

Merge pull request #604 from abi231002/main
fix: neutralize CR/LF in EDC notification toString() output to prevent log injection (CWE-117)
ds-lcapellino authored Sep 25, 2023
2 parents 7387829 + d358a3c commit 6358c0e
Showing 4 changed files with 163 additions and 8 deletions.
@@ -0,0 +1,40 @@
/********************************************************************************
* Copyright (c) 2023 Contributors to the Eclipse Foundation
*
* See the NOTICE file(s) distributed with this work for additional
* information regarding copyright ownership.
*
* This program and the accompanying materials are made available under the
* terms of the Apache License, Version 2.0 which is available at
* https://www.apache.org/licenses/LICENSE-2.0.
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*
* SPDX-License-Identifier: Apache-2.0
********************************************************************************/

package org.eclipse.tractusx.traceability.common.model;


import java.util.ArrayList;
import java.util.List;

public class SecurityUtils {

public static String sanitize(String unSanitizedInput) {
return unSanitizedInput.replaceAll("\r\n|\r|\n", " ");
}

public static List<String> sanitize(List<String> unSanitizedList) {
List<String> cleanListOfAffectedItems = new ArrayList<>();
for (String affectedItem : unSanitizedList) {
String cleanAffectedItem = sanitize(affectedItem);
cleanListOfAffectedItems.add(cleanAffectedItem);
}
return cleanListOfAffectedItems;
}
}
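Review bot: `sanitize(String)` at line 45 goes through `String.replaceAll`, which recompiles the regex on every call even though this helper is meant to sit on every log-bound field; hoist it to `private static final Pattern LINE_BREAKS = Pattern.compile("\r\n|\r|\n");` (needs `java.util.regex.Pattern`) and return `LINE_BREAKS.matcher(unSanitizedInput).replaceAll(" ")`. The class is also a pure utility with no private constructor and is not `final`, so it can be instantiated or subclassed by mistake. Note as a caveat that only CR and LF are neutralised: tabs, ESC (ANSI sequences) and other control characters pass through, which may or may not matter depending on the log encoder in use, which is not visible here; a header comment stating that scope, e.g. `// Neutralises CR/LF only; other control characters are left untouched.`, would keep callers from assuming more.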
@@ -1,7 +1,5 @@
/********************************************************************************
* Copyright (c) 2022, 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
* Copyright (c) 2022, 2023 ZF Friedrichshafen AG
* Copyright (c) 2022, 2023 Contributors to the Eclipse Foundation
* Copyright (c) 2023 Contributors to the Eclipse Foundation
*
* See the NOTICE file(s) distributed with this work for additional
* information regarding copyright ownership.
Expand All @@ -24,8 +22,22 @@

import java.util.List;

import static org.eclipse.tractusx.traceability.common.model.SecurityUtils.sanitize;



@JsonInclude(JsonInclude.Include.NON_NULL)
public record EDCNotificationContent(
String information,
List<String> listOfAffectedItems) {

@Override
public String toString() {

return "EDCNotificationContent{" +
"information='" + sanitize(information) + '\'' +
", listOfAffectedItems=" + sanitize(listOfAffectedItems) +
'}';
}

}
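Review bot: The `toString()` override at lines 80-87 has no comment saying why the record's generated representation is replaced, and an unexplained hand-written record toString is exactly what a later cleanup removes; suggest `/** Replaces the generated toString so CR/LF in untrusted EDC notification fields cannot forge log lines (CWE-117). */`. The protection also only applies when the whole record is stringified: a log statement that passes `information()` or `listOfAffectedItems()` directly, or Jackson serialisation, does not pass through `sanitize`, so the call sites (not visible here) still need checking. Given the `@JsonInclude(NON_NULL)` annotation, a null `information` or `listOfAffectedItems` seems possible, and as `sanitize` is written it would throw where the generated toString printed `null`.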
@@ -1,7 +1,5 @@
/********************************************************************************
* Copyright (c) 2022, 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
* Copyright (c) 2022, 2023 ZF Friedrichshafen AG
* Copyright (c) 2022, 2023 Contributors to the Eclipse Foundation
* Copyright (c) 2023 Contributors to the Eclipse Foundation
*
* See the NOTICE file(s) distributed with this work for additional
* information regarding copyright ownership.
Expand All @@ -22,8 +20,29 @@

import com.fasterxml.jackson.annotation.JsonInclude;

import static org.eclipse.tractusx.traceability.common.model.SecurityUtils.sanitize;

@JsonInclude(JsonInclude.Include.NON_NULL)
public record EDCNotificationHeader(String notificationId, String senderBPN, String senderAddress, String recipientBPN,
String classification, String severity, String relatedNotificationId,
String status, String targetDate, String messageId) {
String classification, String severity, String relatedNotificationId,
String status, String targetDate, String messageId) {


@Override
public String toString() {
return "EDCNotificationHeader{" +
"notificationId='" + sanitize(notificationId) + '\'' +
", senderBPN='" + sanitize(senderBPN) + '\'' +
", senderAddress='" + sanitize(senderAddress) + '\'' +
", recipientBPN='" + sanitize(recipientBPN) + '\'' +
", classification='" + sanitize(classification) + '\'' +
", severity='" + sanitize(severity) + '\'' +
", relatedNotificationId='" + sanitize(relatedNotificationId) + '\'' +
", status='" + sanitize(status) + '\'' +
", targetDate='" + sanitize(targetDate) + '\'' +
", messageId='" + sanitize(messageId) + '\'' +
'}';
}
}
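Review bot: Every field in the new `toString()` at lines 114-128 is passed through `sanitize`, which dereferences its argument unconditionally, so a null field turns a log statement into a NullPointerException; with ten fields and `@JsonInclude(NON_NULL)` on the record, `relatedNotificationId` in particular looks like it may legitimately be absent, though I cannot see the producers. Because toString is typically called from logging and exception-message paths, that failure would surface at the worst possible moment. The guard belongs in the helper so all callers benefit, `if (unSanitizedInput == null) { return null; }` at the top of `sanitize(String)` and the same for the list overload, which keeps the generated toString's `null` output for absent fields.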


@@ -0,0 +1,84 @@
/********************************************************************************
* Copyright (c) 2023 Contributors to the Eclipse Foundation
*
* See the NOTICE file(s) distributed with this work for additional
* information regarding copyright ownership.
*
* This program and the accompanying materials are made available under the
* terms of the Apache License, Version 2.0 which is available at
* https://www.apache.org/licenses/LICENSE-2.0.
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*
* SPDX-License-Identifier: Apache-2.0
********************************************************************************/
package org.eclipse.tractusx.traceability.infrastructure.edc.model;

import org.eclipse.tractusx.traceability.qualitynotification.infrastructure.edc.model.EDCNotificationContent;
import org.eclipse.tractusx.traceability.qualitynotification.infrastructure.edc.model.EDCNotificationHeader;
import org.junit.jupiter.api.Test;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import static org.junit.jupiter.api.Assertions.assertEquals;


public class EdcNotificationModelTest {

@Test
public void testToStringEDCNotificationHeader() {

//GIVEN
EDCNotificationHeader header = new EDCNotificationHeader(
"12345", "SenderBPN", "Sender\nAddress", "RecipientBPN",
"Classification", "Severity", "Related\nNotificationId",
"Status", "2023-09-22", "MessageId"
);

String expected = "EDCNotificationHeader{" +
"notificationId='12345', " +
"senderBPN='SenderBPN', " +
"senderAddress='Sender Address', " +
"recipientBPN='RecipientBPN', " +
"classification='Classification', " +
"severity='Severity', " +
"relatedNotificationId='Related NotificationId', " +
"status='Status', " +
"targetDate='2023-09-22', " +
"messageId='MessageId'}";

//WHEN
String actual = header.toString();

//THEN
assertEquals(expected, actual);
}

@Test
public void testToStringEDCNotificationContent() {

//GIVEN
List<String> listOfAffectedItems = new ArrayList<>(Arrays.asList("Item1\nItem2", "Item3", "Item4\r\nItem5"));

EDCNotificationContent content = new EDCNotificationContent(
"Information\nwith\nline\nbreaks", listOfAffectedItems
);

String expected = "EDCNotificationContent{" +
"information='Information with line breaks', " +
"listOfAffectedItems=[Item1 Item2, Item3, Item4 Item5]" +
"}";

//WHEN
String actual = content.toString();

//THEN
assertEquals(expected, actual);
}
}
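Review bot: The tests cover `\n` and `\r\n` but never a lone `\r`, which is the third alternative in the sanitiser's regex and the classic log-forging byte on its own; add an element such as `"Item4\rItem5"` to the list at line 200 with `Item4 Item5` in the expected string. There is also no case with a null field, so the current behaviour of the overrides on a null `relatedNotificationId` or `information` (an exception from `sanitize`) is neither pinned nor guarded against; a test constructing a header with null optional fields and asserting `toString()` completes would document the intended contract once that is decided. The test package `...infrastructure.edc.model` differs from the classes under test, which is fine but worth a one-line comment so nobody moves it expecting package-private access.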
