From 5d37bb1bbd825616ef7b1622c71a2dce5239cc23 Mon Sep 17 00:00:00 2001 From: Dominik Mizyn Date: Thu, 6 Jun 2019 11:39:35 +0200 Subject: XSS Vulnerability fix in WidgetsController Custom data validator used to fix this issue. Issue-ID: OJSI-15 Signed-off-by: Dominik Mizyn Change-Id: I0113097b2118656780f4f9bca8b4ee99e85b6f6d --- .../portal/controller/WidgetsControllerTest.java | 51 ++++++++++++++++++++-- 1 file changed, 47 insertions(+), 4 deletions(-) (limited to 'ecomp-portal-BE-common/src/test/java/org/onap') diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/WidgetsControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/WidgetsControllerTest.java index c6bd8001..f69ac99e 100644 --- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/WidgetsControllerTest.java +++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/WidgetsControllerTest.java @@ -68,7 +68,7 @@ import org.springframework.web.client.RestClientException; public class WidgetsControllerTest extends MockitoTestSuite{ @InjectMocks - WidgetsController widgetsController = new WidgetsController(); + WidgetsController widgetsController; @Mock private AdminRolesService rolesService; @@ -150,7 +150,7 @@ public class WidgetsControllerTest extends MockitoTestSuite{ OnboardingWidget onboardingWidget=new OnboardingWidget(); onboardingWidget.id=12L; onboardingWidget.normalize(); - //Mockito.doNothing().when(onboardingWidget).normalize(); + //Mockito.doNothing().when(onboardingWidget).normalize(); FieldsValidator expectedFieldValidator = new FieldsValidator(); List fields = new ArrayList<>(); @@ -161,6 +161,24 @@ public class WidgetsControllerTest extends MockitoTestSuite{ actualFieldsValidator = widgetsController.putOnboardingWidget(mockedRequest, 12L, onboardingWidget, mockedResponse); } + + @Test + public void putOnboardingWidgetXSSTest() { + FieldsValidator actualFieldsValidator = null; + EPUser user = mockUser.mockEPUser(); + Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user); + OnboardingWidget onboardingWidget=new OnboardingWidget(); + onboardingWidget.id=12L; + onboardingWidget.name = ""; + onboardingWidget.normalize(); + FieldsValidator expectedFieldValidator = new FieldsValidator(); + expectedFieldValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE); + Mockito.when(widgetService.setOnboardingWidget(user, onboardingWidget)).thenReturn(expectedFieldValidator); + actualFieldsValidator = widgetsController.putOnboardingWidget(mockedRequest, 12L, onboardingWidget, mockedResponse); + + assertEquals(expectedFieldValidator, actualFieldsValidator); + + } @Test public void putOnboardingWidgetWithUserPermissionTest() { @@ -172,7 +190,7 @@ public class WidgetsControllerTest extends MockitoTestSuite{ OnboardingWidget onboardingWidget=new OnboardingWidget(); onboardingWidget.id=12L; onboardingWidget.normalize(); - //Mockito.doNothing().when(onboardingWidget).normalize(); + //Mockito.doNothing().when(onboardingWidget).normalize(); FieldsValidator expectedFieldValidator = new FieldsValidator(); List fields = new ArrayList<>(); @@ -209,6 +227,31 @@ public class WidgetsControllerTest extends MockitoTestSuite{ assertEquals(expectedFieldValidator.getErrorCode(), actualFieldsValidator.getErrorCode()); assertEquals(expectedFieldValidator.getFields(), actualFieldsValidator.getFields()); } + + @Test + public void postOnboardingWidgetXSSTest(){ + EPUser user=mockUser.mockEPUser(); + Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user); + FieldsValidator actualFieldsValidator = null; + Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user); + Mockito.when(rolesService.isSuperAdmin(user)).thenReturn(true); + Mockito.when(rolesService.isAccountAdmin(user)).thenReturn(true); + OnboardingWidget onboardingWidget=new OnboardingWidget(); + onboardingWidget.id=12L; + onboardingWidget.appName=""; + onboardingWidget.normalize(); + FieldsValidator expectedFieldValidator = new FieldsValidator(); + List fields = new ArrayList<>(); + + expectedFieldValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE); + expectedFieldValidator.setFields(fields); + expectedFieldValidator.setErrorCode(null); + Mockito.when(widgetService.setOnboardingWidget(user, onboardingWidget)).thenReturn(expectedFieldValidator); + actualFieldsValidator = widgetsController.postOnboardingWidget(mockedRequest, onboardingWidget, mockedResponse); + assertEquals(expectedFieldValidator.getHttpStatusCode(), actualFieldsValidator.getHttpStatusCode()); + assertEquals(expectedFieldValidator.getErrorCode(), actualFieldsValidator.getErrorCode()); + assertEquals(expectedFieldValidator.getFields(), actualFieldsValidator.getFields()); + } @Test public void postOnboardingWidgetTestwiThoutUserPermission() { @@ -218,7 +261,7 @@ public class WidgetsControllerTest extends MockitoTestSuite{ OnboardingWidget onboardingWidget=new OnboardingWidget(); onboardingWidget.id=12L; onboardingWidget.normalize(); - //Mockito.doNothing().when(onboardingWidget).normalize(); + //Mockito.doNothing().when(onboardingWidget).normalize(); FieldsValidator expectedFieldValidator = new FieldsValidator(); List fields = new ArrayList<>(); -- cgit 1.2.3-korg