[ofbiz-framework] branch release18.12 updated: Fixed: Post-auth XSS vulnerability at catalog/control/EditProductPromo (OFBIZ-12096)

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[ofbiz-framework] branch release18.12 updated: Fixed: Post-auth XSS vulnerability at catalog/control/EditProductPromo (OFBIZ-12096)

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new d620550  Fixed: Post-auth XSS vulnerability at catalog/control/EditProductPromo (OFBIZ-12096)
d620550 is described below

commit d620550a5f0fb757d2af6f66af0d7b2e19f9cb6f
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Sat Dec 19 17:59:02 2020 +0100

    Fixed: Post-auth XSS vulnerability at catalog/control/EditProductPromo (OFBIZ-12096)
   
    We missed to unescape EcmaScript encoded strings in
    UtilCoded::checkStringForHtmlSafe, ie in all form fields using allow-html="safe"
   
    Thanks: 牛治 <[hidden email]> for report
   
    Conflicts handled by hand => no functional changes in code (ude to IDE setting)
    framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
---
 .../java/org/apache/ofbiz/base/util/UtilCodec.java | 59 ++++++++++------------
 1 file changed, 26 insertions(+), 33 deletions(-)

diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
index 7c7535b..6d90e35 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
@@ -51,7 +51,7 @@ public class UtilCodec {
     private static final StringEncoder stringEncoder = new StringEncoder();
     private static final UrlCodec urlCodec = new UrlCodec();
     private static final List<Codec> codecs;
-    // From https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Event_Handlers 
+    // From https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Event_Handlers
     private static final List<String> jsEventList = Arrays.asList(new String[] { "onAbort", "onActivate",
             "onAfterPrint", "onAfterUpdate", "onBeforeActivate", "onBeforeCopy", "onBeforeCut", "onBeforeDeactivate",
             "onBeforeEditFocus", "onBeforePaste", "onBeforePrint", "onBeforeUnload", "onBeforeUpdate", "onBegin",
@@ -115,13 +115,9 @@ public class UtilCodec {
         }
 
         /**
-         * This method will start a configurable sanitizing process. The sanitizer can
-         * be turns off through "sanitizer.enable=false", the default value is true. It
-         * is possible to configure a custom policy using the properties
-         * "sanitizer.permissive.policy" and "sanitizer.custom.permissive.policy.class".
-         * The custom policy has to implement
-         * {@link org.apache.ofbiz.base.html.SanitizerCustomPolicy}.
-         *
+         * This method will start a configurable sanitizing process. The sanitizer can be turns off through "sanitizer.enable=false", the default
+         * value is true. It is possible to configure a custom policy using the properties "sanitizer.permissive.policy" and
+         * "sanitizer.custom.permissive.policy.class". The custom policy has to implement {@link org.apache.ofbiz.base.html.SanitizerCustomPolicy}.
          * @param original
          * @param contentTypeId
          * @return sanitized HTML-Code if enabled, original HTML-Code when disabled
@@ -365,7 +361,7 @@ public class UtilCodec {
      * @param errorMessageList an empty list passed by and modified in case of issues
      * @param locale
      */
-    public static String checkStringForHtmlStrictNone(String valueName, String value, List<String> errorMessageList,
+    public static String checkStringForHtmlStrictNone(String valueName, String value, List<String> errorMessageList,
             Locale locale) {
         if (UtilValidate.isEmpty(value)) {
             return value;
@@ -384,7 +380,7 @@ public class UtilCodec {
                 issueMsg = "In field [" + valueName + "] found character escaping (mixed or double) "
                         + "that is not allowed or other format consistency error: ";
             } else {
-                issueMsg = UtilProperties.getMessage("SecurityUiLabels","PolicyNoneMixedOrDouble",
+                issueMsg = UtilProperties.getMessage("SecurityUiLabels", "PolicyNoneMixedOrDouble",
                         UtilMisc.toMap("valueName", valueName), locale);
             }
             errorMessageList.add(issueMsg + e.toString());
@@ -396,7 +392,7 @@ public class UtilCodec {
             if (locale.equals(new Locale("test"))) {
                 issueMsg = "In field [" + valueName + "] less-than (<) and greater-than (>) symbols are not allowed.";
             } else {
-                issueMsg = UtilProperties.getMessage("SecurityUiLabels","PolicyNoneLess-thanGreater-than",
+                issueMsg = UtilProperties.getMessage("SecurityUiLabels", "PolicyNoneLess-thanGreater-than",
                         UtilMisc.toMap("valueName", valueName), locale);
             }
             errorMessageList.add(issueMsg);
@@ -404,13 +400,13 @@ public class UtilCodec {
         
         // check for js events
         String onEvent = "on" + StringUtils.substringBetween(value, " on", "=");
-        if (jsEventList.stream().anyMatch(str -> StringUtils.containsIgnoreCase(str, onEvent))
+        if (jsEventList.stream().anyMatch(str -> StringUtils.containsIgnoreCase(str, onEvent))
                 || value.contains("seekSegmentTime")) {
             String issueMsg = null;
             if (locale.equals(new Locale("test"))) {
                 issueMsg = "In field [" + valueName + "] Javascript events are not allowed.";
             } else {
-                issueMsg = UtilProperties.getMessage("SecurityUiLabels","PolicyNoneJsEvents",
+                issueMsg = UtilProperties.getMessage("SecurityUiLabels", "PolicyNoneJsEvents",
                         UtilMisc.toMap("valueName", valueName), locale);
             }
             errorMessageList.add(issueMsg);
@@ -427,18 +423,14 @@ public class UtilCodec {
     }
 
     /**
-     * This method check if the input is safe HTML.
-     * It is possible to configure a safe policy using the properties
-     * "sanitizer.safe.policy" and "sanitizer.custom.safe.policy.class".
-     * The safe policy has to implement
-     * {@link org.apache.ofbiz.base.html.SanitizerCustomPolicy}.
-     *
+     * This method check if the input is safe HTML. It is possible to configure a safe policy using the properties "sanitizer.safe.policy" and
+     * "sanitizer.custom.safe.policy.class". The safe policy has to implement {@link org.apache.ofbiz.base.html.SanitizerCustomPolicy}.
      * @param valueName field name checked
      * @param value value checked
      * @param errorMessageList an empty list passed by and modified in case of issues
      * @param locale
      */
-    public static String checkStringForHtmlSafe(String valueName, String value, List<String> errorMessageList,
+    public static String checkStringForHtmlSafe(String valueName, String value, List<String> errorMessageList,
             Locale locale, boolean enableSanitizer) {
         if (!enableSanitizer) {
             return value;
@@ -464,25 +456,27 @@ public class UtilCodec {
                     + "Beware: the result is not rightly checked!", module);
         }
 
-        String filtered = policy.sanitize(value);
-        if (!value.equals(StringEscapeUtils.unescapeHtml4(filtered))) {
-            String issueMsg = null;
-            if (locale.equals(new Locale("test"))) {
-                issueMsg = "In field [" + valueName + "] by our input policy, your input has not been accepted "
-                        + "for security reason. Please check and modify accordingly, thanks.";
-            } else {
-                issueMsg = UtilProperties.getMessage("SecurityUiLabels","PolicySafe",
-                        UtilMisc.toMap("valueName", valueName), locale);
+        if (value != null) {
+            String filtered = StringEscapeUtils.unescapeEcmaScript(policy.sanitize(value));
+            if (filtered != null && !value.equals(StringEscapeUtils.unescapeHtml4(filtered))) {
+                String issueMsg = null;
+                if (locale.equals(new Locale("test"))) {
+                    issueMsg = "In field [" + valueName + "] by our input policy, your input has not been accepted "
+                            + "for security reason. Please check and modify accordingly, thanks.";
+                } else {
+                    issueMsg = UtilProperties.getMessage("SecurityUiLabels", "PolicySafe",
+                            UtilMisc.toMap("valueName", valueName), locale);
+                }
+                errorMessageList.add(issueMsg);
             }
-            errorMessageList.add(issueMsg);
         }
         
         return value;
     }
     
     /**
-     * A simple Map wrapper class that will do HTML encoding.
-     * To be used for passing a Map to something that will expand Strings with it as a context, etc.
+     * A simple Map wrapper class that will do HTML encoding. To be used for passing a Map to something that will expand Strings with it as a context,
+     * etc.
      */
     public static class HtmlEncodingMapWrapper<K> implements Map<K, Object> {
         public static <K> HtmlEncodingMapWrapper<K> getHtmlEncodingMapWrapper(Map<K, Object> mapToWrap, SimpleEncoder encoder) {
@@ -534,5 +528,4 @@ public class UtilCodec {
         @Override
         public String toString() { return this.internalMap.toString(); }
     }
-
 }