Fix Fortify Header Manipulation Issue
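diff --git a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/handler/DeleteHandler.java b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/handler/DeleteHandler.java
index 85b6e24..f3dda33 100644
--- a/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/handler/DeleteHandler.java
+++ b/ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/handler/DeleteHandler.java
@@ -64,7 +64,7 @@ public class DeleteHandler {
 public static final String POLICY_IN_PDP = "PolicyInPDP";
 public static final String ERROR = "error";
 public static final String UNKNOWN = "unknown";
-
+private static final String REGEX = "[0-9a-zA-Z._]*";
 public void doAPIDeleteFromPAP(HttpServletRequest request, HttpServletResponse response) throws IOException, SQLException {
 // get the request content into a String
@@ -320,6 +320,13 @@ public class DeleteHandler {
 String groupId = request.getParameter("groupId");
 String responseString = null;
+if(groupId != null && !groupId.matches(REGEX) ){
+response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+response.addHeader("error",ERROR);
+response.addHeader("message", "Group Id is not valid");
+return;
+}
+
 PolicyLogger.info("JSON request from API to Delete Policy from the PDP: " + policyName);
 // for PUT operations the group may or may not need to exist before the operation can be done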
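Review bot: The whitelist `[0-9a-zA-Z._]*` accepts the empty string, so a request carrying `groupId=` passes the new check in the second hunk, and a missing parameter (null) skips it entirely; whether the code after the hunk tolerates an empty or null group id is not visible here, so if an empty id is never meaningful the pattern should be `[0-9a-zA-Z._]+`. Since `REGEX` is a constant used only through `String.matches`, which recompiles it on every request, it would be cleaner to hold a precompiled `private static final Pattern GROUP_ID_PATTERN = Pattern.compile("[0-9a-zA-Z._]+");` (import `java.util.regex.Pattern`) and test with `if (groupId != null && !GROUP_ID_PATTERN.matcher(groupId).matches()) {`. Note also that the line right after the new guard logs `policyName` unvalidated; if that value also comes from the request, it presumably deserves the same whitelist before being written to the log or any response header. The enclosing method of this hunk begins and ends outside the hunk, so the later uses of `groupId` could not be checked.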