XSS Vulnerability fix in AppsOSController

author Dominik Mizyn <d.mizyn@samsung.com>

Fri, 31 May 2019 06:55:42 +0000 (08:55 +0200)

committer Dominik Mizyn <d.mizyn@samsung.com>

Fri, 31 May 2019 06:56:01 +0000 (08:56 +0200)
author Dominik Mizyn <d.mizyn@samsung.com>
Fri, 31 May 2019 06:55:42 +0000 (08:55 +0200)
committer Dominik Mizyn <d.mizyn@samsung.com>
Fri, 31 May 2019 06:56:01 +0000 (08:56 +0200)
diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java

index ed54055..915c5e0 100644 (file)
--- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java
+++ b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java
@@ -40,8 +40,13 @@ package org.onap.portalapp.portal.controller;
  import java.util.HashMap;
  import java.util.Map;
  
+import java.util.Set;
  import javax.servlet.http.HttpServletRequest;
  
+import javax.validation.ConstraintViolation;
+import javax.validation.Validation;
+import javax.validation.Validator;
+import javax.validation.ValidatorFactory;
  import org.json.JSONObject;
  import org.onap.portalapp.portal.controller.AppsController;
  import org.onap.portalapp.portal.domain.EPUser;
@@ -53,6 +58,7 @@ import org.onap.portalapp.portal.service.EPAppService;
  import org.onap.portalapp.portal.service.PersUserAppService;
  import org.onap.portalapp.portal.service.UserService;
  import org.onap.portalapp.util.EPUserUtils;
+import org.onap.portalapp.validation.SecureString;
  import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
  import org.springframework.beans.factory.annotation.Autowired;
  import org.springframework.context.annotation.EnableAspectJAutoProxy;
@@ -67,6 +73,7 @@ import org.springframework.web.bind.annotation.RestController;
  @EnableAspectJAutoProxy
  @EPAuditLog
  public class AppsOSController extends AppsController {
+       private static final ValidatorFactory validatorFactory = Validation.buildDefaultValidatorFactory();
         
         static final String FAILURE = "failure";
         EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppsOSController.class);
@@ -113,9 +120,20 @@ public class AppsOSController extends AppsController {
         
         @RequestMapping(value = { "/portalApi/currentUserProfile/{loginId}" }, method = RequestMethod.GET, produces = "application/json")
         public String getCurrentUserProfile(HttpServletRequest request, @PathVariable("loginId") String loginId) {
+
+               if(loginId != null){
+                       Validator validator = validatorFactory.getValidator();
+                       SecureString secureString = new SecureString(loginId);
+                       Set<ConstraintViolation<SecureString>> constraintViolations = validator.validate(secureString);
+
+                       if (!constraintViolations.isEmpty()){
+                               return "loginId is not valid";
+                       }
+               }
+
                 
-               Map<String,String> map = new HashMap<String,String>();
-               EPUser user = null;
+               Map<String,String> map = new HashMap<>();
+               EPUser user;
                 try {
                          user = (EPUser) userService.getUserByUserId(loginId).get(0);
                          map.put("firstName", user.getFirstName());
@@ -128,7 +146,7 @@ public class AppsOSController extends AppsController {
                         logger.error(EELFLoggerDelegate.errorLogger, "Failed to get user info", e);
                 }
  
-               JSONObject j = new JSONObject(map);;
+               JSONObject j = new JSONObject(map);
                 return j.toString();
         }
  
diff --git a/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java b/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java

index 0596e74..15fe1dd 100644 (file)
--- a/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java
+++ b/ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java
@@ -175,6 +175,17 @@ public class AppsOSControllerTest {
                 assertEquals("{\"firstName\":\"test\",\"lastName\":\"test\"}", expectedString);
         }
  
+       @Test
+       public void getCurrentUserProfileXSSTest() {
+               String loginId = "<iframe/src=\"data:text/html,<svg &#111;&#110;load=alert(1)>\">";
+               EPUser user = mockUser.mockEPUser();
+               List<EPUser> expectedList = new ArrayList<>();
+               expectedList.add(user);
+               Mockito.when(userService.getUserByUserId(loginId)).thenReturn(expectedList);
+               String expectedString = appsOSController.getCurrentUserProfile(mockedRequest, loginId);
+               assertEquals("loginId is not valid", expectedString);
+       }
+
         @Test
         public void getCurrentUserProfileExceptionTest() {
                 String loginId = "guestT";
author	Dominik Mizyn <d.mizyn@samsung.com>
	Fri, 31 May 2019 06:55:42 +0000 (08:55 +0200)
committer	Dominik Mizyn <d.mizyn@samsung.com>
	Fri, 31 May 2019 06:56:01 +0000 (08:56 +0200)
ecomp-portal-BE-os/src/main/java/org/onap/portalapp/portal/controller/AppsOSController.java		patch \| blob \| history
ecomp-portal-BE-os/src/test/java/org/onap/portalapp/portal/controller/AppsOSControllerTest.java		patch \| blob \| history