NMS-13125: user ID and group ID must not contain any HTML markup
christianpape committed Mar 16, 2021
1 parent 795106d commit 8a97e68
Showing 7 changed files with 48 additions and 6 deletions.
Expand Up @@ -57,6 +57,8 @@ IMPORTANT: Change the default _admin_ password to a secure password.
. _Optional_: Set a schedule when a _User_ should receive _Notifications_
. Click *Finish* to persist and apply the changes

WARNING: Please note that angle brackets (<>), single (') and double quotation marks ("), and the ampersand symbol (&) are not allowed to be used in the user ID.

NOTE: By default a new _User_ has the _Security Role_ similar to _ROLE_USER_ assigned.
Acknowledgment and working with _Alarms_ and _Notifications_ is possible.
The _Configure OpenNMS_ administration menu is not available.
Expand Up @@ -69,6 +69,11 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) thr
UserManager userFactory = UserFactory.getInstance();

String userID = request.getParameter("userID");

if (userID != null && userID.matches(".*[&<>\"`']+.*")) {
throw new ServletException("User ID must not contain any HTML markup.");
}

String password = request.getParameter("pass1");

boolean hasUser = false;
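Review bot: The new `userID.matches(".*[&<>\"`']+.*")` guard does not reject every value containing a listed character, because `matches()` requires the whole string to match and `.` does not cross line terminators by default, so an ID in which a newline precedes the markup character fails the match and is accepted. Use a search rather than a full match, e.g. `private static final Pattern MARKUP = Pattern.compile("[&<>\"`']");` and `if (userID != null && MARKUP.matcher(userID).find())`, which also stops recompiling the expression on every request. The same `matches()` construction is repeated in the rename-user servlet and in both `renameGroup` and `addGroup` of the group controller, and with five Java copies and four JSP copies of one character class a single shared constant on the Java side would keep them from drifting. A denylist of markup characters is defence in depth only; the pages that render user and group IDs still need to HTML-escape them at output. doPost starts outside the hunk.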
Expand Up @@ -60,6 +60,10 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) thr
String userID = request.getParameter("userID");
String newID = request.getParameter("newID");

if (newID != null && newID.matches(".*[&<>\"`']+.*")) {
throw new ServletException("User ID must not contain any HTML markup.");
}

// now save to the xml file
try {
UserManager userFactory = UserFactory.getInstance();
Expand Up @@ -151,7 +151,11 @@ private ModelAndView renameGroup(HttpServletRequest request, HttpServletResponse

String oldName = request.getParameter("groupName");
String newName = request.getParameter("newName");


if (newName != null && newName.matches(".*[&<>\"`']+.*")) {
throw new ServletException("Group ID must not contain any HTML markup.");
}

if (StringUtils.hasText(oldName) && StringUtils.hasText(newName)) {
m_groupRepository.renameGroup(oldName, newName);
}
Expand Down Expand Up @@ -312,6 +316,14 @@ private ModelAndView addGroup(HttpServletRequest request, HttpServletResponse re
groupComment = "";
}

if (groupName != null && groupName.matches(".*[&<>\"`']+.*")) {
throw new ServletException("Group ID must not contain any HTML markup.");
}

if (groupComment != null && groupComment.matches(".*[&<>\"`']+.*")) {
throw new ServletException("Group comment must not contain any HTML markup.");
}

boolean hasGroup = false;
try {
hasGroup = m_groupRepository.groupExists(groupName);
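Review bot: The three markup checks added to this class (the two here and the one in `renameGroup`) repeat the same regular expression and near-identical messages inline, and would read better as one private helper, e.g. `private static void rejectMarkup(String value, String what) throws ServletException`, called as `rejectMarkup(groupName, "Group ID")` and `rejectMarkup(groupComment, "Group comment")`. The `groupComment != null` part of the second condition looks redundant if the block closing just above (`groupComment = "";`) is the null normalisation it appears to be; please confirm against the lines above the hunk. `addGroup` begins and ends outside the hunk.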
Expand Up @@ -77,8 +77,11 @@
{
var newName = prompt("Enter new name for group.", groupName);
if (newName != null && newName != "")
{
if (newName != null && newName != "") {
if (/.*[&<>"`']+.*/.test(newName)) {
alert("The group ID must not contain any HTML markup.");
return;
}
document.allGroups.newName.value = newName;
document.allGroups.groupName.value=groupName;
document.allGroups.operation.value="rename";
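Review bot: The leading and trailing `.*` in `/.*[&<>"`']+.*/.test(newName)` are redundant, since `test()` already searches anywhere in the string; `/[&<>"`']/.test(newName)` is equivalent and clearer, and the same literal recurs in the group and user `validateFormInput` scripts later in this commit. These script checks only improve the prompt experience; the servlet checks added in the same commit remain the enforcement point, so the alert text should be kept in sync with the servlet messages. The enclosing function starts outside the hunk.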
Expand Up @@ -43,15 +43,26 @@
</jsp:include>

<script type="text/javascript">
function validateFormInput()
function validateFormInput()
{
var id = new String(document.newGroupForm.groupName.value);
if (id.toLowerCase()=="admin")
{
alert("The group ID '" + document.newGroupForm.groupName.value + "' cannot be used. It may be confused with the administration group ID 'Admin'.");
return false;
}
if (/.*[&<>"`']+.*/.test(id)) {
alert("The group ID must not contain any HTML markup.");
return false;
}
var comment = new String(document.newGroupForm.groupComment.value);
if (/.*[&<>"`']+.*/.test(comment)) {
alert("The group comment must not contain any HTML markup.");
return false;
}
document.newGroupForm.action="admin/userGroupView/groups/modifyGroup";
document.newGroupForm.operation.value="addGroup";
return true;
Expand Up @@ -51,7 +51,12 @@
alert("The user ID '" + document.newUserForm.userID.value + "' cannot be used. It may be confused with the administration user ID 'admin'.");
return false;
}
if (/.*[&<>"`']+.*/.test(id)) {
alert("The user ID must not contain any HTML markup.");
return false;
}
if (document.newUserForm.pass1.value == document.newUserForm.pass2.value)
{
document.newUserForm.action="admin/userGroupView/users/addNewUser";