Posted to commits@cxf.apache.org by co...@apache.org on 2016/11/24 12:12:32 UTC

cxf-fediz git commit: Adding ESAPI protection to OIDC

Repository: cxf-fediz
Updated Branches:
  refs/heads/master 467382b88 -> 3197f65b5


Adding ESAPI protection to OIDC


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/3197f65b
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/3197f65b
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/3197f65b

Branch: refs/heads/master
Commit: 3197f65b5f366cd83378f6ee99569ba211317499
Parents: 467382b
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Nov 24 12:12:10 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Thu Nov 24 12:12:10 2016 +0000

----------------------------------------------------------------------
 pom.xml                                                         | 1 +
 services/oidc/pom.xml                                           | 5 +++++
 services/oidc/src/main/resources/ESAPI.properties               | 1 +
 services/oidc/src/main/webapp/WEB-INF/views/client.jsp          | 3 ++-
 .../oidc/src/main/webapp/WEB-INF/views/clientCodeGrants.jsp     | 3 ++-
 services/oidc/src/main/webapp/WEB-INF/views/clientTokens.jsp    | 3 ++-
 .../src/main/webapp/WEB-INF/views/oAuthAuthorizationData.jsp    | 3 ++-
 .../oidc/src/main/webapp/WEB-INF/views/registeredClients.jsp    | 4 +++-
 8 files changed, 18 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/3197f65b/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 1facafa..7b7b1c7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -50,6 +50,7 @@
         <easymock.version>3.4</easymock.version>
         <ecj.version>4.6.1</ecj.version>
         <ehcache.version>2.10.3</ehcache.version>
+        <esapi.version>2.1.0.1</esapi.version>
         <httpclient.version>4.3.5</httpclient.version>
         <hsqldb.version>2.3.4</hsqldb.version>
         <htmlunit.version>2.23</htmlunit.version>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/3197f65b/services/oidc/pom.xml
----------------------------------------------------------------------
diff --git a/services/oidc/pom.xml b/services/oidc/pom.xml
index 50755e5..10183c7 100644
--- a/services/oidc/pom.xml
+++ b/services/oidc/pom.xml
@@ -77,6 +77,11 @@
             <artifactId>commons-validator</artifactId>
             <version>${commons.validator.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.owasp.esapi</groupId>
+            <artifactId>esapi</artifactId>
+            <version>${esapi.version}</version>
+        </dependency>
         <!--
         <dependency>
             <groupId>org.apache.geronimo.specs</groupId>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/3197f65b/services/oidc/src/main/resources/ESAPI.properties
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/resources/ESAPI.properties b/services/oidc/src/main/resources/ESAPI.properties
new file mode 100644
index 0000000..077737c
--- /dev/null
+++ b/services/oidc/src/main/resources/ESAPI.properties
@@ -0,0 +1 @@
+ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
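Review bot: The new file sets only `ESAPI.Encoder`, so every other key the reference `DefaultSecurityConfiguration` reads (codec list, logging, intrusion detection) is resolved from ESAPI's built-in defaults; as far as I recall, each such miss is logged as a "not found in ESAPI.properties, using default" warning the first time the encoder is touched, which is noisy but harmless for output encoding. It is worth confirming in the OIDC webapp logs that this classpath copy is the one actually loaded, since ESAPI also looks in system-property and user-home locations first. A header comment would make the intent clear to the next maintainer, e.g. `# Minimal ESAPI config: only the encoder is used (HTML output encoding in the JSP views); all other subsystems fall back to ESAPI defaults.`.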

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/3197f65b/services/oidc/src/main/webapp/WEB-INF/views/client.jsp
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/webapp/WEB-INF/views/client.jsp b/services/oidc/src/main/webapp/WEB-INF/views/client.jsp
index 58438a9..6bdd74d 100644
--- a/services/oidc/src/main/webapp/WEB-INF/views/client.jsp
+++ b/services/oidc/src/main/webapp/WEB-INF/views/client.jsp
@@ -4,6 +4,7 @@
 <%@ page import="java.util.Locale"%>
 <%@ page import="java.util.TimeZone"%>
 <%@ page import="javax.servlet.http.HttpServletRequest" %>
+<%@ page import="org.owasp.esapi.ESAPI" %>
 
 <%
 	Client client = (Client)request.getAttribute("data");
@@ -72,7 +73,7 @@
 </head>
 <body>
 <div class="padded">
-<h1><%= client.getApplicationName() %></h1>
+<h1><%= ESAPI.encoder().encodeForHTML(client.getApplicationName()) %></h1>
 <br/>
 <table border="1" id=client>
     <%
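Review bot: The heading is now HTML-encoded, but the same `Client` object feeds the table that opens at the end of this hunk (`<table border="1" id=client>`), and those cells are outside the hunk; any other registrant-supplied value rendered there needs the same `ESAPI.encoder().encodeForHTML(...)` wrapping, because this fix is applied per expression rather than page-wide. If the table only prints server-generated fields, a short comment saying so next to the encoded `<h1>` would save the next reviewer the same question. The page body continues past this hunk.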

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/3197f65b/services/oidc/src/main/webapp/WEB-INF/views/clientCodeGrants.jsp
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/webapp/WEB-INF/views/clientCodeGrants.jsp b/services/oidc/src/main/webapp/WEB-INF/views/clientCodeGrants.jsp
index a303bd4..4b170e6 100644
--- a/services/oidc/src/main/webapp/WEB-INF/views/clientCodeGrants.jsp
+++ b/services/oidc/src/main/webapp/WEB-INF/views/clientCodeGrants.jsp
@@ -7,6 +7,7 @@
 <%@ page import="java.util.TimeZone"%>
 <%@ page import="javax.servlet.http.HttpServletRequest" %>
 <%@ page import="org.apache.cxf.fediz.service.oidc.clients.ClientCodeGrants" %>
+<%@ page import="org.owasp.esapi.ESAPI" %>
 
 <%
 	ClientCodeGrants tokens = (ClientCodeGrants)request.getAttribute("data");
@@ -41,7 +42,7 @@
 </head>
 <body>
 <div class="padded">
-<h1>Code Grants issued to <%= client.getApplicationName() + " (" + client.getClientId() + ")"%></h1>
+<h1>Code Grants issued to <%= ESAPI.encoder().encodeForHTML(client.getApplicationName()) + " (" + client.getClientId() + ")"%></h1>
 <br/>
 <table border="1">
     <tr><th>ID</th><th>Issue Date</th><th>Expiry Date</th><th>Action</th></tr> 
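Review bot: `client.getClientId()` in the rewritten `<h1>` is still concatenated into the markup raw while only the application name beside it is encoded; nothing in the hunk shows whether the id is server-generated or registrant-controlled, so encoding the whole rendered string is the safer and equally cheap choice: `<h1>Code Grants issued to <%= ESAPI.encoder().encodeForHTML(client.getApplicationName() + " (" + client.getClientId() + ")") %></h1>`. The same half-encoded pattern appears in the clientTokens.jsp hunk (`Tokens issued to ...`) and in the `<td><%= client.getClientId() %></td>` cell of the registeredClients.jsp hunk.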

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/3197f65b/services/oidc/src/main/webapp/WEB-INF/views/clientTokens.jsp
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/webapp/WEB-INF/views/clientTokens.jsp b/services/oidc/src/main/webapp/WEB-INF/views/clientTokens.jsp
index 4ccd6de..54ea6a9 100644
--- a/services/oidc/src/main/webapp/WEB-INF/views/clientTokens.jsp
+++ b/services/oidc/src/main/webapp/WEB-INF/views/clientTokens.jsp
@@ -8,6 +8,7 @@
 <%@ page import="java.util.TimeZone"%>
 <%@ page import="javax.servlet.http.HttpServletRequest" %>
 <%@ page import="org.apache.cxf.fediz.service.oidc.clients.ClientTokens" %>
+<%@ page import="org.owasp.esapi.ESAPI" %>
 
 <%
 	ClientTokens tokens = (ClientTokens)request.getAttribute("data");
@@ -44,7 +45,7 @@
 	</STYLE>
 </head>
 <body>
-<h1>Tokens issued to <%= client.getApplicationName() + " (" + client.getClientId() + ")"%></h1>
+<h1>Tokens issued to <%= ESAPI.encoder().encodeForHTML(client.getApplicationName()) + " (" + client.getClientId() + ")"%></h1>
 <br/>
 <div class="padded">
 <h2>Access Tokens</h2>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/3197f65b/services/oidc/src/main/webapp/WEB-INF/views/oAuthAuthorizationData.jsp
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/webapp/WEB-INF/views/oAuthAuthorizationData.jsp b/services/oidc/src/main/webapp/WEB-INF/views/oAuthAuthorizationData.jsp
index 1a71624..a4420c6 100644
--- a/services/oidc/src/main/webapp/WEB-INF/views/oAuthAuthorizationData.jsp
+++ b/services/oidc/src/main/webapp/WEB-INF/views/oAuthAuthorizationData.jsp
@@ -2,6 +2,7 @@
 <%@ page import="java.util.List" %>
 <%@ page import="org.apache.cxf.rs.security.oauth2.common.OAuthAuthorizationData" %>
 <%@ page import="org.apache.cxf.rs.security.oauth2.common.OAuthPermission" %>
+<%@ page import="org.owasp.esapi.ESAPI" %>
 
 
 <%
@@ -76,7 +77,7 @@
                             }
                         %>
 
-                        <h2>Would you like to grant <%= data.getApplicationName() %><br />the following permissions:</h2>
+                        <h2>Would you like to grant <%= ESAPI.encoder().encodeForHTML(client.getApplicationName()) %><br />the following permissions:</h2>
 
                         <table> 
                             <%
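Review bot: The rewritten `<h2>` switches the receiver from `data.getApplicationName()` to `client.getApplicationName()`, whereas every other hunk in this commit only wraps the existing expression; `data` is presumably the `OAuthAuthorizationData` attribute bound in the scriptlet above this hunk, and nothing visible here declares a `client` variable. Unless `client` is defined earlier in the page, this JSP will fail to compile at first request, and even if it is, the change of object is unrelated to the encoding fix and should be reverted or explained. The minimal change would be `<h2>Would you like to grant <%= ESAPI.encoder().encodeForHTML(data.getApplicationName()) %><br />the following permissions:</h2>`. The enclosing scriptlet block starts before this hunk.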

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/3197f65b/services/oidc/src/main/webapp/WEB-INF/views/registeredClients.jsp
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/webapp/WEB-INF/views/registeredClients.jsp b/services/oidc/src/main/webapp/WEB-INF/views/registeredClients.jsp
index 5fca5f7..009cccf 100644
--- a/services/oidc/src/main/webapp/WEB-INF/views/registeredClients.jsp
+++ b/services/oidc/src/main/webapp/WEB-INF/views/registeredClients.jsp
@@ -6,6 +6,7 @@
 <%@ page import="java.util.TimeZone"%>
 <%@ page import="javax.servlet.http.HttpServletRequest" %>
 <%@ page import="org.apache.cxf.fediz.service.oidc.clients.RegisteredClients" %>
+<%@ page import="org.owasp.esapi.ESAPI" %>
 
 <%
 	Collection<Client> regs = ((RegisteredClients)request.getAttribute("data")).getClients();
@@ -50,7 +51,8 @@
        for (Client client : regs) {
     %>
        <tr>
-           <td><a href="<%= basePath + "console/clients/" + client.getClientId() %>"><%= client.getApplicationName() %></a></td>
+           <td><a href="<%= basePath + "console/clients/" + client.getClientId() %>"><%= 
+               ESAPI.encoder().encodeForHTML(client.getApplicationName()) %></a></td>
            <td>
               <%= client.getClientId() %>
            </td>
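Review bot: The `href` on the rewritten `<td>` line still interpolates `client.getClientId()` into an attribute value without encoding, while the link text beside it is now HTML-encoded; an attribute value is a different output context, so it should go through `ESAPI.encoder().encodeForHTMLAttribute(...)` (or `encodeForURL` for the path segment), e.g. `<td><a href="<%= basePath + "console/clients/" + ESAPI.encoder().encodeForHTMLAttribute(client.getClientId()) %>"><%=`. Splitting the `<%= ... %>` expression across two lines is legal JSP, but the other views in this commit keep each expression on one line and the break right after `<%=` reads oddly. The `for (Client client : regs)` loop that encloses these lines ends outside the hunk.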