[ES-1936] Added length check for cookies (#485)

Signed-off-by: pvsaidurga <[email protected]>
mosip · Dec 20, 2024 · 85c3763 · 85c3763
1 parent a19fb5a
commit 85c3763
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 1 deletion.
diff --git a/signup-service/src/main/java/io/mosip/signup/services/WebSocketHandshakeHandler.java b/signup-service/src/main/java/io/mosip/signup/services/WebSocketHandshakeHandler.java
@@ -60,7 +60,11 @@ protected Principal determineUser(ServerHttpRequest request, WebSocketHandler ws
         if(transactionCookie.isEmpty())
             throw new HandshakeFailureException(ErrorConstants.INVALID_TRANSACTION);
 
-        String cookieValue = transactionCookie.get().split(SLOT_COOKIE_NAME)[1];
+        String[] cookieParts = transactionCookie.get().split(SLOT_COOKIE_NAME);
+        if (cookieParts.length < 2) {
+            throw new HandshakeFailureException(ErrorConstants.INVALID_TRANSACTION);
+        }
+        String cookieValue = cookieParts[1].trim();
         log.info("cookie  transactionId; {}", cookieValue);
         String transactionId = cookieValue.split(VALUE_SEPARATOR)[0].trim();
         IdentityVerificationTransaction transaction = cacheUtilService.getSlotAllottedTransaction(transactionId);

diff --git a/signup-service/src/test/java/io/mosip/signup/services/WebSocketHandshakeHandlerTest.java b/signup-service/src/test/java/io/mosip/signup/services/WebSocketHandshakeHandlerTest.java
@@ -112,4 +112,23 @@ public void determineUser_withInValidSlotId_thenFail() throws Exception {
         Mockito.verify(auditHelper).sendAuditTransaction(AuditEvent.HANDSHAKE_FAILED, AuditEventType.ERROR, "Slot", null);
     }
 
+    @Test
+    public void determineUser_withInvalidCookieLength_thenFail() throws Exception {
+
+        IdentityVerificationTransaction transaction = new IdentityVerificationTransaction();
+        transaction.setSlotId("123");
+        Mockito.when(cacheUtilService.getSlotAllottedTransaction(Mockito.anyString())).thenReturn(transaction);
+
+        ServerHttpRequest request = Mockito.mock(ServerHttpRequest.class);
+        HttpHeaders headers=new HttpHeaders();
+        headers.set("Cookie","IDV_SLOT_ALLOTTED=");
+        Mockito.when(request.getHeaders()).thenReturn(headers);
+        Mockito.when(request.getURI()).thenReturn(new URI("http://localhost?slotId=123"));
+        try{
+            webSocketHandshakeHandler.determineUser(request, Mockito.mock(WebSocketHandler.class), attributes);
+        }catch (HandshakeFailureException e){
+            Assert.assertEquals(ErrorConstants.INVALID_TRANSACTION, e.getMessage());
+        }
+    }
+
 }