Posted to commits@myfaces.apache.org by lo...@apache.org on 2022/11/18 09:24:53 UTC

[myfaces-tobago] branch main updated: refactor(security): fix GitHub code scanning issue (#3430)

This is an automated email from the ASF dual-hosted git repository.

lofwyr pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/myfaces-tobago.git


The following commit(s) were added to refs/heads/main by this push:
     new 983b564b7a refactor(security): fix GitHub code scanning issue (#3430)
983b564b7a is described below

commit 983b564b7a44fb5e423be743d4fb9de0b3e9a465
Author: Udo Schnurpfeil <gi...@schnurpfeil.de>
AuthorDate: Fri Nov 18 10:24:47 2022 +0100

    refactor(security): fix GitHub code scanning issue (#3430)
    
    * fix: Polynomial regular expression used on uncontrolled data
---
 .../tobago/internal/component/AbstractUIPage.java  | 47 ++++++++++++++++---
 .../internal/component/AbstractUIPageUnitTest.java | 53 ++++++++++++++++++++++
 .../internal/config/AbstractTobagoTestBase.java    |  9 ++--
 3 files changed, 99 insertions(+), 10 deletions(-)

diff --git a/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/component/AbstractUIPage.java b/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/component/AbstractUIPage.java
index c58842af5e..7463f5cf8f 100644
--- a/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/component/AbstractUIPage.java
+++ b/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/component/AbstractUIPage.java
@@ -96,21 +96,20 @@ public abstract class AbstractUIPage extends AbstractUIFormBase implements Clien
       LOG.warn("No sourceId found!");
     }
 
-    // TODO: Remove this if block if proven this never happens anymore
-    // TODO: This workaround is stil needed for Mojarra
-    // TODO: Otherwise actions in tree/sheet will not be detected
-    if (command == null
-      && sourceId != null && sourceId.matches(".*:\\d+:.*")) {
+    if (command == null && sourceId != null) {
       // If currentActionId component was inside a sheet the id contains the
       // rowIndex and is therefore not found here.
       // We do not need the row here because we want just to find the
       // related form, so removing the rowIndex will help here.
-      sourceId = sourceId.replaceAll(":\\d+:", ":");
+      sourceId = cutIteratorFromId(sourceId);
       try {
         command = viewRoot.findComponent(sourceId);
-        //LOG.info("command = \"" + command + "\"", new Exception());
       } catch (final Exception e) {
         // ignore
+        if (LOG.isTraceEnabled()) {
+          LOG.trace("sourceId='{}'", sourceId);
+          LOG.trace("Exception in findComponent", e);
+        }
       }
     }
 
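Review bot: Removing the `matches(".*:\\d+:.*")` pre-check makes this branch run for every unresolved sourceId, not only for ids that carry a row index, so when cutIteratorFromId hands the id back unchanged the `viewRoot.findComponent(sourceId)` call repeats a lookup that apparently already failed just above (the start of the method is outside the hunk; the `No sourceId found!` warning is what suggests that). Guarding on an actual change keeps the second lookup and its exception path out of the common case: `final String cut = cutIteratorFromId(sourceId);` followed by `if (!cut.equals(sourceId)) { sourceId = cut; ... }` around the try block. The `// ignore` comment is now stale because the exception is traced; `// tolerated: the id may simply not resolve to a component` says what the catch actually does.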
@@ -140,6 +139,40 @@ public abstract class AbstractUIPage extends AbstractUIFormBase implements Clien
     }
   }
 
+  // TODO: Remove this method if proven this never happens anymore
+  // TODO: This workaround is stil needed for Mojarra
+  // TODO: Otherwise actions in tree/sheet will not be detected
+  protected String cutIteratorFromId(final String sourceId) {
+
+    final char[] chars = sourceId.toCharArray();
+    final int n = chars.length;
+    final char colon = getFacesContext().getNamingContainerSeparatorChar();
+    final StringBuilder builder = new StringBuilder(n);
+    char lastInBuilder = ' '; // any non-colon
+    for (char c : chars) {
+      if (c == colon) { // colon
+        if (lastInBuilder != colon) {
+          builder.append(c);
+          lastInBuilder = c;
+        }
+      } else if ('0' <= c && c <= '9') { // number
+
+      } else { // any other
+        builder.append(c);
+        lastInBuilder = c;
+      }
+    }
+
+    if (builder.length() == n) {
+      return sourceId;
+    } else if (lastInBuilder == colon) {
+      builder.deleteCharAt(builder.length() - 1);
+      return builder.toString();
+    } else {
+      return builder.toString();
+    }
+  }
+
   public abstract String getLabel();
 
   public abstract String getFocusId();
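Review bot: cutIteratorFromId drops every digit character rather than only segments that consist solely of digits, so a client id such as `form1:button2` comes back as `form:button` and the caller then looks up a component that does not exist, whereas the regex it replaces only removed all-digit segments between separators. Working on separator-delimited segments and skipping a segment only when it is a non-empty run of digits keeps the linear scan (the CodeQL polynomial-regex finding stays resolved) and still produces every value the new AbstractUIPageUnitTest expects; that test should also gain a case like `Assertions.assertEquals("form1:button2", page.cutIteratorFromId("form1:button2"));`, which fails against the committed version. The rewrite below replaces the whole method body and adds one private helper.
```java
  protected String cutIteratorFromId(final String sourceId) {
    final char separator = getFacesContext().getNamingContainerSeparatorChar();
    final int n = sourceId.length();
    final StringBuilder builder = new StringBuilder(n);
    boolean first = true;
    int start = 0;
    while (start <= n) {
      int end = sourceId.indexOf(separator, start);
      if (end < 0) {
        end = n;
      }
      // keep every segment except a non-empty run of digits (the row index)
      if (!isDigitsOnly(sourceId, start, end)) {
        if (!first) {
          builder.append(separator);
        }
        builder.append(sourceId, start, end);
        first = false;
      }
      start = end + 1;
    }
    return builder.toString();
  }

  /** True when s[start, end) is non-empty and made up of ASCII digits only. */
  private static boolean isDigitsOnly(final String s, final int start, final int end) {
    if (start >= end) {
      return false;
    }
    for (int i = start; i < end; i++) {
      final char c = s.charAt(i);
      if (c < '0' || c > '9') {
        return false;
      }
    }
    return true;
  }
```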
diff --git a/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/component/AbstractUIPageUnitTest.java b/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/component/AbstractUIPageUnitTest.java
new file mode 100644
index 0000000000..5adc5af62e
--- /dev/null
+++ b/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/component/AbstractUIPageUnitTest.java
@@ -0,0 +1,53 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.myfaces.tobago.internal.component;
+
+import org.apache.myfaces.tobago.component.RendererTypes;
+import org.apache.myfaces.tobago.component.Tags;
+import org.apache.myfaces.tobago.internal.config.AbstractTobagoTestBase;
+import org.apache.myfaces.tobago.util.ComponentUtils;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+public class AbstractUIPageUnitTest extends AbstractTobagoTestBase {
+
+  @Test
+  public void testCutIteratorFromId() {
+
+    final AbstractUIPage page = (AbstractUIPage) ComponentUtils.createComponent(
+        facesContext, Tags.page.componentType(), RendererTypes.Page, null);
+
+    Assertions.assertEquals("abc", page.cutIteratorFromId("abc"));
+
+    Assertions.assertEquals("a:b:c", page.cutIteratorFromId("a:b:c"));
+
+    Assertions.assertEquals("a:c", page.cutIteratorFromId("a:5:c"));
+
+    Assertions.assertEquals("a:c", page.cutIteratorFromId("a:55555555555555:c"));
+
+    Assertions.assertEquals("a:c", page.cutIteratorFromId("a:555:555:555:55555:c"));
+
+    Assertions.assertEquals("", page.cutIteratorFromId(""));
+
+    Assertions.assertEquals("", page.cutIteratorFromId("5"));
+
+    Assertions.assertEquals("sheet", page.cutIteratorFromId("sheet:5"));
+  }
+}
diff --git a/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/AbstractTobagoTestBase.java b/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/AbstractTobagoTestBase.java
index 550fb30614..e912ee59d9 100644
--- a/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/AbstractTobagoTestBase.java
+++ b/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/AbstractTobagoTestBase.java
@@ -38,6 +38,7 @@ import org.apache.myfaces.tobago.component.UIIn;
 import org.apache.myfaces.tobago.component.UILink;
 import org.apache.myfaces.tobago.component.UILinks;
 import org.apache.myfaces.tobago.component.UIOut;
+import org.apache.myfaces.tobago.component.UIPage;
 import org.apache.myfaces.tobago.component.UIPanel;
 import org.apache.myfaces.tobago.component.UIPopup;
 import org.apache.myfaces.tobago.component.UIRange;
@@ -63,6 +64,7 @@ import org.apache.myfaces.tobago.component.UITreeIndent;
 import org.apache.myfaces.tobago.component.UITreeNode;
 import org.apache.myfaces.tobago.component.UITreeSelect;
 import org.apache.myfaces.tobago.config.TobagoConfig;
+import static org.apache.myfaces.tobago.config.TobagoConfig.TOBAGO_CONFIG;
 import org.apache.myfaces.tobago.context.TobagoContext;
 import org.apache.myfaces.tobago.internal.behavior.EventBehavior;
 import org.apache.myfaces.tobago.internal.renderkit.renderer.BadgeRenderer;
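Review bot: The `import static ... TOBAGO_CONFIG;` line is inserted into the middle of the regular import list here, `TOBAGO_RESOURCE_BUNDLE` likewise in the next hunk, while the later hunk of this file removes the separate trailing static-import group the file used before. Unless an import-order rule in the build now requires static imports sorted inline, keeping them in their own group after the regular imports is the more common Java layout and avoids cosmetic churn in a test base class that this commit otherwise only extends with the UIPage registration.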
@@ -78,6 +80,7 @@ import org.apache.myfaces.tobago.internal.renderkit.renderer.InRenderer;
 import org.apache.myfaces.tobago.internal.renderkit.renderer.LinkRenderer;
 import org.apache.myfaces.tobago.internal.renderkit.renderer.LinksRenderer;
 import org.apache.myfaces.tobago.internal.renderkit.renderer.OutRenderer;
+import org.apache.myfaces.tobago.internal.renderkit.renderer.PageRenderer;
 import org.apache.myfaces.tobago.internal.renderkit.renderer.PanelRenderer;
 import org.apache.myfaces.tobago.internal.renderkit.renderer.PopupRenderer;
 import org.apache.myfaces.tobago.internal.renderkit.renderer.RangeRenderer;
@@ -103,6 +106,7 @@ import org.apache.myfaces.tobago.internal.renderkit.renderer.TreeNodeRenderer;
 import org.apache.myfaces.tobago.internal.renderkit.renderer.TreeRenderer;
 import org.apache.myfaces.tobago.internal.renderkit.renderer.TreeSelectRenderer;
 import org.apache.myfaces.tobago.internal.webapp.HtmlResponseWriter;
+import static org.apache.myfaces.tobago.util.ResourceUtils.TOBAGO_RESOURCE_BUNDLE;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 
@@ -116,9 +120,6 @@ import java.nio.charset.StandardCharsets;
 import java.util.Date;
 import java.util.Locale;
 
-import static org.apache.myfaces.tobago.config.TobagoConfig.TOBAGO_CONFIG;
-import static org.apache.myfaces.tobago.util.ResourceUtils.TOBAGO_RESOURCE_BUNDLE;
-
 /**
  * <p>Abstract JUnit test case base class, which sets up the JavaServer Faces
  * mock object environment for a particular simulated request.
@@ -170,6 +171,7 @@ public abstract class AbstractTobagoTestBase extends AbstractJsfTestCase {
     application.addComponent(Tags.link.componentType(), UILink.class.getName());
     application.addComponent(Tags.links.componentType(), UILinks.class.getName());
     application.addComponent(Tags.out.componentType(), UIOut.class.getName());
+    application.addComponent(Tags.page.componentType(), UIPage.class.getName());
     application.addComponent(Tags.panel.componentType(), UIPanel.class.getName());
     application.addComponent(Tags.popup.componentType(), UIPopup.class.getName());
     application.addComponent(Tags.range.componentType(), UIRange.class.getName());
@@ -216,6 +218,7 @@ public abstract class AbstractTobagoTestBase extends AbstractJsfTestCase {
     renderKit.addRenderer(UILink.COMPONENT_FAMILY, RendererTypes.LINK, new LinkRenderer<UILink>());
     renderKit.addRenderer(UILinks.COMPONENT_FAMILY, RendererTypes.LINKS, new LinksRenderer<UILinks>());
     renderKit.addRenderer(UIOut.COMPONENT_FAMILY, RendererTypes.OUT, new OutRenderer<UIOut>());
+    renderKit.addRenderer(UIPage.COMPONENT_FAMILY, RendererTypes.PAGE, new PageRenderer<UIPage>());
     renderKit.addRenderer(UIPanel.COMPONENT_FAMILY, RendererTypes.PANEL, new PanelRenderer<UIPanel>());
     renderKit.addRenderer(UIPopup.COMPONENT_FAMILY, RendererTypes.POPUP, new PopupRenderer<UIPopup>());
     renderKit.addRenderer(UIRange.COMPONENT_FAMILY, RendererTypes.RANGE, new RangeRenderer<UIRange>());