From ca2aa9cc30f06afb3ccf9e82b8b2f9e6ed0ff16f Mon Sep 17 00:00:00 2001
From: Paulo Martins
Date: Thu, 13 Jul 2023 09:32:42 -0300
Subject: [PATCH] RHPAM-4723: Creating a branch via BC UI can lead to XSS (#3815)

---
 .../services/backend/validation/ValidationServiceImpl.java | 4 +++-
 .../backend/validation/ValidationServiceImplTest.java | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/kie-wb-common-services/kie-wb-common-services-backend/src/main/java/org/kie/workbench/common/services/backend/validation/ValidationServiceImpl.java b/kie-wb-common-services/kie-wb-common-services-backend/src/main/java/org/kie/workbench/common/services/backend/validation/ValidationServiceImpl.java
index 34a90bbd97c..7d0da87dcd2 100644
--- a/kie-wb-common-services/kie-wb-common-services-backend/src/main/java/org/kie/workbench/common/services/backend/validation/ValidationServiceImpl.java
+++ b/kie-wb-common-services/kie-wb-common-services-backend/src/main/java/org/kie/workbench/common/services/backend/validation/ValidationServiceImpl.java
@@ -39,6 +39,8 @@
 import org.uberfire.backend.vfs.Path;
 import org.uberfire.ext.editor.commons.backend.validation.ValidationUtils;
+import static org.guvnor.structure.backend.InputEscapeUtils.escapeHtmlInput;
+
 /**
 * Implementation of validation Service for file names
 */
@@ -107,7 +109,7 @@ public boolean isFileNameValid(String fileName) {
 @Override
 public boolean isBranchNameValid(final String branchName) {
 final Matcher branchNameMatcher = branchNameValidator.matcher(branchName);
- return branchNameMatcher.matches();
+ return branchNameMatcher.matches() && branchName.equals(escapeHtmlInput(branchName));
 }
 @Override
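Review bot: The added condition `branchName.equals(escapeHtmlInput(branchName))` in isBranchNameValid makes the accepted branch-name alphabet depend on whatever InputEscapeUtils rewrites rather than on branchNameValidator alone, and nothing in the method says so; the test hunk in the same commit shows `test&` flipping from accepted to rejected, so branches whose names already contain such characters presumably fail this check from now on. A comment on the new return line would make the intent and the trade-off explicit: `// Also reject names that HTML escaping would alter, so a branch name cannot carry markup into the UI (RHPAM-4723).` This is input validation at the service boundary only; the code that renders branch names should still output-encode, because this check says nothing about names created before the change or through other paths, and those call sites are not visible here. The first hunk of this file (the static import) needs nothing further, and the enclosing class of isBranchNameValid starts outside the hunk.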
diff --git a/kie-wb-common-services/kie-wb-common-services-backend/src/test/java/org/kie/workbench/common/services/backend/validation/ValidationServiceImplTest.java b/kie-wb-common-services/kie-wb-common-services-backend/src/test/java/org/kie/workbench/common/services/backend/validation/ValidationServiceImplTest.java
index 01311f773c1..6b1fd50370f 100644
--- a/kie-wb-common-services/kie-wb-common-services-backend/src/test/java/org/kie/workbench/common/services/backend/validation/ValidationServiceImplTest.java
+++ b/kie-wb-common-services/kie-wb-common-services-backend/src/test/java/org/kie/workbench/common/services/backend/validation/ValidationServiceImplTest.java
@@ -138,7 +138,7 @@ public void testValidateBranchName() {
 assertTrue(validationService.isBranchNameValid("test!"));
 assertTrue(validationService.isBranchNameValid("test-"));
 assertTrue(validationService.isBranchNameValid("test_"));
- assertTrue(validationService.isBranchNameValid("test&"));
+ assertFalse(validationService.isBranchNameValid("test&"));
 assertTrue(validationService.isBranchNameValid("test%"));
 assertFalse(validationService.isBranchNameValid("@test"));
@@ -223,5 +223,6 @@ public void testValidateBranchName() {
 assertTrue(validationService.isBranchNameValid("te-st"));
 assertTrue(validationService.isBranchNameValid("test-"));
+ assertFalse(validationService.isBranchNameValid(""));
 }
 }
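Review bot: The new rejection assertions in the hunks at 138 and 223 cover only `&` and the empty string, so the test never pins the other characters an HTML escaper typically rewrites (`<`, `>`, `"`, `'`), which are the ones that matter for markup injection; whether escapeHtmlInput alters them is not visible here, but the test should state the expected outcome either way, e.g. `assertFalse(validationService.isBranchNameValid("<test>"));` and `assertFalse(validationService.isBranchNameValid("test\"test"));`. The `""` assertion most likely exercises branchNameValidator rather than the new escape comparison, since escaping an empty string presumably yields an empty string, so on its own it does not demonstrate the fix. testValidateBranchName starts before the hunk at 138, and the hunk at 223 closes the same method.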