From: Manoop Talasila Date: Mon, 22 Jul 2019 19:32:31 +0000 (+0000) Subject: Merge "XSS Vulnerability fix in ExternalAccessRolesControllerDashboardController" X-Git-Tag: 3.2.0~238 X-Git-Url: https://gerrit.onap.org/r/gitweb?p=portal.git;a=commitdiff_plain;h=9c5ca23557b2bebef4da3c0fac004eae0d70f32c;hp=caa971f0393d349985878a085e3519782335ac1f Merge "XSS Vulnerability fix in ExternalAccessRolesControllerDashboardController" --- diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppContactUsController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppContactUsController.java index 5da35523..b5876af8 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppContactUsController.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppContactUsController.java @@ -37,7 +37,6 @@ */ package org.onap.portalapp.portal.controller; -import java.util.Collections; import java.util.Comparator; import java.util.HashMap; import java.util.List; @@ -53,9 +52,11 @@ import org.onap.portalapp.portal.ecomp.model.PortalRestStatusEnum; import org.onap.portalapp.portal.logging.aop.EPAuditLog; import org.onap.portalapp.portal.service.AppContactUsService; import org.onap.portalapp.portal.utils.EPCommonSystemProperties; +import org.onap.portalapp.validation.DataValidator; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; import org.onap.portalsdk.core.util.SystemProperties; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.EnableAspectJAutoProxy; import org.springframework.web.bind.annotation.PathVariable; import org.springframework.web.bind.annotation.RequestBody; @@ -65,42 +66,51 @@ import org.springframework.web.bind.annotation.RestController; @RestController @RequestMapping("/portalApi/contactus") -@org.springframework.context.annotation.Configuration +@Configuration @EnableAspectJAutoProxy @EPAuditLog public class AppContactUsController extends EPRestrictedBaseController { - static final String FAILURE = "failure"; + private static final String FAILURE = "failure"; + private static final String SUCCESS= "success"; - private static EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppContactUsController.class); + private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppContactUsController.class); + private static final DataValidator dataValidator = new DataValidator(); + private final Comparator appCategoryFunctionsItemComparator = Comparator + .comparing(AppCategoryFunctionsItem::getCategory); - @Autowired private AppContactUsService contactUsService; + @Autowired + public AppContactUsController(AppContactUsService contactUsService) { + this.contactUsService = contactUsService; + } + + /** * Answers a JSON object with three items from the system.properties file: * user self-help ticket URL, email for feedback, and Portal info link. - * + * * @param request HttpServletRequest * @return PortalRestResponse */ @RequestMapping(value = "/feedback", method = RequestMethod.GET, produces = "application/json") public PortalRestResponse getPortalDetails(HttpServletRequest request) { - PortalRestResponse portalRestResponse = null; + PortalRestResponse portalRestResponse; try { final String ticketUrl = SystemProperties.getProperty(EPCommonSystemProperties.USH_TICKET_URL); final String portalInfoUrl = SystemProperties.getProperty(EPCommonSystemProperties.PORTAL_INFO_URL); final String feedbackEmail = SystemProperties.getProperty(EPCommonSystemProperties.FEEDBACK_EMAIL_ADDRESS); - HashMap map = new HashMap(); + HashMap map = new HashMap<>(); map.put(EPCommonSystemProperties.USH_TICKET_URL, ticketUrl); map.put(EPCommonSystemProperties.PORTAL_INFO_URL, portalInfoUrl); map.put(EPCommonSystemProperties.FEEDBACK_EMAIL_ADDRESS, feedbackEmail); JSONObject j = new JSONObject(map); String contactUsPortalResponse = j.toString(); - portalRestResponse = new PortalRestResponse(PortalRestStatusEnum.OK, "success", - contactUsPortalResponse); + portalRestResponse = new PortalRestResponse<>(PortalRestStatusEnum.OK, SUCCESS, + contactUsPortalResponse); } catch (Exception e) { - return new PortalRestResponse(PortalRestStatusEnum.ERROR, FAILURE, e.getMessage()); + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE, e.getMessage()); } return portalRestResponse; } @@ -108,21 +118,21 @@ public class AppContactUsController extends EPRestrictedBaseController { /** * Answers the contents of the contact-us table, extended with the * application name. - * + * * @param request HttpServletRequest * @return PortalRestResponse> */ @RequestMapping(value = "/list", method = RequestMethod.GET, produces = "application/json") public PortalRestResponse> getAppContactUsList(HttpServletRequest request) { - PortalRestResponse> portalRestResponse = null; + PortalRestResponse> portalRestResponse; try { List contents = contactUsService.getAppContactUs(); - portalRestResponse = new PortalRestResponse>(PortalRestStatusEnum.OK, "success", - contents); + portalRestResponse = new PortalRestResponse<>(PortalRestStatusEnum.OK, SUCCESS, + contents); } catch (Exception e) { logger.error(EELFLoggerDelegate.errorLogger, "getAppContactUsList failed", e); - portalRestResponse = new PortalRestResponse>(PortalRestStatusEnum.ERROR, - e.getMessage(), null); + portalRestResponse = new PortalRestResponse<>(PortalRestStatusEnum.ERROR, + e.getMessage(), null); } return portalRestResponse; } @@ -130,35 +140,25 @@ public class AppContactUsController extends EPRestrictedBaseController { /** * Answers a list of objects, one per application, extended with available * data on how to contact that app's organization (possibly none). - * + * * @param request HttpServletRequest * @return PortalRestResponse> */ @RequestMapping(value = "/allapps", method = RequestMethod.GET, produces = "application/json") public PortalRestResponse> getAppsAndContacts(HttpServletRequest request) { - PortalRestResponse> portalRestResponse = null; + PortalRestResponse> portalRestResponse; try { List contents = contactUsService.getAppsAndContacts(); - portalRestResponse = new PortalRestResponse>(PortalRestStatusEnum.OK, "success", - contents); + portalRestResponse = new PortalRestResponse<>(PortalRestStatusEnum.OK, SUCCESS, + contents); } catch (Exception e) { logger.error(EELFLoggerDelegate.errorLogger, "getAllAppsAndContacts failed", e); - portalRestResponse = new PortalRestResponse>(PortalRestStatusEnum.ERROR, - e.getMessage(), null); + portalRestResponse = new PortalRestResponse<>(PortalRestStatusEnum.ERROR, + e.getMessage(), null); } return portalRestResponse; } - /** - * Sorts by category name. - */ - private Comparator appCategoryFunctionsItemComparator = new Comparator() { - @Override - public int compare(AppCategoryFunctionsItem o1, AppCategoryFunctionsItem o2) { - return o1.getCategory().compareTo(o2.getCategory()); - } - }; - /** * Answers a list of objects with category-application-function details. Not * all applications participate in the functional menu. @@ -168,20 +168,17 @@ public class AppContactUsController extends EPRestrictedBaseController { */ @RequestMapping(value = "/functions", method = RequestMethod.GET, produces = "application/json") public PortalRestResponse> getAppCategoryFunctions(HttpServletRequest request) { - PortalRestResponse> portalRestResponse = null; + PortalRestResponse> portalRestResponse; try { List contents = contactUsService.getAppCategoryFunctions(); - // logger.debug(EELFLoggerDelegate.debugLogger, - // "getAppCategoryFunctions: result list size is " + - // contents.size()); - Collections.sort(contents, appCategoryFunctionsItemComparator); - portalRestResponse = new PortalRestResponse>(PortalRestStatusEnum.OK, - "success", contents); + contents.sort(appCategoryFunctionsItemComparator); + portalRestResponse = new PortalRestResponse<>(PortalRestStatusEnum.OK, + SUCCESS, contents); } catch (Exception e) { logger.error(EELFLoggerDelegate.errorLogger, "getAppCategoryFunctions failed", e); // TODO build JSON error - portalRestResponse = new PortalRestResponse>(PortalRestStatusEnum.ERROR, - e.getMessage(), null); + portalRestResponse = new PortalRestResponse<>(PortalRestStatusEnum.ERROR, + e.getMessage(), null); } return portalRestResponse; } @@ -195,29 +192,41 @@ public class AppContactUsController extends EPRestrictedBaseController { @RequestMapping(value = "/save", method = RequestMethod.POST, produces = "application/json") public PortalRestResponse save(@RequestBody AppContactUsItem contactUs) { - if (contactUs == null || contactUs.getAppName() == null) - return new PortalRestResponse(PortalRestStatusEnum.ERROR, FAILURE, - "AppName cannot be null or empty"); + if (contactUs == null || contactUs.getAppName() == null) { + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE, + "AppName cannot be null or empty"); + }else if(!dataValidator.isValid(contactUs)){ + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE, "AppName is not valid."); + } String saveAppContactUs = FAILURE; try { saveAppContactUs = contactUsService.saveAppContactUs(contactUs); } catch (Exception e) { - return new PortalRestResponse(PortalRestStatusEnum.ERROR, saveAppContactUs, e.getMessage()); + logger.error(EELFLoggerDelegate.errorLogger, "save failed", e); + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, saveAppContactUs, e.getMessage()); } - return new PortalRestResponse(PortalRestStatusEnum.OK, saveAppContactUs, ""); + return new PortalRestResponse<>(PortalRestStatusEnum.OK, saveAppContactUs, ""); } @RequestMapping(value = "/saveAll", method = RequestMethod.POST, produces = "application/json") public PortalRestResponse save(@RequestBody List contactUsList) { + if (contactUsList == null) { + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE, + "AppNameList cannot be null or empty"); + }else if(!dataValidator.isValid(contactUsList)){ + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, FAILURE, "AppNameList is not valid."); + } + String saveAppContactUs = FAILURE; try { saveAppContactUs = contactUsService.saveAppContactUs(contactUsList); } catch (Exception e) { - return new PortalRestResponse(PortalRestStatusEnum.ERROR, saveAppContactUs, e.getMessage()); + logger.error(EELFLoggerDelegate.errorLogger, "save failed", e); + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, saveAppContactUs, e.getMessage()); } - return new PortalRestResponse(PortalRestStatusEnum.OK, saveAppContactUs, ""); + return new PortalRestResponse<>(PortalRestStatusEnum.OK, saveAppContactUs, ""); } /** @@ -234,9 +243,10 @@ public class AppContactUsController extends EPRestrictedBaseController { try { saveAppContactUs = contactUsService.deleteContactUs(id); } catch (Exception e) { - return new PortalRestResponse(PortalRestStatusEnum.ERROR, saveAppContactUs, e.getMessage()); + logger.error(EELFLoggerDelegate.errorLogger, "delete failed", e); + return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, saveAppContactUs, e.getMessage()); } - return new PortalRestResponse(PortalRestStatusEnum.OK, saveAppContactUs, ""); + return new PortalRestResponse<>(PortalRestStatusEnum.OK, saveAppContactUs, ""); } } \ No newline at end of file diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java index 4b401e22..1224be82 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AppsController.java @@ -2,7 +2,7 @@ * ============LICENSE_START========================================== * ONAP Portal * =================================================================== - * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2019 AT&T Intellectual Property. All rights reserved. * =================================================================== * Modifications Copyright (c) 2019 Samsung * =================================================================== @@ -42,18 +42,12 @@ package org.onap.portalapp.portal.controller; import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.databind.ObjectMapper; import java.io.IOException; -import java.util.ArrayList; -import java.util.Arrays; import java.util.List; -import java.util.Map; import java.util.Set; -import java.util.stream.Stream; - import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; - -import org.json.JSONArray; -import org.json.JSONObject; +import lombok.Getter; +import lombok.NoArgsConstructor; import org.onap.portalapp.controller.EPRestrictedBaseController; import org.onap.portalapp.portal.domain.AdminUserApplications; import org.onap.portalapp.portal.domain.AppIdAndNameTransportModel; @@ -68,7 +62,6 @@ import org.onap.portalapp.portal.logging.logic.EPLogUtil; import org.onap.portalapp.portal.service.AdminRolesService; import org.onap.portalapp.portal.service.EPAppService; import org.onap.portalapp.portal.service.EPLeftMenuService; -import org.onap.portalapp.portal.service.ExternalAccessRolesService; import org.onap.portalapp.portal.transport.EPAppsManualPreference; import org.onap.portalapp.portal.transport.EPAppsSortPreference; import org.onap.portalapp.portal.transport.EPDeleteAppsManualSortPref; @@ -76,10 +69,10 @@ import org.onap.portalapp.portal.transport.EPWidgetsSortPreference; import org.onap.portalapp.portal.transport.FieldsValidator; import org.onap.portalapp.portal.transport.LocalRole; import org.onap.portalapp.portal.transport.OnboardingApp; -import org.onap.portalapp.portal.utils.EPCommonSystemProperties; import org.onap.portalapp.portal.utils.EcompPortalUtils; import org.onap.portalapp.portal.utils.PortalConstants; import org.onap.portalapp.util.EPUserUtils; +import org.onap.portalapp.validation.DataValidator; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; import org.onap.portalsdk.core.util.SystemProperties; import org.onap.portalsdk.core.web.support.AppUtils; @@ -87,7 +80,6 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.EnableAspectJAutoProxy; import org.springframework.http.HttpEntity; import org.springframework.http.HttpHeaders; -import org.springframework.http.HttpMethod; import org.springframework.http.HttpStatus; import org.springframework.http.MediaType; import org.springframework.http.ResponseEntity; @@ -97,27 +89,27 @@ import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RestController; import org.springframework.web.client.HttpClientErrorException; -import org.springframework.web.client.HttpStatusCodeException; -import org.springframework.web.client.RestTemplate; @RestController @EnableAspectJAutoProxy @EPAuditLog +@NoArgsConstructor +@Getter public class AppsController extends EPRestrictedBaseController { - private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppsController.class); + private static final String GET_RESULT = "GET result ="; + private static final String PUT_RESULT = "PUT result ="; + private static final String PORTAL_API_ONBOARDING_APPS = "/portalApi/onboardingApps"; + private static final String PORTAL_API_USER_APPS_ORDER_BY_SORT_PREF = "/portalApi/userAppsOrderBySortPref"; + + private final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(AppsController.class); + private final DataValidator dataValidator = new DataValidator(); @Autowired private AdminRolesService adminRolesService; - @Autowired private EPAppService appService; - @Autowired private EPLeftMenuService leftMenuService; - - @Autowired - private ExternalAccessRolesService externalAccessRolesService; - RestTemplate template = new RestTemplate(); /** * RESTful service method to fetch all Applications available to current @@ -139,7 +131,7 @@ public class AppsController extends EPRestrictedBaseController { EcompPortalUtils.setBadPermissions(user, response, "getUserApps"); } else { ecompApps = appService.transformAppsToEcompApps(appService.getUserApps(user)); - EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userApps", "GET result =", ecompApps); + EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userApps", GET_RESULT, ecompApps); } } catch (Exception e) { logger.error(EELFLoggerDelegate.errorLogger, "getUserApps failed", e); @@ -174,7 +166,7 @@ public class AppsController extends EPRestrictedBaseController { else apps = appService.getPersUserApps(user); ecompApps = appService.transformAppsToEcompApps(apps); - EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userPersApps", "GET result =", ecompApps); + EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userPersApps", GET_RESULT, ecompApps); } } catch (Exception e) { logger.error(EELFLoggerDelegate.errorLogger, "getPersUserApps failed", e); @@ -203,7 +195,7 @@ public class AppsController extends EPRestrictedBaseController { EcompPortalUtils.setBadPermissions(user, response, "getAdminApps"); } else { adminApps = appService.getAdminApps(user); - EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/adminApps", "GET result =", adminApps); + EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/adminApps", GET_RESULT, adminApps); } } catch (Exception e) { logger.error(EELFLoggerDelegate.errorLogger, "getAdminApps failed", e); @@ -235,7 +227,7 @@ public class AppsController extends EPRestrictedBaseController { } else { adminApps = appService.getAppsForSuperAdminAndAccountAdmin(user); EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/appsForSuperAdminAndAccountAdmin", - "GET result =", adminApps); + GET_RESULT, adminApps); } } catch (Exception e) { logger.error(EELFLoggerDelegate.errorLogger, "getAppsForSuperAdminAndAccountAdmin failed", e); @@ -245,7 +237,7 @@ public class AppsController extends EPRestrictedBaseController { } /** - * RESTful service method to fetch left menu items from the user's session. + * RESTful service method to fetch left menu items from the user'PORTAL_API_USER_APPS_ORDER_BY_SORT_PREF session. * * @param request * HttpServletRequest @@ -267,7 +259,7 @@ public class AppsController extends EPRestrictedBaseController { try { menuList = leftMenuService.getLeftMenuItems(user, menuSet, roleFunctionSet); - EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/leftmenuItems", "GET result =", menuList); + EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/leftmenuItems", GET_RESULT, menuList); } catch (Exception e) { logger.error(EELFLoggerDelegate.errorLogger, "getLeftMenuItems failed", e); } @@ -275,7 +267,7 @@ public class AppsController extends EPRestrictedBaseController { } @RequestMapping(value = { - "/portalApi/userAppsOrderBySortPref" }, method = RequestMethod.GET, produces = "application/json") + PORTAL_API_USER_APPS_ORDER_BY_SORT_PREF }, method = RequestMethod.GET, produces = "application/json") public List getUserAppsOrderBySortPref(HttpServletRequest request, HttpServletResponse response) { EPUser user = EPUserUtils.getUserSession(request); List ecompApps = null; @@ -284,28 +276,28 @@ public class AppsController extends EPRestrictedBaseController { EcompPortalUtils.setBadPermissions(user, response, "getUserAppsOrderBySortPref"); } else { String usrSortPref = request.getParameter("mparams"); - if (usrSortPref.equals("")) { + if (usrSortPref.isEmpty()) { usrSortPref = "N"; } switch (usrSortPref) { case "N": ecompApps = appService.transformAppsToEcompApps(appService.getAppsOrderByName(user)); - EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userAppsOrderBySortPref", "GET result =", + EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_USER_APPS_ORDER_BY_SORT_PREF, GET_RESULT, ecompApps); break; case "L": ecompApps = appService.transformAppsToEcompApps(appService.getAppsOrderByLastUsed(user)); - EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userAppsOrderBySortPref", "GET result =", + EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_USER_APPS_ORDER_BY_SORT_PREF, GET_RESULT, ecompApps); break; case "F": ecompApps = appService.transformAppsToEcompApps(appService.getAppsOrderByMostUsed(user)); - EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userAppsOrderBySortPref", "GET result =", + EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_USER_APPS_ORDER_BY_SORT_PREF, GET_RESULT, ecompApps); break; case "M": ecompApps = appService.transformAppsToEcompApps(appService.getAppsOrderByManual(user)); - EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userAppsOrderBySortPref", "GET result =", + EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_USER_APPS_ORDER_BY_SORT_PREF, GET_RESULT, ecompApps); break; default: @@ -335,6 +327,13 @@ public class AppsController extends EPRestrictedBaseController { public FieldsValidator putUserAppsSortingManual(HttpServletRequest request, @RequestBody List epAppsManualPref, HttpServletResponse response) { FieldsValidator fieldsValidator = null; + + if (isNotNullAndNotValid(epAppsManualPref)){ + fieldsValidator = new FieldsValidator(); + fieldsValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE); + return fieldsValidator; + } + try { EPUser user = EPUserUtils.getUserSession(request); fieldsValidator = appService.saveAppsSortManual(epAppsManualPref, user); @@ -342,7 +341,7 @@ public class AppsController extends EPRestrictedBaseController { } catch (Exception e) { logger.error(EELFLoggerDelegate.errorLogger, "putUserAppsSortingManual failed", e); } - EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/saveUserAppsSortingManual", "PUT result =", + EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/saveUserAppsSortingManual", PUT_RESULT, response.getStatus()); return fieldsValidator; } @@ -352,6 +351,13 @@ public class AppsController extends EPRestrictedBaseController { public FieldsValidator putUserWidgetsSortManual(HttpServletRequest request, @RequestBody List saveManualWidgetSData, HttpServletResponse response) { FieldsValidator fieldsValidator = null; + + if (isNotNullAndNotValid(saveManualWidgetSData)){ + fieldsValidator = new FieldsValidator(); + fieldsValidator.setHttpStatusCode((long)HttpServletResponse.SC_NOT_ACCEPTABLE); + return fieldsValidator; + } + try { EPUser user = EPUserUtils.getUserSession(request); fieldsValidator = appService.saveWidgetsSortManual(saveManualWidgetSData, user); @@ -359,8 +365,7 @@ public class AppsController extends EPRestrictedBaseController { } catch (Exception e) { logger.error(EELFLoggerDelegate.errorLogger, "putUserWidgetsSortManual failed", e); } - // return fieldsValidator; - EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/putUserWidgetsSortManual", "PUT result =", + EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/putUserWidgetsSortManual", PUT_RESULT, response.getStatus()); return fieldsValidator; } @@ -370,6 +375,13 @@ public class AppsController extends EPRestrictedBaseController { public FieldsValidator putUserWidgetsSortPref(HttpServletRequest request, @RequestBody List delManualWidgetData, HttpServletResponse response) { FieldsValidator fieldsValidator = null; + + if (isNotNullAndNotValid(delManualWidgetData)){ + fieldsValidator = new FieldsValidator(); + fieldsValidator.setHttpStatusCode((long)HttpServletResponse.SC_NOT_ACCEPTABLE); + return fieldsValidator; + } + try { EPUser user = EPUserUtils.getUserSession(request); fieldsValidator = appService.deleteUserWidgetSortPref(delManualWidgetData, user); @@ -378,8 +390,7 @@ public class AppsController extends EPRestrictedBaseController { logger.error(EELFLoggerDelegate.errorLogger, "putUserWidgetsSortPref failed", e); } - // return fieldsValidator; - EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/putUserWidgetsSortPref", "PUT result =", + EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/putUserWidgetsSortPref", PUT_RESULT, response.getStatus()); return fieldsValidator; } @@ -400,6 +411,7 @@ public class AppsController extends EPRestrictedBaseController { public FieldsValidator deleteUserAppSortManual(HttpServletRequest request, @RequestBody EPDeleteAppsManualSortPref delManualAppData, HttpServletResponse response) { FieldsValidator fieldsValidator = null; + try { EPUser user = EPUserUtils.getUserSession(request); fieldsValidator = appService.deleteUserAppSortManual(delManualAppData, user); @@ -408,8 +420,7 @@ public class AppsController extends EPRestrictedBaseController { logger.error(EELFLoggerDelegate.errorLogger, "deleteUserAppSortManual failed", e); } - // return fieldsValidator; - EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/deleteUserAppSortManual", "PUT result =", + EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/deleteUserAppSortManual", PUT_RESULT, response.getStatus()); return fieldsValidator; } @@ -428,8 +439,7 @@ public class AppsController extends EPRestrictedBaseController { } - // return fieldsValidator; - EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/putUserAppsSortingPreference", "PUT result =", + EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/putUserAppsSortingPreference", PUT_RESULT, response.getStatus()); return fieldsValidator; } @@ -445,7 +455,7 @@ public class AppsController extends EPRestrictedBaseController { EcompPortalUtils.setBadPermissions(user, response, "userAppsSortTypePreference"); } else { userSortPreference = appService.getUserAppsSortTypePreference(user); - EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userAppsSortTypePreference", "GET result =", + EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/userAppsSortTypePreference", GET_RESULT, userSortPreference); } } catch (Exception e) { @@ -475,7 +485,7 @@ public class AppsController extends EPRestrictedBaseController { EcompPortalUtils.setBadPermissions(user, response, "getAppsAdministrators"); } else { admins = appService.getAppsAdmins(); - EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/accountAdmins", "GET result =", admins); + EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/accountAdmins", GET_RESULT, admins); } } catch (Exception e) { logger.error(EELFLoggerDelegate.errorLogger, "getAppsAdministrators failed", e); @@ -493,7 +503,7 @@ public class AppsController extends EPRestrictedBaseController { EcompPortalUtils.setBadPermissions(user, response, "getApps"); } else { apps = appService.getAllApplications(false); - EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/availableApps", "GET result =", apps); + EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/availableApps", GET_RESULT, apps); } } catch (Exception e) { logger.error(EELFLoggerDelegate.errorLogger, "getApps failed", e); @@ -522,7 +532,7 @@ public class AppsController extends EPRestrictedBaseController { EcompPortalUtils.setBadPermissions(user, response, "getApps"); } else { apps = appService.getAllApps(true); - EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/availableApps", "GET result =", apps); + EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/availableApps", GET_RESULT, apps); } } catch (Exception e) { logger.error(EELFLoggerDelegate.errorLogger, "getAllApps failed", e); @@ -547,7 +557,7 @@ public class AppsController extends EPRestrictedBaseController { EcompPortalUtils.setBadPermissions(user, response, "getAppsFullList"); } else { ecompApps = appService.getEcompAppAppsFullList(); - EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/appsFullList", "GET result =", ecompApps); + EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/appsFullList", GET_RESULT, ecompApps); } return ecompApps; } @@ -598,7 +608,7 @@ public class AppsController extends EPRestrictedBaseController { || (adminRolesService.isSuperAdmin(user) && requestedApp.getId() == PortalConstants.PORTAL_APP_ID))) { try { roleList = appService.getAppRoles(appId); - EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/appRoles/" + appId, "GET result =", + EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/appRoles/" + appId, GET_RESULT, roleList); } catch (Exception e) { logger.error(EELFLoggerDelegate.errorLogger, "getAppRoles failed", e); @@ -626,8 +636,8 @@ public class AppsController extends EPRestrictedBaseController { String appName = request.getParameter("appParam"); app = appService.getAppDetailByAppName(appName); if (user != null && (adminRolesService.isAccountAdminOfApplication(user, app) - || (adminRolesService.isSuperAdmin(user) && app.getId() == PortalConstants.PORTAL_APP_ID))) - EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/singleAppInfo" + appName, "GET result =", app); + || (adminRolesService.isSuperAdmin(user) && app.getId().equals(PortalConstants.PORTAL_APP_ID)))) + EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/singleAppInfo" + appName, GET_RESULT, app); else{ app= null; EcompPortalUtils.setBadPermissions(user, response, "createAdmin"); @@ -659,8 +669,8 @@ public class AppsController extends EPRestrictedBaseController { app.setCentralAuth(false); } if (user != null && (adminRolesService.isAccountAdminOfApplication(user, app) - || (adminRolesService.isSuperAdmin(user) && app.getId() == PortalConstants.PORTAL_APP_ID))) - EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/singleAppInfoById" + appId, "GET result =", app); + || (adminRolesService.isSuperAdmin(user) && app.getId().equals(PortalConstants.PORTAL_APP_ID)))) + EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/singleAppInfoById" + appId, GET_RESULT, app); else{ app= null; EcompPortalUtils.setBadPermissions(user, response, "createAdmin"); @@ -680,7 +690,7 @@ public class AppsController extends EPRestrictedBaseController { * HTTP servlet response * @return List */ - @RequestMapping(value = { "/portalApi/onboardingApps" }, method = RequestMethod.GET, produces = "application/json") + @RequestMapping(value = { PORTAL_API_ONBOARDING_APPS }, method = RequestMethod.GET, produces = "application/json") public List getOnboardingApps(HttpServletRequest request, HttpServletResponse response) { EPUser user = EPUserUtils.getUserSession(request); List onboardingApps = null; @@ -697,8 +707,8 @@ public class AppsController extends EPRestrictedBaseController { //get all his admin apps onboardingApps = appService.getAdminAppsOfUser(user); } - EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/onboardingApps", "GET result =", - "onboardingApps of size " + onboardingApps.size()); + EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_ONBOARDING_APPS, GET_RESULT, + "onboardingApps of size " + (onboardingApps != null ? onboardingApps.size() : 0)); } } catch (Exception e) { logger.error(EELFLoggerDelegate.errorLogger, "getOnboardingApps failed", e); @@ -718,14 +728,12 @@ public class AppsController extends EPRestrictedBaseController { * @return FieldsValidator * @throws Exception */ - @RequestMapping(value = { "/portalApi/onboardingApps" }, method = RequestMethod.PUT, produces = "application/json") + @RequestMapping(value = { PORTAL_API_ONBOARDING_APPS }, method = RequestMethod.PUT, produces = "application/json") public FieldsValidator putOnboardingApp(HttpServletRequest request, - @RequestBody OnboardingApp modifiedOnboardingApp, HttpServletResponse response) throws Exception { + @RequestBody OnboardingApp modifiedOnboardingApp, HttpServletResponse response) { FieldsValidator fieldsValidator = null; EPUser user = null; - EPApp oldEPApp = null; - oldEPApp = appService.getApp(modifiedOnboardingApp.id); - ResponseEntity res = null; + EPApp oldEPApp = appService.getApp(modifiedOnboardingApp.id); try { user = EPUserUtils.getUserSession(request); @@ -734,20 +742,7 @@ public class AppsController extends EPRestrictedBaseController { } else { if((oldEPApp.getCentralAuth() && modifiedOnboardingApp.isCentralAuth && !oldEPApp.getNameSpace().equalsIgnoreCase(modifiedOnboardingApp.nameSpace) && modifiedOnboardingApp.nameSpace!= null ) || (!oldEPApp.getCentralAuth() && modifiedOnboardingApp.isCentralAuth && modifiedOnboardingApp.nameSpace!= null)) { - try { - res = appService.checkIfNameSpaceIsValid(modifiedOnboardingApp.nameSpace); - } catch (HttpClientErrorException e) { - logger.error(EELFLoggerDelegate.errorLogger, "checkIfNameSpaceExists failed", e); - EPLogUtil.logExternalAuthAccessAlarm(logger, e.getStatusCode()); - if (e.getStatusCode() == HttpStatus.NOT_FOUND || e.getStatusCode() == HttpStatus.FORBIDDEN) { - fieldsValidator = setResponse(e.getStatusCode(),fieldsValidator,response); - throw new InvalidApplicationException("Invalid NameSpace"); - }else{ - fieldsValidator = setResponse(e.getStatusCode(),fieldsValidator,response); - throw e; - } - } - + checkIfNameSpaceIsValid(modifiedOnboardingApp, fieldsValidator, response); } modifiedOnboardingApp.normalize(); fieldsValidator = appService.modifyOnboardingApp(modifiedOnboardingApp, user); @@ -767,7 +762,7 @@ public class AppsController extends EPRestrictedBaseController { logger.error(EELFLoggerDelegate.errorLogger, "putOnboardingApps failed", e); } } - EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/onboardingApps", "PUT result =", + EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_ONBOARDING_APPS, PUT_RESULT, response.getStatus()); return fieldsValidator; } @@ -784,7 +779,7 @@ public class AppsController extends EPRestrictedBaseController { * app to add * @return FieldsValidator */ - @RequestMapping(value = { "/portalApi/onboardingApps" }, method = RequestMethod.POST, produces = "application/json") + @RequestMapping(value = { PORTAL_API_ONBOARDING_APPS }, method = RequestMethod.POST, produces = "application/json") public FieldsValidator postOnboardingApp(HttpServletRequest request, @RequestBody OnboardingApp newOnboardingApp, HttpServletResponse response) { FieldsValidator fieldsValidator = null; @@ -794,21 +789,7 @@ public class AppsController extends EPRestrictedBaseController { EcompPortalUtils.setBadPermissions(user, response, "postOnboardingApps"); } else { newOnboardingApp.normalize(); - ResponseEntity res = null; - try { - if( !(newOnboardingApp.nameSpace == null) && !newOnboardingApp.nameSpace.isEmpty()) - res = appService.checkIfNameSpaceIsValid(newOnboardingApp.nameSpace); - } catch (HttpClientErrorException e) { - logger.error(EELFLoggerDelegate.errorLogger, "checkIfNameSpaceExists failed", e); - EPLogUtil.logExternalAuthAccessAlarm(logger, e.getStatusCode()); - if (e.getStatusCode() == HttpStatus.NOT_FOUND || e.getStatusCode() == HttpStatus.FORBIDDEN) { - fieldsValidator = setResponse(e.getStatusCode(),fieldsValidator,response); - throw new InvalidApplicationException("Invalid NameSpace"); - }else{ - fieldsValidator = setResponse(e.getStatusCode(),fieldsValidator,response); - throw e; - } - } + checkIfNameSpaceIsValid(newOnboardingApp, fieldsValidator, response); fieldsValidator = appService.addOnboardingApp(newOnboardingApp, user); response.setStatus(fieldsValidator.httpStatusCode.intValue()); } @@ -824,22 +805,22 @@ public class AppsController extends EPRestrictedBaseController { logger.error(EELFLoggerDelegate.errorLogger, "postOnboardingApp failed", e); } - EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/onboardingApps", "POST result =", + EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_ONBOARDING_APPS, "POST result =", response.getStatus()); return fieldsValidator; } - private FieldsValidator setResponse(HttpStatus statusCode,FieldsValidator fieldsValidator,HttpServletResponse response) + private FieldsValidator setResponse(HttpStatus statusCode, HttpServletResponse response) { - fieldsValidator = new FieldsValidator(); + FieldsValidator fieldsValidator = new FieldsValidator(); if (statusCode == HttpStatus.NOT_FOUND || statusCode == HttpStatus.FORBIDDEN) { - fieldsValidator.httpStatusCode = new Long(HttpServletResponse.SC_NOT_FOUND); + fieldsValidator.httpStatusCode = (long) HttpServletResponse.SC_NOT_FOUND; logger.error(EELFLoggerDelegate.errorLogger, "setResponse failed"+ "invalid namespace"); }else if (statusCode == HttpStatus.UNAUTHORIZED) { - fieldsValidator.httpStatusCode = new Long(HttpServletResponse.SC_UNAUTHORIZED); + fieldsValidator.httpStatusCode = (long) HttpServletResponse.SC_UNAUTHORIZED; logger.error(EELFLoggerDelegate.errorLogger, "setResponse failed"+ "unauthorized"); } else{ - fieldsValidator.httpStatusCode = new Long(HttpServletResponse.SC_BAD_REQUEST); + fieldsValidator.httpStatusCode = (long) HttpServletResponse.SC_BAD_REQUEST; logger.error(EELFLoggerDelegate.errorLogger, "setResponse failed ",statusCode); } @@ -880,7 +861,7 @@ public class AppsController extends EPRestrictedBaseController { response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); } - EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/onboardingApps" + appId, "DELETE result =", + EcompPortalUtils.logAndSerializeObject(logger, PORTAL_API_ONBOARDING_APPS + appId, "DELETE result =", response.getStatus()); return fieldsValidator; } @@ -918,8 +899,29 @@ public class AppsController extends EPRestrictedBaseController { HttpHeaders header = new HttpHeaders(); header.setContentType(mediaType); header.setContentLength(app.getThumbnail().length); - return new HttpEntity(app.getThumbnail(), header); + return new HttpEntity<>(app.getThumbnail(), header); } + private void checkIfNameSpaceIsValid(OnboardingApp modifiedOnboardingApp, FieldsValidator fieldsValidator, HttpServletResponse response) + throws InvalidApplicationException { + try { + ResponseEntity res = appService.checkIfNameSpaceIsValid(modifiedOnboardingApp.nameSpace); + } catch (HttpClientErrorException e) { + logger.error(EELFLoggerDelegate.errorLogger, "checkIfNameSpaceExists failed", e); + EPLogUtil.logExternalAuthAccessAlarm(logger, e.getStatusCode()); + if (e.getStatusCode() == HttpStatus.NOT_FOUND || e.getStatusCode() == HttpStatus.FORBIDDEN) { + fieldsValidator = setResponse(e.getStatusCode(),response); + throw new InvalidApplicationException("Invalid NameSpace"); + }else{ + fieldsValidator = setResponse(e.getStatusCode(),response); + throw e; + } + } catch (Exception e) { + e.printStackTrace(); + } + } + private boolean isNotNullAndNotValid(Object o){ + return o!=null && !dataValidator.isValid(o); + } } diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AuditLogController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AuditLogController.java index 67d75666..cff8245a 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AuditLogController.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/AuditLogController.java @@ -43,6 +43,8 @@ import java.util.UUID; import javax.servlet.http.HttpServletRequest; +import org.onap.portalapp.validation.DataValidator; +import org.onap.portalapp.validation.SecureString; import org.slf4j.MDC; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.bind.annotation.RequestMapping; @@ -68,14 +70,18 @@ import org.onap.portalsdk.core.util.SystemProperties; @RestController @RequestMapping("/portalApi/auditLog") public class AuditLogController extends EPRestrictedBaseController { - private static EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(DashboardController.class); + private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(DashboardController.class); + private static final DataValidator dataValidator = new DataValidator(); - @Autowired private AuditService auditService; + @Autowired + public AuditLogController(AuditService auditService) { + this.auditService = auditService; + } /** * Store audit log of the specified access type. - * + * * @param request * HttpServletRequest * @param affectedAppId @@ -90,34 +96,50 @@ public class AuditLogController extends EPRestrictedBaseController { @RequestParam String comment) { logger.debug(EELFLoggerDelegate.debugLogger, "auditLog: appId {}, type {}, comment {}", affectedAppId, type, comment); - String cd_type = null; + String cdType = null; + + SecureString secureString0 = new SecureString(affectedAppId); + SecureString secureString1 = new SecureString(type); + SecureString secureString2 = new SecureString(comment); + if ( !dataValidator.isValid(secureString0) + ||!dataValidator.isValid(secureString1) + ||!dataValidator.isValid(secureString2)){ + return; + } + try { EPUser user = EPUserUtils.getUserSession(request); /* Check type of Activity CD */ - if (type.equals("app")) { - cd_type = AuditLog.CD_ACTIVITY_APP_ACCESS; - } else if (type.equals("tab")) { - cd_type = AuditLog.CD_ACTIVITY_TAB_ACCESS; - } else if (type.equals("functional")) { - cd_type = AuditLog.CD_ACTIVITY_FUNCTIONAL_ACCESS; - } else if (type.equals("leftMenu")) { - cd_type = AuditLog.CD_ACTIVITY_LEFT_MENU_ACCESS; - } else { - logger.error(EELFLoggerDelegate.errorLogger, + switch (type) { + case "app": + cdType = AuditLog.CD_ACTIVITY_APP_ACCESS; + break; + case "tab": + cdType = AuditLog.CD_ACTIVITY_TAB_ACCESS; + break; + case "functional": + cdType = AuditLog.CD_ACTIVITY_FUNCTIONAL_ACCESS; + break; + case "leftMenu": + cdType = AuditLog.CD_ACTIVITY_LEFT_MENU_ACCESS; + break; + default: + logger.error(EELFLoggerDelegate.errorLogger, "Storing auditLog failed! Activity CD type is not correct."); + break; } /* Store the audit log only if it contains valid Activity CD */ - if (cd_type != null) { + if (cdType != null) { AuditLog auditLog = new AuditLog(); - auditLog.setActivityCode(cd_type); + auditLog.setActivityCode(cdType); /* * Check affectedAppId and comment and see if these two values * are valid */ - if (comment != null && !comment.equals("") && !comment.equals("undefined")) + if (comment != null && !comment.isEmpty() && !"undefined".equals(comment)) auditLog.setComments( EcompPortalUtils.truncateString(comment, PortalConstants.AUDIT_LOG_COMMENT_SIZE)); - if (affectedAppId != null && !affectedAppId.equals("") && !affectedAppId.equals("undefined")) + if (affectedAppId != null && !affectedAppId.isEmpty() && !"undefined".equals(affectedAppId)) auditLog.setAffectedRecordId(affectedAppId); long userId = EPUserUtils.getUserId(request); auditLog.setUserId(userId); @@ -140,7 +162,7 @@ public class AuditLogController extends EPRestrictedBaseController { MDC.put(SystemProperties.MDC_TIMER, timeDifference); MDC.put(EPCommonSystemProperties.STATUS_CODE, "COMPLETE"); logger.info(EELFLoggerDelegate.auditLogger, EPLogUtil.formatAuditLogMessage( - "AuditLogController.auditLog", cd_type, user.getOrgUserId(), affectedAppId, comment)); + "AuditLogController.auditLog", cdType, user.getOrgUserId(), affectedAppId, comment)); MDC.remove(EPCommonSystemProperties.AUDITLOG_BEGIN_TIMESTAMP); MDC.remove(EPCommonSystemProperties.AUDITLOG_END_TIMESTAMP); } diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/SharedContextRestController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/SharedContextRestController.java index ba77c56f..9e3428e6 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/SharedContextRestController.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/SharedContextRestController.java @@ -48,10 +48,13 @@ import javax.servlet.http.HttpServletResponse; import org.onap.portalapp.controller.EPRestrictedRESTfulBaseController; import org.onap.portalapp.portal.domain.SharedContext; +import org.onap.portalapp.portal.exceptions.NotValidDataException; import org.onap.portalapp.portal.logging.aop.EPAuditLog; import org.onap.portalapp.portal.service.SharedContextService; import org.onap.portalapp.portal.utils.EPCommonSystemProperties; import org.onap.portalapp.portal.utils.PortalConstants; +import org.onap.portalapp.validation.DataValidator; +import org.onap.portalapp.validation.SecureString; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Configuration; @@ -85,33 +88,20 @@ import io.swagger.annotations.ApiOperation; @EnableAspectJAutoProxy @EPAuditLog public class SharedContextRestController extends EPRestrictedRESTfulBaseController { + private static final DataValidator dataValidator = new DataValidator(); + private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SharedContextRestController.class); + private static final ObjectMapper mapper = new ObjectMapper(); - /** - * Model for a one-element JSON object returned by many methods. - */ - class SharedContextJsonResponse { - String response; - } - - /** - * Access to the database - */ - @Autowired private SharedContextService contextService; - /** - * Logger for debug etc. - */ - private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SharedContextRestController.class); - - /** - * Reusable JSON (de)serializer - */ - private final ObjectMapper mapper = new ObjectMapper(); + @Autowired + public SharedContextRestController(SharedContextService contextService) { + this.contextService = contextService; + } /** * Gets a value for the specified context and key (RESTful service method). - * + * * @param request * HTTP servlet request * @param context_id @@ -127,13 +117,18 @@ public class SharedContextRestController extends EPRestrictedRESTfulBaseControll @RequestMapping(value = { "/get" }, method = RequestMethod.GET, produces = "application/json") public String getContext(HttpServletRequest request, @RequestParam String context_id, @RequestParam String ckey) throws Exception { - logger.debug(EELFLoggerDelegate.debugLogger, "getContext for ID " + context_id + ", key " + ckey); if (context_id == null || ckey == null) throw new Exception("Received null for context_id and/or ckey"); + SecureString secureContextId = new SecureString(context_id); + SecureString secureCKey = new SecureString(ckey); + + if(!dataValidator.isValid(secureContextId) || !dataValidator.isValid(secureCKey)){ + throw new NotValidDataException("Received not valid for context_id and/or ckey"); + } SharedContext context = contextService.getSharedContext(context_id, ckey); - String jsonResponse = ""; + String jsonResponse; if (context == null) jsonResponse = convertResponseToJSON(context); else @@ -144,7 +139,7 @@ public class SharedContextRestController extends EPRestrictedRESTfulBaseControll /** * Gets user information for the specified context (RESTful service method). - * + * * @param request * HTTP servlet request * @param context_id @@ -162,8 +157,11 @@ public class SharedContextRestController extends EPRestrictedRESTfulBaseControll logger.debug(EELFLoggerDelegate.debugLogger, "getUserContext for ID " + context_id); if (context_id == null) throw new Exception("Received null for context_id"); + SecureString secureContextId = new SecureString(context_id); + if (!dataValidator.isValid(secureContextId)) + throw new NotValidDataException("context_id is not valid"); - List listSharedContext = new ArrayList(); + List listSharedContext = new ArrayList<>(); SharedContext firstNameContext = contextService.getSharedContext(context_id, EPCommonSystemProperties.USER_FIRST_NAME); SharedContext lastNameContext = contextService.getSharedContext(context_id, @@ -179,14 +177,13 @@ public class SharedContextRestController extends EPRestrictedRESTfulBaseControll listSharedContext.add(emailContext); if (orgUserIdContext != null) listSharedContext.add(orgUserIdContext); - String jsonResponse = convertResponseToJSON(listSharedContext); - return jsonResponse; + return convertResponseToJSON(listSharedContext); } /** * Tests for presence of the specified key in the specified context (RESTful * service method). - * + * * @param request * HTTP servlet request * @param context_id @@ -208,19 +205,24 @@ public class SharedContextRestController extends EPRestrictedRESTfulBaseControll if (context_id == null || ckey == null) throw new Exception("Received null for contextId and/or key"); + SecureString secureContextId = new SecureString(context_id); + SecureString secureCKey = new SecureString(ckey); + + if (!dataValidator.isValid(secureContextId) || !dataValidator.isValid(secureCKey)) + throw new NotValidDataException("Not valid data for contextId and/or key"); + String response = null; SharedContext context = contextService.getSharedContext(context_id, ckey); if (context != null) response = "exists"; - String jsonResponse = convertResponseToJSON(response); - return jsonResponse; + return convertResponseToJSON(response); } /** * Removes the specified key in the specified context (RESTful service * method). - * + * * @param request * HTTP servlet request * @param context_id @@ -242,6 +244,12 @@ public class SharedContextRestController extends EPRestrictedRESTfulBaseControll if (context_id == null || ckey == null) throw new Exception("Received null for contextId and/or key"); + SecureString secureContextId = new SecureString(context_id); + SecureString secureCKey = new SecureString(ckey); + + if (!dataValidator.isValid(secureContextId) || !dataValidator.isValid(secureCKey)) + throw new NotValidDataException("Not valid data for contextId and/or key"); + SharedContext context = contextService.getSharedContext(context_id, ckey); String response = null; if (context != null) { @@ -249,14 +257,13 @@ public class SharedContextRestController extends EPRestrictedRESTfulBaseControll response = "removed"; } - String jsonResponse = convertResponseToJSON(response); - return jsonResponse; + return convertResponseToJSON(response); } /** * Clears all key-value pairs in the specified context (RESTful service * method). - * + * * @param request * HTTP servlet request * @param context_id @@ -275,16 +282,20 @@ public class SharedContextRestController extends EPRestrictedRESTfulBaseControll if (context_id == null) throw new Exception("clearContext: Received null for contextId"); + SecureString secureContextId = new SecureString(context_id); + + if (!dataValidator.isValid(secureContextId)) + throw new NotValidDataException("Not valid data for contextId"); + int count = contextService.deleteSharedContexts(context_id); - String jsonResponse = convertResponseToJSON(Integer.toString(count)); - return jsonResponse; + return convertResponseToJSON(Integer.toString(count)); } /** * Sets a context value for the specified context and key (RESTful service * method). Creates the context if no context with the specified ID-key pair * exists, overwrites the value if it exists already. - * + * * @param request * HTTP servlet request * @param userJson @@ -302,6 +313,11 @@ public class SharedContextRestController extends EPRestrictedRESTfulBaseControll @ApiOperation(value = "Sets a context value for the specified context and key. Creates the context if no context with the specified ID-key pair exists, overwrites the value if it exists already.", response = SharedContextJsonResponse.class) @RequestMapping(value = { "/set" }, method = RequestMethod.POST, produces = "application/json") public String setContext(HttpServletRequest request, @RequestBody String userJson) throws Exception { + if (userJson !=null){ + SecureString secureUserJson = new SecureString(userJson); + if (!dataValidator.isValid(secureUserJson)) + throw new NotValidDataException("Not valid data for userJson"); + } @SuppressWarnings("unchecked") Map userData = mapper.readValue(userJson, Map.class); @@ -313,7 +329,7 @@ public class SharedContextRestController extends EPRestrictedRESTfulBaseControll throw new Exception("setContext: received null for contextId and/or key"); logger.debug(EELFLoggerDelegate.debugLogger, "setContext: ID " + contextId + ", key " + key + "->" + value); - String response = null; + String response; SharedContext existing = contextService.getSharedContext(contextId, key); if (existing == null) { contextService.addSharedContext(contextId, key, value); @@ -322,53 +338,49 @@ public class SharedContextRestController extends EPRestrictedRESTfulBaseControll contextService.saveSharedContext(existing); } response = existing == null ? "added" : "replaced"; - String jsonResponse = convertResponseToJSON(response); - return jsonResponse; + return convertResponseToJSON(response); } /** * Creates a two-element JSON object tagged "response". - * + * * @param responseBody * @return JSON object as String * @throws JsonProcessingException */ private String convertResponseToJSON(String responseBody) throws JsonProcessingException { - Map responseMap = new HashMap(); + Map responseMap = new HashMap<>(); responseMap.put("response", responseBody); - String response = mapper.writeValueAsString(responseMap); - return response; + return mapper.writeValueAsString(responseMap); } /** * Converts a list of SharedContext objects to a JSON array. - * + * * @param contextList * @return JSON array as String * @throws JsonProcessingException */ private String convertResponseToJSON(List contextList) throws JsonProcessingException { - String jsonArray = mapper.writeValueAsString(contextList); - return jsonArray; + return mapper.writeValueAsString(contextList); } /** * Creates a JSON object with the content of the shared context; null is ok. - * + * * @param context * @return tag "response" with collection of context object's fields * @throws JsonProcessingException */ private String convertResponseToJSON(SharedContext context) throws JsonProcessingException { - Map responseMap = new HashMap(); + Map responseMap = new HashMap<>(); responseMap.put("response", context); - String responseBody = mapper.writeValueAsString(responseMap); - return responseBody; + return mapper.writeValueAsString(responseMap); } /** * Handles any exception thrown by a method in this controller. - * + * * @param e * Exception * @param response @@ -382,3 +394,7 @@ public class SharedContextRestController extends EPRestrictedRESTfulBaseControll } } +class SharedContextJsonResponse { + String response; +} + diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/WidgetsController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/WidgetsController.java index f2bba8b8..45035a25 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/WidgetsController.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/WidgetsController.java @@ -52,10 +52,13 @@ import org.onap.portalapp.portal.service.PersUserWidgetService; import org.onap.portalapp.portal.service.WidgetService; import org.onap.portalapp.portal.transport.FieldsValidator; import org.onap.portalapp.portal.transport.OnboardingWidget; +import org.onap.portalapp.portal.transport.WidgetCatalogPersonalization; import org.onap.portalapp.portal.utils.EcompPortalUtils; import org.onap.portalapp.util.EPUserUtils; +import org.onap.portalapp.validation.DataValidator; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.EnableAspectJAutoProxy; import org.springframework.web.bind.annotation.PathVariable; import org.springframework.web.bind.annotation.RequestBody; @@ -64,30 +67,36 @@ import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RestController; @RestController -@org.springframework.context.annotation.Configuration +@Configuration @EnableAspectJAutoProxy @EPAuditLog public class WidgetsController extends EPRestrictedBaseController { - private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(WidgetsController.class); - - @Autowired + private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(WidgetsController.class); + private static final DataValidator dataValidator = new DataValidator(); + private AdminRolesService adminRolesService; - @Autowired private WidgetService widgetService; - @Autowired private PersUserWidgetService persUserWidgetService; + @Autowired + public WidgetsController(AdminRolesService adminRolesService, + WidgetService widgetService, PersUserWidgetService persUserWidgetService) { + this.adminRolesService = adminRolesService; + this.widgetService = widgetService; + this.persUserWidgetService = persUserWidgetService; + } + @RequestMapping(value = { "/portalApi/widgets" }, method = RequestMethod.GET, produces = "application/json") public List getOnboardingWidgets(HttpServletRequest request, HttpServletResponse response) { EPUser user = EPUserUtils.getUserSession(request); List onboardingWidgets = null; - + if (user == null || user.isGuest()) { EcompPortalUtils.setBadPermissions(user, response, "getOnboardingWidgets"); } else { String getType = request.getHeader("X-Widgets-Type"); - if (!StringUtils.isEmpty(getType) && (getType.equals("managed") || getType.equals("all"))) { - onboardingWidgets = widgetService.getOnboardingWidgets(user, getType.equals("managed")); + if (!StringUtils.isEmpty(getType) && ("managed".equals(getType) || "all".equals(getType))) { + onboardingWidgets = widgetService.getOnboardingWidgets(user, "managed".equals(getType)); } else { logger.debug(EELFLoggerDelegate.debugLogger, "WidgetsController.getOnboardingApps - request must contain header 'X-Widgets-Type' with 'all' or 'managed'"); response.setStatus(HttpServletResponse.SC_BAD_REQUEST); @@ -112,6 +121,14 @@ public class WidgetsController extends EPRestrictedBaseController { @RequestBody OnboardingWidget onboardingWidget, HttpServletResponse response) { EPUser user = EPUserUtils.getUserSession(request); FieldsValidator fieldsValidator = null; + if (onboardingWidget!=null){ + if(!dataValidator.isValid(onboardingWidget)){ + fieldsValidator = new FieldsValidator(); + fieldsValidator.setHttpStatusCode((long)HttpServletResponse.SC_NOT_ACCEPTABLE); + return fieldsValidator; + } + } + if (userHasPermissions(user, response, "putOnboardingWidget")) { onboardingWidget.id = widgetId; // ! onboardingWidget.normalize(); @@ -119,7 +136,7 @@ public class WidgetsController extends EPRestrictedBaseController { response.setStatus(fieldsValidator.httpStatusCode.intValue()); } EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/widgets/" + widgetId, "GET result =", response.getStatus()); - + return fieldsValidator; } @@ -127,15 +144,23 @@ public class WidgetsController extends EPRestrictedBaseController { @RequestMapping(value = { "/portalApi/widgets" }, method = { RequestMethod.POST }, produces = "application/json") public FieldsValidator postOnboardingWidget(HttpServletRequest request, @RequestBody OnboardingWidget onboardingWidget, HttpServletResponse response) { EPUser user = EPUserUtils.getUserSession(request); - FieldsValidator fieldsValidator = null; ; - + FieldsValidator fieldsValidator = null; + + if (onboardingWidget!=null){ + if(!dataValidator.isValid(onboardingWidget)){ + fieldsValidator = new FieldsValidator(); + fieldsValidator.setHttpStatusCode((long)HttpServletResponse.SC_NOT_ACCEPTABLE); + return fieldsValidator; + } + } + if (userHasPermissions(user, response, "postOnboardingWidget")) { onboardingWidget.id = null; // ! onboardingWidget.normalize(); fieldsValidator = widgetService.setOnboardingWidget(user, onboardingWidget); response.setStatus(fieldsValidator.httpStatusCode.intValue()); } - + EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/widgets", "POST result =", response.getStatus()); return fieldsValidator; } @@ -143,17 +168,17 @@ public class WidgetsController extends EPRestrictedBaseController { @RequestMapping(value = { "/portalApi/widgets/{widgetId}" }, method = { RequestMethod.DELETE }, produces = "application/json") public FieldsValidator deleteOnboardingWidget(HttpServletRequest request, @PathVariable("widgetId") Long widgetId, HttpServletResponse response) { EPUser user = EPUserUtils.getUserSession(request); - FieldsValidator fieldsValidator = null; ; - + FieldsValidator fieldsValidator = null; + if (userHasPermissions(user, response, "deleteOnboardingWidget")) { fieldsValidator = widgetService.deleteOnboardingWidget(user, widgetId); response.setStatus(fieldsValidator.httpStatusCode.intValue()); } - + EcompPortalUtils.logAndSerializeObject(logger, "/portalApi/widgets/" + widgetId, "DELETE result =", response.getStatus()); return fieldsValidator; } - + /** * service to accept a user's action made on the application * catalog. @@ -167,9 +192,18 @@ public class WidgetsController extends EPRestrictedBaseController { */ @RequestMapping(value = { "portalApi/widgetCatalogSelection" }, method = RequestMethod.PUT, produces = "application/json") public FieldsValidator putWidgetCatalogSelection(HttpServletRequest request, - @RequestBody org.onap.portalapp.portal.transport.WidgetCatalogPersonalization persRequest, HttpServletResponse response) throws IOException { + @RequestBody WidgetCatalogPersonalization persRequest, HttpServletResponse response) throws IOException { FieldsValidator result = new FieldsValidator(); EPUser user = EPUserUtils.getUserSession(request); + + if (persRequest!=null){ + if(!dataValidator.isValid(persRequest)){ + result.httpStatusCode = (long)HttpServletResponse.SC_NOT_ACCEPTABLE; + return result; + } + } + + try { if (persRequest.getWidgetId() == null || user == null) { EcompPortalUtils.setBadPermissions(user, response, "putWidgetCatalogSelection"); @@ -180,7 +214,7 @@ public class WidgetsController extends EPRestrictedBaseController { logger.error(EELFLoggerDelegate.errorLogger, "Failed in putAppCatalogSelection", e); response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.toString()); } - result.httpStatusCode = new Long(HttpServletResponse.SC_OK); + result.httpStatusCode = (long) HttpServletResponse.SC_OK; return result; } } \ No newline at end of file diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/ecomp/model/AppContactUsItem.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/ecomp/model/AppContactUsItem.java index c7c8ebcc..2d52626f 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/ecomp/model/AppContactUsItem.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/ecomp/model/AppContactUsItem.java @@ -40,6 +40,7 @@ package org.onap.portalapp.portal.ecomp.model; import javax.persistence.Entity; import javax.persistence.Id; +import org.hibernate.validator.constraints.SafeHtml; import org.onap.portalsdk.core.domain.support.DomainVo; import com.fasterxml.jackson.annotation.JsonInclude; @@ -55,11 +56,17 @@ public class AppContactUsItem extends DomainVo { @Id private Long appId; + @SafeHtml private String appName; + @SafeHtml private String description; + @SafeHtml private String contactName; + @SafeHtml private String contactEmail; + @SafeHtml private String url; + @SafeHtml private String activeYN; public Long getAppId() { diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/exceptions/NotValidDataException.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/exceptions/NotValidDataException.java new file mode 100644 index 00000000..2a26ab31 --- /dev/null +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/exceptions/NotValidDataException.java @@ -0,0 +1,51 @@ +/*- + * ============LICENSE_START========================================== + * ONAP Portal + * =================================================================== + * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * =================================================================== + * + * Unless otherwise specified, all software contained herein is licensed + * under the Apache License, Version 2.0 (the "License"); + * you may not use this software except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Unless otherwise specified, all documentation contained herein is licensed + * under the Creative Commons License, Attribution 4.0 Intl. (the "License"); + * you may not use this documentation except in compliance with the License. + * You may obtain a copy of the License at + * + * https://creativecommons.org/licenses/by/4.0/ + * + * Unless required by applicable law or agreed to in writing, documentation + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * ============LICENSE_END============================================ + * + * + */ + +package org.onap.portalapp.portal.exceptions; + +public class NotValidDataException extends Exception { + + public NotValidDataException(String msg) { + super(msg); + } + + @Override + public String toString() { + return "NotValidDataException{}: " + this.getMessage(); + } +} diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsManualPreference.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsManualPreference.java index 0bd4db3a..1aa42193 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsManualPreference.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsManualPreference.java @@ -37,18 +37,24 @@ */ package org.onap.portalapp.portal.transport; +import org.hibernate.validator.constraints.SafeHtml; + public class EPAppsManualPreference { private Long appid; private int col; + @SafeHtml private String headerText; + @SafeHtml private String imageLink; private int order; private boolean restrictedApp; private int row; private int sizeX; private int sizeY; + @SafeHtml private String subHeaderText; + @SafeHtml private String url; private boolean addRemoveApps; diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsSortPreference.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsSortPreference.java index 85a6a03b..796f67fb 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsSortPreference.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPAppsSortPreference.java @@ -37,10 +37,14 @@ */ package org.onap.portalapp.portal.transport; +import org.hibernate.validator.constraints.SafeHtml; + public class EPAppsSortPreference { private int index; + @SafeHtml private String value; + @SafeHtml private String title; public int getIndex() { diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPWidgetsSortPreference.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPWidgetsSortPreference.java index 03b7c141..e1f5c292 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPWidgetsSortPreference.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/EPWidgetsSortPreference.java @@ -38,15 +38,19 @@ package org.onap.portalapp.portal.transport; import java.util.List; +import org.hibernate.validator.constraints.SafeHtml; public class EPWidgetsSortPreference { private int SizeX; private int SizeY; + @SafeHtml private String headerText; + @SafeHtml private String url; private Long widgetid; private List attrb; + @SafeHtml private String widgetIdentifier; private int row; private int col; diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/OnboardingWidget.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/OnboardingWidget.java index 4f0a7d60..40460796 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/OnboardingWidget.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/transport/OnboardingWidget.java @@ -42,6 +42,7 @@ import java.io.Serializable; import javax.persistence.Column; import javax.persistence.Entity; import javax.persistence.Id; +import org.hibernate.validator.constraints.SafeHtml; @Entity public class OnboardingWidget implements Serializable { @@ -53,12 +54,14 @@ public class OnboardingWidget implements Serializable { public Long id; @Column(name = "WDG_NAME") + @SafeHtml public String name; @Column(name = "APP_ID") public Long appId; @Column(name = "APP_NAME") + @SafeHtml public String appName; @Column(name = "WDG_WIDTH") @@ -68,15 +71,16 @@ public class OnboardingWidget implements Serializable { public Integer height; @Column(name = "WDG_URL") + @SafeHtml public String url; public void normalize() { this.name = (this.name == null) ? "" : this.name.trim(); this.appName = (this.appName == null) ? "" : this.appName.trim(); if (this.width == null) - this.width = new Integer(0); + this.width = 0; if (this.height == null) - this.height = new Integer(0); + this.height = 0; this.url = (this.url == null) ? "" : this.url.trim(); } diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/DataValidator.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/DataValidator.java index 46a60c81..9fe3a887 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/DataValidator.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/validation/DataValidator.java @@ -47,15 +47,25 @@ import org.springframework.stereotype.Component; @Component public class DataValidator { - private static final ValidatorFactory VALIDATOR_FACTORY = Validation.buildDefaultValidatorFactory(); + private volatile static ValidatorFactory VALIDATOR_FACTORY; - public Set> getConstraintViolations(E classToValid){ + public DataValidator() { + if (VALIDATOR_FACTORY == null) { + synchronized (DataValidator.class) { + if (VALIDATOR_FACTORY == null) { + VALIDATOR_FACTORY = Validation.buildDefaultValidatorFactory(); + } + } + } + } + + public Set> getConstraintViolations(E classToValid) { Validator validator = VALIDATOR_FACTORY.getValidator(); Set> constraintViolations = validator.validate(classToValid); return constraintViolations; } - public boolean isValid(E classToValid){ + public boolean isValid(E classToValid) { Set> constraintViolations = getConstraintViolations(classToValid); return constraintViolations.isEmpty(); } diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppContactUsControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppContactUsControllerTest.java index b08a8769..f2b2d3da 100644 --- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppContactUsControllerTest.java +++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppContactUsControllerTest.java @@ -78,7 +78,7 @@ public class AppContactUsControllerTest extends MockitoTestSuite{ AppContactUsService contactUsService = new AppContactUsServiceImpl(); @InjectMocks - AppContactUsController appContactUsController = new AppContactUsController(); + AppContactUsController appContactUsController; @Before public void setup() { @@ -232,6 +232,25 @@ public class AppContactUsControllerTest extends MockitoTestSuite{ assertEquals(actualSaveAppContactUS.getMessage(), "SUCCESS"); } + @Test + public void saveXSSTest() throws Exception { + PortalRestResponse actualSaveAppContactUS = null; + + AppContactUsItem contactUs = new AppContactUsItem(); + contactUs.setAppId((long) 1); + contactUs.setAppName(""); + contactUs.setDescription("Test"); + contactUs.setContactName("Test"); + contactUs.setContactEmail("person@onap.org"); + contactUs.setUrl("Test_URL"); + contactUs.setActiveYN("Y"); + + Mockito.when(contactUsService.saveAppContactUs(contactUs)).thenReturn("FAILURE"); + actualSaveAppContactUS = appContactUsController.save(contactUs); + assertEquals("AppName is not valid.", actualSaveAppContactUS.getResponse()); + assertEquals("failure", actualSaveAppContactUS.getMessage()); + } + @Test public void saveExceptionTest() throws Exception { PortalRestResponse actualSaveAppContactUS = null; @@ -269,6 +288,19 @@ public class AppContactUsControllerTest extends MockitoTestSuite{ assertEquals(actualSaveAppContactUS.getMessage(), "SUCCESS"); } + @Test + public void saveAllXSSTest() throws Exception { + + List contactUs = mockResponse(); + AppContactUsItem appContactUsItem = new AppContactUsItem(); + appContactUsItem.setActiveYN(""); + contactUs.add(appContactUsItem); + PortalRestResponse actualSaveAppContactUS = null; + Mockito.when(contactUsService.saveAppContactUs(contactUs)).thenReturn("failure"); + actualSaveAppContactUS = appContactUsController.save(contactUs); + assertEquals("failure", actualSaveAppContactUS.getMessage()); + } + @Test public void saveAllExceptionTest() throws Exception { diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java index 4df1c2ac..58745d22 100644 --- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java +++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java @@ -58,7 +58,6 @@ import org.mockito.Matchers; import org.mockito.Mock; import org.mockito.Mockito; import org.mockito.MockitoAnnotations; -import org.onap.portalapp.portal.controller.AppsController; import org.onap.portalapp.portal.core.MockEPUser; import org.onap.portalapp.portal.domain.AdminUserApplications; import org.onap.portalapp.portal.domain.AppIdAndNameTransportModel; @@ -82,7 +81,6 @@ import org.onap.portalapp.portal.transport.EPWidgetsSortPreference; import org.onap.portalapp.portal.transport.FieldsValidator; import org.onap.portalapp.portal.transport.LocalRole; import org.onap.portalapp.portal.transport.OnboardingApp; -import org.onap.portalapp.portal.utils.EcompPortalUtils; import org.onap.portalapp.util.EPUserUtils; import org.onap.portalsdk.core.util.SystemProperties; import org.onap.portalsdk.core.web.support.AppUtils; @@ -100,7 +98,7 @@ import org.springframework.web.client.HttpClientErrorException; public class AppsControllerTest extends MockitoTestSuite{ @InjectMocks - AppsController appsController = new AppsController(); + AppsController appsController; @Mock AdminRolesService adminRolesService = new AdminRolesServiceImpl(); @@ -368,6 +366,38 @@ public class AppsControllerTest extends MockitoTestSuite{ assertEquals(actualFieldValidator, expectedFieldValidator); } + @Test + public void putUserAppsSortingManualXSSTest() { + EPUser user = mockUser.mockEPUser(); + EPAppsManualPreference preference = new EPAppsManualPreference(); + preference.setHeaderText(""); + Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user); + List ePAppsManualPreference = new ArrayList<>(); + FieldsValidator expectedFieldValidator = new FieldsValidator(); + expectedFieldValidator.setHttpStatusCode((long)HttpServletResponse.SC_NOT_ACCEPTABLE); + ePAppsManualPreference.add(preference); + Mockito.when(appService.saveAppsSortManual(ePAppsManualPreference, user)).thenReturn(expectedFieldValidator); + FieldsValidator actualFieldValidator = appsController.putUserAppsSortingManual(mockedRequest, ePAppsManualPreference, + mockedResponse); + assertEquals(actualFieldValidator, expectedFieldValidator); + } + + @Test + public void putUserWidgetsSortManualXSSTest() { + EPUser user = mockUser.mockEPUser(); + EPWidgetsSortPreference preference = new EPWidgetsSortPreference(); + preference.setHeaderText(""); + Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user); + List ePAppsManualPreference = new ArrayList<>(); + FieldsValidator expectedFieldValidator = new FieldsValidator(); + expectedFieldValidator.setHttpStatusCode((long)HttpServletResponse.SC_NOT_ACCEPTABLE); + ePAppsManualPreference.add(preference); + Mockito.when(appService.saveWidgetsSortManual(ePAppsManualPreference, user)).thenReturn(expectedFieldValidator); + FieldsValidator actualFieldValidator = appsController.putUserWidgetsSortManual(mockedRequest, ePAppsManualPreference, + mockedResponse); + assertEquals(expectedFieldValidator, actualFieldValidator); + } + @Test public void putUserAppsSortingManualExceptionTest() throws IOException { EPUser user = mockUser.mockEPUser(); @@ -404,7 +434,7 @@ public class AppsControllerTest extends MockitoTestSuite{ } @Test - public void putUserWidgetsSortPrefTest() throws IOException { + public void putUserWidgetsSortPrefTest() { EPUser user = mockUser.mockEPUser(); Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user); List ePWidgetsSortPreference = new ArrayList(); @@ -420,6 +450,24 @@ public class AppsControllerTest extends MockitoTestSuite{ assertEquals(actualFieldValidator, expectedFieldValidator); } + @Test + public void putUserWidgetsSortPrefXSSTest() { + EPUser user = mockUser.mockEPUser(); + Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user); + List ePWidgetsSortPreference = new ArrayList<>(); + EPWidgetsSortPreference preference = new EPWidgetsSortPreference(); + preference.setHeaderText(""); + ePWidgetsSortPreference.add(preference); + FieldsValidator expectedFieldValidator = new FieldsValidator(); + expectedFieldValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE); + FieldsValidator actualFieldValidator; + Mockito.when(appService.deleteUserWidgetSortPref(ePWidgetsSortPreference, user)) + .thenReturn(expectedFieldValidator); + actualFieldValidator = appsController.putUserWidgetsSortPref(mockedRequest, ePWidgetsSortPreference, + mockedResponse); + assertEquals(actualFieldValidator, expectedFieldValidator); + } + @Test public void putUserWidgetsSortPrefExceptionTest() throws IOException { EPUser user = mockUser.mockEPUser(); @@ -475,6 +523,23 @@ public class AppsControllerTest extends MockitoTestSuite{ assertEquals(actualFieldValidator, expectedFieldValidator); } + @Test + public void putUserAppsSortingPreferenceXSSTest() { + EPUser user = mockUser.mockEPUser(); + Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user); + EPAppsSortPreference userAppsValue = new EPAppsSortPreference(); + userAppsValue.setTitle(""); + FieldsValidator expectedFieldValidator = new FieldsValidator(); + expectedFieldValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE); + expectedFieldValidator.setFields(null); + expectedFieldValidator.setErrorCode(null); + FieldsValidator actualFieldValidator; + Mockito.when(appService.saveAppsSortPreference(userAppsValue, user)).thenReturn(expectedFieldValidator); + actualFieldValidator = appsController.putUserAppsSortingPreference(mockedRequest, userAppsValue, + mockedResponse); + assertEquals(actualFieldValidator, expectedFieldValidator); + } + @Test public void putUserAppsSortingPreferenceExceptionTest() throws IOException { EPUser user = mockUser.mockEPUser(); diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AuditLogControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AuditLogControllerTest.java index d8ed8c84..dfee854e 100644 --- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AuditLogControllerTest.java +++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AuditLogControllerTest.java @@ -66,7 +66,7 @@ public class AuditLogControllerTest { AuditService auditService; @InjectMocks - AuditLogController auditLogController = new AuditLogController(); + AuditLogController auditLogController; @Before public void setup() { diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/SharedContextRestControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/SharedContextRestControllerTest.java index 1607f423..49cccae5 100644 --- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/SharedContextRestControllerTest.java +++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/SharedContextRestControllerTest.java @@ -38,24 +38,19 @@ package org.onap.portalapp.portal.controller; */ -import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; -import java.io.IOException; +import com.fasterxml.jackson.databind.ObjectMapper; import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.UUID; - import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; - import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; -import org.drools.core.command.assertion.AssertEquals; import org.json.JSONObject; -import org.junit.Assert; import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; @@ -64,24 +59,15 @@ import org.mockito.Matchers; import org.mockito.Mock; import org.mockito.Mockito; import org.mockito.MockitoAnnotations; -import org.onap.portalapp.portal.controller.SharedContextRestClient; -import org.onap.portalapp.portal.controller.SharedContextTestProperties; import org.onap.portalapp.portal.core.MockEPUser; -import org.onap.portalapp.portal.domain.CentralV2RoleFunction; import org.onap.portalapp.portal.domain.SharedContext; +import org.onap.portalapp.portal.exceptions.NotValidDataException; import org.onap.portalapp.portal.framework.MockitoTestSuite; -import org.onap.portalapp.portal.scheduler.SchedulerProperties; import org.onap.portalapp.portal.service.SharedContextService; import org.onap.portalapp.portal.utils.EPCommonSystemProperties; -import org.onap.portalsdk.core.util.SystemProperties; -import org.onap.portalsdk.core.web.support.UserUtils; import org.powermock.api.mockito.PowerMockito; import org.powermock.core.classloader.annotations.PrepareForTest; import org.powermock.modules.junit4.PowerMockRunner; -import org.springframework.beans.factory.annotation.Autowired; - -import com.fasterxml.jackson.databind.DeserializationFeature; -import com.fasterxml.jackson.databind.ObjectMapper; /** * Tests the endpoints exposed by the Shared Context controller in Portal. @@ -95,7 +81,7 @@ public class SharedContextRestControllerTest { SharedContextService contextService; @InjectMocks - SharedContextRestController sharedContextRestController=new SharedContextRestController(); + SharedContextRestController sharedContextRestController=new SharedContextRestController(contextService); @Before public void setup() { @@ -220,11 +206,31 @@ public class SharedContextRestControllerTest { public void getContextTestWithException() throws Exception{ sharedContextRestController.getContext(mockedRequest, null,null); } + + @Test(expected=NotValidDataException.class) + public void getContextTestNotValidDataException() throws Exception{ + sharedContextRestController.getContext(mockedRequest, "","test"); + } + + @Test(expected=NotValidDataException.class) + public void getContextTest2NotValidDataException() throws Exception{ + sharedContextRestController.getContext(mockedRequest, "test","“>"); + } + + @Test(expected=NotValidDataException.class) + public void getContextTest3NotValidDataException() throws Exception{ + sharedContextRestController.getContext(mockedRequest, "","“>"); + } - @Test(expected=Exception.class) + @Test(expected= Exception.class) public void getUserContextTest() throws Exception{ sharedContextRestController.getUserContext(mockedRequest, null); } + + @Test(expected= NotValidDataException.class) + public void getUserContextXSSTest() throws Exception{ + sharedContextRestController.getUserContext(mockedRequest, "alert(123);"); + } @Test public void removeContextTest() throws Exception{ @@ -283,6 +299,20 @@ public class SharedContextRestControllerTest { assertNotNull(actual); } + + @Test(expected=NotValidDataException.class) + public void removeContextTestWithContextXSS() throws Exception{ + SharedContext sharedContext=new SharedContext(); + sharedContext.setContext_id("test_contextid"); + sharedContext.setCkey("test_ckey"); + Mockito.when(contextService.getSharedContext(Matchers.any(),Matchers.any())).thenReturn(sharedContext); + + //Mockito.when(contextService.deleteSharedContext(sharedContext)); + String actual=sharedContextRestController.removeContext(mockedRequest, + " ",""); + assertNotNull(actual); + + } @Test(expected=Exception.class) public void clearContextTestwithContextIdNull() throws Exception{ @@ -293,6 +323,16 @@ public class SharedContextRestControllerTest { assertNotNull(actual); } + + @Test(expected=NotValidDataException.class) + public void clearContextTestwithContextXSS() throws Exception{ + + Mockito.when(contextService.deleteSharedContexts(Matchers.any())).thenReturn(12); + + String actual=sharedContextRestController.clearContext(mockedRequest,""); + assertNotNull(actual); + + } @Test public void clearContextTest() throws Exception{ @@ -350,4 +390,27 @@ public class SharedContextRestControllerTest { String actual=sharedContextRestController.setContext(mockedRequest,testUserJson.toString()); } + + @Test(expected=NotValidDataException.class) + public void setContextTestWithContextXSS() throws Exception{ + ObjectMapper mapper = new ObjectMapper(); + Map userData = new HashMap(); + userData.put("context_id", "test_contextId"); + userData.put("ckey", ""); + userData.put("cvalue", "test_cvalue"); + //String testUserJson=Matchers.anyString(); + JSONObject testUserJson = new JSONObject(); + testUserJson.put("context_id", "test1ContextId"); + testUserJson.put("ckey", "testCkey"); + testUserJson.put("cvalue", ""); + Map userData1 = mapper.readValue(testUserJson.toString(), Map.class); + SharedContext sharedContext=new SharedContext(); + sharedContext.setContext_id("test_contextid"); + sharedContext.setCkey("test_ckey"); + Mockito.when(contextService.getSharedContext(Matchers.any(),Matchers.any())).thenReturn(sharedContext); + // Mockito.when(mapper.readValue("true", Map.class)).thenReturn(userData); + String actual=sharedContextRestController.setContext(mockedRequest,testUserJson.toString()); + + } + } diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/WidgetsControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/WidgetsControllerTest.java index c6bd8001..f69ac99e 100644 --- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/WidgetsControllerTest.java +++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/WidgetsControllerTest.java @@ -68,7 +68,7 @@ import org.springframework.web.client.RestClientException; public class WidgetsControllerTest extends MockitoTestSuite{ @InjectMocks - WidgetsController widgetsController = new WidgetsController(); + WidgetsController widgetsController; @Mock private AdminRolesService rolesService; @@ -150,7 +150,7 @@ public class WidgetsControllerTest extends MockitoTestSuite{ OnboardingWidget onboardingWidget=new OnboardingWidget(); onboardingWidget.id=12L; onboardingWidget.normalize(); - //Mockito.doNothing().when(onboardingWidget).normalize(); + //Mockito.doNothing().when(onboardingWidget).normalize(); FieldsValidator expectedFieldValidator = new FieldsValidator(); List fields = new ArrayList<>(); @@ -161,6 +161,24 @@ public class WidgetsControllerTest extends MockitoTestSuite{ actualFieldsValidator = widgetsController.putOnboardingWidget(mockedRequest, 12L, onboardingWidget, mockedResponse); } + + @Test + public void putOnboardingWidgetXSSTest() { + FieldsValidator actualFieldsValidator = null; + EPUser user = mockUser.mockEPUser(); + Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user); + OnboardingWidget onboardingWidget=new OnboardingWidget(); + onboardingWidget.id=12L; + onboardingWidget.name = ""; + onboardingWidget.normalize(); + FieldsValidator expectedFieldValidator = new FieldsValidator(); + expectedFieldValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE); + Mockito.when(widgetService.setOnboardingWidget(user, onboardingWidget)).thenReturn(expectedFieldValidator); + actualFieldsValidator = widgetsController.putOnboardingWidget(mockedRequest, 12L, onboardingWidget, mockedResponse); + + assertEquals(expectedFieldValidator, actualFieldsValidator); + + } @Test public void putOnboardingWidgetWithUserPermissionTest() { @@ -172,7 +190,7 @@ public class WidgetsControllerTest extends MockitoTestSuite{ OnboardingWidget onboardingWidget=new OnboardingWidget(); onboardingWidget.id=12L; onboardingWidget.normalize(); - //Mockito.doNothing().when(onboardingWidget).normalize(); + //Mockito.doNothing().when(onboardingWidget).normalize(); FieldsValidator expectedFieldValidator = new FieldsValidator(); List fields = new ArrayList<>(); @@ -209,6 +227,31 @@ public class WidgetsControllerTest extends MockitoTestSuite{ assertEquals(expectedFieldValidator.getErrorCode(), actualFieldsValidator.getErrorCode()); assertEquals(expectedFieldValidator.getFields(), actualFieldsValidator.getFields()); } + + @Test + public void postOnboardingWidgetXSSTest(){ + EPUser user=mockUser.mockEPUser(); + Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user); + FieldsValidator actualFieldsValidator = null; + Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user); + Mockito.when(rolesService.isSuperAdmin(user)).thenReturn(true); + Mockito.when(rolesService.isAccountAdmin(user)).thenReturn(true); + OnboardingWidget onboardingWidget=new OnboardingWidget(); + onboardingWidget.id=12L; + onboardingWidget.appName=""; + onboardingWidget.normalize(); + FieldsValidator expectedFieldValidator = new FieldsValidator(); + List fields = new ArrayList<>(); + + expectedFieldValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE); + expectedFieldValidator.setFields(fields); + expectedFieldValidator.setErrorCode(null); + Mockito.when(widgetService.setOnboardingWidget(user, onboardingWidget)).thenReturn(expectedFieldValidator); + actualFieldsValidator = widgetsController.postOnboardingWidget(mockedRequest, onboardingWidget, mockedResponse); + assertEquals(expectedFieldValidator.getHttpStatusCode(), actualFieldsValidator.getHttpStatusCode()); + assertEquals(expectedFieldValidator.getErrorCode(), actualFieldsValidator.getErrorCode()); + assertEquals(expectedFieldValidator.getFields(), actualFieldsValidator.getFields()); + } @Test public void postOnboardingWidgetTestwiThoutUserPermission() { @@ -218,7 +261,7 @@ public class WidgetsControllerTest extends MockitoTestSuite{ OnboardingWidget onboardingWidget=new OnboardingWidget(); onboardingWidget.id=12L; onboardingWidget.normalize(); - //Mockito.doNothing().when(onboardingWidget).normalize(); + //Mockito.doNothing().when(onboardingWidget).normalize(); FieldsValidator expectedFieldValidator = new FieldsValidator(); List fields = new ArrayList<>(); diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java deleted file mode 100644 index 703019f9..00000000 --- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java +++ /dev/null @@ -1,185 +0,0 @@ -/*- - * ============LICENSE_START========================================== - * ONAP Portal - * =================================================================== - * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * Modifications Copyright (c) 2019 Samsung - * =================================================================== - * - * Unless otherwise specified, all software contained herein is licensed - * under the Apache License, Version 2.0 (the "License"); - * you may not use this software except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * Unless otherwise specified, all documentation contained herein is licensed - * under the Creative Commons License, Attribution 4.0 Intl. (the "License"); - * you may not use this documentation except in compliance with the License. - * You may obtain a copy of the License at - * - * https://creativecommons.org/licenses/by/4.0/ - * - * Unless required by applicable law or agreed to in writing, documentation - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * ============LICENSE_END============================================ - * - * - */ - -package org.onap.portalapp.filter; - -import java.io.BufferedReader; -import java.io.ByteArrayInputStream; -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.io.InputStreamReader; -import java.nio.charset.StandardCharsets; -import java.util.Enumeration; - -import javax.servlet.FilterChain; -import javax.servlet.ReadListener; -import javax.servlet.ServletInputStream; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletRequestWrapper; -import javax.servlet.http.HttpServletResponse; - -import org.apache.commons.io.IOUtils; -import org.apache.commons.lang.StringUtils; -import org.apache.http.HttpStatus; -import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; -import org.springframework.web.filter.OncePerRequestFilter; - -public class SecurityXssFilter extends OncePerRequestFilter { - - private EELFLoggerDelegate sxLogger = EELFLoggerDelegate.getLogger(SecurityXssFilter.class); - - private static final String APPLICATION_JSON = "application/json"; - - private static final String ERROR_BAD_REQUEST = "{\"error\":\"BAD_REQUEST\"}"; - - private SecurityXssValidator validator = SecurityXssValidator.getInstance(); - - public class RequestWrapper extends HttpServletRequestWrapper { - - private ByteArrayOutputStream cachedBytes; - - public RequestWrapper(HttpServletRequest request) { - super(request); - } - - @Override - public ServletInputStream getInputStream() throws IOException { - if (cachedBytes == null) - cacheInputStream(); - - return new CachedServletInputStream(); - } - - @Override - public BufferedReader getReader() throws IOException { - return new BufferedReader(new InputStreamReader(getInputStream())); - } - - private void cacheInputStream() throws IOException { - cachedBytes = new ByteArrayOutputStream(); - IOUtils.copy(super.getInputStream(), cachedBytes); - } - - public class CachedServletInputStream extends ServletInputStream { - private ByteArrayInputStream input; - - public CachedServletInputStream() { - input = new ByteArrayInputStream(cachedBytes.toByteArray()); - } - - @Override - public int read() throws IOException { - return input.read(); - } - - @Override - public boolean isFinished() { - return false; - } - - @Override - public boolean isReady() { - return false; - } - - @Override - public void setReadListener(ReadListener readListener) { - // do nothing - } - } - } - - @Override - protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) - throws IOException { - StringBuilder requestURL = new StringBuilder(request.getRequestURL().toString()); - String queryString = request.getQueryString(); - String requestUrl; - - if (queryString == null) { - requestUrl = requestURL.toString(); - } else { - requestUrl = requestURL.append('?').append(queryString).toString(); - } - - validateRequest(requestUrl, response); - StringBuilder headerValues = new StringBuilder(); - Enumeration headerNames = request.getHeaderNames(); - - while (headerNames.hasMoreElements()) { - String key = headerNames.nextElement(); - String value = request.getHeader(key); - headerValues.append(value); - } - - validateRequest(headerValues.toString(), response); - - if (validateRequestType(request)) { - request = new RequestWrapper(request); - String requestData = IOUtils.toString(request.getInputStream(), StandardCharsets.UTF_8.toString()); - validateRequest(requestData, response); - } - - try { - filterChain.doFilter(request, response); - } catch (Exception e) { - sxLogger.warn(EELFLoggerDelegate.errorLogger, "Handling bad request", e); - response.sendError(org.springframework.http.HttpStatus.BAD_REQUEST.value(), "Handling bad request"); - } - } - - private boolean validateRequestType(HttpServletRequest request) { - return (request.getMethod().equalsIgnoreCase("POST") || request.getMethod().equalsIgnoreCase("PUT") - || request.getMethod().equalsIgnoreCase("DELETE")); - } - - private void validateRequest(String text, HttpServletResponse response) throws IOException { - try { - if (StringUtils.isNotBlank(text) && validator.denyXSS(text)) { - response.setContentType(APPLICATION_JSON); - response.setStatus(HttpStatus.SC_BAD_REQUEST); - response.getWriter().write(ERROR_BAD_REQUEST); - throw new SecurityException(ERROR_BAD_REQUEST); - } - } catch (Exception e) { - sxLogger.error(EELFLoggerDelegate.errorLogger, "doFilterInternal() failed due to BAD_REQUEST", e); - response.getWriter().close(); - } - } -} diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssValidator.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssValidator.java deleted file mode 100644 index c203f1f0..00000000 --- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssValidator.java +++ /dev/null @@ -1,207 +0,0 @@ -/*- - * ============LICENSE_START========================================== - * ONAP Portal - * =================================================================== - * Copyright © 2017 AT&T Intellectual Property. All rights reserved. - * =================================================================== - * - * Unless otherwise specified, all software contained herein is licensed - * under the Apache License, Version 2.0 (the "License"); - * you may not use this software except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * Unless otherwise specified, all documentation contained herein is licensed - * under the Creative Commons License, Attribution 4.0 Intl. (the "License"); - * you may not use this documentation except in compliance with the License. - * You may obtain a copy of the License at - * - * https://creativecommons.org/licenses/by/4.0/ - * - * Unless required by applicable law or agreed to in writing, documentation - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * ============LICENSE_END============================================ - * - * - */ -package org.onap.portalapp.filter; - -import java.util.ArrayList; -import java.util.List; -import java.util.concurrent.locks.Lock; -import java.util.concurrent.locks.ReentrantLock; -import java.util.regex.Pattern; - -import org.apache.commons.lang.NotImplementedException; -import org.apache.commons.lang.StringUtils; -import org.apache.commons.lang3.StringEscapeUtils; -import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; -import org.onap.portalsdk.core.util.SystemProperties; -import org.owasp.esapi.ESAPI; -import org.owasp.esapi.codecs.Codec; -import org.owasp.esapi.codecs.MySQLCodec; -import org.owasp.esapi.codecs.MySQLCodec.Mode; -import org.owasp.esapi.codecs.OracleCodec; - -public class SecurityXssValidator { - - private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssValidator.class); - - private static final String MYSQL_DB = "mysql"; - private static final String ORACLE_DB = "oracle"; - private static final String MARIA_DB = "mariadb"; - private static final int FLAGS = Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL; - static SecurityXssValidator validator = null; - private static Codec instance; - private static final Lock lock = new ReentrantLock(); - - public static SecurityXssValidator getInstance() { - - if (validator == null) { - lock.lock(); - try { - if (validator == null) - validator = new SecurityXssValidator(); - } finally { - lock.unlock(); - } - } - - return validator; - } - - private SecurityXssValidator() { - // Avoid anything between script tags - XSS_INPUT_PATTERNS.add(Pattern.compile("", FLAGS)); - - // avoid iframes - XSS_INPUT_PATTERNS.add(Pattern.compile("(.*?)", FLAGS)); - - // Avoid anything in a src='...' type of expression - XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", FLAGS)); - - XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", FLAGS)); - - XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)", FLAGS)); - - // Remove any lonesome tag - XSS_INPUT_PATTERNS.add(Pattern.compile("", FLAGS)); - - XSS_INPUT_PATTERNS.add(Pattern.compile(".*().*", FLAGS)); - - XSS_INPUT_PATTERNS.add(Pattern.compile(".*().*", FLAGS)); - - // Remove any lonesome