Additional validation for AuditLog entity

ViacheslavKlimov 2022-10-06 11:46:24 +03:00
parent 1323edf5aa
commit d86c20b354
4 changed files with 10 additions and 3 deletions


@ -22,6 +22,7 @@ import lombok.Data;
import lombok.EqualsAndHashCode;
import org.thingsboard.server.common.data.BaseData;
import org.thingsboard.server.common.data.id.*;
import org.thingsboard.server.common.data.validation.NoXss;
@ApiModel
@EqualsAndHashCode(callSuper = true)
@ -34,10 +35,12 @@ public class AuditLog extends BaseData<AuditLogId> {
private CustomerId customerId;
@ApiModelProperty(position = 5, value = "JSON object with Entity id", accessMode = ApiModelProperty.AccessMode.READ_ONLY)
private EntityId entityId;
@NoXss
@ApiModelProperty(position = 6, value = "Name of the logged entity", example = "Thermometer", accessMode = ApiModelProperty.AccessMode.READ_ONLY)
private String entityName;
@ApiModelProperty(position = 7, value = "JSON object with User id.", accessMode = ApiModelProperty.AccessMode.READ_ONLY)
private UserId userId;
@NoXss
@ApiModelProperty(position = 8, value = "Unique user name(email) of the user that performed some action on logged entity", example = "tenant@thingsboard.org", accessMode = ApiModelProperty.AccessMode.READ_ONLY)
private String userName;
@ApiModelProperty(position = 9, value = "String represented Action type", example = "ADDED", accessMode = ApiModelProperty.AccessMode.READ_ONLY)
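Review bot: `@NoXss` is added only to `entityName` and `userName` in this hunk; the service hunk in the same commit also feeds `actionFailureDetails` into the same entry, and whether that and the other string fields of AuditLog get an equivalent check is not visible here, since they sit outside the hunk, so it is worth confirming. Both annotated fields carry `accessMode = READ_ONLY`, so the constraint is presumably enforced when the service saves the entry rather than at the REST layer; a one-line comment above the annotations such as `// enforced by auditLogValidator on save, not on API input` would make that reading explicit for the next maintainer. The class body continues outside the hunk.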


@ -382,7 +382,11 @@ public class AuditLogServiceImpl implements AuditLogService {
AuditLog auditLogEntry = createAuditLogEntry(tenantId, entityId, entityName, customerId, userId, userName,
actionType, actionData, actionStatus, actionFailureDetails);
log.trace("Executing logAction [{}]", auditLogEntry);
auditLogValidator.validate(auditLogEntry, AuditLog::getTenantId);
try {
auditLogValidator.validate(auditLogEntry, AuditLog::getTenantId);
} catch (Exception e) {
return Futures.immediateFailedFuture(e);
}
List<ListenableFuture<Void>> futures = Lists.newArrayListWithExpectedSize(INSERTS_PER_ENTRY);
futures.add(auditLogDao.saveByTenantId(auditLogEntry));
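Review bot: The new `} catch (Exception e) {` around `auditLogValidator.validate(...)` is broader than the failure the validator is shown to produce; the DataValidator hunk in this same commit catches and rethrows `DataValidationException`, so narrowing to `} catch (DataValidationException e) {` (import permitting) would keep programming errors such as an unexpected null from being quietly folded into a failed future. If wrapping every exception into the future is deliberate to preserve the asynchronous contract for callers, a short comment saying so on the catch line would record that intent. The enclosing logAction method starts and ends outside this hunk.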


@ -62,7 +62,7 @@ public abstract class DataValidator<D extends BaseData<?>> {
}
return old;
} catch (DataValidationException e) {
log.error("Data object is invalid: [{}]", e.getMessage());
log.error("{} object is invalid: [{}]", data == null ? "Data" : data.getClass().getSimpleName(), e.getMessage());
throw e;
}
}
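Review bot: The new `log.error("{} object is invalid: [{}]", ...)` line still emits `e.getMessage()` at ERROR level; if validator messages embed the rejected value (an `@NoXss` failure could plausibly carry the offending string), externally supplied content reaches the log unescaped, so it is worth confirming that messages name the field rather than echo the value, or stripping line breaks before logging. Because the exception is rethrown on the next line, callers may log it a second time; a comment such as `// logged here so the concrete data class is recorded even if the caller swallows the exception` would explain why this level is used at this layer. The enclosing method starts outside this hunk.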


@ -42,7 +42,7 @@ public class NoXssValidatorTest {
"<p><a href=\"http://htmlbook.ru/example/knob.html\">Link!!!</a></p>1221",
"<h3>Please log in to proceed</h3> <form action=http://192.168.149.128>Username:<br><input type=\"username\" name=\"username\"></br>Password:<br><input type=\"password\" name=\"password\"></br><br><input type=\"submit\" value=\"Log in\"></br>",
" <img src= \"http://site.com/\" > ",
"123 <input type=text value=a onfocus=alert(1337) AUTOFOCUS>bebe",
"123 <input type=text value=a onfocus=alert(1337) AUTOFOCUS>bebe"
})
public void testIsNotValid(String stringWithXss) {
boolean isValid = validator.isValid(stringWithXss, mock(ConstraintValidatorContext.class));
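Review bot: The old and new parameter lines `"123 <input type=text value=a onfocus=alert(1337) AUTOFOCUS>bebe"` read identically in this rendering, so whatever actually changed (a whitespace or non-printing character, presumably) is invisible to a reviewer; a short comment on the new line naming what distinguishes this payload from the one above it would keep the test's intent readable. The testIsNotValid method continues outside the hunk.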