Persistent XSS vulnerability in onboardingApps form fix
[portal.git] / ecomp-portal-BE-common / src / main / java / org / onap / portalapp / portal / controller / AppsController.java
index 1224be8..c34311c 100644 (file)
@@ -739,6 +739,11 @@ public class AppsController extends EPRestrictedBaseController {
                        user = EPUserUtils.getUserSession(request);
                        if (!adminRolesService.isSuperAdmin(user) && !adminRolesService.isAccountAdminOfAnyActiveorInactiveApplication(user, oldEPApp) ) {
                                EcompPortalUtils.setBadPermissions(user, response, "putOnboardingApp");
+                       } else if(!dataValidator.isValid(modifiedOnboardingApp)){
+                               logger.error(EELFLoggerDelegate.errorLogger, "putOnboardingApp is not valid");
+                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/onboardingApps", "POST result =",
+                                                                                               response.getStatus());
+                               return fieldsValidator;
                        } else {
                                if((oldEPApp.getCentralAuth() && modifiedOnboardingApp.isCentralAuth && !oldEPApp.getNameSpace().equalsIgnoreCase(modifiedOnboardingApp.nameSpace) && modifiedOnboardingApp.nameSpace!= null ) || (!oldEPApp.getCentralAuth() && modifiedOnboardingApp.isCentralAuth && modifiedOnboardingApp.nameSpace!= null))
                                {
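Review bot: The new validation branch returns `fieldsValidator` without marking the request as failed, so a rejected PUT goes back to the client with whatever status the response already carries and an empty validator, and the `logAndSerializeObject` call logs that same unset status. Set the failure before returning, e.g. `response.setStatus(HttpServletResponse.SC_BAD_REQUEST);` followed by `fieldsValidator.httpStatusCode = Long.valueOf(HttpServletResponse.SC_BAD_REQUEST);` — the field's exact type is not visible here, but the postOnboardingApps hunk reads it through `fieldsValidator.httpStatusCode.intValue()`, so adjust the boxing to match. The log label `"POST result ="` sits inside putOnboardingApp and will mislabel the access log; `"PUT result ="` matches the handler. The enclosing method starts and ends outside this hunk.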
@@ -789,7 +794,8 @@ public class AppsController extends EPRestrictedBaseController {
                                EcompPortalUtils.setBadPermissions(user, response, "postOnboardingApps");
                        } else {
                                newOnboardingApp.normalize();
-                               checkIfNameSpaceIsValid(newOnboardingApp, fieldsValidator, response);
+                               if(newOnboardingApp.isCentralAuth != null && newOnboardingApp.isCentralAuth)
+                                       checkIfNameSpaceIsValid(newOnboardingApp, fieldsValidator, response);
                                fieldsValidator = appService.addOnboardingApp(newOnboardingApp, user);
                                response.setStatus(fieldsValidator.httpStatusCode.intValue());
                        }
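Review bot: The create path still hands `newOnboardingApp` straight to `appService.addOnboardingApp` with no `dataValidator.isValid` check, so the same stored-XSS payload the PUT hunk now rejects can still be persisted through POST unless addOnboardingApp validates internally, which nothing in this hunk shows. Mirror the PUT guard right after `normalize()`: `if (!dataValidator.isValid(newOnboardingApp)) { response.setStatus(HttpServletResponse.SC_BAD_REQUEST); return fieldsValidator; }`. Separately, whatever `checkIfNameSpaceIsValid` records in `fieldsValidator` or the response is overwritten on the very next line by the `addOnboardingApp` assignment, so a failed namespace check does not appear to stop the app from being added; the call should be followed by an early return when it reports a failure. The braceless `if` is also out of step with the rest of the method, which braces every branch. The enclosing method starts and ends outside this hunk.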
@@ -917,7 +923,7 @@ public class AppsController extends EPRestrictedBaseController {
                                throw e;
                        }
                } catch (Exception e) {
-                       e.printStackTrace();
+                   logger.error(EELFLoggerDelegate.errorLogger, "Exception in checkIfNameSpaceIsValid", e);
                }
        }
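Review bot: The new log line correctly attaches `e`, but the surrounding `catch (Exception e)` still absorbs every failure of checkIfNameSpaceIsValid, including what appears to be the `throw e;` a few lines up inside the same try, so a caller never sees a validation error as an exception and must rely on side effects on the validator; if that rethrow is meant to escape, narrow this catch to the checked types the body can raise or rethrow after logging. The replacement line is indented with spaces where the rest of the file uses tabs, which shows in the diff and trips tab-aware tooling. The message would be more actionable if it named the namespace being checked, e.g. `"Exception in checkIfNameSpaceIsValid for namespace " + <namespace>` — the variable holding it is outside this hunk. The enclosing method starts outside this hunk.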