[ALS-4981] PIC-SURE PSAMA FENCE medium findings (#135)

[ALS-4981] Validate fence code is alphanumeric
hms-dbmi · Sep 14, 2023 · 87b342b · 87b342b
1 parent 6a29a94
commit 87b342b
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/...main/java/edu/harvard/hms/dbmi/avillach/auth/service/auth/FENCEAuthenticationService.java b/...main/java/edu/harvard/hms/dbmi/avillach/auth/service/auth/FENCEAuthenticationService.java
@@ -157,6 +157,12 @@ public Response getFENCEProfile(String callback_url, Map<String, String> authReq
         logger.debug("getFENCEProfile() starting...");
         String fence_code  = authRequest.get("code");
 
+        // Validate that the fence code is alphanumeric
+        if (!fence_code.matches("[a-zA-Z0-9]+")) {
+            logger.error("getFENCEProfile() fence code is not alphanumeric");
+            throw new NotAuthorizedException("The fence code is not alphanumeric");
+        }
+
         JsonNode fence_user_profile = null;
         // Get the Gen3/FENCE user profile. It is a JsonNode object
         try {

diff --git a/.../main/java/edu/harvard/hms/dbmi/avillach/auth/service/auth/OpenAuthenticationService.java b/.../main/java/edu/harvard/hms/dbmi/avillach/auth/service/auth/OpenAuthenticationService.java
@@ -36,8 +36,12 @@ public Response authenticate(Map<String, String> authRequest) {
 
         // Try to get the user by UUID
         if (StringUtils.isNotBlank(userUUID)) {
-            UUID uuid = UUID.fromString(userUUID);
-            current_user = userRepository.findByUUID(uuid);
+            try {
+                UUID uuid = UUID.fromString(userUUID);
+                current_user = userRepository.findByUUID(uuid);
+            } catch (IllegalArgumentException e) {
+                logger.error("Invalid UUID: " + userUUID);
+            }
         }
 
         // If we can't find the user by UUID, create a new one