Posted to commits@sling.apache.org by ra...@apache.org on 2019/10/25 12:25:43 UTC

[sling-org-apache-sling-xss] branch issue/SLING-8775 created (now 0911c83)

This is an automated email from the ASF dual-hosted git repository.

radu pushed a change to branch issue/SLING-8775
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git.


      at 0911c83  SLING-8775 - java.lang.StackOverflowError in XSSAPIImpl.getValidHref for long URLs

This branch includes the following new commits:

     new 0911c83  SLING-8775 - java.lang.StackOverflowError in XSSAPIImpl.getValidHref for long URLs

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.



[sling-org-apache-sling-xss] 01/01: SLING-8775 - java.lang.StackOverflowError in XSSAPIImpl.getValidHref for long URLs

Posted by ra...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

radu pushed a commit to branch issue/SLING-8775
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git

commit 0911c83bcee923757d2a4d5c049d82158ff7b9da
Author: Radu Cotescu <ra...@apache.org>
AuthorDate: Fri Oct 25 14:25:21 2019 +0200

    SLING-8775 - java.lang.StackOverflowError in XSSAPIImpl.getValidHref for long URLs
    
    * added a fallback to the regexes used before SLING-7741 in case a
    StackOverflowError is encountered
---
 .../org/apache/sling/xss/impl/XSSFilterImpl.java   | 22 +++++++++++++++++++++-
 .../org/apache/sling/xss/impl/XSSAPIImplTest.java  |  8 ++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java b/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
index 809084e..931c28a 100644
--- a/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
+++ b/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
@@ -127,6 +127,12 @@ public class XSSFilterImpl implements XSSFilter {
     public static final String RELATIVE_REF = "(?!\\s*javascript(?::|&colon;))" + RELATIVE_PART + "?(?:\\?" + QUERY + ")?(?:#" + FRAGMENT + ")?";
     public static final String URI = SCHEME_PATTERN + ":" + HIER_PART + "(?:\\?" + QUERY + ")?(?:#" + FRAGMENT + ")?";
 
+    private static final Pattern ON_SITE_SIMPLIFIED = Pattern.compile("([\\p{L}\\p{N}\\\\\\.\\#@\\$%\\+&amp;;:\\-_~,\\?=/!\\*\\(\\)]*|\\#" +
+            "(\\w)+)");
+    private static final Pattern OFF_SITE_SIMPLIFIED = Pattern.compile("(\\s)*((ht|f)tp(s?)://|mailto:)" +
+            "[\\p{L}\\p{N}]+[\\p{L}\\p{N}\\p{Zs}\\.\\#@\\$%\\+&amp;;:\\-_~,\\?=/!\\*\\(\\)]*(\\s)*");
+
+    private static final Pattern[] BACKUP_PATTERNS = new Pattern[] {ON_SITE_SIMPLIFIED, OFF_SITE_SIMPLIFIED};
 
     // Default href configuration copied from the config.xml supplied with AntiSamy
     static final Attribute DEFAULT_HREF_ATTRIBUTE = new Attribute(
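Review bot: ON_SITE_SIMPLIFIED is strictly weaker than the RELATIVE_REF pattern two lines above it: its character class admits `:` and it carries no `(?!\\s*javascript(?::|&colon;))` guard, so any value that reaches the fallback is never checked for the one scheme the primary pattern exists to reject. Whether an input can both overflow the stack in the configured patterns and match here is not visible in this hunk, but a fallback that only runs when the primary check has failed should not relax that guard. Prefix the fallback with the same lookahead, `Pattern.compile("(?!\\s*javascript(?::|&colon;))([\\p{L}\\p{N}\\\\\\.\\#@\\$%\\+&amp;;:\\-_~,\\?=/!\\*\\(\\)]*|\\#(\\w)+)")`, or drop `:` from the class. A comment noting that these patterns are anchored only because the caller uses `matches()` would also stop a future `find()` from silently unanchoring them.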
@@ -206,7 +212,21 @@ public class XSSFilterImpl implements XSSFilter {
         // Same logic as in org.owasp.validator.html.scan.MagicSAXFilter.startElement()
         boolean isValid = hrefAttribute.containsAllowedValue(url.toLowerCase());
         if (!isValid) {
-            isValid = hrefAttribute.matchesAllowedExpression(url.toLowerCase());
+            try {
+                isValid = hrefAttribute.matchesAllowedExpression(url.toLowerCase());
+            } catch (StackOverflowError e) {
+                logger.warn("Detected a StackOverflowError when validating url {} with configured regexes. Trying fallback.", url);
+                try {
+                    for (Pattern p : BACKUP_PATTERNS) {
+                        isValid = p.matcher(url.toLowerCase()).matches();
+                        if (isValid) {
+                            break;
+                        }
+                    }
+                } catch (StackOverflowError inner) {
+                    logger.error(String.format("Cannot validate url %s.", url), inner);
+                }
+            }
         }
         return isValid;
     }
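Review bot: Both log statements in the new catch blocks write the complete `url` at WARN/ERROR, and the condition that reaches them is precisely an over-long, caller-supplied value, so a client can fill the log with arbitrary content at will. Log the size instead and keep the value at debug: `logger.warn("StackOverflowError while validating a {}-character url with the configured regexes; trying fallback.", url.length());` and `logger.error("Cannot validate {}-character url.", url.length(), inner);`. Leaving `isValid` false when the fallback itself overflows is the right fail-closed behaviour and deserves a one-line comment so it is not "fixed" later. `url.toLowerCase()` is also recomputed on every loop iteration; it can be hoisted above the `for`. The enclosing method begins before this hunk.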
diff --git a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
index 5d1737b..6852ea6 100644
--- a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
+++ b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
@@ -207,6 +207,14 @@ public class XSSAPIImplTest {
                 //         Href                                        Expected Result
                 //
                 {
+                    "/libs/wcm/core/content/sites/createlaunchwizard.html/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment?create_nested_launch=true&redirect=/sites.html/content/we-retail/language-masters/en/products/equipment#/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment/biking,/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment/hiking/buffalo-plaid-shorts,/content/laun [...]
+                    "/libs/wcm/core/content/sites/createlaunchwizard.html/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment?create_nested_launch=true&redirect=/sites.html/content/we-retail/language-masters/en/products/equipment#/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment/biking,/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment/hiking/buffalo-plaid-shorts,/content/laun [...]
+                },
+                {
+                    "/libs/wcm/core/content/sites/createlaunchwizard.html/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment?create_nested_launch=true&redirect=/sites.html/content/we-retail/language-masters/en/products/equipment#/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment/biking,/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment/hiking/buffalo-plaid-shorts,/content/laun [...]
+                    "/libs/wcm/core/content/sites/createlaunchwizard.html/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment?create_nested_launch=true&redirect=/sites.html/content/we-retail/language-masters/en/products/equipment#/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment/biking,/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment/hiking/buffalo-plaid-shorts,/content/laun [...]
+                },
+                {
                         "test?discount=25%25",
                         "test?discount=25%25"
                 },
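Review bot: The two new rows appear to pair each long href with an identical expected result, so they only show that the fallback accepts legitimate long URLs; nothing in the table exercises the rejection path of the fallback. Since the fallback patterns are less strict than the configured ones, a row with an input long enough to trigger it but carrying a disallowed scheme, with the same rejected-value expectation the existing negative rows use, would pin that the fallback does not widen what `getValidHref` lets through. The rows are truncated in this view, so their exact content could not be confirmed.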