Reflected XSS vulnerability in saveNotification form fix. 60/97360/1
authorDominik Mizyn <d.mizyn@samsung.com>
Mon, 21 Oct 2019 11:03:55 +0000 (13:03 +0200)
committerDominik Mizyn <d.mizyn@samsung.com>
Mon, 21 Oct 2019 11:04:06 +0000 (13:04 +0200)
A javax.validation.Validator is used to fix this vulnerability.

Issue-ID: OJSI-22
Change-Id: I5837e333f640a398ab6b25e8a0b9f611bb7d3af9
Signed-off-by: Dominik Mizyn <d.mizyn@samsung.com>
ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/ExternalAppsRestfulController.java
ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/ExternalAppsRestfulControllerTest.java

index 15ce305..7615b66 100644 (file)
@@ -66,6 +66,8 @@ import org.onap.portalapp.portal.transport.FunctionalMenuItem;
 import org.onap.portalapp.portal.utils.EPCommonSystemProperties;
 import org.onap.portalapp.portal.utils.EcompPortalUtils;
 import org.onap.portalapp.portal.utils.PortalConstants;
+import org.onap.portalapp.validation.DataValidator;
+import org.onap.portalapp.validation.SecureString;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
 import org.onap.portalsdk.core.onboarding.crossapi.PortalAPIResponse;
 import org.slf4j.MDC;
@@ -90,6 +92,7 @@ import io.swagger.annotations.ApiOperation;
 public class ExternalAppsRestfulController extends EPRestrictedRESTfulBaseController {
 
        private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(ExternalAppsRestfulController.class);
+       private final DataValidator DATA_VALIDATOR = new DataValidator();
 
        @Autowired
        private FunctionalMenuService functionalMenuService;
@@ -111,6 +114,11 @@ public class ExternalAppsRestfulController extends EPRestrictedRESTfulBaseContro
        @ResponseBody
        public PortalAPIResponse publishNotification(HttpServletRequest request,
                        @RequestBody EpNotificationItem notificationItem) throws Exception {
+
+               if(!DATA_VALIDATOR.isValid(notificationItem)){
+                       PortalAPIResponse response = new PortalAPIResponse(false, "failed");
+                       return response;
+               }
                String appKey = request.getHeader("uebkey");
                EPApp app = findEpApp(appKey);
                List<Long> postRoleIds = new ArrayList<Long>();
@@ -119,8 +127,8 @@ public class ExternalAppsRestfulController extends EPRestrictedRESTfulBaseContro
             EPRole role = epRoleService.getRole(app.getId(), roleId);
             if (role != null)
                 postRoleIds.add(role.getId());
-        }
-    }
+               }
+       }
 
                // --- recreate the user notification object with the POrtal Role Ids
                EpNotificationItem postItem = new EpNotificationItem();
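Review bot: The new guard at the top of publishNotification silently returns a bare "failed" when DataValidator rejects the item, so a rejected payload leaves no trace for operators; log the rejection through the existing `logger` field before returning (a fixed message, not the raw field values), and since the response is built and returned in one step, `return new PortalAPIResponse(false, "failed");` reads cleaner than the temporary. `DATA_VALIDATOR` is declared as an instance field yet named in constant case; either make it `private static final` or rename it `dataValidator` so the name matches its storage. The check's effectiveness rests on the constraint annotations carried by EpNotificationItem, which this change does not touch, so a short comment such as `// relies on the javax.validation constraints declared on EpNotificationItem` would tell the next maintainer where the rule actually lives. `SecureString` is imported but does not appear in any visible hunk; if the rest of the file does not use it, drop the import. publishNotification's body continues outside the hunk.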
index d8f98bb..d6cb42a 100644 (file)
@@ -296,6 +296,47 @@ public class ExternalAppsRestfulControllerTest {
         assertEquals(543L, createdNofification.getRoleIds().get(0).longValue());
     }
 
+       @Test
+       public void publishNotificationXSSTest() throws Exception {
+               // input
+               EpNotificationItem notificationItem = new EpNotificationItem();
+               List<Long> roleList = new ArrayList<Long>();
+               Long role1 = 1L;
+               roleList.add(role1);
+               notificationItem.setRoleIds(roleList);
+               notificationItem.setPriority(1L);
+               notificationItem.setMsgHeader("<script>alert(‘XSS’)</script>");
+               notificationItem.setMsgDescription("Test Description");
+               Date currentDate = new Date();
+               Calendar c = Calendar.getInstance();
+               c.setTime(currentDate);
+               c.add(Calendar.DATE, 1);
+               Date currentDatePlusOne = c.getTime();
+               notificationItem.setStartTime(currentDate);
+               notificationItem.setEndTime(currentDatePlusOne);
+
+               // mock calls
+               Mockito.when(mockedRequest.getHeader("uebkey")).thenReturn("RxH3983AHiyBOQmj");
+               Map<String, String> params = new HashMap<>();
+               params.put("appKey", "RxH3983AHiyBOQmj");
+               List<EPApp> apps = new ArrayList<>();
+               EPApp app = new EPApp();
+               app.setId(123L);
+               apps.add(app);
+               Mockito.when(DataAccessService.executeNamedQuery("getMyAppDetailsByUebKey", params, null)).thenReturn(apps);
+               EPRole role = new EPRole();
+               role.setId(543L);
+               Mockito.when(epRoleService.getRole(123L, 1L)).thenReturn(role);
+
+               // run
+               Mockito.when(userNotificationService.saveNotification(notificationItem)).thenReturn("Test");
+               PortalAPIResponse response = externalAppsRestfulController.publishNotification(mockedRequest, notificationItem);
+               // verify answer
+               assertNotNull(response);
+               assertEquals("error", response.getStatus());
+               assertEquals("failed", response.getMessage());
+       }
+
     @Test
     public void publishNotificationTest_EmptyAppHeader() throws Exception {
         // input