Medium Vulnerabilities CodeFix: 1. URL Redirection 2. AAF-1111

[aaf/authz.git] / auth / auth-hello / src / main / java / org / onap / aaf / auth / hello / API_Hello.java

diff --git a/auth/auth-hello/src/main/java/org/onap/aaf/auth/hello/API_Hello.java b/auth/auth-hello/src/main/java/org/onap/aaf/auth/hello/API_Hello.java
index 4ffb178..cdaa6a7 100644 (file)
--- a/auth/auth-hello/src/main/java/org/onap/aaf/auth/hello/API_Hello.java
+++ b/auth/auth-hello/src/main/java/org/onap/aaf/auth/hello/API_Hello.java
@@ -35,6 +35,8 @@ import org.onap.aaf.auth.rserv.HttpMethods;
 import org.onap.aaf.misc.env.Env;
 import org.onap.aaf.misc.env.TimeTaken;
 
+import org.owasp.encoder.Encode;
+
 /**
  * API Apis
  * @author Jonathan
@@ -70,7 +72,7 @@ public class API_Hello {
                 String perm = pathParam(req, "perm");
                 if (perm!=null && perm.length()>0) {
                     os.print('(');
-                    os.print(req.getUserPrincipal().getName());
+                    os.print(Encode.forJava(req.getUserPrincipal().getName()));
                     TimeTaken tt = trans.start("Authorize perm", Env.REMOTE);
                     try {
                         if (req.isUserInRole(perm)) {
@@ -82,7 +84,7 @@ public class API_Hello {
                         tt.done();
                     }
                     os.print("Permission: ");
-                    os.print(perm);
+                    os.print(Encode.forJava(perm));
                     os.print(')');
                 }
                 os.println();
@@ -144,7 +146,7 @@ public class API_Hello {
                 }
                 sb.append("}");
                 ServletOutputStream os = resp.getOutputStream();
-                os.println(sb.toString());
+                os.println(Encode.forJava(sb.toString()));
                 trans.info().printf("Said 'RESTful Hello' to %s, Authentication type: %s",trans.getUserPrincipal().getName(),trans.getUserPrincipal().getClass().getSimpleName());
             }
         },APPLICATION_JSON);
@@ -164,7 +166,7 @@ public class API_Hello {
                 trans.info().printf("Content from %s: %s\n", pathParam(req, ":id"),content);
                 if (content.startsWith("{") && content.endsWith("}")) {
                     resp.setStatus(200 /* OK */);
-                    resp.getOutputStream().print(content);
+                    resp.getOutputStream().print(Encode.forJava(content));
                 } else {
                     resp.getOutputStream().write(NOT_JSON);
                     resp.setStatus(406);