diff --git a/hawkbit-ui/src/main/java/org/eclipse/hawkbit/ui/login/AbstractHawkbitLoginUI.java b/hawkbit-ui/src/main/java/org/eclipse/hawkbit/ui/login/AbstractHawkbitLoginUI.java
index 2611de17a..22d136d01 100644
--- a/hawkbit-ui/src/main/java/org/eclipse/hawkbit/ui/login/AbstractHawkbitLoginUI.java
+++ b/hawkbit-ui/src/main/java/org/eclipse/hawkbit/ui/login/AbstractHawkbitLoginUI.java
@@ -11,6 +11,7 @@ package org.eclipse.hawkbit.ui.login;
import java.io.IOException;
import java.io.InputStream;
import java.util.concurrent.TimeUnit;
+import java.util.regex.Pattern;
import javax.servlet.http.Cookie;
@@ -81,6 +82,7 @@ public abstract class AbstractHawkbitLoginUI extends UI {
private static final String SP_LOGIN_USER = "sp-login-user";
private static final String SP_LOGIN_TENANT = "sp-login-tenant";
+ private static final Pattern FORBIDDEN_COOKIE_CONTENT = Pattern.compile("(\\s|.)*(<|>)(\\s|.)*");
private final transient ApplicationContext context;
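Review bot: The `FORBIDDEN_COOKIE_CONTENT` pattern added on the preceding line is ambiguous: `\s` and `.` both match a space or tab, so `(\s|.)*` on each side of the bracket gives the matcher more than one way to consume every whitespace character, and `matches()` on a value that holds no `<`/`>` can backtrack through all of those combinations before failing. The value comes from a client-supplied cookie, so the check should stay linear regardless of how much whitespace the container passes through; it only needs to know whether an angle bracket occurs anywhere, which `private static final Pattern FORBIDDEN_COOKIE_CONTENT = Pattern.compile("[<>]");` with `find()` at the call site (or two `indexOf` calls and no regex at all) expresses directly. Note also that `.` does not match a line terminator without `DOTALL`; the current pattern only covers that through the `\s` alternative, which the simpler character class makes unnecessary.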
@@ -365,8 +367,10 @@ public abstract class AbstractHawkbitLoginUI extends UI {
if (usernameCookie != null) {
final String previousUser = usernameCookie.getValue();
- username.setValue(previousUser);
- password.focus();
+ if (isAllowedCookieValue(previousUser)) {
+ username.setValue(previousUser);
+ password.focus();
+ }
} else {
username.focus();
}
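Review bot: When the username cookie is present but rejected by the new `isAllowedCookieValue` check, neither `username` nor `password` receives focus, because the `else { username.focus(); }` branch is tied to the cookie being absent rather than unusable; the tenant hunk below has the same gap, where a rejected value skips `tenant.focus()`. Restructuring the condition as `if (usernameCookie != null && isAllowedCookieValue(usernameCookie.getValue())) { … } else { username.focus(); }` keeps the form usable when a bad cookie is dropped. The rejected value is also discarded silently; a debug log naming the cookie (not its content) would let an operator see why a prefill stopped working. The enclosing method begins before this hunk.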
@@ -375,7 +379,9 @@ public abstract class AbstractHawkbitLoginUI extends UI {
if (tenantCookie != null && multiTenancyIndicator.isMultiTenancySupported()) {
final String previousTenant = tenantCookie.getValue();
- tenant.setValue(previousTenant.toUpperCase());
+ if (isAllowedCookieValue(previousTenant)) {
+ tenant.setValue(previousTenant.toUpperCase());
+ }
} else if (multiTenancyIndicator.isMultiTenancySupported()) {
tenant.focus();
} else {
@@ -383,6 +389,10 @@ public abstract class AbstractHawkbitLoginUI extends UI {
}
}
+ protected static boolean isAllowedCookieValue(final String previousTenant) {
+ return !FORBIDDEN_COOKIE_CONTENT.matcher(previousTenant).matches();
+ }
+
private void setCookies() {
if (multiTenancyIndicator.isMultiTenancySupported()) {
final Cookie tenantCookie = new Cookie(SP_LOGIN_TENANT, tenant.getValue().toUpperCase());
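Review bot: `isAllowedCookieValue` is called with the username cookie as well as the tenant cookie, so its parameter name `previousTenant` misreads; rename it to `value` and add Javadoc stating the contract, e.g. `/** Returns {@code true} if a cookie value contains no angle brackets and may be copied into a login field. */`. `Pattern.matcher(null)` throws `NullPointerException`; if `Cookie.getValue()` can ever be null for a malformed cookie (not verifiable from this hunk), guard it with `return value != null && !FORBIDDEN_COOKIE_CONTENT.matcher(value).matches();`. `setCookies` continues past the end of this hunk.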
diff --git a/hawkbit-ui/src/test/java/org/eclipse/hawkbit/ui/login/AbstractHawkbitLoginUITest.java b/hawkbit-ui/src/test/java/org/eclipse/hawkbit/ui/login/AbstractHawkbitLoginUITest.java
new file mode 100644
index 000000000..35e84d503
--- /dev/null
+++ b/hawkbit-ui/src/test/java/org/eclipse/hawkbit/ui/login/AbstractHawkbitLoginUITest.java
@@ -0,0 +1,36 @@
+/**
+ * Copyright (c) 2018 Bosch Software Innovations GmbH and others.
+ *
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.eclipse.hawkbit.ui.login;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import org.junit.Test;
+
+import ru.yandex.qatools.allure.annotations.Description;
+import ru.yandex.qatools.allure.annotations.Features;
+import ru.yandex.qatools.allure.annotations.Stories;
+
+/**
+ * Tests for {@link AbstractHawkbitLoginUI}
+ *
+ */
+@Features("Unit Tests - Management UI")
+@Stories("Login UI")
+public class AbstractHawkbitLoginUITest {
+
+ @Test
+ @Description("Verfies that forbidden content is disallowed.")
+ public void isAllowedCookieValue() {
+ assertThat(AbstractHawkbitLoginUI.isAllowedCookieValue("")).isFalse();
+ assertThat(AbstractHawkbitLoginUI.isAllowedCookieValue("\nfoobar")).isFalse();
+ assertThat(AbstractHawkbitLoginUI.isAllowedCookieValue("foobar")).isFalse();
+ assertThat(AbstractHawkbitLoginUI.isAllowedCookieValue("\nfoobar")).isFalse();
+ }
+
+}