Bug #14836

mmoqui · mmoqui · commit be38831b546c · 2025-04-30T16:19:58.000+02:00
The pb is the query part of the URI of HTTP GET requests isn't taken when
checking for attempt to perform a CRUD operation on a resource in Silverpeas.
Now all parts of the query is checked.
Ensure also to avoid regexp flooding.
diff --git a/core-rs/src/main/java/org/silverpeas/core/web/token/SynchronizerTokenService.java b/core-rs/src/main/java/org/silverpeas/core/web/token/SynchronizerTokenService.java
@@ -46,6 +46,7 @@
 import java.time.OffsetDateTime;
 import java.util.Arrays;
 import java.util.List;
+import java.util.Optional;
 
 /**
  * A service to manage the synchronizer tokens used in Silverpeas to protect the user sessions or
@@ -65,12 +66,14 @@ public class SynchronizerTokenService {
   public static final String SESSION_TOKEN_KEY = "X-STKN";
   public static final String NAVIGATION_TOKEN_KEY = "X-NTKN";
   private static final String UNPROTECTED_URI_RULE =
-      "(?i)(?!.*(/icons/|/images/|/qaptcha|rpdcsearch/|rclipboard/|rselectionpeaswrapper/|rusernotification/|services/usernotifications/|blockingNews|services/password/)).*";
+      "(?i)(?![\\w/]{0,500}(/icons/|/images/|/qaptcha|rpdcsearch/|rclipboard" +
+          "/|rselectionpeaswrapper/|rusernotification/|services/usernotifications/|blockingNews" +
+          "|services/password/)).{0,500}";
   private static final String DEFAULT_GET_RULE_KEYWORDS = "(delete|update|creat|save|block)";
   private static final String DEFAULT_GET_RULE_ON_KEYWORD =
-      "(?i)^.*" + DEFAULT_GET_RULE_KEYWORDS + ".*$";
+      "(?i)^.{0,500}" + DEFAULT_GET_RULE_KEYWORDS + ".{0,500}$";
   private static final String DEFAULT_GET_RULE =
-      "(?i)^/\\w+[\\w/]*/jsp/.*" + DEFAULT_GET_RULE_KEYWORDS + ".*$";
+      "(?i)^/\\w+[\\w/]{0,500}/jsp/.{0,500}" + DEFAULT_GET_RULE_KEYWORDS + ".{0,500}$";
   private static final SilverLogger logger = SilverLogger.getLogger("silverpeas.core.security");
   private static final List<String> DEFAULT_PROTECTED_METHODS = Arrays.asList("POST", "PUT",
       "DELETE");
@@ -184,14 +187,21 @@ public void validate(HttpServletRequest request, final boolean onKeywordsOnly)
    * validated.
    */
   public boolean isAProtectedResource(HttpServletRequest request, final boolean onKeywordsOnly) {
+    // attempt to bypass the protection by overflowing the regexp matching
+    if (request.getRequestURI().length() > 500) {
+      return true;
+    }
     boolean isProtected = false;
     if (request.getRequestURI().matches(UNPROTECTED_URI_RULE)) {
       isProtected = DEFAULT_PROTECTED_METHODS.contains(request.getMethod());
       if (!isProtected && "GET".equals(request.getMethod())) {
         String path = getRequestPath(request);
+        String query = Optional.ofNullable(request.getQueryString())
+            .map(q -> "?" + q)
+            .orElse("");
         isProtected = onKeywordsOnly ?
-            path.matches(DEFAULT_GET_RULE_ON_KEYWORD) :
-            path.matches(DEFAULT_GET_RULE);
+            (path + query).matches(DEFAULT_GET_RULE_ON_KEYWORD) :
+            (path + query).matches(DEFAULT_GET_RULE);
       }
     }
     return isProtected;
diff --git a/core-war/src/main/java/org/silverpeas/web/todo/servlets/TodoRequestRouter.java b/core-war/src/main/java/org/silverpeas/web/todo/servlets/TodoRequestRouter.java
@@ -35,10 +35,6 @@
 
 import java.util.Collection;
 
-/**
- * Class declaration
- * @author
- */
 public class TodoRequestRouter extends ComponentRequestRouter<ToDoSessionController> {
 
   private static final long serialVersionUID = 6455939825707914384L;
@@ -74,17 +70,15 @@ public String getSessionControlBeanName() {
    */
   public String getDestination(String function, ToDoSessionController scc,
       HttpRequest request) {
-
-    String destination = "";
-
+    String destination;
     try {
 
       final String defaultDestination = "/todo/jsp/todo.jsp";
       if (function.startsWith("Main")) {
         scc.getSelectedTodoIds().clear();
         destination = defaultDestination;
       } else if (function.startsWith("searchResult")) {
-        destination = "/todo/jsp/todoEdit.jsp?Action=Update&ToDoId="
+        destination = "/todo/jsp/todoEdit.jsp?Action=Edit&ToDoId="
             + request.getParameter("Id");
       } else if (function.startsWith("diffusion")) {
         // initialisation du userPanel avec les participants
@@ -97,7 +91,7 @@ public String getDestination(String function, ToDoSessionController scc,
       } else if ("DeleteTodo".equals(function)) {
         request.mergeSelectedItemsInto(scc.getSelectedTodoIds());
         if (!scc.getSelectedTodoIds().isEmpty()) {
-          scc.removeTabToDo(scc.getSelectedTodoIds().toArray(new String[scc.getSelectedTodoIds().size()]));
+          scc.removeTabToDo(scc.getSelectedTodoIds().toArray(new String[0]));
         }
         scc.getSelectedTodoIds().clear();
         destination = defaultDestination;
diff --git a/core-war/src/main/webapp/todo/jsp/todoEdit.jsp b/core-war/src/main/webapp/todo/jsp/todoEdit.jsp
@@ -75,8 +75,8 @@ function gotoToDo()
 }
 
 function ifCorrectFormExecute(callback) {
-  var errorMsg = "";
-  var errorNb = 0;
+  let errorMsg = "";
+  let errorNb = 0;
 
   if (isWhitespace(document.todoEditForm.Name.value)) {
     errorMsg += "  - '<%=todo.getString("nomToDo")%>' <%=todo.getString("MustContainsText")%>\n";
@@ -89,7 +89,7 @@ function ifCorrectFormExecute(callback) {
     errorNb++;
   }
 
-  var dateErrors = isPeriodValid('StartDate', 'EndDate');
+  const dateErrors = isPeriodValid('StartDate', 'EndDate');
   $(dateErrors).each(function(index, error) {
     errorMsg += "  - " + error.message + "\n";
     errorNb++;
@@ -112,25 +112,25 @@ function ifCorrectFormExecute(callback) {
 }
 
 
-function reallyAdd()
+function save()
 {
   ifCorrectFormExecute(function() {
-    document.todoEditForm.Action.value = "ReallyAdd";
+    document.todoEditForm.Action.value = "Save";
     document.todoEditForm.submit();
   });
 }
 
-function reallyUpdate()
+function update()
 {
-	document.todoEditForm.Name.disabled = false;
+  document.todoEditForm.Name.disabled = false;
   document.todoEditForm.PercentCompleted.disabled = false;
   document.todoEditForm.Description.disabled = false;
   document.todoEditForm.StartDate.disabled = false;
   document.todoEditForm.EndDate.disabled = false;
   document.todoEditForm.Classification.disabled = false;
   document.todoEditForm.Priority.disabled = false;
   ifCorrectFormExecute(function() {
-   document.todoEditForm.Action.value = "ReallyUpdate";
+   document.todoEditForm.Action.value = "Update";
    document.todoEditForm.submit();
   });
 }
@@ -164,7 +164,7 @@ function test(){
   String toPrint = null;
 
 
-  if (action.equals("Add") || action.equals("Update")) {
+  if (action.equals("Add") || action.equals("Edit")) {
     todo.setCurrentToDoHeader(null);
     todo.setCurrentAttendees(null);
   }
@@ -177,12 +177,12 @@ function test(){
     String toDoId = request.getParameter("ToDoId");
 
     if (toDoId != null) {
-      if (toDoId.length() == 0) {
+      if (toDoId.isEmpty()) {
         toDoId = null;
       }
     }
 
-    /* Update et premier acces a la page */
+    /* Edit et premier acces a la page */
     if (toDoId != null) {
       todoHeader = todo.getToDoHeader(toDoId);
       attendees = todo.getToDoAttendees(toDoId);
@@ -264,8 +264,8 @@ function test(){
   </head>
 
   <%
-  /* ReallyAdd || ReallyUpdate */
-  if (action.equals("ReallyAdd") || action.equals("ReallyUpdate")) {
+  /* Save || Update */
+  if (action.equals("Save") || action.equals("Update")) {
     String name = request.getParameter("Name");
     String description = request.getParameter("Description");
     String priority = request.getParameter("Priority");
@@ -290,11 +290,11 @@ function test(){
                 Date date1 = null;
                 if (name == null)
                         throw new Exception("nameErreur");
-                else if (name.length() == 0)
+                else if (name.isEmpty())
                         throw new Exception("nameErreur");
 
                 try {
-                        if (startDate.trim().length() > 0)
+                        if (!startDate.trim().isEmpty())
                                 date1 = DateUtil.stringToDate(startDate, todo.getLanguage());
                 }
                 catch (java.text.ParseException e) {
@@ -304,7 +304,7 @@ function test(){
                 Date date2 = null;
 
                 try {
-                  if (endDate.trim().length() == 0)
+                  if (endDate.trim().isEmpty())
                         date2 = date1;
                   else
                                 date2 = DateUtil.stringToDate(endDate, todo.getLanguage());
@@ -325,7 +325,7 @@ function test(){
                         j++;
                 }
 
-                /* ReallyAdd */
+                /* Save */
                 // now diffusion list can be empty
                 if (todoHeader.getId() == null) {
                         String id = todo.addToDo(name, description, priority, classification, date1, startHour, date2, endHour, percent);
@@ -336,7 +336,7 @@ function test(){
                         return;
                 }
 
-                /* ReallyUpdate */
+                /* Update */
                 else {
                         if (todo.getUserId().equals(todoHeader.getDelegatorId())) {
                                 todo.updateToDo(todoHeader.getId(), name, description, priority, classification, date1, startHour, date2, endHour, percent);
@@ -416,8 +416,8 @@ function test(){
                 out.println("</div>");
   }
 
-  /* Add || Update || View || DiffusionListOK */
-  else if (action.equals("Update") || action.equals("Add") || action.equals("View") || action.equals("DiffusionListOK")) {
+  /* Add || Edit || View || DiffusionListOK */
+  else if (action.equals("Edit") || action.equals("Add") || action.equals("View") || action.equals("DiffusionListOK")) {
 %>
 <center>
 <view:board>
@@ -617,9 +617,9 @@ out.println(frame.printMiddle());
                                         ButtonPane pane = graphicFactory.getButtonPane();
                                         Button button = null;
                                         if (todoHeader.getId() != null)
-                                                button = graphicFactory.getFormButton(todo.getString("mettreAJour"), "javascript:onClick=reallyUpdate()", false);
+                                                button = graphicFactory.getFormButton(todo.getString("mettreAJour"), "javascript:onClick=update()", false);
                                         else
-                                                button = graphicFactory.getFormButton(todo.getString("ajouter"), "javascript:onClick=reallyAdd()", false);
+                                                button = graphicFactory.getFormButton(todo.getString("ajouter"), "javascript:onClick=save()", false);
 
                                         pane.addButton(button);
 
diff --git a/core-web/src/main/java/org/silverpeas/core/web/filter/exception/WebSecurityException.java b/core-web/src/main/java/org/silverpeas/core/web/filter/exception/WebSecurityException.java
@@ -36,7 +36,7 @@ public abstract class WebSecurityException extends SilverpeasException {
 
   /**
    * Default constructor.
-   * @param message
+   * @param message the reason of the exception
    */
   protected WebSecurityException(final String message) {
     super(message + LocalDateTime.now().format(DateTimeFormatter.ISO_DATE_TIME));
