From 604bf4f45cf1f1726f1b8129963627ffb90b5f4c Mon Sep 17 00:00:00 2001
From: Dominik Mizyn
Date: Mon, 21 Oct 2019 13:46:35 +0200
Subject: Persistent XSS vulnerability in basicAuthAccount form fix

javax.validation.Validator used to fix this vulnerability issue.

Issue-ID: OJSI-20
Change-Id: I2e8188d9dabf634fcaf41b8d42d0f7160cc0886d
Signed-off-by: Dominik Mizyn
---
 .../controller/BasicAuthAccountControllerTest.java | 22 ++++++++++++++++++++++
 .../service/BasicAuthAccountServiceImplTest.java | 9 +++++++++
 2 files changed, 31 insertions(+)

(limited to 'ecomp-portal-BE-common/src/test/java')

diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/BasicAuthAccountControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/BasicAuthAccountControllerTest.java
index c9d3c2fd..ff056d0d 100644
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/BasicAuthAccountControllerTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/BasicAuthAccountControllerTest.java
@@ -134,6 +134,28 @@ public class BasicAuthAccountControllerTest extends MockitoTestSuite {
 assertEquals(actualResponse, expectedResponse);
 }
+ @Test
+ public void createBasicAuthAccountXSSTest() throws Exception {
+ BasicAuthCredentials basicAuthCredentials = basicAuthCredentials();
+ basicAuthCredentials.setPassword("");
+
+ EPUser user = mockUser.mockEPUser();
+ Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+ Mockito.when(adminRolesService.isSuperAdmin(user)).thenReturn(true);
+ PortalRestResponse expectedResponse = new PortalRestResponse();
+ expectedResponse.setMessage("createBasicAuthAccount() failed, new credential are not safe");
+ expectedResponse.setResponse("");
+ PortalRestStatusEnum portalRestStatusEnum = null;
+ expectedResponse.setStatus(portalRestStatusEnum.ERROR);
+ long accountd = 1;
+
+ Mockito.when(basicAuthAccountService.saveBasicAuthAccount(basicAuthCredentials)).thenReturn(accountd);
+
+ PortalRestResponse actualResponse = basicAuthAccountController.createBasicAuthAccount(mockedRequest,
+ mockedResponse, basicAuthCredentials);
+ assertEquals(actualResponse, expectedResponse);
+ }
+
+ @Test
 public void createBasicAuthAccountAdminTest() throws Exception {
 BasicAuthCredentials basicAuthCredentials = basicAuthCredentials();
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/BasicAuthAccountServiceImplTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/BasicAuthAccountServiceImplTest.java
index 4409a4fc..6382bef4 100644
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/BasicAuthAccountServiceImplTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/service/BasicAuthAccountServiceImplTest.java
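Review bot: The new controller test never checks that the rejected credential stays out of the service: it stubs `basicAuthAccountService.saveBasicAuthAccount(basicAuthCredentials)` to return `accountd` and then only compares the error response, so a controller that validated, built the error response and still saved would pass. Add `Mockito.verify(basicAuthAccountService, Mockito.never()).saveBasicAuthAccount(basicAuthCredentials);` after the assert and drop the now-unused stub and the `accountd` local. `PortalRestStatusEnum portalRestStatusEnum = null; expectedResponse.setStatus(portalRestStatusEnum.ERROR);` reaches a static enum constant through a null local (it compiles, but reads like an intended NPE); write `expectedResponse.setStatus(PortalRestStatusEnum.ERROR);` instead. The visible payload is `setPassword("")`; if markup inside the literal was stripped when this page was rendered the test is fine, but if the password really is empty the test exercises empty-input rejection rather than the script-injection case and the name `createBasicAuthAccountXSSTest` overstates what it proves. The controller and validator change under test are outside this test-only commit, so the error message asserted here cannot be checked against the implementation from this diff.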
@@ -78,6 +78,15 @@ public class BasicAuthAccountServiceImplTest {
 Mockito.doNothing().when(dataAccessService).saveDomainObject(basicAuthCredentials, null);
 basicAuthAccountServiceImpl.saveBasicAuthAccount(basicAuthCredentials);
+ }
+
+ @Test(expected= Exception.class)
+ public void saveBasicAuthAccountValidTest() throws Exception {
+ BasicAuthCredentials basicAuthCredentials = new BasicAuthCredentials();
+ basicAuthCredentials.setPassword("");
+ Mockito.doNothing().when(dataAccessService).saveDomainObject(basicAuthCredentials, null);
+ basicAuthAccountServiceImpl.saveBasicAuthAccount(basicAuthCredentials);
+ }
 @Test
-- 
cgit 1.2.3-korg
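Review bot: `@Test(expected= Exception.class)` on `saveBasicAuthAccountValidTest` accepts any exception, so an NPE from an unwired validator or an unstubbed mock passes the test exactly like the intended validation failure; narrow it to the type the service throws for unsafe credentials (not visible in this diff), e.g. `@Test(expected = <ServiceValidationException>.class)` with the real type filled in, or catch that type explicitly and assert on its message. The test also stubs `dataAccessService.saveDomainObject` but never asserts it was not reached; `Mockito.verify(dataAccessService, Mockito.never()).saveDomainObject(basicAuthCredentials, null);` states the property the fix actually guarantees, but it has to run after the exception is caught, which `expected=` cannot express. The name `saveBasicAuthAccountValidTest` reads as the positive case; `saveBasicAuthAccountRejectsUnsafeCredentialTest` would say what it checks. The enclosing test class continues outside the hunk.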