import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import javax.validation.ConstraintViolation;
+import javax.validation.Validation;
+import javax.validation.Validator;
+import javax.validation.ValidatorFactory;
import org.onap.portalapp.portal.domain.EPUser;
import org.onap.portalapp.portal.ecomp.model.PortalRestResponse;
import org.onap.portalapp.portal.ecomp.model.PortalRestStatusEnum;
import org.onap.portalapp.portal.transport.EpNotificationItem;
import org.onap.portalapp.portal.transport.EpRoleNotificationItem;
import org.onap.portalapp.portal.utils.PortalConstants;
+import org.onap.portalapp.validation.SecureString;
import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
@EnableAspectJAutoProxy
@EPAuditLog
public class TicketEventController implements BasicAuthenticationController {
-
+ private static final ValidatorFactory VALIDATOR_FACTORY = Validation.buildDefaultValidatorFactory();
@Autowired
private UserNotificationService userNotificationService;
logger.debug(EELFLoggerDelegate.debugLogger, "Ticket Event notification" + ticketEventJson);
PortalRestResponse<String> portalResponse = new PortalRestResponse<>();
+
+ if (ticketEventJson!=null){
+ SecureString secureString = new SecureString(ticketEventJson);
+ Validator validator = VALIDATOR_FACTORY.getValidator();
+
+ Set<ConstraintViolation<SecureString>> constraintViolations = validator.validate(secureString);
+ if (!constraintViolations.isEmpty()){
+ portalResponse.setStatus(PortalRestStatusEnum.ERROR);
+ portalResponse.setMessage("Data is not valid");
+ return portalResponse;
+ }
+ }
+
try {
JsonNode ticketEventNotif = mapper.readTree(ticketEventJson);
assertTrue(actualPortalRestResponse.getStatus().compareTo(PortalRestStatusEnum.OK) == 0);
}
+ @Test
+ public void saveXSSTest() throws Exception {
+ String ticketEventJson = "<iframe %00 src=\"	javascript:prompt(1)	\"%00>";
+ PortalRestResponse<String> actualPortalRestResponse;
+ PortalRestResponse<String> expectedPortalRestResponse = new PortalRestResponse<>();
+ expectedPortalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
+ expectedPortalRestResponse.setMessage("Data is not valid");
+ actualPortalRestResponse = ticketEventController.handleRequest(mockedRequest,
+ mockedResponse, ticketEventJson);
+ assertEquals(expectedPortalRestResponse, actualPortalRestResponse);
+ }
+
@Test
public void saveTestForException() throws Exception {
String ticketEventJson = "\"event\": {\"body\": {\"ticketStatePhrase\": \"We recently detected a problem with the equipment at your site. The event is in queue for immediate work.\", \"ivrNotificationFlag\": \"1\",\"expectedRestoreDate\": 0,\"bridgeTransport\": \"AOTS\", \"reptRequestType\": 0,\"ticketNum\": \"000002000857405\",\"assetID\": \"CISCO_1921C1_ISR_G2\", \"eventDate\": 1490545134601,\"eventAbstract\": \"ospfIfConfigError trap received from Cisco_1921c1_ISR_G2 with arguments: ospfRouterId=Cisco_1921c1_ISR_G2; ospfIfIpAddress=1921c1_288266; ospfAddressLessIf=0; ospfPacketSrc=172.17.0.11; ospfConfigErrorType=2; ospfPacketType=1\",\"severity\": \"2 - Major\",\"ticketPriority\": \"3\",\"reportedCustomerImpact\": 0,\"testAutoIndicator\": 0,\"supportGroupName\": \"US-TEST-ORT\",\"lastModifiedDate\": \"1487687703\",\"messageGroup\": \"SNMP\",\"csi\": 0,\"mfabRestoredTime\": 0},\"header\": {\"timestamp\": \"2017-02-21T14:35:05.219+0000\",\"eventSource\": \"aotstm\",\"entityId\": \"000002000857405\", \"sequenceNumber\": 2 },\"blinkMsgId\": \"f38c071e-1a47-4b55-9e72-1db830100a61\",\"sourceIP\": \"130.4.165.158\"},\"SubscriberInfo\": {\"UserList\": [\"hk8777\"] }}";
Code Review / portal.git / commitdiff