You are viewing a plain text version of this content. The canonical link for it is here.
Posted to java-commits@axis.apache.org by ro...@apache.org on 2020/11/17 22:14:36 UTC
[axis-axis2-java-core] branch master updated: fix admin page
filtering of invalid chars
This is an automated email from the ASF dual-hosted git repository.
robertlazarski pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-core.git
The following commit(s) were added to refs/heads/master by this push:
new 331b767 fix admin page filtering of invalid chars
331b767 is described below
commit 331b7679d8dd5f159ec7dad881f057b8237b962d
Author: Robert Lazarski <ro...@gmail.com>
AuthorDate: Tue Nov 17 17:09:50 2020 -0500
fix admin page filtering of invalid chars
---
.../java/org/apache/axis2/webapp/AdminActions.java | 86 +++++++++++-----------
1 file changed, 45 insertions(+), 41 deletions(-)
diff --git a/modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java b/modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java
index 0a261d7..9affc3c 100644
--- a/modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java
+++ b/modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java
@@ -71,7 +71,7 @@ final class AdminActions {
private static final String ACTIVATE_SERVICE = "activateService";
private static final String EDIT_SERVICE_PARAMETERS = "editServiceParameters";
private static final String VIEW_OPERATION_SPECIFIC_CHAINS = "viewOperationSpecificChains";
- private static final String HTTP_PARAM_REGEX_INVALID_CHARS = "^[a-zA-Z0-9.\\-\\/+=@_,:\\\\ ]*$";
+ private static final String HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS = "^[a-zA-Z0-9.\\-\\/+=@,:\\\\ ]*$";
private static final String FILENAME_REGEX_INVALID_CHARS = "^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$";
/**
@@ -120,16 +120,14 @@ final class AdminActions {
public ActionResult welcome(HttpServletRequest req) {
// Session fixation prevention: if there is an existing session, first invalidate it.
if (req.getSession(false) != null) {
+ log.debug("welcome() found an active http session, first invalidate it, redirecting to: " + LOGOUT);
return new Redirect(LOGOUT);
} else {
- String failed = req.getParameter("failed");
- if (failed.matches(HTTP_PARAM_REGEX_INVALID_CHARS)) {
- log.error("welcome() received invalid 'failed' param, redirecting to: " + LOGOUT);
- return new Redirect(LOGOUT);
- }
- if ("true".equals(failed)) {
+ if ("true".equals(req.getParameter("failed"))) {
+ log.error("welcome() received 'failed' param as true, redirecting to: " + LOGIN_JSP_NAME);
req.setAttribute("errorMessage", "Invalid auth credentials!");
}
+ log.debug("welcome() returning view: " + LOGIN_JSP_NAME);
return new View(LOGIN_JSP_NAME);
}
}
@@ -182,7 +180,7 @@ final class AdminActions {
.length());
}
- if (fileNameOnly.matches(FILENAME_REGEX_INVALID_CHARS) || fileNameOnly.length() > 100) {
+ if (!fileNameOnly.matches(FILENAME_REGEX_INVALID_CHARS)) {
log.error("doUpload() received invalid filename, redirecting to: " + WELCOME);
return new Redirect(UPLOAD).withStatus(false, "Received invalid filename");
}
@@ -211,12 +209,12 @@ final class AdminActions {
String username = req.getParameter("userName");
String password = req.getParameter("password");
- if (username.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || username.length() > 100) {
+ if (username != null && !username.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("login() received invalid 'username' param, redirecting to: " + WELCOME);
return new Redirect(WELCOME).withParameter("failed", "true");
}
- if (password.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || password.length() > 100) {
+ if (password != null && !password.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("login() received invalid 'password' param, redirecting to: " + WELCOME);
return new Redirect(WELCOME).withParameter("failed", "true");
}
@@ -242,9 +240,15 @@ final class AdminActions {
@Action(name=EDIT_SERVICE_PARAMETERS)
public View editServiceParameters(HttpServletRequest req) throws AxisFault {
String serviceName = req.getParameter("axisService");
- if (serviceName.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || serviceName.length() > 100) {
- log.error("editServiceParameters() received invalid 'serviceName' param, redirecting to: editServiceParameters.jsp");
- req.setAttribute("status", "invalid serviceName");
+ log.debug("editServiceParameters() received 'axisService' param value: " + serviceName);
+ if (serviceName == null) {
+ log.error("editServiceParameters() received null 'axisService' param, redirecting to: editServiceParameters.jsp");
+ req.setAttribute("status", "invalid axisService");
+ return new View("editServiceParameters.jsp");
+ }
+ if (serviceName != null && !serviceName.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
+ log.error("editServiceParameters() received invalid 'axisService' param, redirecting to: editServiceParameters.jsp");
+ req.setAttribute("status", "invalid axisService");
return new View("editServiceParameters.jsp");
}
AxisService service =
@@ -287,7 +291,7 @@ final class AdminActions {
@Action(name="updateServiceParameters", post=true)
public Redirect updateServiceParameters(HttpServletRequest request) throws AxisFault {
String serviceName = request.getParameter("axisService");
- if (serviceName.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || serviceName.length() > 100) {
+ if (serviceName != null && !serviceName.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("updateServiceParameters() received invalid 'serviceName' param, redirecting to: " + EDIT_SERVICE_PARAMETERS);
return new Redirect(EDIT_SERVICE_PARAMETERS).withStatus(false, "invalid serviceName");
}
@@ -295,7 +299,7 @@ final class AdminActions {
if (service != null) {
for (Parameter parameter : service.getParameters()) {
String para = request.getParameter(serviceName + "_" + parameter.getName());
- if (para.matches(HTTP_PARAM_REGEX_INVALID_CHARS)) {
+ if (para != null && !para.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("updateServiceParameters() received invalid param '" +serviceName + "_" + parameter.getName()+ "', redirecting to: " + EDIT_SERVICE_PARAMETERS);
return new Redirect(EDIT_SERVICE_PARAMETERS).withStatus(false, "invalid parameter name");
}
@@ -308,7 +312,7 @@ final class AdminActions {
for (Parameter parameter : axisOperation.getParameters()) {
String para = request.getParameter(op_name + "_" + parameter.getName());
- if (para.matches(HTTP_PARAM_REGEX_INVALID_CHARS)) {
+ if (para != null && !para.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("updateServiceParameters() received invalid param '" + op_name + "_" + parameter.getName() + "', redirecting to: " + EDIT_SERVICE_PARAMETERS);
return new Redirect(EDIT_SERVICE_PARAMETERS).withStatus(false, "invalid parameter name");
}
@@ -335,7 +339,7 @@ final class AdminActions {
@Action(name="doEngageGlobally", post=true)
public Redirect doEngageGlobally(HttpServletRequest request) {
String moduleName = request.getParameter("module");
- if (moduleName.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || moduleName.length() > 100) {
+ if (moduleName != null && moduleName != null && !moduleName.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("processdisengageModule() received invalid 'moduleName' param, redirecting to: " + LIST_SERVICES);
return new Redirect(ENGAGE_GLOBALLY).withStatus(false, "invalid moduleName");
}
@@ -358,7 +362,7 @@ final class AdminActions {
req.getSession().setAttribute("modules", null);
String serviceName = req.getParameter("axisService");
- if (serviceName.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || serviceName.length() > 100) {
+ if (serviceName != null && !serviceName.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("engageToOperation() received invalid 'serviceName' param, redirecting to: engageToOperation.jsp");
req.setAttribute("status", "invalid serviceName");
return new View("engageToOperation.jsp");
@@ -381,16 +385,16 @@ final class AdminActions {
String moduleName = request.getParameter("module");
String serviceName = request.getParameter("service");
String operationName = request.getParameter("axisOperation");
- if (moduleName.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || moduleName.length() > 100) {
+ if (moduleName != null && !moduleName.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("doEngageToOperation() received invalid 'moduleName' param, redirecting to: engageToOperation.jsp");
return new Redirect(ENGAGE_TO_OPERATION).withStatus(false, "invalid moduleName");
}
- if (serviceName.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || serviceName.length() > 100) {
+ if (serviceName != null && !serviceName.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("doEngageToOperation() received invalid 'serviceName' param, redirecting to: engageToOperation.jsp");
return new Redirect(ENGAGE_TO_OPERATION).withStatus(false, "invalid serviceName");
}
- if (operationName.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || operationName.length() > 100) {
+ if (operationName != null && !operationName.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("doEngageToOperation() received invalid 'operationName' param, redirecting to: engageToOperation.jsp");
return new Redirect(ENGAGE_TO_OPERATION).withStatus(false, "invalid operationName");
@@ -428,11 +432,11 @@ final class AdminActions {
public Redirect doEngageToService(HttpServletRequest request) {
String moduleName = request.getParameter("module");
String serviceName = request.getParameter("axisService");
- if (moduleName.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || moduleName.length() > 100) {
+ if (moduleName != null && !moduleName.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("doEngageToService() received invalid 'moduleName' param, redirecting to: engageToOperation.jsp");
return new Redirect(ENGAGE_TO_SERVICE).withStatus(false, "invalid module name");
}
- if (serviceName.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || serviceName.length() > 100) {
+ if (serviceName != null && !serviceName.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("doEngageToService() received invalid 'serviceName' param, redirecting to: engageToOperation.jsp");
return new Redirect(ENGAGE_TO_SERVICE).withStatus(false, "invalid serviceName");
@@ -470,11 +474,11 @@ final class AdminActions {
public Redirect doEngageToServiceGroup(HttpServletRequest request) throws AxisFault {
String moduleName = request.getParameter("module");
String serviceName = request.getParameter("axisService");
- if (moduleName.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || moduleName.length() > 100) {
+ if (moduleName != null && !moduleName.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("doEngageToServiceGroup() received invalid 'moduleName' param, redirecting to: engageToOperation.jsp");
return new Redirect(ENGAGE_GLOBALLY).withStatus(false, "invalid module name");
}
- if (serviceName.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || serviceName.length() > 100) {
+ if (serviceName != null && !serviceName.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("doEngageToServiceGroup() received invalid 'serviceName' param, redirecting to: engageToOperation.jsp");
return new Redirect(ENGAGE_TO_SERVICE).withStatus(false, "invalid serviceName");
@@ -495,13 +499,13 @@ final class AdminActions {
public View viewServiceGroupContext(HttpServletRequest req) {
String type = req.getParameter("TYPE");
String sgID = req.getParameter("ID");
- if (type.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || type.length() > 100) {
+ if (type != null && !type.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("viewServiceGroupContext() received invalid 'type' param, redirecting to: viewServiceGroupContext.jsp");
req.setAttribute("status", "invalid type");
return new View("viewServiceGroupContext.jsp");
}
- if (sgID.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || sgID.length() > 100) {
+ if (sgID != null && !sgID.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("viewServiceGroupContext() received invalid 'sgID' param, redirecting to: viewServiceGroupContext.jsp");
req.setAttribute("status", "invalid sgID");
return new View("viewServiceGroupContext.jsp");
@@ -519,19 +523,19 @@ final class AdminActions {
String type = req.getParameter("TYPE");
String sgID = req.getParameter("PID");
String ID = req.getParameter("ID");
- if (type.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || type.length() > 100) {
+ if (type != null && !type.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("viewServiceContext() received invalid 'type' param, redirecting to: viewServiceGroupContext.jsp");
req.setAttribute("status", "invalid type");
return new View("viewServiceGroupContext.jsp");
}
- if (sgID.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || sgID.length() > 100) {
+ if (sgID != null && !sgID.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("viewServiceContext() received invalid 'sgID' param, redirecting to: viewServiceGroupContext.jsp");
req.setAttribute("status", "invalid sgID");
return new View("viewServiceGroupContext.jsp");
}
- if (ID.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || ID.length() > 100) {
+ if (ID != null && !ID.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("viewServiceContext() received invalid 'ID' param, redirecting to: viewServiceGroupContext.jsp");
req.setAttribute("status", "invalid ID");
return new View("viewServiceGroupContext.jsp");
@@ -575,14 +579,14 @@ final class AdminActions {
@Action(name="doActivateService", post=true)
public Redirect doActivateService(HttpServletRequest request) throws AxisFault {
String serviceName = request.getParameter("axisService");
- if (serviceName.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || serviceName.length() > 100) {
+ if (serviceName != null && !serviceName.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("doActivateService() received invalid 'serviceName' param, redirecting to: " + ACTIVATE_SERVICE);
request.setAttribute("status", "invalid serviceName");
return new Redirect(ACTIVATE_SERVICE);
}
String turnon = request.getParameter("turnon");
- if (turnon.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || turnon.length() > 100) {
+ if (turnon != null && !turnon.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("doActivateService() received invalid 'turnon' param, redirecting to: " + ACTIVATE_SERVICE);
request.setAttribute("status", "invalid turnon");
return new Redirect(ACTIVATE_SERVICE);
@@ -606,13 +610,13 @@ final class AdminActions {
public Redirect doDeactivateService(HttpServletRequest request) throws AxisFault {
String serviceName = request.getParameter("axisService");
String turnoff = request.getParameter("turnoff");
- if (serviceName.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || serviceName.length() > 100) {
+ if (serviceName != null && !serviceName.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("doDeactivateService() received invalid 'serviceName' param, redirecting to: " + DEACTIVATE_SERVICE);
request.setAttribute("status", "invalid serviceName");
return new Redirect(DEACTIVATE_SERVICE);
}
- if (turnoff.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || turnoff.length() > 100) {
+ if (turnoff != null && !turnoff.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("doDeactivateService() received invalid 'turnoff' param, redirecting to: " + DEACTIVATE_SERVICE);
request.setAttribute("status", "invalid turnoff");
return new Redirect(DEACTIVATE_SERVICE);
@@ -637,7 +641,7 @@ final class AdminActions {
@Action(name=VIEW_OPERATION_SPECIFIC_CHAINS)
public View viewOperationSpecificChains(HttpServletRequest req) throws AxisFault {
String service = req.getParameter("axisService");
- if (service.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || service.length() > 100) {
+ if (service != null && !service.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("viewOperationSpecificChains() received invalid 'axisService' param, redirecting to: viewOperationSpecificChains.jsp");
req.setAttribute("status", "invalid axisService");
return new View("viewOperationSpecificChains.jsp");
@@ -681,7 +685,7 @@ final class AdminActions {
public View listSingleService(HttpServletRequest req) throws AxisFault {
req.getSession().setAttribute(Constants.IS_FAULTY, ""); //Clearing out any old values.
String serviceName = req.getParameter("serviceName");
- if (serviceName.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || serviceName.length() > 100) {
+ if (serviceName != null && !serviceName.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("listSingleService() received invalid 'serviceName' param, redirecting to: listSingleService.jsp");
req.setAttribute("status", "invalid serviceName");
return new View("listSingleService.jsp");
@@ -725,17 +729,17 @@ final class AdminActions {
String type = req.getParameter("type");
String serviceName = req.getParameter("serviceName");
String moduleName = req.getParameter("module");
- if (type.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || type.length() > 100) {
+ if (type != null && !type.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("processdisengageModule() received invalid 'type' param, redirecting to: " + LIST_SERVICES);
return new Redirect(LIST_SERVICES).withStatus(false, "invalid type");
}
- if (serviceName.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || serviceName.length() > 100) {
+ if (serviceName != null && !serviceName.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("processdisengageModule() received invalid 'serviceName' param, redirecting to: " + LIST_SERVICES);
return new Redirect(LIST_SERVICES).withStatus(false, "invalid serviceName");
}
- if (moduleName.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || moduleName.length() > 100) {
+ if (moduleName != null && !moduleName.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("processdisengageModule() received invalid 'moduleName' param, redirecting to: " + LIST_SERVICES);
return new Redirect(LIST_SERVICES).withStatus(false, "invalid moduleName");
}
@@ -749,7 +753,7 @@ final class AdminActions {
+ moduleName + ". This module is engaged at a higher level.");
} else {
String opName = req.getParameter("operation");
- if (opName.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || opName.length() > 100) {
+ if (opName != null && !opName.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("processdisengageModule() received invalid 'operation' param, redirecting to: " + LIST_SERVICES);
return new Redirect(LIST_SERVICES).withStatus(false, "invalid operation");
}
@@ -774,7 +778,7 @@ final class AdminActions {
@Action(name="deleteService", post=true)
public Redirect deleteService(HttpServletRequest req) throws AxisFault {
String serviceName = req.getParameter("serviceName");
- if (serviceName.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || serviceName.length() > 100) {
+ if (serviceName != null && !serviceName.matches(HTTP_PARAM_VALUE_REGEX_WHITELIST_CHARS)) {
log.error("deleteService() received invalid 'serviceName' param, redirecting to: " + LIST_SERVICES);
return new Redirect(LIST_SERVICES).withStatus(false, "Failed to delete service '" + serviceName + "'. Received invalid 'serviceName'.");