Merge changes I5837e333,I340cb721
authorManoop Talasila <talasila@research.att.com>
Mon, 21 Oct 2019 15:02:18 +0000 (15:02 +0000)
committerGerrit Code Review <gerrit@onap.org>
Mon, 21 Oct 2019 15:02:18 +0000 (15:02 +0000)
* changes:
  Reflected XSS vulnerability in saveNotification form fix.
  Security Vulnerability in pom.xml fix

ecomp-portal-BE-common/pom.xml
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/ExternalAppsRestfulController.java
ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/ExternalAppsRestfulControllerTest.java

index a3e445d..1a04c40 100644 (file)
                <dependency>
                        <groupId>com.att.eelf</groupId>
                        <artifactId>eelf-core</artifactId>
-                       <version>${eelf.version}</version>
+                       <version>1.0.0-oss</version>
                </dependency>
                <dependency>
                        <groupId>com.google.code.gson</groupId>
                <dependency>
                        <groupId>org.springframework.boot</groupId>
                        <artifactId>spring-boot-starter</artifactId>
-                       <version>1.3.0.RELEASE</version>
+                       <version>1.3.1.RELEASE</version>
                        <exclusions>
                                <exclusion>
                                        <groupId>org.slf4j</groupId>
                <dependency>
                        <groupId>org.hibernate</groupId>
                        <artifactId>hibernate-validator</artifactId>
-                       <version>5.1.3.Final</version>
+                       <version>5.2.5.Final</version>
                </dependency>
                <!-- hibernate-core depends on dom4j, which has optional dependencies. 
                        On jenkins, contrary to doc, mvn 3.0.5 packages the optional dependencies 
                <dependency>
                        <groupId>org.apache.cxf</groupId>
                        <artifactId>cxf-rt-rs-client</artifactId>
-                       <version>3.0.0-milestone1</version>
+                       <version>3.1.16</version>
                </dependency>
                <!-- Mapper -->
                <dependency>
                <dependency>
                        <groupId>org.elasticsearch</groupId>
                        <artifactId>elasticsearch</artifactId>
-                       <version>2.2.0</version>
+                       <version>6.8.2</version>
                        <exclusions>
                                <exclusion>
                                        <groupId>org.apache.lucene</groupId>
                <dependency>
                        <groupId>io.searchbox</groupId>
                        <artifactId>jest</artifactId>
-                       <version>2.0.0</version>
+                       <version>5.3.2</version>
                </dependency>
                <dependency>
                        <groupId>org.apache.jcs</groupId>
                <dependency>
                        <groupId>org.apache.tomcat</groupId>
                        <artifactId>tomcat-websocket</artifactId>
-                       <version>8.0.28</version>
+                       <version>8.0.52</version>
                        <scope>provided</scope>
                </dependency>
                <dependency>
                <dependency>
                        <groupId>org.apache.poi</groupId>
                        <artifactId>poi</artifactId>
-                       <version>3.15</version>
+                       <version>3.17</version>
                        <exclusions>
                                <exclusion>
                                        <groupId>commons-logging</groupId>
                <dependency>
                        <groupId>org.apache.poi</groupId>
                        <artifactId>poi-ooxml</artifactId>
-                       <version>3.15</version>
+                       <version>3.17</version>
                        <exclusions>
                                <exclusion>
                                        <groupId>commons-logging</groupId>
                <dependency>
                        <groupId>org.apache.poi</groupId>
                        <artifactId>poi-scratchpad</artifactId>
-                       <version>3.5-FINAL</version>
+                       <version>3.17</version>
                        <exclusions>
                                <exclusion>
                                        <groupId>commons-logging</groupId>
                <dependency>
                        <groupId>org.bouncycastle</groupId>
                        <artifactId>bcprov-jdk15on</artifactId>
-                       <version>1.59</version>
+                       <version>1.60</version>
                </dependency>
                <dependency>
                        <groupId>commons-codec</groupId>
                <dependency>
                        <groupId>commons-beanutils</groupId>
                        <artifactId>commons-beanutils</artifactId>
-                       <version>1.9.3</version>
+                       <version>1.9.4</version>
                </dependency>
                <dependency>
                        <groupId>com.ecwid.consul</groupId>
                        <artifactId>consul-api</artifactId>
-                       <version>1.2.1</version>
+                       <version>1.3.0</version>
                </dependency>
                <dependency>
                        <groupId>com.orbitz.consul</groupId>
                        <artifactId>consul-client</artifactId>
-                       <version>0.13.8</version>
+                       <version>1.3.6</version>
                </dependency>
                <dependency>
                        <groupId>commons-fileupload</groupId>
                <dependency>
                        <groupId>com.fasterxml.jackson.jaxrs</groupId>
                        <artifactId>jackson-jaxrs-json-provider</artifactId>
-                       <version>2.8.10</version>
+                       <version>2.10.0</version>
                </dependency>
                <!-- https://mvnrepository.com/artifact/org.glassfish.web/javax.el -->
                <dependency>
                <dependency>
                        <groupId>org.glassfish.jersey.connectors</groupId>
                        <artifactId>jersey-jetty-connector</artifactId>
-                       <version>2.23.1</version>
+                       <version>2.28</version>
                </dependency>
                <!-- Jacoco for offline instrumentation -->
                <dependency>
                <dependency>
              <groupId>org.owasp.esapi</groupId>
              <artifactId>esapi</artifactId>
-             <version>2.1.0.1</version>
+             <version>2.2.0.0</version>
              <exclusions>
                                <exclusion>
                        <groupId>commons-beanutils</groupId>
                <dependency>
                <groupId>com.thoughtworks.xstream</groupId>
                <artifactId>xstream</artifactId>
-               <version>1.4.10</version>
+               <version>1.4.11</version>
                </dependency>
                <dependency>
                        <groupId>ch.qos.logback</groupId>
                <dependency>
                        <groupId>com.alibaba</groupId>
                        <artifactId>fastjson</artifactId>
-                       <version>1.2.7</version>
+                       <version>1.2.25</version>
                </dependency>
        </dependencies>
 
index 15ce305..7615b66 100644 (file)
@@ -66,6 +66,8 @@ import org.onap.portalapp.portal.transport.FunctionalMenuItem;
 import org.onap.portalapp.portal.utils.EPCommonSystemProperties;
 import org.onap.portalapp.portal.utils.EcompPortalUtils;
 import org.onap.portalapp.portal.utils.PortalConstants;
+import org.onap.portalapp.validation.DataValidator;
+import org.onap.portalapp.validation.SecureString;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
 import org.onap.portalsdk.core.onboarding.crossapi.PortalAPIResponse;
 import org.slf4j.MDC;
@@ -90,6 +92,7 @@ import io.swagger.annotations.ApiOperation;
 public class ExternalAppsRestfulController extends EPRestrictedRESTfulBaseController {
 
        private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(ExternalAppsRestfulController.class);
+       private final DataValidator DATA_VALIDATOR = new DataValidator();
 
        @Autowired
        private FunctionalMenuService functionalMenuService;
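Review bot: `DATA_VALIDATOR` on the added field is a constant-style name on a plain instance field — it is neither `static` nor a compile-time constant, so the UPPER_SNAKE name misleads readers into thinking it is shared. Either make it `private static final DataValidator DATA_VALIDATOR = new DataValidator();` if DataValidator holds no per-request state (its class is not visible in this diff, so that needs confirming), or keep it per-instance and name it `private final DataValidator dataValidator = new DataValidator();` to match the camelCase of the neighbouring fields such as `logger` and `functionalMenuService`. The class body continues outside this hunk.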
@@ -111,6 +114,11 @@ public class ExternalAppsRestfulController extends EPRestrictedRESTfulBaseContro
        @ResponseBody
        public PortalAPIResponse publishNotification(HttpServletRequest request,
                        @RequestBody EpNotificationItem notificationItem) throws Exception {
+
+               if(!DATA_VALIDATOR.isValid(notificationItem)){
+                       PortalAPIResponse response = new PortalAPIResponse(false, "failed");
+                       return response;
+               }
                String appKey = request.getHeader("uebkey");
                EPApp app = findEpApp(appKey);
                List<Long> postRoleIds = new ArrayList<Long>();
@@ -119,8 +127,8 @@ public class ExternalAppsRestfulController extends EPRestrictedRESTfulBaseContro
             EPRole role = epRoleService.getRole(app.getId(), roleId);
             if (role != null)
                 postRoleIds.add(role.getId());
-        }
-    }
+               }
+       }
 
                // --- recreate the user notification object with the POrtal Role Ids
                EpNotificationItem postItem = new EpNotificationItem();
index d8f98bb..d6cb42a 100644 (file)
@@ -296,6 +296,47 @@ public class ExternalAppsRestfulControllerTest {
         assertEquals(543L, createdNofification.getRoleIds().get(0).longValue());
     }
 
+       @Test
+       public void publishNotificationXSSTest() throws Exception {
+               // input
+               EpNotificationItem notificationItem = new EpNotificationItem();
+               List<Long> roleList = new ArrayList<Long>();
+               Long role1 = 1L;
+               roleList.add(role1);
+               notificationItem.setRoleIds(roleList);
+               notificationItem.setPriority(1L);
+               notificationItem.setMsgHeader("<script>alert(‘XSS’)</script>");
+               notificationItem.setMsgDescription("Test Description");
+               Date currentDate = new Date();
+               Calendar c = Calendar.getInstance();
+               c.setTime(currentDate);
+               c.add(Calendar.DATE, 1);
+               Date currentDatePlusOne = c.getTime();
+               notificationItem.setStartTime(currentDate);
+               notificationItem.setEndTime(currentDatePlusOne);
+
+               // mock calls
+               Mockito.when(mockedRequest.getHeader("uebkey")).thenReturn("RxH3983AHiyBOQmj");
+               Map<String, String> params = new HashMap<>();
+               params.put("appKey", "RxH3983AHiyBOQmj");
+               List<EPApp> apps = new ArrayList<>();
+               EPApp app = new EPApp();
+               app.setId(123L);
+               apps.add(app);
+               Mockito.when(DataAccessService.executeNamedQuery("getMyAppDetailsByUebKey", params, null)).thenReturn(apps);
+               EPRole role = new EPRole();
+               role.setId(543L);
+               Mockito.when(epRoleService.getRole(123L, 1L)).thenReturn(role);
+
+               // run
+               Mockito.when(userNotificationService.saveNotification(notificationItem)).thenReturn("Test");
+               PortalAPIResponse response = externalAppsRestfulController.publishNotification(mockedRequest, notificationItem);
+               // verify answer
+               assertNotNull(response);
+               assertEquals("error", response.getStatus());
+               assertEquals("failed", response.getMessage());
+       }
+
     @Test
     public void publishNotificationTest_EmptyAppHeader() throws Exception {
         // input
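Review bot: The new publishNotificationXSSTest only inspects the returned PortalAPIResponse; it does not prove that the script payload never reached persistence, which is the property the fix is meant to guarantee. Add `Mockito.verify(userNotificationService, Mockito.never()).saveNotification(Mockito.any());` after the response assertions, and drop the `Mockito.when(userNotificationService.saveNotification(notificationItem)).thenReturn("Test");` stub on the line before the call, since a rejected request must not invoke it (strict-stubs Mockito would also flag that stub as unused). The quotes in the `<script>alert(‘XSS’)</script>` fixture are typographic U+2018/U+2019 characters rather than ASCII apostrophes — harmless for a rejection test, but `'XSS'` is the payload an attacker would actually send and avoids a source-encoding surprise. The `assertEquals("error", response.getStatus())` check presumes PortalAPIResponse maps the `false` constructor flag to the string "error", which is not visible in this diff.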