From 89fe88168e2a1284e2e2b2601de4c65decd8f988 Mon Sep 17 00:00:00 2001
From: aribeiro
Date: Fri, 23 Jul 2021 15:10:54 +0100
Subject: [PATCH] fix security vulnerability
Issue-ID: SDC-3607
Signed-off-by: aribeiro
Change-Id: I935898fcf1ae74dc8f162153ff2cf4744b8f2f99
---
 .../java/org/openecomp/sdc/fe/servlets/PortalServlet.java | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/PortalServlet.java b/catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/PortalServlet.java
index 64b8cb1e69..6378b996cf 100644
--- a/catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/PortalServlet.java
+++ b/catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/PortalServlet.java
@@ -37,6 +37,7 @@ import org.onap.sdc.security.AuthenticationCookie;
 import org.onap.sdc.security.RepresentationUtils;
 import org.openecomp.sdc.common.impl.MutableHttpServletRequest;
 import org.openecomp.sdc.common.log.wrappers.Logger;
+import org.openecomp.sdc.common.util.ValidationUtils;
 import org.openecomp.sdc.fe.Constants;
 import org.openecomp.sdc.fe.config.Configuration;
 import org.openecomp.sdc.fe.config.ConfigurationManager;
@@ -242,12 +243,12 @@ public class PortalServlet extends HttpServlet {
 * @param request
 * @param headers
 */
- private void addCookies(HttpServletResponse response, HttpServletRequest request, String[] headers) {
- for (int i = 0; i < headers.length; i++) {
- String currHeader = headers[i];
- String headerValue = request.getHeader(currHeader);
+ private void addCookies(final HttpServletResponse response, final HttpServletRequest request, final String[] headers) {
+ for (var i = 0; i < headers.length; i++) {
+ final var currHeader = ValidationUtils.sanitizeInputString(headers[i]);
+ final var headerValue = ValidationUtils.sanitizeInputString(request.getHeader(currHeader));
 if (headerValue != null) {
- final Cookie cookie = new Cookie(currHeader, headerValue);
+ final var cookie = new Cookie(currHeader, headerValue);
 cookie.setSecure(true);
 response.addCookie(cookie);
 }
--
2.16.6
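Review bot: `headerValue` is null-checked only after `ValidationUtils.sanitizeInputString(request.getHeader(currHeader))` has already run on it, so the `if (headerValue != null)` guard on the next line only works if sanitizeInputString itself tolerates a null argument, which this hunk cannot show; reading the raw header first and sanitizing inside the null branch keeps the guard meaningful either way: `final var rawValue = request.getHeader(currHeader);` / `if (rawValue != null) {` / `final var headerValue = ValidationUtils.sanitizeInputString(rawValue);`. Sanitizing the header name in `currHeader` before the lookup also means that a configured name the sanitizer rewrites would silently read a different, probably absent, header, so it is worth confirming that every entry in `headers` passes through sanitizeInputString unchanged. Because the value is copied from an incoming request header straight into a cookie, a short comment stating what sanitizeInputString strips and why a rewritten value is acceptable downstream would help the next reader; likewise, if browser-side script does not need these cookies, `cookie.setHttpOnly(true)` next to `cookie.setSecure(true)` would narrow their exposure, but that depends on how the frontend consumes them. The method's closing brace lies outside the hunk.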