Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix the code analysis error. #479

Merged
merged 10 commits into from
Aug 4, 2022
Merged

Fix the code analysis error. #479

merged 10 commits into from
Aug 4, 2022

Conversation

pandaapo
Copy link
Contributor

@pandaapo pandaapo commented Aug 1, 2022

PR Type

Describe what this PR does for and how you did.

Fix the code analysis error: (1) Append the missing space in string literal. (2) Using Filter and @ControllerAdvice to guard against cross-site scripting.

Adding the issue link (#xxx) if possible.

#462

Note

Checklist

  • Add copyright holder at the beginning of .class file if it is new.
  • Add information of this PR to CHANGELOG.md in root of project.
  • All junit tests passing.
  • Coverage from Codecov Report should not decrease.

Checklist (Optional)

  • Will Pull Request to branch of 2020.0 and 2021.0.
  • Add documentation in javadoc in code or comment below the PR if necessary.
  • Add your name as @author to the beginning of .class file.

pandaapo added 3 commits July 31, 2022 13:39
@pandaapo
Fix the code analysis error mentioned in issue Tencent#462:
d2aff73 
(1) Append space  in string literal. (2) Guard against cross-site scripting.
@pandaapo
Add copyright holder at the beginning of new .class file. Add informa…
f7492f0 
…tion of this PR to CHANGELOG.md in root of project.
@pandaapo
Merge branch 'dev' into main
a812ee5
@SkyeBeFreeman
Copy link
Collaborator

@pandaapo there are some cheskstyle error in you PR. Run mvn clean test before you pushing the commit.

SkyeBeFreeman
SkyeBeFreeman requested changes Aug 2, 2022
View reviewed changes
changes/changes-1.6.0.md Outdated Show resolved Hide resolved
@pandaapo
Copy link
Contributor Author

pandaapo commented Aug 2, 2022

@pandaapo there are some cheskstyle error in you PR. Run mvn clean test before you pushing the commit.

Running mvn clean test once takes a long time! Having run many times today but not yet complete.
Is there a way to get or apply all the checkstyle rules in advance? If yes I can find errors when coding.

@SkyeBeFreeman
Copy link
Collaborator

@pandaapo there are some cheskstyle error in you PR. Run mvn clean test before you pushing the commit.

Running mvn clean test once takes a long time! Having run many times today but not yet complete. Is there a way to get or apply all the checkstyle rules in advance? If yes I can find errors when coding.

You can configure plugin in IDEA following the doc from Spring Cloud 代码规范.

@SkyeBeFreeman
Copy link
Collaborator

SkyeBeFreeman commented Aug 2, 2022
edited
Loading

Click "Resolve conversation" after you having fixed that.

SkyeBeFreeman
SkyeBeFreeman reviewed Aug 2, 2022
View reviewed changes
CHANGELOG.md Outdated Show resolved Hide resolved
@lgtm-com
Copy link

lgtm-com bot commented Aug 2, 2022

This pull request fixes 1 alert when merging c74c380 into 4ed19e2 - view on LGTM.com

fixed alerts:

  • 1 for Missing space in string literal

@SkyeBeFreeman
Copy link
Collaborator

SkyeBeFreeman commented Aug 2, 2022
edited
Loading

This pull request fixes 1 alert when merging c74c380 into 4ed19e2 - view on LGTM.com

fixed alerts:

  • 1 for Missing space in string literal

@pandaapo This doesn't look like it fixes the cross site issue?Check here for solution Cross-site scripting
.

@pandaapo
Copy link
Contributor Author

pandaapo commented Aug 2, 2022

This pull request fixes 1 alert when merging c74c380 into 4ed19e2 - view on LGTM.com
fixed alerts:

  • 1 for Missing space in string literal

@pandaapo This doesn't look like it fixes the cross site issue?Check here for solution Cross-site scripting .

I used Filter to handle the request, and ResponseBodyAdvice to handle the Response. Does it not work?

@SkyeBeFreeman
Copy link
Collaborator

This pull request fixes 1 alert when merging c74c380 into 4ed19e2 - view on LGTM.com
fixed alerts:

  • 1 for Missing space in string literal

@pandaapo This doesn't look like it fixes the cross site issue?Check here for solution Cross-site scripting .

I used Filter to handle the request, and ResponseBodyAdvice to handle the Response. Does it not work?

Maybe should change a new method to fix this.

@pandaapo
Copy link
Contributor Author

pandaapo commented Aug 2, 2022
edited
Loading

This pull request fixes 1 alert when merging c74c380 into 4ed19e2 - view on LGTM.com
fixed alerts:

  • 1 for Missing space in string literal

@pandaapo This doesn't look like it fixes the cross site issue?Check here for solution Cross-site scripting .

I used Filter to handle the request, and ResponseBodyAdvice to handle the Response. Does it not work?

Maybe should change a new method to fix this.

  • Can I use the simple and straightforward but not very good method? for example, escape data directly in the body of each method that has alerts.

  • Can I test code that fixes XSS with LGTM.com before pushing my commits?
    I find a single-use way : Because the LGTM.com doesn't support analysis of fork, I must create a new repository on github that is same as my current fork. Then test code with LGTM.com.

@SkyeBeFreeman
Copy link
Collaborator

This pull request fixes 1 alert when merging c74c380 into 4ed19e2 - view on LGTM.com
fixed alerts:

  • 1 for Missing space in string literal

@pandaapo This doesn't look like it fixes the cross site issue?Check here for solution Cross-site scripting .

I used Filter to handle the request, and ResponseBodyAdvice to handle the Response. Does it not work?

Maybe should change a new method to fix this.

  • Can I use the simple and straightforward but not very good method? for example, escape data directly in the body of each method that has alerts.
  • Can I test code that fixes XSS with LGTM.com before pushing my commits?
    I find a single-use way : Because the LGTM.com doesn't support analysis of fork, I must create a new repository on github that is same as my current fork. Then test code with LGTM.com.

Try the second method. If the implementation is complicated or difficult to implement, then use the first method.

@SkyeBeFreeman SkyeBeFreeman changed the title Fix the code analysis error. #462 Fix the code analysis error. Aug 3, 2022
@lgtm-com
Copy link

lgtm-com bot commented Aug 3, 2022

This pull request fixes 1 alert when merging 58ae9a5 into a91a380 - view on LGTM.com

fixed alerts:

  • 1 for Missing space in string literal

@SkyeBeFreeman
Copy link
Collaborator

This pull request fixes 1 alert when merging 58ae9a5 into a91a380 - view on LGTM.com

fixed alerts:

  • 1 for Missing space in string literal

@pandaapo It seems that every commit will trigger LGTM.com analyzing.

pandaapo added 2 commits August 3, 2022 21:34
@pandaapo
Change the resolution of XSS: Remove the 'Filter + HttpServletRequest…
c028a2b 
…Wrapper / ResponseBodyAdvise' method. Use owasp esapi to handle the invocation directly that has alerts.
@pandaapo
fix checkstyle error
a7d0f1d
@lgtm-com
Copy link

lgtm-com bot commented Aug 3, 2022

This pull request fixes 6 alerts when merging a7d0f1d into a91a380 - view on LGTM.com

fixed alerts:

  • 5 for Cross-site scripting
  • 1 for Missing space in string literal

@lgtm-com
Copy link

lgtm-com bot commented Aug 3, 2022

This pull request fixes 6 alerts when merging d9d0352 into a91a380 - view on LGTM.com

fixed alerts:

  • 5 for Cross-site scripting
  • 1 for Missing space in string literal

@SkyeBeFreeman SkyeBeFreeman merged commit 496cbfb into Tencent:main Aug 4, 2022
@SkyeBeFreeman SkyeBeFreeman added this to the 1.8.0 milestone Aug 4, 2022
@SkyeBeFreeman
Copy link
Collaborator

@pandaapo You can cherry-pick this PR to branch 2020 and 2021. It will be in version 1.8.0. I will merge it after version 1.7.0 of 2020 and 2021 is released.

@SkyeBeFreeman
Copy link
Collaborator

SkyeBeFreeman commented Aug 4, 2022
edited
Loading

@pandaapo You should fix these error before you cherry-pick to other branches.
Cross-site Scripting in org.owasp.esapi:esapi
Path traversal in the OWASP Enterprise Security API

@SkyeBeFreeman
Copy link
Collaborator

@pandaapo You should fix these error before you cherry-pick to other branches. Cross-site Scripting in org.owasp.esapi:esapi Path traversal in the OWASP Enterprise Security API

@pandaapo I have used dependabot to fix this in main branch. If you cherry-pick to 2020 and 2021 branch, you should check the dependency version before you pushing your commit.

pandaapo added a commit to pandaapo/spring-cloud-tencent that referenced this pull request Aug 8, 2022
@pandaapo
Fix the code analysis error. (Tencent#479)
8181a33
pandaapo added a commit to pandaapo/spring-cloud-tencent that referenced this pull request Aug 8, 2022
@pandaapo
Fix the code analysis error. (Tencent#479)
7f127f9
@pandaapo
Copy link
Contributor Author

pandaapo commented Aug 8, 2022

@pandaapo You should fix these error before you cherry-pick to other branches. Cross-site Scripting in org.owasp.esapi:esapi Path traversal in the OWASP Enterprise Security API

@pandaapo I have used dependabot to fix this in main branch. If you cherry-pick to 2020 and 2021 branch, you should check the dependency version before you pushing your commit.

I have done as you said.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SkyeBeFreeman SkyeBeFreeman SkyeBeFreeman approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.7.1
Development

Successfully merging this pull request may close these issues.
2 participants
@pandaapo @SkyeBeFreeman