Merge pull request #165 from dcleao/PPP-4690
[PPP-4690] XSS on pentaho-cdf-dd/api/renderer/render?root parameter
smmribeiro committed Oct 7, 2021
2 parents a02ae42 + e4b9746 commit 3bff900
Showing 4 changed files with 41 additions and 3 deletions.
5 changes: 5 additions & 0 deletions core/pom.xml
<optional>true</optional>
</dependency>

<dependency>
<groupId>org.owasp.encoder</groupId>
<artifactId>encoder</artifactId>
</dependency>

<!-- region - Needed for testing -->
<dependency>
<groupId>org.springframework</groupId>
@@ -1,5 +1,5 @@
/*!
* Copyright 2002 - 2019 Webdetails, a Hitachi Vantara company. All rights reserved.
* Copyright 2002 - 2021 Webdetails, a Hitachi Vantara company. All rights reserved.
*
* This software was developed by Webdetails and is provided under the terms
* of the Mozilla Public License, Version 2.0, or any later version. You may not use
*/
package pt.webdetails.cpf.packager;

import org.owasp.encoder.Encode;
import pt.webdetails.cpf.context.api.IUrlProvider;
import pt.webdetails.cpf.packager.dependencies.CssMinifiedDependency;
import pt.webdetails.cpf.packager.dependencies.Dependency;
}

public String filter( String input, String baseUrl ) {
baseUrl = Encode.forHtmlAttribute( baseUrl );
return String.format(
"\t\t<link href=\"%s%s\" rel=\"stylesheet\" type=\"text/css\" />\n",
baseUrl, baseUrl.endsWith( "/" ) && input.startsWith( "/" ) ? input.replaceFirst( "/", "" ) : input );
}

public String filter( String input, String baseUrl ) {
baseUrl = Encode.forHtmlAttribute( baseUrl );
return String.format(
"\t\t<script language=\"javascript\" type=\"text/javascript\" src=\"%s%s\"></script>\n",
baseUrl, baseUrl.endsWith( "/" ) && input.startsWith( "/" ) ? input.replaceFirst( "/", "" ) : input );
}

public String filter( String input, String baseUrl ) {
return baseUrl + input + "\n";
return Encode.forHtmlAttribute( baseUrl ) + input + "\n";
}
};
}
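Review bot: The `input` argument is still interpolated into the `src`/`href` attribute unencoded in the script and link filters, since the added lines encode only `baseUrl`; if a dependency path can ever carry attacker-influenced text the same attribute break-out remains, so encode both halves, e.g. pass `Encode.forHtmlAttribute( baseUrl )` and `Encode.forHtmlAttribute( path )` as the two format arguments after the trailing-slash merge. Attribute encoding only stops escaping the attribute: whatever reaches `baseUrl` still decides which URL the page fetches, so if the `root` parameter named in the title arrives here as something like `//attacker.example/` it would still be loaded as a stylesheet or script; an allow-list or same-origin check on `root` at the renderer endpoint (not visible in this diff) is the defence for that, and a comment here such as `// baseUrl is attacker-influenced (render?root); encoded for attribute context only` would make the limit explicit. The filter in the last hunk returns `baseUrl + input` with no surrounding markup, so `forHtmlAttribute` is only right there if that output lands inside an attribute; if it is emitted as plain text or a URL list, an `&` in the base URL becomes `&amp;`, so state the target context in a comment. The enclosing anonymous StringFilter classes start and end outside the hunks.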
@@ -1,5 +1,5 @@
/*!
* Copyright 2002 - 2017 Webdetails, a Hitachi Vantara company. All rights reserved.
* Copyright 2002 - 2021 Webdetails, a Hitachi Vantara company. All rights reserved.
*
* This software was developed by Webdetails and is provided under the terms
* of the Mozilla Public License, Version 2.0, or any later version. You may not use
assertEquals( "", mapFilter.filter( "MAP-FILTER" ) );
}

@Test
public void testGetDefaultFilterEscapesUntrustedBaseUrl() {
StringFilter jsFilter = jsDepPackage.getDefaultFilter();
StringFilter cssFilter = cssDepPackage.getDefaultFilter();
StringFilter mapFilter = mapDepPackage.getDefaultFilter();

String untrustedBaseUrl = "http://foo\"/";

assertEquals( "<script language=\"javascript\" type=\"text/javascript\" src=\"http://foo&#34;/JS-FILTER\"></script>",
jsFilter.filter( "JS-FILTER", untrustedBaseUrl ).trim() );

assertEquals( "<link href=\"http://foo&#34;/CSS-FILTER\" rel=\"stylesheet\" type=\"text/css\" />",
cssFilter.filter( "CSS-FILTER", untrustedBaseUrl ).trim() );

assertEquals( "", mapFilter.filter( "MAP-FILTER", untrustedBaseUrl ) );
}

private static void addFileDependencies( String[] filePaths ) {
String[] fileNames = new String[]{"file1", "file2"};
String[] fileVersions = new String[]{"v1", "v2"};
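Review bot: The new test exercises only a double quote, so it does not pin the other characters `Encode.forHtmlAttribute` must neutralise; add a second input such as `"http://foo'<x>&/"` and assert the `src`/`href` contains `http://foo&#39;&lt;x&gt;&amp;/`, so a later swap to a weaker encoder or a hand-rolled replace of `"` alone fails the test. It would also help to assert that a benign base URL ending in `/` combined with an input starting with `/` still collapses to a single slash, since the `Encode` call now runs before the `endsWith( "/" )` check. Naming the fixture for what it contains, e.g. `baseUrlWithQuote`, would make the intent of the expected `&#34;` clearer than `untrustedBaseUrl`.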
13 changes: 13 additions & 0 deletions pom.xml
<google-collections.version>1.0</google-collections.version>
<jersey.version>1.19.1</jersey.version>
<jcr.version>2.0</jcr.version>
<owasp.encoder.version>1.2</owasp.encoder.version>
</properties>

<dependencyManagement>
<artifactId>json</artifactId>
<version>${pentaho-json.version}</version>
</dependency>
<dependency>
<groupId>org.owasp.encoder</groupId>
<artifactId>encoder</artifactId>
<version>${owasp.encoder.version}</version>
<scope>compile</scope>
<exclusions>
<exclusion>
<artifactId>*</artifactId>
<groupId>*</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
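Review bot: `owasp.encoder.version` is pinned to `1.2`, the first release of that line; by this commit's date the 1.2.x series had later patch releases (1.2.3 as of 2020), so consider pinning the newest 1.2.x rather than the oldest when introducing the dependency. The `*:*` exclusion appears harmless because the encoder artifact has no transitive dependencies of its own, but a one-line comment saying so, e.g. `<!-- encoder has no transitive deps; wildcard exclusion kept for consistency with other entries -->`, would stop the next reader from treating it as load-bearing. `<scope>compile</scope>` is Maven's default and can be dropped.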