Role management; security vulnerabilities.

Extend user/role management interface to allow role deletion. Add filters to defend against common web Javascript attacks. Drop Greensock code with unusable license. Use OParent in EPSDK web application. Issue: US324470, US342324, PORTAL-127 Change-Id: I3a10744fbbbdbda7c88d2b2e542e72e779c9b142 Signed-off-by: Christopher Lott (cl778h) <clott@research.att.com>
author: Christopher Lott (cl778h) <clott@research.att.com> 2017-10-20 08:22:19 -0400
committer: Christopher Lott (cl778h) <clott@research.att.com> 2017-10-20 08:44:33 -0400
commit: e3982f6c2a13c903947a66d89e1af1ccbb161e5f (patch)
tree: 07db289541228dfaef258c267dd33635c33ebb34 /ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/web/RaptorControllerAsync.java
parent: ddd8720d597fc9053a455b10445fb253adbc4bf7 (diff)
1 files changed, 5 insertions, 3 deletions
diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/web/RaptorControllerAsync.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/web/RaptorControllerAsync.java
index 8165801c..8478c73c 100644
--- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/web/RaptorControllerAsync.java
+++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/web/RaptorControllerAsync.java
@@ -105,7 +105,9 @@ import org.onap.portalsdk.analytics.xmlobj.PredefinedValueList;
 import org.onap.portalsdk.core.controller.RestrictedBaseController;
 import org.onap.portalsdk.core.domain.User;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
+import org.onap.portalsdk.core.util.SecurityCodecUtil;
 import org.onap.portalsdk.core.web.support.UserUtils;
+import org.owasp.esapi.ESAPI;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -1415,10 +1417,10 @@ public class RaptorControllerAsync extends RestrictedBaseController {
 					for (int i = 0; i < reqParameters.length; i++) {
 						if (!reqParameters[i].startsWith("ff"))
 							sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase() + "]",
-									request.getParameter(reqParameters[i].toUpperCase()));
+									ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),request.getParameter(reqParameters[i].toUpperCase())));
 						else
-							sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase() + "]",
-									request.getParameter(reqParameters[i]));
+														sql = Utils.replaceInString(sql, "[" + reqParameters[i].toUpperCase() + "]",
+									ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),request.getParameter(reqParameters[i])));
 					}
 				}
 				if (session != null) {
author	Christopher Lott (cl778h) <clott@research.att.com>	2017-10-20 08:22:19 -0400
committer	Christopher Lott (cl778h) <clott@research.att.com>	2017-10-20 08:44:33 -0400
commit	e3982f6c2a13c903947a66d89e1af1ccbb161e5f (patch)
tree	07db289541228dfaef258c267dd33635c33ebb34 /ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/system/fusion/web/RaptorControllerAsync.java
parent	ddd8720d597fc9053a455b10445fb253adbc4bf7 (diff)