From ddb9d5a7637b382be9ac7a96ad023a983c41c342 Mon Sep 17 00:00:00 2001 From: vasraz Date: Fri, 14 Oct 2022 13:35:39 +0100 Subject: Fix security risk 'Improper Input Validation' Signed-off-by: Vasyl Razinkov Change-Id: I6a52148aec3b567db43ec57109214e52d106f73c Issue-ID: SDC-4189 --- catalog-be/src/main/resources/config/configuration.yaml | 3 +++ catalog-be/src/main/resources/config/error-configuration.yaml | 9 ++++++++- 2 files changed, 11 insertions(+), 1 deletion(-) (limited to 'catalog-be/src/main/resources') diff --git a/catalog-be/src/main/resources/config/configuration.yaml b/catalog-be/src/main/resources/config/configuration.yaml index c34d6742a1..820034eca2 100644 --- a/catalog-be/src/main/resources/config/configuration.yaml +++ b/catalog-be/src/main/resources/config/configuration.yaml @@ -930,3 +930,6 @@ directives: #Space separated list of permitted ancestors permittedAncestors: "" + +# Comma separated list of excluded URLs by the DataValidatorFilter +dataValidatorFilterExcludedUrls: "/healthCheck,/followed,/authorize" diff --git a/catalog-be/src/main/resources/config/error-configuration.yaml b/catalog-be/src/main/resources/config/error-configuration.yaml index 0081525647..0830dda7b4 100644 --- a/catalog-be/src/main/resources/config/error-configuration.yaml +++ b/catalog-be/src/main/resources/config/error-configuration.yaml @@ -2411,7 +2411,7 @@ errors: # %1 - property name code: 400, message: 'Error: Invalid Content. %1 has invalid format.', - messageId: "SVC4723" + messageId: "SVC4731" } #---------SVC4734------------------------------ # %1 - list of validation errors @@ -2822,6 +2822,13 @@ errors: message: "Capability '%1' not found in '%2' '%3'." messageId: "SVC4186" + #---------SVC4001------------------------------ + NOT_PERMITTED_SPECIAL_CHARS: { + code: 406, + message: 'Error: HTML elements not permitted in field values.', + messageId: "SVC4001" + } + # %1 - The data type Uid DATA_TYPE_NOT_FOUND: code: 404 -- cgit 1.2.3-korg
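Review bot: The comment added above `dataValidatorFilterExcludedUrls` in configuration.yaml does not say how the entries are matched or why `/healthCheck`, `/followed` and `/authorize` skip the filter, although each entry is a route whose request data the DataValidatorFilter no longer checks. The filter code is not part of this diff (it is limited to the resources directory), so it cannot be confirmed here whether an entry is compared as an exact path, a prefix or a substring. If the comparison is looser than an exact or anchored match on the normalized path, routes that merely contain one of these strings would presumably skip validation as well. I would put the contract in the comment, for example `# Comma separated list of request paths skipped by the DataValidatorFilter (<matching rule, confirm against the filter>); keep minimal, listed paths receive no input validation`.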
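Review bot: `code: 406` on the new `NOT_PERMITTED_SPECIAL_CHARS` entry in error-configuration.yaml reports rejected field content as Not Acceptable, a status defined for content negotiation. The invalid-format entry in the previous hunk of this file uses `code: 400` for the same kind of failure, so I would write `code: 400,` here unless 406 is a deliberate client contract. The message has no `%1` placeholder, so a caller cannot tell which field was rejected, and the key speaks of special characters while the text speaks of HTML elements. A line such as `message: 'Error: HTML elements not permitted in field value %1.',` with a `# %1 - field name` comment above the entry would address both, assuming the filter can supply the field name. The entry is also written as a flow mapping with trailing commas, while its neighbours `DATA_TYPE_NOT_FOUND` and the capability error above it are block style.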