From 5aab72338c356e035862b914be4ca294c9d17fc8 Mon Sep 17 00:00:00 2001
From: Dominik Mizyn
Date: Thu, 6 Jun 2019 10:52:16 +0200
Subject: XSS Vulnerability fix in AppsController

Custom XSS filter used to fix thisa issue.
DataValidator upgrade to single instance of ValidatorFactory;

Issue-ID: OJSI-15
Signed-off-by: Dominik Mizyn
Change-Id: I7222cfb84e1e5bb240619aac9c7bca85d215229a
---
 .../portal/controller/AppsOSController.java | 28 +++++++++-------------
 .../portal/controller/AppsOSControllerTest.java | 5 +---
 2 files changed, 12 insertions(+), 21 deletions(-)
(limited to 'ecomp-portal-BE-os')

diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java
index 915c5e08..e109ef5d 100644
--- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java
+++ b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java
@@ -47,8 +47,8 @@ import javax.validation.ConstraintViolation;
 import javax.validation.Validation;
 import javax.validation.Validator;
 import javax.validation.ValidatorFactory;
+import lombok.NoArgsConstructor;
 import org.json.JSONObject;
-import org.onap.portalapp.portal.controller.AppsController;
 import org.onap.portalapp.portal.domain.EPUser;
 import org.onap.portalapp.portal.ecomp.model.PortalRestResponse;
 import org.onap.portalapp.portal.ecomp.model.PortalRestStatusEnum;
@@ -61,6 +61,7 @@ import org.onap.portalapp.util.EPUserUtils;
 import org.onap.portalapp.validation.SecureString;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.EnableAspectJAutoProxy;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -69,27 +70,20 @@ import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RestController; @RestController -@org.springframework.context.annotation.Configuration +@Configuration @EnableAspectJAutoProxy @EPAuditLog +@NoArgsConstructor public class AppsOSController extends AppsController { private static final ValidatorFactory validatorFactory = Validation.buildDefaultValidatorFactory(); - static final String FAILURE = "failure"; - EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppsOSController.class); + private static final String FAILURE = "failure"; + private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppsOSController.class); - @Autowired - AdminRolesService adminRolesService; - @Autowired - EPAppService appService; - @Autowired - PersUserAppService persUserAppService; @Autowired UserService userService; - - - /** + /** * Create new application's contact us details. * * @param contactUs @@ -102,9 +96,9 @@ public class AppsOSController extends AppsController { return new PortalRestResponse(PortalRestStatusEnum.ERROR, FAILURE, "New User cannot be null or empty"); - if (!(adminRolesService.isSuperAdmin(user) || adminRolesService.isAccountAdmin(user))){ + if (!(super.getAdminRolesService().isSuperAdmin(user) || super.getAdminRolesService().isAccountAdmin(user))){ if(!user.getLoginId().equalsIgnoreCase(newUser.getLoginId())) - return new PortalRestResponse(PortalRestStatusEnum.ERROR, FAILURE, + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE, "UnAuthorized"); } 
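Review bot: `@NoArgsConstructor` on `AppsOSController` generates a constructor the compiler already supplies, since the class declares no constructor of its own in the visible lines, so it adds a Lombok compile-time dependency (the new `import lombok.NoArgsConstructor;` in the first hunk) for no behavioural gain; if it was added only so the test's `@InjectMocks` field can be left uninitialised, Mockito presumably instantiates the class through the default constructor just as well without it. The three removed `@Autowired` fields are replaced by `super.getAdminRolesService()` in the next hunk, but `appService` and `persUserAppService` get no replacement there, so any remaining use of them further down the class (the class body runs past the hunk) would need the matching superclass accessor. Making `logger` `private static final` is the right shape for a Spring singleton. I would drop the annotation and its import, or add a one-line comment above it stating why the generated constructor is needed.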
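Review bot: The authorization decision at `if (!(super.getAdminRolesService().isSuperAdmin(user) || super.getAdminRolesService().isAccountAdmin(user))){` evaluates the accessor twice and is followed by an unbraced nested `if`/`return`, which makes the only access-control check in this method hard to read; the `super.` qualifier is also unnecessary for an inherited accessor. I would hoist it: `AdminRolesService roles = getAdminRolesService();` then `boolean isAdmin = roles.isSuperAdmin(user) || roles.isAccountAdmin(user);` and brace the inner `if` so the "non-admins may only act on their own loginId" rule stands out. The enclosing method's signature is outside the hunk, so the method's return type cannot be confirmed from here.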
@@ -113,9 +107,9 @@ public class AppsOSController extends AppsController { try { saveNewUser = userService.saveNewUser(newUser,checkDuplicate); } catch (Exception e) { - return new PortalRestResponse(PortalRestStatusEnum.ERROR, saveNewUser, e.getMessage()); + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, saveNewUser, e.getMessage()); } - return new PortalRestResponse(PortalRestStatusEnum.OK, saveNewUser, ""); + return new PortalRestResponse<>(PortalRestStatusEnum.OK, saveNewUser, ""); } @RequestMapping(value = { "/portalApi/currentUserProfile/{loginId}" }, method = RequestMethod.GET, produces = "application/json") diff --git a/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java b/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java index 15fe1dd9..1083aed2 100644 --- a/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java +++ b/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java @@ -41,10 +41,8 @@ import static org.junit.Assert.assertEquals; import java.util.ArrayList; import java.util.List; - import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; - import org.junit.Before; import org.junit.Ignore; import org.junit.Test; @@ -52,7 +50,6 @@ import org.mockito.InjectMocks; import org.mockito.Mock; import org.mockito.Mockito; import org.mockito.MockitoAnnotations; -import org.onap.portalapp.portal.controller.AppsOSController; import org.onap.portalapp.portal.domain.EPUser; import org.onap.portalapp.portal.ecomp.model.PortalRestResponse; import org.onap.portalapp.portal.ecomp.model.PortalRestStatusEnum; @@ -87,7 +84,7 @@ public class AppsOSControllerTest { } @InjectMocks - AppsOSController appsOSController = new AppsOSController(); + AppsOSController appsOSController; MockitoTestSuite mockitoTestSuite = new MockitoTestSuite(); -- cgit 1.2.3-korg
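Review bot: `return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, saveNewUser, e.getMessage());` in the `catch (Exception e)` branch still hands the raw exception message from `userService.saveNewUser` to the REST client and never logs it, so persistence or validation internals can reach the caller while the stack trace is lost server-side; the commit only adds the diamond here. Since `logger` is now a static field of the class, I would log the failure and return a fixed message: `logger.error(EELFLoggerDelegate.errorLogger, "saveNewUser failed", e);` followed by `return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, saveNewUser, "Failed to save new user");`. Catching `Exception` broadly is pre-existing, so narrowing it is a separate change. The enclosing method's signature is outside the hunk, so what `saveNewUser` holds cannot be confirmed from here.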