Merge branch 'dev' into dev-pg

Author: mtwomey

src/main/java/com/appirio/tech/core/service/identity/resource/UserResource.java

@@ -1360,9 +1360,24 @@ protected boolean isValidStatusValue(String status) {
 
     protected String getResetPasswordUrlPrefix(HttpServletRequest request) {
         String resetPasswordUrlPrefix = request.getParameter("resetPasswordUrlPrefix");
-        if(resetPasswordUrlPrefix!=null)
+        if(resetPasswordUrlPrefix!=null) {
+            // Sanitize / ensure domains other than topcoder.com or topcoder-dev.com can't be used.
+            int i = resetPasswordUrlPrefix.indexOf("://");
+            i = i < 0 ? 0 : i + 3;
+            String domainName = resetPasswordUrlPrefix.substring(i);
+            i = domainName.indexOf("/");
+            i = i < 0 ? domainName.length() : i;
+            domainName = domainName.substring(0, i);
+            i = domainName.lastIndexOf(".");
+            i = domainName.lastIndexOf(".", i - 1);
+            domainName = domainName.substring(i + 1);
+            if (!(domainName.equals("topcoder.com") || domainName.equals("topcoder-dev.com"))) {
+                resetPasswordUrlPrefix = null;
+            }
+
             return resetPasswordUrlPrefix;
-        
+        }
+
         String source = request.getParameter("source");
         String domain = getDomain()!=null ? getDomain() : "topcoder.com";
         String template = "https://%s.%s/reset-password";

src/test/java/com/appirio/tech/core/service/identity/resource/UserResourceTest.java

@@ -3678,7 +3678,7 @@ public void testGetResetPasswordUrlPrefix_SpecificDomain_Connect() {
     public void testGetResetPasswordUrlPrefix_UrlSpecified() {
         // mock
         String source = "connect";
-        String prefix = "DUMMY-PREFIX";
+        String prefix = "DUMMY-HOST.topcoder-dev.com";
         HttpServletRequest request = mock(HttpServletRequest.class);
         doReturn(source).when(request).getParameter("source");
         doReturn(prefix).when(request).getParameter("resetPasswordUrlPrefix");