From 85b0d73e7150af1cbebefa8e6f0ab4b5c96e6019 Mon Sep 17 00:00:00 2001 From: Dominik Mizyn Date: Mon, 21 Oct 2019 14:32:48 +0200 Subject: Persistent XSS vulnerability in onboardingApps form fix javax.validation.Validator used to fix this vulnerability issue. Issue-ID: OJSI-18 Change-Id: I26ec795a23869c0dccd22c50e4469ae264cb7547 Signed-off-by: Dominik Mizyn --- .../java/org/onap/portalapp/portal/controller/AppsController.java | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'ecomp-portal-BE-common/src/main/java/org/onap') diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java index 0be0d357..c34311c3 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java @@ -739,6 +739,11 @@ public class AppsController extends EPRestrictedBaseController { user = EPUserUtils.getUserSession(request); if (!adminRolesService.isSuperAdmin(user) && !adminRolesService.isAccountAdminOfAnyActiveorInactiveApplication(user, oldEPApp) ) { EcompPortalUtils.setBadPermissions(user, response, "putOnboardingApp"); + } else if(!dataValidator.isValid(modifiedOnboardingApp)){ + logger.error(EELFLoggerDelegate.errorLogger, "putOnboardingApp is not valid"); + EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/onboardingApps", "POST result =", + response.getStatus()); + return fieldsValidator; } else { if((oldEPApp.getCentralAuth() && modifiedOnboardingApp.isCentralAuth && !oldEPApp.getNameSpace().equalsIgnoreCase(modifiedOnboardingApp.nameSpace) && modifiedOnboardingApp.nameSpace!= null ) || (!oldEPApp.getCentralAuth() && modifiedOnboardingApp.isCentralAuth && modifiedOnboardingApp.nameSpace!= null)) { -- cgit 1.2.3-korg