From 604bf4f45cf1f1726f1b8129963627ffb90b5f4c Mon Sep 17 00:00:00 2001 From: Dominik Mizyn Date: Mon, 21 Oct 2019 13:46:35 +0200 Subject: Persistent XSS vulnerability in basicAuthAccount form fix javax.validation.Validator used to fix this vulnerability issue. Issue-ID: OJSI-20 Change-Id: I2e8188d9dabf634fcaf41b8d42d0f7160cc0886d Signed-off-by: Dominik Mizyn --- .../portal/controller/BasicAuthAccountController.java | 17 ++++++++++++++++- .../portalapp/portal/domain/BasicAuthCredentials.java | 11 +++++++---- .../org/onap/portalapp/portal/domain/EPEndpoint.java | 2 ++ .../portal/service/BasicAuthAccountServiceImpl.java | 7 ++++++- 4 files changed, 31 insertions(+), 6 deletions(-) (limited to 'ecomp-portal-BE-common/src/main') diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/BasicAuthAccountController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/BasicAuthAccountController.java index 9024570c..f655d352 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/BasicAuthAccountController.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/BasicAuthAccountController.java @@ -53,6 +53,7 @@ import org.onap.portalapp.portal.logging.aop.EPAuditLog; import org.onap.portalapp.portal.service.AdminRolesService; import org.onap.portalapp.portal.service.BasicAuthAccountService; import org.onap.portalapp.util.EPUserUtils; +import org.onap.portalapp.validation.DataValidator; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.EnableAspectJAutoProxy; @@ -74,6 +75,7 @@ public class BasicAuthAccountController extends EPRestrictedBaseController { private static final String ADMIN_ONLY_OPERATIONS = "Admin Only Operation! "; private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(BasicAuthAccountController.class); + private final DataValidator dataValidator = new DataValidator(); @Autowired private BasicAuthAccountService basicAuthAccountService; @@ -98,6 +100,8 @@ public class BasicAuthAccountController extends EPRestrictedBaseController { public PortalRestResponse createBasicAuthAccount(HttpServletRequest request, HttpServletResponse response, @RequestBody BasicAuthCredentials newBasicAuthAccount) throws Exception { + + EPUser user = EPUserUtils.getUserSession(request); if (!adminRolesService.isSuperAdmin(user)) { return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, AUTHORIZATION_REQUIRED, @@ -108,7 +112,18 @@ public class BasicAuthAccountController extends EPRestrictedBaseController { return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE, "newBasicAuthAccount cannot be null or empty"); } - long accountId = basicAuthAccountService.saveBasicAuthAccount(newBasicAuthAccount); + + if(!dataValidator.isValid(newBasicAuthAccount)){ + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "createBasicAuthAccount() failed, new credential are not safe", + ""); + } + + long accountId; + try { + accountId = basicAuthAccountService.saveBasicAuthAccount(newBasicAuthAccount); + } catch (Exception e){ + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE, e.getMessage()); + } List endpointIdList = new ArrayList<>(); try { diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/domain/BasicAuthCredentials.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/domain/BasicAuthCredentials.java index f0e93bcb..6d8a3f87 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/domain/BasicAuthCredentials.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/domain/BasicAuthCredentials.java @@ -39,21 +39,24 @@ package org.onap.portalapp.portal.domain; import java.util.List; +import javax.validation.Valid; +import org.hibernate.validator.constraints.SafeHtml; import org.onap.portalsdk.core.domain.support.DomainVo; public class BasicAuthCredentials extends DomainVo { private static final long serialVersionUID = 1L; - public BasicAuthCredentials() { - - } - private Long id; + @SafeHtml private String applicationName; + @SafeHtml private String username; + @SafeHtml private String password; + @SafeHtml private String isActive; + @Valid private List endpoints; public Long getId() { diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/domain/EPEndpoint.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/domain/EPEndpoint.java index 92c8572b..97ecbcbe 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/domain/EPEndpoint.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/domain/EPEndpoint.java @@ -37,6 +37,7 @@ */ package org.onap.portalapp.portal.domain; +import org.hibernate.validator.constraints.SafeHtml; import org.onap.portalsdk.core.domain.support.DomainVo; public class EPEndpoint extends DomainVo { @@ -48,6 +49,7 @@ public class EPEndpoint extends DomainVo { } private Long id; + @SafeHtml private String name; public Long getId() { diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/BasicAuthAccountServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/BasicAuthAccountServiceImpl.java index 74cf1726..98b0f127 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/BasicAuthAccountServiceImpl.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/BasicAuthAccountServiceImpl.java @@ -49,6 +49,7 @@ import org.onap.portalapp.portal.domain.EPEndpoint; import org.onap.portalapp.portal.domain.EPEndpointAccount; import org.onap.portalapp.portal.logging.aop.EPMetricsLog; import org.onap.portalapp.portal.utils.EPCommonSystemProperties; +import org.onap.portalapp.validation.DataValidator; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; import org.onap.portalsdk.core.onboarding.util.CipherUtil; import org.onap.portalsdk.core.service.DataAccessService; @@ -62,12 +63,16 @@ import org.springframework.stereotype.Service; @EPMetricsLog public class BasicAuthAccountServiceImpl implements BasicAuthAccountService{ EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(MicroserviceServiceImpl.class); - + private final DataValidator dataValidator = new DataValidator(); @Autowired private DataAccessService dataAccessService; @Override public Long saveBasicAuthAccount(BasicAuthCredentials newCredential) throws Exception { + + if(!dataValidator.isValid(newCredential)){ + throw new Exception("saveBasicAuthAccount() failed, new credential are not safe"); + } if (newCredential.getPassword() != null) newCredential.setPassword(encryptedPassword(newCredential.getPassword())); try{ -- cgit 1.2.3-korg