Persistent XSS vulnerability in onboardingApps form fix 68/97368/2
authorDominik Mizyn <d.mizyn@samsung.com>
Mon, 21 Oct 2019 12:32:48 +0000 (14:32 +0200)
committerDominik Mizyn <d.mizyn@samsung.com>
Thu, 24 Oct 2019 13:54:49 +0000 (15:54 +0200)
javax.validation.Validator is used to fix this vulnerability.

Issue-ID: OJSI-18
Change-Id: I26ec795a23869c0dccd22c50e4469ae264cb7547
Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java
ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java

index 0be0d35..c34311c 100644 (file)
@@ -739,6 +739,11 @@ public class AppsController extends EPRestrictedBaseController {
                        user = EPUserUtils.getUserSession(request);
                        if (!adminRolesService.isSuperAdmin(user) && !adminRolesService.isAccountAdminOfAnyActiveorInactiveApplication(user, oldEPApp) ) {
                                EcompPortalUtils.setBadPermissions(user, response, "putOnboardingApp");
+                       } else if(!dataValidator.isValid(modifiedOnboardingApp)){
+                               logger.error(EELFLoggerDelegate.errorLogger, "putOnboardingApp is not valid");
+                               EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/onboardingApps", "POST result =",
+                                                                                               response.getStatus());
+                               return fieldsValidator;
                        } else {
                                if((oldEPApp.getCentralAuth() && modifiedOnboardingApp.isCentralAuth && !oldEPApp.getNameSpace().equalsIgnoreCase(modifiedOnboardingApp.nameSpace) && modifiedOnboardingApp.nameSpace!= null ) || (!oldEPApp.getCentralAuth() && modifiedOnboardingApp.isCentralAuth && modifiedOnboardingApp.nameSpace!= null))
                                {
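Review bot: The new rejection branch at `} else if(!dataValidator.isValid(modifiedOnboardingApp)){` returns `fieldsValidator` without ever setting an error status, so a payload that fails validation is dropped silently while the client receives whatever status the response already carries (the accompanying test stubs `getStatus()` as 200 and expects a null body). If `response` is an `HttpServletResponse`, the branch should set the status before logging it, e.g. `response.setStatus(HttpServletResponse.SC_BAD_REQUEST);` ahead of the `logAndSerializeObject` call, so that the logged "result" and the client-visible outcome both reflect the rejection; whether `fieldsValidator` is populated at this point cannot be seen here since its declaration is outside the hunk. The log line also reads `"POST result ="` inside `putOnboardingApp`, which looks copied from the POST handler and should say PUT. The enclosing method starts and ends outside the hunk.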
index 58745d2..f622fac 100644 (file)
@@ -128,6 +128,33 @@ public class AppsControllerTest extends MockitoTestSuite{
 
        MockEPUser mockUser = new MockEPUser();
 
+       @Test
+       public void putOnboardingAppXSSTest() {
+               EPUser user = mockUser.mockEPUser();
+               Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+               OnboardingApp onboardingApp = new OnboardingApp();
+               onboardingApp.setUebTopicName("test<img src=‘~‘ onerror=prompt(123)>");
+               Mockito.when(adminRolesService.isSuperAdmin(user)).thenReturn(true);
+               Mockito.when(appService.modifyOnboardingApp(onboardingApp, user)).thenReturn(null);
+               Mockito.when(mockedResponse.getStatus()).thenReturn(200);
+               FieldsValidator actualFieldValidator = appsController.putOnboardingApp(mockedRequest, onboardingApp,
+               mockedResponse);
+               assertNull(actualFieldValidator);
+       }
+
+       @Test
+       public void postOnboardingAppXSSTest() {
+               EPUser user = mockUser.mockEPUser();
+               Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+               OnboardingApp onboardingApp = new OnboardingApp();
+               onboardingApp.setUebKey("test<img src=‘~‘ onerror=prompt(123)>");
+               Mockito.when(adminRolesService.isSuperAdmin(user)).thenReturn(true);
+               Mockito.when(appService.addOnboardingApp(onboardingApp, user)).thenReturn(null);
+               FieldsValidator actualFieldValidator = appsController.postOnboardingApp(mockedRequest, onboardingApp,
+               mockedResponse);
+               assertNull(actualFieldValidator);
+       }
+
        @Test
        public void getUserAppsTest() {
                EPUser user = mockUser.mockEPUser();
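Review bot: Both new tests assert only `assertNull(actualFieldValidator)`, but the service mocks on the lines `Mockito.when(appService.modifyOnboardingApp(onboardingApp, user)).thenReturn(null);` and `Mockito.when(appService.addOnboardingApp(onboardingApp, user)).thenReturn(null);` also return null, so each test passes whether the controller rejected the payload or forwarded it untouched to the service. To actually prove the validator blocks the input, add `Mockito.verify(appService, Mockito.never()).modifyOnboardingApp(Mockito.any(), Mockito.any());` to `putOnboardingAppXSSTest` and the matching `never()).addOnboardingApp(...)` check to `postOnboardingAppXSSTest`. Whether `dataValidator` in the controller is a real validator or a mock in this suite is not visible in the hunk; if it is mocked, the tests would also need `isValid` stubbed to return false, otherwise they exercise nothing.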