RETRA-41 - Specialni znaky v nazvu projektu
RETRA-48 - Chyba při renderování textu worklogu
RETRA-56 - Retra je nachylna na XSS
siglp committed Jan 7, 2022
1 parent 6cf3eb9 commit a6d94ab
Showing 62 changed files with 477 additions and 388 deletions.
Expand Up @@ -419,9 +419,11 @@ private void prepareProjects(Model model, boolean showAll) {

private List<Project> filterActiveProject(Set<Project> projects) {
List<Project> filtersList = new ArrayList<Project>();
for (Project p : projects) {
if (p.getState() == Project.STATE_ACTIVE) {
filtersList.add(p);
if (projects != null && !projects.isEmpty()) {
for (Project p : projects) {
if (p.getState() == Project.STATE_ACTIVE) {
filtersList.add(p);
}
}
}
return filtersList;
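Review bot: The `!projects.isEmpty()` half of the new guard in `filterActiveProject` is redundant — the for loop over an empty set already does nothing — so `if (projects != null) {` expresses the same intent with one less condition to read. Accepting a null set here also hides a missing-initialisation problem in the caller; if callers can be made to pass an empty set, the guard can go away entirely. If the project is on Java 7 or later, `new ArrayList<>()` would replace the explicit `new ArrayList<Project>()`. The method's closing brace lies past the end of the hunk.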
Expand Up @@ -6,6 +6,7 @@

import javax.servlet.jsp.PageContext;

import org.apache.commons.lang.StringEscapeUtils;
import org.displaytag.decorator.DisplaytagColumnDecorator;
import org.displaytag.exception.DecoratorException;
import org.displaytag.properties.MediaTypeEnum;
Expand All @@ -25,6 +26,10 @@ public Object decorate(Object columnValue, PageContext pageContext, MediaTypeEnu
return dateFormat.format(columnValue);
}

if (columnValue instanceof String) {
return StringEscapeUtils.escapeHtml(columnValue.toString());
}

// not date return it as it comes
return columnValue;
}
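Review bot: The new `instanceof String` branch escapes for every media type, so if displaytag exports (CSV, Excel, XML) are enabled for this table they would receive `&amp;`, `&lt;` and similar entities instead of the original characters; the `MediaTypeEnum` parameter is in the signature shown in the hunk header, though its name is cut off. Guarding the branch with a check that this argument equals `MediaTypeEnum.HTML` keeps exports intact while still escaping what reaches the page. Values that are neither a Date nor a String still fall through to `return columnValue;` and are rendered by displaytag through `toString()` unescaped, so the protection presumably relies on these columns holding plain strings — a comment such as `// only String cells are escaped; other objects are rendered by displaytag as-is` would make that assumption explicit. The two decorator hunks that follow (the second date formatter and the number formatter) and the schedule decorator's `result = StringEscapeUtils.escapeHtml(...)` branch have the same shape and the same two caveats.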
Expand Up @@ -2,6 +2,7 @@

import javax.servlet.jsp.PageContext;

import org.apache.commons.lang.StringEscapeUtils;
import org.displaytag.decorator.DisplaytagColumnDecorator;
import org.displaytag.exception.DecoratorException;
import org.displaytag.properties.MediaTypeEnum;
Expand All @@ -12,7 +13,8 @@ public Object decorate(Object columnValue, PageContext pageContext, MediaTypeEnu
if (columnValue == null) {
return null;
}
return "<a href='mailto:" + columnValue + "'>" + columnValue + "</a>";
String escaped = StringEscapeUtils.escapeHtml(columnValue.toString());
return "<a href='mailto:" + escaped + "'>" + escaped + "</a>";
}

}
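Review bot: `StringEscapeUtils.escapeHtml` in commons-lang 2 escapes `<`, `>`, `&` and `"` but explicitly not the apostrophe, so the single-quoted `href='mailto:...'` attribute built on the line after `String escaped = ...` can still be terminated by a `'` in the column value. Either write the attribute with double quotes, which escapeHtml does cover, or extend the escape: `String escaped = StringEscapeUtils.escapeHtml(columnValue.toString()).replace("'", "&#39;");`. The same single-quoted-attribute pattern appears in SelectTag's `generateOption` further down in this commit. HTML escaping also does not check that the value is an e-mail address; if this column can hold free user input, the `href` should only be built from values validated as addresses at input time, and a short comment stating that expectation would help the next reader.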
Expand Up @@ -6,6 +6,7 @@

import javax.servlet.jsp.PageContext;

import org.apache.commons.lang.StringEscapeUtils;
import org.displaytag.decorator.DisplaytagColumnDecorator;
import org.displaytag.exception.DecoratorException;
import org.displaytag.properties.MediaTypeEnum;
Expand All @@ -25,6 +26,10 @@ public Object decorate(Object columnValue, PageContext pageContext, MediaTypeEnu
return dateFormat.format(columnValue);
}

if (columnValue instanceof String) {
return StringEscapeUtils.escapeHtml(columnValue.toString());
}

// not date return it as it comes
return columnValue;
}
Expand Up @@ -8,6 +8,7 @@
import javax.servlet.http.HttpServletRequest;
import javax.servlet.jsp.PageContext;

import org.apache.commons.lang.StringEscapeUtils;
import org.displaytag.decorator.DisplaytagColumnDecorator;
import org.displaytag.exception.DecoratorException;
import org.displaytag.properties.MediaTypeEnum;
Expand Down Expand Up @@ -37,6 +38,10 @@ public Object decorate(Object columnValue, PageContext pageContext, MediaTypeEnu
return formatter.format(columnValue);
}

if (columnValue instanceof String) {
return StringEscapeUtils.escapeHtml(columnValue.toString());
}

// not number return it as it comes
return columnValue;
}
Expand Up @@ -6,6 +6,7 @@

import javax.servlet.jsp.PageContext;

import org.apache.commons.lang.StringEscapeUtils;
import org.displaytag.decorator.DisplaytagColumnDecorator;
import org.displaytag.exception.DecoratorException;
import org.displaytag.properties.MediaTypeEnum;
Expand Down Expand Up @@ -43,9 +44,9 @@ public Object decorate(Object columnValue, PageContext pageContext, MediaTypeEnu
Type type = schedule.getType();
String typeName = "";
if (type != null) {
typeName = type.getName();
typeName = StringEscapeUtils.escapeHtml(type.getName());
}
String comment = schedule.getComment();
String comment = StringEscapeUtils.escapeHtml(schedule.getComment());
if (comment == null) {
comment = "";
}
Expand Down Expand Up @@ -96,6 +97,10 @@ public Object decorate(Object columnValue, PageContext pageContext, MediaTypeEnu

}

if (columnValue instanceof String) {
result = StringEscapeUtils.escapeHtml(columnValue.toString());
}

// not schedule return it as it comes
return result;
}
17 changes: 14 additions & 3 deletions src/main/java/cz/softinel/retra/jiraintegration/JiraHelper.java
Expand Up @@ -5,6 +5,8 @@
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.apache.commons.lang.StringEscapeUtils;

import cz.softinel.retra.jiraintegration.logic.JiraLogic;

public abstract class JiraHelper {
Expand Down Expand Up @@ -60,10 +62,11 @@ public static String getLinkableText(final String text, String linkText, final J
JiraIssue issue = jiraLogic.getJiraIssue(code);
String title = code;
if (issue != null) {
title = code + " - " + issue.getSummary();
String summary = getSafeJiraText(issue.getSummary());
title = code + " - " + summary;
String replacement = String.format(url, code, title, code);
result = result.replaceAll(code, replacement);
}
String replacement = String.format(url, code, title, code);
result = result.replaceAll(code, replacement);
}
} else {
result = text;
Expand All @@ -75,4 +78,12 @@ public static String getLinkableText(final String text, String linkText, final J
return result;
}

public static String getSafeJiraText(final String text) {
String safeText = "";
if (text != null) {
safeText = StringEscapeUtils.escapeHtml(text);
safeText = safeText.replace("$", "&dollar;").replace("{", "&lcub;").replace("}", "&rcub;");
}
return safeText;
}
}
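Review bot: The replacement handed to `result.replaceAll(code, replacement)` inside the `if (issue != null)` block is still interpreted by the regex engine: `getSafeJiraText` neutralises `$` by rewriting it as `&dollar;`, but a backslash in the issue summary passes through `escapeHtml` untouched and `String.replaceAll` treats it as an escape character (it is dropped, or a trailing one raises IllegalArgumentException). Quoting both sides fixes this and removes the need to special-case `$` at all: `result = result.replaceAll(Pattern.quote(code), Matcher.quoteReplacement(replacement));` — both classes are already imported at the top of this file, and `Pattern.quote` also protects against metacharacters in `code`, whose format is not visible here. Separately, `&dollar;`, `&lcub;` and `&rcub;` are HTML5-only named references; the numeric forms `&#36;`, `&#123;` and `&#125;` are understood by every HTML parser and are the safer choice if the substitution has to stay. The reason for escaping `{` and `}` is not visible in the hunk, so a one-line comment on `getSafeJiraText` naming the consumer it protects would help. `getLinkableText` begins before the hunk.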
Expand Up @@ -84,6 +84,12 @@ public void setSelf(String self) {
this.self = self;
}

public void setSummary(String summary) {
if (fields != null) {
this.fields.setSummary(summary);
}
}

public String getSummary() {
return fields == null ? null : fields.summary;
}
Expand Up @@ -3,6 +3,7 @@
import java.util.ArrayList;
import java.util.List;

import org.apache.commons.lang.StringEscapeUtils;
import org.springframework.transaction.annotation.Propagation;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.util.Assert;
Expand Down Expand Up @@ -427,7 +428,7 @@ private void updateDescriptionGui(Worklog worklog) {
}

private void updateDescriptionGuiImpl(Worklog worklog) {
worklog.setDescriptionGui(JiraHelper.getLinkableText(worklog.getDescription(), jiraLogic));
worklog.setDescriptionGui(JiraHelper.getLinkableText(StringEscapeUtils.escapeHtml(worklog.getDescription()), jiraLogic));
}

private boolean isGivenEmpLoggedEmployee(Long givenPk) {
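Review bot: `updateDescriptionGuiImpl` now stores an already HTML-escaped string in `descriptionGui`, so every view that prints that property must emit it raw (`<c:out escapeXml="false">` or a plain `${...}`); a view that escapes on output as the JSP hunks in this commit do would show `&amp;` for an `&` in a worklog. The views are not part of this hunk, so that is worth checking. If `descriptionGui` is persisted rather than recomputed on read, worklogs saved before this commit keep their unescaped text until `updateDescriptionGui` runs for them again, and a one-off re-save would close that gap — I cannot tell from here which it is. A comment on the method, e.g. `// descriptionGui is HTML: escaped exactly once here, to be rendered raw by the view`, would record the contract.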
Expand Up @@ -200,6 +200,7 @@ protected void prepareJiraIssues(Model model) {
if (issues != null && !issues.isEmpty()) {
for (JiraIssue ji : issues) {
ji.setGuiLink(JiraHelper.getLinkableText(ji.getKey(), "(Show...)", jiraLogic));
ji.setSummary(JiraHelper.getSafeJiraText(ji.getSummary()));
}
}
model.put("issues", issues);
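Review bot: `ji.setSummary(JiraHelper.getSafeJiraText(ji.getSummary()))` overwrites the issue's summary with its HTML-escaped form, so the `JiraIssue` object no longer carries the real text; any later consumer of `issues` that does not render HTML, or that escapes again on output, will see `&amp;` and `&lcub;` in the summary. Escaping in the view — the `fn:escapeXml` idiom the JSP hunks of this commit adopt — keeps the model intact and avoids the double-escaping risk; if the in-model approach stays, a comment such as `// summary is rewritten as escaped HTML for the view; do not reuse for non-HTML output` should mark it. Note that `JiraIssue.setSummary` silently does nothing when `fields` is null, so the escaped value is dropped in that case (harmless here, since `getSummary` returns null then as well). `prepareJiraIssues` starts before the hunk.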
2 changes: 1 addition & 1 deletion src/main/java/cz/softinel/uaf/lovs/LovsFactory.java
Expand Up @@ -83,7 +83,7 @@ public Lov getLov(String code, ApplicationContext applicationContext) {
}

Lov lov = lovsInMap.get(code);
if (lov == null || lov.getFields() != null) {
if (lov == null || lov.getFields() == null) {
throw new RuntimeException("Missing LOV for code: " + code);
}
// TODO: Check ... it is good solution?
17 changes: 15 additions & 2 deletions src/main/java/cz/softinel/uaf/vc/tag/SelectTag.java
Expand Up @@ -9,6 +9,8 @@
import java.util.Map;

import org.apache.commons.beanutils.BeanUtils;
import org.apache.commons.lang.StringEscapeUtils;
import org.apache.poi.util.StringUtil;

import cz.softinel.uaf.util.CommonHelper;

Expand Down Expand Up @@ -85,7 +87,15 @@ public int compare(Object o1, Object o2) {
try {
Comparable<String> v1 = BeanUtils.getProperty(o1, orderBy);
String v2 = BeanUtils.getProperty(o2, orderBy);
return v1.compareTo(v2);
if (v1 != null && v2 != null) {
return v1.compareTo(v2);
} else {
if (v2 == null) {
return 0;
} else {
return -1;
}
}
} catch (IllegalAccessException e) {
throw new RuntimeException("Exception while getting property: " + e.getMessage(), e);
} catch (InvocationTargetException e) {
Expand Down Expand Up @@ -194,8 +204,11 @@ private void generateOption(String value, String label, int level) {
prefix = "&nbsp;&nbsp;&nbsp;&nbsp;" + prefix;
}
}
String escapedValue = StringEscapeUtils.escapeHtml(value);
String escapedLabel = StringEscapeUtils.escapeHtml(label);

output.append(
"\n <option value='" + value + "'" + selectedAttribute + ">" + prefix + label + "</option>");
"\n <option value='" + escapedValue + "'" + selectedAttribute + ">" + prefix + escapedLabel + "</option>");
}

// Setters ...
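Review bot: The new null handling in the comparator at `if (v1 != null && v2 != null)` is asymmetric: when `v1` is null and `v2` is not, the result is -1, but when `v2` is null the result is 0 whatever `v1` holds, so `compare(a, b)` and `compare(b, a)` disagree, which violates the Comparator contract and can make `Collections.sort` fail with "Comparison method violates its general contract". Treating null as smaller than any value from both sides restores symmetry; the rewritten branch is below. In `generateOption`, `escapeHtml` (commons-lang 2) leaves the apostrophe alone, so the single-quoted `value='...'` attribute on the last changed line can still be broken by a `'` in `value` — use double quotes for the attribute or add `.replace("'", "&#39;")` to `escapedValue`. The added `import org.apache.poi.util.StringUtil;` is not used in the visible hunks and ties a JSP tag class to the POI library; drop it if it is unused elsewhere in the file.
```java
Comparable<String> v1 = BeanUtils.getProperty(o1, orderBy);
String v2 = BeanUtils.getProperty(o2, orderBy);
if (v1 == null && v2 == null) {
    return 0;
}
if (v1 == null) {
    return -1; // nulls sort first, seen from either side
}
if (v2 == null) {
    return 1;
}
return v1.compareTo(v2);
// … unchanged: IllegalAccessException / InvocationTargetException handling …
```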
1 change: 1 addition & 0 deletions src/main/webapp/WEB-INF/jsp/Includes.jsp
Expand Up @@ -7,6 +7,7 @@
--%><%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %><%--
--%><%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %><%--
--%><%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %><%--
--%><%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %><%--
--%><%@ taglib prefix="display" uri="http://displaytag.sf.net" %><%--
--%><%--
--%><%@ taglib prefix="vc" uri="/WEB-INF/tld/visual-component.tld" %><%--
8 changes: 4 additions & 4 deletions src/main/webapp/WEB-INF/jsp/retra/ComponentCreate.jsp
Expand Up @@ -7,19 +7,19 @@
<form action="${requestURI}" method="post" >

<spring:bind path="componentForm.pk">
<input type="hidden" name="${status.expression}" value="${status.value}" />
<input type="hidden" name="${status.expression}" value="${fn:escapeXml(status.value)}" />
</spring:bind>

<spring:bind path="componentForm.projectPk">
<input type="hidden" name="${status.expression}" value="${status.value}" />
<input type="hidden" name="${status.expression}" value="${fn:escapeXml(status.value)}" />
</spring:bind>

<table class="formTable">
<tr>
<spring:bind path="componentForm.code">
<th><fmt:message key="entity.component.code" /></th>
<td>
<input type="text" name="${status.expression}" value="${status.value}" maxlength="30"/>
<input type="text" name="${status.expression}" value="${fn:escapeXml(status.value)}" maxlength="30"/>
<c:forEach items="${status.errorMessages}">
<span class="error"><fmt:message key="error.sign" /></span>
</c:forEach>
Expand All @@ -30,7 +30,7 @@
<spring:bind path="componentForm.name">
<th><fmt:message key="entity.component.name" /></th>
<td>
<input type="text" name="${status.expression}" value="${status.value}" maxlength="250"/>
<input type="text" name="${status.expression}" value="${fn:escapeXml(status.value)}" maxlength="250"/>
<c:forEach items="${status.errorMessages}">
<span class="error"><fmt:message key="error.sign" /></span>
</c:forEach>
4 changes: 2 additions & 2 deletions src/main/webapp/WEB-INF/jsp/retra/ComponentEdit.jsp
Expand Up @@ -19,7 +19,7 @@
<spring:bind path="componentForm.code">
<th><fmt:message key="entity.component.code" /></th>
<td>
<input type="text" name="${status.expression}" value="${status.value}" maxlength="30"/>
<input type="text" name="${status.expression}" value="${fn:escapeXml(status.value)}" maxlength="30"/>
<c:forEach items="${status.errorMessages}">
<span class="error"><fmt:message key="error.sign" /></span>
</c:forEach>
Expand All @@ -30,7 +30,7 @@
<spring:bind path="componentForm.name">
<th><fmt:message key="entity.component.name" /></th>
<td>
<input type="text" name="${status.expression}" value="${status.value}" maxlength="250"/>
<input type="text" name="${status.expression}" value="${fn:escapeXml(status.value)}" maxlength="250"/>
<c:forEach items="${status.errorMessages}">
<span class="error"><fmt:message key="error.sign" /></span>
</c:forEach>
14 changes: 7 additions & 7 deletions src/main/webapp/WEB-INF/jsp/retra/EmployeeChangeContactInfo.jsp
Expand Up @@ -10,7 +10,7 @@
<spring:bind path="employeeForm.user.contactInfo.firstName">
<th><fmt:message key="entity.contactInfo.firstName" /></th>
<td>
<input type="text" name="${status.expression}" value="${status.value}" />
<input type="text" name="${status.expression}" value="${fn:escapeXml(status.value)}" />
<c:forEach items="${status.errorMessages}">
<span class="error"><fmt:message key="error.sign" /></span>
</c:forEach>
Expand All @@ -21,7 +21,7 @@
<spring:bind path="employeeForm.user.contactInfo.lastName">
<th><fmt:message key="entity.contactInfo.lastName" /></th>
<td>
<input type="text" name="${status.expression}" value="${status.value}" />
<input type="text" name="${status.expression}" value="${fn:escapeXml(status.value)}" />
<c:forEach items="${status.errorMessages}">
<span class="error"><fmt:message key="error.sign" /></span>
</c:forEach>
Expand All @@ -32,7 +32,7 @@
<spring:bind path="employeeForm.user.contactInfo.email">
<th><fmt:message key="entity.contactInfo.email" /></th>
<td>
<input type="text" name="${status.expression}" value="${status.value}" />
<input type="text" name="${status.expression}" value="${fn:escapeXml(status.value)}" />
<c:forEach items="${status.errorMessages}">
<span class="error"><fmt:message key="error.sign" /></span>
</c:forEach>
Expand All @@ -43,7 +43,7 @@
<spring:bind path="employeeForm.user.contactInfo.web">
<th><fmt:message key="entity.contactInfo.web" /></th>
<td>
<input type="text" name="${status.expression}" value="${status.value}" />
<input type="text" name="${status.expression}" value="${fn:escapeXml(status.value)}" />
<c:forEach items="${status.errorMessages}">
<span class="error"><fmt:message key="error.sign" /></span>
</c:forEach>
Expand All @@ -54,7 +54,7 @@
<spring:bind path="employeeForm.user.contactInfo.phone1">
<th><fmt:message key="entity.contactInfo.phone1" /></th>
<td>
<input type="text" name="${status.expression}" value="${status.value}" />
<input type="text" name="${status.expression}" value="${fn:escapeXml(status.value)}" />
<c:forEach items="${status.errorMessages}">
<span class="error"><fmt:message key="error.sign" /></span>
</c:forEach>
Expand All @@ -65,7 +65,7 @@
<spring:bind path="employeeForm.user.contactInfo.phone2">
<th><fmt:message key="entity.contactInfo.phone2" /></th>
<td>
<input type="text" name="${status.expression}" value="${status.value}" />
<input type="text" name="${status.expression}" value="${fn:escapeXml(status.value)}" />
<c:forEach items="${status.errorMessages}">
<span class="error"><fmt:message key="error.sign" /></span>
</c:forEach>
Expand All @@ -76,7 +76,7 @@
<spring:bind path="employeeForm.user.contactInfo.fax">
<th><fmt:message key="entity.contactInfo.fax" /></th>
<td>
<input type="text" name="${status.expression}" value="${status.value}" />
<input type="text" name="${status.expression}" value="${fn:escapeXml(status.value)}" />
<c:forEach items="${status.errorMessages}">
<span class="error"><fmt:message key="error.sign" /></span>
</c:forEach>
