author | vasraz <vasyl.razinkov@est.tech> | 2021-10-21 17:32:16 +0100 |
committer | Michael Morris <michael.morris@est.tech> | 2021-11-15 11:50:33 +0000 |
commit | b08ac296b31f001c946b1371f213ac302ff9c12e (patch) | |
tree | 3be6bcc7c025a82ec15fc35061f5f0e7dc024aeb /catalog-fe | |
parent | 7353fb39790b51c593cb0f72c6ab46d906758244 (diff) |
Fix critical cross site scripting
Change-Id: I66a220f71a2e950055107a725191b46bcbe8c6a6
Signed-off-by: Vasyl Razinkov <vasyl.razinkov@est.tech>
Issue-ID: SDC-3607
Issue-ID: SDC-3755
Diffstat (limited to 'catalog-fe')
-rw-r--r-- | catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/PortalServlet.java | 14 | ||||
-rw-r--r-- | catalog-fe/src/test/java/org/openecomp/sdc/fe/servlets/PortalServletTest.java | 16 |
2 files changed, 15 insertions, 15 deletions
diff --git a/catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/PortalServlet.java b/catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/PortalServlet.java
index 6378b996cf..228f65db85 100644
--- a/catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/PortalServlet.java
+++ b/catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/PortalServlet.java
@@ -113,7 +113,7 @@ public class PortalServlet extends HttpServlet {
 * @throws IOException
 */
 private void addRequestHeadersUsingWebseal(final HttpServletRequest request, final HttpServletResponse response)
- throws ServletException, IOException {
+ throws ServletException, IOException, CipherUtilException {
 response.setContentType("text/html");
 // Create new request object to dispatch
 MutableHttpServletRequest mutableRequest = new MutableHttpServletRequest(request);
@@ -170,7 +170,6 @@ public class PortalServlet extends HttpServlet {
 getValueFromCookie(request, Constants.HTTP_CSP_FIRSTNAME);
 getValueFromCookie(request, Constants.HTTP_CSP_LASTNAME);
 //To be fixed
- //addAuthCookie(response, userId, firstNameFromCookie, lastNameFromCookie);
 RequestDispatcher rd = request.getRequestDispatcher("index.html");
 rd.forward(mutableRequest, response);
@@ -180,7 +179,7 @@ public class PortalServlet extends HttpServlet {
 }
 boolean addAuthCookie(HttpServletResponse response, String userId, String firstName, String lastName) throws IOException {
- boolean isBuildCookieCompleted = true;
+ boolean isBuildCookieCompleted = false;
 Cookie authCookie = null;
 Configuration.CookieConfig confCookie = ConfigurationManager.getConfigurationManager().getConfiguration().getAuthCookie();
 //create authentication and send it to encryption
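Review bot: The Javadoc directly above `addRequestHeadersUsingWebseal` still ends with `* @throws IOException` while the signature now also declares `CipherUtilException`; add `* @throws CipherUtilException if a forwarded header value cannot be encrypted` before the closing `*/`. The same gap exists on the `addCookies` Javadoc in the `@@ -243` hunk, which lists only `@param request` and `@param headers`. If the exception is meant to propagate out of the servlet handler rather than be caught in this method, that comment is also the place to say so; the remainder of this method's body lies outside the hunk.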
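Review bot: `//To be fixed` on the context line is left pointing at nothing once the commented-out `addAuthCookie(...)` call beneath it is removed, and the two `getValueFromCookie` calls above it discard their return values, so the block now reads as dead code to the next maintainer. Either drop the comment together with the two calls, or replace it with one that names what is still pending, e.g. `// TODO: auth cookie is not yet issued on this path; see addAuthCookie`. The enclosing method starts before this hunk.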
@@ -188,9 +187,9 @@ public class PortalServlet extends HttpServlet {
 try {
 AuthenticationCookie authenticationCookie = new AuthenticationCookie(userId, firstName, lastName);
 String cookieAsJson = RepresentationUtils.toRepresentation(authenticationCookie);
- encryptedCookie = org.onap.sdc.security.CipherUtil.encryptPKC(cookieAsJson, confCookie.getSecurityKey());
+ encryptedCookie = CipherUtil.encryptPKC(cookieAsJson, confCookie.getSecurityKey());
+ isBuildCookieCompleted = true;
 } catch (Exception e) {
- isBuildCookieCompleted = false;
 log.error(" Cookie Encryption failed ", e);
 }
 authCookie = new Cookie(confCookie.getCookieName(), encryptedCookie);
@@ -243,12 +242,13 @@ public class PortalServlet extends HttpServlet {
 * @param request
 * @param headers
 */
- private void addCookies(final HttpServletResponse response, final HttpServletRequest request, final String[] headers) {
+ private void addCookies(final HttpServletResponse response, final HttpServletRequest request, final String[] headers)
+ throws CipherUtilException {
 for (var i = 0; i < headers.length; i++) {
 final var currHeader = ValidationUtils.sanitizeInputString(headers[i]);
 final var headerValue = ValidationUtils.sanitizeInputString(request.getHeader(currHeader));
 if (headerValue != null) {
- final var cookie = new Cookie(currHeader, headerValue);
+ final var cookie = new Cookie(currHeader, CipherUtil.encryptPKC(headerValue));
 cookie.setSecure(true);
 response.addCookie(cookie);
 }
diff --git a/catalog-fe/src/test/java/org/openecomp/sdc/fe/servlets/PortalServletTest.java b/catalog-fe/src/test/java/org/openecomp/sdc/fe/servlets/PortalServletTest.java
index b31b2f970e..11a4aecede 100644
--- a/catalog-fe/src/test/java/org/openecomp/sdc/fe/servlets/PortalServletTest.java
+++ b/catalog-fe/src/test/java/org/openecomp/sdc/fe/servlets/PortalServletTest.java
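Review bot: When `CipherUtil.encryptPKC` throws, the `catch` only logs and execution falls through to `authCookie = new Cookie(confCookie.getCookieName(), encryptedCookie)` on the last context line, so a cookie object is still built from whatever `encryptedCookie` held before the `try` (its initialiser is outside the hunk); if the code after the hunk adds it to the response without consulting `isBuildCookieCompleted`, the client receives a cookie with an empty or stale value. Consider leaving the method from the catch — `log.error(" Cookie Encryption failed ", e); return false;` — or guarding the `new Cookie(...)` with `if (isBuildCookieCompleted)`. `catch (Exception e)` is also broader than needed now that the call declares `CipherUtilException`; narrowing it would stop programming errors being reported as an encryption failure, though whether `RepresentationUtils.toRepresentation` throws a checked type is not visible here. `addAuthCookie` continues beyond the hunk.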
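Review bot: The cookie built on the added line is marked `Secure` but not `HttpOnly`, even though its value is now ciphertext the browser itself cannot use; unless the front end reads these cookies from script (not visible here), add `cookie.setHttpOnly(true);` next to `cookie.setSecure(true);` so script injected into the page cannot read the ciphertext out of `document.cookie`. A single `encryptPKC` failure now aborts the whole loop and propagates `CipherUtilException` up through `addRequestHeadersUsingWebseal`, so headers listed after the failing one are never set — if partial success is acceptable, catching per iteration with a log line is more forgiving; if not, the propagating behaviour belongs in the Javadoc, which currently documents only `request` and `headers`. This call uses the single-argument overload while `addAuthCookie` passes `confCookie.getSecurityKey()`; presumably the default key is intended, but it is worth confirming both cookies are decryptable by the same consumer. Minor: `for (final String header : headers)` would replace the indexed loop.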
@@ -55,14 +55,14 @@ import org.openecomp.sdc.fe.config.ConfigurationManager;
 class PortalServletTest extends JerseyTest {
- private final static HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
- private final static HttpSession httpSession = Mockito.mock(HttpSession.class);
- private final static ServletContext servletContext = Mockito.mock(ServletContext.class);
- private final static ConfigurationManager configurationManager = Mockito.mock(ConfigurationManager.class);
- private final static Configuration configuration = Mockito.mock(Configuration.class);
- private final static HttpServletResponse response = Mockito.spy(HttpServletResponse.class);
- private final static RequestDispatcher rd = Mockito.spy(RequestDispatcher.class);
- final static Configuration.CookieConfig cookieConfiguration = Mockito.mock(Configuration.CookieConfig.class);
+ private static final HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+ private static final HttpSession httpSession = Mockito.mock(HttpSession.class);
+ private static final ServletContext servletContext = Mockito.mock(ServletContext.class);
+ private static final ConfigurationManager configurationManager = Mockito.mock(ConfigurationManager.class);
+ private static final Configuration configuration = Mockito.mock(Configuration.class);
+ private static final HttpServletResponse response = Mockito.spy(HttpServletResponse.class);
+ private static final RequestDispatcher rd = Mockito.spy(RequestDispatcher.class);
+ private static final Configuration.CookieConfig cookieConfiguration = Mockito.mock(Configuration.CookieConfig.class);
 @SuppressWarnings("serial")
 @BeforeAll
|