Fix Fortify Header Manipulation Issue 03/41203/4
authorWang,Frank(gw1218) <gw1218@att.com>
Thu, 5 Apr 2018 14:22:50 +0000 (09:22 -0500)
committerWang,Frank(gw1218) <gw1218@att.com>
Wed, 11 Apr 2018 18:01:09 +0000 (13:01 -0500)
Fix Fortify issue on group Id by adding a validation on this input
value.

Issue-ID: POLICY-734
Change-Id: I83321a5ffd1ddca84f985b5fd8659e502ca967d7
Signed-off-by: Wang,Frank(gw1218) <gw1218@att.com>
ONAP-PAP-REST/src/main/java/org/onap/policy/pap/xacml/rest/handler/DeleteHandler.java

index 85b6e24..f3dda33 100644 (file)
@@ -64,7 +64,7 @@ public class DeleteHandler {
        public static final String POLICY_IN_PDP = "PolicyInPDP";
        public static final String ERROR = "error";
        public static final String UNKNOWN = "unknown";
        public static final String POLICY_IN_PDP = "PolicyInPDP";
        public static final String ERROR = "error";
        public static final String UNKNOWN = "unknown";
-
+       private static final String REGEX = "[0-9a-zA-Z._]*";
 
        public void doAPIDeleteFromPAP(HttpServletRequest request, HttpServletResponse response) throws IOException, SQLException  {
                // get the request content into a String
 
        public void doAPIDeleteFromPAP(HttpServletRequest request, HttpServletResponse response) throws IOException, SQLException  {
                // get the request content into a String
@@ -320,6 +320,13 @@ public class DeleteHandler {
                String groupId = request.getParameter("groupId");
                String responseString = null;
                
                String groupId = request.getParameter("groupId");
                String responseString = null;
                
+               if(groupId != null && !groupId.matches(REGEX) ){
+                       response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+                       response.addHeader("error",ERROR);
+                       response.addHeader("message", "Group Id is not valid");
+                       return;
+               }
+                               
                PolicyLogger.info("JSON request from API to Delete Policy from the PDP: " + policyName);
 
                // for PUT operations the group may or may not need to exist before the operation can be done
                PolicyLogger.info("JSON request from API to Delete Policy from the PDP: " + policyName);
 
                // for PUT operations the group may or may not need to exist before the operation can be done
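Review bot: The new guard in the second hunk calls `groupId.matches(REGEX)`, which recompiles the pattern on every request; since the allowlist is already a class constant, compile it once as `private static final Pattern GROUP_ID_PATTERN = Pattern.compile("[0-9a-zA-Z._]*");` and test with `!GROUP_ID_PATTERN.matcher(groupId).matches()` (adding `import java.util.regex.Pattern;`). `String.matches` does anchor the whole value, so the check as written does keep CR/LF and other header-breaking characters out, which is the Fortify finding it targets. The `*` quantifier also admits an empty group id; if an empty value is not meaningful downstream, `+` would reject it here rather than later, and note that hyphens are excluded, which is worth confirming against the group-id format the PAP actually issues. The rejection is also silent — a `PolicyLogger.warn("Rejected request: invalid groupId")` (without echoing the raw value, to avoid reintroducing log injection) would make these rejections visible to operators. The enclosing doAPIDeleteFromPDP method starts before and continues past this hunk, so where a null groupId ends up is not visible here.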