prevent rest deserialization of critical data

Author: Alexander Geist

multibanking-encrypted/src/main/java/org/adorsys/psd2/hbci/service/HbciService.java

@@ -38,7 +38,7 @@ public HbciService(EncryptionService encryptionService) {
 			@ApiResponse(code = 400, message = "Bad request", responseHeaders=@ResponseHeader(name="ERROR_KEY", description="BAD_REQUEST"))})
 	public EncryptedListOfHbciBankAccounts loadBankAccounts(@ApiParam(value="The encrypted bank access object") EncryptedHbciLoadAccountRequest encryptedRequest) {
 		HbciLoadAccountsRequest request = encryptionService.decrypt(encryptedRequest.getJweString(), HbciLoadAccountsRequest.class);
-		List<BankAccount> bancAccountList = onlineBankingService.loadBankAccounts(request.getBankAccess(), request.getPin());
+		List<BankAccount> bancAccountList = onlineBankingService.loadBankAccounts(null, request.getBankAccess(), request.getPin());
 
 		String encryptedJwe = encryptionService.encrypt(bancAccountList, request);
 		EncryptedListOfHbciBankAccounts resp = new EncryptedListOfHbciBankAccounts();
@@ -51,7 +51,7 @@ public EncryptedListOfHbciBankAccounts loadBankAccounts(@ApiParam(value="The enc
 			@ApiResponse(code = 400, message = "Bad request", responseHeaders=@ResponseHeader(name="ERROR_KEY", description="BAD_REQUEST"))})
 	public EncryptedListOfHbciBookings loadPostings(@ApiParam(value="The encrypted bank access object") EncryptedHbciLoadBookingsRequest encryptedRequest) {
 		HbciLoadBookingsRequest request = encryptionService.decrypt(encryptedRequest.getJweString(), HbciLoadBookingsRequest.class);
-		List<Booking> bookingList = onlineBankingService.loadBookings(request.getBankAccess(), request.getBankAccount(), request.getPin());
+		List<Booking> bookingList = onlineBankingService.loadBookings(null, request.getBankAccess(), request.getBankAccount(), request.getPin());
 
 		String encryptedJwe = encryptionService.encrypt(bookingList, request);
 		EncryptedListOfHbciBookings resp = new EncryptedListOfHbciBookings();

multibanking-persistence/src/main/java/de/adorsys/multibanking/domain/BankAccessEntity.java

@@ -1,6 +1,9 @@
 package de.adorsys.multibanking.domain;
 
+import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import de.adorsys.multibanking.encrypt.Encrypted;
 import domain.BankAccess;
 import lombok.Data;
@@ -11,12 +14,14 @@
 import org.springframework.data.mongodb.core.index.Indexed;
 import org.springframework.data.mongodb.core.mapping.Document;
 
+import java.io.IOException;
+
 /**
  * Created by alexg on 07.02.17.
  */
 @Data
 @Document
-@JsonIgnoreProperties({"getPassportState", "getPin"})
+@JsonIgnoreProperties(value = {"pin", "passportState", "externalIdMap"}, allowSetters = true)
 @Encrypted(exclude = {"_id", "userId"})
 public class BankAccessEntity extends BankAccess {
 
@@ -30,4 +35,30 @@ public BankAccessEntity id(String id) {
         this.id = id;
         return this;
     }
+
+    public static void main(String[] args) {
+        ObjectMapper mapper = new ObjectMapper();
+
+        BankAccessEntity bankAccessEntity = new BankAccessEntity();
+        bankAccessEntity.setPin("pin12345");
+        bankAccessEntity.setUserId("userasdfasdf");
+
+        try {
+            System.out.println(mapper.writeValueAsString(bankAccessEntity));
+        } catch (JsonProcessingException e) {
+            // TODO Auto-generated catch block
+            e.printStackTrace();
+        }
+
+        String jsonString = "{ \"pin\":\"pin12345\",\"userId\":\"userasdfasdf\" }";
+        try {
+            bankAccessEntity = mapper.readValue(jsonString, BankAccessEntity.class);
+
+            System.out.println(bankAccessEntity.getPin());
+        } catch (IOException e) {
+            // TODO Auto-generated catch block
+            e.printStackTrace();
+        }
+
+    }
 }

multibanking-persistence/src/main/java/de/adorsys/multibanking/domain/BookingEntity.java

@@ -18,7 +18,7 @@
         @CompoundIndex(name = "booking_index", def = "{'userId': 1, 'accountId': 1}"),
         @CompoundIndex(name = "booking_unique_index", def = "{'externalId': 1, 'accountId': 1}", unique = true)
 })
-@Encrypted(exclude = {"_id", "accountId", "externalId", "userId", "valutaDate", "bookingDate"})
+@Encrypted(exclude = {"_id", "accountId", "externalId", "userId", "valutaDate", "bookingDate", "bankApi"})
 public class BookingEntity extends Booking {
 
     @Id

multibanking-persistence/src/main/java/de/adorsys/multibanking/repository/BookingRepository.java

@@ -1,6 +1,7 @@
 package de.adorsys.multibanking.repository;
 
 import de.adorsys.multibanking.domain.BookingEntity;
+import domain.BankApi;
 import org.springframework.data.mongodb.repository.MongoRepository;
 import org.springframework.stereotype.Repository;
 
@@ -13,7 +14,7 @@
 @Repository
 public interface BookingRepository extends MongoRepository<BookingEntity, String> {
 
-    List<BookingEntity> findByUserIdAndAccountId(String userId, String bankAccountId);
+    List<BookingEntity> findByUserIdAndAccountIdAndBankApi(String userId, String bankAccountId, BankApi bankApi);
 
     Optional<BookingEntity> findByUserIdAndId(String userId, String bookingId);