DTS-43995: Log injection encode

Change-log: Cache change regression; added missing filter details to DB fetch method.
PublicisSapient · Feb 12, 2025 · dfe90fc · dfe90fc
1 parent 67fc2e4
commit dfe90fc
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 23 deletions.
diff --git a/.../com/publicissapient/kpidashboard/apis/userboardconfig/service/UserBoardConfigHelper.java b/.../com/publicissapient/kpidashboard/apis/userboardconfig/service/UserBoardConfigHelper.java
@@ -18,7 +18,6 @@
 package com.publicissapient.kpidashboard.apis.userboardconfig.service;
 
 import java.util.Collection;
-import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
@@ -29,6 +28,7 @@
 import java.util.stream.Stream;
 
 import org.apache.commons.collections4.CollectionUtils;
+import org.owasp.encoder.Encode;
 
 import com.publicissapient.kpidashboard.apis.enums.UserBoardConfigEnum;
 import com.publicissapient.kpidashboard.common.model.application.KpiCategory;
@@ -172,10 +172,11 @@ public static void applyProjectConfigToUserBoard(UserBoardConfigDTO userBoardCon
 				.flatMap(config -> Stream.of(config.getScrum(), config.getKanban(), config.getOthers())
 						.flatMap(Collection::stream).flatMap(board -> board.getKpis().stream()))
 				.filter(kpi -> !kpi.isShown())
-				.collect(Collectors.toMap(BoardKpis::getKpiId, kpi -> false, (a, b) -> b));
+				.collect(Collectors.toMap(BoardKpis::getKpiId, kpi -> false, (a, b) -> a && b));
 
-		log.info("Disabled KPIs {} for user {} wrt selected projectIds {}", kpiWiseIsShownFlag,
-				userBoardConfig.getUsername(), sanitizeProjectIds(listOfRequestedProj.getBasicProjectConfigIds()));
+		log.debug("Applying project configuration: Disabled KPIs {} for user {} with selected project IDs {}",
+				kpiWiseIsShownFlag, userBoardConfig.getUsername(),
+				listOfRequestedProj.getBasicProjectConfigIds().stream().map(Encode::forJava).toList());
 
 		Stream.of(userBoardConfig.getScrum(), userBoardConfig.getKanban(), userBoardConfig.getOthers())
 				.flatMap(Collection::stream).forEach(boardDTO -> boardDTO.getKpis().forEach(boardKpis -> {
@@ -184,17 +185,4 @@ public static void applyProjectConfigToUserBoard(UserBoardConfigDTO userBoardCon
 				}));
 	}
 
-	/**
-	 * Sanitizes the Projects IDs for log injection prevention.
-	 *
-	 * @param projectIds
-	 *            the list of project IDs to sanitize
-	 * @return a sanitized list of project IDs with newline and carriage return
-	 *         characters removed
-	 */
-	public static List<String> sanitizeProjectIds(List<String> projectIds) {
-		return projectIds == null ? Collections.emptyList()
-				: projectIds.stream().filter(Objects::nonNull).map(id -> id.replaceAll("[\\r\\n]", ""))
-						.collect(Collectors.toList());
-	}
 }
diff --git a/...publicissapient/kpidashboard/apis/userboardconfig/service/UserBoardConfigServiceImpl.java b/...publicissapient/kpidashboard/apis/userboardconfig/service/UserBoardConfigServiceImpl.java
@@ -19,10 +19,8 @@
 import static com.publicissapient.kpidashboard.apis.userboardconfig.service.UserBoardConfigHelper.checkCategories;
 import static com.publicissapient.kpidashboard.apis.userboardconfig.service.UserBoardConfigHelper.checkKPIAddOrRemoveForExistingUser;
 import static com.publicissapient.kpidashboard.apis.userboardconfig.service.UserBoardConfigHelper.checkKPISubCategory;
-import static com.publicissapient.kpidashboard.apis.userboardconfig.service.UserBoardConfigHelper.sanitizeProjectIds;
 
 import java.util.ArrayList;
-import java.util.Collections;
 import java.util.Comparator;
 import java.util.HashMap;
 import java.util.List;
@@ -37,6 +35,7 @@
 
 import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.lang3.tuple.Pair;
+import org.owasp.encoder.Encode;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 
@@ -616,8 +615,7 @@ public ServiceResponse saveBoardConfig(UserBoardConfigDTO userBoardConfigDTO, Co
 		boardConfig = userBoardConfigRepository.save(boardConfig);
 		cacheService.clearCache(CommonConstant.CACHE_USER_BOARD_CONFIG);
 		log.info("Successfully saved {} BoardConfig: {}", configLevel,
-				configLevel == ConfigLevel.PROJECT ? sanitizeProjectIds(Collections.singletonList(basicProjectConfigId))
-						: loggedInUser);
+				configLevel == ConfigLevel.PROJECT ? Encode.forJava(basicProjectConfigId) : loggedInUser);
 		return new ServiceResponse(true, "Successfully Saved board Configuration",
 				userBoardConfigMapper.toDto(boardConfig));
 	}
@@ -633,7 +631,7 @@ public void deleteUser(String userName) {
 		log.info("UserBoardConfigServiceImpl::deleteUser start");
 		userBoardConfigRepository.deleteByUsername(userName);
 		cacheService.clearCache(CommonConstant.CACHE_USER_BOARD_CONFIG);
-		log.info("{} deleted Successfully from user_board_config", userName.replaceAll("[^a-zA-Z0-9_-]", ""));
+		log.info("{} deleted Successfully from user_board_config", Encode.forJava(userName));
 	}
 
 	/**
@@ -646,7 +644,7 @@ public void deleteUser(String userName) {
 	public void deleteProjectBoardConfig(String basicProjectConfigId) {
 		userBoardConfigRepository.deleteByBasicProjectConfigId(basicProjectConfigId);
 		cacheService.clearCache(CommonConstant.CACHE_USER_BOARD_CONFIG);
-		log.info("Successfully deleted project board config: {}", basicProjectConfigId);
+		log.info("Successfully deleted project board config: {}", Encode.forJava(basicProjectConfigId));
 	}
 
 	/**