DTS-37340 Develop : codeql log injection issue fix for Marriott

customapi/src/main/java/com/publicissapient/kpidashboard/apis/rbac/accessrequests/rest/AccessRequestsController.java

@@ -100,6 +100,7 @@
 	@GetMapping(value = "/{id}")
 	@PreAuthorize("hasPermission(null,'GET_ACCESS_REQUEST')")
 	public ResponseEntity<ServiceResponse> getAccessRequestById(@PathVariable("id") String id) {
+
 		log.info("Getting request@{}", id);
 		return ResponseEntity.status(HttpStatus.OK).body(accessRequestsHelperService.getAccessRequestById(id));
 	}
@@ -114,6 +115,7 @@
 	@GetMapping(value = "/user/{username}")
 	@PreAuthorize("hasPermission(#username,'GET_ACCESS_REQUESTS_OF_USER')")
 	public ResponseEntity<ServiceResponse> getAccessRequestByUsername(@PathVariable("username") String username) {
+		CommonUtils.sanitizeUserInput(username);
 		log.info("Getting all requests under user {}", username);
 		return ResponseEntity.status(HttpStatus.OK)
 				.body(accessRequestsHelperService.getAccessRequestByUsername(username));
@@ -129,6 +131,7 @@
 	@GetMapping(value = "/status/{status}")
 	@PreAuthorize("hasPermission(#status,'ACCESS_REQUEST_STATUS')")
 	public ResponseEntity<ServiceResponse> getAccessRequestByStatus(@PathVariable("status") String status) {
+		CommonUtils.sanitizeUserInput(status);
 		log.info("Getting all requests with current status {}", status);
 		return ResponseEntity.status(HttpStatus.OK).body(accessRequestsHelperService.getAccessRequestByStatus(status));
 	}
@@ -148,7 +151,7 @@
 			@Valid @RequestBody AccessRequestDecision accessRequestDecision) {
 
 		ServiceResponse[] serviceResponse = new ServiceResponse[1];
-
+		CommonUtils.sanitizeUserInput(id);
 		if (Constant.ACCESS_REQUEST_STATUS_APPROVED.equalsIgnoreCase(accessRequestDecision.getStatus())) {
 			log.info("Approve access {}", id);
 
@@ -229,9 +232,8 @@
 	 */
 	@DeleteMapping("/{id}")
 	public ResponseEntity<ServiceResponse> deleteAccessRequestById(@PathVariable("id") String id) {
-		log.info("request received for deleting access request with id @{}", id);
-
 		id = CommonUtils.handleCrossScriptingTaintedValue(id);
+		log.info("request received for deleting access request with id @{}", id);
 		ServiceResponse response = null;
 
 		if (projectAccessManager.deleteAccessRequestById(id)) {
@@ -255,6 +257,7 @@
 	@RequestMapping(value = "/{status}/notification", method = RequestMethod.GET, consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE) // NOSONAR
 	public ResponseEntity<ServiceResponse> getNotificationByStatus(@PathVariable("status") String status,
 			HttpServletRequest request) {
+		CommonUtils.sanitizeUserInput(status);
 		log.info("Getting requests count with current status {}", status);
 		return ResponseEntity.status(HttpStatus.OK)
 				.body(accessRequestsHelperService.getNotificationByStatus(status , false));
@@ -271,6 +274,7 @@
 	@RequestMapping(value = "/{status}/notification/central", method = RequestMethod.GET, consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE) // NOSONAR
 	public ResponseEntity<ServiceResponse> getNotificationByStatusForCentral(@PathVariable("status") String status,
 			HttpServletRequest request) {
+		CommonUtils.sanitizeUserInput(status);
 		log.info("Getting requests count with current status {}", status);
 		return ResponseEntity.status(HttpStatus.OK)
 				.body(accessRequestsHelperService.getNotificationByStatus(status , true));

customapi/src/main/java/com/publicissapient/kpidashboard/apis/userboardconfig/service/UserBoardConfigServiceImpl.java

@@ -31,6 +31,7 @@
 import java.util.stream.Stream;
 import java.util.stream.StreamSupport;
 
+import com.publicissapient.kpidashboard.apis.util.CommonUtils;
 import org.apache.commons.collections4.CollectionUtils;
 import org.bson.types.ObjectId;
 import org.modelmapper.ModelMapper;
@@ -680,7 +681,7 @@ public UserBoardConfigDTO saveUserBoardConfig(UserBoardConfigDTO userBoardConfig
 	public void deleteUser(String userName) {
 		log.info("UserBoardConfigServiceImpl::deleteUser start");
 		userBoardConfigRepository.deleteByUsername(userName);
-		log.info(userName + " deleted Successfully from user_board_config");
+		log.info(CommonUtils.sanitizeUserInput(userName) + " deleted Successfully from user_board_config");
 	}
 
 	/**

customapi/src/main/java/com/publicissapient/kpidashboard/apis/util/CommonUtils.java

@@ -44,7 +44,6 @@
 import org.springframework.http.HttpHeaders;
 import org.springframework.web.util.UriComponentsBuilder;
 
-import com.publicissapient.kpidashboard.apis.auth.AuthProperties;
 import com.publicissapient.kpidashboard.apis.constant.Constant;
 import com.publicissapient.kpidashboard.apis.enums.KPISource;
 import com.publicissapient.kpidashboard.apis.model.SymbolValueUnit;
@@ -60,6 +59,7 @@
  */
 @Slf4j
 public final class CommonUtils {
+	private static final Pattern ALPHANUMERIC_PATTERN = Pattern.compile("[^a-zA-Z0-9]");
 
 	public static final int FIFTH_DAY_OF_WEEK = 5;
 
@@ -581,4 +581,8 @@ public static String getAPIEndPointURL(String centralAuthEndPoint, String resour
 	}
 
 	// -- auth-N-auth changes ends here ------
+	public static String sanitizeUserInput(String input) {
+		return ALPHANUMERIC_PATTERN.matcher(input).replaceAll("");
+	}
+
 }

customapi/src/main/java/com/publicissapient/kpidashboard/apis/util/KPIHelperUtil.java

@@ -256,17 +256,18 @@
 		}
 
 		if (null == root) {
-			throw new ApplicationException(KpiRequest.class, "kpiRequestTrackerId", kpiRequest.getRequestTrackerId());
+			throw new ApplicationException(KpiRequest.class, "kpiRequestTrackerId", CommonUtils.sanitizeUserInput(kpiRequest.getRequestTrackerId()));
+		}
+		if (kpiRequest.getRequestTrackerId().matches("\\w*")) {
+			log.debug("[CREATED-TREE][{}]. Tree created from nodes {}", kpiRequest.getRequestTrackerId(), root);
 		}
-
-		log.debug("[CREATED-TREE][{}]. Tree created from nodes {}", kpiRequest.getRequestTrackerId(), root);
 
 		List<Node> leafNodeList = new ArrayList<>();
 		List<Node> projectNodeList = new ArrayList<>();
 		getLeafNodes(root, leafNodeList);
 		getProjectNodes(root, projectNodeList);
 
-		log.debug("[LEAF_NODES][{}]. Leaf nodes of the tree {}", kpiRequest.getRequestTrackerId(), leafNodeList);
+		log.debug("[LEAF_NODES][{}]. Leaf nodes of the tree {}", CommonUtils.sanitizeUserInput(kpiRequest.getRequestTrackerId()), leafNodeList);
 
 		Map<String, List<Node>> result = leafNodeList.stream().distinct()
 				.collect(Collectors.groupingBy(Node::getGroupName, Collectors.toList()));