+ @Test
+ public void saveRoleFunctionXSSTest() throws Exception {
+ List<EPApp> applicationList = new ArrayList<>();
+ EPUser user = mockUser.mockEPUser();
+ List<EPUser> userList = new ArrayList<>();
+ userList.add(user);
+ EPApp app = mockApp();
+ app.setCentralAuth(true);
+ applicationList.add(app);
+ JSONObject roleFunc = new JSONObject();
+ roleFunc.put("type", "<script>alert(“XSS”)</script> ");
+ roleFunc.put("code", "test_instance");
+ roleFunc.put("action", "test_action");
+ roleFunc.put("name", "test_name");
+ ObjectMapper mapper = new ObjectMapper();
+ mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
+ CentralV2RoleFunction saveRoleFunc = mapper.readValue(roleFunc.toString(), CentralV2RoleFunction.class);
+ saveRoleFunc.setAppId(app.getId());
+ Mockito.when(externalAccessRolesService.getApp(mockedRequest.getHeader(uebKey))).thenReturn(applicationList);
+ PortalRestResponse<String> portalRestResponse = null;
+ PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>();
+ expectedportalRestResponse.setMessage("Failed to roleFunc, not valid data.");
+ expectedportalRestResponse.setResponse("Failed");
+ expectedportalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
+ Mockito.when(mockedRequest.getHeader("uebkey")).thenReturn(uebKey);
+ Mockito.when(externalAccessRolesService.getApp(mockedRequest.getHeader("uebkey"))).thenReturn(applicationList);
+ ResponseEntity<String> response = new ResponseEntity<>(HttpStatus.FOUND);
+ Mockito.when(externalAccessRolesService.getNameSpaceIfExists(applicationList.get(0))).thenReturn(response);
+ Mockito.when(externalAccessRolesService.getRoleFunction("test_type|test_instance|test_action", app.getUebKey()))
+ .thenReturn(null);
+ Mockito.when(externalAccessRolesService.saveCentralRoleFunction(Matchers.any(CentralV2RoleFunction.class),
+ Matchers.any(EPApp.class))).thenReturn(true);
+ Mockito.when(externalAccessRolesService.getUser(mockedRequest.getHeader(Matchers.anyString())))
+ .thenReturn(userList);
+ Mockito.when(externalAccessRolesService.getApp(mockedRequest.getHeader(Matchers.anyString())))
+ .thenReturn(applicationList);
+ portalRestResponse = externalAccessRolesController.saveRoleFunction(mockedRequest, mockedResponse,
+ roleFunc.toString());
+ assertEquals(expectedportalRestResponse, portalRestResponse);
+ }
+