Posted to commits@roller.apache.org by mb...@apache.org on 2021/09/13 02:12:10 UTC

[roller] branch master updated (f90f714 -> 440ef70)

This is an automated email from the ASF dual-hosted git repository.

mbien pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/roller.git.


    from f90f714  quote $ and \ to not confuse the Matcher.
     new 2d5bc97  RememberMeService should use a better hash function.
     new 3b53a62  Context URL validation.
     new d673ecd  TagDataServlet: Escape URIs for XML output to make CodeQL happy.
     new 24e5302  FileContentManagerImpl: Validate Path before creating a File.
     new 28f9ca1  FileContentManagerImpl: Validate filename in saveFileContent() + use stream transferTo() shortcut.
     new 2181cb7  FolderEdit: HTTP response splitting defense.
     new 5a4af10  WeblogRequestMapper: Use already validated weblog handle for redirect logic.
     new 27c1201  close the right stream (getter would return a new stream).
     new c86fffe  set cookie "secure" and "SameSite" flags by default.
     new 440ef70  CodeQL: don't scan JS files three times.

The 10 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .github/codeql/codeql-config.yml                   | 14 ++++
 .github/workflows/codeql-analysis.yml              | 10 +--
 .../weblogger/business/FileContentManagerImpl.java | 79 +++++++++-------------
 .../business/themes/ThemeManagerImpl.java          |  6 +-
 .../weblogger/ui/core/filters/InitFilter.java      | 42 +++++++-----
 .../ui/core/security/RollerRememberMeServices.java |  8 +--
 .../ui/rendering/WeblogRequestMapper.java          |  4 +-
 .../weblogger/ui/struts2/editor/FolderEdit.java    |  7 +-
 .../webservices/tagdata/TagDataServlet.java        |  6 +-
 app/src/main/webapp/theme/scripts/roller.js        |  5 +-
 10 files changed, 92 insertions(+), 89 deletions(-)
 create mode 100644 .github/codeql/codeql-config.yml

[roller] 05/10: FileContentManagerImpl: Validate filename in saveFileContent() + use stream transferTo() shortcut.

Posted by mb...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mbien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/roller.git

commit 28f9ca1c589d7847f9685f6f6aef369b461cf9e7
Author: Michael Bien <mb...@gmail.com>
AuthorDate: Tue Aug 24 21:51:37 2021 +0200

    FileContentManagerImpl: Validate filename in saveFileContent() + use stream transferTo() shortcut.
---
 .../weblogger/business/FileContentManagerImpl.java | 46 +++++++++-------------
 1 file changed, 18 insertions(+), 28 deletions(-)

diff --git a/app/src/main/java/org/apache/roller/weblogger/business/FileContentManagerImpl.java b/app/src/main/java/org/apache/roller/weblogger/business/FileContentManagerImpl.java
index 0b99268..3df3902 100644
--- a/app/src/main/java/org/apache/roller/weblogger/business/FileContentManagerImpl.java
+++ b/app/src/main/java/org/apache/roller/weblogger/business/FileContentManagerImpl.java
@@ -19,7 +19,6 @@
 package org.apache.roller.weblogger.business;
 
 import java.io.File;
-import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
@@ -104,34 +103,19 @@ public class FileContentManagerImpl implements FileContentManager {
     public void saveFileContent(Weblog weblog, String fileId, InputStream is)
             throws FileNotFoundException, FilePathException, FileIOException {
 
+        checkFileName(fileId);
+
         // make sure uploads area exists for this weblog
         File dirPath = this.getRealFile(weblog, null);
 
         // create File that we are about to save
-        File saveFile = new File(dirPath.getAbsolutePath() + File.separator
-                + fileId);
+        Path saveFile = Path.of(dirPath.getAbsolutePath(), fileId);
 
-        byte[] buffer = new byte[RollerConstants.EIGHT_KB_IN_BYTES];
-        int bytesRead;
-        OutputStream bos = null;
-        try {
-            bos = new FileOutputStream(saveFile);
-            while ((bytesRead = is.read(buffer, 0,
-                    RollerConstants.EIGHT_KB_IN_BYTES)) != -1) {
-                bos.write(buffer, 0, bytesRead);
-            }
-            log.debug("The file has been written to ["
-                    + saveFile.getAbsolutePath() + "]");
-        } catch (Exception e) {
+        try (OutputStream os = Files.newOutputStream(saveFile)) {
+            is.transferTo(os);
+            log.debug("The file has been written to ["+saveFile+"]");
+        } catch (IOException e) {
             throw new FileIOException("ERROR uploading file", e);
-        } finally {
-            try {
-                if (bos != null) {
-                    bos.flush();
-                    bos.close();
-                }
-            } catch (Exception ignored) {
-            }
         }
 
     }
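Review bot: `Path.of(dirPath.getAbsolutePath(), fileId)` on the new side sits outside the try block, so a fileId containing characters the filesystem rejects (a NUL byte, for instance) now raises an unchecked `InvalidPathException` that escapes past the method's declared `FileIOException`; the old `new File(...)`/`FileOutputStream` path failed inside the try and was wrapped. Moving the `Path.of` call into the try and widening the catch to `catch (IOException | InvalidPathException e)` keeps the documented contract. The debug message is also built eagerly on every call; wrapping it in `if (log.isDebugEnabled())`, as the other classes in this push do, avoids that.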
@@ -414,11 +398,7 @@ public class FileContentManagerImpl implements FileContentManager {
         // now form the absolute path
         Path filePath = weblogDir.toAbsolutePath();
         if (fileId != null) {
-            // make sure someone isn't trying to sneek outside the uploads dir
-            if(fileId.contains("..")) {
-                throw new FilePathException("Invalid file name [" + fileId + "], "
-                        + "trying to get outside uploads dir.");
-            }
+            checkFileName(fileId);
             filePath = filePath.resolve(fileId);
         }
 
@@ -431,4 +411,14 @@ public class FileContentManagerImpl implements FileContentManager {
         return filePath.toFile();
     }
 
+    /**
+     * Make sure someone isn't trying to sneak outside the uploads dir.
+     */
+    private static void checkFileName(String fileId) throws FilePathException {
+        if(fileId.contains("..")) {
+            throw new FilePathException("Invalid file name [" + fileId + "], "
+                    + "trying to get outside uploads dir.");
+        }
+    }
+
 }
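Review bot: The Javadoc on `checkFileName` says what the check is for but not what it does, and the substring test also rejects legitimate names such as `report..final.pdf`, which a caller cannot tell from the message. Suggest documenting the contract in the Javadoc: `Rejects any fileId containing the substring ".."; this is a name-level filter only and does not verify that the resolved path stays inside the uploads directory.` with `@param fileId the caller-supplied file name, must not be null` and `@throws FilePathException if the name contains ".."`. A null fileId throws `NullPointerException` here, and `saveFileContent` calls this without a null guard, so that is worth stating too.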

[roller] 09/10: set cookie "secure" and "SameSite" flags by default.

Posted by mb...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mbien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/roller.git

commit c86fffed7b6a1f24b4ead87cd7c141a4077ed4b2
Author: Michael Bien <mb...@gmail.com>
AuthorDate: Wed Aug 25 04:11:39 2021 +0200

    set cookie "secure" and "SameSite" flags by default.
---
 app/src/main/webapp/theme/scripts/roller.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/app/src/main/webapp/theme/scripts/roller.js b/app/src/main/webapp/theme/scripts/roller.js
index 1685b76..f703a62 100644
--- a/app/src/main/webapp/theme/scripts/roller.js
+++ b/app/src/main/webapp/theme/scripts/roller.js
@@ -16,11 +16,12 @@
 * directory of this distribution.
 */
 /* This function is used to set cookies */
-function setCookie(name,value,expires,path,domain,secure) {
+function setCookie(name, value, expires, path, domain, secure=true, sameSite=true) {
   document.cookie = name + "=" + escape (value) +
     ((expires) ? "; expires=" + expires.toGMTString() : "") +
     ((path) ? "; path=" + path : "") +
-    ((domain) ? "; domain=" + domain : "") + ((secure) ? "; secure" : "");
+    ((domain) ? "; domain=" + domain : "") + ((secure) ? "; secure" : "") +
+    ((sameSite) ? "; SameSite=Strict" : "");
 }
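Review bot: `secure=true` as the default means a cookie set by any caller that omits the argument is discarded by the browser on a plain-http origin, and `sameSite=true` can only ever produce `SameSite=Strict`; neither is reflected in the comment above the function, which still reads `/* This function is used to set cookies */`. Suggest documenting the defaults and that trade-off there, and accepting the attribute value instead of a boolean, e.g. `sameSite="Strict"` with `(sameSite ? "; SameSite=" + sameSite : "")`, so a caller can choose Lax where a cross-site navigation must carry the cookie; `SameSite=None` additionally requires `secure`. `escape(value)` is pre-existing but deprecated; `encodeURIComponent(value)` is the current equivalent.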
 
 /* This function is used to get cookies */

[roller] 08/10: close the right stream (getter would return a new stream).

Posted by mb...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mbien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/roller.git

commit 27c120127a453413a581a2d0991b8963255c376e
Author: Michael Bien <mb...@gmail.com>
AuthorDate: Wed Aug 25 01:01:29 2021 +0200

    close the right stream (getter would return a new stream).
---
 .../apache/roller/weblogger/business/themes/ThemeManagerImpl.java   | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/src/main/java/org/apache/roller/weblogger/business/themes/ThemeManagerImpl.java b/app/src/main/java/org/apache/roller/weblogger/business/themes/ThemeManagerImpl.java
index 8603263..1346717 100644
--- a/app/src/main/java/org/apache/roller/weblogger/business/themes/ThemeManagerImpl.java
+++ b/app/src/main/java/org/apache/roller/weblogger/business/themes/ThemeManagerImpl.java
@@ -65,7 +65,7 @@ import org.apache.roller.weblogger.util.RollerMessages;
 @com.google.inject.Singleton
 public class ThemeManagerImpl implements ThemeManager {
 
-	static FileTypeMap map = null;
+	private static final FileTypeMap map;
 	static {
 		// TODO: figure out why PNG is missing from Java MIME types
 		map = FileTypeMap.getDefaultFileTypeMap();
@@ -77,7 +77,7 @@ public class ThemeManagerImpl implements ThemeManager {
 		}
 	}
 
-	private static Log log = LogFactory.getLog(ThemeManagerImpl.class);
+	private static final Log log = LogFactory.getLog(ThemeManagerImpl.class);
 	private final Weblogger roller;
 	// directory where themes are kept
 	private String themeDir = null;
@@ -354,7 +354,7 @@ public class ThemeManagerImpl implements ThemeManager {
 				RollerMessages errors = new RollerMessages();
 				fileMgr.createThemeMediaFile(weblog, mf, errors);
 				try {
-					resource.getInputStream().close();
+					is.close();
 				} catch (IOException ex) {
 					errors.addError("error.closingStream");
 					log.debug("ERROR closing inputstream");
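Review bot: `is.close()` is still a manual close inside a catch that only records `error.closingStream`, and this is the only close of `is` visible; where `is` is opened is outside the hunk, so whether it leaks when `fileMgr.createThemeMediaFile` throws cannot be confirmed from here. If `is` is acquired in the enclosing method, a `try (InputStream is = resource.getInputStream()) { ... }` around its use removes both the manual close and the swallowed-close branch. The enclosing method starts and ends outside this hunk.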

[roller] 01/10: RememberMeService should use a better hash function.

Posted by mb...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mbien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/roller.git

commit 2d5bc971cab183df5ee0d1b1ffecc3946a1e9f2c
Author: Michael Bien <mb...@gmail.com>
AuthorDate: Sun Aug 22 03:44:19 2021 +0200

    RememberMeService should use a better hash function.
---
 .../weblogger/ui/core/security/RollerRememberMeServices.java      | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeServices.java b/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeServices.java
index af1afc2..2566a43 100644
--- a/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeServices.java
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeServices.java
@@ -31,8 +31,8 @@ import java.security.NoSuchAlgorithmException;
 
 
 public class RollerRememberMeServices extends TokenBasedRememberMeServices {
-    private static final Log log = LogFactory.getLog(RollerRememberMeServices.class);
 
+    private static final Log log = LogFactory.getLog(RollerRememberMeServices.class);
 
     public RollerRememberMeServices(UserDetailsService userDetailsService) {
         
@@ -51,7 +51,7 @@ public class RollerRememberMeServices extends TokenBasedRememberMeServices {
 
     /**
      * Calculates the digital signature to be put in the cookie. Default value is
-     * MD5 ("username:tokenExpiryTime:password:key")
+     * SHA-512 ("username:tokenExpiryTime:password:key")
      *
      * If LDAP is enabled then a configurable dummy password is used in the calculation.
      */
@@ -70,9 +70,9 @@ public class RollerRememberMeServices extends TokenBasedRememberMeServices {
         String data = username + ":" + tokenExpiryTime + ":" + password + ":" + getKey();
         MessageDigest digest;
         try {
-            digest = MessageDigest.getInstance("MD5");
+            digest = MessageDigest.getInstance("SHA-512");
         } catch (NoSuchAlgorithmException e) {
-            throw new IllegalStateException("No MD5 algorithm available!");
+            throw new IllegalStateException("Required by Spec.", e);
         }
 
         return new String(Hex.encode(digest.digest(data.getBytes())));
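Review bot: `data.getBytes()` on the last line of the hunk uses the platform default charset, so the same inputs can produce different signatures on hosts with different defaults (a remember-me cookie minted on one node would fail validation on another); `data.getBytes(StandardCharsets.UTF_8)` pins it. The replacement message `"Required by Spec."` loses the algorithm name the old message carried; `"SHA-512 MessageDigest not available (required by the Java platform spec)"` keeps it. The construction is still a plain digest over a concatenation, keyed only by appending `getKey()`; if the Spring Security version in use lets this be overridden, an HMAC (`Mac.getInstance("HmacSHA256")` with the key as the secret) is the conventional primitive for an authenticated token, noting that any such change invalidates outstanding cookies just as this commit's algorithm switch does. The method's closing brace is outside the hunk.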

[roller] 04/10: FileContentManagerImpl: Validate Path before creating a File.

Posted by mb...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mbien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/roller.git

commit 24e53029faeab078d73e043800b8e63771d132cd
Author: Michael Bien <mb...@gmail.com>
AuthorDate: Tue Aug 24 06:05:43 2021 +0200

    FileContentManagerImpl: Validate Path before creating a File.
    
    CodeQL doesn't understand validation which is happening *after* Files or Paths are created.
    Rewriting the method a little bit solves that, and it's now using Path instead of File.
---
 .../weblogger/business/FileContentManagerImpl.java | 45 ++++++++++------------
 1 file changed, 20 insertions(+), 25 deletions(-)

diff --git a/app/src/main/java/org/apache/roller/weblogger/business/FileContentManagerImpl.java b/app/src/main/java/org/apache/roller/weblogger/business/FileContentManagerImpl.java
index cd8553d..0b99268 100644
--- a/app/src/main/java/org/apache/roller/weblogger/business/FileContentManagerImpl.java
+++ b/app/src/main/java/org/apache/roller/weblogger/business/FileContentManagerImpl.java
@@ -24,6 +24,8 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.math.BigDecimal;
+import java.nio.file.Files;
+import java.nio.file.Path;
 
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.logging.Log;
@@ -42,7 +44,7 @@ import org.apache.roller.weblogger.util.RollerMessages;
  */
 public class FileContentManagerImpl implements FileContentManager {
 
-    private static Log log = LogFactory.getLog(FileContentManagerImpl.class);
+    private static final Log log = LogFactory.getLog(FileContentManagerImpl.class);
 
     private String storageDir = null;
 
@@ -400,40 +402,33 @@ public class FileContentManagerImpl implements FileContentManager {
             throws FileNotFoundException, FilePathException {
 
         // make sure uploads area exists for this weblog
-        File weblogDir = new File(this.storageDir + weblog.getHandle());
-        if (!weblogDir.exists()) {
-            weblogDir.mkdirs();
+        Path weblogDir = Path.of(this.storageDir, weblog.getHandle());
+        if (!Files.exists(weblogDir)) {
+            try {
+                Files.createDirectories(weblogDir);
+            } catch (IOException ex) {
+                throw new FilePathException("Can't create storage dir [" + weblogDir + "]", ex);
+            }
         }
 
         // now form the absolute path
-        String filePath = weblogDir.getAbsolutePath();
+        Path filePath = weblogDir.toAbsolutePath();
         if (fileId != null) {
-            filePath += File.separator + fileId;
+            // make sure someone isn't trying to sneek outside the uploads dir
+            if(fileId.contains("..")) {
+                throw new FilePathException("Invalid file name [" + fileId + "], "
+                        + "trying to get outside uploads dir.");
+            }
+            filePath = filePath.resolve(fileId);
         }
 
         // make sure path exists and is readable
-        File file = new File(filePath);
-        if (!file.exists()) {
+        if (!Files.isReadable(filePath)) {
             throw new FileNotFoundException("Invalid path [" + filePath + "], "
-                    + "file does not exist.");
-        } else if (!file.canRead()) {
-            throw new FilePathException("Invalid path [" + filePath + "], "
-                    + "cannot read from path.");
-        }
-
-        try {
-            // make sure someone isn't trying to sneek outside the uploads dir
-            if (!file.getCanonicalPath().startsWith(
-                    weblogDir.getCanonicalPath())) {
-                throw new FilePathException("Invalid path " + filePath + "], "
-                        + "trying to get outside uploads dir.");
-            }
-        } catch (IOException ex) {
-            // rethrow as FilePathException
-            throw new FilePathException(ex);
+                    + "file does not exist or is not readable.");
         }
 
-        return file;
+        return filePath.toFile();
     }
 
 }
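Review bot: The rewrite collapses two distinct failures into one: a missing file and an existing-but-unreadable file both now throw `FileNotFoundException`, whereas the old code threw `FilePathException` for the unreadable case, so any caller that handled the two differently (none visible in this hunk) loses that signal. If the distinction matters, keep `if (!Files.exists(filePath)) { throw new FileNotFoundException(...); }` followed by `if (!Files.isReadable(filePath)) { throw new FilePathException(...); }`. The `Files.createDirectories` failure is wrapped with its cause, which is an improvement over the old unchecked `mkdirs()` result. `getRealFile`'s signature is above the hunk.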

[roller] 06/10: FolderEdit: HTTP response splitting defense.

Posted by mb...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mbien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/roller.git

commit 2181cb796aa3057bd8b692d34ada970b17d21fc6
Author: Michael Bien <mb...@gmail.com>
AuthorDate: Tue Aug 24 22:15:21 2021 +0200

    FolderEdit: HTTP response splitting defense.
---
 .../org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java  | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java b/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java
index 91dc0ae..94de22d 100644
--- a/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java
@@ -40,7 +40,7 @@ import javax.servlet.http.HttpServletResponse;
 // TODO: make this work @AllowedMethods({"execute","save"})
 public class FolderEdit extends UIAction implements ServletResponseAware {
 
-    private static Log log = LogFactory.getLog(FolderEdit.class);
+    private static final Log log = LogFactory.getLog(FolderEdit.class);
 
     // bean for managing form data
     private FolderBean bean = new FolderBean();
@@ -127,7 +127,10 @@ public class FolderEdit extends UIAction implements ServletResponseAware {
                     addMessage("folderForm.updated");
                 }
 
-                httpServletResponse.addHeader("folderId", folderId );
+                // HTTP response splitting defense
+                String sanetizedFolderID = folderId.replace("\n", "").replace("\r", "");
+
+                httpServletResponse.addHeader("folderId", sanetizedFolderID);
 
                 return SUCCESS;
 
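Review bot: The new local is misspelled — `sanetizedFolderID` should be `sanitizedFolderId` (style; also the `Id` casing already used for `folderId`). Stripping only `\n` and `\r` is the narrowest possible fix; if folderId is an identifier generated by the application (it looks like one, but its origin is outside the hunk), validating it against the expected identifier shape and rejecting anything else, e.g. `if (!folderId.matches("[\\w-]+")) { ... }` (constructed pattern, adjust to the real id format), gives a clearer contract than silently altering the value. `folderId.replace` also dereferences it unconditionally, so a null check or `Objects.requireNonNull(folderId, "folderId")` is worth adding if null is reachable here.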

[roller] 07/10: WeblogRequestMapper: Use already validated weblog handle for redirect logic.

Posted by mb...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mbien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/roller.git

commit 5a4af10a6adf55d2b00639509415d80ecc57bb05
Author: Michael Bien <mb...@gmail.com>
AuthorDate: Wed Aug 25 00:29:00 2021 +0200

    WeblogRequestMapper: Use already validated weblog handle for redirect logic.
---
 .../org/apache/roller/weblogger/ui/rendering/WeblogRequestMapper.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/WeblogRequestMapper.java b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/WeblogRequestMapper.java
index 92b78a2..584ee28 100644
--- a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/WeblogRequestMapper.java
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/WeblogRequestMapper.java
@@ -46,7 +46,7 @@ import org.apache.roller.weblogger.pojos.Weblog;
  */
 public class WeblogRequestMapper implements RequestMapper {
     
-    private static Log log = LogFactory.getLog(WeblogRequestMapper.class);
+    private static final Log log = LogFactory.getLog(WeblogRequestMapper.class);
     
     private static final String PAGE_SERVLET = "/roller-ui/rendering/page";
     private static final String FEED_SERVLET = "/roller-ui/rendering/feed";
@@ -199,7 +199,7 @@ public class WeblogRequestMapper implements RequestMapper {
             // this means someone referred to a weblog index page with the 
             // shortest form of url /<weblog> or /<weblog>/<locale> and we need
             // to do a redirect to /<weblog>/ or /<weblog>/<locale>/
-            String redirectUrl = request.getRequestURI() + "/";
+            String redirectUrl = "/" + weblogHandle + "/";
             if(request.getQueryString() != null) {
                 redirectUrl += "?"+request.getQueryString();
             }
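Review bot: The new redirect target `"/" + weblogHandle + "/"` drops two things the previous `request.getRequestURI() + "/"` carried: the servlet context path (a deployment under `/roller` would redirect to `/<weblog>/` at the server root) and the `<locale>` segment the comment directly above still promises to preserve. Unless a later line outside the hunk prefixes the context path, `request.getContextPath() + "/" + weblogHandle + "/"` is needed, and the locale case needs the validated locale value appended the same way (its variable is not visible here). The enclosing method continues outside this hunk.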

[roller] 03/10: TagDataServlet: Escape URIs for XML output to make CodeQL happy.

Posted by mb...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mbien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/roller.git

commit d673ecd72d45dd5ac576d968574f993eacc81622
Author: Michael Bien <mb...@gmail.com>
AuthorDate: Mon Aug 23 06:43:07 2021 +0200

    TagDataServlet: Escape URIs for XML output to make CodeQL happy.
    
    This is technically not needed, but CodeQL thinks those variables are client provided Strings,
    since one code path leads to the InitFilter. We do it anyway to fix 3 alerts, and it's trivial.
---
 .../apache/roller/weblogger/webservices/tagdata/TagDataServlet.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/src/main/java/org/apache/roller/weblogger/webservices/tagdata/TagDataServlet.java b/app/src/main/java/org/apache/roller/weblogger/webservices/tagdata/TagDataServlet.java
index 6ddb591..e239839 100644
--- a/app/src/main/java/org/apache/roller/weblogger/webservices/tagdata/TagDataServlet.java
+++ b/app/src/main/java/org/apache/roller/weblogger/webservices/tagdata/TagDataServlet.java
@@ -186,7 +186,7 @@ public class TagDataServlet extends HttpServlet {
                         0, true);
                 int frequency = stat.getCount();
                 pw.print("<atom:category term=\"" + term + "\" tagdata:frequency=\"" + frequency + "\" ");
-                pw.println("tagdata:href=\"" + viewURI + "\" />");
+                pw.println("tagdata:href=\"" + StringEscapeUtils.escapeXml10(viewURI) + "\" />");
                 if (count++ > MAX) {
                     break;
                 }
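Review bot: Only `viewURI` is escaped on the new side; `term` on the line above is written unescaped into an attribute value of the same element, and a tag name is a more plausible carrier of `"`, `<` or `&` than a URL the application built itself (where `stat`'s term originates is outside the hunk). `pw.print("<atom:category term=\"" + StringEscapeUtils.escapeXml10(term) + "\" tagdata:frequency=\"" + frequency + "\" ");` applies the same treatment; `frequency` is an int and needs none. The enclosing loop starts above the hunk.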
@@ -194,12 +194,12 @@ public class TagDataServlet extends HttpServlet {
             if (tags.size() > MAX) {
                 // get next URI, if site-wide then don't specify weblog
                 String nextURI = urlstrat.getWeblogTagsJsonURL(weblog, true, page + 1);
-                pw.println("<atom:link rel=\"next\" href=\"" + nextURI + "\" />");
+                pw.println("<atom:link rel=\"next\" href=\"" + StringEscapeUtils.escapeXml10(nextURI) + "\" />");
             }
             if (page > 0) {
                 // get prev URI, if site-wide then don't specify weblog
                 String prevURI = urlstrat.getWeblogTagsJsonURL(weblog, true, page - 1);
-                pw.println("<atom:link rel=\"previous\" href=\"" + prevURI + "\" />");
+                pw.println("<atom:link rel=\"previous\" href=\"" + StringEscapeUtils.escapeXml10(prevURI) + "\" />");
             }
             pw.println("</categories>");
             response.flushBuffer();

[roller] 02/10: Context URL validation.

Posted by mb...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mbien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/roller.git

commit 3b53a62195787c3b00cec86e5845959250aabc99
Author: Michael Bien <mb...@gmail.com>
AuthorDate: Mon Aug 23 03:11:31 2021 +0200

    Context URL validation.
---
 .../weblogger/ui/core/filters/InitFilter.java      | 42 +++++++++++++---------
 1 file changed, 25 insertions(+), 17 deletions(-)

diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java b/app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java
index 7ab9fa0..554ccc6 100644
--- a/app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java
@@ -30,6 +30,7 @@ import javax.servlet.http.HttpServletRequest;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.commons.validator.routines.UrlValidator;
 import org.apache.roller.weblogger.config.WebloggerRuntimeConfig;
 
 /**
@@ -41,7 +42,7 @@ import org.apache.roller.weblogger.config.WebloggerRuntimeConfig;
  */
 public class InitFilter implements Filter {
 
-    private static Log log = LogFactory.getLog(InitFilter.class);
+    private static final Log log = LogFactory.getLog(InitFilter.class);
 
     private boolean initialized = false;
 
@@ -53,22 +54,29 @@ public class InitFilter implements Filter {
 
             // first request, lets do our initialization
             HttpServletRequest request = (HttpServletRequest) req;
-            // HttpServletResponse response = (HttpServletResponse) res;
-
-            // determine absolute and relative url paths to the app
-            String relPath = request.getContextPath();
-            String absPath = this.getAbsoluteUrl(request);
-
-            // set them in our config
-            WebloggerRuntimeConfig.setAbsoluteContextURL(absPath);
-            WebloggerRuntimeConfig.setRelativeContextURL(relPath);
-
-            if (log.isDebugEnabled()) {
-                log.debug("relPath = " + relPath);
-                log.debug("absPath = " + absPath);
+            
+            UrlValidator validator = new UrlValidator(
+                            new String[]{"http", "https"},
+                            UrlValidator.ALLOW_LOCAL_URLS); // for integration tests
+
+            if(validator.isValid(request.getRequestURL().toString())) {
+                
+                // determine absolute and relative url paths to the app
+                String relPath = request.getContextPath();
+                String absPath = this.getAbsoluteUrl(request);
+
+                // set them in our config
+                WebloggerRuntimeConfig.setAbsoluteContextURL(absPath);
+                WebloggerRuntimeConfig.setRelativeContextURL(relPath);
+
+                if (log.isDebugEnabled()) {
+                    log.debug("relPath = " + relPath);
+                    log.debug("absPath = " + absPath);
+                }
+
+                this.initialized = true;
             }
 
-            this.initialized = true;
         }
 
         chain.doFilter(req, res);
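Review bot: When `validator.isValid(...)` returns false the request is passed on silently, `initialized` stays false and the context URLs are never configured; nothing is logged, so an operator whose site uses a scheme or host form the validator rejects sees only downstream symptoms. An `else` branch with `log.warn("Request URL rejected by UrlValidator; context URL not initialised")` (without echoing the raw URL into the log) makes the failure visible. Syntactic validity also does not establish that the Host the first request carried is one this deployment serves — `getAbsoluteUrl` still derives the absolute context URL from the request's server name — so a configured list of permitted hostnames would close the gap the validator leaves. `doFilter` starts and ends outside this hunk.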
@@ -90,9 +98,9 @@ public class InitFilter implements Filter {
 
     protected static String getAbsoluteUrl(boolean secure, String serverName, String contextPath, String requestURI, String requestURL){
 
-        String url = null;
+        String url;
 
-        String fullUrl = null;
+        String fullUrl;
 
         if (!secure) {
             fullUrl = requestURL;

[roller] 10/10: CodeQL: don't scan JS files three times.

Posted by mb...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mbien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/roller.git

commit 440ef707696bbe9f0c4d65deeff19bd3d3a9988f
Author: Michael Bien <mb...@gmail.com>
AuthorDate: Fri Aug 27 05:38:38 2021 +0200

    CodeQL: don't scan JS files three times.
    
    unfortunately this requires another config file, since path settings
    can't be set in the workflow config.
    see https://github.com/github/codeql-action/issues/283
---
 .github/codeql/codeql-config.yml      | 14 ++++++++++++++
 .github/workflows/codeql-analysis.yml | 10 +---------
 2 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
new file mode 100644
index 0000000..7fa5e23
--- /dev/null
+++ b/.github/codeql/codeql-config.yml
@@ -0,0 +1,14 @@
+name: "Roller CodeQL config"
+
+# paths-ignore only influences interpreted languages according to the doc
+# don't scan JS files three times:
+#   - ignore test folder and source folder
+#   - target is kept to only scan what is deployed
+paths-ignore: 
+    - app/target/test-classes
+    - app/src
+
+# If you wish to specify custom queries, you can do so here or in a config file.
+# By default, queries listed here will override any specified in a config file.
+# Prefix the list here with "+" to use these queries and those in the config file.
+# queries: ./path/to/local/query, your-org/your-repo/queries@main
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 4a7f7ba..43f56cb 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -4,11 +4,6 @@
 # You may wish to alter this file to override the set of languages analyzed,
 # or to provide custom queries or build logic.
 #
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
 name: "CodeQL"
 
 on:
@@ -45,10 +40,7 @@ jobs:
       uses: github/codeql-action/init@v1
       with:
         languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+        config-file: ./.github/codeql/codeql-config.yml
 
     - name: Build with Maven
       run: mvn -DskipTests=true -V -ntp install