You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sling.apache.org by ra...@apache.org on 2019/10/25 12:25:44 UTC
[sling-org-apache-sling-xss] 01/01: SLING-8775 -
java.lang.StackOverflowError in XSSAPIImpl.getValidHref for long URLs
This is an automated email from the ASF dual-hosted git repository.
radu pushed a commit to branch issue/SLING-8775
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git
commit 0911c83bcee923757d2a4d5c049d82158ff7b9da
Author: Radu Cotescu <ra...@apache.org>
AuthorDate: Fri Oct 25 14:25:21 2019 +0200
SLING-8775 - java.lang.StackOverflowError in XSSAPIImpl.getValidHref for long URLs
* added fallback to using the regexes before SLING-7741 in case a
StackOverflowError is encountered
---
.../org/apache/sling/xss/impl/XSSFilterImpl.java | 22 +++++++++++++++++++++-
.../org/apache/sling/xss/impl/XSSAPIImplTest.java | 8 ++++++++
2 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java b/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
index 809084e..931c28a 100644
--- a/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
+++ b/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
@@ -127,6 +127,12 @@ public class XSSFilterImpl implements XSSFilter {
public static final String RELATIVE_REF = "(?!\\s*javascript(?::|:))" + RELATIVE_PART + "?(?:\\?" + QUERY + ")?(?:#" + FRAGMENT + ")?";
public static final String URI = SCHEME_PATTERN + ":" + HIER_PART + "(?:\\?" + QUERY + ")?(?:#" + FRAGMENT + ")?";
+ private static final Pattern ON_SITE_SIMPLIFIED = Pattern.compile("([\\p{L}\\p{N}\\\\\\.\\#@\\$%\\+&;:\\-_~,\\?=/!\\*\\(\\)]*|\\#" +
+ "(\\w)+)");
+ private static final Pattern OFF_SITE_SIMPLIFIED = Pattern.compile("(\\s)*((ht|f)tp(s?)://|mailto:)" +
+ "[\\p{L}\\p{N}]+[\\p{L}\\p{N}\\p{Zs}\\.\\#@\\$%\\+&;:\\-_~,\\?=/!\\*\\(\\)]*(\\s)*");
+
+ private static final Pattern[] BACKUP_PATTERNS = new Pattern[] {ON_SITE_SIMPLIFIED, OFF_SITE_SIMPLIFIED};
// Default href configuration copied from the config.xml supplied with AntiSamy
static final Attribute DEFAULT_HREF_ATTRIBUTE = new Attribute(
@@ -206,7 +212,21 @@ public class XSSFilterImpl implements XSSFilter {
// Same logic as in org.owasp.validator.html.scan.MagicSAXFilter.startElement()
boolean isValid = hrefAttribute.containsAllowedValue(url.toLowerCase());
if (!isValid) {
- isValid = hrefAttribute.matchesAllowedExpression(url.toLowerCase());
+ try {
+ isValid = hrefAttribute.matchesAllowedExpression(url.toLowerCase());
+ } catch (StackOverflowError e) {
+ logger.warn("Detected a StackOverflowError when validating url {} with configured regexes. Trying fallback.", url);
+ try {
+ for (Pattern p : BACKUP_PATTERNS) {
+ isValid = p.matcher(url.toLowerCase()).matches();
+ if (isValid) {
+ break;
+ }
+ }
+ } catch (StackOverflowError inner) {
+ logger.error(String.format("Cannot validate url %s.", url), inner);
+ }
+ }
}
return isValid;
}
diff --git a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
index 5d1737b..6852ea6 100644
--- a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
+++ b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
@@ -207,6 +207,14 @@ public class XSSAPIImplTest {
// Href Expected Result
//
{
+ "/libs/wcm/core/content/sites/createlaunchwizard.html/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment?create_nested_launch=true&redirect=/sites.html/content/we-retail/language-masters/en/products/equipment#/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment/biking,/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment/hiking/buffalo-plaid-shorts,/content/laun [...]
+ "/libs/wcm/core/content/sites/createlaunchwizard.html/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment?create_nested_launch=true&redirect=/sites.html/content/we-retail/language-masters/en/products/equipment#/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment/biking,/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment/hiking/buffalo-plaid-shorts,/content/laun [...]
+ },
+ {
+ "/libs/wcm/core/content/sites/createlaunchwizard.html/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment?create_nested_launch=true&redirect=/sites.html/content/we-retail/language-masters/en/products/equipment#/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment/biking,/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment/hiking/buffalo-plaid-shorts,/content/laun [...]
+ "/libs/wcm/core/content/sites/createlaunchwizard.html/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment?create_nested_launch=true&redirect=/sites.html/content/we-retail/language-masters/en/products/equipment#/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment/biking,/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment/hiking/buffalo-plaid-shorts,/content/laun [...]
+ },
+ {
"test?discount=25%25",
"test?discount=25%25"
},