Ignore cookies with script content in login UI (#683)

* Ignore cookies with script content.

Signed-off-by: kaizimmerm <kai.zimmermann@bosch-si.com>

* Fix pattern, add unit test.

Signed-off-by: kaizimmerm <kai.zimmermann@bosch-si.com>

* Fix unit test.

Signed-off-by: kaizimmerm <kai.zimmermann@bosch-si.com>

* Rename.

Signed-off-by: kaizimmerm <kai.zimmermann@bosch-si.com>
This commit is contained in:
Kai Zimmermann
2018-06-05 08:55:18 +02:00
committed by GitHub
parent cef7c2bbf2
commit 11caf7ec64
2 changed files with 49 additions and 3 deletions


@@ -11,6 +11,7 @@ package org.eclipse.hawkbit.ui.login;
import java.io.IOException;
import java.io.InputStream;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;
import javax.servlet.http.Cookie;
@@ -81,6 +82,7 @@ public abstract class AbstractHawkbitLoginUI extends UI {
private static final String SP_LOGIN_USER = "sp-login-user";
private static final String SP_LOGIN_TENANT = "sp-login-tenant";
private static final Pattern FORBIDDEN_COOKIE_CONTENT = Pattern.compile("(\\s|.)*(<|>)(\\s|.)*");
private final transient ApplicationContext context;
@@ -365,8 +367,10 @@ public abstract class AbstractHawkbitLoginUI extends UI {
if (usernameCookie != null) {
final String previousUser = usernameCookie.getValue();
username.setValue(previousUser);
password.focus();
if (isAllowedCookieValue(previousUser)) {
username.setValue(previousUser);
password.focus();
}
} else {
username.focus();
}
@@ -375,7 +379,9 @@ public abstract class AbstractHawkbitLoginUI extends UI {
if (tenantCookie != null && multiTenancyIndicator.isMultiTenancySupported()) {
final String previousTenant = tenantCookie.getValue();
tenant.setValue(previousTenant.toUpperCase());
if (isAllowedCookieValue(previousTenant)) {
tenant.setValue(previousTenant.toUpperCase());
}
} else if (multiTenancyIndicator.isMultiTenancySupported()) {
tenant.focus();
} else {
@@ -383,6 +389,10 @@ public abstract class AbstractHawkbitLoginUI extends UI {
}
}
protected static boolean isAllowedCookieValue(final String previousTenant) {
return !FORBIDDEN_COOKIE_CONTENT.matcher(previousTenant).matches();
}
private void setCookies() {
if (multiTenancyIndicator.isMultiTenancySupported()) {
final Cookie tenantCookie = new Cookie(SP_LOGIN_TENANT, tenant.getValue().toUpperCase());
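Review bot: In the last hunk, `isAllowedCookieValue` evaluates `FORBIDDEN_COOKIE_CONTENT` with `matches()`, and that pattern's `(\s|.)*` groups have overlapping alternatives (a space or tab satisfies both `\s` and `.`), so a value that contains no `<`/`>` but a run of whitespace backtracks exponentially before the match fails; the value comes straight from a client-supplied cookie, so a long whitespace-padded cookie could stall the login page, assuming the servlet container passes such characters through. The check only needs to know whether either character occurs anywhere, which is a `find()` rather than a full `matches()`: change the constant to `Pattern.compile("[<>]")` and the body to `return !FORBIDDEN_COOKIE_CONTENT.matcher(previousTenant).find();`, which is linear and no longer depends on how `.` treats newlines. Two smaller points on the same method: the parameter is named `previousTenant` although the username cookie is also passed through it, so `value` would read better, and a one-line Javadoc would help, e.g. `/** Returns false if a stored cookie value contains '<' or '>' and must not be copied into the login form. */`. This also remains a denylist of two characters rather than an allowlist of what a tenant or username may contain; whether that is sufficient depends on how the fields render the value, which is not visible in this hunk.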


@@ -0,0 +1,36 @@
/**
* Copyright (c) 2018 Bosch Software Innovations GmbH and others.
*
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
* http://www.eclipse.org/legal/epl-v10.html
*/
package org.eclipse.hawkbit.ui.login;
import static org.assertj.core.api.Assertions.assertThat;
import org.junit.Test;
import ru.yandex.qatools.allure.annotations.Description;
import ru.yandex.qatools.allure.annotations.Features;
import ru.yandex.qatools.allure.annotations.Stories;
/**
* Tests for {@link AbstractHawkbitLoginUI}
*
*/
@Features("Unit Tests - Management UI")
@Stories("Login UI")
public class AbstractHawkbitLoginUITest {
@Test
@Description("Verfies that forbidden content is disallowed.")
public void isAllowedCookieValue() {
assertThat(AbstractHawkbitLoginUI.isAllowedCookieValue("<script>test</script>")).isFalse();
assertThat(AbstractHawkbitLoginUI.isAllowedCookieValue("\n<script>test</script>foobar")).isFalse();
assertThat(AbstractHawkbitLoginUI.isAllowedCookieValue("foobar<script>test</script>")).isFalse();
assertThat(AbstractHawkbitLoginUI.isAllowedCookieValue("\nfoobar<script>test</script>")).isFalse();
}
}
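Review bot: The new test exercises `isAllowedCookieValue` only with values that must be rejected, so an implementation that rejected every string would still pass; add at least one accepted value and one case that exercises `>` on its own, e.g. `assertThat(AbstractHawkbitLoginUI.isAllowedCookieValue("admin")).isTrue();` and `assertThat(AbstractHawkbitLoginUI.isAllowedCookieValue("a>b")).isFalse();`. An empty-string case (`""` is accepted by the current pattern) would pin that boundary too, since the login code forwards whatever `Cookie.getValue()` returns. The `@Description` text also has a typo, `Verfies`, which should read `Verifies`.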