From b08ac296b31f001c946b1371f213ac302ff9c12e Mon Sep 17 00:00:00 2001
From: vasraz
Date: Thu, 21 Oct 2021 17:32:16 +0100
Subject: Fix critical cross site scripting

Change-Id: I66a220f71a2e950055107a725191b46bcbe8c6a6
Signed-off-by: Vasyl Razinkov
Issue-ID: SDC-3607
Issue-ID: SDC-3755
---
 .../org/openecomp/sdc/fe/servlets/PortalServlet.java | 14 +++++++-------
 .../org/openecomp/sdc/fe/servlets/PortalServletTest.java | 16 ++++++++--------
 2 files changed, 15 insertions(+), 15 deletions(-)
(limited to 'catalog-fe')

diff --git a/catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/PortalServlet.java b/catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/PortalServlet.java
index 6378b996cf..228f65db85 100644
--- a/catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/PortalServlet.java
+++ b/catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/PortalServlet.java
@@ -113,7 +113,7 @@ public class PortalServlet extends HttpServlet {
      * @throws IOException
      */
     private void addRequestHeadersUsingWebseal(final HttpServletRequest request, final HttpServletResponse response)
-        throws ServletException, IOException {
+        throws ServletException, IOException, CipherUtilException {
         response.setContentType("text/html");
         // Create new request object to dispatch
         MutableHttpServletRequest mutableRequest = new MutableHttpServletRequest(request);
@@ -170,7 +170,6 @@ public class PortalServlet extends HttpServlet {
         getValueFromCookie(request, Constants.HTTP_CSP_FIRSTNAME);
         getValueFromCookie(request, Constants.HTTP_CSP_LASTNAME);
         //To be fixed
-        //addAuthCookie(response, userId, firstNameFromCookie, lastNameFromCookie);
         RequestDispatcher rd = request.getRequestDispatcher("index.html");
         rd.forward(mutableRequest, response);
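Review bot: The Javadoc directly above the changed signature of addRequestHeadersUsingWebseal lists `@throws IOException` but says nothing about the newly declared `CipherUtilException`; add `@throws CipherUtilException if a request header value cannot be encrypted into a cookie`. A servlet's doGet/doPost may only declare ServletException and IOException, so if CipherUtilException is a checked exception the caller of this method (outside the hunk) presumably has to catch it and wrap it, e.g. `throw new ServletException("cookie encryption failed", e)`, rather than let it escape the servlet. The method body continues past the end of this hunk.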
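Review bot: Deleting the commented-out `addAuthCookie(...)` call in the `-170` hunk leaves the `//To be fixed` comment above it referring to nothing, while the two `getValueFromCookie(...)` statements before it still have their return values unassigned. Either drop the comment or make it state what is still outstanding, e.g. `// TODO: first/last name cookies are read here but not yet used to build the auth cookie`.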
@@ -180,7 +179,7 @@ public class PortalServlet extends HttpServlet {
     }
 
     boolean addAuthCookie(HttpServletResponse response, String userId, String firstName, String lastName) throws IOException {
-        boolean isBuildCookieCompleted = true;
+        boolean isBuildCookieCompleted = false;
         Cookie authCookie = null;
         Configuration.CookieConfig confCookie = ConfigurationManager.getConfigurationManager().getConfiguration().getAuthCookie();
         //create authentication and send it to encryption
@@ -188,9 +187,9 @@ public class PortalServlet extends HttpServlet {
         try {
             AuthenticationCookie authenticationCookie = new AuthenticationCookie(userId, firstName, lastName);
             String cookieAsJson = RepresentationUtils.toRepresentation(authenticationCookie);
-            encryptedCookie = org.onap.sdc.security.CipherUtil.encryptPKC(cookieAsJson, confCookie.getSecurityKey());
+            encryptedCookie = CipherUtil.encryptPKC(cookieAsJson, confCookie.getSecurityKey());
+            isBuildCookieCompleted = true;
         } catch (Exception e) {
-            isBuildCookieCompleted = false;
             log.error(" Cookie Encryption failed ", e);
         }
         authCookie = new Cookie(confCookie.getCookieName(), encryptedCookie);
@@ -243,12 +242,13 @@ public class PortalServlet extends HttpServlet {
      * @param request
      * @param headers
      */
-    private void addCookies(final HttpServletResponse response, final HttpServletRequest request, final String[] headers) {
+    private void addCookies(final HttpServletResponse response, final HttpServletRequest request, final String[] headers)
+        throws CipherUtilException {
         for (var i = 0; i < headers.length; i++) {
             final var currHeader = ValidationUtils.sanitizeInputString(headers[i]);
             final var headerValue = ValidationUtils.sanitizeInputString(request.getHeader(currHeader));
             if (headerValue != null) {
-                final var cookie = new Cookie(currHeader, headerValue);
+                final var cookie = new Cookie(currHeader, CipherUtil.encryptPKC(headerValue));
                 cookie.setSecure(true);
                 response.addCookie(cookie);
             }
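Review bot: After the catch block, `authCookie = new Cookie(confCookie.getCookieName(), encryptedCookie);` still runs when `encryptPKC` threw, so the cookie is built from whatever `encryptedCookie` held before the try (its declaration is outside the hunk) and the `false` return only helps if the caller checks it; `if (!isBuildCookieCompleted) { return false; }` placed before that line would stop the half-built cookie from being created. This concerns the flag handling spread over the `-180` and `-188` hunks of addAuthCookie, whose body continues past the hunk. The `catch (Exception e)` also labels any failure inside `RepresentationUtils.toRepresentation` as ' Cookie Encryption failed '; catching `CipherUtilException` separately from whatever `toRepresentation` declares keeps the log message truthful. The diffstat shows no import changes, so the now-unqualified `CipherUtil` must already be in scope; the previous fully-qualified `org.onap.sdc.security.CipherUtil` reference hints at a possible name clash, so it is worth confirming the unqualified name resolves to the same class.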
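Review bot: `CipherUtil.encryptPKC(headerValue)` in addCookies uses the single-argument overload, while addAuthCookie in the `-188` hunk passes `confCookie.getSecurityKey()`; if the one-argument form falls back to a library default key, these cookies are encrypted under a key the deployment does not control, so passing the configured key here too looks preferable. The `cookie.setSecure(true)` line is also the place to add `cookie.setHttpOnly(true);`, which keeps these header-derived cookies out of reach of page scripts (the cross-site scripting the commit title names), unless the UI is known to read them. A `CipherUtilException` raised for the n-th header propagates after cookies for the earlier headers were already added, leaving a partially populated response; encrypting every value before the first `response.addCookie`, or handling the failure per header, avoids that. The Javadoc above the signature should additionally gain `@throws CipherUtilException if a header value cannot be encrypted`.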
diff --git a/catalog-fe/src/test/java/org/openecomp/sdc/fe/servlets/PortalServletTest.java b/catalog-fe/src/test/java/org/openecomp/sdc/fe/servlets/PortalServletTest.java
index b31b2f970e..11a4aecede 100644
--- a/catalog-fe/src/test/java/org/openecomp/sdc/fe/servlets/PortalServletTest.java
+++ b/catalog-fe/src/test/java/org/openecomp/sdc/fe/servlets/PortalServletTest.java
@@ -55,14 +55,14 @@ import org.openecomp.sdc.fe.config.ConfigurationManager;
 
 class PortalServletTest extends JerseyTest {
 
-    private final static HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
-    private final static HttpSession httpSession = Mockito.mock(HttpSession.class);
-    private final static ServletContext servletContext = Mockito.mock(ServletContext.class);
-    private final static ConfigurationManager configurationManager = Mockito.mock(ConfigurationManager.class);
-    private final static Configuration configuration = Mockito.mock(Configuration.class);
-    private final static HttpServletResponse response = Mockito.spy(HttpServletResponse.class);
-    private final static RequestDispatcher rd = Mockito.spy(RequestDispatcher.class);
-    final static Configuration.CookieConfig cookieConfiguration = Mockito.mock(Configuration.CookieConfig.class);
+    private static final HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+    private static final HttpSession httpSession = Mockito.mock(HttpSession.class);
+    private static final ServletContext servletContext = Mockito.mock(ServletContext.class);
+    private static final ConfigurationManager configurationManager = Mockito.mock(ConfigurationManager.class);
+    private static final Configuration configuration = Mockito.mock(Configuration.class);
+    private static final HttpServletResponse response = Mockito.spy(HttpServletResponse.class);
+    private static final RequestDispatcher rd = Mockito.spy(RequestDispatcher.class);
+    private static final Configuration.CookieConfig cookieConfiguration = Mockito.mock(Configuration.CookieConfig.class);
 
     @SuppressWarnings("serial")
     @BeforeAll
-- cgit 1.2.3-korg