From fbbbba21e22b18803dda7b9af1aee00b8aa08696 Mon Sep 17 00:00:00 2001
From: Dominik Mizyn
Date: Mon, 15 Jul 2019 16:03:16 +0200
Subject: XSS Vulnerability fix in DashboardController

Custom data validator used to fix this issue.

Issue-ID: OJSI-15
Change-Id: I84bfb81e5d87f80211d46d1141cbf8e4075660fe
Signed-off-by: Dominik Mizyn
---
 .../portal/controller/DashboardControllerTest.java | 100 +++++++++++++++++----
 1 file changed, 85 insertions(+), 15 deletions(-)

(limited to 'ecomp-portal-BE-common/src/test/java')

diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/DashboardControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/DashboardControllerTest.java
index 417568da..cd130e9f 100644
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/DashboardControllerTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/DashboardControllerTest.java
@@ -57,10 +57,8 @@ import org.mockito.Matchers;
 import org.mockito.Mock;
 import org.mockito.Mockito;
 import org.mockito.MockitoAnnotations;
-import org.onap.portalapp.portal.controller.DashboardController;
 import org.onap.portalapp.portal.core.MockEPUser;
 import org.onap.portalapp.portal.domain.EPUser;
-import org.onap.portalapp.portal.domain.EcompAuditLog;
 import org.onap.portalapp.portal.ecomp.model.PortalRestResponse;
 import org.onap.portalapp.portal.ecomp.model.PortalRestStatusEnum;
 import org.onap.portalapp.portal.ecomp.model.SearchResultItem;
@@ -72,13 +70,10 @@ import org.onap.portalapp.portal.service.DashboardSearchServiceImpl; import org.onap.portalapp.portal.transport.CommonWidget; import org.onap.portalapp.portal.transport.CommonWidgetMeta; import org.onap.portalapp.portal.utils.EPCommonSystemProperties; -import org.onap.portalapp.portal.utils.EcompPortalUtils; -import org.onap.portalapp.portal.utils.PortalConstants; import org.onap.portalapp.util.EPUserUtils; import org.onap.portalsdk.core.domain.AuditLog; import org.onap.portalsdk.core.domain.support.CollaborateList; import org.onap.portalsdk.core.service.AuditService; -import org.onap.portalsdk.core.service.AuditServiceImpl; import org.onap.portalsdk.core.util.SystemProperties; import org.powermock.api.mockito.PowerMockito; import org.powermock.core.classloader.annotations.PrepareForTest; @@ -92,12 +87,9 @@ public class DashboardControllerTest { @Mock DashboardSearchService searchService = new DashboardSearchServiceImpl(); - - /*@Mock - AuditService auditService = new AuditServiceImpl();*/ - + @InjectMocks - DashboardController dashboardController = new DashboardController(); + DashboardController dashboardController; @Mock AdminRolesService adminRolesService = new AdminRolesServiceImpl(); @@ -129,7 +121,7 @@ public class DashboardControllerTest { commonWidget.setHref("testhref"); commonWidget.setTitle("testTitle"); commonWidget.setContent("testcontent"); - commonWidget.setEventDate("testDate"); + commonWidget.setEventDate("2017-03-24"); commonWidget.setSortOrder(1); widgetList.add(commonWidget); commonWidgetMeta.setItems(widgetList); 
@@ -163,8 +155,21 @@ public class DashboardControllerTest { PortalRestResponse actualResponse = dashboardController.getWidgetData(mockedRequest, resourceType); assertEquals(expectedData,actualResponse); - } - + } + + @Test + public void getWidgetDataTestXSS() { + + String resourceType = "“>"; + PortalRestResponse expectedData = new PortalRestResponse<>(); + expectedData.setStatus(PortalRestStatusEnum.ERROR); + expectedData.setMessage("Unexpected resource type “>"); + expectedData.setResponse(null); + + PortalRestResponse actualResponse = dashboardController.getWidgetData(mockedRequest, resourceType); + assertEquals(expectedData, actualResponse); + } + @Test public void getWidgetDataWithValidResourceTest() throws IOException { String resourceType = "EVENTS"; @@ -194,6 +199,20 @@ public class DashboardControllerTest { PortalRestResponse actualResponse = dashboardController.saveWidgetDataBulk(commonWidgetMeta); assertEquals(expectedData,actualResponse); } + + @Test + public void saveWidgetDataBulkXSSTest() { + CommonWidgetMeta commonWidgetMeta= mockCommonWidgetMeta(); + commonWidgetMeta.setCategory(""); + + PortalRestResponse expectedData = new PortalRestResponse<>(); + expectedData.setStatus(PortalRestStatusEnum.ERROR); + expectedData.setResponse("ERROR"); + expectedData.setMessage("Unsafe resource type " + commonWidgetMeta.toString()); + + PortalRestResponse actualResponse = dashboardController.saveWidgetDataBulk(commonWidgetMeta); + assertEquals(expectedData,actualResponse); + } @Test public void saveWidgetUnexpectedDataBulkTest() throws IOException { @@ -261,6 +280,24 @@ public class DashboardControllerTest { assertEquals(expectedData,actualResponse); } + + @Test + public void saveWidgetDataXSSTest() { + + CommonWidget commonWidget = mockCommonWidget(); + commonWidget.setId((long)1); + commonWidget.setContent("test"); + commonWidget.setCategory("
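Review bot: `getWidgetDataTestXSS` pins an error message that echoes the rejected input verbatim (`expectedData.setMessage("Unexpected resource type “>")` for a `resourceType` of `"“>"`), and `saveWidgetDataBulkXSSTest`, `saveWidgetDataXSSTest` and `deleteWidgetDataXSSTest` do the same through `toString()` of the rejected widget; the tests therefore lock in reflecting untrusted content into the response body, the very channel this fix is meant to close if that message is ever rendered unescaped. If the controller's message is changed to a constant, the assertions should follow it, e.g. `expectedData.setMessage("Unexpected resource type");`, identifying the offending field by name rather than by value where needed. The payload literals here (`"“>"` and the empty `setCategory("")`) appear to have lost their markup in this rendering, so the actual strings under test cannot be confirmed from this view. A one-line comment on each of these tests naming the validator rule being exercised, e.g. `// category/resource type must pass the controller's data validator; markup is rejected`, would keep the intent readable once the literals are seen in full.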
X"); + PortalRestResponse expectedData = new PortalRestResponse(); + expectedData.setStatus(PortalRestStatusEnum.ERROR); + expectedData.setResponse("ERROR"); + expectedData.setMessage("Unsafe resource type " + commonWidget.toString()); + + Mockito.when(adminRolesService.isSuperAdmin(Matchers.anyObject())).thenReturn(true); + PortalRestResponse actualResponse = dashboardController.saveWidgetData(commonWidget, mockedRequest, mockedResponse); + assertEquals(expectedData,actualResponse); + + } @Test public void saveWidgetDataTitleTest() throws IOException { @@ -268,6 +305,7 @@ public class DashboardControllerTest { commonWidget.setId((long)1); commonWidget.setContent("test"); commonWidget.setTitle("test"); + commonWidget.setEventDate("2017-05-06"); PortalRestResponse expectedData = new PortalRestResponse(); expectedData.setStatus(PortalRestStatusEnum.ERROR); expectedData.setMessage("Invalid category: test"); @@ -280,7 +318,8 @@ public class DashboardControllerTest { @Test public void saveWidgetDataErrorTest() throws IOException { - CommonWidget commonWidget = mockCommonWidget(); + CommonWidget commonWidget = mockCommonWidget(); + commonWidget.setEventDate("2017-03-05"); PortalRestResponse expectedData = new PortalRestResponse(); expectedData.setStatus(PortalRestStatusEnum.ERROR); expectedData.setMessage("Invalid category: test"); @@ -323,7 +362,7 @@ public class DashboardControllerTest { public void deleteWidgetDataTest() throws IOException { CommonWidget commonWidget = mockCommonWidget(); - + commonWidget.setEventDate("2017-03-25"); PortalRestResponse expectedData = new PortalRestResponse(); expectedData.setStatus(PortalRestStatusEnum.OK); expectedData.setMessage("success"); @@ -335,6 +374,20 @@ public class DashboardControllerTest { assertEquals(expectedData,actualResponse); } + + @Test + public void deleteWidgetDataXSSTest() { + + CommonWidget commonWidget = mockCommonWidget(); + commonWidget.setCategory("
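Review bot: `saveWidgetDataXSSTest` stubs `adminRolesService.isSuperAdmin(...)` to true and then asserts only on the returned `PortalRestResponse`; it never verifies that the rejected widget was kept away from the persistence collaborator, so the test would still pass if validation only changed the message while the save went through. Add a `Mockito.verify(<persistence mock>, Mockito.never())` on whichever mocked service `saveWidgetData` persists through (that collaborator is not visible in this hunk), and apply the same to `saveWidgetDataBulkXSSTest` and `deleteWidgetDataXSSTest`. The category literal split across `setCategory("` / `X");` seems to have lost its markup in this rendering, so the exact input under test cannot be confirmed here.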
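Review bot: `saveWidgetDataTitleTest`, `saveWidgetDataErrorTest` (hunk at -280) and `deleteWidgetDataTest` (hunk at -323) each now call `commonWidget.setEventDate(...)` with a different arbitrary date, duplicating fixture setup that belongs in the shared `mockCommonWidget()` helper, much as the hunk at -129 apparently does for the bulk fixture with `commonWidget.setEventDate("2017-03-24");`. Setting a valid date once in `mockCommonWidget()` (its body is not visible here) and dropping the three per-test lines keeps each test focused on the category or title condition it actually asserts. A comment on the helper, `// event date must be a valid date or the controller's validator rejects the widget`, would record why the value is needed.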