[AAE-16206] security code scan fixes (#1192)
* [AAE-16206] xxe fix

* [AAE-16206] xxe fix + regex fix

* [AAE-16206] csrf disabled removed

* [AAE-16206] test changes because csrf is on

* [AAE-16206] XXE XML logic moved

* [AAE-16206] init fix

* [AAE-16206] init fix

* [AAE-16206] init fix
wojciech-piotrowiak authored Sep 7, 2023
1 parent 419097d commit e170df5
Showing 4 changed files with 71 additions and 9 deletions.
Expand Up @@ -16,7 +16,6 @@
package org.activiti.cloud.services.modeling.rest.controller;

import static io.restassured.module.mockmvc.RestAssuredMockMvc.given;
import static io.restassured.module.mockmvc.RestAssuredMockMvc.webAppContextSetup;
import static org.activiti.cloud.services.common.util.ContentTypeUtils.CONTENT_TYPE_JSON;
import static org.activiti.cloud.services.common.util.FileUtils.resourceAsByteArray;
import static org.activiti.cloud.services.modeling.asserts.AssertResponse.assertThatResponse;
Expand All @@ -41,6 +40,8 @@
import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.test.context.ActiveProfiles;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.context.WebApplicationContext;

Expand All @@ -65,11 +66,13 @@ public class ConnectorValidationControllerIT {
@MockBean
private SecurityManager securityManager;

private MockMvc mockMvc;

@BeforeEach
public void setUp() {
webAppContextSetup(context);
when(securityManager.getAuthenticatedUserId()).thenReturn("modeler");
connectorModel = modelRepository.createModel(connectorModel("connector-name"));
mockMvc = MockMvcBuilders.webAppContextSetup(context).build();
}

@AfterEach
Expand All @@ -80,6 +83,7 @@ public void cleanUp() {
@Test
public void should_returnStatusNoContent_when_validatingSimpleConnector() throws IOException {
given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart(
Expand All @@ -98,6 +102,7 @@ public void should_returnStatusNoContent_when_validatingSimpleConnector() throws
@Test
public void should_returnStatusNoContent_when_validatingConnectorTextContentType() throws IOException {
given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart(
Expand All @@ -116,6 +121,7 @@ public void should_returnStatusNoContent_when_validatingConnectorTextContentType
@Test
public void should_returnStatusNoContent_when_validatingConnectorWithEvents() throws IOException {
given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart(
Expand All @@ -135,6 +141,7 @@ public void should_returnStatusNoContent_when_validatingConnectorWithEvents() th
public void should_throwSemanticValidationException_when_validatingInvalidSimpleConnector() throws IOException {
assertThatResponse(
given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart(
Expand Down Expand Up @@ -162,6 +169,7 @@ public void should_throwSemanticValidationException_when_validatingInvalidSimple
public void should_throwSyntacticValidationException_when_validatingJsonInvalidConnector() throws IOException {
assertThatResponse(
given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart(
Expand All @@ -186,6 +194,7 @@ public void should_throwSyntacticValidationException_when_validatingInvalidConne
throws IOException {
assertThatResponse(
given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart(
Expand All @@ -210,6 +219,7 @@ public void should_throwSemanticValidationException_when_validatingInvalidConnec
throws IOException {
assertThatResponse(
given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart(
Expand All @@ -234,6 +244,7 @@ public void should_throwSemanticValidationException_when_validatingInvalidConnec
public void should_throwSemanticValidationException_when_validatingInvalidConnectorNameEmpty() throws IOException {
assertThatResponse(
given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart(
Expand All @@ -259,6 +270,7 @@ public void should_throwSemanticValidationException_when_validatingInvalidConnec
throws IOException {
assertThatResponse(
given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart(
Expand All @@ -281,6 +293,7 @@ public void should_throwSemanticValidationException_when_validatingInvalidConnec
throws IOException {
assertThatResponse(
given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart(
Expand All @@ -301,6 +314,7 @@ public void should_throwSemanticValidationException_when_validatingInvalidConnec
public void should_returnStatusNoContent_when_validatingConnectorWithCustomTypesInEventsAndActions()
throws IOException {
given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart(
Expand All @@ -319,6 +333,7 @@ public void should_returnStatusNoContent_when_validatingConnectorWithCustomTypes
@Test
public void should_returnStatusNoContent_when_validatingConnectorWithErrors() throws IOException {
given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart(
Expand All @@ -339,6 +354,7 @@ public void should_throwSemanticValidationException_when_validatingInvalidConnec
throws IOException {
assertThatResponse(
given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart(
Expand All @@ -359,6 +375,7 @@ public void should_throwSemanticValidationException_when_validatingInvalidConnec
@Test
public void should_returnStatusNoContent_when_validatingConnectorEventWithModel() throws IOException {
given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart(
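Review bot: The MockMvc that setUp() builds at line 58, `mockMvc = MockMvcBuilders.webAppContextSetup(context).build();`, is created without any MockMvcConfigurer, so unless filters are registered elsewhere in the context (not visible in this hunk) the requests in this class never pass through the Spring Security filter chain, and the CSRF enforcement this commit turns on is bypassed by the tests rather than exercised. If that bypass is the intended way to keep these controller tests independent of security, record it next to the new field, e.g. `// MockMvc built without the security filter chain: CSRF is not under test here`; if the intent is to exercise it, apply `SecurityMockMvcConfigurers.springSecurity()` on the builder and attach `SecurityMockMvcRequestPostProcessors.csrf()` to each request through RestAssured's `.postProcessors(...)`. The same pattern is repeated in GenericJsonModelTypeValidationControllerIT and GenericNonJsonModelTypeValidationControllerIT. As a style point, the `.mockMvc(mockMvc)` line added to every `given()` could be replaced by a single `RestAssuredMockMvc.mockMvc(mockMvc);` in setUp(), mirroring how the removed static `webAppContextSetup(context)` call configured all requests once.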
Expand Up @@ -16,7 +16,6 @@
package org.activiti.cloud.services.modeling.rest.controller;

import static io.restassured.module.mockmvc.RestAssuredMockMvc.given;
import static io.restassured.module.mockmvc.RestAssuredMockMvc.webAppContextSetup;
import static org.activiti.cloud.services.common.util.FileUtils.resourceAsByteArray;
import static org.activiti.cloud.services.modeling.asserts.AssertResponse.assertThatResponse;
import static org.hamcrest.Matchers.emptyString;
Expand Down Expand Up @@ -54,6 +53,8 @@
import org.springframework.boot.test.mock.mockito.SpyBean;
import org.springframework.test.context.ActiveProfiles;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.context.WebApplicationContext;

Expand Down Expand Up @@ -89,13 +90,15 @@ public class GenericJsonModelTypeValidationControllerIT {

private Model genericJsonModel;

private MockMvc mockMvc;

@BeforeEach
public void setUp() {
webAppContextSetup(context);
when(securityManager.getAuthenticatedUserId()).thenReturn("modeler");

genericJsonModel =
modelRepository.createModel(new ModelEntity(GENERIC_MODEL_NAME, genericJsonModelType.getName()));
mockMvc = MockMvcBuilders.webAppContextSetup(context).build();
}

@AfterEach
Expand Down Expand Up @@ -131,6 +134,7 @@ public void should_callGenericJsonContentValidatorAndNotCallGenericJsonExtension
byte[] fileContent = resourceAsByteArray("generic/model-simple.json");

given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart("file", "simple-model.json", fileContent, "application/json")
Expand All @@ -157,6 +161,7 @@ public void should_callGenericJsonContentValidatorAndNotCallGenericJsonExtension
byte[] fileContent = resourceAsByteArray("generic/model-simple.json");

given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart("file", "simple-model.json", fileContent, "text/plain")
Expand Down Expand Up @@ -186,6 +191,7 @@ public void should_throwExceptionAndCallGenericJsonContentValidatorAndNotCallGen

assertThatResponse(
given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart("file", "invalid-simple-model.json", fileContent, "application/json")
Expand Down Expand Up @@ -214,6 +220,7 @@ public void should_notCallGenericJsonContentValidatorAndCallGenericJsonExtension
byte[] fileContent = resourceAsByteArray("generic/model-simple-valid-extensions.json");

given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart("file", "simple-model-extensions.json", fileContent, "application/json")
Expand All @@ -238,6 +245,7 @@ public void should_throwSemanticValidationException_when_validatingModelInvalidE

assertThatResponse(
given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart("file", "simple-model-extensions.json", fileContent, "application/json")
Expand All @@ -264,6 +272,7 @@ public void should_throwSemanticValidationException_when_validatingModelInvalidN

assertThatResponse(
given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart("file", "model-simple-invalid-name-extensions.json", fileContent, "application/json")
Expand Down Expand Up @@ -291,6 +300,7 @@ public void should_throwSemanticValidationException_when_validatingModelMismatch

assertThatResponse(
given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart("file", "model-simple-mismatch-name-extensions.json", fileContent, "application/json")
Expand All @@ -317,6 +327,7 @@ public void should_throwSemanticValidationException_when_validatingModelLongName

assertThatResponse(
given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart("file", "model-simple-long-name-extensions.json", fileContent, "application/json")
Expand Down Expand Up @@ -347,6 +358,7 @@ public void should_throwSemanticValidationException_when_validatingModelEmptyNam

assertThatResponse(
given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart("file", "model-simple-empty-name-extensions.json", fileContent, "application/json")
Expand Down Expand Up @@ -376,6 +388,7 @@ public void should_throwSyntacticValidationException_when_validatingInvalidJsonE

assertThatResponse(
given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart("file", "simple-model-extensions.json", fileContent, "application/json")
Expand Down Expand Up @@ -404,6 +417,7 @@ public void should_throwSemanticValidationException_when_validatingModelInvalidT

assertThatResponse(
given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart("file", "simple-model-extensions.json", fileContent, "application/json")
Expand Down Expand Up @@ -432,6 +446,7 @@ public void should_throwException_when_validatingModelInvalidSemanticExtensions(

assertThatResponse(
given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart("file", "simple-model-extensions.json", fileContent, "application/json")
Expand Down Expand Up @@ -472,6 +487,7 @@ public void should_throwExceptionAndCallGenericJsonContentUsageValidatorA_when_v

assertThatResponse(
given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart("file", "invalid-simple-model.json", fileContent, "application/json")
Expand Up @@ -16,7 +16,6 @@
package org.activiti.cloud.services.modeling.rest.controller;

import static io.restassured.module.mockmvc.RestAssuredMockMvc.given;
import static io.restassured.module.mockmvc.RestAssuredMockMvc.webAppContextSetup;
import static org.activiti.cloud.services.common.util.FileUtils.resourceAsByteArray;
import static org.activiti.cloud.services.modeling.asserts.AssertResponse.assertThatResponse;
import static org.hamcrest.Matchers.emptyString;
Expand Down Expand Up @@ -51,6 +50,8 @@
import org.springframework.boot.test.mock.mockito.SpyBean;
import org.springframework.test.context.ActiveProfiles;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.context.WebApplicationContext;

Expand Down Expand Up @@ -83,11 +84,13 @@ public class GenericNonJsonModelTypeValidationControllerIT {

private Model genericNonJsonModel;

private MockMvc mockMvc;

@BeforeEach
public void setUp() {
webAppContextSetup(context);
genericNonJsonModel =
modelRepository.createModel(new ModelEntity(GENERIC_MODEL_NAME, genericNonJsonModelType.getName()));
mockMvc = MockMvcBuilders.webAppContextSetup(context).build();
}

private void validateInvalidContent() {
Expand Down Expand Up @@ -117,6 +120,7 @@ public void testValidateModelContent() throws IOException {
byte[] fileContent = resourceAsByteArray("generic/model-simple.bin");

given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart("file", "simple-model.bin", fileContent, APPLICATION_OCTET_STREAM_VALUE)
Expand All @@ -143,6 +147,7 @@ public void should_callGenericNonJsonContentValidatorAndNotCallGenericNonJsonExt
byte[] fileContent = resourceAsByteArray("generic/model-simple.bin");

given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart("file", "simple-model.bin", fileContent, "text/plain")
Expand All @@ -169,6 +174,7 @@ public void should_callGenericNonJsonContentValidatorAndNotCallGnericNonJsonExte
byte[] fileContent = resourceAsByteArray("generic/model-simple.json");

given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart("file", "simple-model.json", fileContent, "application/json")
Expand Down Expand Up @@ -198,6 +204,7 @@ public void should_throwExceptionAndCallGenericNonJsonContentValidatorAndNotCall

assertThatResponse(
given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart("file", "invalid-simple-model.json", fileContent, APPLICATION_OCTET_STREAM_VALUE)
Expand Down Expand Up @@ -226,6 +233,7 @@ public void should_notCallGenericNonJsonContentValidatorAndCallGenericNonJsonExt
byte[] fileContent = resourceAsByteArray("generic/model-simple-valid-extensions.json");

given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart("file", "simple-model-extensions.json", fileContent, "application/json")
Expand All @@ -250,6 +258,7 @@ public void should_throwSemanticValidationException_when_validatingModelInvalidE

assertThatResponse(
given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart("file", "simple-model-extensions.json", fileContent, "application/json")
Expand All @@ -276,6 +285,7 @@ public void should_throwSyntacticValidationException_when_validatingInvalidJsonE

assertThatResponse(
given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart("file", "simple-model-extensions.json", fileContent, "application/json")
Expand Down Expand Up @@ -304,6 +314,7 @@ public void should_throwSemanticValidationException_when_validatingModelInvalidT

assertThatResponse(
given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart("file", "simple-model-extensions.json", fileContent, "application/json")
Expand Down Expand Up @@ -332,6 +343,7 @@ public void should_throwException_when_validatingModelInvalidSemanticExtensions(

assertThatResponse(
given()
.mockMvc(mockMvc)
.log()
.everything(true)
.multiPart("file", "simple-model-extensions.json", fileContent, "application/json")