Security fix: prevent XSS
jonherrmann committed Jul 2, 2017
1 parent bb8e707 commit 9fe7592
Showing 2 changed files with 17 additions and 3 deletions.
Expand Up @@ -15,19 +15,21 @@
*/
package de.interactive_instruments.etf.webapp.conversion;

import java.io.IOException;
import java.util.List;

import com.fasterxml.jackson.annotation.*;
import com.fasterxml.jackson.core.SerializableString;
import com.fasterxml.jackson.core.*;
import com.fasterxml.jackson.core.Version;
import com.fasterxml.jackson.core.io.CharacterEscapes;
import com.fasterxml.jackson.core.io.SerializedString;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.*;
import com.fasterxml.jackson.databind.module.SimpleModule;
import com.fasterxml.jackson.databind.ser.FilterProvider;
import com.fasterxml.jackson.databind.ser.impl.SimpleBeanPropertyFilter;
import com.fasterxml.jackson.databind.ser.impl.SimpleFilterProvider;

import de.interactive_instruments.*;
import org.apache.commons.lang3.StringEscapeUtils;
import org.springframework.beans.factory.FactoryBean;

Expand All @@ -37,6 +39,7 @@
import de.interactive_instruments.etf.dal.dto.test.ExecutableTestSuiteDto;
import de.interactive_instruments.etf.dal.dto.translation.TranslationTemplateDto;
import de.interactive_instruments.etf.model.EID;
import org.springframework.web.util.HtmlUtils;

/**
* @author Jon Herrmann ( herrmann aT interactive-instruments doT de )
Expand Down Expand Up @@ -109,6 +112,14 @@ public SerializableString getEscapeSequence(int ch) {
}
}

public static class JsonHtmlXssDeserializer extends JsonDeserializer<String> {
@Override
public String deserialize(final JsonParser jp, final DeserializationContext ctxt) throws IOException, JsonProcessingException {
final JsonNode node = jp.getCodec().readTree(jp);
return HtmlUtils.htmlEscape(node.asText());
}
}

public ObjectMapperFactory() {

mapper.addMixIn(ModelItemDto.class, BaseMixin.class);
Expand All @@ -135,6 +146,8 @@ public ObjectMapperFactory() {

etfModule.addSerializer(de.interactive_instruments.Version.class, new VersionConverter().jsonSerializer());
etfModule.addDeserializer(de.interactive_instruments.Version.class, new VersionConverter().jsonDeserializer());
// Prevent XSS
etfModule.addDeserializer(String.class, new JsonHtmlXssDeserializer());

mapper.registerModule(etfModule);

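Review bot: `JsonHtmlXssDeserializer.deserialize` escapes on the way in, so every String bound through this mapper is stored HTML-encoded and no longer round-trips — the second file already has to `htmlUnescape` resource URIs, and any view that encodes on output will turn a stored `&amp;` into `&amp;amp;`. Output encoding at the render point (this class already registers `CharacterEscapes` for serialization via `getEscapeSequence`) is the control that leaves stored data untouched; if bind-time escaping is kept, document it on the class, e.g. `/** Deserializes JSON strings with HTML special characters escaped; consumers must not escape these values a second time. */`. `node.asText()` also returns an empty string for object or array tokens, so a type mismatch is silently bound as "" instead of being reported through `ctxt`, and `jp.getValueAsString()` would avoid building a tree for every string. `HtmlUtils.htmlEscape(String)` uses Spring's default ISO-8859-1 encoding, so characters outside Latin-1 are presumably stored as numeric references — confirm that is acceptable for names and descriptions. `JsonProcessingException` in the throws clause is redundant with `IOException`.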
Expand Up @@ -41,6 +41,7 @@

import io.swagger.annotations.ApiModel;
import io.swagger.annotations.ApiModelProperty;
import org.springframework.web.util.HtmlUtils;

/**
* @author Jon Herrmann ( herrmann aT interactive-instruments doT de )
Expand Down Expand Up @@ -100,7 +101,7 @@ public TestObjectDto toTestObject(final PreparedDtoResolver<TestObjectDto> testO
if (resources != null && !resources.isEmpty()) {
testObject = new TestObjectDto();
for (final Map.Entry<String, String> nameUriEntry : resources.entrySet()) {
testObject.addResource(new ResourceDto(nameUriEntry.getKey(), nameUriEntry.getValue()));
testObject.addResource(new ResourceDto(nameUriEntry.getKey(), HtmlUtils.htmlUnescape(nameUriEntry.getValue())));
}
testObject.properties().setProperty("temporary", "true");
testObject.setVersionFromStr("1.0.0");
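Review bot: `HtmlUtils.htmlUnescape` on the resource value reverses the bind-time escaping right before the URI is used as a resource location, so the escaping in `JsonHtmlXssDeserializer` does not protect this path and any later rendering of the URI must still encode at the output point. The unescape is also unconditional: a URI that legitimately contains an entity-like sequence such as `&amp;` in a query string is altered even if it never passed through the escaping deserializer, and whether `resources` always comes from that mapper is not visible in this hunk. Only the value is unescaped; if the map was bound by the same `ObjectMapper`, String map keys go through Jackson's key deserializer rather than the registered value deserializer, so key and value would be in different encoding states — worth confirming. A comment should say why the unescape is there, e.g. `// resource URIs were HTML-escaped by JsonHtmlXssDeserializer at bind time; restore the raw URI`. `toTestObject` begins before and continues past this hunk.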
