-
Notifications
You must be signed in to change notification settings - Fork 163
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
* RHPAM-4719: Persistent Cross-Site Scripting (XSS) Fixes RHPAM-4716 & RHPAM-4717 by using StringEscapeUtils:: escapeHtml4() method in ProjectResource and by implementing helper method, using escapeHtml4(), to escape conrtributors names in OrganizationalUnitServiceImpl * RHPAM-4719: Add unit test cases for XSS data * RHPAM-4719: Replace single qoute with nothing * RHPAM-4917: Expand escaping to RepositoryService Refactors unit tests to use same methods as in main classes Add some unit tests * Fix code duplication Moves methods for escaping out of services * Increase coverage and remove code smells Co-authored-by: Dominik Hanák <[email protected]>
- Loading branch information
1 parent
f90fc31
commit eb4125d
Showing
10 changed files
with
306 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
53 changes: 53 additions & 0 deletions
53
...erfire-structure-backend/src/main/java/org/guvnor/structure/backend/InputEscapeUtils.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
/* | ||
* Copyright 2023 Red Hat, Inc. and/or its affiliates. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
|
||
package org.guvnor.structure.backend; | ||
|
||
import java.util.ArrayList; | ||
import java.util.Collection; | ||
|
||
import org.apache.commons.text.StringEscapeUtils; | ||
import org.uberfire.security.Contributor; | ||
|
||
/** | ||
* Utility class to provide input escaping or other | ||
* functionality needed by backend services to sanitize inputs. | ||
*/ | ||
public class InputEscapeUtils { | ||
|
||
private InputEscapeUtils() { | ||
// non-instantiable class | ||
} | ||
|
||
public static Collection<Contributor> escapeContributorsNames(Collection<Contributor> contributors) { | ||
Collection<Contributor> escapedContributors = new ArrayList<>(); | ||
contributors.forEach((contributor -> { | ||
String escapedName = escapeHtmlInput(contributor.getUsername()); | ||
escapedContributors.add(new Contributor(escapedName, contributor.getType())); | ||
})); | ||
return escapedContributors; | ||
} | ||
|
||
public static String escapeHtmlInput(String input) { | ||
if (input != null) { | ||
String escapedInput = StringEscapeUtils.escapeHtml4(input); | ||
escapedInput = escapedInput.replace("'", ""); | ||
return escapedInput; | ||
} else { | ||
return null; | ||
} | ||
} | ||
|
||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
33 changes: 33 additions & 0 deletions
33
...re-structure-backend/src/test/java/org/guvnor/structure/backend/InputEscapeUtilsTest.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
package org.guvnor.structure.backend; | ||
|
||
import org.apache.commons.text.StringEscapeUtils; | ||
import org.assertj.core.api.Assertions; | ||
import org.junit.Test; | ||
|
||
import static org.guvnor.structure.backend.InputEscapeUtils.escapeHtmlInput; | ||
|
||
public class InputEscapeUtilsTest { | ||
|
||
@Test | ||
public void testEscapeHtmlInput() { | ||
final String xssString = "<img/src/onerror=alert(\"XSS\")>"; | ||
final String expectedResult = StringEscapeUtils.escapeHtml4(xssString).replace("'", ""); | ||
final String result = escapeHtmlInput(xssString); | ||
Assertions.assertThat(result).isEqualTo(expectedResult); | ||
} | ||
|
||
@Test | ||
public void testEscapeHtmlInputWithSingleQoutes() { | ||
final String xssString = "<img/src/onerror=alert('XSS')>"; | ||
final String expectedResult = StringEscapeUtils.escapeHtml4(xssString).replace("'", ""); | ||
final String result = escapeHtmlInput(xssString); | ||
Assertions.assertThat(result).isEqualTo(expectedResult); | ||
} | ||
|
||
@Test | ||
public void testEscapeHtmlInputNull() { | ||
final String xssString = null; | ||
final String result = escapeHtmlInput(xssString); | ||
Assertions.assertThat(result).isNull(); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.