From a665aa372b189efa98bfe17ce485c053bc0754e4 Mon Sep 17 00:00:00 2001
From: Dominik Mizyn <d.mizyn@samsung.com>
Date: Fri, 31 May 2019 15:35:38 +0200
Subject: XSS Vulnerability fix in TicketEventController

@SafeHtml and SecureString used to fix this issue;

Issue-ID: OJSI-209
Change-Id: I588872839696c824135bab88c100b31c23d960ba
Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
---
 .../portal/controller/TicketEventController.java     | 20 +++++++++++++++++++-
 .../portal/controller/TicketEventControllerTest.java | 12 ++++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/TicketEventController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/TicketEventController.java
index b9f6f76d..71f7f81a 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/TicketEventController.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/TicketEventController.java
@@ -47,6 +47,10 @@ import java.util.Set;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import javax.validation.ConstraintViolation;
+import javax.validation.Validation;
+import javax.validation.Validator;
+import javax.validation.ValidatorFactory;
 import org.onap.portalapp.portal.domain.EPUser;
 import org.onap.portalapp.portal.ecomp.model.PortalRestResponse;
 import org.onap.portalapp.portal.ecomp.model.PortalRestStatusEnum;
@@ -56,6 +60,7 @@ import org.onap.portalapp.portal.service.UserNotificationService;
 import org.onap.portalapp.portal.transport.EpNotificationItem;
 import org.onap.portalapp.portal.transport.EpRoleNotificationItem;
 import org.onap.portalapp.portal.utils.PortalConstants;
+import org.onap.portalapp.validation.SecureString;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
@@ -80,7 +85,7 @@ import io.swagger.annotations.ApiOperation;
 @EnableAspectJAutoProxy
 @EPAuditLog
 public class TicketEventController implements BasicAuthenticationController {
-
+	private static final ValidatorFactory VALIDATOR_FACTORY = Validation.buildDefaultValidatorFactory();
 
 	@Autowired
 	private UserNotificationService userNotificationService;
@@ -105,6 +110,19 @@ public class TicketEventController implements BasicAuthenticationController {
 
 		logger.debug(EELFLoggerDelegate.debugLogger, "Ticket Event notification" + ticketEventJson);
 		PortalRestResponse<String> portalResponse = new PortalRestResponse<>();
+
+		if (ticketEventJson!=null){
+			SecureString secureString = new SecureString(ticketEventJson);
+			Validator validator = VALIDATOR_FACTORY.getValidator();
+
+			Set<ConstraintViolation<SecureString>> constraintViolations = validator.validate(secureString);
+			if (!constraintViolations.isEmpty()){
+				portalResponse.setStatus(PortalRestStatusEnum.ERROR);
+				portalResponse.setMessage("Data is not valid");
+				return portalResponse;
+			}
+		}
+
 		try {
 			JsonNode ticketEventNotif = mapper.readTree(ticketEventJson);
 
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/TicketEventControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/TicketEventControllerTest.java
index aca7c1b3..211462d1 100644
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/TicketEventControllerTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/TicketEventControllerTest.java
@@ -150,6 +150,18 @@ public class TicketEventControllerTest {
 		assertTrue(actualPortalRestResponse.getStatus().compareTo(PortalRestStatusEnum.OK) == 0);
 	}
 
+	@Test
+	public void saveXSSTest() throws Exception {
+		String ticketEventJson = "<iframe %00 src=\"&Tab;javascript:prompt(1)&Tab;\"%00>";
+		PortalRestResponse<String> actualPortalRestResponse;
+		PortalRestResponse<String> expectedPortalRestResponse = new PortalRestResponse<>();
+		expectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
+		expectedPortalRestResponse.setMessage("Data is not valid");
+		actualPortalRestResponse = ticketEventController.handleRequest(mockedRequest,
+			mockedResponse, ticketEventJson);
+		assertEquals(expectedPortalRestResponse, actualPortalRestResponse);
+	}
+
 	@Test
 	public void saveTestForException() throws Exception {
 		String ticketEventJson = "\"event\": {\"body\": {\"ticketStatePhrase\": \"We recently detected a problem with the equipment at your site. The event is in queue for immediate work.\", \"ivrNotificationFlag\": \"1\",\"expectedRestoreDate\": 0,\"bridgeTransport\": \"AOTS\",  \"reptRequestType\": 0,\"ticketNum\": \"000002000857405\",\"assetID\": \"CISCO_1921C1_ISR_G2\", \"eventDate\": 1490545134601,\"eventAbstract\": \"ospfIfConfigError trap received from Cisco_1921c1_ISR_G2 with arguments: ospfRouterId=Cisco_1921c1_ISR_G2; ospfIfIpAddress=1921c1_288266; ospfAddressLessIf=0; ospfPacketSrc=172.17.0.11; ospfConfigErrorType=2; ospfPacketType=1\",\"severity\": \"2 - Major\",\"ticketPriority\": \"3\",\"reportedCustomerImpact\": 0,\"testAutoIndicator\": 0,\"supportGroupName\": \"US-TEST-ORT\",\"lastModifiedDate\": \"1487687703\",\"messageGroup\": \"SNMP\",\"csi\": 0,\"mfabRestoredTime\": 0},\"header\": {\"timestamp\": \"2017-02-21T14:35:05.219+0000\",\"eventSource\": \"aotstm\",\"entityId\": \"000002000857405\",      \"sequenceNumber\": 2 },\"blinkMsgId\": \"f38c071e-1a47-4b55-9e72-1db830100a61\",\"sourceIP\": \"130.4.165.158\"},\"SubscriberInfo\": {\"UserList\": [\"hk8777\"] }}";
-- 
cgit 1.2.3-korg