Age | Commit message | Author | Files changed | Lines (-/+)
2019-06-14 | Merge "XSS Vulnerability fix in RoleManageController" | Sunder Tattavarada | 3 | -1/+127
2019-06-14 | Merge "Fix sql injection vulnerability" | Sunder Tattavarada | 2 | -3/+34
2019-06-14 | Merge "XSS Vulnerability fix in AppsOSController" | Sunder Tattavarada | 2 | -3/+32
2019-06-14 | Merge "XSS Vulnerability fix in AppsControllerExternalRequest" | Sunder Tattavarada | 8 | -30/+210
2019-06-14 | Merge "Sonar issue: Correct this "&" to "&&" in MicroserviceServiceImpl" | Sunder Tattavarada | 1 | -25/+22
2019-06-14 | Merge "XSS Vulnerability fix in MicroserviceController" | Sunder Tattavarada | 4 | -67/+112
2019-06-14 | Merge "XSS Vulnerability fix in DashboardSearchResultController" | Sunder Tattavarada | 6 | -58/+270
2019-06-14 | PortalAdminUserRole class DB constraints | Dominik Mizyn | 1 | -0/+4
    Java Bean Validation JSR 380 annotations added to classes

    Issue-ID: PORTAL-636
    Change-Id: I8fb4f50e672e17b9e169303eb09255fe57288b45
    Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-06-14 | MicroserviceParameter class DB constraints | Dominik Mizyn | 1 | -32/+13
    Java Bean Validation JSR 380 annotations added to classes

    Issue-ID: PORTAL-635
    Change-Id: Idcca0d46d1779d5fae874aff38cfd7f59f73c9b0
    Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-06-14 | MicroserviceDataApp class DB constraints | Dominik Mizyn | 1 | -72/+26
    Java Bean Validation JSR 380 annotations added to classes

    Issue-ID: PORTAL-634
    Change-Id: Ife3b0116b986d52fd17612937b2a74fa76062ed9
    Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-06-14 | WidgetFileApp class DB constraints | Dominik Mizyn | 1 | -56/+13
    Java Bean Validation JSR 380 annotations added to classes

    Issue-ID: PORTAL-633
    Change-Id: Id7b45dedafe2e5f9e799a93d219baef46c88d124
    Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-06-14 | FavoritesFunctionalMenuItem class DB constraints | Dominik Mizyn | 1 | -0/+3
    Java Bean Validation JSR 380 annotations added to classes

    Issue-ID: PORTAL-632
    Change-Id: Ia7c2f4ad0aa5cc85db73142d0fecd46da535c3d9
    Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-06-13 | Merge "Fix sonar issue: Override "equals(Object obj)"" | Sunder Tattavarada | 2 | -1/+27
2019-06-13 | WidgetCatalog class DB constraints | Dominik Mizyn | 1 | -72/+21
    Java Bean Validation JSR 380 annotations added to classes
    Plain getter/setter converted to Lombok annotation

    Issue-ID: PORTAL-630
    Change-Id: Id866ec4bc0dc428adfbb7cdc64fe15f7faf837f7
    Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-06-13 | RoleApp class DB constraints | Dominik Mizyn | 3 | -126/+28
    Java Bean Validation JSR 380 annotations added to classes
    Lombok added to widget-ms
    Plain getter/setter converted to Lombok annotation

    Issue-ID: PORTAL-629
    Change-Id: I31639672510994412149ed8be92cb8e1b022f646
    Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-06-13 | App class DB constraints | Dominik Mizyn | 1 | -1/+9
    Java Bean Validation JSR 380 annotations added to classes

    Issue-ID: PORTAL-627
    Change-Id: I827f99ef75c6af3f9881fe68f1cb245795ba2734
    Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-06-13 | FunctionalMenuItem DB constraints fix | Dominik Mizyn | 2 | -8/+15
    Add @Digits to secure Long type fields

    Issue-ID: PORTAL-626
    Change-Id: I59080c9103369d96a42c574356f0635265335d0a
    Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-06-13 | FunctionalMenuItem DB constraints add | Dominik Mizyn | 2 | -13/+47
    Java Bean Validation JSR 380 annotations added to classes
    Unnecessary boxing removed.

    Issue-ID: PORTAL-626
    Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
    Change-Id: Ic1c20870fd781d46061077fd14b81a65dea93e6e
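A worked illustration of what the JSR 380 constraints in the commits above enforce at runtime, added for this page and not taken from the portal's entity classes. The MenuItem class, its field names, the 11-digit limit and the 100-character size are assumptions; the point is that @Digits on a Long rejects a value before it reaches a numeric column too narrow to hold it, and that violations surface as a set the caller can inspect rather than as a database error. It assumes Hibernate Validator and a javax.el implementation on the classpath.

```java
import java.util.Set;
import javax.validation.ConstraintViolation;
import javax.validation.Validation;
import javax.validation.Validator;
import javax.validation.constraints.Digits;
import javax.validation.constraints.NotNull;
import javax.validation.constraints.Size;

public class MenuItemValidationExample {

    // Hypothetical stand-in for an entity class; field names and limits are
    // assumptions chosen to resemble typical column definitions.
    public static class MenuItem {
        // Bound to an 11-digit numeric column: @Digits rejects a Long with more
        // integer digits than the column can store.
        @NotNull
        @Digits(integer = 11, fraction = 0)
        private Long menuId;

        @NotNull
        @Size(max = 100)
        private String text;

        // May be null for top-level items, but if present must fit the column.
        @Digits(integer = 11, fraction = 0)
        private Long parentMenuId;

        public MenuItem(Long menuId, String text, Long parentMenuId) {
            this.menuId = menuId;
            this.text = text;
            this.parentMenuId = parentMenuId;
        }
    }

    // Validate one bean and return its violations; an empty set means it passed.
    public static Set<ConstraintViolation<MenuItem>> validate(MenuItem item) {
        Validator validator = Validation.buildDefaultValidatorFactory().getValidator();
        return validator.validate(item);
    }

    public static void main(String[] args) {
        // Constructed sample data: one valid item and one that breaks two constraints
        // (a 12-digit id and a null text).
        MenuItem ok = new MenuItem(42L, "Applications", null);
        MenuItem bad = new MenuItem(123456789012L, null, 7L);

        System.out.println("valid item, violations: " + validate(ok).size());
        for (ConstraintViolation<MenuItem> v : validate(bad)) {
            System.out.println(v.getPropertyPath() + ": " + v.getMessage());
        }
    }
}
```

With Hibernate ORM on the classpath the same constraints also run automatically before persist and update (javax.persistence.validation.mode defaults to auto), so an out-of-range value is rejected with a ConstraintViolationException instead of reaching the database.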
2019-06-11 | Updated Dublin Release Notes | Welch, Lorraine (lb2391) | 1 | -9/+10
    Issue-ID: PORTAL-592
    Signed-off-by: Welch, Lorraine (lb2391) <lb2391@att.com>
    Change-Id: I4d1e7e8bd83ed2adb7df25ccf4c694b1c81ef879
2019-06-10 | Sonar critical fixes in MicroserviceServiceImpl | r.bogacki | 1 | -4/+4
    Fixed critical issues according to the Sonar analysis:
    - Fixed imports.
    - Fixed logical comparisons.

    Issue-ID: PORTAL-591
    Signed-off-by: Robert Bogacki <r.bogacki@samsung.com>
    Change-Id: Icc2b6fb45777582486e1060245cdf94e4f6d685d
2019-06-10 | Sonar fix: make "dateFormat" an instance variable | r.bogacki | 8 | -83/+126
    Fixed critical Sonar issue. SimpleDateFormat was declared as static but it is
    not thread-safe and it keeps an internal state. Compliant solution has been
    applied with an additional DateUtil class.

    Issue-ID: PORTAL-590
    Signed-off-by: Robert Bogacki <r.bogacki@samsung.com>
    Change-Id: Ic6243052804a410cb750c6c219c702469c86ff78
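To show why a shared static SimpleDateFormat is a Sonar critical and not a style nit, here is an added demonstration written for this page (it is not the portal's DateUtil): eight threads parse dates through one shared instance and each result is checked against the expected epoch value, then the same load is run through a per-thread formatter. The DateUtil below is a hypothetical stand-in for the class the commit introduced; the thread count, iteration count and sample dates are constructed.

```java
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.atomic.AtomicInteger;

public class DateFormatThreadSafetyExample {

    private static final String PATTERN = "yyyy-MM-dd HH:mm:ss";

    // The shape Sonar flags: SimpleDateFormat holds a mutable Calendar, so
    // concurrent parse()/format() calls overwrite each other's state.
    private static final SimpleDateFormat SHARED = new SimpleDateFormat(PATTERN);

    // Hypothetical DateUtil in the spirit of the fix: one formatter per thread,
    // so no two threads ever touch the same SimpleDateFormat instance.
    static final class DateUtil {
        private static final ThreadLocal<SimpleDateFormat> FORMAT =
                ThreadLocal.withInitial(() -> new SimpleDateFormat(PATTERN));

        static Date parse(String s) throws ParseException {
            return FORMAT.get().parse(s);
        }
    }

    // Hammer the chosen parser from several threads and return how many
    // results were wrong (wrong epoch value or an exception from torn state).
    static int countCorruptedParses(boolean useSharedStatic) throws Exception {
        String[] inputs = { "2019-01-01 00:00:00", "2020-12-31 23:59:59" };
        long[] expected = new long[inputs.length];
        for (int i = 0; i < inputs.length; i++) {
            expected[i] = new SimpleDateFormat(PATTERN).parse(inputs[i]).getTime();
        }
        AtomicInteger wrong = new AtomicInteger();
        ExecutorService pool = Executors.newFixedThreadPool(8);
        List<Future<?>> tasks = new ArrayList<>();
        for (int t = 0; t < 8; t++) {
            final int idx = t % inputs.length;
            tasks.add(pool.submit(() -> {
                for (int n = 0; n < 20000; n++) {
                    try {
                        Date d = useSharedStatic ? SHARED.parse(inputs[idx])
                                                 : DateUtil.parse(inputs[idx]);
                        if (d.getTime() != expected[idx]) {
                            wrong.incrementAndGet();
                        }
                    } catch (Exception e) {
                        // NumberFormatException / ArrayIndexOutOfBounds from a torn parse
                        wrong.incrementAndGet();
                    }
                }
            }));
        }
        for (Future<?> f : tasks) {
            f.get();
        }
        pool.shutdown();
        return wrong.get();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("shared static SimpleDateFormat, corrupted parses: "
                + countCorruptedParses(true));
        System.out.println("per-thread DateUtil, corrupted parses: "
                + countCorruptedParses(false));
    }
}
```

The shared run usually reports a non-zero count (the exact number depends on scheduling), the per-thread run reports zero. The ThreadLocal is the drop-in fix when callers still need java.util.Date; new code can use java.time.format.DateTimeFormatter instead, which is immutable and safe to keep in a static final field.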
2019-06-10 | Sonar critical fixes in EPAppCommonServiceImpl | r.bogacki | 1 | -6/+7
    Fixed issues according to the Sonar analysis:
    - Fixed imports.
    - Fixed logical comparisons.
    - Fixed comparisons between unrelated types.

    Issue-ID: PORTAL-588
    Signed-off-by: Robert Bogacki <r.bogacki@samsung.com>
    Change-Id: Ibc204e0218788bb82f947c668d68fb6e88db7043
2019-06-07 | Added lorraineawelch to INFO.yaml | Welch, Lorraine (lb2391) | 1 | -0/+5
    Issue-ID: PORTAL-618
    Signed-off-by: Welch, Lorraine (lb2391) <lb2391@att.com>
    Change-Id: I3d7f57c8cc20347f8adeefbada2eaffde0940262
2019-06-05 | XSS Vulnerability fix in DashboardSearchResultController | Dominik Mizyn | 2 | -11/+143
    Custom Validator is used to secure these endpoints.

    Issue-ID: OJSI-15
    Change-Id: Idf523a53bc5fe9e1df8110526d56336953759c86
    Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-06-05 | Custom data validator | Dominik Mizyn | 3 | -3/+164
    By creating a custom data validator we can reduce code duplication.

    Issue-ID: OJSI-15
    Change-Id: I39decf1d6ded559322c4445f0956fad2a159878d
    Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-05-31 | XSS Vulnerability fix in TicketEventController | Dominik Mizyn | 2 | -1/+31
    @SafeHtml and SecureString used to fix this issue.

    Issue-ID: OJSI-209
    Change-Id: I588872839696c824135bab88c100b31c23d960ba
    Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-05-31 | XSS Vulnerability fix in RoleManageController | Dominik Mizyn | 3 | -1/+127
    @SafeHtml and SecureString used to secure this class

    Issue-ID: OJSI-208
    Change-Id: Ie01799933add3419cacf0fc716ce2da6da0a2853
    Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-05-31 | XSS Vulnerability fix in AppsOSController | Dominik Mizyn | 2 | -3/+32
    SecureString class used to secure PathVariable.

    Issue-ID: OJSI-207
    Change-Id: I6275c5db4d8d97dc60ef1676b651e3d8802ad9f7
    Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-05-30 | Merge changes I1c586793,I47249407,Idad22dea,I5c3bee06,I5cb96956 | Manoop Talasila | 1 | -0/+6
    * changes:
      Document OJSI-190 vulnerability
      Document OJSI-174 (CVE-2019-12318) vulnerability
      Document OJSI-92 (CVE-2019-12121) vulnerability
      Document OJSI-65 (CVE-2019-1212) vulnerability
      Document OJSI-15 (CVE-2019-12317) vulnerability
2019-05-30 | Merge "Don't give the user the exact stack trace of the exception" | Manoop Talasila | 1 | -20/+26
2019-05-30 | Merge "Don't give user the exact exception description" | Manoop Talasila | 1 | -0/+8
2019-05-30 | Document OJSI-190 vulnerability | Krzysztof Opasiak | 1 | -0/+1
    Issue-ID: OJSI-190
    Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
    Change-Id: I1c586793b744a5807e7b1a7a1d416dfd43409ab0
2019-05-30 | Document OJSI-174 (CVE-2019-12318) vulnerability | Krzysztof Opasiak | 1 | -0/+1
    Issue-ID: OJSI-174
    Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
    Change-Id: I47249407ccb62ca7ffd1d8edc9ada8793f4c53c9
2019-05-30 | Document OJSI-92 (CVE-2019-12121) vulnerability | Krzysztof Opasiak | 1 | -0/+1
    Issue-ID: OJSI-92
    Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
    Change-Id: Idad22deafb262da539c52fa8733e7ea098fd1361
2019-05-30 | Document OJSI-65 (CVE-2019-1212) vulnerability | Krzysztof Opasiak | 1 | -0/+1
    Issue-ID: OJSI-65
    Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
    Change-Id: I5c3bee06c2b1da3eca2bb583c57decb35b0f32c0
2019-05-30 | Document OJSI-15 (CVE-2019-12317) vulnerability | Krzysztof Opasiak | 1 | -0/+2
    Issue-ID: OJSI-15
    Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
    Change-Id: I5cb96956f25e09a390ef24a52f6222c0cc7b9e94
2019-05-30 | XSS Vulnerability fix in AppsControllerExternalRequest | Dominik Mizyn | 8 | -30/+210
    @SafeHtml annotation is used to fix this problem.
    This patch also fixes some minor issues:
    * isAuxRESTfulCall() method deleted. The method was not used anywhere.
    * '.length() == 0' changed to '.isEmpty()'

    Issue-ID: PORTAL-604
    Change-Id: Ib7091622081f507812654b50275ad7ac4c97bfc3
    Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-05-30 | Sonar issue: Correct this "&" to "&&" in MicroserviceServiceImpl | Dominik Mizyn | 1 | -25/+22
    This patch also fixes some minor issues:
    * 'fori' loop replaced with 'foreach'
    * Sonar issue: Replace the type specification in this constructor call with the diamond operator ("<>").
    * redundant 'throws'. Exception will never be thrown
    * unnecessary temporary local variable

    Issue-ID: PORTAL-603
    Change-Id: If23afb9f4a10f0ad06c712cb95a38b54dc5cd089
    Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-05-30 | XSS Vulnerability fix in MicroserviceController | Dominik Mizyn | 4 | -67/+112
    @SafeHtml annotation is used to fix this problem.
    This commit also fixes:
    * redundant local variable issue
    * sonar issue: Replace the type specification in this constructor call with the diamond operator ("<>").
    * performance issue - String concatenation as argument to 'StringBuilder.append()' call
    * redundant cast
    * redundant 'throws Exception'. 'Exception' is never thrown
    * access static member via instance reference
    * unused declarations

    Issue-ID: PORTAL-602
    Change-Id: Id92fe2d9cfe239474403f611f3d5d0170acf63cc
    Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-05-30 | XSS Vulnerability fix in DashboardSearchResultController | Dominik Mizyn | 6 | -58/+270
    @SafeHtml annotation is used to fix this problem.
    New class 'SecureString' must be added to the project to validate incoming
    Strings from '@RequestParam String incoming String'. pom.xml file updated.
    This patch also fixes:
    * remove unnecessary semicolon
    * Sonar issue: Replace the type specification in this constructor call with the diamond operator ("<>")

    Issue-ID: PORTAL-601
    Change-Id: Id214b6e65f0c486141679fd23725a7fb66443acd
    Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-05-30 | Fix sonar issue: Override "equals(Object obj)" | Dominik Mizyn | 2 | -1/+27
    This commit provides an equals method for CentralV2UserApp and a test for this method.

    Issue-ID: PORTAL-599
    Change-Id: Ied44c680032831ec6a02211f658ec16f0aad8f4a
    Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-05-30 | Fix sql injection vulnerability | Dominik Orliński | 2 | -3/+34
    Use a variable binding instead of concatenation.
    Add a new test for the function 'createLocalUserIfNecessary'.

    Issue-ID: OJSI-174
    Change-Id: Iddd65893bb2cb16c90d4f8db59816fdf261874bc
    Signed-off-by: Dominik Orliński <d.orlinski@samsung.com>
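An added example of the binding change this commit describes; it is written for this page and is not the portal's createLocalUserIfNecessary. The fn_user table, the org_user_id column, the row contents and the H2 in-memory JDBC URL are assumptions made so the concatenated lookup and the bound lookup can be run side by side against a constructed table with the same tautology payload.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class UserLookupBindingExample {

    // BEFORE: the caller-controlled id is spliced into the SQL text. A quote in
    // the value ends the literal and the rest of the payload is parsed as SQL,
    // so the WHERE clause can be rewritten by whoever supplies orgUserId.
    static int countUsersUnsafe(Connection conn, String orgUserId) throws SQLException {
        String sql = "SELECT COUNT(*) FROM fn_user WHERE org_user_id = '" + orgUserId + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // AFTER: the value travels as a bound parameter. The driver sends the query
    // text and the value separately, so quotes inside the value are only data.
    static int countUsersBound(Connection conn, String orgUserId) throws SQLException {
        String sql = "SELECT COUNT(*) FROM fn_user WHERE org_user_id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, orgUserId);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed in-memory table; the URL assumes the H2 driver on the classpath.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE fn_user (user_id INT, org_user_id VARCHAR(30))");
                st.execute("INSERT INTO fn_user VALUES (1, 'alice'), (2, 'bob')");
            }
            // Classic tautology payload: closes the literal and appends OR '1'='1'.
            String payload = "nobody' OR '1'='1";

            // Concatenation: the predicate becomes always-true and every row matches.
            System.out.println("unsafe, payload -> " + countUsersUnsafe(conn, payload));
            // Binding: the literal string nobody' OR '1'='1 is looked up and matches nothing.
            System.out.println("bound,  payload -> " + countUsersBound(conn, payload));
            System.out.println("bound,  alice   -> " + countUsersBound(conn, "alice"));
        }
    }
}
```

The same rule applies on the Hibernate side the portal uses: an HQL query should carry a named parameter (`"from User u where u.orgUserId = :id"` with `setParameter("id", orgUserId)`) rather than the value concatenated into the query string.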
2019-05-29 | Sonar: Reduce cyclomatic complexity | Dominik Mizyn | 2 | -14/+31
    Reduce the number of conditional operators for equals().
    Improve testEquals() to better cover this method.
    This patch also:
    * immediately returns expression instead of assigning it to the temporary variable "str",
    * adds the "@Override" annotation above equals() method signature.

    Issue-ID: PORTAL-595
    Change-Id: I15f600acce873eb3f22cc405d06a50890c7e87c3
    Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
2019-05-29 | Don't give the user the exact stack trace of the exception | Piotr Borelowski | 1 | -20/+26
    Catching the exception in the SecurityXssFilter class.

    Issue-ID: OJSI-192
    Change-Id: I8d9d7a3032f98afcb58285b13b13d5ce35fddadd
    Signed-off-by: Piotr Borelowski <p.borelowski@partner.samsung.com>
2019-05-28 | Merge "Removed user password from portal's profile API" | Manoop Talasila | 3 | -13/+7
2019-05-28 | Don't give user the exact exception description | Piotr Borelowski | 1 | -0/+8
    The exact description of the exception, especially if related to
    cryptography, cannot be given to the user as it may be abused by an
    attacker. To fix that, we started to use @ExceptionHandler for all
    exceptions in the LoginController as well.

    CVE: CVE-2019-12121
    Issue-ID: OJSI-92
    Change-Id: I100b37ff33d28ebccc2411c3acc62bdb7ce11ca8
    Signed-off-by: Piotr Borelowski <p.borelowski@partner.samsung.com>
    Reviewed-by: Krzysztof Opasiak <k.opasiak@samsung.com>
    Acked-by: Manoop Talasila <talasila@research.att.com>
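An added example tying together two patterns that recur in this log: the SecureString/@SafeHtml check from the DashboardSearchResultController XSS fixes above, and the @ExceptionHandler from this LoginController fix. The controller, its route, the SecureString holder and the response texts are hypothetical and not the portal's code; it assumes Spring Web MVC and Hibernate Validator 6.0 (where org.hibernate.validator.constraints.SafeHtml still exists) on the classpath.

```java
import java.util.Set;
import javax.validation.ConstraintViolation;
import javax.validation.Validation;
import javax.validation.Validator;
import javax.validation.constraints.NotNull;
import org.hibernate.validator.constraints.SafeHtml;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller for illustration; not the portal's own class.
@RestController
public class SafeSearchController {

    private static final Logger LOG = LoggerFactory.getLogger(SafeSearchController.class);
    private static final Validator VALIDATOR =
            Validation.buildDefaultValidatorFactory().getValidator();

    // Holder for a request parameter that must be plain text. @SafeHtml with
    // WhiteListType.NONE fails on any HTML element or attribute, so a value
    // such as <script> never reaches code that echoes it back. Wrapping the
    // raw String avoids repeating the constraint on every @RequestParam.
    public static class SecureString {
        @NotNull
        @SafeHtml(whitelistType = SafeHtml.WhiteListType.NONE)
        private final String value;

        public SecureString(String value) { this.value = value; }
        public String getValue() { return value; }
    }

    // True when the string carries no markup; this is what the endpoint gates on.
    public static boolean isSafe(String raw) {
        Set<ConstraintViolation<SecureString>> violations =
                VALIDATOR.validate(new SecureString(raw));
        return violations.isEmpty();
    }

    @GetMapping("/portalApi/searchPortal")
    public ResponseEntity<String> search(@RequestParam("searchString") String searchString) {
        if (!isSafe(searchString)) {
            // Reject before the value is written into JSON or a template.
            return ResponseEntity.badRequest().body("invalid search string");
        }
        return ResponseEntity.ok("results for: " + searchString);
    }

    // Anything escaping a handler is logged with its full stack trace on the
    // server; the client only ever sees a fixed message, so cipher padding
    // errors, SQL syntax or class names never leak in the response.
    @ExceptionHandler(Exception.class)
    public ResponseEntity<String> handleAny(Exception e) {
        LOG.error("request failed", e);
        return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
                .body("request could not be processed");
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal query and two reflected-XSS probes.
        System.out.println("applications -> " + isSafe("applications"));
        System.out.println("<script>alert(1)</script> -> " + isSafe("<script>alert(1)</script>"));
        System.out.println("<img src=x onerror=alert(1)> -> " + isSafe("<img src=x onerror=alert(1)>"));
    }
}
```

Two caveats a practitioner should keep in mind. @SafeHtml is input validation, not output encoding: values that pass still need to be encoded for the context they are rendered in. And Hibernate Validator deprecated @SafeHtml in 6.1 and removed it in 7.0, so on newer versions the same check is written as a custom constraint backed by jsoup's Cleaner, which is what @SafeHtml used internally.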
2019-05-28 | Removed user password from portal's profile API | r.bogacki | 3 | -13/+7
    ONAP Portal allowed retrieving the password of the currently active user
    via the "/portalApi/loggedinUser" endpoint. The prefilled "Login Password"
    field has been changed to "*****" and the password is not sent to the
    frontend anymore. Only after a change of this default value will the
    password be updated. The Confirm Password field has been removed from
    the UI. In the future, the password change could additionally be checked
    on the backend side to verify the current password before updating it.

    Issue-ID: OJSI-65
    Signed-off-by: Robert Bogacki <r.bogacki@samsung.com>
    Reviewed-by: Krzysztof Opasiak <k.opasiak@samsung.com>
    Acked-by: Manoop Talasila <talasila@research.att.com>
    Change-Id: I00b7713557247d211927c437f31f118095ad0726
2019-05-27 | Document OJSI-106 vulnerability | Krzysztof Opasiak | 1 | -0/+1
    Issue-ID: OJSI-106
    Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
    Change-Id: I549009cf3c313b0f5307b99ce22b56243e933f8f
2019-05-24 | Document OJSI-105 vulnerability | Krzysztof Opasiak | 1 | -0/+1
    Issue-ID: OJSI-105
    Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
    Change-Id: I8c3a00ce98886f7175e5cf85f09309bd50ef702c
2019-05-24 | Document OJSI-97 vulnerability | Krzysztof Opasiak | 1 | -0/+1
    Issue-ID: OJSI-97
    Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
    Change-Id: I56d194918b91580d5d9f6b25e564923fe29c51f3