From b08ac296b31f001c946b1371f213ac302ff9c12e Mon Sep 17 00:00:00 2001
From: vasraz
Date: Thu, 21 Oct 2021 17:32:16 +0100
Subject: Fix critical cross site scripting

Change-Id: I66a220f71a2e950055107a725191b46bcbe8c6a6
Signed-off-by: Vasyl Razinkov
Issue-ID: SDC-3607
Issue-ID: SDC-3755
---
 .../java/org/openecomp/sdc/be/user/UserBusinessLogic.java | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
(limited to 'catalog-be/src/main/java/org')

diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/user/UserBusinessLogic.java b/catalog-be/src/main/java/org/openecomp/sdc/be/user/UserBusinessLogic.java
index f90440011d..62232beaf5 100644
--- a/catalog-be/src/main/java/org/openecomp/sdc/be/user/UserBusinessLogic.java
+++ b/catalog-be/src/main/java/org/openecomp/sdc/be/user/UserBusinessLogic.java
@@ -33,6 +33,7 @@ import java.util.stream.Collectors;
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.tinkerpop.gremlin.structure.Edge;
+import org.onap.portalsdk.core.onboarding.util.CipherUtil;
 import org.openecomp.sdc.be.components.impl.exceptions.ByActionStatusComponentException;
 import org.openecomp.sdc.be.dao.api.ActionStatus;
 import org.openecomp.sdc.be.dao.utils.UserStatusEnum;
@@ -68,6 +69,7 @@ public class UserBusinessLogic {
 }
 
 public User getUser(String userId, boolean inTransaction) {
+ userId = decryptUserId(userId);
 Either result = userAdminOperation.getUserData(userId, inTransaction);
 if (result.isRight()) {
 handleUserAccessAuditing(userId, result.right().value());
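Review bot: In getUser(String, boolean) the added `userId = decryptUserId(userId);` reassigns the method parameter, so the value handed to getUserData and to handleUserAccessAuditing is no longer what the caller passed and a reader has to notice the overwrite to know which form ends up in the audit record; the same pattern is added to getUser(String) and hasActiveUser(String) in the later hunks. A dedicated local keeps both forms visible, e.g. `final String resolvedUserId = decryptUserId(userId);` used in the two calls below it. Since decryptUserId returns its input unchanged when decryption fails, the audit entry for a request carrying an undecryptable value records the raw submitted string; that seems worth a comment at the call site. The body of getUser continues past the hunk.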
@@ -81,7 +83,19 @@ public class UserBusinessLogic {
 return user;
 }
 
+ private String decryptUserId(final String userId) {
+ if (StringUtils.isNotEmpty(userId)) {
+ try {
+ return CipherUtil.decryptPKC(userId);
+ } catch (final Exception e) {
+ return userId;
+ }
+ }
+ return userId;
+ }
+
 public User getUser(String userId) {
+ userId = decryptUserId(userId);
 UserContext userContext = ThreadLocalsHolder.getUserContext();
 if (Objects.isNull(userContext) || Objects.isNull(userContext.getUserId())) {
 log.info("USER_NOT_FOUND, user=" + userId);
@@ -106,6 +120,7 @@ public class UserBusinessLogic {
 }
 
 public boolean hasActiveUser(String userId) {
+ userId = decryptUserId(userId);
 UserContext userContext = ThreadLocalsHolder.getUserContext();
 if (Objects.isNull(userContext) || Objects.isNull(userContext.getUserId())) {
 handleUserAccessAuditing(userId, ActionStatus.USER_NOT_FOUND);
-- 
cgit 1.2.3-korg
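Review bot: decryptUserId's `catch (final Exception e)` swallows every failure and returns the raw input, so a value that does not decrypt — whether a genuine plaintext id or a malformed or tampered ciphertext — is silently accepted as the user id and the two cases cannot be told apart afterwards. At minimum record the fallback, e.g. `log.debug("userId could not be decrypted, using it as submitted", e);`, and narrow the catch to whatever exception type CipherUtil.decryptPKC declares rather than `Exception`. The decrypted string is still caller-controlled plaintext, and given the commit subject it is worth noting that `log.info("USER_NOT_FOUND, user=" + userId)` in the same hunk concatenates it unvalidated; checking the decrypted value against the expected user-id format before it reaches the lookup, the audit and the log would let this fix stand on its own. A Javadoc line such as `/** Returns the PKC-decrypted form of userId, or userId unchanged when it is empty or cannot be decrypted. */` would also make the fallback contract explicit to callers.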