From be638f25cb9d7021ba6b58a6d3baa5cca134c56f Mon Sep 17 00:00:00 2001 From: Dominik Mizyn Date: Mon, 21 Oct 2019 13:03:55 +0200 Subject: Reflected XSS vulnerability in saveNotification form fix. javax.validation.Validator used to fix this vulnerability. Issue-ID: OJSI-22 Change-Id: I5837e333f640a398ab6b25e8a0b9f611bb7d3af9 Signed-off-by: Dominik Mizyn --- .../portal/controller/ExternalAppsRestfulController.java | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'ecomp-portal-BE-common/src/main') diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/ExternalAppsRestfulController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/ExternalAppsRestfulController.java index 15ce305d..7615b660 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/ExternalAppsRestfulController.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/ExternalAppsRestfulController.java @@ -66,6 +66,8 @@ import org.onap.portalapp.portal.transport.FunctionalMenuItem; import org.onap.portalapp.portal.utils.EPCommonSystemProperties; import org.onap.portalapp.portal.utils.EcompPortalUtils; import org.onap.portalapp.portal.utils.PortalConstants; +import org.onap.portalapp.validation.DataValidator; +import org.onap.portalapp.validation.SecureString; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; import org.onap.portalsdk.core.onboarding.crossapi.PortalAPIResponse; import org.slf4j.MDC; @@ -90,6 +92,7 @@ import io.swagger.annotations.ApiOperation; public class ExternalAppsRestfulController extends EPRestrictedRESTfulBaseController { private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(ExternalAppsRestfulController.class); + private final DataValidator DATA_VALIDATOR = new DataValidator(); @Autowired private FunctionalMenuService functionalMenuService; @@ -111,6 +114,11 @@ public class ExternalAppsRestfulController extends EPRestrictedRESTfulBaseContro @ResponseBody public PortalAPIResponse publishNotification(HttpServletRequest request, @RequestBody EpNotificationItem notificationItem) throws Exception { + + if(!DATA_VALIDATOR.isValid(notificationItem)){ + PortalAPIResponse response = new PortalAPIResponse(false, "failed"); + return response; + } String appKey = request.getHeader("uebkey"); EPApp app = findEpApp(appKey); List postRoleIds = new ArrayList(); @@ -119,8 +127,8 @@ public class ExternalAppsRestfulController extends EPRestrictedRESTfulBaseContro EPRole role = epRoleService.getRole(app.getId(), roleId); if (role != null) postRoleIds.add(role.getId()); - } - } + } + } // --- recreate the user notification object with the POrtal Role Ids EpNotificationItem postItem = new EpNotificationItem(); -- cgit 1.2.3-korg