Code Review / sdc.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: 47bcc63)
Fix critical cross site scripting 16/123216/2
authoraribeiro <anderson.ribeiro@est.tech>
Mon, 9 Aug 2021 21:08:42 +0000 (22:08 +0100)
committerMichael Morris <michael.morris@est.tech>
Wed, 11 Aug 2021 08:24:08 +0000 (08:24 +0000)
xss (cross site scripting) issue identified in sonarcloud

Issue-ID: SDC-3607
Signed-off-by: aribeiro <anderson.ribeiro@est.tech>
Change-Id: I729f14587154a02759ec62d5134cd115ac6eff38

catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/PortalServlet.java patch | blob | history

diff --git a/catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/PortalServlet.java b/catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/PortalServlet.java
index 6378b99..97c4ac6 100644 (file)
--- a/catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/PortalServlet.java
+++ b/catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/PortalServlet.java
@@ -113,7 +113,7 @@ public class PortalServlet extends HttpServlet {
      * @throws IOException
      */
     private void addRequestHeadersUsingWebseal(final HttpServletRequest request, final HttpServletResponse response)
-        throws ServletException, IOException {
+        throws ServletException, IOException, CipherUtilException {
         response.setContentType("text/html");
         // Create new request object to dispatch
         MutableHttpServletRequest mutableRequest = new MutableHttpServletRequest(request);
@@ -243,12 +243,13 @@ public class PortalServlet extends HttpServlet {
      * @param request
      * @param headers
      */
-    private void addCookies(final HttpServletResponse response, final HttpServletRequest request, final String[] headers) {
+    private void addCookies(final HttpServletResponse response, final HttpServletRequest request, final String[] headers)
+        throws CipherUtilException {
         for (var i = 0; i < headers.length; i++) {
             final var currHeader = ValidationUtils.sanitizeInputString(headers[i]);
             final var headerValue = ValidationUtils.sanitizeInputString(request.getHeader(currHeader));
             if (headerValue != null) {
-                final var cookie = new Cookie(currHeader, headerValue);
+                final var cookie = new Cookie(currHeader, CipherUtil.encryptPKC(headerValue));
                 cookie.setSecure(true);
                 response.addCookie(cookie);
             }
SDC Parent Project Catalog FE and BE