From 3b4d9e772bc96effe948abf4f8e34737a1030148 Mon Sep 17 00:00:00 2001
From: Dominik Mizyn
Date: Wed, 5 Jun 2019 16:24:35 +0200
Subject: XSS Vulnerability fix in DashboardSearchResultController

Custom Validator is used to secure this endpoints.

Issue-ID: OJSI-15
Change-Id: Idf523a53bc5fe9e1df8110526d56336953759c86
Signed-off-by: Dominik Mizyn
---
 .../DashboardSearchResultControllerTest.java | 104 +++++++++++++++++++++
 1 file changed, 104 insertions(+)

(limited to 'ecomp-portal-BE-os/src/test/java/org')

diff --git a/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/DashboardSearchResultControllerTest.java b/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/DashboardSearchResultControllerTest.java
index 9edf99e7..ff588daa 100644
--- a/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/DashboardSearchResultControllerTest.java
+++ b/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/DashboardSearchResultControllerTest.java
@@ -98,6 +98,18 @@ public class DashboardSearchResultControllerTest {
         assertEquals(ecpectedPortalRestResponse.getStatus(), actualPortalRestResponse.getStatus());
     }
 
+    @Test
+    public void getWidgetDataXSSTest() {
+        String resourceType = "\"\"";
+        PortalRestResponse expectedPortalRestResponse = new PortalRestResponse<>();
+        expectedPortalRestResponse.setMessage("Provided data is invalid");
+        expectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
+        Mockito.when(searchService.getWidgetData(resourceType)).thenReturn(null);
+        PortalRestResponse acutualPoratlRestResponse = dashboardSearchResultController
+                .getWidgetData(mockedRequest, resourceType);
+        assertEquals(acutualPoratlRestResponse, expectedPortalRestResponse);
+    }
+
     @Test
     public void saveWidgetDataBulkIfCatrgoryNullTest() {
         PortalRestResponse ecpectedPortalRestResponse = new PortalRestResponse();
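Review bot: getWidgetDataXSSTest stubs `searchService.getWidgetData(resourceType)` but never verifies that the rejected value stops at the validator, so the test would also pass if the controller forwarded the unvalidated string to the service and merely mapped the null return to an error response. Adding `Mockito.verify(searchService, Mockito.never()).getWidgetData(resourceType);` after the assertion pins the property the commit message claims; saveWidgetDataBulkXSSTest, saveWidgetDataXSSTest and deleteWidgetDataXSSTest in the second hunk have the same gap with their respective service methods. The assertion also reverses JUnit's expected/actual order (`assertEquals(expectedPortalRestResponse, acutualPoratlRestResponse)`), which makes a failure message read backwards, and the local `acutualPoratlRestResponse` is misspelt. Whether `assertEquals` on two PortalRestResponse objects compares the message and status fields depends on an equals override that is not visible in this hunk.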
@@ -151,6 +163,82 @@ public class DashboardSearchResultControllerTest {
         assertEquals(ecpectedPortalRestResponse, actualPortalRestResponse);
     }
 
+    @Test
+    public void saveWidgetDataBulkXSSTest() {
+        PortalRestResponse ecpectedPortalRestResponse = new PortalRestResponse<>();
+        ecpectedPortalRestResponse.setMessage("ERROR");
+        ecpectedPortalRestResponse.setResponse("Category is not valid");
+        ecpectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
+
+        CommonWidgetMeta commonWidgetMeta = new CommonWidgetMeta();
+        commonWidgetMeta.setCategory("test");
+
+        List commonWidgetList = new ArrayList<>();
+        CommonWidget commonWidget = new CommonWidget();
+        commonWidget.setId((long) 1);
+        commonWidget.setCategory("test");
+        commonWidget.setHref("\"\"");
+        commonWidget.setTitle("test_title");
+        commonWidget.setContent("test_content");
+        commonWidget.setEventDate(null);
+        commonWidget.setSortOrder(1);
+
+        commonWidgetList.add(commonWidget);
+
+        commonWidgetMeta.setItems(commonWidgetList);
+
+        Mockito.when(searchService.saveWidgetDataBulk(commonWidgetMeta)).thenReturn(null);
+
+        PortalRestResponse actualPortalRestResponse = dashboardSearchResultController
+                .saveWidgetDataBulk(commonWidgetMeta);
+        assertEquals(ecpectedPortalRestResponse, actualPortalRestResponse);
+    }
+
+    @Test
+    public void saveWidgetDataXSSTest() {
+        PortalRestResponse expectedPortalRestResponse = new PortalRestResponse<>();
+        expectedPortalRestResponse.setMessage("ERROR");
+        expectedPortalRestResponse.setResponse("Category is not valid");
+        expectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
+        CommonWidget commonWidget = new CommonWidget();
+        commonWidget.setId((long) 1);
+        commonWidget.setCategory("test");
+        commonWidget.setHref("\"\"");
+        commonWidget.setTitle("test_title");
+        commonWidget.setContent("test_content");
+        commonWidget.setEventDate(null);
+        commonWidget.setSortOrder(1);
+
+        Mockito.when(searchService.saveWidgetData(commonWidget)).thenReturn(null);
+
+        PortalRestResponse actualPortalRestResponse = dashboardSearchResultController
+                .saveWidgetData(commonWidget);
+        assertEquals(expectedPortalRestResponse, actualPortalRestResponse);
+
+    }
+
+    @Test
+    public void deleteWidgetDataXSSTest() {
+        PortalRestResponse expectedPortalRestResponse = new PortalRestResponse<>();
+        expectedPortalRestResponse.setMessage("ERROR");
+        expectedPortalRestResponse.setResponse("Data is not valid");
+        expectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
+        CommonWidget commonWidget = new CommonWidget();
+        commonWidget.setId((long) 1);
+        commonWidget.setCategory("test");
+        commonWidget.setHref("test_href");
+        commonWidget.setTitle("\"\"");
+        commonWidget.setContent("test_content");
+        commonWidget.setEventDate(null);
+        commonWidget.setSortOrder(1);
+        Mockito.when(searchService.deleteWidgetData(commonWidget)).thenReturn(null);
+
+        PortalRestResponse actualPortalRestResponse = dashboardSearchResultController
+                .deleteWidgetData(commonWidget);
+
+        assertEquals(expectedPortalRestResponse, actualPortalRestResponse);
+    }
+
     @Test
     public void saveWidgetDataIfCatagoryNullTest() {
         PortalRestResponse ecpectedPortalRestResponse = new PortalRestResponse();
@@ -339,6 +427,22 @@ public class DashboardSearchResultControllerTest {
 
     }
 
+    @Test
+    public void searchPortalXSS() {
+        EPUser user = mockUser.mockEPUser();
+        Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+        String searchString = " ";
+
+        PortalRestResponse>> expectedResult = new PortalRestResponse>>();
+        expectedResult.setMessage("searchPortal: User object is invalid");
+        expectedResult.setStatus(PortalRestStatusEnum.ERROR);
+
+        PortalRestResponse>> actualResult = dashboardSearchResultController
+                .searchPortal(mockedRequest, searchString);
+        assertEquals(actualResult, expectedResult);
+
+    }
+
     @Test
     public void searchPortalIfSearchExcptionTest() {
         EPUser user = mockUser.mockEPUser();
-- cgit 1.2.3-korg
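Review bot: In saveWidgetDataBulkXSSTest and saveWidgetDataXSSTest the malformed value is put in `href` (`commonWidget.setHref("\"\"")`) while the expected response is `Category is not valid`, so the expectation either documents a misleading message coming from the controller or passes for a reason other than the one the test name states; a comment such as `// validator rejections on any field surface as a category error in this controller` above the expectation, or an expected message naming the field actually rejected, would make the intent checkable. deleteWidgetDataXSSTest has the same shape with `title` and `Data is not valid`. None of the three fixtures says what the custom validator is expected to reject, so a reader cannot tell whether the two-quote string marks the boundary of the rule or is an arbitrary sample; one sentence per fixture stating the rule being exercised would help. The three tests also duplicate a near-identical CommonWidget setup that a private `newValidWidget()` helper would remove.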
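Review bot: searchPortalXSS supplies a valid mocked user and a blank `searchString` (`" "`), yet expects the message `searchPortal: User object is invalid`, so either the controller reports a rejected search string under a user-related message or the test exercises a different failure path than its name states; a comment explaining which, or an expected message that refers to the search string, would let a reader judge it. Because the search service mock is neither stubbed nor verified in this test, a controller that forwarded the blank string would still receive null from the mock, and whether that yields the same ERROR response cannot be seen from this hunk; `Mockito.verifyNoMoreInteractions(searchService);` after the assertion would distinguish the two. `assertEquals(actualResult, expectedResult)` reverses JUnit's expected/actual order. The enclosing class continues outside the hunk.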