From: Dominik Mizyn
Date: Mon, 21 Oct 2019 13:14:46 +0000 (+0200)
Subject: Persistent XSS vulnerability in microservices form
X-Git-Tag: 3.2.0~71
X-Git-Url: https://gerrit.onap.org/r/gitweb?p=portal.git;a=commitdiff_plain;h=31643c4db220bda9ffd9ac06d884f9035bbc4e1f
Persistent XSS vulnerability in microservices form
javax.validation.Validator used to fix this vulnerability issue.
Issue-ID: OJSI-19
Change-Id: I6993ca2ef750924a826f86de991ae0d2b47c3b57
Signed-off-by: Dominik Mizyn
---
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/MicroserviceController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/MicroserviceController.java
index 3f507726..2e1a2b46 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/MicroserviceController.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/MicroserviceController.java
@@ -58,6 +58,7 @@ import org.onap.portalapp.portal.logging.aop.EPAuditLog;
 import org.onap.portalapp.portal.service.WidgetMService;
 import org.onap.portalapp.portal.service.MicroserviceService;
 import org.onap.portalapp.portal.utils.EcompPortalUtils;
+import org.onap.portalapp.validation.DataValidator;
 import org.onap.portalsdk.core.util.SystemProperties;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.EnableAspectJAutoProxy;
@@ -78,7 +79,7 @@ import org.springframework.web.client.RestTemplate;
 @EnableAspectJAutoProxy
 @EPAuditLog
 public class MicroserviceController extends EPRestrictedBaseController {
- public static final ValidatorFactory VALIDATOR_FACTORY = Validation.buildDefaultValidatorFactory();
+ private final DataValidator dataValidator = new DataValidator();
 String whatService = "widgets-service";
 RestTemplate template = new RestTemplate();
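Review bot: The class-field hunk (-78,7) deletes the `public static final VALIDATOR_FACTORY` constant, which removes a public member; no other user is visible in this diff, so a project-wide search for `MicroserviceController.VALIDATOR_FACTORY` is worth doing before merge. The hunk offsets (58 to 58, then 78 to 79) show that no lines were removed from the import block, so the `javax.validation` and `java.util.Set` imports that served the deleted code are still present and may now be unused. `DataValidator` itself is not part of this diff, so, assuming it wraps javax.validation as the commit message says, I would document the new field with `// Checks request bodies against their bean-validation constraints (input-side guard for OJSI-19)`.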
@@ -96,10 +97,7 @@ public class MicroserviceController extends EPRestrictedBaseController {
 return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "FAILURE", "MicroserviceData cannot be null or empty");
 }else {
- Validator validator = VALIDATOR_FACTORY.getValidator();
-
- Set> constraintViolations = validator.validate(newServiceData);
- if(!constraintViolations.isEmpty()){
+ if(!dataValidator.isValid(newServiceData)){
 return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR", "MicroserviceData is not valid");
 }
@@ -129,10 +127,7 @@ public class MicroserviceController extends EPRestrictedBaseController {
 return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "FAILURE", "MicroserviceData cannot be null or empty");
 }else {
- Validator validator = VALIDATOR_FACTORY.getValidator();
-
- Set> constraintViolations = validator.validate(newServiceData);
- if(!constraintViolations.isEmpty()){
+ if(!dataValidator.isValid(newServiceData)){
 return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ERROR", "MicroserviceData is not valid");
 }
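Review bot: The rejection branch `if(!dataValidator.isValid(newServiceData))` in the -96,10 hunk, and the identical branch in the -129,10 hunk, returns "MicroserviceData is not valid" without recording anything, so an attempt to store markup through the microservices form leaves no audit trail. A warning log naming the endpoint and the requesting user, but not the submitted values, would make such attempts visible to monitoring. Both hunks swap an inline `validator.validate(...)` call for `dataValidator.isValid(...)`, so how much of the stored-XSS issue they close depends on the constraints declared on `MicroserviceData` and on `DataValidator`, neither of which appears in this diff. I would add `// Input-side guard for OJSI-19: reject MicroserviceData that violates its declared constraints` above each condition. Both method bodies start and end outside the hunks, so the handling of already-stored records and output encoding cannot be judged from here.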