Fix critical cross site scripting
XSS (cross-site scripting) issue identified in SonarCloud
Issue-ID: SDC-3607
Signed-off-by: aribeiro <anderson.ribeiro@est.tech>
Change-Id: I729f14587154a02759ec62d5134cd115ac6eff38
diff --git a/catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/PortalServlet.java b/catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/PortalServlet.java
index 6378b99..97c4ac6 100644
--- a/catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/PortalServlet.java
+++ b/catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/PortalServlet.java
@@ -113,7 +113,7 @@
* @throws IOException
*/
private void addRequestHeadersUsingWebseal(final HttpServletRequest request, final HttpServletResponse response)
- throws ServletException, IOException {
+ throws ServletException, IOException, CipherUtilException {
response.setContentType("text/html");
// Create new request object to dispatch
MutableHttpServletRequest mutableRequest = new MutableHttpServletRequest(request);
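Review bot: The Javadoc directly above the signature still documents only `@throws IOException` (and presumably `ServletException` further up, outside the hunk) while the new `throws CipherUtilException` clause is left undocumented; add `* @throws CipherUtilException if a header value cannot be encrypted before being stored in a cookie` next to the existing `@throws` lines. Since this is a checked exception, every caller of addRequestHeadersUsingWebseal now has to catch or declare it, and none of those call sites are in this hunk, so it is worth confirming that the servlet entry point maps it to an error response rather than letting it escape. The body of addRequestHeadersUsingWebseal continues past the end of the hunk.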
@@ -243,12 +243,13 @@
* @param request
* @param headers
*/
- private void addCookies(final HttpServletResponse response, final HttpServletRequest request, final String[] headers) {
+ private void addCookies(final HttpServletResponse response, final HttpServletRequest request, final String[] headers)
+ throws CipherUtilException {
for (var i = 0; i < headers.length; i++) {
final var currHeader = ValidationUtils.sanitizeInputString(headers[i]);
final var headerValue = ValidationUtils.sanitizeInputString(request.getHeader(currHeader));
if (headerValue != null) {
- final var cookie = new Cookie(currHeader, headerValue);
+ final var cookie = new Cookie(currHeader, CipherUtil.encryptPKC(headerValue));
cookie.setSecure(true);
response.addCookie(cookie);
}
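Review bot: The cookie built at the `new Cookie(currHeader, CipherUtil.encryptPKC(headerValue))` line is only marked `setSecure(true)`; it is not marked HttpOnly, so if these header-derived cookies are not meant to be read by front-end script, add `cookie.setHttpOnly(true);` after `cookie.setSecure(true);` — encrypting the value hides its content but does not stop script from reading or replaying it. Encryption also changes the contract of whoever consumes the cookie: the reader now has to decrypt to recover the sanitized plaintext, and that consumer is not visible here, so the commit should state where decryption happens and that the XSS fix relies on the encrypted (presumably encoded) form never containing markup characters. Note that `ValidationUtils.sanitizeInputString` runs on the plaintext before encryption, so the decrypted value is the sanitized one, which is the right order. One more behavioural detail worth a comment: if `encryptPKC` throws for one header, the loop aborts and the cookies already added for earlier headers stay on the response, while later ones are never added; a short comment such as `// an encryption failure aborts the loop; earlier cookies remain on the response` would make that partial-state outcome explicit. The Javadoc above lists `@param request` and `@param headers` but no `@throws CipherUtilException`; add `* @throws CipherUtilException if a header value cannot be encrypted` there.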