Merge pull request #128 from percussion/CMS-7860

CMS-7860 - Disallow any access to the contents of WEB-INF from client…
percussion · May 14, 2021 · b1b2646 · b1b2646
2 parents 45f3d9a + e2b4ab1
commit b1b2646
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 10 deletions.
diff --git a/.idea/vcs.xml b/.idea/vcs.xml
diff --git a/modules/servletutils/src/main/java/com/percussion/utils/servlet/PSInputValidatorFilter.java b/modules/servletutils/src/main/java/com/percussion/utils/servlet/PSInputValidatorFilter.java
@@ -427,7 +427,7 @@ private ParamError validateParameter(String key, String value)
                         }
                         catch (PatternSyntaxException e)
                         {
-                            log.error("Invalid Regular Expression, skipping restriction: " + ptn);
+                            log.error("Invalid Regular Expression, skipping restriction: {}" , ptn);
                             continue;
                         }
                     }

diff --git a/system/src/com/percussion/servlets/PSDispatcherFilter.java b/system/src/com/percussion/servlets/PSDispatcherFilter.java
@@ -30,7 +30,12 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
-import javax.servlet.*;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
@@ -48,6 +53,10 @@ public class PSDispatcherFilter implements Filter {
 
     private static final Pattern pattern = Pattern.compile("^.+\\/\\/[^\\/]+\\/Sites\\/([^\\/]*)", Pattern.MULTILINE);
 
+    private static final String[] bannedPaths = new String[]{
+            "/WEB-INF/"
+    };
+
     private static final String[] resourcePaths = new String[] {
             "/Sites/",
             "/Assets/",
@@ -104,6 +113,11 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
         String strippedPath = path.startsWith(RHYTHMYX) ? StringUtils.substringAfter(path,RHYTHMYX) : path;
         String newPath = path;
 
+        if(Stream.of(bannedPaths).anyMatch(strippedPath::contains)){
+            ((HttpServletResponse) response).setStatus(HttpServletResponse.SC_FORBIDDEN);
+            return;
+        }
+
         if (Stream.of(resourcePaths).anyMatch(strippedPath::startsWith))
         {
             newPath = strippedPath;

diff --git a/system/src/com/percussion/servlets/PSSetCommunityFilter.java b/system/src/com/percussion/servlets/PSSetCommunityFilter.java
@@ -33,8 +33,8 @@
 import com.percussion.utils.request.PSRequestInfo;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.lang.math.NumberUtils;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
@@ -52,7 +52,7 @@
 
 public class PSSetCommunityFilter implements Filter
 {
-   private static final Log log = LogFactory.getLog(PSSetCommunityFilter.class);
+   private static final Logger log = LogManager.getLogger(PSSetCommunityFilter.class);
 
    /**
     * Filter the request, if the session of the request has been authenticated, 
@@ -101,7 +101,7 @@ private void setCommunityIfNeeded(ServletRequest request,
          {
             PSRequestInfo.initRequestInfo(httpReq);
             needsReset = true;
-            log.info("Need to reset Request ID: " + httpReq.getRemoteUser());
+            log.info("Need to reset Request ID: {}", httpReq.getRemoteUser());
          }
 
          PSRequest psReq = initRequest(httpReq, httpResp);
@@ -118,8 +118,7 @@ private void setCommunityIfNeeded(ServletRequest request,
                  PSAuthenticateUserUtils.SYS_DEFAULTCOMMUNITY);
          if (StringUtils.isBlank(communityName))
          {
-            log.debug("Cannot find a default community for user: \""
-                  + reqCtx.getUserName() + "\"");
+            log.debug("Cannot find a default community for user: {}", reqCtx.getUserName());
             return; // do nothing if cannot find default community.
          }
 
@@ -142,8 +141,9 @@ private void setCommunityIfNeeded(ServletRequest request,
       }
       finally
       {
-         if (needsReset)
+         if (needsReset) {
             PSRequestInfo.resetRequestInfo();
+         }
       }
    }