sanitize entity responses

apereo · Oct 15, 2021 · 376bf08 · 376bf08
1 parent 932870d
commit 376bf08
Show file tree

Hide file tree

Showing 9 changed files with 38 additions and 18 deletions.
diff --git a/...org/apereo/cas/uma/web/controllers/rpt/UmaRequestingPartyTokenJwksEndpointController.java b/...org/apereo/cas/uma/web/controllers/rpt/UmaRequestingPartyTokenJwksEndpointController.java
@@ -9,6 +9,7 @@
 import lombok.extern.slf4j.Slf4j;
 import lombok.val;
 import org.apache.commons.io.IOUtils;
+import org.apache.commons.text.StringEscapeUtils;
 import org.jose4j.jwk.JsonWebKey;
 import org.jose4j.jwk.JsonWebKeySet;
 import org.springframework.http.HttpStatus;
@@ -57,7 +58,7 @@ public ResponseEntity<String> getKeys(final HttpServletRequest request, final Ht
             return new ResponseEntity<>("UMA RPT JWKS resource is undefined or cannot be located", HttpStatus.NOT_IMPLEMENTED);
         } catch (final Exception e) {
             LoggingUtils.error(LOGGER, e);
-            return new ResponseEntity<>(e.getMessage(), HttpStatus.BAD_REQUEST);
+            return new ResponseEntity<>(StringEscapeUtils.escapeHtml4(e.getMessage()), HttpStatus.BAD_REQUEST);
         }
     }
 }
diff --git a/...pi/src/main/java/org/apereo/cas/oidc/web/controllers/jwks/OidcJwksEndpointController.java b/...pi/src/main/java/org/apereo/cas/oidc/web/controllers/jwks/OidcJwksEndpointController.java
@@ -12,6 +12,7 @@
 import lombok.val;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.text.StringEscapeUtils;
 import org.jose4j.jwk.JsonWebKey;
 import org.jose4j.jwk.JsonWebKeySet;
 import org.pac4j.core.context.JEEContext;
@@ -79,7 +80,7 @@ public ResponseEntity<String> handleRequestInternal(final HttpServletRequest req
             return new ResponseEntity<>(body, HttpStatus.OK);
         } catch (final Exception e) {
             LoggingUtils.error(LOGGER, e);
-            return new ResponseEntity<>(e.getMessage(), HttpStatus.BAD_REQUEST);
+            return new ResponseEntity<>(StringEscapeUtils.escapeHtml4(e.getMessage()), HttpStatus.BAD_REQUEST);
         }
     }
 }
diff --git a/...port-rest-core/src/main/java/org/apereo/cas/support/rest/resources/RestResourceUtils.java b/...port-rest-core/src/main/java/org/apereo/cas/support/rest/resources/RestResourceUtils.java
@@ -11,6 +11,7 @@
 import lombok.extern.slf4j.Slf4j;
 import lombok.val;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.text.StringEscapeUtils;
 import org.springframework.context.ApplicationContext;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
@@ -59,15 +60,16 @@ public static ResponseEntity<String> createResponseEntityForAuthnFailure(final A
             return new ResponseEntity<>(MAPPER.writerWithDefaultPrettyPrinter().writeValueAsString(errorsMap), HttpStatus.UNAUTHORIZED);
         } catch (final JsonProcessingException exception) {
             LoggingUtils.error(LOGGER, e);
-            return new ResponseEntity<>(e.getMessage(), HttpStatus.INTERNAL_SERVER_ERROR);
+            return new ResponseEntity<>(StringEscapeUtils.escapeHtml4(e.getMessage()), HttpStatus.INTERNAL_SERVER_ERROR);
         }
     }
 
     private static String mapExceptionToMessage(final AuthenticationException authnhandlerErrors,
                                                 final HttpServletRequest request,
                                                 final ApplicationContext applicationContext,
                                                 final Throwable ex) {
-        val authnMsg = StringUtils.defaultIfBlank(ex.getMessage(), "Authentication Failure: " + authnhandlerErrors.getMessage());
+        val authnMsg = StringUtils.defaultIfBlank(StringEscapeUtils.escapeHtml4(ex.getMessage()),
+            "Authentication Failure: " + authnhandlerErrors.getMessage());
         val authnBundleMsg = getTranslatedMessageForExceptionClass(ex.getClass().getSimpleName(), request, applicationContext);
         return String.format("%s:%s", authnMsg, authnBundleMsg);
     }

diff --git a/...-rest-core/src/main/java/org/apereo/cas/support/rest/resources/ServiceTicketResource.java b/...-rest-core/src/main/java/org/apereo/cas/support/rest/resources/ServiceTicketResource.java
@@ -16,6 +16,7 @@
 import lombok.extern.slf4j.Slf4j;
 import lombok.val;
 import org.apache.commons.lang3.BooleanUtils;
+import org.apache.commons.text.StringEscapeUtils;
 import org.springframework.context.ApplicationContext;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
@@ -67,16 +68,26 @@ public class ServiceTicketResource {
      * @param tgtId              ticket granting ticket id URI path param
      * @return {@link ResponseEntity} representing RESTful response
      */
-    @PostMapping(value = RestProtocolConstants.ENDPOINT_TICKETS + "/{tgtId:.+}", consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
+    @PostMapping(value = RestProtocolConstants.ENDPOINT_TICKETS + "/{tgtId:.+}",
+        consumes = {
+            MediaType.APPLICATION_FORM_URLENCODED_VALUE,
+            MediaType.APPLICATION_JSON_VALUE,
+            MediaType.TEXT_HTML_VALUE
+        },
+        produces = {
+            MediaType.APPLICATION_FORM_URLENCODED_VALUE,
+            MediaType.APPLICATION_JSON_VALUE,
+            MediaType.TEXT_HTML_VALUE
+        })
     public ResponseEntity<String> createServiceTicket(final HttpServletRequest httpServletRequest,
                                                       @RequestBody(required = false) final MultiValueMap<String, String> requestBody,
                                                       @PathVariable("tgtId") final String tgtId) {
         try {
-            val authn = this.ticketRegistrySupport.getAuthenticationFrom(tgtId);
-            AuthenticationCredentialsThreadLocalBinder.bindCurrent(authn);
+            val authn = this.ticketRegistrySupport.getAuthenticationFrom(StringEscapeUtils.escapeHtml4(tgtId));
             if (authn == null) {
                 throw new InvalidTicketException(tgtId);
             }
+            AuthenticationCredentialsThreadLocalBinder.bindCurrent(authn);
             val service = this.argumentExtractor.extractService(httpServletRequest);
             if (service == null) {
                 throw new IllegalArgumentException("Target service/application is unspecified or unrecognized in the request");
@@ -98,15 +109,15 @@ public ResponseEntity<String> createServiceTicket(final HttpServletRequest httpS
             return this.serviceTicketResourceEntityResponseFactory.build(tgtId, service, authenticationResult);
 
         } catch (final InvalidTicketException e) {
-            return new ResponseEntity<>(tgtId + " could not be found or is considered invalid", HttpStatus.NOT_FOUND);
+            return new ResponseEntity<>(StringEscapeUtils.escapeHtml4(tgtId) + " could not be found or is considered invalid", HttpStatus.NOT_FOUND);
         } catch (final AuthenticationException e) {
             return RestResourceUtils.createResponseEntityForAuthnFailure(e, httpServletRequest, applicationContext);
         } catch (final BadRestRequestException e) {
             LoggingUtils.error(LOGGER, e);
-            return new ResponseEntity<>(e.getMessage(), HttpStatus.BAD_REQUEST);
+            return new ResponseEntity<>(StringEscapeUtils.escapeHtml4(e.getMessage()), HttpStatus.BAD_REQUEST);
         } catch (final Exception e) {
             LoggingUtils.error(LOGGER, e);
-            return new ResponseEntity<>(e.getMessage(), HttpStatus.INTERNAL_SERVER_ERROR);
+            return new ResponseEntity<>(StringEscapeUtils.escapeHtml4(e.getMessage()), HttpStatus.INTERNAL_SERVER_ERROR);
         } finally {
             AuthenticationCredentialsThreadLocalBinder.clear();
         }

diff --git a/...ore/src/main/java/org/apereo/cas/support/rest/resources/TicketGrantingTicketResource.java b/...ore/src/main/java/org/apereo/cas/support/rest/resources/TicketGrantingTicketResource.java
@@ -15,6 +15,7 @@
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import lombok.val;
+import org.apache.commons.text.StringEscapeUtils;
 import org.springframework.context.ApplicationContext;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
@@ -98,10 +99,10 @@ public ResponseEntity<String> createTicketGrantingTicket(@RequestBody(required =
             return RestResourceUtils.createResponseEntityForAuthnFailure(e, request, applicationContext);
         } catch (final BadRestRequestException e) {
             LoggingUtils.error(LOGGER, e);
-            return new ResponseEntity<>(e.getMessage(), HttpStatus.BAD_REQUEST);
+            return new ResponseEntity<>(StringEscapeUtils.escapeHtml4(e.getMessage()), HttpStatus.BAD_REQUEST);
         } catch (final Exception e) {
             LoggingUtils.error(LOGGER, e);
-            return new ResponseEntity<>(e.getMessage(), HttpStatus.INTERNAL_SERVER_ERROR);
+            return new ResponseEntity<>(StringEscapeUtils.escapeHtml4(e.getMessage()), HttpStatus.INTERNAL_SERVER_ERROR);
         }
     }
 

diff --git a/...t-rest-core/src/main/java/org/apereo/cas/support/rest/resources/TicketStatusResource.java b/...t-rest-core/src/main/java/org/apereo/cas/support/rest/resources/TicketStatusResource.java
@@ -7,6 +7,7 @@
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import lombok.val;
+import org.apache.commons.text.StringEscapeUtils;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -49,7 +50,7 @@ public ResponseEntity<String> getTicketStatus(@PathVariable("id") final String i
             return new ResponseEntity<>("Ticket could not be found", HttpStatus.NOT_FOUND);
         } catch (final Exception e) {
             LoggingUtils.error(LOGGER, e);
-            return new ResponseEntity<>(e.getMessage(), HttpStatus.INTERNAL_SERVER_ERROR);
+            return new ResponseEntity<>(StringEscapeUtils.escapeHtml4(e.getMessage()), HttpStatus.INTERNAL_SERVER_ERROR);
         }
     }
 }
diff --git a/...-core/src/main/java/org/apereo/cas/support/rest/resources/UserAuthenticationResource.java b/...-core/src/main/java/org/apereo/cas/support/rest/resources/UserAuthenticationResource.java
@@ -9,6 +9,7 @@
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import lombok.val;
+import org.apache.commons.text.StringEscapeUtils;
 import org.springframework.context.ApplicationContext;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
@@ -72,10 +73,10 @@ public ResponseEntity<String> authenticateRequest(@RequestBody final MultiValueM
             return RestResourceUtils.createResponseEntityForAuthnFailure(e, request, applicationContext);
         } catch (final BadRestRequestException e) {
             LoggingUtils.error(LOGGER, e);
-            return new ResponseEntity<>(e.getMessage(), HttpStatus.BAD_REQUEST);
+            return new ResponseEntity<>(StringEscapeUtils.escapeHtml4(e.getMessage()), HttpStatus.BAD_REQUEST);
         } catch (final Exception e) {
             LoggingUtils.error(LOGGER, e);
-            return new ResponseEntity<>(e.getMessage(), HttpStatus.INTERNAL_SERVER_ERROR);
+            return new ResponseEntity<>(StringEscapeUtils.escapeHtml4(e.getMessage()), HttpStatus.INTERNAL_SERVER_ERROR);
         }
     }
 }
diff --git a/...rt-rest-services/src/main/java/org/apereo/cas/support/rest/RegisteredServiceResource.java b/...rt-rest-services/src/main/java/org/apereo/cas/support/rest/RegisteredServiceResource.java
@@ -18,6 +18,7 @@
 import lombok.extern.slf4j.Slf4j;
 import lombok.val;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.text.StringEscapeUtils;
 import org.pac4j.core.context.JEEContext;
 import org.pac4j.core.context.session.JEESessionStore;
 import org.pac4j.core.credentials.UsernamePasswordCredentials;
@@ -74,10 +75,10 @@ public ResponseEntity<String> createService(@RequestBody final RegisteredService
             }
             return new ResponseEntity<>("Request is not authorized", HttpStatus.FORBIDDEN);
         } catch (final AuthenticationException e) {
-            return new ResponseEntity<>(e.getMessage(), HttpStatus.UNAUTHORIZED);
+            return new ResponseEntity<>(StringEscapeUtils.escapeHtml4(e.getMessage()), HttpStatus.UNAUTHORIZED);
         } catch (final Exception e) {
             LoggingUtils.error(LOGGER, e);
-            return new ResponseEntity<>(e.getMessage(), HttpStatus.BAD_REQUEST);
+            return new ResponseEntity<>(StringEscapeUtils.escapeHtml4(e.getMessage()), HttpStatus.BAD_REQUEST);
         }
     }
 

diff --git a/...org/apereo/cas/support/saml/web/idp/profile/sso/SSOSamlIdPPostProfileHandlerEndpoint.java b/...org/apereo/cas/support/saml/web/idp/profile/sso/SSOSamlIdPPostProfileHandlerEndpoint.java
@@ -25,6 +25,7 @@
 import lombok.extern.slf4j.Slf4j;
 import lombok.val;
 import org.apache.commons.beanutils.BeanUtils;
+import org.apache.commons.text.StringEscapeUtils;
 import org.jasig.cas.client.authentication.AttributePrincipalImpl;
 import org.jasig.cas.client.validation.Assertion;
 import org.jasig.cas.client.validation.AssertionImpl;
@@ -176,7 +177,7 @@ private ResponseEntity<Object> produce(final HttpServletRequest request,
             }
         } catch (final Exception e) {
             LoggingUtils.error(LOGGER, e);
-            return new ResponseEntity<>(e.getMessage(), HttpStatus.BAD_REQUEST);
+            return new ResponseEntity<>(StringEscapeUtils.escapeHtml4(e.getMessage()), HttpStatus.BAD_REQUEST);
         }
         return new ResponseEntity<>(HttpStatus.NO_CONTENT);
     }