Fix #55,#56 xxs inject

.gitignore

@@ -37,4 +37,5 @@ web/sim.pid
 sim.pid
 .DS_Store
 .vscode
-tomcat.*
+tomcat.*
+/web/src/main/webapp/include/templates/default-2019/

bin/version.sh

@@ -0,0 +1,6 @@
+baseVersion=2.1
+releaseVersion=${baseVersion}.${1}
+nextVersion=${baseVersion}.$((${1}+1))
+./mvnw versions:set -DnewVersion=${releaseVersion}
+git add -A
+git commit -m '[shell-release]release version '${releaseVersion}

common/src/main/java/com/zrlog/web/util/WebTools.java

@@ -1,6 +1,7 @@
 package com.zrlog.web.util;
 
 import com.zrlog.util.ZrLogUtil;
+import org.apache.http.conn.util.InetAddressUtils;
 
 import javax.servlet.http.HttpServletRequest;
 
@@ -16,11 +17,14 @@ public class WebTools {
      * @return
      */
     public static String getRealIp(HttpServletRequest request) {
+        String ip = null;
         //bae env
         if (ZrLogUtil.isBae() && request.getHeader("clientip") != null) {
-            return request.getHeader("clientip");
+            ip = request.getHeader("clientip");
+        }
+        if (ip == null || ip.length() == 0) {
+            ip = request.getHeader("X-forwarded-for");
         }
-        String ip = request.getHeader("X-forwarded-for");
         if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
             ip = request.getHeader("X-Real-IP");
         }
@@ -33,7 +37,10 @@ public static String getRealIp(HttpServletRequest request) {
         if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
             ip = request.getRemoteAddr();
         }
-        return ip;
+        if (InetAddressUtils.isIPv4Address(ip) || InetAddressUtils.isIPv6Address(ip)) {
+            return ip;
+        }
+        throw new IllegalArgumentException(ip + " not ipAddress");
     }
 
     public static String getHomeUrlWithHost(HttpServletRequest request) {

pom.xml

@@ -22,6 +22,7 @@
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <servlet.version>3.1.0</servlet.version>
         <maven.test.skip>true</maven.test.skip>
+        <finalName>zrlog</finalName>
     </properties>
 
     <developers>

service/src/main/java/com/zrlog/service/CommentService.java

@@ -1,5 +1,6 @@
 package com.zrlog.service;
 
+import com.hibegin.common.util.StringUtils;
 import com.zrlog.common.Constants;
 import com.zrlog.common.request.CreateCommentRequest;
 import com.zrlog.common.request.PageableRequest;
@@ -27,16 +28,29 @@ private boolean isAllowComment(int articleId) {
         return (log != null && log.getBoolean("canComment")) && isAllowComment();
     }
 
+    private static boolean isValidEmailAddress(String email) {
+        String ePattern = "^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@((\\[[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\])|(([a-zA-Z\\-0-9]+\\.)+[a-zA-Z]{2,}))$";
+        java.util.regex.Pattern p = java.util.regex.Pattern.compile(ePattern);
+        java.util.regex.Matcher m = p.matcher(email);
+        return m.matches();
+    }
+
     public CreateCommentResponse save(CreateCommentRequest createCommentRequest) {
         CreateCommentResponse createCommentResponse = new CreateCommentResponse();
         if (createCommentRequest.getLogId() != null && createCommentRequest.getComment() != null) {
-            if (isAllowComment(Integer.valueOf(createCommentRequest.getLogId()))) {
+            if (isAllowComment(Integer.parseInt(createCommentRequest.getLogId()))) {
                 String comment = Jsoup.clean(createCommentRequest.getComment(), Whitelist.basic());
+                String email = createCommentRequest.getMail();
+                if (StringUtils.isNotEmpty(email) || !isValidEmailAddress(email)) {
+                    throw new IllegalArgumentException(email + "not email address");
+                }
+                String nickname = Jsoup.clean(createCommentRequest.getUserName(), Whitelist.basic());
+                String userHome = Jsoup.clean(createCommentRequest.getUserHome(), Whitelist.basic());
                 if (comment.length() > 0 && !ParseUtil.isGarbageComment(comment)) {
-                    new Comment().set("userHome", createCommentRequest.getUserHome())
-                            .set("userMail", createCommentRequest.getComment())
+                    new Comment().set("userHome", userHome)
+                            .set("userMail", email)
                             .set("userIp", createCommentRequest.getIp())
-                            .set("userName", createCommentRequest.getUserName())
+                            .set("userName", nickname)
                             .set("logId", createCommentRequest.getLogId())
                             .set("userComment", comment)
                             .set("user_agent", createCommentRequest.getUserAgent())

web/pom.xml

@@ -15,7 +15,7 @@
     <properties>
         <tomcat7Version>9.0.27</tomcat7Version>
         <tomcat-scope>compile</tomcat-scope>
-        <contextPath>/</contextPath>
+        <contextPath>/${finalName}</contextPath>
     </properties>
 
     <dependencies>
@@ -69,7 +69,7 @@
     </dependencies>
 
     <build>
-        <finalName>zrlog-${project.version}</finalName>
+        <finalName>${finalName}-${project.version}</finalName>
         <plugins>
             <plugin>
                 <groupId>org.apache.tomcat.maven</groupId>

web/src/main/java/com/zrlog/web/Application.java

@@ -24,7 +24,7 @@ public static void main(String[] args) throws LifecycleException {
             webPort = "8080";
         }
 
-        tomcat.setPort(Integer.valueOf(webPort));
+        tomcat.setPort(Integer.parseInt(webPort));
         tomcat.getConnector();
 
         // Declare an alternative location for your "WEB-INF/classes" dir

web/src/main/java/com/zrlog/web/config/ZrLogConfig.java

@@ -4,6 +4,7 @@
 import com.hibegin.common.util.IOUtil;
 import com.hibegin.common.util.StringUtils;
 import com.jfinal.config.*;
+import com.jfinal.core.Const;
 import com.jfinal.core.JFinal;
 import com.jfinal.kit.PathKit;
 import com.jfinal.plugin.IPlugin;
@@ -28,6 +29,7 @@
 import com.zrlog.web.interceptor.MyI18nInterceptor;
 import com.zrlog.web.interceptor.RouterInterceptor;
 import com.zrlog.web.plugin.*;
+import com.zrlog.web.render.BlogFrontendFreeMarkerRender;
 import com.zrlog.web.version.UpgradeVersionHandler;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -239,6 +241,12 @@ private void tryUpgradeDbPropertiesFile(String dbFile, Properties properties) th
     @Override
     public void afterJFinalStart() {
         FreeMarkerRender.getConfiguration().setClassForTemplateLoading(ZrLogConfig.class, com.zrlog.common.Constants.FTL_VIEW_PATH);
+        try {
+            BlogFrontendFreeMarkerRender.getConfiguration().setDirectoryForTemplateLoading(new File(PathKit.getWebRootPath()));
+            BlogFrontendFreeMarkerRender.init(JFinal.me().getServletContext(), Locale.getDefault(), Const.DEFAULT_FREEMARKER_TEMPLATE_UPDATE_DELAY);
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
         super.afterJFinalStart();
         if (isInstalled()) {
             initDatabaseVersion();

web/src/main/java/com/zrlog/web/controller/blog/ArticleController.java

@@ -7,15 +7,17 @@
 import com.zrlog.model.Log;
 import com.zrlog.model.Type;
 import com.zrlog.service.ArticleService;
-import com.zrlog.web.cache.CacheService;
 import com.zrlog.service.CommentService;
 import com.zrlog.util.I18nUtil;
 import com.zrlog.util.PagerUtil;
 import com.zrlog.util.ParseUtil;
 import com.zrlog.util.ZrLogUtil;
+import com.zrlog.web.cache.CacheService;
 import com.zrlog.web.controller.BaseController;
 import com.zrlog.web.handler.GlobalResourceHandler;
 import com.zrlog.web.util.WebTools;
+import org.jsoup.Jsoup;
+import org.jsoup.safety.Whitelist;
 
 import java.util.Map;
 
@@ -108,7 +110,7 @@ public void addComment() {
     CreateCommentResponse saveComment() {
         CreateCommentRequest createCommentRequest = ZrLogUtil.convertRequestParam(getRequest().getParameterMap(), CreateCommentRequest.class);
         createCommentRequest.setIp(WebTools.getRealIp(getRequest()));
-        createCommentRequest.setUserAgent(getHeader("User-Agent"));
+        createCommentRequest.setUserAgent(Jsoup.clean(getHeader("User-Agent"), Whitelist.basic()));
         return commentService.save(createCommentRequest);
     }
 

web/src/main/java/com/zrlog/web/interceptor/TemplateHelper.java

@@ -249,7 +249,9 @@ public static void fillArticleInfo(Log data, HttpServletRequest request, String
                 && !data.getStr("markdown").toLowerCase().contains("[tocm]")) {
             //最基础的实现方式，若需要更强大的实现方式建议使用JavaScript完成（页面输入toc对象）
             OutlineVO outlineVO = OutlineUtil.extractOutline(data.getStr("content"));
-            data.put("tocHtml", OutlineUtil.buildTocHtml(outlineVO, ""));
+            if (outlineVO.size() > 0) {
+                data.put("tocHtml", OutlineUtil.buildTocHtml(outlineVO, ""));
+            }
             data.put("toc", outlineVO);
         }
         if (!new CommentService().isAllowComment()) {

web/src/main/java/com/zrlog/web/interceptor/VisitorInterceptor.java

@@ -13,6 +13,7 @@
 import com.zrlog.util.ZrLogUtil;
 import com.zrlog.web.config.ZrLogConfig;
 import com.zrlog.web.handler.GlobalResourceHandler;
+import com.zrlog.web.render.BlogFrontendFreeMarkerRender;
 
 import java.io.File;
 import java.util.Enumeration;
@@ -72,7 +73,15 @@ private void visitorPermission(Invocation ai) {
             ai.getController().setAttr("pageLevel", 2);
         }
         fullDevData(ai.getController());
-        ai.getController().render(templatePath + "/" + templateName + ext);
+        String viewPath = templatePath + "/" + templateName + ext;
+        if (ext.equals(".ftl")) {
+            BlogFrontendFreeMarkerRender render = new BlogFrontendFreeMarkerRender(viewPath);
+            render.setContext(ai.getController().getRequest(), ai.getController().getResponse());
+            ai.getController().render(render);
+        } else {
+            ai.getController().render(viewPath);
+        }
+
     }
 
     /**

web/src/main/java/com/zrlog/web/render/BlogFrontendFreeMarkerRender.java

@@ -0,0 +1,103 @@
+package com.zrlog.web.render;
+
+import com.jfinal.render.FreeMarkerRender;
+import com.jfinal.render.Render;
+import com.jfinal.render.RenderException;
+import freemarker.template.*;
+
+import javax.servlet.ServletContext;
+import java.io.PrintWriter;
+import java.util.*;
+
+public class BlogFrontendFreeMarkerRender extends Render {
+    private static final String contentType = "text/html; charset=" + getEncoding();
+    private static final Configuration config = new Configuration();
+
+    public BlogFrontendFreeMarkerRender(String view) {
+        this.view = view;
+    }
+
+    /**
+     * freemarker can not load freemarker.properies automatically
+     */
+    public static Configuration getConfiguration() {
+        return config;
+    }
+
+    public static void setProperties(Properties properties) {
+        try {
+            FreeMarkerRender.getConfiguration().setSettings(properties);
+        } catch (TemplateException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    public static void init(ServletContext servletContext, Locale locale, int template_update_delay) {
+        // Initialize the FreeMarker configuration;
+        // - Create a configuration instance
+        // config = new Configuration();
+        // - Templates are stoted in the WEB-INF/templates directory of the Web app.
+        config.setServletContextForTemplateLoading(servletContext, "/");	// "WEB-INF/templates"
+        // - Set update dealy to 0 for now, to ease debugging and testing.
+        //   Higher value should be used in production environment.
+
+        if (getDevMode()) {
+            config.setTemplateUpdateDelay(0);
+        }
+        else {
+            config.setTemplateUpdateDelay(template_update_delay);
+        }
+
+        // - Set an error handler that prints errors so they are readable with
+        //   a HTML browser.
+        // config.setTemplateExceptionHandler(TemplateExceptionHandler.HTML_DEBUG_HANDLER);
+        config.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER);
+
+        // - Use beans wrapper (recommmended for most applications)
+        config.setObjectWrapper(ObjectWrapper.BEANS_WRAPPER);
+        // - Set the default charset of the template files
+        config.setDefaultEncoding(getEncoding());		// config.setDefaultEncoding("ISO-8859-1");
+        // - Set the charset of the output. This is actually just a hint, that
+        //   templates may require for URL encoding and for generating META element
+        //   that uses http-equiv="Content-type".
+        config.setOutputEncoding(getEncoding());			// config.setOutputEncoding("UTF-8");
+        // - Set the default locale
+        config.setLocale(locale /* Locale.CHINA */ );		// config.setLocale(Locale.US);
+        config.setLocalizedLookup(false);
+
+        // 去掉int型输出时的逗号, 例如: 123,456
+        // config.setNumberFormat("#");		// config.setNumberFormat("0"); 也可以
+        config.setNumberFormat("#0.#####");
+        config.setDateFormat("yyyy-MM-dd");
+        config.setTimeFormat("HH:mm:ss");
+        config.setDateTimeFormat("yyyy-MM-dd HH:mm:ss");
+    }
+
+    /**
+     * 继承类可通过覆盖此方法改变 contentType，从而重用 freemarker 模板功能
+     * 例如利用 freemarker 实现 FreeMarkerXmlRender 生成 Xml 内容
+     */
+    public String getContentType() {
+        return contentType;
+    }
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    public void render() {
+        response.setContentType(getContentType());
+
+        Map data = new HashMap();
+        for (Enumeration<String> attrs = request.getAttributeNames(); attrs.hasMoreElements();) {
+            String attrName = attrs.nextElement();
+            data.put(attrName, request.getAttribute(attrName));
+        }
+
+        PrintWriter writer = null;
+        try {
+            Template template = config.getTemplate(view);
+            writer = response.getWriter();
+            template.process(data, writer);		// Merge the data-model and the template
+        } catch (Exception e) {
+            throw new RenderException(e);
+        }
+    }
+}