields Issue-ID: PORTAL-626 Change-Id: I59080c9103369d96a42c574356f0635265335d0a Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-06-13FunctionalMenuItem DB constraints addDominik Mizyn2-13/+47
Java Bean Validation SR 380 annotations added to classes Unnecessary boxing removed. Issue-ID: PORTAL-626 Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com> Change-Id: Ic1c20870fd781d46061077fd14b81a65dea93e6e
2019-06-11Updated Dublin Release NotesWelch, Lorraine (lb2391)1-9/+10
Issue-ID: PORTAL-592 Signed-off-by: Welch, Lorraine (lb2391) <lb2391@att.com> Change-Id: I4d1e7e8bd83ed2adb7df25ccf4c694b1c81ef879
2019-06-07Added lorraineawelch to INFO.yamlWelch, Lorraine (lb2391)1-0/+5
Issue-ID: PORTAL-618 Signed-off-by: Welch, Lorraine (lb2391) <lb2391@att.com> Change-Id: I3d7f57c8cc20347f8adeefbada2eaffde0940262
2019-06-05XSS Vulnerability fix in DashboardSearchResultControllerDominik Mizyn2-11/+143
Custom Validator is used to secure this endpoints. Issue-ID: OJSI-15 Change-Id: Idf523a53bc5fe9e1df8110526d56336953759c86 Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-06-05Custom data validatorDominik Mizyn3-3/+164
By creating custom data validator we can reduce code duplications. Issue-ID: OJSI-15 Change-Id: I39decf1d6ded559322c4445f0956fad2a159878d Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-05-31XSS Vulnerability fix in TicketEventControllerDominik Mizyn2-1/+31
@SafeHtml and SecureString used to fix this issue; Issue-ID: OJSI-209 Change-Id: I588872839696c824135bab88c100b31c23d960ba Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-05-31XSS Vulnerability fix in RoleManageControllerDominik Mizyn3-1/+127
@SafeHtml and SecureString used to secure this class Issue-ID: OJSI-208 Change-Id: Ie01799933add3419cacf0fc716ce2da6da0a2853 Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-05-31XSS Vulnerability fix in AppsOSControllerDominik Mizyn2-3/+32
SecureString class used to secure PathVariable. Issue-ID: OJSI-207 Change-Id: I6275c5db4d8d97dc60ef1676b651e3d8802ad9f7 Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-05-30Merge changes I1c586793,I47249407,Idad22dea,I5c3bee06,I5cb96956Manoop Talasila1-0/+6
* changes: Document OJSI-190 vulnerability Document OJSI-174 (CVE-2019-12318) vulnerability Document OJSI-92 (CVE-2019-12121) vulnerability Document OJSI-65 (CVE-2019-1212) vulnerability Document OJSI-15 (CVE-2019-12317) vulnerability
2019-05-30Merge "Don't give the user the exact stack trace of the exception"Manoop Talasila1-20/+26
2019-05-30Merge "Don't give user the exact exception description"Manoop Talasila1-0/+8
2019-05-30Document OJSI-190 vulnerabilityKrzysztof Opasiak1-0/+1
Issue-ID: OJSI-190 Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Change-Id: I1c586793b744a5807e7b1a7a1d416dfd43409ab0
2019-05-30Document OJSI-174 (CVE-2019-12318) vulnerabilityKrzysztof Opasiak1-0/+1
Issue-ID: OJSI-174 Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Change-Id: I47249407ccb62ca7ffd1d8edc9ada8793f4c53c9
2019-05-30Document OJSI-92 (CVE-2019-12121) vulnerabilityKrzysztof Opasiak1-0/+1
Issue-ID: OJSI-92 Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Change-Id: Idad22deafb262da539c52fa8733e7ea098fd1361
2019-05-30Document OJSI-65 (CVE-2019-1212) vulnerabilityKrzysztof Opasiak1-0/+1
Issue-ID: OJSI-65 Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Change-Id: I5c3bee06c2b1da3eca2bb583c57decb35b0f32c0
2019-05-30Document OJSI-15 (CVE-2019-12317) vulnerabilityKrzysztof Opasiak1-0/+2
Issue-ID: OJSI-15 Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Change-Id: I5cb96956f25e09a390ef24a52f6222c0cc7b9e94
2019-05-30XSS Vulnerability fix in AppsControllerExternalRequestDominik Mizyn8-30/+210
@SafeHtml annotation is used to fix this problem. This patch also fix some minor issues: * isAuxRESTfulCall() method delete. Method was nowhere used. * '.length() == 0' changed to '.isEmpty()' Issue-ID: PORTAL-604 Change-Id: Ib7091622081f507812654b50275ad7ac4c97bfc3 Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-05-30Sonar issue: Correct this "&" to "&&" in MicroserviceServiceImplDominik Mizyn1-25/+22
This patch also fix some minor issues: * 'fori' loop replaced with 'foreach' * Sonar issue: Replace the type specification in this constructor call with the diamond operator ("<>"). * redundant 'throws'. Exception will never throw * unnecessary temporary local variable Issue-ID: PORTAL-603 Change-Id: If23afb9f4a10f0ad06c712cb95a38b54dc5cd089 Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-05-30XSS Vulnerability fix in MicroserviceControllerDominik Mizyn4-67/+112
@SafeHtml annotation is used to fix this problem. This commit also fix: * redundant local variable issue * sonar issue: Replace the type specification in this constructor call with the diamond operator ("<>"). * performance issue - String concatenation argument as argument to 'StringBuilder.append()' call * redundant cast * redundant 'throws Exception'. 'Exception' is never thrown * access static member via instance reference * unused declarations Issue-ID: PORTAL-602 Change-Id: Id92fe2d9cfe239474403f611f3d5d0170acf63cc Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-05-30XSS Vulnerability fix in DashboardSearchResultControllerDominik Mizyn6-58/+270
@SafeHtml annotation is used to fix this problem. New class 'SecureString' must be added to project to valid incoming Strings from '@RequestParam String incoming String' pom.xml file update. This patch also fix: * remove unnecessary semicolon * Sonar issue: Replace the type specification in this constructor call with the diamond operator ("<>") Issue-ID: PORTAL-601 Change-Id: Id214b6e65f0c486141679fd23725a7fb66443acd Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-05-30Fix sonar issue: Override "equals(Object obj)"Dominik Mizyn2-1/+27
This commit provide equals method for CentralV2UserApp and test for this method. Issue-ID: PORTAL-599 Change-Id: Ied44c680032831ec6a02211f658ec16f0aad8f4a Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-05-30Fix sql injection vulnerabilityDominik Orliński2-3/+34
Use a variable binding instead of concatenation. Add new test for function 'createLocalUserIfNecessary'. Issue-ID: OJSI-174 Change-Id: Iddd65893bb2cb16c90d4f8db59816fdf261874bc Signed-off-by: Dominik Orliński <d.orlinski@samsung.com>
2019-05-29Don't give the user the exact stack trace of the exceptionPiotr Borelowski1-20/+26
Catching the exception in the SecurityXssFilter class. Issue-ID: OJSI-192 Change-Id: I8d9d7a3032f98afcb58285b13b13d5ce35fddadd Signed-off-by: Piotr Borelowski <p.borelowski@partner.samsung.com>
2019-05-28Merge "Removed user password from portal's profile API"Manoop Talasila3-13/+7
2019-05-28Don't give user the exact exception descriptionPiotr Borelowski1-0/+8
The exact description of the exception especially if related to cryptography cannot be given to the user as it may be abused by the attacker. To fix that, we started to use @ExceptionHandler for all exceptions in the LoginController as well. CVE: CVE-2019-12121 Issue-ID: OJSI-92 Change-Id: I100b37ff33d28ebccc2411c3acc62bdb7ce11ca8 Signed-off-by: Piotr Borelowski <p.borelowski@partner.samsung.com> Reviewed-by: Krzysztof Opasiak <k.opasiak@samsung.com> Acked-by: Manoop Talasila <talasila@research.att.com>
2019-05-28Removed user password from portal's profile APIr.bogacki3-13/+7
ONAP Portal allowed to retrieve password of currently active user via "/portalApi/loggedinUser" endpoint. Prefilled "Login Password" field has been changed to "*****" and password is not send anymore to the frontend. Only after change of this default value password will be updated. Confirm Password field has been removed from the UI. In the future password change could be additionally also checked on the backend side to verify current password before updating it. Issue-ID: OJSI-65 Signed-off-by: Robert Bogacki <r.bogacki@samsung.com> Reviewed-by: Krzysztof Opasiak <k.opasiak@samsung.com> Acked-by: Manoop Talasila <talasila@research.att.com> Change-Id: I00b7713557247d211927c437f31f118095ad0726
2019-05-27Document OJSI-106 vulnerabilityKrzysztof Opasiak1-0/+1
Issue-ID: OJSI-106 Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Change-Id: I549009cf3c313b0f5307b99ce22b56243e933f8f
2019-05-24Document OJSI-105 vulnerabilityKrzysztof Opasiak1-0/+1
Issue-ID: OJSI-105 Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Change-Id: I8c3a00ce98886f7175e5cf85f09309bd50ef702c
2019-05-24Document OJSI-97 vulnerabilityKrzysztof Opasiak1-0/+1
Issue-ID: OJSI-97 Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Change-Id: I56d194918b91580d5d9f6b25e564923fe29c51f3
2019-05-24Improve security release notesKrzysztof Opasiak1-6/+12
In order to provide users with more details of project's state in terms of security let's divide the security release notes into three sections: - Fixed Security Issues Contains a list of security fixes merged during this release (especially those reported via OJSI tickets). - Known Security Issues Contains a list of vulnerabilities detected in project during release which have not been fixed yet and thus should be mitigated by the user. - Known Vulnerabilities in Used Modules Contains information about NexusIQ scan results Issue-ID: SECCOM-238 Change-Id: Ief8825c38c7723c26e8c7e10a6a13f4b8f9c169d Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
2019-05-23Dublin Release Notes for PortalWelch, Lorraine (lb2391)1-1/+51
Issue-ID: PORTAL-592 Signed-off-by: Welch, Lorraine (lb2391) <lb2391@att.com> Change-Id: I93a2ff82f52f709d12bfa92c0d14859d2298b6a1
2019-05-10Merge "Added Functional Menu Entries, del bad thumbnail"Manoop Talasila1-60/+73
2019-05-09Merge "Revert "Update oparent version""Manoop Talasila2-56/+56
2019-05-08Revert "Update oparent version"Sunder Tattavarada2-56/+56
Issue-ID: PORTAL-571 This reverts commit 64c7491aa9208ed3024b81ab78a73751c1cc859e. Change-Id: I72fefbceccea7d723d02e0b38efebf9aafc7018e Signed-off-by: statta <statta@research.att.com>
2019-05-03Update version textstatta1-1/+1
Issue-ID: PORTAL-557 Change-Id: Id3feb4f800d6593c373efd5a35b6f19e4ddc7044 Signed-off-by: statta <statta@research.att.com>
2019-05-02Added Functional Menu Entries, del bad thumbnailWelch, Lorraine (lb2391)1-60/+73
Issue-ID: PORTAL-515 Change-Id: Ibac6ae65fc4df39a7bab2a98946d664bf47413b8 Signed-off-by: Welch, Lorraine (lb2391) <lb2391@att.com>