author | aribeiro <anderson.ribeiro@est.tech> | 2021-02-15 17:24:11 +0000 |
---|---|---|
committer | Christophe Closset <christophe.closset@intl.att.com> | 2021-03-16 13:27:37 +0000 |
commit | 7010ea90e14305837a30764db8a5e4bc1338e378 (patch) | |
tree | 31a674fad95261e123e1cd2348f24c11f51373c4 /openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/main/java/org | |
parent | 77680c6f9d99adcf5c6a97380043f1d86b0d46fa (diff) |
Fix Security Vulnerabilities
Issue-ID: SDC-3500
Signed-off-by: aribeiro <anderson.ribeiro@est.tech>
Change-Id: I3fa2ed2bc3a170d8256fbc91c98bbfbaf5c0a403
Diffstat (limited to 'openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/main/java/org')
1 files changed, 7 insertions, 3 deletions
diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/OrchestrationTemplateCandidateImpl.java b/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/OrchestrationTemplateCandidateImpl.java
index 073400fd68..b393153ece 100644
--- a/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/OrchestrationTemplateCandidateImpl.java
+++ b/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/OrchestrationTemplateCandidateImpl.java
@@ -1,6 +1,7 @@
 /*
  * Copyright © 2016-2018 European Support Limited
  * Copyright © 2021 Nokia
+ * Copyright © 2021 Nordix Foundation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -32,6 +33,7 @@ import java.util.Optional;
 import javax.activation.DataHandler;
 import javax.inject.Named;
 import javax.ws.rs.core.Response;
+import javax.ws.rs.core.Response.Status;
 import org.apache.commons.lang3.tuple.Pair;
 import org.apache.cxf.jaxrs.ext.multipart.Attachment;
 import org.openecomp.sdc.activitylog.ActivityLogManager;
@@ -39,6 +41,7 @@ import org.openecomp.sdc.activitylog.ActivityLogManagerFactory;
 import org.openecomp.sdc.activitylog.dao.type.ActivityLogEntity;
 import org.openecomp.sdc.activitylog.dao.type.ActivityType;
 import org.openecomp.sdc.common.errors.Messages;
+import org.openecomp.sdc.common.util.ValidationUtils;
 import org.openecomp.sdc.common.utils.SdcCommon;
 import org.openecomp.sdc.datatypes.error.ErrorLevel;
 import org.openecomp.sdc.datatypes.error.ErrorMessage;
@@ -100,13 +103,13 @@ public class OrchestrationTemplateCandidateImpl implements OrchestrationTemplate
                            final Attachment fileToUpload, final String user) {
         final byte[] fileToUploadBytes = fileToUpload.getObject(byte[].class);
         final DataHandler dataHandler = fileToUpload.getDataHandler();
-        final String filename = dataHandler.getName();
+        final String filename = ValidationUtils.sanitizeInputString(dataHandler.getName());
         final OnboardingPackageProcessor onboardingPackageProcessor = new OnboardingPackageProcessor(filename, fileToUploadBytes);
         if (onboardingPackageProcessor.hasErrors()) {
             final UploadFileResponseDto uploadFileResponseDto = buildUploadResponseWithError(onboardingPackageProcessor.getErrorMessages().toArray(new ErrorMessage[0]));
-            return Response.ok(uploadFileResponseDto).build();
+            return Response.status(Status.NOT_ACCEPTABLE).entity(uploadFileResponseDto).build();
         }
         final OnboardPackageInfo onboardPackageInfo = onboardingPackageProcessor.getOnboardPackageInfo().orElse(null);
@@ -117,7 +120,8 @@ public class OrchestrationTemplateCandidateImpl implements OrchestrationTemplate
             return Response.ok(uploadFileResponseDto).build();
         }
-        final VspDetails vspDetails = new VspDetails(vspId, new Version(versionId));
+        final VspDetails vspDetails = new VspDetails(ValidationUtils.sanitizeInputString(vspId),
+            new Version(ValidationUtils.sanitizeInputString(versionId)));
         return processOnboardPackage(onboardPackageInfo, vspDetails);
     } |
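Review bot: The second error branch of this method still answers HTTP 200: the `return Response.ok(uploadFileResponseDto).build();` that opens the @@ -117 hunk (the `onboardPackageInfo == null` case) was not switched together with the `hasErrors()` branch, so a package that fails processing is reported as success at the transport level while a package with validation errors is now rejected; for consistency change it to `return Response.status(Status.NOT_ACCEPTABLE).entity(uploadFileResponseDto).build();`. While doing so, consider whether 406 is the right code for either branch — it is defined for Accept-header negotiation failures, and 400 or 422 describes a rejected upload more accurately for API clients. Passing `vspId` and `versionId` through `sanitizeInputString` before building `VspDetails` silently transforms identifiers rather than rejecting malformed ones; its implementation is not visible here, but if it ever alters a value the upload would be attached to a different VSP or version than the caller named, so validating both IDs against their expected format and returning an error is the safer shape. The filename sanitization presumably targets markup reflected in error messages; whether it also neutralizes path separators is not visible in this hunk and should be confirmed if `OnboardingPackageProcessor` uses the name in a file path. The `upload` method's signature begins before the first hunk.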