Merge "XSS Vulnerability fix in WidgetsController"

author Manoop Talasila <talasila@research.att.com>

Mon, 22 Jul 2019 19:31:46 +0000 (19:31 +0000)

committer Gerrit Code Review <gerrit@onap.org>

Mon, 22 Jul 2019 19:31:46 +0000 (19:31 +0000)
author Manoop Talasila <talasila@research.att.com>
Mon, 22 Jul 2019 19:31:46 +0000 (19:31 +0000)
committer Gerrit Code Review <gerrit@onap.org>
Mon, 22 Jul 2019 19:31:46 +0000 (19:31 +0000)
diff --git a/ecomp-portal-BE-common/pom.xml b/ecomp-portal-BE-common/pom.xml

index 61f166d..58ae584 100644 (file)
--- a/ecomp-portal-BE-common/pom.xml
+++ b/ecomp-portal-BE-common/pom.xml
@@ -179,6 +179,11 @@
                         <artifactId>spring-test</artifactId>
                         <version>${springframework.version}</version>
                 </dependency>
+               <dependency>
+                       <groupId>javax.xml.bind</groupId>
+                       <artifactId>jaxb-api</artifactId>
+                       <version>2.4.0-b180830.0359</version>
+               </dependency>
                 <dependency>
                         <groupId>org.springframework.boot</groupId>
                         <artifactId>spring-boot-starter</artifactId>
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppContactUsController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppContactUsController.java

index 5da3552..b5876af 100644 (file)
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppContactUsController.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppContactUsController.java
@@ -37,7 +37,6 @@
   */
  package org.onap.portalapp.portal.controller;
  
-import java.util.Collections;
  import java.util.Comparator;
  import java.util.HashMap;
  import java.util.List;
@@ -53,9 +52,11 @@ import org.onap.portalapp.portal.ecomp.model.PortalRestStatusEnum;
  import org.onap.portalapp.portal.logging.aop.EPAuditLog;
  import org.onap.portalapp.portal.service.AppContactUsService;
  import org.onap.portalapp.portal.utils.EPCommonSystemProperties;
+import org.onap.portalapp.validation.DataValidator;
  import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
  import org.onap.portalsdk.core.util.SystemProperties;
  import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
  import org.springframework.context.annotation.EnableAspectJAutoProxy;
  import org.springframework.web.bind.annotation.PathVariable;
  import org.springframework.web.bind.annotation.RequestBody;
@@ -65,42 +66,51 @@ import org.springframework.web.bind.annotation.RestController;
  
  @RestController
  @RequestMapping("/portalApi/contactus")
-@org.springframework.context.annotation.Configuration
+@Configuration
  @EnableAspectJAutoProxy
  @EPAuditLog
  public class AppContactUsController extends EPRestrictedBaseController {
  
-       static final String FAILURE = "failure";
+       private static final String FAILURE = "failure";
+       private static final String SUCCESS= "success";
  
-       private static EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppContactUsController.class);
+       private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppContactUsController.class);
+       private static final DataValidator dataValidator = new DataValidator();
+       private final Comparator<AppCategoryFunctionsItem> appCategoryFunctionsItemComparator = Comparator
+               .comparing(AppCategoryFunctionsItem::getCategory);
  
-       @Autowired
         private AppContactUsService contactUsService;
  
+       @Autowired
+       public AppContactUsController(AppContactUsService contactUsService) {
+               this.contactUsService = contactUsService;
+       }
+
+
         /**
          * Answers a JSON object with three items from the system.properties file:
          * user self-help ticket URL, email for feedback, and Portal info link.
-        * 
+        *
          * @param request HttpServletRequest
          * @return PortalRestResponse
          */
         @RequestMapping(value = "/feedback", method = RequestMethod.GET, produces = "application/json")
         public PortalRestResponse<String> getPortalDetails(HttpServletRequest request) {
-               PortalRestResponse<String> portalRestResponse = null;
+               PortalRestResponse<String> portalRestResponse;
                 try {
                         final String ticketUrl = SystemProperties.getProperty(EPCommonSystemProperties.USH_TICKET_URL);
                         final String portalInfoUrl = SystemProperties.getProperty(EPCommonSystemProperties.PORTAL_INFO_URL);
                         final String feedbackEmail = SystemProperties.getProperty(EPCommonSystemProperties.FEEDBACK_EMAIL_ADDRESS);
-                       HashMap<String, String> map = new HashMap<String, String>();
+                       HashMap<String, String> map = new HashMap<>();
                         map.put(EPCommonSystemProperties.USH_TICKET_URL, ticketUrl);
                         map.put(EPCommonSystemProperties.PORTAL_INFO_URL, portalInfoUrl);
                         map.put(EPCommonSystemProperties.FEEDBACK_EMAIL_ADDRESS, feedbackEmail);
                         JSONObject j = new JSONObject(map);
                         String contactUsPortalResponse = j.toString();
-                       portalRestResponse = new PortalRestResponse<String>(PortalRestStatusEnum.OK, "success",
-                                       contactUsPortalResponse);
+                       portalRestResponse = new PortalRestResponse<>(PortalRestStatusEnum.OK, SUCCESS,
+                               contactUsPortalResponse);
                 } catch (Exception e) {
-                       return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, FAILURE, e.getMessage());
+                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE, e.getMessage());
                 }
                 return portalRestResponse;
         }
@@ -108,21 +118,21 @@ public class AppContactUsController extends EPRestrictedBaseController {
         /**
          * Answers the contents of the contact-us table, extended with the
          * application name.
-        * 
+        *
          * @param request HttpServletRequest
          * @return PortalRestResponse<List<AppContactUsItem>>
          */
         @RequestMapping(value = "/list", method = RequestMethod.GET, produces = "application/json")
         public PortalRestResponse<List<AppContactUsItem>> getAppContactUsList(HttpServletRequest request) {
-               PortalRestResponse<List<AppContactUsItem>> portalRestResponse = null;
+               PortalRestResponse<List<AppContactUsItem>> portalRestResponse;
                 try {
                         List<AppContactUsItem> contents = contactUsService.getAppContactUs();
-                       portalRestResponse = new PortalRestResponse<List<AppContactUsItem>>(PortalRestStatusEnum.OK, "success",
-                                       contents);
+                       portalRestResponse = new PortalRestResponse<>(PortalRestStatusEnum.OK, SUCCESS,
+                               contents);
                 } catch (Exception e) {
                         logger.error(EELFLoggerDelegate.errorLogger, "getAppContactUsList failed", e);
-                       portalRestResponse = new PortalRestResponse<List<AppContactUsItem>>(PortalRestStatusEnum.ERROR,
-                                       e.getMessage(), null);
+                       portalRestResponse = new PortalRestResponse<>(PortalRestStatusEnum.ERROR,
+                               e.getMessage(), null);
                 }
                 return portalRestResponse;
         }
@@ -130,35 +140,25 @@ public class AppContactUsController extends EPRestrictedBaseController {
         /**
          * Answers a list of objects, one per application, extended with available
          * data on how to contact that app's organization (possibly none).
-        * 
+        *
          * @param request HttpServletRequest
          * @return PortalRestResponse<List<AppContactUsItem>>
          */
         @RequestMapping(value = "/allapps", method = RequestMethod.GET, produces = "application/json")
         public PortalRestResponse<List<AppContactUsItem>> getAppsAndContacts(HttpServletRequest request) {
-               PortalRestResponse<List<AppContactUsItem>> portalRestResponse = null;
+               PortalRestResponse<List<AppContactUsItem>> portalRestResponse;
                 try {
                         List<AppContactUsItem> contents = contactUsService.getAppsAndContacts();
-                       portalRestResponse = new PortalRestResponse<List<AppContactUsItem>>(PortalRestStatusEnum.OK, "success",
-                                       contents);
+                       portalRestResponse = new PortalRestResponse<>(PortalRestStatusEnum.OK, SUCCESS,
+                               contents);
                 } catch (Exception e) {
                         logger.error(EELFLoggerDelegate.errorLogger, "getAllAppsAndContacts failed", e);
-                       portalRestResponse = new PortalRestResponse<List<AppContactUsItem>>(PortalRestStatusEnum.ERROR,
-                                       e.getMessage(), null);
+                       portalRestResponse = new PortalRestResponse<>(PortalRestStatusEnum.ERROR,
+                               e.getMessage(), null);
                 }
                 return portalRestResponse;
         }
  
-       /**
-        * Sorts by category name.
-        */
-       private Comparator<AppCategoryFunctionsItem> appCategoryFunctionsItemComparator = new Comparator<AppCategoryFunctionsItem>() {
-               @Override
-               public int compare(AppCategoryFunctionsItem o1, AppCategoryFunctionsItem o2) {
-                       return o1.getCategory().compareTo(o2.getCategory());
-               }
-       };
-       
         /**
          * Answers a list of objects with category-application-function details. Not
          * all applications participate in the functional menu.
@@ -168,20 +168,17 @@ public class AppContactUsController extends EPRestrictedBaseController {
          */
         @RequestMapping(value = "/functions", method = RequestMethod.GET, produces = "application/json")
         public PortalRestResponse<List<AppCategoryFunctionsItem>> getAppCategoryFunctions(HttpServletRequest request) {
-               PortalRestResponse<List<AppCategoryFunctionsItem>> portalRestResponse = null;
+               PortalRestResponse<List<AppCategoryFunctionsItem>> portalRestResponse;
                 try {
                         List<AppCategoryFunctionsItem> contents = contactUsService.getAppCategoryFunctions();
-                       // logger.debug(EELFLoggerDelegate.debugLogger,
-                       // "getAppCategoryFunctions: result list size is " +
-                       // contents.size());
-                       Collections.sort(contents, appCategoryFunctionsItemComparator);
-                       portalRestResponse = new PortalRestResponse<List<AppCategoryFunctionsItem>>(PortalRestStatusEnum.OK,
-                                       "success", contents);
+                       contents.sort(appCategoryFunctionsItemComparator);
+                       portalRestResponse = new PortalRestResponse<>(PortalRestStatusEnum.OK,
+                               SUCCESS, contents);
                 } catch (Exception e) {
                         logger.error(EELFLoggerDelegate.errorLogger, "getAppCategoryFunctions failed", e);
                         // TODO build JSON error
-                       portalRestResponse = new PortalRestResponse<List<AppCategoryFunctionsItem>>(PortalRestStatusEnum.ERROR,
-                                       e.getMessage(), null);
+                       portalRestResponse = new PortalRestResponse<>(PortalRestStatusEnum.ERROR,
+                               e.getMessage(), null);
                 }
                 return portalRestResponse;
         }
@@ -195,29 +192,41 @@ public class AppContactUsController extends EPRestrictedBaseController {
         @RequestMapping(value = "/save", method = RequestMethod.POST, produces = "application/json")
         public PortalRestResponse<String> save(@RequestBody AppContactUsItem contactUs) {
  
-               if (contactUs == null || contactUs.getAppName() == null)
-                       return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, FAILURE,
-                                       "AppName cannot be null or empty");
+               if (contactUs == null || contactUs.getAppName() == null) {
+                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE,
+                               "AppName cannot be null or empty");
+               }else if(!dataValidator.isValid(contactUs)){
+                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE, "AppName is not valid.");
+               }
  
                 String saveAppContactUs = FAILURE;
                 try {
                         saveAppContactUs = contactUsService.saveAppContactUs(contactUs);
                 } catch (Exception e) {
-                       return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, saveAppContactUs, e.getMessage());
+                       logger.error(EELFLoggerDelegate.errorLogger, "save failed", e);
+                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, saveAppContactUs, e.getMessage());
                 }
-               return new PortalRestResponse<String>(PortalRestStatusEnum.OK, saveAppContactUs, "");
+               return new PortalRestResponse<>(PortalRestStatusEnum.OK, saveAppContactUs, "");
         }
  
         @RequestMapping(value = "/saveAll", method = RequestMethod.POST, produces = "application/json")
         public PortalRestResponse<String> save(@RequestBody List<AppContactUsItem> contactUsList) {
  
+               if (contactUsList == null) {
+                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE,
+                               "AppNameList cannot be null or empty");
+               }else if(!dataValidator.isValid(contactUsList)){
+                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE, "AppNameList is not valid.");
+               }
+
                 String saveAppContactUs = FAILURE;
                 try {
                         saveAppContactUs = contactUsService.saveAppContactUs(contactUsList);
                 } catch (Exception e) {
-                       return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, saveAppContactUs, e.getMessage());
+                       logger.error(EELFLoggerDelegate.errorLogger, "save failed", e);
+                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, saveAppContactUs, e.getMessage());
                 }
-               return new PortalRestResponse<String>(PortalRestStatusEnum.OK, saveAppContactUs, "");
+               return new PortalRestResponse<>(PortalRestStatusEnum.OK, saveAppContactUs, "");
         }
  
         /**
@@ -234,9 +243,10 @@ public class AppContactUsController extends EPRestrictedBaseController {
                 try {
                         saveAppContactUs = contactUsService.deleteContactUs(id);
                 } catch (Exception e) {
-                       return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, saveAppContactUs, e.getMessage());
+                       logger.error(EELFLoggerDelegate.errorLogger, "delete failed", e);
+                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, saveAppContactUs, e.getMessage());
                 }
-               return new PortalRestResponse<String>(PortalRestStatusEnum.OK, saveAppContactUs, "");
+               return new PortalRestResponse<>(PortalRestStatusEnum.OK, saveAppContactUs, "");
         }
  
  }
 \ No newline at end of file
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java

index 4b401e2..1224be8 100644 (file)
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java
@@ -2,7 +2,7 @@
   * ============LICENSE_START==========================================
   * ONAP Portal
   * ===================================================================
- * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
+ * Copyright (C) 2019 AT&T Intellectual Property. All rights reserved.
   * ===================================================================
   * Modifications Copyright (c) 2019 Samsung
   * ===================================================================
@@ -42,18 +42,12 @@ package org.onap.portalapp.portal.controller;
  import com.fasterxml.jackson.core.JsonProcessingException;
  import com.fasterxml.jackson.databind.ObjectMapper;
  import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Arrays;
  import java.util.List;
-import java.util.Map;
  import java.util.Set;
-import java.util.stream.Stream;
-
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;
-
-import org.json.JSONArray;
-import org.json.JSONObject;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
  import org.onap.portalapp.controller.EPRestrictedBaseController;
  import org.onap.portalapp.portal.domain.AdminUserApplications;
  import org.onap.portalapp.portal.domain.AppIdAndNameTransportModel;
@@ -68,7 +62,6 @@ import org.onap.portalapp.portal.logging.logic.EPLogUtil;
  import org.onap.portalapp.portal.service.AdminRolesService;
  import org.onap.portalapp.portal.service.EPAppService;
  import org.onap.portalapp.portal.service.EPLeftMenuService;
-import org.onap.portalapp.portal.service.ExternalAccessRolesService;
  import org.onap.portalapp.portal.transport.EPAppsManualPreference;
  import org.onap.portalapp.portal.transport.EPAppsSortPreference;
  import org.onap.portalapp.portal.transport.EPDeleteAppsManualSortPref;
@@ -76,10 +69,10 @@ import org.onap.portalapp.portal.transport.EPWidgetsSortPreference;
  import org.onap.portalapp.portal.transport.FieldsValidator;
  import org.onap.portalapp.portal.transport.LocalRole;
  import org.onap.portalapp.portal.transport.OnboardingApp;
-import org.onap.portalapp.portal.utils.EPCommonSystemProperties;
  import org.onap.portalapp.portal.utils.EcompPortalUtils;
  import org.onap.portalapp.portal.utils.PortalConstants;
  import org.onap.portalapp.util.EPUserUtils;
+import org.onap.portalapp.validation.DataValidator;
  import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
  import org.onap.portalsdk.core.util.SystemProperties;
  import org.onap.portalsdk.core.web.support.AppUtils;
@@ -87,7 +80,6 @@ import org.springframework.beans.factory.annotation.Autowired;
  import org.springframework.context.annotation.EnableAspectJAutoProxy;
  import org.springframework.http.HttpEntity;
  import org.springframework.http.HttpHeaders;
-import org.springframework.http.HttpMethod;
  import org.springframework.http.HttpStatus;
  import org.springframework.http.MediaType;
  import org.springframework.http.ResponseEntity;
@@ -97,27 +89,27 @@ import org.springframework.web.bind.annotation.RequestMapping;
  import org.springframework.web.bind.annotation.RequestMethod;
  import org.springframework.web.bind.annotation.RestController;
  import org.springframework.web.client.HttpClientErrorException;
-import org.springframework.web.client.HttpStatusCodeException;
-import org.springframework.web.client.RestTemplate;
  
  @RestController
  @EnableAspectJAutoProxy
  @EPAuditLog
+@NoArgsConstructor
+@Getter
  public class AppsController extends EPRestrictedBaseController {
-       private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppsController.class);
+       private static final String GET_RESULT = "GET result =";
+       private static final String PUT_RESULT = "PUT result =";
+       private static final String PORTAL_API_ONBOARDING_APPS = "/portalApi/onboardingApps";
+       private static final String PORTAL_API_USER_APPS_ORDER_BY_SORT_PREF = "/portalApi/userAppsOrderBySortPref";
+
+       private final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppsController.class);
+       private final DataValidator dataValidator = new DataValidator();
  
         @Autowired
         private AdminRolesService adminRolesService;
-
         @Autowired
         private EPAppService appService;
-
         @Autowired
         private EPLeftMenuService leftMenuService;
-       
-       @Autowired
-       private ExternalAccessRolesService externalAccessRolesService;
-       RestTemplate template = new RestTemplate();
  
         /**
          * RESTful service method to fetch all Applications available to current
@@ -139,7 +131,7 @@ public class AppsController extends EPRestrictedBaseController {
                                 EcompPortalUtils.setBadPermissions(user, response, "getUserApps");
                         } else {
                                 ecompApps = appService.transformAppsToEcompApps(appService.getUserApps(user));
-                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userApps", "GET result =", ecompApps);
+                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userApps", GET_RESULT, ecompApps);
                         }
                 } catch (Exception e) {
                         logger.error(EELFLoggerDelegate.errorLogger, "getUserApps failed", e);
@@ -174,7 +166,7 @@ public class AppsController extends EPRestrictedBaseController {
                                 else
                                         apps = appService.getPersUserApps(user);
                                 ecompApps = appService.transformAppsToEcompApps(apps);
-                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userPersApps", "GET result =", ecompApps);
+                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userPersApps", GET_RESULT, ecompApps);
                         }
                 } catch (Exception e) {
                         logger.error(EELFLoggerDelegate.errorLogger, "getPersUserApps failed", e);
@@ -203,7 +195,7 @@ public class AppsController extends EPRestrictedBaseController {
                                 EcompPortalUtils.setBadPermissions(user, response, "getAdminApps");
                         } else {
                                 adminApps = appService.getAdminApps(user);
-                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/adminApps", "GET result =", adminApps);
+                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/adminApps", GET_RESULT, adminApps);
                         }
                 } catch (Exception e) {
                         logger.error(EELFLoggerDelegate.errorLogger, "getAdminApps failed", e);
@@ -235,7 +227,7 @@ public class AppsController extends EPRestrictedBaseController {
                         } else {
                                 adminApps = appService.getAppsForSuperAdminAndAccountAdmin(user);
                                 EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/appsForSuperAdminAndAccountAdmin",
-                                               "GET result =", adminApps);
+                                               GET_RESULT, adminApps);
                         }
                 } catch (Exception e) {
                         logger.error(EELFLoggerDelegate.errorLogger, "getAppsForSuperAdminAndAccountAdmin failed", e);
@@ -245,7 +237,7 @@ public class AppsController extends EPRestrictedBaseController {
         }
  
         /**
-        * RESTful service method to fetch left menu items from the user's session.
+        * RESTful service method to fetch left menu items from the user'PORTAL_API_USER_APPS_ORDER_BY_SORT_PREF session.
          * 
          * @param request
          *            HttpServletRequest
@@ -267,7 +259,7 @@ public class AppsController extends EPRestrictedBaseController {
  
                 try {
                         menuList = leftMenuService.getLeftMenuItems(user, menuSet, roleFunctionSet);
-                       EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/leftmenuItems", "GET result =", menuList);
+                       EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/leftmenuItems", GET_RESULT, menuList);
                 } catch (Exception e) {
                         logger.error(EELFLoggerDelegate.errorLogger, "getLeftMenuItems failed", e);
                 }
@@ -275,7 +267,7 @@ public class AppsController extends EPRestrictedBaseController {
         }
  
         @RequestMapping(value = {
-                       "/portalApi/userAppsOrderBySortPref" }, method = RequestMethod.GET, produces = "application/json")
+                       PORTAL_API_USER_APPS_ORDER_BY_SORT_PREF }, method = RequestMethod.GET, produces = "application/json")
         public List<EcompApp> getUserAppsOrderBySortPref(HttpServletRequest request, HttpServletResponse response) {
                 EPUser user = EPUserUtils.getUserSession(request);
                 List<EcompApp> ecompApps = null;
@@ -284,28 +276,28 @@ public class AppsController extends EPRestrictedBaseController {
                                 EcompPortalUtils.setBadPermissions(user, response, "getUserAppsOrderBySortPref");
                         } else {
                                 String usrSortPref = request.getParameter("mparams");
-                               if (usrSortPref.equals("")) {
+                               if (usrSortPref.isEmpty()) {
                                         usrSortPref = "N";
                                 }
                                 switch (usrSortPref) {
                                 case "N":
                                         ecompApps = appService.transformAppsToEcompApps(appService.getAppsOrderByName(user));
-                                       EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userAppsOrderBySortPref", "GET result =",
+                                       EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_USER_APPS_ORDER_BY_SORT_PREF, GET_RESULT,
                                                         ecompApps);
                                         break;
                                 case "L":
                                         ecompApps = appService.transformAppsToEcompApps(appService.getAppsOrderByLastUsed(user));
-                                       EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userAppsOrderBySortPref", "GET result =",
+                                       EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_USER_APPS_ORDER_BY_SORT_PREF, GET_RESULT,
                                                         ecompApps);
                                         break;
                                 case "F":
                                         ecompApps = appService.transformAppsToEcompApps(appService.getAppsOrderByMostUsed(user));
-                                       EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userAppsOrderBySortPref", "GET result =",
+                                       EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_USER_APPS_ORDER_BY_SORT_PREF, GET_RESULT,
                                                         ecompApps);
                                         break;
                                 case "M":
                                         ecompApps = appService.transformAppsToEcompApps(appService.getAppsOrderByManual(user));
-                                       EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userAppsOrderBySortPref", "GET result =",
+                                       EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_USER_APPS_ORDER_BY_SORT_PREF, GET_RESULT,
                                                         ecompApps);
                                         break;
                                 default:
@@ -335,6 +327,13 @@ public class AppsController extends EPRestrictedBaseController {
         public FieldsValidator putUserAppsSortingManual(HttpServletRequest request,
                         @RequestBody List<EPAppsManualPreference> epAppsManualPref, HttpServletResponse response) {
                 FieldsValidator fieldsValidator = null;
+
+               if (isNotNullAndNotValid(epAppsManualPref)){
+                       fieldsValidator = new FieldsValidator();
+                       fieldsValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE);
+                       return fieldsValidator;
+               }
+
                 try {
                         EPUser user = EPUserUtils.getUserSession(request);
                         fieldsValidator = appService.saveAppsSortManual(epAppsManualPref, user);
@@ -342,7 +341,7 @@ public class AppsController extends EPRestrictedBaseController {
                 } catch (Exception e) {
                         logger.error(EELFLoggerDelegate.errorLogger, "putUserAppsSortingManual failed", e);
                 }
-               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/saveUserAppsSortingManual", "PUT result =",
+               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/saveUserAppsSortingManual", PUT_RESULT,
                                 response.getStatus());
                 return fieldsValidator;
         }
@@ -352,6 +351,13 @@ public class AppsController extends EPRestrictedBaseController {
         public FieldsValidator putUserWidgetsSortManual(HttpServletRequest request,
                         @RequestBody List<EPWidgetsSortPreference> saveManualWidgetSData, HttpServletResponse response) {
                 FieldsValidator fieldsValidator = null;
+
+               if (isNotNullAndNotValid(saveManualWidgetSData)){
+                       fieldsValidator = new FieldsValidator();
+                       fieldsValidator.setHttpStatusCode((long)HttpServletResponse.SC_NOT_ACCEPTABLE);
+                       return fieldsValidator;
+               }
+
                 try {
                         EPUser user = EPUserUtils.getUserSession(request);
                         fieldsValidator = appService.saveWidgetsSortManual(saveManualWidgetSData, user);
@@ -359,8 +365,7 @@ public class AppsController extends EPRestrictedBaseController {
                 } catch (Exception e) {
                         logger.error(EELFLoggerDelegate.errorLogger, "putUserWidgetsSortManual failed", e);
                 }
-               // return fieldsValidator;
-               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/putUserWidgetsSortManual", "PUT result =",
+               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/putUserWidgetsSortManual", PUT_RESULT,
                                 response.getStatus());
                 return fieldsValidator;
         }
@@ -370,6 +375,13 @@ public class AppsController extends EPRestrictedBaseController {
         public FieldsValidator putUserWidgetsSortPref(HttpServletRequest request,
                         @RequestBody List<EPWidgetsSortPreference> delManualWidgetData, HttpServletResponse response) {
                 FieldsValidator fieldsValidator = null;
+
+               if (isNotNullAndNotValid(delManualWidgetData)){
+                       fieldsValidator = new FieldsValidator();
+                       fieldsValidator.setHttpStatusCode((long)HttpServletResponse.SC_NOT_ACCEPTABLE);
+                       return fieldsValidator;
+               }
+
                 try {
                         EPUser user = EPUserUtils.getUserSession(request);
                         fieldsValidator = appService.deleteUserWidgetSortPref(delManualWidgetData, user);
@@ -378,8 +390,7 @@ public class AppsController extends EPRestrictedBaseController {
                         logger.error(EELFLoggerDelegate.errorLogger, "putUserWidgetsSortPref failed", e);
  
                 }
-               // return fieldsValidator;
-               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/putUserWidgetsSortPref", "PUT result =",
+               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/putUserWidgetsSortPref", PUT_RESULT,
                                 response.getStatus());
                 return fieldsValidator;
         }
@@ -400,6 +411,7 @@ public class AppsController extends EPRestrictedBaseController {
         public FieldsValidator deleteUserAppSortManual(HttpServletRequest request,
                         @RequestBody EPDeleteAppsManualSortPref delManualAppData, HttpServletResponse response) {
                 FieldsValidator fieldsValidator = null;
+
                 try {
                         EPUser user = EPUserUtils.getUserSession(request);
                         fieldsValidator = appService.deleteUserAppSortManual(delManualAppData, user);
@@ -408,8 +420,7 @@ public class AppsController extends EPRestrictedBaseController {
                         logger.error(EELFLoggerDelegate.errorLogger, "deleteUserAppSortManual failed", e);
  
                 }
-               // return fieldsValidator;
-               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/deleteUserAppSortManual", "PUT result =",
+               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/deleteUserAppSortManual", PUT_RESULT,
                                 response.getStatus());
                 return fieldsValidator;
         }
@@ -428,8 +439,7 @@ public class AppsController extends EPRestrictedBaseController {
  
                 }
  
-               // return fieldsValidator;
-               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/putUserAppsSortingPreference", "PUT result =",
+               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/putUserAppsSortingPreference", PUT_RESULT,
                                 response.getStatus());
                 return fieldsValidator;
         }
@@ -445,7 +455,7 @@ public class AppsController extends EPRestrictedBaseController {
                                 EcompPortalUtils.setBadPermissions(user, response, "userAppsSortTypePreference");
                         } else {
                                 userSortPreference = appService.getUserAppsSortTypePreference(user);
-                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userAppsSortTypePreference", "GET result =",
+                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userAppsSortTypePreference", GET_RESULT,
                                                 userSortPreference);
                         }
                 } catch (Exception e) {
@@ -475,7 +485,7 @@ public class AppsController extends EPRestrictedBaseController {
                                 EcompPortalUtils.setBadPermissions(user, response, "getAppsAdministrators");
                         } else {
                                 admins = appService.getAppsAdmins();
-                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/accountAdmins", "GET result =", admins);
+                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/accountAdmins", GET_RESULT, admins);
                         }
                 } catch (Exception e) {
                         logger.error(EELFLoggerDelegate.errorLogger, "getAppsAdministrators failed", e);
@@ -493,7 +503,7 @@ public class AppsController extends EPRestrictedBaseController {
                                 EcompPortalUtils.setBadPermissions(user, response, "getApps");
                         } else {
                                 apps = appService.getAllApplications(false);
-                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/availableApps", "GET result =", apps);
+                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/availableApps", GET_RESULT, apps);
                         }
                 } catch (Exception e) {
                         logger.error(EELFLoggerDelegate.errorLogger, "getApps failed", e);
@@ -522,7 +532,7 @@ public class AppsController extends EPRestrictedBaseController {
                                 EcompPortalUtils.setBadPermissions(user, response, "getApps");
                         } else {
                                 apps = appService.getAllApps(true);
-                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/availableApps", "GET result =", apps);
+                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/availableApps", GET_RESULT, apps);
                         }
                 } catch (Exception e) {
                         logger.error(EELFLoggerDelegate.errorLogger, "getAllApps failed", e);
@@ -547,7 +557,7 @@ public class AppsController extends EPRestrictedBaseController {
                         EcompPortalUtils.setBadPermissions(user, response, "getAppsFullList");
                 } else {
                         ecompApps = appService.getEcompAppAppsFullList();
-                       EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/appsFullList", "GET result =", ecompApps);
+                       EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/appsFullList", GET_RESULT, ecompApps);
                 }
                 return ecompApps;
         }
@@ -598,7 +608,7 @@ public class AppsController extends EPRestrictedBaseController {
                                 || (adminRolesService.isSuperAdmin(user) && requestedApp.getId() == PortalConstants.PORTAL_APP_ID))) {
                         try {
                                 roleList = appService.getAppRoles(appId);
-                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/appRoles/" + appId, "GET result =",
+                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/appRoles/" + appId, GET_RESULT,
                                                 roleList);
                         } catch (Exception e) {
                                 logger.error(EELFLoggerDelegate.errorLogger, "getAppRoles failed", e);
@@ -626,8 +636,8 @@ public class AppsController extends EPRestrictedBaseController {
                         String appName = request.getParameter("appParam");
                         app = appService.getAppDetailByAppName(appName);
                         if (user != null && (adminRolesService.isAccountAdminOfApplication(user, app)
-                                       || (adminRolesService.isSuperAdmin(user) && app.getId() == PortalConstants.PORTAL_APP_ID)))
-                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/singleAppInfo" + appName, "GET result =", app);
+                                       || (adminRolesService.isSuperAdmin(user) && app.getId().equals(PortalConstants.PORTAL_APP_ID))))
+                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/singleAppInfo" + appName, GET_RESULT, app);
                         else{
                                 app= null;
                                 EcompPortalUtils.setBadPermissions(user, response, "createAdmin");
@@ -659,8 +669,8 @@ public class AppsController extends EPRestrictedBaseController {
                                 app.setCentralAuth(false);
                         }
                         if (user != null && (adminRolesService.isAccountAdminOfApplication(user, app)
-                                       || (adminRolesService.isSuperAdmin(user) && app.getId() == PortalConstants.PORTAL_APP_ID)))
-                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/singleAppInfoById" + appId, "GET result =", app);
+                                       || (adminRolesService.isSuperAdmin(user) && app.getId().equals(PortalConstants.PORTAL_APP_ID))))
+                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/singleAppInfoById" + appId, GET_RESULT, app);
                         else{
                                 app= null;
                                 EcompPortalUtils.setBadPermissions(user, response, "createAdmin");
@@ -680,7 +690,7 @@ public class AppsController extends EPRestrictedBaseController {
          *            HTTP servlet response
          * @return List<OnboardingApp>
          */
-       @RequestMapping(value = { "/portalApi/onboardingApps" }, method = RequestMethod.GET, produces = "application/json")
+       @RequestMapping(value = { PORTAL_API_ONBOARDING_APPS }, method = RequestMethod.GET, produces = "application/json")
         public List<OnboardingApp> getOnboardingApps(HttpServletRequest request, HttpServletResponse response) {
                 EPUser user = EPUserUtils.getUserSession(request);
                 List<OnboardingApp> onboardingApps = null;
@@ -697,8 +707,8 @@ public class AppsController extends EPRestrictedBaseController {
                                         //get all his admin apps
                                         onboardingApps =  appService.getAdminAppsOfUser(user);
                                 }
-                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/onboardingApps", "GET result =",
-                                               "onboardingApps of size " + onboardingApps.size());
+                               EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_ONBOARDING_APPS, GET_RESULT,
+                                               "onboardingApps of size " + (onboardingApps != null ? onboardingApps.size() : 0));
                         }
                 } catch (Exception e) {
                         logger.error(EELFLoggerDelegate.errorLogger, "getOnboardingApps failed", e);
@@ -718,14 +728,12 @@ public class AppsController extends EPRestrictedBaseController {
          * @return FieldsValidator
          * @throws Exception 
          */
-       @RequestMapping(value = { "/portalApi/onboardingApps" }, method = RequestMethod.PUT, produces = "application/json")
+       @RequestMapping(value = { PORTAL_API_ONBOARDING_APPS }, method = RequestMethod.PUT, produces = "application/json")
         public FieldsValidator putOnboardingApp(HttpServletRequest request,
-                       @RequestBody OnboardingApp modifiedOnboardingApp, HttpServletResponse response) throws Exception {
+                       @RequestBody OnboardingApp modifiedOnboardingApp, HttpServletResponse response) {
                 FieldsValidator fieldsValidator = null;
                 EPUser user = null;
-               EPApp oldEPApp = null;
-               oldEPApp = appService.getApp(modifiedOnboardingApp.id);
-               ResponseEntity<String> res = null;
+               EPApp oldEPApp = appService.getApp(modifiedOnboardingApp.id);
                 
                 try {
                         user = EPUserUtils.getUserSession(request);
@@ -734,20 +742,7 @@ public class AppsController extends EPRestrictedBaseController {
                         } else {
                                 if((oldEPApp.getCentralAuth() && modifiedOnboardingApp.isCentralAuth && !oldEPApp.getNameSpace().equalsIgnoreCase(modifiedOnboardingApp.nameSpace) && modifiedOnboardingApp.nameSpace!= null ) || (!oldEPApp.getCentralAuth() && modifiedOnboardingApp.isCentralAuth && modifiedOnboardingApp.nameSpace!= null))
                                 {
-                                       try {
-                                               res = appService.checkIfNameSpaceIsValid(modifiedOnboardingApp.nameSpace);
-                                       } catch (HttpClientErrorException e) {
-                                               logger.error(EELFLoggerDelegate.errorLogger, "checkIfNameSpaceExists failed", e);
-                                               EPLogUtil.logExternalAuthAccessAlarm(logger, e.getStatusCode());
-                                               if (e.getStatusCode() == HttpStatus.NOT_FOUND || e.getStatusCode() == HttpStatus.FORBIDDEN) {
-                                                       fieldsValidator = setResponse(e.getStatusCode(),fieldsValidator,response);
-                                                       throw new InvalidApplicationException("Invalid NameSpace");
-                                               }else{
-                                                       fieldsValidator = setResponse(e.getStatusCode(),fieldsValidator,response);
-                                                       throw e;
-                                               }
-                                       }
-
+                                       checkIfNameSpaceIsValid(modifiedOnboardingApp, fieldsValidator, response);
                                 }       
                                 modifiedOnboardingApp.normalize();
                                 fieldsValidator = appService.modifyOnboardingApp(modifiedOnboardingApp, user);
@@ -767,7 +762,7 @@ public class AppsController extends EPRestrictedBaseController {
                                 logger.error(EELFLoggerDelegate.errorLogger, "putOnboardingApps failed", e);
                         }
                 }
-               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/onboardingApps", "PUT result =",
+               EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_ONBOARDING_APPS, PUT_RESULT,
                                 response.getStatus());
                 return fieldsValidator;
         }
@@ -784,7 +779,7 @@ public class AppsController extends EPRestrictedBaseController {
          *            app to add
          * @return FieldsValidator
          */
-       @RequestMapping(value = { "/portalApi/onboardingApps" }, method = RequestMethod.POST, produces = "application/json")
+       @RequestMapping(value = { PORTAL_API_ONBOARDING_APPS }, method = RequestMethod.POST, produces = "application/json")
         public FieldsValidator postOnboardingApp(HttpServletRequest request, @RequestBody OnboardingApp newOnboardingApp,
                         HttpServletResponse response) {
                 FieldsValidator fieldsValidator = null;
@@ -794,21 +789,7 @@ public class AppsController extends EPRestrictedBaseController {
                                 EcompPortalUtils.setBadPermissions(user, response, "postOnboardingApps");
                         } else {
                                 newOnboardingApp.normalize();
-                               ResponseEntity<String> res = null;
-                               try {
-                                       if( !(newOnboardingApp.nameSpace == null) && !newOnboardingApp.nameSpace.isEmpty()) 
-                                           res = appService.checkIfNameSpaceIsValid(newOnboardingApp.nameSpace);
-                               } catch (HttpClientErrorException e) {
-                                       logger.error(EELFLoggerDelegate.errorLogger, "checkIfNameSpaceExists failed", e);
-                                       EPLogUtil.logExternalAuthAccessAlarm(logger, e.getStatusCode());
-                                       if (e.getStatusCode() == HttpStatus.NOT_FOUND || e.getStatusCode() == HttpStatus.FORBIDDEN) {
-                                               fieldsValidator = setResponse(e.getStatusCode(),fieldsValidator,response);
-                                               throw new InvalidApplicationException("Invalid NameSpace");
-                                       }else{
-                                               fieldsValidator = setResponse(e.getStatusCode(),fieldsValidator,response);
-                                               throw e;
-                                       }
-                               }
+                               checkIfNameSpaceIsValid(newOnboardingApp, fieldsValidator, response);
                                 fieldsValidator = appService.addOnboardingApp(newOnboardingApp, user);
                                 response.setStatus(fieldsValidator.httpStatusCode.intValue());
                         }
@@ -824,22 +805,22 @@ public class AppsController extends EPRestrictedBaseController {
                         logger.error(EELFLoggerDelegate.errorLogger, "postOnboardingApp failed", e);                            
                 }
  
-               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/onboardingApps", "POST result =",
+               EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_ONBOARDING_APPS, "POST result =",
                                 response.getStatus());
                 return fieldsValidator;
         }
         
-       private FieldsValidator setResponse(HttpStatus statusCode,FieldsValidator fieldsValidator,HttpServletResponse response)
+       private FieldsValidator setResponse(HttpStatus statusCode, HttpServletResponse response)
         {
-               fieldsValidator = new FieldsValidator();
+               FieldsValidator fieldsValidator = new FieldsValidator();
                 if (statusCode == HttpStatus.NOT_FOUND || statusCode == HttpStatus.FORBIDDEN) {
-                       fieldsValidator.httpStatusCode = new Long(HttpServletResponse.SC_NOT_FOUND);
+                       fieldsValidator.httpStatusCode = (long) HttpServletResponse.SC_NOT_FOUND;
                         logger.error(EELFLoggerDelegate.errorLogger, "setResponse failed"+ "invalid namespace");
                 }else if (statusCode == HttpStatus.UNAUTHORIZED) {
-                       fieldsValidator.httpStatusCode = new Long(HttpServletResponse.SC_UNAUTHORIZED);
+                       fieldsValidator.httpStatusCode = (long) HttpServletResponse.SC_UNAUTHORIZED;
                         logger.error(EELFLoggerDelegate.errorLogger, "setResponse failed"+ "unauthorized");
                 } else{
-                       fieldsValidator.httpStatusCode = new Long(HttpServletResponse.SC_BAD_REQUEST);
+                       fieldsValidator.httpStatusCode = (long) HttpServletResponse.SC_BAD_REQUEST;
                         logger.error(EELFLoggerDelegate.errorLogger, "setResponse failed ",statusCode);
  
                 }
@@ -880,7 +861,7 @@ public class AppsController extends EPRestrictedBaseController {
                         response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                 }
                 
-               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/onboardingApps" + appId, "DELETE result =",
+               EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_ONBOARDING_APPS + appId, "DELETE result =",
                                 response.getStatus());
                 return fieldsValidator;
         }
@@ -918,8 +899,29 @@ public class AppsController extends EPRestrictedBaseController {
                 HttpHeaders header = new HttpHeaders();
                 header.setContentType(mediaType);
                 header.setContentLength(app.getThumbnail().length);
-               return new HttpEntity<byte[]>(app.getThumbnail(), header);
+               return new HttpEntity<>(app.getThumbnail(), header);
         }
         
+       private void checkIfNameSpaceIsValid(OnboardingApp modifiedOnboardingApp, FieldsValidator fieldsValidator, HttpServletResponse response)
+               throws InvalidApplicationException {
+               try {
+                       ResponseEntity<String> res  = appService.checkIfNameSpaceIsValid(modifiedOnboardingApp.nameSpace);
+               } catch (HttpClientErrorException e) {
+                       logger.error(EELFLoggerDelegate.errorLogger, "checkIfNameSpaceExists failed", e);
+                       EPLogUtil.logExternalAuthAccessAlarm(logger, e.getStatusCode());
+                       if (e.getStatusCode() == HttpStatus.NOT_FOUND || e.getStatusCode() == HttpStatus.FORBIDDEN) {
+                               fieldsValidator = setResponse(e.getStatusCode(),response);
+                               throw new InvalidApplicationException("Invalid NameSpace");
+                       }else{
+                               fieldsValidator = setResponse(e.getStatusCode(),response);
+                               throw e;
+                       }
+               } catch (Exception e) {
+                       e.printStackTrace();
+               }
+       }
  
+       private boolean isNotNullAndNotValid(Object o){
+               return o!=null && !dataValidator.isValid(o);
+       }
  }
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AuditLogController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AuditLogController.java

index 67d7566..cff8245 100644 (file)
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AuditLogController.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AuditLogController.java
@@ -43,6 +43,8 @@ import java.util.UUID;
  
  import javax.servlet.http.HttpServletRequest;
  
+import org.onap.portalapp.validation.DataValidator;
+import org.onap.portalapp.validation.SecureString;
  import org.slf4j.MDC;
  import org.springframework.beans.factory.annotation.Autowired;
  import org.springframework.web.bind.annotation.RequestMapping;
@@ -68,14 +70,18 @@ import org.onap.portalsdk.core.util.SystemProperties;
  @RestController
  @RequestMapping("/portalApi/auditLog")
  public class AuditLogController extends EPRestrictedBaseController {
-       private static EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(DashboardController.class);
+       private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(DashboardController.class);
+       private static final DataValidator dataValidator = new DataValidator();
  
-       @Autowired
         private AuditService auditService;
+       @Autowired
+       public AuditLogController(AuditService auditService) {
+               this.auditService = auditService;
+       }
  
         /**
          * Store audit log of the specified access type.
-        * 
+        *
          * @param request
          *            HttpServletRequest
          * @param affectedAppId
@@ -90,34 +96,50 @@ public class AuditLogController extends EPRestrictedBaseController {
                         @RequestParam String comment) {
                 logger.debug(EELFLoggerDelegate.debugLogger, "auditLog: appId {}, type {}, comment {}", affectedAppId, type,
                                 comment);
-               String cd_type = null;
+               String cdType = null;
+
+               SecureString secureString0 = new SecureString(affectedAppId);
+               SecureString secureString1 = new SecureString(type);
+               SecureString secureString2 = new SecureString(comment);
+               if (  !dataValidator.isValid(secureString0)
+                       ||!dataValidator.isValid(secureString1)
+                       ||!dataValidator.isValid(secureString2)){
+                       return;
+               }
+
                 try {
                         EPUser user = EPUserUtils.getUserSession(request);
                         /* Check type of Activity CD */
-                       if (type.equals("app")) {
-                               cd_type = AuditLog.CD_ACTIVITY_APP_ACCESS;
-                       } else if (type.equals("tab")) {
-                               cd_type = AuditLog.CD_ACTIVITY_TAB_ACCESS;
-                       } else if (type.equals("functional")) {
-                               cd_type = AuditLog.CD_ACTIVITY_FUNCTIONAL_ACCESS;
-                       } else if (type.equals("leftMenu")) {
-                               cd_type = AuditLog.CD_ACTIVITY_LEFT_MENU_ACCESS;
-                       } else {
-                               logger.error(EELFLoggerDelegate.errorLogger,
+                       switch (type) {
+                               case "app":
+                                       cdType = AuditLog.CD_ACTIVITY_APP_ACCESS;
+                                       break;
+                               case "tab":
+                                       cdType = AuditLog.CD_ACTIVITY_TAB_ACCESS;
+                                       break;
+                               case "functional":
+                                       cdType = AuditLog.CD_ACTIVITY_FUNCTIONAL_ACCESS;
+                                       break;
+                               case "leftMenu":
+                                       cdType = AuditLog.CD_ACTIVITY_LEFT_MENU_ACCESS;
+                                       break;
+                               default:
+                                       logger.error(EELFLoggerDelegate.errorLogger,
                                                 "Storing auditLog failed! Activity CD type is not correct.");
+                                       break;
                         }
                         /* Store the audit log only if it contains valid Activity CD */
-                       if (cd_type != null) {
+                       if (cdType != null) {
                                 AuditLog auditLog = new AuditLog();
-                               auditLog.setActivityCode(cd_type);
+                               auditLog.setActivityCode(cdType);
                                 /*
                                  * Check affectedAppId and comment and see if these two values
                                  * are valid
                                  */
-                               if (comment != null && !comment.equals("") && !comment.equals("undefined"))
+                               if (comment != null && !comment.isEmpty() && !"undefined".equals(comment))
                                         auditLog.setComments(
                                                         EcompPortalUtils.truncateString(comment, PortalConstants.AUDIT_LOG_COMMENT_SIZE));
-                               if (affectedAppId != null && !affectedAppId.equals("") && !affectedAppId.equals("undefined"))
+                               if (affectedAppId != null && !affectedAppId.isEmpty() && !"undefined".equals(affectedAppId))
                                         auditLog.setAffectedRecordId(affectedAppId);
                                 long userId = EPUserUtils.getUserId(request);
                                 auditLog.setUserId(userId);
@@ -140,7 +162,7 @@ public class AuditLogController extends EPRestrictedBaseController {
                                 MDC.put(SystemProperties.MDC_TIMER, timeDifference);
                                 MDC.put(EPCommonSystemProperties.STATUS_CODE, "COMPLETE");
                                 logger.info(EELFLoggerDelegate.auditLogger, EPLogUtil.formatAuditLogMessage(
-                                               "AuditLogController.auditLog", cd_type, user.getOrgUserId(), affectedAppId, comment));
+                                               "AuditLogController.auditLog", cdType, user.getOrgUserId(), affectedAppId, comment));
                                 MDC.remove(EPCommonSystemProperties.AUDITLOG_BEGIN_TIMESTAMP);
                                 MDC.remove(EPCommonSystemProperties.AUDITLOG_END_TIMESTAMP);
                         }
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/ecomp/model/AppContactUsItem.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/ecomp/model/AppContactUsItem.java

index c7c8ebc..2d52626 100644 (file)
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/ecomp/model/AppContactUsItem.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/ecomp/model/AppContactUsItem.java
@@ -40,6 +40,7 @@ package org.onap.portalapp.portal.ecomp.model;
  import javax.persistence.Entity;
  import javax.persistence.Id;
  
+import org.hibernate.validator.constraints.SafeHtml;
  import org.onap.portalsdk.core.domain.support.DomainVo;
  import com.fasterxml.jackson.annotation.JsonInclude;
  
@@ -55,11 +56,17 @@ public class AppContactUsItem extends DomainVo {
  
         @Id
         private Long appId;
+       @SafeHtml
         private String appName;
+       @SafeHtml
         private String description;
+       @SafeHtml
         private String contactName;
+       @SafeHtml
         private String contactEmail;
+       @SafeHtml
         private String url;
+       @SafeHtml
         private String activeYN;
  
         public Long getAppId() {
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsManualPreference.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsManualPreference.java

index 0bd4db3..1aa4219 100644 (file)
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsManualPreference.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsManualPreference.java
@@ -37,18 +37,24 @@
   */
  package org.onap.portalapp.portal.transport;
  
+import org.hibernate.validator.constraints.SafeHtml;
+
  public class EPAppsManualPreference {
         
         private Long appid;
         private int col;
+       @SafeHtml
         private String headerText;
+       @SafeHtml
         private String imageLink;
         private int order;
         private boolean restrictedApp;
         private int row;
         private int sizeX;
         private int sizeY;
+       @SafeHtml
         private String subHeaderText;
+       @SafeHtml
         private String url;
         private boolean addRemoveApps;
         
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsSortPreference.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsSortPreference.java

index 85a6a03..796f67f 100644 (file)
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsSortPreference.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsSortPreference.java
@@ -37,10 +37,14 @@
   */
  package org.onap.portalapp.portal.transport;
  
+import org.hibernate.validator.constraints.SafeHtml;
+
  public class EPAppsSortPreference {
         
         private int index;
+       @SafeHtml
         private String value;
+       @SafeHtml
         private String title;
         
         public int getIndex() {
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPWidgetsSortPreference.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPWidgetsSortPreference.java

index 03b7c14..e1f5c29 100644 (file)
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPWidgetsSortPreference.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPWidgetsSortPreference.java
@@ -38,15 +38,19 @@
  package org.onap.portalapp.portal.transport;
  
  import java.util.List;
+import org.hibernate.validator.constraints.SafeHtml;
  
  public class EPWidgetsSortPreference {
         
         private int SizeX;
         private int SizeY;
+       @SafeHtml
         private String headerText;
+       @SafeHtml
         private String url;
         private Long widgetid;
         private List<Object> attrb;
+       @SafeHtml
         private String widgetIdentifier;
         private int row;
         private int col;
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/DataValidator.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/DataValidator.java

index 46a60c8..9fe3a88 100644 (file)
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/DataValidator.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/DataValidator.java
@@ -47,15 +47,25 @@ import org.springframework.stereotype.Component;
  
  @Component
  public class DataValidator {
-       private static final ValidatorFactory VALIDATOR_FACTORY  = Validation.buildDefaultValidatorFactory();
+       private volatile static ValidatorFactory VALIDATOR_FACTORY;
  
-       public <E> Set<ConstraintViolation<E>> getConstraintViolations(E classToValid){
+       public DataValidator() {
+              if (VALIDATOR_FACTORY == null) {
+                     synchronized (DataValidator.class) {
+                            if (VALIDATOR_FACTORY == null) {
+                                   VALIDATOR_FACTORY = Validation.buildDefaultValidatorFactory();
+                            }
+                     }
+              }
+       }
+
+       public <E> Set<ConstraintViolation<E>> getConstraintViolations(E classToValid) {
                Validator validator = VALIDATOR_FACTORY.getValidator();
                Set<ConstraintViolation<E>> constraintViolations = validator.validate(classToValid);
                return constraintViolations;
         }
  
-       public <E> boolean isValid(E classToValid){
+       public <E> boolean isValid(E classToValid) {
                Set<ConstraintViolation<E>> constraintViolations = getConstraintViolations(classToValid);
                return constraintViolations.isEmpty();
         }
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppContactUsControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppContactUsControllerTest.java

index b08a876..f2b2d3d 100644 (file)
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppContactUsControllerTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppContactUsControllerTest.java
@@ -78,7 +78,7 @@ public class AppContactUsControllerTest extends MockitoTestSuite{
         AppContactUsService contactUsService = new AppContactUsServiceImpl();
  
         @InjectMocks
-       AppContactUsController appContactUsController = new AppContactUsController();
+       AppContactUsController appContactUsController;
  
         @Before
         public void setup() {
@@ -232,6 +232,25 @@ public class AppContactUsControllerTest extends MockitoTestSuite{
                 assertEquals(actualSaveAppContactUS.getMessage(), "SUCCESS");
         }
  
+       @Test
+       public void saveXSSTest() throws Exception {
+               PortalRestResponse<String> actualSaveAppContactUS = null;
+
+               AppContactUsItem contactUs = new AppContactUsItem();
+               contactUs.setAppId((long) 1);
+               contactUs.setAppName("<meta content=\"&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(1)\" http-equiv=\"refresh\"/>");
+               contactUs.setDescription("Test");
+               contactUs.setContactName("Test");
+               contactUs.setContactEmail("person@onap.org");
+               contactUs.setUrl("Test_URL");
+               contactUs.setActiveYN("Y");
+
+               Mockito.when(contactUsService.saveAppContactUs(contactUs)).thenReturn("FAILURE");
+               actualSaveAppContactUS = appContactUsController.save(contactUs);
+               assertEquals("AppName is not valid.", actualSaveAppContactUS.getResponse());
+               assertEquals("failure", actualSaveAppContactUS.getMessage());
+       }
+
         @Test
         public void saveExceptionTest() throws Exception {
                 PortalRestResponse<String> actualSaveAppContactUS = null;
@@ -269,6 +288,19 @@ public class AppContactUsControllerTest extends MockitoTestSuite{
                 assertEquals(actualSaveAppContactUS.getMessage(), "SUCCESS");
         }
  
+       @Test
+       public void saveAllXSSTest() throws Exception {
+
+               List<AppContactUsItem> contactUs = mockResponse();
+               AppContactUsItem appContactUsItem = new AppContactUsItem();
+               appContactUsItem.setActiveYN("<script/&Tab; src='https://dl.dropbox.com/u/13018058/js.js' /&Tab;></script>");
+               contactUs.add(appContactUsItem);
+               PortalRestResponse<String> actualSaveAppContactUS = null;
+               Mockito.when(contactUsService.saveAppContactUs(contactUs)).thenReturn("failure");
+               actualSaveAppContactUS = appContactUsController.save(contactUs);
+               assertEquals("failure", actualSaveAppContactUS.getMessage());
+       }
+
         @Test
         public void saveAllExceptionTest() throws Exception {
  
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java

index 4df1c2a..58745d2 100644 (file)
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java
@@ -58,7 +58,6 @@ import org.mockito.Matchers;
  import org.mockito.Mock;
  import org.mockito.Mockito;
  import org.mockito.MockitoAnnotations;
-import org.onap.portalapp.portal.controller.AppsController;
  import org.onap.portalapp.portal.core.MockEPUser;
  import org.onap.portalapp.portal.domain.AdminUserApplications;
  import org.onap.portalapp.portal.domain.AppIdAndNameTransportModel;
@@ -82,7 +81,6 @@ import org.onap.portalapp.portal.transport.EPWidgetsSortPreference;
  import org.onap.portalapp.portal.transport.FieldsValidator;
  import org.onap.portalapp.portal.transport.LocalRole;
  import org.onap.portalapp.portal.transport.OnboardingApp;
-import org.onap.portalapp.portal.utils.EcompPortalUtils;
  import org.onap.portalapp.util.EPUserUtils;
  import org.onap.portalsdk.core.util.SystemProperties;
  import org.onap.portalsdk.core.web.support.AppUtils;
@@ -100,7 +98,7 @@ import org.springframework.web.client.HttpClientErrorException;
  public class AppsControllerTest extends MockitoTestSuite{
  
         @InjectMocks
-       AppsController appsController = new AppsController();
+       AppsController appsController;
  
         @Mock
         AdminRolesService adminRolesService = new AdminRolesServiceImpl();
@@ -368,6 +366,38 @@ public class AppsControllerTest extends MockitoTestSuite{
                 assertEquals(actualFieldValidator, expectedFieldValidator);
         }
  
+       @Test
+       public void putUserAppsSortingManualXSSTest() {
+               EPUser user = mockUser.mockEPUser();
+               EPAppsManualPreference preference = new EPAppsManualPreference();
+               preference.setHeaderText("<script>alert(\"hellox worldss\");</script>");
+               Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+               List<EPAppsManualPreference> ePAppsManualPreference = new ArrayList<>();
+               FieldsValidator expectedFieldValidator = new FieldsValidator();
+               expectedFieldValidator.setHttpStatusCode((long)HttpServletResponse.SC_NOT_ACCEPTABLE);
+               ePAppsManualPreference.add(preference);
+               Mockito.when(appService.saveAppsSortManual(ePAppsManualPreference, user)).thenReturn(expectedFieldValidator);
+               FieldsValidator actualFieldValidator = appsController.putUserAppsSortingManual(mockedRequest, ePAppsManualPreference,
+                       mockedResponse);
+               assertEquals(actualFieldValidator, expectedFieldValidator);
+       }
+
+       @Test
+       public void putUserWidgetsSortManualXSSTest() {
+               EPUser user = mockUser.mockEPUser();
+               EPWidgetsSortPreference preference = new EPWidgetsSortPreference();
+               preference.setHeaderText("<script>alert(\"hellox worldss\");</script>");
+               Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+               List<EPWidgetsSortPreference> ePAppsManualPreference = new ArrayList<>();
+               FieldsValidator expectedFieldValidator = new FieldsValidator();
+               expectedFieldValidator.setHttpStatusCode((long)HttpServletResponse.SC_NOT_ACCEPTABLE);
+               ePAppsManualPreference.add(preference);
+               Mockito.when(appService.saveWidgetsSortManual(ePAppsManualPreference, user)).thenReturn(expectedFieldValidator);
+               FieldsValidator actualFieldValidator = appsController.putUserWidgetsSortManual(mockedRequest, ePAppsManualPreference,
+                       mockedResponse);
+               assertEquals(expectedFieldValidator, actualFieldValidator);
+       }
+
         @Test
         public void putUserAppsSortingManualExceptionTest() throws IOException {
                 EPUser user = mockUser.mockEPUser();
@@ -404,7 +434,7 @@ public class AppsControllerTest extends MockitoTestSuite{
         }
  
         @Test
-       public void putUserWidgetsSortPrefTest() throws IOException {
+       public void putUserWidgetsSortPrefTest() {
                 EPUser user = mockUser.mockEPUser();
                 Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
                 List<EPWidgetsSortPreference> ePWidgetsSortPreference = new ArrayList<EPWidgetsSortPreference>();
@@ -420,6 +450,24 @@ public class AppsControllerTest extends MockitoTestSuite{
                 assertEquals(actualFieldValidator, expectedFieldValidator);
         }
  
+       @Test
+       public void putUserWidgetsSortPrefXSSTest() {
+               EPUser user = mockUser.mockEPUser();
+               Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+               List<EPWidgetsSortPreference> ePWidgetsSortPreference = new ArrayList<>();
+               EPWidgetsSortPreference preference = new EPWidgetsSortPreference();
+               preference.setHeaderText("<script>alert(\"hellox worldss\");</script>");
+               ePWidgetsSortPreference.add(preference);
+               FieldsValidator expectedFieldValidator = new FieldsValidator();
+               expectedFieldValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE);
+               FieldsValidator actualFieldValidator;
+               Mockito.when(appService.deleteUserWidgetSortPref(ePWidgetsSortPreference, user))
+                       .thenReturn(expectedFieldValidator);
+               actualFieldValidator = appsController.putUserWidgetsSortPref(mockedRequest, ePWidgetsSortPreference,
+                       mockedResponse);
+               assertEquals(actualFieldValidator, expectedFieldValidator);
+       }
+
         @Test
         public void putUserWidgetsSortPrefExceptionTest() throws IOException {
                 EPUser user = mockUser.mockEPUser();
@@ -475,6 +523,23 @@ public class AppsControllerTest extends MockitoTestSuite{
                 assertEquals(actualFieldValidator, expectedFieldValidator);
         }
  
+       @Test
+       public void putUserAppsSortingPreferenceXSSTest() {
+               EPUser user = mockUser.mockEPUser();
+               Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+               EPAppsSortPreference userAppsValue = new EPAppsSortPreference();
+               userAppsValue.setTitle("</script><script>alert(1)</script>");
+               FieldsValidator expectedFieldValidator = new FieldsValidator();
+               expectedFieldValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE);
+               expectedFieldValidator.setFields(null);
+               expectedFieldValidator.setErrorCode(null);
+               FieldsValidator actualFieldValidator;
+               Mockito.when(appService.saveAppsSortPreference(userAppsValue, user)).thenReturn(expectedFieldValidator);
+               actualFieldValidator = appsController.putUserAppsSortingPreference(mockedRequest, userAppsValue,
+                       mockedResponse);
+               assertEquals(actualFieldValidator, expectedFieldValidator);
+       }
+
         @Test
         public void putUserAppsSortingPreferenceExceptionTest() throws IOException {
                 EPUser user = mockUser.mockEPUser();
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AuditLogControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AuditLogControllerTest.java

index d8ed8c8..dfee854 100644 (file)
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AuditLogControllerTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AuditLogControllerTest.java
@@ -66,7 +66,7 @@ public class AuditLogControllerTest {
         AuditService auditService;
         
         @InjectMocks
-     AuditLogController auditLogController = new AuditLogController();
+     AuditLogController auditLogController;
  
         @Before
         public void setup() {
diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java

deleted file mode 100644 (file)

index 703019f..0000000
--- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
+++ /dev/null
@@ -1,185 +0,0 @@
-/*-
- * ============LICENSE_START==========================================
- * ONAP Portal
- * ===================================================================
- * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * Modifications Copyright (c) 2019 Samsung
- * ===================================================================
- *
- * Unless otherwise specified, all software contained herein is licensed
- * under the Apache License, Version 2.0 (the "License");
- * you may not use this software except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *             http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Unless otherwise specified, all documentation contained herein is licensed
- * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
- * you may not use this documentation except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *             https://creativecommons.org/licenses/by/4.0/
- *
- * Unless required by applicable law or agreed to in writing, documentation
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * ============LICENSE_END============================================
- *
- * 
- */
-
-package org.onap.portalapp.filter;
-
-import java.io.BufferedReader;
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStreamReader;
-import java.nio.charset.StandardCharsets;
-import java.util.Enumeration;
-
-import javax.servlet.FilterChain;
-import javax.servlet.ReadListener;
-import javax.servlet.ServletInputStream;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletRequestWrapper;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.commons.io.IOUtils;
-import org.apache.commons.lang.StringUtils;
-import org.apache.http.HttpStatus;
-import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
-import org.springframework.web.filter.OncePerRequestFilter;
-
-public class SecurityXssFilter extends OncePerRequestFilter {
-
-       private EELFLoggerDelegate sxLogger = EELFLoggerDelegate.getLogger(SecurityXssFilter.class);
-
-       private static final String APPLICATION_JSON = "application/json";
-
-       private static final String ERROR_BAD_REQUEST = "{\"error\":\"BAD_REQUEST\"}";
-
-       private SecurityXssValidator validator = SecurityXssValidator.getInstance();
-
-       public class RequestWrapper extends HttpServletRequestWrapper {
-
-               private ByteArrayOutputStream cachedBytes;
-
-               public RequestWrapper(HttpServletRequest request) {
-                       super(request);
-               }
-
-               @Override
-               public ServletInputStream getInputStream() throws IOException {
-                       if (cachedBytes == null)
-                               cacheInputStream();
-
-                       return new CachedServletInputStream();
-               }
-
-               @Override
-               public BufferedReader getReader() throws IOException {
-                       return new BufferedReader(new InputStreamReader(getInputStream()));
-               }
-
-               private void cacheInputStream() throws IOException {
-                       cachedBytes = new ByteArrayOutputStream();
-                       IOUtils.copy(super.getInputStream(), cachedBytes);
-               }
-
-               public class CachedServletInputStream extends ServletInputStream {
-                       private ByteArrayInputStream input;
-
-                       public CachedServletInputStream() {
-                               input = new ByteArrayInputStream(cachedBytes.toByteArray());
-                       }
-
-                       @Override
-                       public int read() throws IOException {
-                               return input.read();
-                       }
-
-                       @Override
-                       public boolean isFinished() {
-                               return false;
-                       }
-
-                       @Override
-                       public boolean isReady() {
-                               return false;
-                       }
-
-                       @Override
-                       public void setReadListener(ReadListener readListener) {
-                               // do nothing
-                       }
-               }
-       }
-
-       @Override
-       protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
-                       throws IOException {
-               StringBuilder requestURL = new StringBuilder(request.getRequestURL().toString());
-               String queryString = request.getQueryString();
-               String requestUrl;
-
-               if (queryString == null) {
-                       requestUrl = requestURL.toString();
-               } else {
-                       requestUrl = requestURL.append('?').append(queryString).toString();
-               }
-
-               validateRequest(requestUrl, response);
-               StringBuilder headerValues = new StringBuilder();
-               Enumeration<String> headerNames = request.getHeaderNames();
-
-               while (headerNames.hasMoreElements()) {
-                       String key = headerNames.nextElement();
-                       String value = request.getHeader(key);
-                       headerValues.append(value);
-               }
-
-               validateRequest(headerValues.toString(), response);
-
-               if (validateRequestType(request)) {
-                       request = new RequestWrapper(request);
-                       String requestData = IOUtils.toString(request.getInputStream(), StandardCharsets.UTF_8.toString());
-                       validateRequest(requestData, response);
-               }
-
-               try {
-                       filterChain.doFilter(request, response);
-               } catch (Exception e) {
-                       sxLogger.warn(EELFLoggerDelegate.errorLogger, "Handling bad request", e);
-                       response.sendError(org.springframework.http.HttpStatus.BAD_REQUEST.value(), "Handling bad request");
-               }
-       }
-
-       private boolean validateRequestType(HttpServletRequest request) {
-               return (request.getMethod().equalsIgnoreCase("POST") || request.getMethod().equalsIgnoreCase("PUT")
-                               || request.getMethod().equalsIgnoreCase("DELETE"));
-       }
-       
-       private void validateRequest(String text, HttpServletResponse response) throws IOException {
-               try {
-                       if (StringUtils.isNotBlank(text) && validator.denyXSS(text)) {
-                               response.setContentType(APPLICATION_JSON);
-                               response.setStatus(HttpStatus.SC_BAD_REQUEST);
-                               response.getWriter().write(ERROR_BAD_REQUEST);
-                               throw new SecurityException(ERROR_BAD_REQUEST);
-                       }
-               } catch (Exception e) {
-                       sxLogger.error(EELFLoggerDelegate.errorLogger, "doFilterInternal() failed due to BAD_REQUEST", e);
-                       response.getWriter().close();
-               }
-       }
-}
diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssValidator.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssValidator.java

deleted file mode 100644 (file)

index c203f1f..0000000
--- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssValidator.java
+++ /dev/null
@@ -1,207 +0,0 @@
-/*-
- * ============LICENSE_START==========================================
- * ONAP Portal
- * ===================================================================
- * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * ===================================================================
- *
- * Unless otherwise specified, all software contained herein is licensed
- * under the Apache License, Version 2.0 (the "License");
- * you may not use this software except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *             http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Unless otherwise specified, all documentation contained herein is licensed
- * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
- * you may not use this documentation except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *             https://creativecommons.org/licenses/by/4.0/
- *
- * Unless required by applicable law or agreed to in writing, documentation
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * ============LICENSE_END============================================
- *
- * 
- */
-package org.onap.portalapp.filter;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.concurrent.locks.Lock;
-import java.util.concurrent.locks.ReentrantLock;
-import java.util.regex.Pattern;
-
-import org.apache.commons.lang.NotImplementedException;
-import org.apache.commons.lang.StringUtils;
-import org.apache.commons.lang3.StringEscapeUtils;
-import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
-import org.onap.portalsdk.core.util.SystemProperties;
-import org.owasp.esapi.ESAPI;
-import org.owasp.esapi.codecs.Codec;
-import org.owasp.esapi.codecs.MySQLCodec;
-import org.owasp.esapi.codecs.MySQLCodec.Mode;
-import org.owasp.esapi.codecs.OracleCodec;
-
-public class SecurityXssValidator {
-
-       private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssValidator.class);
-
-       private static final String MYSQL_DB = "mysql";
-       private static final String ORACLE_DB = "oracle";
-       private static final String MARIA_DB = "mariadb";
-       private static final int FLAGS = Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL;
-       static SecurityXssValidator validator = null;
-       private static Codec instance;
-       private static final Lock lock = new ReentrantLock();
-
-       public static SecurityXssValidator getInstance() {
-
-               if (validator == null) {
-                       lock.lock();
-                       try {
-                               if (validator == null)
-                                       validator = new SecurityXssValidator();
-                       } finally {
-                               lock.unlock();
-                       }
-               }
-
-               return validator;
-       }
-
-       private SecurityXssValidator() {
-               // Avoid anything between script tags
-               XSS_INPUT_PATTERNS.add(Pattern.compile("<script>(.*?)</script>", FLAGS));
-
-               // avoid iframes
-               XSS_INPUT_PATTERNS.add(Pattern.compile("<iframe(.*?)>(.*?)</iframe>", FLAGS));
-
-               // Avoid anything in a src='...' type of expression
-               XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", FLAGS));
-
-               XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", FLAGS));
-
-               XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)", FLAGS));
-
-               // Remove any lonesome </script> tag
-               XSS_INPUT_PATTERNS.add(Pattern.compile("</script>", FLAGS));
-
-               XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<script>|</script>).*", FLAGS));
-
-               XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<iframe>|</iframe>).*", FLAGS));
-
-               // Remove any lonesome <script ...> tag
-               XSS_INPUT_PATTERNS.add(Pattern.compile("<script(.*?)>", FLAGS));
-
-               // Avoid eval(...) expressions
-               XSS_INPUT_PATTERNS.add(Pattern.compile("eval\\((.*?)\\)", FLAGS));
-
-               // Avoid expression(...) expressions
-               XSS_INPUT_PATTERNS.add(Pattern.compile("expression\\((.*?)\\)", FLAGS));
-
-               // Avoid javascript:... expressions
-               XSS_INPUT_PATTERNS.add(Pattern.compile(".*(javascript:|vbscript:).*", FLAGS));
-
-               // Avoid onload= expressions
-               XSS_INPUT_PATTERNS.add(Pattern.compile(".*(onload(.*?)=).*", FLAGS));
-       }
-
-       private List<Pattern> XSS_INPUT_PATTERNS = new ArrayList<Pattern>();
-
-       /**
-        * * This method takes a string and strips out any potential script injections.
-        * 
-        * @param value
-        * @return String - the new "sanitized" string.
-        */
-       public String stripXSS(String value) {
-
-               try {
-
-                       if (StringUtils.isNotBlank(value)) {
-
-                               value = StringEscapeUtils.escapeHtml4(value);
-
-                               value = ESAPI.encoder().canonicalize(value);
-
-                               // Avoid null characters
-                               value = value.replaceAll("\0", "");
-
-                               for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) {
-                                       value = xssInputPattern.matcher(value).replaceAll("");
-                               }
-                       }
-
-               } catch (Exception e) {
-                       logger.error(EELFLoggerDelegate.errorLogger, "stripXSS() failed", e);
-               }
-
-               return value;
-       }
-
-       public Boolean denyXSS(String value) {
-               Boolean flag = Boolean.FALSE;
-               try {
-                       if (StringUtils.isNotBlank(value)) {
-                               value = ESAPI.encoder().canonicalize(value);
-                               for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) {
-                                       if (xssInputPattern.matcher(value).matches()) {
-                                               flag = Boolean.TRUE;
-                                               break;
-                                       }
-
-                               }
-                       }
-
-               } catch (Exception e) {
-                       logger.error(EELFLoggerDelegate.errorLogger, "denyXSS() failed", e);
-               }
-
-               return flag;
-       }
-
-       public Codec getCodec() {
-               try {
-                       if (null == instance) {
-                               if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), MYSQL_DB)
-                                               || StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
-                                                               MARIA_DB)) {
-                                       instance = new MySQLCodec(Mode.STANDARD);
-
-                               } else if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
-                                               ORACLE_DB)) {
-                                       instance = new OracleCodec();
-                               } else {
-                                       throw new NotImplementedException("Handling for data base \""
-                                                       + SystemProperties.getProperty(SystemProperties.DB_DRIVER) + "\" not yet implemented.");
-                               }
-                       }
-
-               } catch (Exception ex) {
-                       logger.error(EELFLoggerDelegate.errorLogger, "getCodec() failed", ex);
-               }
-               return instance;
-
-       }
-
-       public List<Pattern> getXSS_INPUT_PATTERNS() {
-               return XSS_INPUT_PATTERNS;
-       }
-
-       public void setXSS_INPUT_PATTERNS(List<Pattern> xSS_INPUT_PATTERNS) {
-               XSS_INPUT_PATTERNS = xSS_INPUT_PATTERNS;
-       }
-
-}
-\ No newline at end of file
diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java

index 915c5e0..e109ef5 100644 (file)
--- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java
+++ b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java
@@ -47,8 +47,8 @@ import javax.validation.ConstraintViolation;
  import javax.validation.Validation;
  import javax.validation.Validator;
  import javax.validation.ValidatorFactory;
+import lombok.NoArgsConstructor;
  import org.json.JSONObject;
-import org.onap.portalapp.portal.controller.AppsController;
  import org.onap.portalapp.portal.domain.EPUser;
  import org.onap.portalapp.portal.ecomp.model.PortalRestResponse;
  import org.onap.portalapp.portal.ecomp.model.PortalRestStatusEnum;
@@ -61,6 +61,7 @@ import org.onap.portalapp.util.EPUserUtils;
  import org.onap.portalapp.validation.SecureString;
  import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
  import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
  import org.springframework.context.annotation.EnableAspectJAutoProxy;
  import org.springframework.web.bind.annotation.PathVariable;
  import org.springframework.web.bind.annotation.RequestBody;
@@ -69,27 +70,20 @@ import org.springframework.web.bind.annotation.RequestMethod;
  import org.springframework.web.bind.annotation.RestController;
  
  @RestController
-@org.springframework.context.annotation.Configuration
+@Configuration
  @EnableAspectJAutoProxy
  @EPAuditLog
+@NoArgsConstructor
  public class AppsOSController extends AppsController {
         private static final ValidatorFactory validatorFactory = Validation.buildDefaultValidatorFactory();
         
-       static final String FAILURE = "failure";
-       EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppsOSController.class);
+       private static final String FAILURE = "failure";
+       private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppsOSController.class);
  
-       @Autowired
-       AdminRolesService adminRolesService;
-       @Autowired
-       EPAppService appService;
-       @Autowired
-       PersUserAppService persUserAppService;
         @Autowired
         UserService userService;
  
-       
-       
-       /**
+       /**
          * Create new application's contact us details.
          * 
          * @param contactUs
@@ -102,9 +96,9 @@ public class AppsOSController extends AppsController {
                         return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, FAILURE,
                                         "New User cannot be null or empty");
                 
-               if (!(adminRolesService.isSuperAdmin(user) || adminRolesService.isAccountAdmin(user))){
+               if (!(super.getAdminRolesService().isSuperAdmin(user) || super.getAdminRolesService().isAccountAdmin(user))){
                         if(!user.getLoginId().equalsIgnoreCase(newUser.getLoginId()))
-                               return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, FAILURE,
+                               return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE,
                                                 "UnAuthorized");
                 }
                         
@@ -113,9 +107,9 @@ public class AppsOSController extends AppsController {
                 try {
                         saveNewUser = userService.saveNewUser(newUser,checkDuplicate);
                 } catch (Exception e) {
-                       return new PortalRestResponse<String>(PortalRestStatusEnum.ERROR, saveNewUser, e.getMessage());
+                       return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, saveNewUser, e.getMessage());
                 }
-               return new PortalRestResponse<String>(PortalRestStatusEnum.OK, saveNewUser, "");
+               return new PortalRestResponse<>(PortalRestStatusEnum.OK, saveNewUser, "");
         }
         
         @RequestMapping(value = { "/portalApi/currentUserProfile/{loginId}" }, method = RequestMethod.GET, produces = "application/json")
diff --git a/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/filter/SecurityXssValidatorTest.java b/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/filter/SecurityXssValidatorTest.java

deleted file mode 100644 (file)

index 7a4eac8..0000000
--- a/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/filter/SecurityXssValidatorTest.java
+++ /dev/null
@@ -1,122 +0,0 @@
-/*-
- * ============LICENSE_START==========================================
- * ONAP Portal
- * ===================================================================
- * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved.
- * ===================================================================
- *
- * Unless otherwise specified, all software contained herein is licensed
- * under the Apache License, Version 2.0 (the "License");
- * you may not use this software except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *             http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Unless otherwise specified, all documentation contained herein is licensed
- * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
- * you may not use this documentation except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *             https://creativecommons.org/licenses/by/4.0/
- *
- * Unless required by applicable law or agreed to in writing, documentation
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * ============LICENSE_END============================================
- *
- * 
- */
-package org.onap.portalapp.filter;
-
-import org.junit.Assert;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mockito.InjectMocks;
-import org.mockito.Mockito;
-import org.onap.portalsdk.core.util.SystemProperties;
-import org.owasp.esapi.ESAPI;
-import org.owasp.esapi.codecs.Codec;
-import org.powermock.api.mockito.PowerMockito;
-import org.powermock.core.classloader.annotations.PrepareForTest;
-import org.powermock.modules.junit4.PowerMockRunner;
-
-@RunWith(PowerMockRunner.class)
-@PrepareForTest({ESAPI.class, SystemProperties.class})
-public class SecurityXssValidatorTest {
-       @InjectMocks
-       SecurityXssValidator securityXssValidator;
-
-       @Test
-       public void stripXSSTest() {
-        securityXssValidator=  SecurityXssValidator.getInstance();
-               String value ="Test";
-               securityXssValidator.stripXSS(value);
-       }
-       
-       @Test
-       public void testDenyXss() {
-        securityXssValidator=  SecurityXssValidator.getInstance();
-               String value ="Test";
-               securityXssValidator.denyXSS(value);
-       }
-       
-       @Test
-               public void getCodecMySqlTest() {
-                       PowerMockito.mockStatic(SystemProperties.class);
-                       Mockito.when(SystemProperties.getProperty(SystemProperties.DB_DRIVER)).thenReturn("mysql");
-                       SecurityXssValidator validator = SecurityXssValidator.getInstance();
-                       Codec codec = validator.getCodec();
-                       Assert.assertNotNull(codec);
-               }
-       
-       /*//@Test
-       public void stripXSSExceptionTest() {
-               String value ="Test";
-               SecurityXssValidator validator = SecurityXssValidator.getInstance();
-               String reponse = validator.stripXSS(value);
-               Assert.assertEquals(value, reponse);;
-       }
-       
-       //@Test
-       public void denyXSSTest() {
-               String value ="<script>Test</script>";
-               PowerMockito.mockStatic(ESAPI.class);
-               Encoder mockEncoder = Mockito.mock(Encoder.class);
-               Mockito.when(ESAPI.encoder()).thenReturn(mockEncoder);
-               Mockito.when(mockEncoder.canonicalize(value)).thenReturn(value);
-               SecurityXssValidator validator = SecurityXssValidator.getInstance();
-               Boolean flag = validator.denyXSS(value);
-               Assert.assertTrue(flag);
-       }
-       
-       //@Test
-       public void denyXSSFalseTest() {
-               String value ="test";
-               PowerMockito.mockStatic(ESAPI.class);
-               Encoder mockEncoder = Mockito.mock(Encoder.class);
-               Mockito.when(ESAPI.encoder()).thenReturn(mockEncoder);
-               Mockito.when(mockEncoder.canonicalize(value)).thenReturn(value);
-               SecurityXssValidator validator = SecurityXssValidator.getInstance();
-               Boolean flag = validator.denyXSS(value);
-               Assert.assertFalse(flag);
-       }
-
-       //@Test
-       public void getCodecMySqlTest() {
-               PowerMockito.mockStatic(SystemProperties.class);
-               Mockito.when(SystemProperties.getProperty(SystemProperties.DB_DRIVER)).thenReturn("mysql");
-               SecurityXssValidator validator = SecurityXssValidator.getInstance();
-               Codec codec = validator.getCodec();
-               Assert.assertNotNull(codec);
-       }*/
-                               
-}
diff --git a/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java b/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java

index 15fe1dd..1083aed 100644 (file)
--- a/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java
+++ b/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java
@@ -41,10 +41,8 @@ import static org.junit.Assert.assertEquals;
  
  import java.util.ArrayList;
  import java.util.List;
-
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;
-
  import org.junit.Before;
  import org.junit.Ignore;
  import org.junit.Test;
@@ -52,7 +50,6 @@ import org.mockito.InjectMocks;
  import org.mockito.Mock;
  import org.mockito.Mockito;
  import org.mockito.MockitoAnnotations;
-import org.onap.portalapp.portal.controller.AppsOSController;
  import org.onap.portalapp.portal.domain.EPUser;
  import org.onap.portalapp.portal.ecomp.model.PortalRestResponse;
  import org.onap.portalapp.portal.ecomp.model.PortalRestStatusEnum;
@@ -87,7 +84,7 @@ public class AppsOSControllerTest {
         }
  
         @InjectMocks
-       AppsOSController appsOSController = new AppsOSController();
+       AppsOSController appsOSController;
  
         MockitoTestSuite mockitoTestSuite = new MockitoTestSuite();
author	Manoop Talasila <talasila@research.att.com>
	Mon, 22 Jul 2019 19:31:46 +0000 (19:31 +0000)
committer	Gerrit Code Review <gerrit@onap.org>
	Mon, 22 Jul 2019 19:31:46 +0000 (19:31 +0000)
ecomp-portal-BE-common/pom.xml		patch \| blob \| history
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppContactUsController.java		patch \| blob \| history
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java		patch \| blob \| history
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AuditLogController.java		patch \| blob \| history
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/ecomp/model/AppContactUsItem.java		patch \| blob \| history
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsManualPreference.java		patch \| blob \| history
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsSortPreference.java		patch \| blob \| history
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPWidgetsSortPreference.java		patch \| blob \| history
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/DataValidator.java		patch \| blob \| history
ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppContactUsControllerTest.java		patch \| blob \| history
ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java		patch \| blob \| history
ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AuditLogControllerTest.java		patch \| blob \| history
ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java	[deleted file]	patch \| blob \| history
ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssValidator.java	[deleted file]	patch \| blob \| history
ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java		patch \| blob \| history
ecomp-portal-BE-os/src/test/java/org/onap/portalapp/filter/SecurityXssValidatorTest.java	[deleted file]	patch \| blob \| history
ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java		patch \| blob \| history