From: david.mcweeney Date: Thu, 10 Mar 2022 11:39:53 +0000 (+0000) Subject: DMAAP-1624 Cross Scripting sonar check X-Git-Tag: 2.1.10~2 X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;ds=sidebyside;h=116700ba242cc0b67c2b0f23bd412340ba60d952;p=dmaap%2Fdatarouter.git DMAAP-1624 Cross Scripting sonar check Change-Id: Id5a10c3a9dd037d28caaee5e7a1831477cca3dad Signed-off-by: david.mcweeney Issue-ID: DMAAP-1624
---
diff --git a/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java b/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java
index aa827de1..139c7492 100644
--- a/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java
+++ b/datarouter-node/src/main/java/org/onap/dmaap/datarouter/node/NodeServlet.java
@@ -253,7 +253,7 @@ public class NodeServlet extends HttpServlet {
 return;
 }
 fileid = fileid.substring(18);
- pubid = req.getHeader("X-DMAAP-DR-PUBLISH-ID");
+ pubid = generateAndValidatePublishId(req);
 user = "datartr"; // SP6 : Added usr as datartr to avoid null entries for internal routing
 targets = config.parseRouting(req.getHeader("X-DMAAP-DR-ROUTING"));
@@ -466,6 +466,17 @@ public class NodeServlet extends HttpServlet {
 }
 }
+ private String generateAndValidatePublishId(HttpServletRequest req) throws IOException {
+ String newPubId = req.getHeader("X-DMAAP-DR-PUBLISH-ID");
+
+ String regex = ".*";
+
+ if(newPubId.matches(regex)){
+ return newPubId;
+ }
+ throw new IOException("Invalid Header X-DMAAP-DR-PUBLISH-ID");
+ }
+
 private String writeInputStreamToFile(HttpServletRequest req, File data) {
 byte[] buf = new byte[1024 * 1024];
 int bytesRead;
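Review bot: A rejected publish id now leaves this branch as an `IOException` thrown from `generateAndValidatePublishId(req)`, whereas the context lines just above end a rejected request with an early `return`. The enclosing method starts and ends outside the hunk, so whether that exception becomes an explicit 4xx response with a log entry or a generic 500 cannot be confirmed from here. If nothing catches it, I would handle it at the call site with a `sendError(HttpServletResponse.SC_BAD_REQUEST, ...)` on the servlet response followed by `return;`, and log the rejection without echoing the raw header value.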
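Review bot: The pattern in `generateAndValidatePublishId` is `".*"`, which accepts every header value that has no line terminator, so the method satisfies the taint check named in the commit title without restricting what reaches `pubid`. `req.getHeader` also returns null when the header is absent, and `newPubId.matches(regex)` then throws a NullPointerException instead of the intended IOException. I would replace the regex with an allow-list for the real publish-id format, compiled once as a `static final Pattern`, and fold the null case into the rejection; if an absent header is legitimate on this path, return it before matching instead. The allow-list string in the sketch below is a placeholder, since the expected format is not visible in this diff.

```java
// Placeholder pattern: replace with the allow-list for the publish-id format this node actually receives.
private static final Pattern PUBLISH_ID_PATTERN = Pattern.compile("<PUBLISH_ID_ALLOW_LIST_REGEX>");

private String generateAndValidatePublishId(HttpServletRequest req) throws IOException {
    String newPubId = req.getHeader("X-DMAAP-DR-PUBLISH-ID");
    // getHeader returns null for a missing header; reject it rather than dereference it.
    if (newPubId == null || !PUBLISH_ID_PATTERN.matcher(newPubId).matches()) {
        throw new IOException("Invalid Header X-DMAAP-DR-PUBLISH-ID");
    }
    return newPubId;
}
```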