Posted to commits@cxf.apache.org by co...@apache.org on 2020/12/18 08:46:45 UTC

[cxf] branch master updated: Fixing issue with multiple forward slashes in services listing stylesheetPath

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/master by this push:
     new 1cf50e5  Fixing issue with multiple forward slashes in services listing stylesheetPath
1cf50e5 is described below

commit 1cf50e500c9f0d2ccbfc16f2a6b49de1bd9e7445
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Fri Dec 18 06:58:23 2020 +0000

    Fixing issue with multiple forward slashes in services listing stylesheetPath
---
 .../servicelist/FormattedServiceListWriter.java    |  2 +
 .../FormattedServiceListWriterTest.java            | 65 ++++++++++++++++++++++
 2 files changed, 67 insertions(+)

diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/servlet/servicelist/FormattedServiceListWriter.java b/rt/transports/http/src/main/java/org/apache/cxf/transport/servlet/servicelist/FormattedServiceListWriter.java
index 9cc2cb4..1084ce2 100644
--- a/rt/transports/http/src/main/java/org/apache/cxf/transport/servlet/servicelist/FormattedServiceListWriter.java
+++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/servlet/servicelist/FormattedServiceListWriter.java
@@ -43,6 +43,8 @@ public class FormattedServiceListWriter implements ServiceListWriter {
                                       boolean showForeignContexts,
                                       Bus bus) {
         this.styleSheetPath = StringEscapeUtils.escapeHtml4(styleSheetPath);
+        // Strip multiple forward slashes from the start of the styleSheePath to prevent CSS injection attacks
+        this.styleSheetPath = this.styleSheetPath.replaceFirst("(/)+", "/");
         this.title = title;
         this.showForeignContexts = showForeignContexts;
         this.bus = bus;
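Review bot: The pattern on the added line is unanchored, so `replaceFirst("(/)+", "/")` collapses the first run of slashes wherever it occurs rather than only "from the start" as the new comment states; a leading run is only handled because it happens to be the first match, and a value without a leading slash would have an interior `//` rewritten instead. Anchoring states the intent and drops the unneeded capturing group: `this.styleSheetPath = this.styleSheetPath.replaceFirst("^/+", "/");` (the comment also misspells the field as `styleSheePath`). Since `escapeHtml4` on the line above leaves slashes untouched and the goal is to stop protocol-relative `//host/...` values, it is worth confirming whether a leading backslash, which browsers commonly treat like a forward slash when resolving such URLs, should be normalised by the same guard. The constructor this line belongs to starts before the hunk.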
diff --git a/rt/transports/http/src/test/java/org/apache/cxf/transport/servlet/servicelist/FormattedServiceListWriterTest.java b/rt/transports/http/src/test/java/org/apache/cxf/transport/servlet/servicelist/FormattedServiceListWriterTest.java
new file mode 100644
index 0000000..1f9b7f2
--- /dev/null
+++ b/rt/transports/http/src/test/java/org/apache/cxf/transport/servlet/servicelist/FormattedServiceListWriterTest.java
@@ -0,0 +1,65 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.transport.servlet.servicelist;
+
+import java.io.PrintWriter;
+import java.io.StringWriter;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.transport.AbstractDestination;
+
+import org.junit.Test;
+
+import static org.junit.Assert.assertTrue;
+
+public class FormattedServiceListWriterTest {
+
+    @Test
+    public void testWriteServiceList() throws Exception {
+        Bus bus = BusFactory.getDefaultBus(true);
+        String styleSheetPath = "/app/services/?stylesheet=1";
+        FormattedServiceListWriter writer =
+                new FormattedServiceListWriter(styleSheetPath,
+                        "CXF services", false, bus);
+
+        StringWriter sw = new StringWriter();
+        writer.writeServiceList(new PrintWriter(sw), "/path", new AbstractDestination[0], new AbstractDestination[0]);
+
+        assertTrue(sw.toString().contains("href=\"" + styleSheetPath + "\""));
+        bus.shutdown(false);
+    }
+
+    @Test
+    public void testStripMultipleForwardSlashes() throws Exception {
+        Bus bus = BusFactory.getDefaultBus(true);
+        String styleSheetPath = "////app/services/?stylesheet=1";
+        FormattedServiceListWriter writer =
+                new FormattedServiceListWriter(styleSheetPath,
+                        "CXF services", false, bus);
+
+        StringWriter sw = new StringWriter();
+        writer.writeServiceList(new PrintWriter(sw), "/path", new AbstractDestination[0], new AbstractDestination[0]);
+
+        String desiredStyleSheetPath = "/app/services/?stylesheet=1";
+        assertTrue(sw.toString().contains("href=\"" + desiredStyleSheetPath + "\""));
+        bus.shutdown(false);
+    }
+
+}
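Review bot: `bus.shutdown(false)` at the end of `testWriteServiceList` and `testStripMultipleForwardSlashes` is skipped whenever `writeServiceList` throws or the `assertTrue` fails, so a failing test leaves the default bus alive for later tests in the same JVM; move the shutdown into a `finally` block or an `@After` method. The new coverage only exercises a leading run of slashes; a case such as `"app//services/?stylesheet=1"` (no leading slash) would pin down whether an interior `//` is meant to be collapsed, which the implementation under test currently does because its `replaceFirst` pattern is not anchored. Sharing the bus setup and teardown between the two tests via `@Before`/`@After` would also remove the duplicated `BusFactory.getDefaultBus(true)` calls.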