Fix Reflected XSS through maliciously formed URLs

[vierbergenlars]

Reflected XSS is possible in extensions that use the com.github.dynamicextensionsalfresco.webscripts.support.AbstractBundleResourceHandler.handleResourceNotFound() method to trigger an error message when a resource is not found.

Description

Example:

@Component
@WebScript(families="xss")
@Transaction(TransactionType.NONE)
public class XSSResourceWebScript extends AbstractBundleResourceHandler {

    private final String packagePath;

    public FinderResourceWebScript() {
        packagePath = this.getClass().getPackage().getName().replace('.', '/');
    
    @Uri(value = "/resources/{path}", formatStyle = FormatStyle.ARGUMENT)
    public void handleResources(@UriVariable final String path, final WebScriptResponse response, WebScriptRequest request) throws Exception {

        final URL resource = getBundleContext().getBundle().getEntry(path);
        if (resource != null) {
            sendResource(request, response, resource);
        } else {
            handleResourceNotFound(path, response);
        }
}

Visiting /alfresco/s/resources/<script>alert('XSS');</script>index.html shows a javascript alert window.

Related Issue

Private

Motivation and Context

How Has This Been Tested?

Tested that it remedies a specific XSS payload in IE11, Edge 15, Chrome latest, Firefox latest on Windows 10.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• My code follows the code style of this project.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have added tests to cover my changes.
• All new and existing tests passed.