From be638f25cb9d7021ba6b58a6d3baa5cca134c56f Mon Sep 17 00:00:00 2001 From: Dominik Mizyn Date: Mon, 21 Oct 2019 13:03:55 +0200 Subject: [PATCH] Reflected XSS vulnerability in saveNotification form fix. javax.validation.Validator used to fix this vulnerability. Issue-ID: OJSI-22 Change-Id: I5837e333f640a398ab6b25e8a0b9f611bb7d3af9 Signed-off-by: Dominik Mizyn --- .../controller/ExternalAppsRestfulController.java | 12 +++++-- .../ExternalAppsRestfulControllerTest.java | 41 ++++++++++++++++++++++ 2 files changed, 51 insertions(+), 2 deletions(-) diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/ExternalAppsRestfulController.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/ExternalAppsRestfulController.java index 15ce305d..7615b660 100644 --- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/ExternalAppsRestfulController.java +++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/controller/ExternalAppsRestfulController.java @@ -66,6 +66,8 @@ import org.onap.portalapp.portal.transport.FunctionalMenuItem; import org.onap.portalapp.portal.utils.EPCommonSystemProperties; import org.onap.portalapp.portal.utils.EcompPortalUtils; import org.onap.portalapp.portal.utils.PortalConstants; +import org.onap.portalapp.validation.DataValidator; +import org.onap.portalapp.validation.SecureString; import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; import org.onap.portalsdk.core.onboarding.crossapi.PortalAPIResponse; import org.slf4j.MDC; @@ -90,6 +92,7 @@ import io.swagger.annotations.ApiOperation; public class ExternalAppsRestfulController extends EPRestrictedRESTfulBaseController { private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(ExternalAppsRestfulController.class); + private final DataValidator DATA_VALIDATOR = new DataValidator(); @Autowired private FunctionalMenuService functionalMenuService; 
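Review bot: The new `import org.onap.portalapp.validation.SecureString;` appears unused: none of the added lines in this patch reference `SecureString`, only `DataValidator`, and the controller's diffstat (10 additions, 2 deletions) is fully accounted for by the two imports, the field and the validation block plus the brace re-indent. Since the file did not import it before, no unchanged code can be using it either. Drop the import, or use it where it was intended (for example for the `uebkey` header value).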
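Review bot: `private final DataValidator DATA_VALIDATOR = new DataValidator();` is an instance field named like a constant. Either make it `private static final DataValidator DATA_VALIDATOR = new DataValidator();` so the name matches its scope, or keep it per-instance and rename it `dataValidator`. The constructor cost and thread-safety of `DataValidator` are not visible in this patch, so confirm it is safe to share before making it static.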
@@ -111,6 +114,11 @@ public class ExternalAppsRestfulController extends EPRestrictedRESTfulBaseContro @ResponseBody public PortalAPIResponse publishNotification(HttpServletRequest request, @RequestBody EpNotificationItem notificationItem) throws Exception { + + if(!DATA_VALIDATOR.isValid(notificationItem)){ + PortalAPIResponse response = new PortalAPIResponse(false, "failed"); + return response; + } String appKey = request.getHeader("uebkey"); EPApp app = findEpApp(appKey); List postRoleIds = new ArrayList(); @@ -119,8 +127,8 @@ public class ExternalAppsRestfulController extends EPRestrictedRESTfulBaseContro EPRole role = epRoleService.getRole(app.getId(), roleId); if (role != null) postRoleIds.add(role.getId()); - } - } + } + } // --- recreate the user notification object with the POrtal Role Ids EpNotificationItem postItem = new EpNotificationItem(); diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/ExternalAppsRestfulControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/ExternalAppsRestfulControllerTest.java index d8f98bb9..d6cb42a6 100644 --- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/ExternalAppsRestfulControllerTest.java +++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/ExternalAppsRestfulControllerTest.java 
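Review bot: The rejection branch added at the top of `publishNotification` returns `new PortalAPIResponse(false, "failed")` without recording anything, so an external app submitting markup in `msgHeader`/`msgDescription` is dropped silently and operators never see the attempted injection; log it before returning, e.g. `logger.warn(EELFLoggerDelegate.errorLogger, "publishNotification: rejected notification item that failed validation");` (do not include the `uebkey` header value, which is an application credential). Note also that rejecting input here is defence in depth, not the complete fix for a reflected XSS: the place that renders the notification header and description still needs to HTML-encode them, and this patch does not touch that path. The method continues beyond this hunk.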
@@ -296,6 +296,47 @@ public class ExternalAppsRestfulControllerTest { assertEquals(543L, createdNofification.getRoleIds().get(0).longValue()); } + @Test + public void publishNotificationXSSTest() throws Exception { + // input + EpNotificationItem notificationItem = new EpNotificationItem(); + List roleList = new ArrayList(); + Long role1 = 1L; + roleList.add(role1); + notificationItem.setRoleIds(roleList); + notificationItem.setPriority(1L); + notificationItem.setMsgHeader(""); + notificationItem.setMsgDescription("Test Description"); + Date currentDate = new Date(); + Calendar c = Calendar.getInstance(); + c.setTime(currentDate); + c.add(Calendar.DATE, 1); + Date currentDatePlusOne = c.getTime(); + notificationItem.setStartTime(currentDate); + notificationItem.setEndTime(currentDatePlusOne); + + // mock calls + Mockito.when(mockedRequest.getHeader("uebkey")).thenReturn("RxH3983AHiyBOQmj"); + Map params = new HashMap<>(); + params.put("appKey", "RxH3983AHiyBOQmj"); + List apps = new ArrayList<>(); + EPApp app = new EPApp(); + app.setId(123L); + apps.add(app); + Mockito.when(DataAccessService.executeNamedQuery("getMyAppDetailsByUebKey", params, null)).thenReturn(apps); + EPRole role = new EPRole(); + role.setId(543L); + Mockito.when(epRoleService.getRole(123L, 1L)).thenReturn(role); + + // run + Mockito.when(userNotificationService.saveNotification(notificationItem)).thenReturn("Test"); + PortalAPIResponse response = externalAppsRestfulController.publishNotification(mockedRequest, notificationItem); + // verify answer + assertNotNull(response); + assertEquals("error", response.getStatus()); + assertEquals("failed", response.getMessage()); + } + @Test public void publishNotificationTest_EmptyAppHeader() throws Exception { // input -- 2.16.6
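Review bot: `publishNotificationXSSTest` asserts only on the response; it stubs `userNotificationService.saveNotification(notificationItem)` but never checks that the rejected item was not persisted, which is the property the fix exists to guarantee, so add `Mockito.verify(userNotificationService, Mockito.never()).saveNotification(Mockito.any());` after the assertions. As shown, the test also sets `notificationItem.setMsgHeader("")`, which does not document what the validator rejects; if the markup payload was lost in rendering this page, make sure the committed test carries an explicit one, e.g. `notificationItem.setMsgHeader("<script>alert(1)</script>");`, otherwise the test is passing only because an empty header is invalid.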