Posted to commits@sling.apache.org by ra...@apache.org on 2019/11/20 13:13:51 UTC

[sling-org-apache-sling-xss] 01/02: SLING-8851 - Skip namespace mangling

This is an automated email from the ASF dual-hosted git repository.

radu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git

View the commit online:
https://github.com/apache/sling-org-apache-sling-xss/commit/a827eb7f30ac2d65b512b928087ca93b1ebd3fb8

commit a827eb7f30ac2d65b512b928087ca93b1ebd3fb8
Author: Radu Cotescu <ra...@apache.org>
AuthorDate: Wed Nov 20 13:59:49 2019 +0100

    SLING-8851 - Skip namespace mangling
    
    * removed mangling code and adapted tests
---
 .../java/org/apache/sling/xss/impl/XSSAPIImpl.java | 50 ----------------------
 .../org/apache/sling/xss/impl/XSSAPIImplTest.java  | 20 ++++-----
 2 files changed, 10 insertions(+), 60 deletions(-)

diff --git a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
index 4022b8a..958e365 100644
--- a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
+++ b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
@@ -181,55 +181,6 @@ public class XSSAPIImpl implements XSSAPI {
         return defaultValue;
     }
 
-    private static final String MANGLE_NAMESPACE_OUT_SUFFIX = ":";
-
-    private static final String MANGLE_NAMESPACE_OUT = "/([^:/]+):";
-
-    private static final Pattern MANGLE_NAMESPACE_PATTERN = Pattern.compile(MANGLE_NAMESPACE_OUT);
-
-    private static final String MANGLE_NAMESPACE_IN_SUFFIX = "_";
-
-    private static final String MANGLE_NAMESPACE_IN_PREFIX = "/_";
-
-    private String mangleNamespaces(String absPath) throws URISyntaxException, UnsupportedEncodingException {
-        String mangledPath = null;
-        URI uri = new URI(absPath);
-        if (uri.getPath() != null) {
-            if (uri.getRawPath().contains(MANGLE_NAMESPACE_OUT_SUFFIX)) {
-                final Matcher m = MANGLE_NAMESPACE_PATTERN.matcher(uri.getRawPath());
-
-                final StringBuffer buf = new StringBuffer();
-                while (m.find()) {
-                    final String replacement = MANGLE_NAMESPACE_IN_PREFIX + m.group(1) + MANGLE_NAMESPACE_IN_SUFFIX;
-                    m.appendReplacement(buf, replacement);
-                }
-
-                m.appendTail(buf);
-                mangledPath = buf.toString();
-            }
-        }
-        if (mangledPath != null) {
-            URI mangledURI = new URI(uri.getScheme(), uri.getUserInfo(), uri.getHost(), uri.getPort(),
-                    URLDecoder.decode(mangledPath, "UTF-8"),
-                    uri.getQuery(), uri.getFragment());
-            StringBuilder uriBuilder = new StringBuilder();
-            if (StringUtils.isNotEmpty(mangledURI.getScheme()) && StringUtils.isNotEmpty(mangledURI.getAuthority())) {
-                uriBuilder.append(mangledURI.getScheme()).append("://").append(mangledURI.getRawAuthority());
-            }
-            if (StringUtils.isNotEmpty(mangledURI.getPath())) {
-                uriBuilder.append(mangledURI.getRawPath());
-            }
-            if (StringUtils.isNotEmpty(mangledURI.getQuery())) {
-                uriBuilder.append("?").append(mangledURI.getRawQuery());
-            }
-            if (StringUtils.isNotEmpty(mangledURI.getFragment())) {
-                uriBuilder.append("#").append(mangledURI.getRawFragment());
-            }
-            return uriBuilder.toString();
-        }
-        return absPath;
-    }
-
     /**
      * @see org.apache.sling.xss.XSSAPI#getValidHref(String)
      */
@@ -247,7 +198,6 @@ public class XSSAPIImpl implements XSSAPI {
                     .replaceAll("`", "%60")
                     .replaceAll(" ", "%20");
             try {
-                encodedUrl = mangleNamespaces(encodedUrl);
                 if (xssFilter.isValidHref(encodedUrl)) {
                     return encodedUrl;
                 }
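Review bot: With `encodedUrl = mangleNamespaces(encodedUrl);` removed, the `try` block opened two lines above no longer appears to contain a call that throws the checked `URISyntaxException` and `UnsupportedEncodingException` the deleted method declared, so any catch clauses naming those types (outside the hunk, below) would not compile unless `xssFilter.isValidHref` declares them or they are caught under a broader type; worth confirming the catch block was narrowed or dropped in the same change. The diffstat accounts for exactly the 50 lines removed by the two hunks, so the imports the deleted method relied on (`URI`, `URLDecoder`, `Pattern`, `Matcher`, `URISyntaxException`, `UnsupportedEncodingException`) are still present and are now unused unless referenced elsewhere in the file. The enclosing `getValidHref` method starts and ends outside the hunk.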
diff --git a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
index e365b57..43981f5 100644
--- a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
+++ b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
@@ -241,16 +241,16 @@ public class XSSAPIImplTest {
                 {"repo/günter", "repo/günter"},
 
                 // JCR namespaces:
-                {"my/page/jcr:content.feed", "my/page/_jcr_content.feed"},
-                {"my/jcr:content/page/jcr:content", "my/_jcr_content/page/_jcr_content"},
-                {"my/jcr:content/encoded%20spaces", "my/_jcr_content/encoded%20spaces"},
-                {"my/jcr:content/this path has spaces", "my/_jcr_content/this%20path%20has%20spaces"},
+                {"my/page/jcr:content.feed", "my/page/jcr:content.feed"},
+                {"my/jcr:content/page/jcr:content", "my/jcr:content/page/jcr:content"},
+                {"my/jcr:content/encoded%20spaces", "my/jcr:content/encoded%20spaces"},
+                {"my/jcr:content/this path has spaces", "my/jcr:content/this%20path%20has%20spaces"},
 
                 {"\" onClick=ugly", "%22%20onClick=ugly"},
                 {"javascript:ugly", ""},
                 {"http://localhost:4502", "http://localhost:4502"},
                 {"http://localhost:4502/test", "http://localhost:4502/test"},
-                {"http://localhost:4502/jcr:content/test", "http://localhost:4502/_jcr_content/test"},
+                {"http://localhost:4502/jcr:content/test", "http://localhost:4502/jcr:content/test"},
                 {"http://localhost:4502/test.html?a=b&b=c", "http://localhost:4502/test.html?a=b&b=c"},
 
                 // space
@@ -280,15 +280,15 @@ public class XSSAPIImplTest {
                 {"/test/search.html?0_tag:id=test", "/test/search.html?0_tag:id=test"},
                 { // JCR namespaces and colons in query string
                         "/test/jcr:content/search.html?0_tag:id=test",
-                        "/test/_jcr_content/search.html?0_tag:id=test"
+                        "/test/jcr:content/search.html?0_tag:id=test"
                 },
                 { // JCR namespaces and colons in query string plus encoded path
                         "/test%20with%20encoded%20spaces/jcr:content/search.html?0_tag:id=test",
-                        "/test%20with%20encoded%20spaces/_jcr_content/search.html?0_tag:id=test"
+                        "/test%20with%20encoded%20spaces/jcr:content/search.html?0_tag:id=test"
                 },
                 { // JCR namespaces and colons in query string plus spaces in path
                         "/test with spaces/jcr:content/search.html?0_tag:id=test",
-                        "/test%20with%20spaces/_jcr_content/search.html?0_tag:id=test"
+                        "/test%20with%20spaces/jcr:content/search.html?0_tag:id=test"
                 },
                 { // ? in query string
                         "/test/search.html?0_tag:id=test?ing&1_tag:id=abc",
@@ -316,14 +316,14 @@ public class XSSAPIImplTest {
                 },
                 { // namespace mangling + encoded parameter values
                         "/path/to/page/jcr:content/par?key=%25text",
-                        "/path/to/page/_jcr_content/par?key=%25text"
+                        "/path/to/page/jcr:content/par?key=%25text"
                 },
                 { // namespace mangling + incorrect escape sequence
                         "/path/to/page/jcr:content/par?key=%text",
                         ""
                 },
                 { // incorrect escape sequence
-                        "/path/to/page/_jcr_content/par?key=%text",
+                        "/path/to/page/jcr:content/par?key=%text",
                         ""
                 }
         };
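Review bot: The last two rows of this hunk are now identical: the "namespace mangling + incorrect escape sequence" case and the "incorrect escape sequence" case both use the input `"/path/to/page/jcr:content/par?key=%text"` with an empty expected value, because the second row only ever differed by its mangled `_jcr_content` form; one of them should be dropped, or the second given a namespace-free path such as `"/path/to/page/par?key=%text"` (constructed example) so the table still covers both shapes. The comments `// namespace mangling + encoded parameter values` and `// namespace mangling + incorrect escape sequence` describe behaviour this commit removes; rewording them to `// JCR namespace + encoded parameter values` and `// JCR namespace + incorrect escape sequence` keeps them accurate about what the rows now verify, namely that a `jcr:` segment passes through `getValidHref` unchanged.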