XSS Vulnerability fix in RoleManageController 34/89034/1
authorDominik Mizyn <d.mizyn@samsung.com>
Fri, 31 May 2019 13:23:46 +0000 (15:23 +0200)
committerDominik Mizyn <d.mizyn@samsung.com>
Fri, 31 May 2019 13:24:03 +0000 (15:24 +0200)
@SafeHtml and SecureString used to secure this class

Issue-ID: OJSI-208
Change-Id: Ie01799933add3419cacf0fc716ce2da6da0a2853
Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/RoleManageController.java
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/domain/CentralV2RoleFunction.java
ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/RoleManageControllerTest.java

index c8e22d3..3fda539 100644 (file)
@@ -50,6 +50,11 @@ import java.util.TreeSet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import javax.validation.ConstraintViolation;
+import javax.validation.Valid;
+import javax.validation.Validation;
+import javax.validation.Validator;
+import javax.validation.ValidatorFactory;
 import org.apache.commons.lang.StringUtils;
 import org.json.JSONObject;
 import org.onap.portalapp.controller.EPRestrictedBaseController;
@@ -79,6 +84,7 @@ import org.onap.portalapp.portal.utils.EPCommonSystemProperties;
 import org.onap.portalapp.portal.utils.EcompPortalUtils;
 import org.onap.portalapp.portal.utils.PortalConstants;
 import org.onap.portalapp.util.EPUserUtils;
+import org.onap.portalapp.validation.SecureString;
 import org.onap.portalsdk.core.domain.AuditLog;
 import org.onap.portalsdk.core.domain.Role;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
@@ -111,6 +117,8 @@ import com.fasterxml.jackson.databind.type.TypeFactory;
 @EnableAspectJAutoProxy
 @EPAuditLog
 public class RoleManageController extends EPRestrictedBaseController {
+       private static final ValidatorFactory VALIDATOR_FACTORY = Validation.buildDefaultValidatorFactory();
+
        private static final String PIPE = "|";
 
        private static final String ROLE_INVALID_CHARS = "%=():,\"\"";
@@ -497,8 +505,17 @@ public class RoleManageController extends EPRestrictedBaseController {
        }
 
        @RequestMapping(value = { "/portalApi/role_function_list/saveRoleFunction/{appId}" }, method = RequestMethod.POST)
-       public PortalRestResponse<String> saveRoleFunction(HttpServletRequest request, HttpServletResponse response, @RequestBody CentralV2RoleFunction roleFunc,
+       public PortalRestResponse<String> saveRoleFunction(HttpServletRequest request, HttpServletResponse response, @Valid @RequestBody CentralV2RoleFunction roleFunc,
                        @PathVariable("appId") Long appId) throws Exception {
+               if (roleFunc!=null) {
+                       Validator validator = VALIDATOR_FACTORY.getValidator();
+                       Set<ConstraintViolation<CentralV2RoleFunction>> constraintViolations = validator.validate(roleFunc);
+
+                       if(!constraintViolations.isEmpty()){
+                               logger.error(EELFLoggerDelegate.errorLogger, "saveRoleFunction: Failed");
+                               return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "Data is not valid", "ERROR");
+                       }
+               }
                EPUser user = EPUserUtils.getUserSession(request);
                boolean saveOrUpdateResponse = false;
                try {
@@ -594,6 +611,19 @@ public class RoleManageController extends EPRestrictedBaseController {
        public PortalRestResponse<String> removeRoleFunction(HttpServletRequest request, HttpServletResponse response,
                        @RequestBody String roleFunc, @PathVariable("appId") Long appId) throws Exception {
                EPUser user = EPUserUtils.getUserSession(request);
+
+               if (roleFunc!=null) {
+                       SecureString secureString = new SecureString(roleFunc);
+
+                       Validator validator = VALIDATOR_FACTORY.getValidator();
+                       Set<ConstraintViolation<SecureString>> constraintViolations = validator.validate(secureString);
+
+                       if(!constraintViolations.isEmpty()){
+                               logger.error(EELFLoggerDelegate.errorLogger, "removeRoleFunction: Failed");
+                               return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "Data is not valid", "ERROR");
+                       }
+               }
+
                try {
                        EPApp requestedApp = appService.getApp(appId);
                        if (isAuthorizedUser(user, requestedApp)) {
@@ -656,6 +686,18 @@ public class RoleManageController extends EPRestrictedBaseController {
 
        @RequestMapping(value = { "/portalApi/centralizedApps" }, method = RequestMethod.GET)
        public List<CentralizedApp> getCentralizedAppRoles(HttpServletRequest request, HttpServletResponse response, String userId) throws IOException {
+               if(userId!=null) {
+                       SecureString secureString = new SecureString(userId);
+
+                       Validator validator = VALIDATOR_FACTORY.getValidator();
+                       Set<ConstraintViolation<SecureString>> constraintViolations = validator.validate(secureString);
+
+                       if(!constraintViolations.isEmpty()){
+                               logger.error(EELFLoggerDelegate.errorLogger, "removeRoleFunction: Failed");
+                               return null;
+                       }
+               }
+
                EPUser user = EPUserUtils.getUserSession(request);
                List<CentralizedApp> applicationsList = null;
                        if (adminRolesService.isAccountAdmin(user) || adminRolesService.isSuperAdmin(user) || adminRolesService.isRoleAdmin(user)) {
index d2ded5a..a761103 100644 (file)
@@ -39,6 +39,7 @@ package org.onap.portalapp.portal.domain;
 
 import java.io.Serializable;
 
+import org.hibernate.validator.constraints.SafeHtml;
 import org.onap.portalsdk.core.domain.support.DomainVo;
 
 import com.fasterxml.jackson.annotation.JsonIgnore;
@@ -50,14 +51,18 @@ public class CentralV2RoleFunction extends DomainVo implements Serializable, Com
         * 
         */
        private static final long serialVersionUID = -4018975640065252688L;
+               @SafeHtml
           private String code;
+               @SafeHtml
           private String name;
           @JsonIgnore
           private Long appId;
           @JsonIgnore
           private Long roleId;
           private String type;
+          @SafeHtml
           private String action;
+          @SafeHtml
           private String editUrl;
           
           
index 8bfa39c..9673cb2 100644 (file)
@@ -370,6 +370,48 @@ public class RoleManageControllerTest {
                assertEquals(expected, actual);
        }
 
+       @Test
+       public void saveRoleFunctionXSSTest() throws Exception {
+               PowerMockito.mockStatic(EPUserUtils.class);
+               PowerMockito.mockStatic(EcompPortalUtils.class);
+               EPUser user = mockUser.mockEPUser();
+               Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+               Mockito.when(EcompPortalUtils.checkIfRemoteCentralAccessAllowed()).thenReturn(true);
+               Mockito.when(adminRolesService.isAccountAdminOfApplication(user, CentralApp())).thenReturn(true);
+               Mockito.when(appService.getApp((long) 1)).thenReturn(CentralApp());
+               Mockito.doNothing().when(roleFunctionListController).saveRoleFunction(mockedRequest, mockedResponse, "test");
+               CentralV2RoleFunction addNewFunc = new CentralV2RoleFunction();
+               addNewFunc.setCode("“><script>alert(“XSS”)</script>");
+               addNewFunc.setType("Test");
+               addNewFunc.setAction("Test");
+               addNewFunc.setName("Test");
+               CentralV2RoleFunction roleFunction = mockCentralRoleFunction();
+               roleFunction.setCode("Test|Test|Test");
+               Mockito.when(externalAccessRolesService.getRoleFunction("Test|Test|Test", "test")).thenReturn(roleFunction);
+               Mockito.when(externalAccessRolesService.saveCentralRoleFunction(Matchers.anyObject(), Matchers.anyObject()))
+                       .thenReturn(true);
+               Mockito.when(EcompPortalUtils.getFunctionCode(roleFunction.getCode())).thenReturn("Test");
+               Mockito.when(EcompPortalUtils.getFunctionType(roleFunction.getCode())).thenReturn("Test");
+               Mockito.when(EcompPortalUtils.getFunctionAction(roleFunction.getCode())).thenReturn("Test");
+               Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+               List<EPUser> userList = new ArrayList<>();
+               userList.add(user);
+               List<EPApp> appList = new ArrayList<>();
+               appList.add(CentralApp());
+               Mockito.when(externalAccessRolesService.getUser("guestT")).thenReturn(userList);
+               StringWriter sw = new StringWriter();
+               PrintWriter writer = new PrintWriter(sw);
+               Mockito.when(mockedResponse.getWriter()).thenReturn(writer);
+               ResponseEntity<String> response = new ResponseEntity<>(HttpStatus.OK);
+               Mockito.when(externalAccessRolesService.getNameSpaceIfExists(Matchers.anyObject())).thenReturn(response);
+               Mockito.when(externalAccessRolesService.getApp(Matchers.anyString())).thenReturn(appList);
+               PortalRestResponse<String> actual = roleManageController.saveRoleFunction(mockedRequest, mockedResponse,
+                       addNewFunc, (long) 1);
+               PortalRestResponse<String> expected = new PortalRestResponse<String>(PortalRestStatusEnum.ERROR,
+                       "Data is not valid", "ERROR");
+               assertEquals(expected, actual);
+       }
+
        @Test
        public void saveRoleFunctionExceptionTest() throws Exception {
                Mockito.when(appService.getApp((long) 1)).thenReturn(CentralApp());
@@ -420,6 +462,36 @@ public class RoleManageControllerTest {
                assertEquals(expected, actual);
        }
 
+       @Test
+       public void removeRoleFunctionXSSTest() throws Exception {
+               PowerMockito.mockStatic(EPUserUtils.class);
+               PowerMockito.mockStatic(EcompPortalUtils.class);
+               EPUser user = mockUser.mockEPUser();
+               Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+               Mockito.when(EcompPortalUtils.checkIfRemoteCentralAccessAllowed()).thenReturn(true);
+               Mockito.when(adminRolesService.isAccountAdminOfApplication(user, CentralApp())).thenReturn(true);
+               Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+               Mockito.when(appService.getApp((long) 1)).thenReturn(CentralApp());
+               String roleFun = "<script>alert(/XSS”)</script>";
+               CentralV2RoleFunction roleFunction = mockCentralRoleFunction();
+               Mockito.when(externalAccessRolesService.getRoleFunction("Test|Test|Test", "test")).thenReturn(roleFunction);
+               StringWriter sw = new StringWriter();
+               PrintWriter writer = new PrintWriter(sw);
+               Mockito.when(mockedResponse.getWriter()).thenReturn(writer);
+               Mockito.when(externalAccessRolesService.deleteCentralRoleFunction(Matchers.anyString(), Matchers.anyObject()))
+                       .thenReturn(true);
+               List<EPApp> appList = new ArrayList<>();
+               appList.add(CentralApp());
+               ResponseEntity<String> response = new ResponseEntity<>(HttpStatus.OK);
+               Mockito.when(externalAccessRolesService.getNameSpaceIfExists(Matchers.anyObject())).thenReturn(response);
+               Mockito.when(externalAccessRolesService.getApp(Matchers.anyString())).thenReturn(appList);
+               PortalRestResponse<String> actual = roleManageController.removeRoleFunction(mockedRequest, mockedResponse,
+                       roleFun, (long) 1);
+               PortalRestResponse<String> expected = new PortalRestResponse<String>(PortalRestStatusEnum.ERROR,
+                       "Data is not valid", "ERROR");
+               assertEquals(expected, actual);
+       }
+
        @Test
        public void removeRoleFunctionExceptionTest() throws Exception {
                EPUser user = mockUser.mockEPUser();
@@ -908,6 +980,13 @@ public class RoleManageControllerTest {
                List<CentralizedApp> actual  = roleManageController.getCentralizedAppRoles(mockedRequest, mockedResponse, user.getOrgUserId());
                assertEquals(cenApps.size(), actual.size());
        }
+
+       @Test
+       public void getCentralizedAppRolesXSSTest() throws IOException {
+               String id = ("<ScRipT>alert(\"XSS\");</ScRipT>");
+               List<CentralizedApp> actual  = roleManageController.getCentralizedAppRoles(mockedRequest, mockedResponse, id);
+               assertNull(actual);
+       }
        
        @Test
        public void getCentralizedAppRolesExceptionTest() throws IOException {