From 7b634d6019b6fb31a120f7810af095feb7a0317d Mon Sep 17 00:00:00 2001
From: Dominik Mizyn <d.mizyn@samsung.com>
Date: Fri, 31 May 2019 08:55:42 +0200
Subject: XSS Vulnerability fix in AppsOSController

SecureString class used to secure PathVariable.

Issue-ID: OJSI-207
Change-Id: I6275c5db4d8d97dc60ef1676b651e3d8802ad9f7
Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
---
 .../portalapp/portal/controller/AppsOSControllerTest.java     | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'ecomp-portal-BE-os/src/test/java/org')

diff --git a/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java b/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java
index 0596e749..15fe1dd9 100644
--- a/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java
+++ b/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java
@@ -175,6 +175,17 @@ public class AppsOSControllerTest {
 		assertEquals("{\"firstName\":\"test\",\"lastName\":\"test\"}", expectedString);
 	}
 
+	@Test
+	public void getCurrentUserProfileXSSTest() {
+		String loginId = "<iframe/src=\"data:text/html,<svg &#111;&#110;load=alert(1)>\">";
+		EPUser user = mockUser.mockEPUser();
+		List<EPUser> expectedList = new ArrayList<>();
+		expectedList.add(user);
+		Mockito.when(userService.getUserByUserId(loginId)).thenReturn(expectedList);
+		String expectedString = appsOSController.getCurrentUserProfile(mockedRequest, loginId);
+		assertEquals("loginId is not valid", expectedString);
+	}
+
 	@Test
 	public void getCurrentUserProfileExceptionTest() {
 		String loginId = "guestT";
-- 
cgit 1.2.3-korg