Posted to commits@shindig.apache.org by dd...@apache.org on 2012/08/14 16:04:04 UTC
svn commit: r1372888 - in /shindig/trunk/java/gadgets/src:
main/java/org/apache/shindig/gadgets/
main/java/org/apache/shindig/gadgets/process/
test/java/org/apache/shindig/gadgets/
test/java/org/apache/shindig/gadgets/oauth2/ test/java/org/apache/shind...
Author: ddumont
Date: Tue Aug 14 14:04:03 2012
New Revision: 1372888
URL: http://svn.apache.org/viewvc?rev=1372888&view=rev
Log:
SHINDIG-1830 - Do whitelist check before consuming resources fetching content from the gadget URI
Committed for Marshall Shi
Modified:
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/DefaultGadgetSpecFactory.java
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/GadgetSpecFactory.java
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/process/Processor.java
shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/FakeGadgetSpecFactory.java
shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth2/MockUtils.java
shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/process/ProcessorTest.java
shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/rewrite/BaseRewriterTestCase.java
shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/rewrite/RewriterTestBase.java
Modified: shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/DefaultGadgetSpecFactory.java
URL: http://svn.apache.org/viewvc/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/DefaultGadgetSpecFactory.java?rev=1372888&r1=1372887&r2=1372888&view=diff
==============================================================================
--- shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/DefaultGadgetSpecFactory.java (original)
+++ shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/DefaultGadgetSpecFactory.java Tue Aug 14 14:04:03 2012
@@ -57,22 +57,16 @@ public class DefaultGadgetSpecFactory ex
}
public GadgetSpec getGadgetSpec(GadgetContext context) throws GadgetException {
- String rawxml = context.getParameter(RAW_GADGETSPEC_XML_PARAM_NAME);
- if (rawxml != null) {
- // Set URI to a fixed, safe value (localhost), preventing a gadget rendered
- // via raw XML (eg. via POST) to be rendered on a locked domain of any other
- // gadget whose spec is hosted non-locally.
- try
- {
- Uri uri = RAW_GADGET_URI;
- return new GadgetSpec(uri, XmlUtil.parse(rawxml), rawxml);
+ Uri gadgetUri = getGadgetUri(context);
+ if (RAW_GADGET_URI.equals(gadgetUri)) {
+ try {
+ String rawxml = context.getParameter(RAW_GADGETSPEC_XML_PARAM_NAME);
+ return new GadgetSpec(gadgetUri, XmlUtil.parse(rawxml), rawxml);
} catch (XmlException e) {
throw new SpecParserException(e);
}
}
- Uri gadgetUri = context.getUrl();
-
Query query = new Query()
.setSpecUri(gadgetUri)
.setContainer(context.getContainer())
@@ -81,6 +75,17 @@ public class DefaultGadgetSpecFactory ex
return getSpec(query);
}
+ public Uri getGadgetUri(GadgetContext context) throws GadgetException {
+ String rawxml = context.getParameter(RAW_GADGETSPEC_XML_PARAM_NAME);
+ if (rawxml != null) {
+ // Set URI to a fixed, safe value (localhost), preventing a gadget rendered
+ // via raw XML (eg. via POST) to be rendered on a locked domain of any other
+ // gadget whose spec is hosted non-locally.
+ return RAW_GADGET_URI;
+ }
+ return context.getUrl();
+ }
+
private static final String BOM_ENTITY = "";
@Override
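Review bot: getGadgetUri is added without Javadoc, yet Processor now authorizes whatever this method returns before any spec is fetched, so its contract is security-relevant and should be written down; the same applies to the interface declaration added in GadgetSpecFactory.java in this commit, where the sibling getGadgetSpec does carry a doc comment. A suitable comment for both: `/** Returns the URI that getGadgetSpec will attribute to the spec for this context: the fixed RAW_GADGET_URI when raw XML is supplied, otherwise context.getUrl(). Callers run whitelist checks on this value, so implementations must not return a URI that differs from the one the spec is actually loaded from. */`.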
Modified: shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/GadgetSpecFactory.java
URL: http://svn.apache.org/viewvc/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/GadgetSpecFactory.java?rev=1372888&r1=1372887&r2=1372888&view=diff
==============================================================================
--- shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/GadgetSpecFactory.java (original)
+++ shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/GadgetSpecFactory.java Tue Aug 14 14:04:03 2012
@@ -19,6 +19,7 @@
package org.apache.shindig.gadgets;
import org.apache.shindig.gadgets.spec.GadgetSpec;
+import org.apache.shindig.common.uri.Uri;
import com.google.inject.ImplementedBy;
@@ -30,4 +31,6 @@ public interface GadgetSpecFactory {
/** Return a gadget spec for a context */
GadgetSpec getGadgetSpec(GadgetContext context) throws GadgetException;
+
+ Uri getGadgetUri(GadgetContext context) throws GadgetException;
}
Modified: shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/process/Processor.java
URL: http://svn.apache.org/viewvc/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/process/Processor.java?rev=1372888&r1=1372887&r2=1372888&view=diff
==============================================================================
--- shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/process/Processor.java (original)
+++ shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/process/Processor.java Tue Aug 14 14:04:03 2012
@@ -85,6 +85,22 @@ public class Processor {
FeatureRegistry featureRegistry;
try {
+ Uri url = gadgetSpecFactory.getGadgetUri(context);
+
+ if (url == null) {
+ throw new ProcessingException("Missing or malformed url parameter",
+ HttpServletResponse.SC_BAD_REQUEST);
+ }
+
+ validateGadgetUrl(url);
+ if (!gadgetAdminStore.isWhitelisted(context.getContainer(), url.toString())) {
+ if (LOG.isLoggable(Level.INFO)) {
+ LOG.logp(Level.INFO, classname, "process", MessageKeys.RENDER_NON_WHITELISTED_GADGET, new Object[] {url});
+ }
+ throw new ProcessingException("The requested gadget is not authorized for this container",
+ HttpServletResponse.SC_FORBIDDEN);
+ }
+
spec = gadgetSpecFactory.getGadgetSpec(context);
spec = substituter.substitute(context, spec);
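Review bot: The whitelist decision is now taken on gadgetSpecFactory.getGadgetUri(context) and the later check on spec.getUrl() is removed in the next hunk, so if a factory implementation can hand back a spec attributed to a different URI than the one it announced (normalization or redirect handling inside the fetch, not visible here), the loaded content is never compared against the authorized value. A one-line guard after the fetch keeps the two in step: `if (!url.equals(spec.getUrl())) { throw new ProcessingException("Gadget URL changed during fetch", HttpServletResponse.SC_FORBIDDEN); }`. The two new throws also now sit inside the try block; if ProcessingException is a subtype of the exception the catch clause below handles (outside this hunk), they will be re-wrapped there, which is worth confirming preserves the intended status codes. process continues outside the hunk.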
@@ -97,22 +113,6 @@ public class Processor {
throw new ProcessingException(e.getMessage(), e, e.getHttpStatusCode());
}
- Uri url = spec.getUrl();
-
- if (url == null) {
- throw new ProcessingException("Missing or malformed url parameter",
- HttpServletResponse.SC_BAD_REQUEST);
- }
-
- validateGadgetUrl(url);
- if (!gadgetAdminStore.isWhitelisted(context.getContainer(), url.toString())) {
- if (LOG.isLoggable(Level.INFO)) {
- LOG.logp(Level.INFO, classname, "process", MessageKeys.RENDER_NON_WHITELISTED_GADGET, new Object[] {url});
- }
- throw new ProcessingException("The requested gadget is not authorized for this container",
- HttpServletResponse.SC_FORBIDDEN);
- }
-
return new Gadget()
.setContext(context)
.setGadgetFeatureRegistry(featureRegistry)
Modified: shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/FakeGadgetSpecFactory.java
URL: http://svn.apache.org/viewvc/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/FakeGadgetSpecFactory.java?rev=1372888&r1=1372887&r2=1372888&view=diff
==============================================================================
--- shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/FakeGadgetSpecFactory.java (original)
+++ shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/FakeGadgetSpecFactory.java Tue Aug 14 14:04:03 2012
@@ -59,4 +59,8 @@ public class FakeGadgetSpecFactory imple
return new GadgetSpec(uri, baseSpec);
}
}
+
+ public Uri getGadgetUri(GadgetContext context) throws GadgetException {
+ return context.getUrl();
+ }
}
Modified: shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth2/MockUtils.java
URL: http://svn.apache.org/viewvc/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth2/MockUtils.java?rev=1372888&r1=1372887&r2=1372888&view=diff
==============================================================================
--- shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth2/MockUtils.java (original)
+++ shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth2/MockUtils.java Tue Aug 14 14:04:03 2012
@@ -234,6 +234,10 @@ public class MockUtils {
throw new GadgetException(GadgetException.Code.OAUTH_STORAGE_ERROR);
}
+
+ public Uri getGadgetUri(GadgetContext context) throws GadgetException {
+ return context.getUrl();
+ }
}
private static void setTokenCommons(final OAuth2TokenPersistence token) throws Exception {
Modified: shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/process/ProcessorTest.java
URL: http://svn.apache.org/viewvc/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/process/ProcessorTest.java?rev=1372888&r1=1372887&r2=1372888&view=diff
==============================================================================
--- shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/process/ProcessorTest.java (original)
+++ shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/process/ProcessorTest.java Tue Aug 14 14:04:03 2012
@@ -211,6 +211,10 @@ public class ProcessorTest extends EasyM
}
return new GadgetSpec(context.getUrl(), GADGET);
}
+
+ public Uri getGadgetUri(GadgetContext context) throws GadgetException {
+ return context.getUrl();
+ }
}
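Review bot: The ProcessorTest change only adds the stub required by the new interface method; no test exercises the behaviour this commit introduces, namely that a non-whitelisted gadget is rejected before getGadgetSpec is called. A test that makes the admin store reject the container/URL pair and asserts the fake factory's getGadgetSpec was never invoked (for example by counting calls in the stub) would pin that ordering. The stub's `return context.getUrl();` also never takes the raw-XML path, so the mapping to RAW_GADGET_URI is not covered in this file either.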
private static class FakeVariableSubstituter extends VariableSubstituter {
Modified: shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/rewrite/BaseRewriterTestCase.java
URL: http://svn.apache.org/viewvc/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/rewrite/BaseRewriterTestCase.java?rev=1372888&r1=1372887&r2=1372888&view=diff
==============================================================================
--- shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/rewrite/BaseRewriterTestCase.java (original)
+++ shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/rewrite/BaseRewriterTestCase.java Tue Aug 14 14:04:03 2012
@@ -247,6 +247,9 @@ public abstract class BaseRewriterTestCa
public GadgetSpec getGadgetSpec(GadgetContext context) {
return null;
}
+ public Uri getGadgetUri(GadgetContext context) {
+ return null;
+ }
});
}
}
Modified: shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/rewrite/RewriterTestBase.java
URL: http://svn.apache.org/viewvc/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/rewrite/RewriterTestBase.java?rev=1372888&r1=1372887&r2=1372888&view=diff
==============================================================================
--- shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/rewrite/RewriterTestBase.java (original)
+++ shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/rewrite/RewriterTestBase.java Tue Aug 14 14:04:03 2012
@@ -259,6 +259,9 @@ public abstract class RewriterTestBase {
public GadgetSpec getGadgetSpec(GadgetContext context) {
return null;
}
+ public Uri getGadgetUri(GadgetContext context) {
+ return null;
+ }
});
}
}