From 29ff0e2cd2a78f7149422c40b1cff6dd4d1f23e3 Mon Sep 17 00:00:00 2001
From: Dominik Mizyn
Date: Thu, 6 Jun 2019 11:18:50 +0200
Subject: XSS Vulnerability fix in AppContactUsController Custom data validator used to fix this issue.
Issue-ID: OJSI-15
Signed-off-by: Dominik Mizyn
Change-Id: Ie8df4df552cfe53e3839c7021284f0226ea56a39
---
 .../controller/AppContactUsControllerTest.java | 34 +++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)
(limited to 'ecomp-portal-BE-common/src/test')
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppContactUsControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppContactUsControllerTest.java
index b08a8769..f2b2d3da 100644
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppContactUsControllerTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppContactUsControllerTest.java
@@ -78,7 +78,7 @@ public class AppContactUsControllerTest extends MockitoTestSuite{
 AppContactUsService contactUsService = new AppContactUsServiceImpl();
 @InjectMocks
- AppContactUsController appContactUsController = new AppContactUsController();
+ AppContactUsController appContactUsController;
 @Before
 public void setup() {
@@ -232,6 +232,25 @@ public class AppContactUsControllerTest extends MockitoTestSuite{
 assertEquals(actualSaveAppContactUS.getMessage(), "SUCCESS");
 }
+ @Test
+ public void saveXSSTest() throws Exception {
+ PortalRestResponse actualSaveAppContactUS = null;
+
+ AppContactUsItem contactUs = new AppContactUsItem();
+ contactUs.setAppId((long) 1);
+ contactUs.setAppName("");
+ contactUs.setDescription("Test");
+ contactUs.setContactName("Test");
+ contactUs.setContactEmail("person@onap.org");
+ contactUs.setUrl("Test_URL");
+ contactUs.setActiveYN("Y");
+
+ Mockito.when(contactUsService.saveAppContactUs(contactUs)).thenReturn("FAILURE");
+ actualSaveAppContactUS = appContactUsController.save(contactUs);
+ assertEquals("AppName is not valid.", actualSaveAppContactUS.getResponse());
+ assertEquals("failure", actualSaveAppContactUS.getMessage());
+ }
+
 @Test
 public void saveExceptionTest() throws Exception {
 PortalRestResponse actualSaveAppContactUS = null;
@@ -269,6 +288,19 @@ public class AppContactUsControllerTest extends MockitoTestSuite{
 assertEquals(actualSaveAppContactUS.getMessage(), "SUCCESS");
 }
+ @Test
+ public void saveAllXSSTest() throws Exception {
+
+ List contactUs = mockResponse();
+ AppContactUsItem appContactUsItem = new AppContactUsItem();
+ appContactUsItem.setActiveYN("");
+ contactUs.add(appContactUsItem);
+ PortalRestResponse actualSaveAppContactUS = null;
+ Mockito.when(contactUsService.saveAppContactUs(contactUs)).thenReturn("failure");
+ actualSaveAppContactUS = appContactUsController.save(contactUs);
+ assertEquals("failure", actualSaveAppContactUS.getMessage());
+ }
+
 @Test
 public void saveAllExceptionTest() throws Exception {
-- cgit 1.2.3-korg
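Review bot: As this page shows it, `saveXSSTest` calls `contactUs.setAppName("")`, so the test named for XSS only demonstrates that an empty app name is rejected. The original literal may have held markup that was lost when the page was rendered; if it did not, the value should be a string containing markup so the validator's markup rule is what gets exercised. The stub `Mockito.when(contactUsService.saveAppContactUs(contactUs)).thenReturn("FAILURE")` is never needed when validation works, and it hides whether the service was reached. Adding `Mockito.verify(contactUsService, Mockito.never()).saveAppContactUs(contactUs);` after the assertions would pin that a rejected item stops at the controller. The same stubbing pattern is used in `saveAllXSSTest` in the next hunk.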
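Review bot: `saveAllXSSTest` asserts only that `getMessage()` is "failure", while the service mock is also stubbed to return "failure". Depending on how the controller maps the service result, which is not visible in this hunk, the test may pass even if the validator accepts the list. The extra item also sets only `setActiveYN("")` and leaves every other field unset, so a rejection could come from missing fields rather than from the input rule the commit is about. Populating the item fully apart from the one invalid field, and asserting `getResponse()` as `saveXSSTest` does, would tie the failure to validation. A `Mockito.verify(contactUsService, Mockito.never()).saveAppContactUs(contactUs);` would confirm the list never reaches the service.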