Posted to commits@sling.apache.org by ra...@apache.org on 2017/03/30 12:10:05 UTC
svn commit: r1789508 - in /sling/trunk/bundles/extensions/xss: ./
src/main/java/org/apache/sling/xss/ src/main/java/org/apache/sling/xss/impl/
Author: radu
Date: Thu Mar 30 12:10:05 2017
New Revision: 1789508
URL: http://svn.apache.org/viewvc?rev=1789508&view=rev
Log:
SLING-6754 - The XSS bundle doesn't provide any services
* switched to the official OSGi annotations
* minor code cleanup
Modified:
sling/trunk/bundles/extensions/xss/pom.xml
sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/XSSAPI.java
sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/XSSFilter.java
sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIAdapterFactory.java
sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/package-info.java
Modified: sling/trunk/bundles/extensions/xss/pom.xml
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss/pom.xml?rev=1789508&r1=1789507&r2=1789508&view=diff
==============================================================================
--- sling/trunk/bundles/extensions/xss/pom.xml (original)
+++ sling/trunk/bundles/extensions/xss/pom.xml Thu Mar 30 12:10:05 2017
@@ -68,10 +68,6 @@
<plugins>
<plugin>
- <groupId>org.apache.felix</groupId>
- <artifactId>maven-scr-plugin</artifactId>
- </plugin>
- <plugin>
<groupId>org.apache.sling</groupId>
<artifactId>maven-sling-plugin</artifactId>
</plugin>
@@ -79,7 +75,16 @@
<groupId>org.apache.felix</groupId>
<artifactId>maven-bundle-plugin</artifactId>
<extensions>true</extensions>
+ <executions>
+ <execution>
+ <id>scr-metadata</id>
+ <goals>
+ <goal>manifest</goal>
+ </goals>
+ </execution>
+ </executions>
<configuration>
+ <exportScr>true</exportScr>
<instructions>
<Import-Package>
!bsh,
@@ -245,16 +250,6 @@
<artifactId>osgi.core</artifactId>
</dependency>
<dependency>
- <groupId>org.apache.felix</groupId>
- <artifactId>org.apache.felix.scr.annotations</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>biz.aQute.bnd</groupId>
- <artifactId>biz.aQute.bndlib</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</dependency>
Modified: sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/XSSAPI.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/XSSAPI.java?rev=1789508&r1=1789507&r2=1789508&view=diff
==============================================================================
--- sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/XSSAPI.java (original)
+++ sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/XSSAPI.java Thu Mar 30 12:10:05 2017
@@ -24,8 +24,7 @@ import javax.annotation.Nullable;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.resource.ResourceResolver;
-
-import aQute.bnd.annotation.ProviderType;
+import org.osgi.annotation.versioning.ProviderType;
/**
* A service providing validators and encoders for XSS protection during the composition of HTML
Modified: sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/XSSFilter.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/XSSFilter.java?rev=1789508&r1=1789507&r2=1789508&view=diff
==============================================================================
--- sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/XSSFilter.java (original)
+++ sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/XSSFilter.java Thu Mar 30 12:10:05 2017
@@ -16,7 +16,7 @@
******************************************************************************/
package org.apache.sling.xss;
-import aQute.bnd.annotation.ProviderType;
+import org.osgi.annotation.versioning.ProviderType;
/**
* This service should be used to protect output against potential XSS attacks.
Modified: sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIAdapterFactory.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIAdapterFactory.java?rev=1789508&r1=1789507&r2=1789508&view=diff
==============================================================================
--- sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIAdapterFactory.java (original)
+++ sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIAdapterFactory.java Thu Mar 30 12:10:05 2017
@@ -16,56 +16,44 @@
******************************************************************************/
package org.apache.sling.xss.impl;
-import org.apache.sling.xss.XSSAPI;
-import org.apache.felix.scr.annotations.Component;
-import org.apache.felix.scr.annotations.Properties;
-import org.apache.felix.scr.annotations.Property;
-import org.apache.felix.scr.annotations.Reference;
-import org.apache.felix.scr.annotations.Service;
+import javax.annotation.Nonnull;
+
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.adapter.AdapterFactory;
import org.apache.sling.api.resource.ResourceResolver;
+import org.apache.sling.xss.XSSAPI;
+import org.osgi.framework.Constants;
+import org.osgi.service.component.annotations.Component;
+import org.osgi.service.component.annotations.Reference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-
/**
* Adapter factory that adapts a {@link ResourceResolver} to a resourceResolver-specific
* {@link XSSAPI} service.
*/
-@Component(metatype = false)
-@Service(AdapterFactory.class)
-@Properties({
- @Property(name = "service.description", value = "Adapter for the XSSAPI service.")
-})
-@SuppressWarnings("unused")
+@Component(
+ property = {
+ Constants.SERVICE_DESCRIPTION + "=Adapter for the XSSAPI service.",
+ AdapterFactory.ADAPTER_CLASSES + "=org.apache.sling.xss.XSSAPI",
+ AdapterFactory.ADAPTABLE_CLASSES + "=org.apache.sling.api.resource.ResourceResolver",
+ AdapterFactory.ADAPTABLE_CLASSES + "=org.apache.sling.api.SlingHttpServletRequest"
+ }
+)
public class XSSAPIAdapterFactory implements AdapterFactory {
- private static final Logger log = LoggerFactory.getLogger(XSSAPIAdapterFactory.class);
- private static final Class<XSSAPI> XSSAPI_CLASS = XSSAPI.class;
- private static final Class<ResourceResolver> RESOURCE_RESOLVER_CLASS = ResourceResolver.class;
- private static final Class<SlingHttpServletRequest> SLING_REQUEST_CLASS = SlingHttpServletRequest.class;
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(XSSAPIAdapterFactory.class);
@Reference
XSSAPI xssApi;
- @Property(name = "adapters")
- public static final String[] ADAPTER_CLASSES = {
- XSSAPI_CLASS.getName()
- };
-
- @Property(name = "adaptables")
- public static final String[] ADAPTABLE_CLASSES = {
- RESOURCE_RESOLVER_CLASS.getName(),
- SLING_REQUEST_CLASS.getName()
- };
-
- public <AdapterType> AdapterType getAdapter(Object adaptable, Class<AdapterType> type) {
+ public <AdapterType> AdapterType getAdapter(@Nonnull Object adaptable, @Nonnull Class<AdapterType> type) {
if (adaptable instanceof ResourceResolver) {
return getAdapter((ResourceResolver) adaptable, type);
} else if (adaptable instanceof SlingHttpServletRequest) {
return getAdapter((SlingHttpServletRequest) adaptable, type);
} else {
- log.warn("Unable to handle adaptable {}", adaptable.getClass().getName());
+ LOGGER.warn("Unable to handle adaptable {}", adaptable.getClass().getName());
return null;
}
}
@@ -77,7 +65,7 @@ public class XSSAPIAdapterFactory implem
return (AdapterType) xssApi.getResourceResolverSpecificAPI(resourceResolver);
}
}
- log.debug("Unable to adapt resourceResolver to type {}", type.getName());
+ LOGGER.error(String.format("Unable to adapt resourceResolver to type %s.", type.getName()));
return null;
}
@@ -88,7 +76,7 @@ public class XSSAPIAdapterFactory implem
return (AdapterType) xssApi.getRequestSpecificAPI(request);
}
}
- log.debug("Unable to adapt resourceResolver to type {}", type.getName());
+ LOGGER.error(String.format("Unable to adapt request to type %s.", type.getName()));
return null;
}
}
Modified: sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java?rev=1789508&r1=1789507&r2=1789508&view=diff
==============================================================================
--- sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java (original)
+++ sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java Thu Mar 30 12:10:05 2017
@@ -29,16 +29,15 @@ import javax.json.JsonReaderFactory;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
-import org.apache.felix.scr.annotations.Activate;
-import org.apache.felix.scr.annotations.Component;
-import org.apache.felix.scr.annotations.Deactivate;
-import org.apache.felix.scr.annotations.Reference;
-import org.apache.felix.scr.annotations.Service;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.xss.ProtectionContext;
import org.apache.sling.xss.XSSAPI;
import org.apache.sling.xss.XSSFilter;
+import org.osgi.service.component.annotations.Activate;
+import org.osgi.service.component.annotations.Component;
+import org.osgi.service.component.annotations.Deactivate;
+import org.osgi.service.component.annotations.Reference;
import org.owasp.encoder.Encode;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Validator;
@@ -48,7 +47,6 @@ import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
@Component
-@Service(value = XSSAPI.class)
public class XSSAPIImpl implements XSSAPI {
private static final Logger LOGGER = LoggerFactory.getLogger(XSSAPIImpl.class);
@@ -64,7 +62,6 @@ public class XSSAPIImpl implements XSSAP
private volatile JsonReaderFactory jsonReaderFactory;
@Activate
- @SuppressWarnings("unused")
protected void activate() {
factory = SAXParserFactory.newInstance();
factory.setValidating(false);
@@ -82,7 +79,6 @@ public class XSSAPIImpl implements XSSAP
}
@Deactivate
- @SuppressWarnings("unused")
protected void deactivate() {
factory = null;
jsonReaderFactory = null;
@@ -166,9 +162,6 @@ public class XSSAPIImpl implements XSSAP
return defaultValue;
}
- private static final String LINK_PREFIX = "<a href=\"";
- private static final String LINK_SUFFIX = "\"></a>";
-
private static final String MANGLE_NAMESPACE_OUT_SUFFIX = ":";
private static final String MANGLE_NAMESPACE_OUT = "/([^:/]+):";
Modified: sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java?rev=1789508&r1=1789507&r2=1789508&view=diff
==============================================================================
--- sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java (original)
+++ sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java Thu Mar 30 12:10:05 2017
@@ -19,18 +19,13 @@ package org.apache.sling.xss.impl;
import java.io.InputStream;
import java.util.Arrays;
import java.util.Collections;
-import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;
-import org.apache.felix.scr.annotations.Activate;
-import org.apache.felix.scr.annotations.Component;
-import org.apache.felix.scr.annotations.Properties;
-import org.apache.felix.scr.annotations.Property;
-import org.apache.felix.scr.annotations.Reference;
-import org.apache.felix.scr.annotations.Service;
+import javax.annotation.Nonnull;
+
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
@@ -41,6 +36,9 @@ import org.apache.sling.api.resource.obs
import org.apache.sling.serviceusermapping.ServiceUserMapped;
import org.apache.sling.xss.ProtectionContext;
import org.apache.sling.xss.XSSFilter;
+import org.osgi.service.component.annotations.Activate;
+import org.osgi.service.component.annotations.Component;
+import org.osgi.service.component.annotations.Reference;
import org.owasp.validator.html.model.Attribute;
import org.owasp.validator.html.model.Tag;
import org.slf4j.Logger;
@@ -50,12 +48,15 @@ import org.slf4j.LoggerFactory;
* This class implements the <code>XSSFilter</code> using the Antisamy XSS protection library found at
* <a href="http://code.google.com/p/owaspantisamy/">http://code.google.com/p/owaspantisamy/</a>.
*/
-@Component(immediate = true)
-@Service(value = {ResourceChangeListener.class, XSSFilter.class})
-@Properties({
- @Property(name = ResourceChangeListener.CHANGES, value = {"ADDED", "CHANGED", "REMOVED"}),
- @Property(name = ResourceChangeListener.PATHS, value = XSSFilterImpl.DEFAULT_POLICY_PATH)
-})
+@Component(
+ service = {ResourceChangeListener.class, XSSFilter.class},
+ property = {
+ ResourceChangeListener.CHANGES + "=ADDED",
+ ResourceChangeListener.CHANGES + "=CHANGED",
+ ResourceChangeListener.CHANGES + "=REMOVED",
+ ResourceChangeListener.PATHS + "=" + XSSFilterImpl.DEFAULT_POLICY_PATH
+ }
+)
public class XSSFilterImpl implements XSSFilter, ResourceChangeListener, ExternalResourceChangeListener {
private static final Logger LOGGER = LoggerFactory.getLogger(XSSFilterImpl.class);
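Review bot: The new `@Component` annotation no longer carries the `immediate = true` that the removed Felix annotation had, so the class becomes a delayed DS component: `activate()`, which loads the default policy through `updateDefaultHandler()`, now runs on first service lookup rather than at bundle start, and the component stays unactivated until something requests the XSSFilter or ResourceChangeListener service. Whether the change in activation timing is intended is not visible from the hunk; if eager policy loading was the purpose of the old flag, it should be added back, `@Component(immediate = true, service = {ResourceChangeListener.class, XSSFilter.class}, property = {...})`. The commit log mentions only the annotation switch, so a note in the log or a comment on the annotation would help the next reader either way.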
@@ -71,7 +72,7 @@ public class XSSFilterImpl implements XS
"removeAttribute", ""
);
- public static final String DEFAULT_POLICY_PATH = "sling/xss/config.xml";
+ static final String DEFAULT_POLICY_PATH = "sling/xss/config.xml";
private static final String EMBEDDED_POLICY_PATH = "SLING-INF/content/config.xml";
private static final int DEFAULT_POLICY_CACHE_SIZE = 128;
private PolicyHandler defaultHandler;
@@ -82,7 +83,7 @@ public class XSSFilterImpl implements XS
private final XSSFilterRule plainHtmlContext = new PlainTextToHtmlContentContext();
// policies cache
- private Map<String, PolicyHandler> policies = new ConcurrentHashMap<String, PolicyHandler>();
+ private Map<String, PolicyHandler> policies = new ConcurrentHashMap<>();
@Reference
private ResourceResolverFactory resourceResolverFactory = null;
@@ -91,7 +92,7 @@ public class XSSFilterImpl implements XS
private ServiceUserMapped serviceUserMapped;
@Override
- public void onChange(List<ResourceChange> resourceChanges) {
+ public void onChange(@Nonnull List<ResourceChange> resourceChanges) {
for (ResourceChange change : resourceChanges) {
if (change.getPath().endsWith(DEFAULT_POLICY_PATH)) {
LOGGER.info("Detected policy file change ({}) at {}. Updating default handler.", change.getType().name(), change.getPath());
@@ -115,13 +116,75 @@ public class XSSFilterImpl implements XS
return this.filter(context, src, null);
}
+ @Override
+ public boolean isValidHref(String url) {
+ // Same logic as in org.owasp.validator.html.scan.MagicSAXFilter.startElement()
+ boolean isValid = hrefAttribute.containsAllowedValue(url.toLowerCase());
+ if (!isValid) {
+ isValid = hrefAttribute.matchesAllowedExpression(url);
+ }
+ return isValid;
+ }
+
@Activate
- @SuppressWarnings("unused")
protected void activate() {
// load default handler
updateDefaultHandler();
}
+ /*
+ The following methods are not part of the API. Client-code dependency to these methods is risky as they can be removed at any
+ point in time from the implementation.
+ */
+
+ public boolean check(final ProtectionContext context, final String src, final String policy) {
+ final XSSFilterRule ctx = this.getFilterRule(context);
+ PolicyHandler handler = null;
+ if (ctx.supportsPolicy()) {
+ if (policy == null || (handler = policies.get(policy)) == null) {
+ handler = defaultHandler;
+ }
+ }
+ return ctx.check(handler, src);
+ }
+
+ public String filter(final ProtectionContext context, final String src, final String policy) {
+ if (src == null) {
+ return "";
+ }
+ final XSSFilterRule ctx = this.getFilterRule(context);
+ PolicyHandler handler = null;
+ if (ctx.supportsPolicy()) {
+ if (policy == null || (handler = policies.get(policy)) == null) {
+ handler = defaultHandler;
+ }
+ }
+ return ctx.filter(handler, src);
+ }
+
+ public void setDefaultPolicy(InputStream policyStream) throws Exception {
+ setDefaultHandler(new PolicyHandler(policyStream));
+ }
+
+ public void resetDefaultPolicy() {
+ updateDefaultHandler();
+ }
+
+ public void loadPolicy(String policyName, InputStream policyStream) throws Exception {
+ if (policies.size() < DEFAULT_POLICY_CACHE_SIZE) {
+ PolicyHandler policyHandler = new PolicyHandler(policyStream);
+ policies.put(policyName, policyHandler);
+ }
+ }
+
+ public void unloadPolicy(String policyName) {
+ policies.remove(policyName);
+ }
+
+ public boolean hasPolicy(String policyName) {
+ return policies.containsKey(policyName);
+ }
+
private synchronized void updateDefaultHandler() {
this.defaultHandler = null;
ResourceResolver xssResourceResolver = null;
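Review bot: In the relocated `loadPolicy`, the `policies.size() < DEFAULT_POLICY_CACHE_SIZE` guard silently discards the policy once the cache is full, and the caller only finds out later when `hasPolicy` returns false; an explicit log line in an else branch, `LOGGER.warn("Policy cache is full ({} entries); policy {} was not loaded.", DEFAULT_POLICY_CACHE_SIZE, policyName);`, makes that visible. Separately, `isValidHref` lowercases the URL with the default locale before the allowed-value comparison; since the allowed values are lowercase literals, the locale-independent `url.toLowerCase(Locale.ROOT)` is the safer form (java.util.Locale is not yet imported in this file). Both methods are moved rather than rewritten by this commit, so the same applies to the pre-existing code, and `updateDefaultHandler` at the bottom of the hunk continues outside it.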
@@ -184,41 +247,6 @@ public class XSSFilterImpl implements XS
return this.plainHtmlContext;
}
- /*
- The following methods are not part of the API. Client-code dependency to these methods is risky as they can be removed at any
- point in time from the implementation.
- */
-
- public boolean check(final ProtectionContext context, final String src, final String policy) {
- final XSSFilterRule ctx = this.getFilterRule(context);
- PolicyHandler handler = null;
- if (ctx.supportsPolicy()) {
- if (policy == null || (handler = policies.get(policy)) == null) {
- handler = defaultHandler;
- }
- }
- return ctx.check(handler, src);
- }
-
- public String filter(final ProtectionContext context, final String src, final String policy) {
- if (src == null) {
- return "";
- }
- final XSSFilterRule ctx = this.getFilterRule(context);
- PolicyHandler handler = null;
- if (ctx.supportsPolicy()) {
- if (policy == null || (handler = policies.get(policy)) == null) {
- handler = defaultHandler;
- }
- }
- return ctx.filter(handler, src);
- }
-
- @SuppressWarnings("unused")
- public void setDefaultPolicy(InputStream policyStream) throws Exception {
- setDefaultHandler(new PolicyHandler(policyStream));
- }
-
private void setDefaultHandler(PolicyHandler defaultHandler) {
Tag linkTag = defaultHandler.getPolicy().getTagByLowercaseName("a");
Attribute hrefAttribute = (linkTag != null) ? linkTag.getAttributeByName("href") : null;
@@ -230,37 +258,4 @@ public class XSSFilterImpl implements XS
this.defaultHandler = defaultHandler;
this.hrefAttribute = hrefAttribute;
}
-
- @SuppressWarnings("unused")
- public void resetDefaultPolicy() {
- updateDefaultHandler();
- }
-
- @SuppressWarnings("unused")
- public void loadPolicy(String policyName, InputStream policyStream) throws Exception {
- if (policies.size() < DEFAULT_POLICY_CACHE_SIZE) {
- PolicyHandler policyHandler = new PolicyHandler(policyStream);
- policies.put(policyName, policyHandler);
- }
- }
-
- @SuppressWarnings("unused")
- public void unloadPolicy(String policyName) {
- policies.remove(policyName);
- }
-
- @SuppressWarnings("unused")
- public boolean hasPolicy(String policyName) {
- return policies.containsKey(policyName);
- }
-
- @Override
- public boolean isValidHref(String url) {
- // Same logic as in org.owasp.validator.html.scan.MagicSAXFilter.startElement()
- boolean isValid = hrefAttribute.containsAllowedValue(url.toLowerCase());
- if (!isValid) {
- isValid = hrefAttribute.matchesAllowedExpression(url);
- }
- return isValid;
- }
}
Modified: sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/package-info.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/package-info.java?rev=1789508&r1=1789507&r2=1789508&view=diff
==============================================================================
--- sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/package-info.java (original)
+++ sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/package-info.java Thu Mar 30 12:10:05 2017
@@ -22,5 +22,4 @@
@Version("2.0.0")
package org.apache.sling.xss;
-import aQute.bnd.annotation.Version;
-
+import org.osgi.annotation.versioning.Version;