authorvasraz <vasyl.razinkov@est.tech>2021-10-21 17:32:16 +0100
committerMichael Morris <michael.morris@est.tech>2021-11-15 11:50:33 +0000
commitb08ac296b31f001c946b1371f213ac302ff9c12e (patch)
tree3be6bcc7c025a82ec15fc35061f5f0e7dc024aeb /catalog-be/src
parent7353fb39790b51c593cb0f72c6ab46d906758244 (diff)
Fix critical cross site scripting
Change-Id: I66a220f71a2e950055107a725191b46bcbe8c6a6 Signed-off-by: Vasyl Razinkov <vasyl.razinkov@est.tech> Issue-ID: SDC-3607 Issue-ID: SDC-3755
Diffstat (limited to 'catalog-be/src')
-rw-r--r--catalog-be/src/main/java/org/openecomp/sdc/be/user/UserBusinessLogic.java15
-rwxr-xr-xcatalog-be/src/main/resources/scripts/sdcBePy/users/data/users.json7
2 files changed, 15 insertions, 7 deletions
diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/user/UserBusinessLogic.java b/catalog-be/src/main/java/org/openecomp/sdc/be/user/UserBusinessLogic.java
index f90440011d..62232beaf5 100644
--- a/catalog-be/src/main/java/org/openecomp/sdc/be/user/UserBusinessLogic.java
+++ b/catalog-be/src/main/java/org/openecomp/sdc/be/user/UserBusinessLogic.java
@@ -33,6 +33,7 @@ import java.util.stream.Collectors;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.tinkerpop.gremlin.structure.Edge;
+import org.onap.portalsdk.core.onboarding.util.CipherUtil;
import org.openecomp.sdc.be.components.impl.exceptions.ByActionStatusComponentException;
import org.openecomp.sdc.be.dao.api.ActionStatus;
import org.openecomp.sdc.be.dao.utils.UserStatusEnum;
@@ -68,6 +69,7 @@ public class UserBusinessLogic {
}
public User getUser(String userId, boolean inTransaction) {
+ userId = decryptUserId(userId);
Either<User, ActionStatus> result = userAdminOperation.getUserData(userId, inTransaction);
if (result.isRight()) {
handleUserAccessAuditing(userId, result.right().value());
@@ -81,7 +83,19 @@ public class UserBusinessLogic {
return user;
}
+ private String decryptUserId(final String userId) {
+ if (StringUtils.isNotEmpty(userId)) {
+ try {
+ return CipherUtil.decryptPKC(userId);
+ } catch (final Exception e) {
+ return userId;
+ }
+ }
+ return userId;
+ }
+
public User getUser(String userId) {
+ userId = decryptUserId(userId);
UserContext userContext = ThreadLocalsHolder.getUserContext();
if (Objects.isNull(userContext) || Objects.isNull(userContext.getUserId())) {
log.info("USER_NOT_FOUND, user=" + userId);
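Review bot: The `catch (final Exception e)` block in the new decryptUserId swallows every decryption failure and silently returns the raw input, so a missing or wrong cipher key, a tampered ciphertext and a plain-text id are all indistinguishable, nothing is logged, and the unverified string then flows on into the lookup, handleUserAccessAuditing and the USER_NOT_FOUND log line below. If accepting plain-text ids is intentional for backward compatibility, say so in a comment on the method and at least record the fallback, e.g. `} catch (final Exception e) { log.debug("userId is not a valid encrypted value, using it as given", e); return userId; }`; if it is not intentional, the method should fail instead (a ByActionStatusComponentException with a suitable ActionStatus, both already imported in this file) rather than proceed with an unverified id. Catching `Exception` also hides programming errors raised inside CipherUtil; narrowing to the checked exception that decryptPKC declares (presumably CipherUtil's own exception type — confirm against the portal SDK version in use) keeps those visible. A short Javadoc stating that the argument may be either a PKC-encrypted or a plain user id, and which one callers are expected to send, would make the contract explicit. getUser(String) continues past the end of this hunk, so the remaining uses of the reassigned userId are not visible here.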
@@ -106,6 +120,7 @@ public class UserBusinessLogic {
}
public boolean hasActiveUser(String userId) {
+ userId = decryptUserId(userId);
UserContext userContext = ThreadLocalsHolder.getUserContext();
if (Objects.isNull(userContext) || Objects.isNull(userContext.getUserId())) {
handleUserAccessAuditing(userId, ActionStatus.USER_NOT_FOUND);
diff --git a/catalog-be/src/main/resources/scripts/sdcBePy/users/data/users.json b/catalog-be/src/main/resources/scripts/sdcBePy/users/data/users.json
index 9ce2be4dd3..ed3adafe66 100755
--- a/catalog-be/src/main/resources/scripts/sdcBePy/users/data/users.json
+++ b/catalog-be/src/main/resources/scripts/sdcBePy/users/data/users.json
@@ -7,13 +7,6 @@
"email": "demo@openecomp.org"
},
{
- "userId": "op0001",
- "firstName": "Oper",
- "lastName": "P",
- "role": "OPS",
- "email": "op0001@openecomp.org"
- },
- {
"userId": "gv0001",
"firstName": "Giuseppe",
"lastName": "Verdi",