Posted to commits@sling.apache.org by ro...@apache.org on 2017/11/07 10:10:55 UTC
[sling-org-apache-sling-scripting-sightly-compiler-java] 04/31:
SLING-6094 - HTL can generate invalid Java code by using user-supplied
input
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.scripting.sightly.compiler.java-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-scripting-sightly-compiler-java.git
commit 6d1dbb10f490bcc9826bbaff6f99e2318adc1255
Author: Radu Cotescu <ra...@apache.org>
AuthorDate: Fri Oct 7 10:36:32 2016 +0000
SLING-6094 - HTL can generate invalid Java code by using user-supplied input
* added tests
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/bundles/scripting/sightly/java-compiler@1763732 13f79535-47bb-0310-9956-ffa450edef68
---
.../java/JavaClassBackendCompilerTest.java | 88 +++++++++++++++++-----
src/test/resources/SLING-6094.1.html | 17 +++++
src/test/resources/SLING-6094.1.output.html | 2 +
src/test/resources/SLING-6094.2.html | 17 +++++
src/test/resources/SLING-6094.2.output.html | 2 +
5 files changed, 107 insertions(+), 19 deletions(-)
diff --git a/src/test/java/org/apache/sling/scripting/sightly/compiler/java/JavaClassBackendCompilerTest.java b/src/test/java/org/apache/sling/scripting/sightly/compiler/java/JavaClassBackendCompilerTest.java
index 83bfac7..3dd3c8c 100644
--- a/src/test/java/org/apache/sling/scripting/sightly/compiler/java/JavaClassBackendCompilerTest.java
+++ b/src/test/java/org/apache/sling/scripting/sightly/compiler/java/JavaClassBackendCompilerTest.java
@@ -18,6 +18,7 @@ package org.apache.sling.scripting.sightly.compiler.java;
import java.io.PrintWriter;
import java.io.StringWriter;
+import java.util.HashMap;
import javax.script.Bindings;
import javax.script.SimpleBindings;
@@ -32,6 +33,7 @@ import org.apache.sling.scripting.sightly.java.compiler.JavaClassBackendCompiler
import org.apache.sling.scripting.sightly.java.compiler.RenderUnit;
import org.apache.sling.scripting.sightly.render.AbstractRuntimeObjectModel;
import org.apache.sling.scripting.sightly.render.RenderContext;
+import org.apache.sling.scripting.sightly.render.RuntimeObjectModel;
import org.junit.Test;
import static junit.framework.TestCase.assertEquals;
@@ -44,50 +46,98 @@ public class JavaClassBackendCompilerTest {
JavaClassBackendCompiler backendCompiler = new JavaClassBackendCompiler();
SightlyCompiler sightlyCompiler = new SightlyCompiler();
sightlyCompiler.compile(compilationUnit, backendCompiler);
- ClassInfo classInfo = new ClassInfo() {
+ ClassInfo classInfo = buildClassInfo("testScript");
+ String source = backendCompiler.build(classInfo);
+ StringWriter writer = new StringWriter();
+ Bindings bindings = new SimpleBindings();
+ RenderContext renderContext = buildRenderContext(bindings);
+ render(writer, classInfo, source, renderContext, new SimpleBindings());
+ String expectedOutput = IOUtils.toString(this.getClass().getResourceAsStream("/test-output.html"), "UTF-8");
+ assertEquals(expectedOutput, writer.toString());
+ }
+
+ @Test
+ public void sling_6094_1() throws Exception {
+ CompilationUnit compilationUnit = TestUtils.readScriptFromClasspath("/SLING-6094.1.html");
+ JavaClassBackendCompiler backendCompiler = new JavaClassBackendCompiler();
+ SightlyCompiler sightlyCompiler = new SightlyCompiler();
+ sightlyCompiler.compile(compilationUnit, backendCompiler);
+ ClassInfo classInfo = buildClassInfo("sling_6094_1");
+ String source = backendCompiler.build(classInfo);
+ StringWriter writer = new StringWriter();
+ Bindings bindings = new SimpleBindings();
+ bindings.put("img", new HashMap<String, Object>(){{
+ put("attributes", new HashMap<String, String>() {{
+ put("v-bind:src", "replaced");
+ }});
+ }});
+ RenderContext renderContext = buildRenderContext(bindings);
+ render(writer, classInfo, source, renderContext, new SimpleBindings());
+ String expectedOutput = IOUtils.toString(this.getClass().getResourceAsStream("/SLING-6094.1.output.html"), "UTF-8");
+ assertEquals(expectedOutput, writer.toString());
+ }
+
+ @Test
+ public void sling_6094_2() throws Exception {
+ CompilationUnit compilationUnit = TestUtils.readScriptFromClasspath("/SLING-6094.2.html");
+ JavaClassBackendCompiler backendCompiler = new JavaClassBackendCompiler();
+ SightlyCompiler sightlyCompiler = new SightlyCompiler();
+ sightlyCompiler.compile(compilationUnit, backendCompiler);
+ ClassInfo classInfo = buildClassInfo("sling_6094_2");
+ String source = backendCompiler.build(classInfo);
+ StringWriter writer = new StringWriter();
+ Bindings bindings = new SimpleBindings();
+ RenderContext renderContext = buildRenderContext(bindings);
+ render(writer, classInfo, source, renderContext, new SimpleBindings());
+ String expectedOutput = IOUtils.toString(this.getClass().getResourceAsStream("/SLING-6094.2.output.html"), "UTF-8");
+ assertEquals(expectedOutput, writer.toString());
+ }
+
+ private ClassInfo buildClassInfo(final String info) {
+ return new ClassInfo() {
@Override
public String getSimpleClassName() {
- return "Test";
+ return "Test_" + info;
}
@Override
public String getPackageName() {
- return "org.example.test";
+ return "org.apache.sling.scripting.sightly.compiler.java";
}
@Override
public String getFullyQualifiedClassName() {
- return "org.example.test.Test";
+ return "org.apache.sling.scripting.sightly.compiler.java.Test_" + info;
}
};
- String source = backendCompiler.build(classInfo);
- ClassLoader classLoader = JavaClassBackendCompilerTest.class.getClassLoader();
- CharSequenceJavaCompiler<RenderUnit> compiler = new CharSequenceJavaCompiler<>(classLoader, null);
- Class<RenderUnit> newClass = compiler.compile(classInfo.getFullyQualifiedClassName(), source, new Class<?>[]{});
- RenderUnit renderUnit = newClass.newInstance();
- StringWriter writer = new StringWriter();
- PrintWriter printWriter = new PrintWriter(writer);
- RenderContext renderContext = new RenderContext() {
+ }
+
+ private RenderContext buildRenderContext(final Bindings bindings) {
+ return new RenderContext() {
@Override
- public AbstractRuntimeObjectModel getObjectModel() {
+ public RuntimeObjectModel getObjectModel() {
return new AbstractRuntimeObjectModel() {};
}
@Override
public Bindings getBindings() {
- return new SimpleBindings();
+ return bindings;
}
@Override
public Object call(String functionName, Object... arguments) {
- assert arguments.length == 2;
- // for this test case only the xss runtime function will be called; return the unfiltered input
return arguments[0];
}
};
- renderUnit.render(printWriter, renderContext, new SimpleBindings());
- String expectedOutput = IOUtils.toString(this.getClass().getResourceAsStream("/test-output.html"), "UTF-8");
- assertEquals(expectedOutput, writer.toString());
+ }
+ private void render(StringWriter writer, ClassInfo classInfo, String source, RenderContext renderContext, Bindings arguments) throws
+ Exception {
+ ClassLoader classLoader = JavaClassBackendCompilerTest.class.getClassLoader();
+ CharSequenceJavaCompiler<RenderUnit> compiler = new CharSequenceJavaCompiler<>(classLoader, null);
+ Class<RenderUnit> newClass = compiler.compile(classInfo.getFullyQualifiedClassName(), source);
+ RenderUnit renderUnit = newClass.newInstance();
+ PrintWriter printWriter = new PrintWriter(writer);
+ renderUnit.render(printWriter, renderContext, arguments);
}
}
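Review bot: The `call` stub in `buildRenderContext` now returns `arguments[0]` with both the length assertion and the explanatory comment removed, so nothing tells the next reader that the test runtime deliberately skips the xss function and that the expected-output fixtures are therefore compared unescaped. Restore the why-comment, `// test stub: every runtime function, including xss, returns its first argument unfiltered`, and reject an argument-less call explicitly, `if (arguments.length == 0) throw new IllegalArgumentException("runtime call without arguments: " + functionName);`, rather than letting it surface as an ArrayIndexOutOfBoundsException. The three test methods also repeat the same compile, build and render sequence; `render` could take the script and fixture resource names and perform the comparison itself, leaving each test to supply only its bindings. The method at the top of the hunk (presumably the existing `testScript` test) starts outside it.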
diff --git a/src/test/resources/SLING-6094.1.html b/src/test/resources/SLING-6094.1.html
new file mode 100644
index 0000000..e2706e2
--- /dev/null
+++ b/src/test/resources/SLING-6094.1.html
@@ -0,0 +1,17 @@
+<!--/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ~ Licensed to the Apache Software Foundation (ASF) under one or more
+ ~ contributor license agreements. See the NOTICE file distributed with
+ ~ this work for additional information regarding copyright ownership.
+ ~ The ASF licenses this file to You under the Apache License, Version 2.0
+ ~ (the "License"); you may not use this file except in compliance with
+ ~ the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/-->
+<img src="" v-bind:src="abc" data-sly-attribute="${img.attributes}" />
diff --git a/src/test/resources/SLING-6094.1.output.html b/src/test/resources/SLING-6094.1.output.html
new file mode 100644
index 0000000..2ce0be5
--- /dev/null
+++ b/src/test/resources/SLING-6094.1.output.html
@@ -0,0 +1,2 @@
+
+<img src="" v-bind:src="replaced"/>
diff --git a/src/test/resources/SLING-6094.2.html b/src/test/resources/SLING-6094.2.html
new file mode 100644
index 0000000..fe07e01
--- /dev/null
+++ b/src/test/resources/SLING-6094.2.html
@@ -0,0 +1,17 @@
+<!--/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ~ Licensed to the Apache Software Foundation (ASF) under one or more
+ ~ contributor license agreements. See the NOTICE file distributed with
+ ~ this work for additional information regarding copyright ownership.
+ ~ The ASF licenses this file to You under the Apache License, Version 2.0
+ ~ (the "License"); you may not use this file except in compliance with
+ ~ the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/-->
+<div data-sly-test.jcr:title="${1>0}">correctly escaped variable</div>
diff --git a/src/test/resources/SLING-6094.2.output.html b/src/test/resources/SLING-6094.2.output.html
new file mode 100644
index 0000000..cad8097
--- /dev/null
+++ b/src/test/resources/SLING-6094.2.output.html
@@ -0,0 +1,2 @@
+
+<div>correctly escaped variable</div>