diff options
author | vasraz <vasyl.razinkov@est.tech> | 2021-10-21 17:32:16 +0100 |
---|---|---|
committer | Michael Morris <michael.morris@est.tech> | 2021-11-15 11:50:33 +0000 |
commit | b08ac296b31f001c946b1371f213ac302ff9c12e (patch) | |
tree | 3be6bcc7c025a82ec15fc35061f5f0e7dc024aeb /catalog-be/src/main/java/org | |
parent | 7353fb39790b51c593cb0f72c6ab46d906758244 (diff) |
Fix critical cross site scripting
Change-Id: I66a220f71a2e950055107a725191b46bcbe8c6a6
Signed-off-by: Vasyl Razinkov <vasyl.razinkov@est.tech>
Issue-ID: SDC-3607
Issue-ID: SDC-3755
Diffstat (limited to 'catalog-be/src/main/java/org')
-rw-r--r-- | catalog-be/src/main/java/org/openecomp/sdc/be/user/UserBusinessLogic.java | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/user/UserBusinessLogic.java b/catalog-be/src/main/java/org/openecomp/sdc/be/user/UserBusinessLogic.java index f90440011d..62232beaf5 100644 --- a/catalog-be/src/main/java/org/openecomp/sdc/be/user/UserBusinessLogic.java +++ b/catalog-be/src/main/java/org/openecomp/sdc/be/user/UserBusinessLogic.java @@ -33,6 +33,7 @@ import java.util.stream.Collectors; import org.apache.commons.collections.CollectionUtils; import org.apache.commons.lang3.StringUtils; import org.apache.tinkerpop.gremlin.structure.Edge; +import org.onap.portalsdk.core.onboarding.util.CipherUtil; import org.openecomp.sdc.be.components.impl.exceptions.ByActionStatusComponentException; import org.openecomp.sdc.be.dao.api.ActionStatus; import org.openecomp.sdc.be.dao.utils.UserStatusEnum; @@ -68,6 +69,7 @@ public class UserBusinessLogic { } public User getUser(String userId, boolean inTransaction) { + userId = decryptUserId(userId); Either<User, ActionStatus> result = userAdminOperation.getUserData(userId, inTransaction); if (result.isRight()) { handleUserAccessAuditing(userId, result.right().value()); @@ -81,7 +83,19 @@ public class UserBusinessLogic { return user; } + private String decryptUserId(final String userId) { + if (StringUtils.isNotEmpty(userId)) { + try { + return CipherUtil.decryptPKC(userId); + } catch (final Exception e) { + return userId; + } + } + return userId; + } + public User getUser(String userId) { + userId = decryptUserId(userId); UserContext userContext = ThreadLocalsHolder.getUserContext(); if (Objects.isNull(userContext) || Objects.isNull(userContext.getUserId())) { log.info("USER_NOT_FOUND, user=" + userId); @@ -106,6 +120,7 @@ public class UserBusinessLogic { } public boolean hasActiveUser(String userId) { + userId = decryptUserId(userId); UserContext userContext = ThreadLocalsHolder.getUserContext(); if (Objects.isNull(userContext) || Objects.isNull(userContext.getUserId())) { handleUserAccessAuditing(userId, ActionStatus.USER_NOT_FOUND); |