From 11caf7ec6454381289e40c1a88f475ff9a1021ac Mon Sep 17 00:00:00 2001
From: Kai Zimmermann
Date: Tue, 5 Jun 2018 08:55:18 +0200
Subject: [PATCH] Ignore cookies with script content in login UI (#683)
* Ignore cookies with script content.
Signed-off-by: kaizimmerm
* Fix pattern, add unit test.
Signed-off-by: kaizimmerm
* Fix unit test.
Signed-off-by: kaizimmerm
* Rename.
Signed-off-by: kaizimmerm
---
 .../ui/login/AbstractHawkbitLoginUI.java | 16 +++++++--
 .../ui/login/AbstractHawkbitLoginUITest.java | 36 +++++++++++++++++++
 2 files changed, 49 insertions(+), 3 deletions(-)
 create mode 100644 hawkbit-ui/src/test/java/org/eclipse/hawkbit/ui/login/AbstractHawkbitLoginUITest.java
diff --git a/hawkbit-ui/src/main/java/org/eclipse/hawkbit/ui/login/AbstractHawkbitLoginUI.java b/hawkbit-ui/src/main/java/org/eclipse/hawkbit/ui/login/AbstractHawkbitLoginUI.java
index 2611de17a..22d136d01 100644
--- a/hawkbit-ui/src/main/java/org/eclipse/hawkbit/ui/login/AbstractHawkbitLoginUI.java
+++ b/hawkbit-ui/src/main/java/org/eclipse/hawkbit/ui/login/AbstractHawkbitLoginUI.java
@@ -11,6 +11,7 @@ package org.eclipse.hawkbit.ui.login;
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.concurrent.TimeUnit;
+import java.util.regex.Pattern;
 import javax.servlet.http.Cookie;
@@ -81,6 +82,7 @@ public abstract class AbstractHawkbitLoginUI extends UI {
 private static final String SP_LOGIN_USER = "sp-login-user";
 private static final String SP_LOGIN_TENANT = "sp-login-tenant";
+ private static final Pattern FORBIDDEN_COOKIE_CONTENT = Pattern.compile("(\\s|.)*(<|>)(\\s|.)*");
 private final transient ApplicationContext context;
@@ -365,8 +367,10 @@ public abstract class AbstractHawkbitLoginUI extends UI {
 if (usernameCookie != null) {
 final String previousUser = usernameCookie.getValue();
- username.setValue(previousUser);
- password.focus();
+ if (isAllowedCookieValue(previousUser)) {
+ username.setValue(previousUser);
+ password.focus();
+ }
 } else {
 username.focus();
 }
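Review bot: The pattern added in the -81 hunk, `FORBIDDEN_COOKIE_CONTENT`, is open to catastrophic backtracking: `\s` and `.` both match a space or tab, so `(\s|.)*` can consume a run of whitespace in exponentially many ways, and when `matches()` fails to find a bracket the engine tries all of them — on input that arrives from a client-controlled cookie. Since the constant only exists to detect a `<` or `>` anywhere in the value, an unambiguous form with the same `matches()` result is `private static final Pattern FORBIDDEN_COOKIE_CONTENT = Pattern.compile("[^<>]*[<>].*", Pattern.DOTALL);`, or the regex can be dropped in favour of `indexOf('<')`/`indexOf('>')` checks inside `isAllowedCookieValue` in the -383 hunk. A two-character denylist is also a narrow rule; an allowlist of the characters a user name or tenant may legitimately contain would be the more robust check. Either way the constant deserves a comment stating what it rejects and why, e.g. `// Reject cookie values carrying markup characters; the cookie is client-supplied.`.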
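Review bot: When the remembered user name is rejected in the -365 hunk, neither field receives focus, because `username.focus()` is only reached through the `else` branch that handles a missing cookie. Giving the new inner `if` an else, `} else { username.focus(); }`, restores the previous behaviour for the rejected case. The -375 hunk has the same gap: a rejected tenant value leaves `tenant.focus()` unreached even though multi-tenancy is supported. A rejected value is also a signal worth recording; a debug-level log line that names the cookie but not its content would help when investigating tampering. The enclosing method starts and ends outside this hunk.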
@@ -375,7 +379,9 @@ public abstract class AbstractHawkbitLoginUI extends UI {
 if (tenantCookie != null && multiTenancyIndicator.isMultiTenancySupported()) {
 final String previousTenant = tenantCookie.getValue();
- tenant.setValue(previousTenant.toUpperCase());
+ if (isAllowedCookieValue(previousTenant)) {
+ tenant.setValue(previousTenant.toUpperCase());
+ }
 } else if (multiTenancyIndicator.isMultiTenancySupported()) {
 tenant.focus();
 } else {
@@ -383,6 +389,10 @@ public abstract class AbstractHawkbitLoginUI extends UI {
 }
 }
+ protected static boolean isAllowedCookieValue(final String previousTenant) {
+ return !FORBIDDEN_COOKIE_CONTENT.matcher(previousTenant).matches();
+ }
+
 private void setCookies() {
 if (multiTenancyIndicator.isMultiTenancySupported()) {
 final Cookie tenantCookie = new Cookie(SP_LOGIN_TENANT, tenant.getValue().toUpperCase());
diff --git a/hawkbit-ui/src/test/java/org/eclipse/hawkbit/ui/login/AbstractHawkbitLoginUITest.java b/hawkbit-ui/src/test/java/org/eclipse/hawkbit/ui/login/AbstractHawkbitLoginUITest.java
new file mode 100644
index 000000000..35e84d503
--- /dev/null
+++ b/hawkbit-ui/src/test/java/org/eclipse/hawkbit/ui/login/AbstractHawkbitLoginUITest.java
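Review bot: `isAllowedCookieValue` in the -383 hunk names its parameter `previousTenant`, but the -365 hunk calls it with the user name as well, so `value` would describe the contract honestly; the method also has no Javadoc, and a one-liner such as `/** Returns {@code true} if a client-supplied cookie value contains no markup characters and may be shown in the login form. */` would state its purpose. `matcher(previousTenant)` throws a `NullPointerException` on a null argument; whether `Cookie.getValue()` can return null here depends on the container, so if that is possible a guard like `return value != null && !FORBIDDEN_COOKIE_CONTENT.matcher(value).matches();` keeps the method total and treats an absent value as not allowed. The method is `protected` on a public abstract class, which widens it to subclasses in any package; the new test lives in the same package, so package-private visibility is enough for it.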
@@ -0,0 +1,36 @@
+/**
+ * Copyright (c) 2018 Bosch Software Innovations GmbH and others.
+ *
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.eclipse.hawkbit.ui.login;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import org.junit.Test;
+
+import ru.yandex.qatools.allure.annotations.Description;
+import ru.yandex.qatools.allure.annotations.Features;
+import ru.yandex.qatools.allure.annotations.Stories;
+
+/**
+ * Tests for {@link AbstractHawkbitLoginUI}
+ *
+ */
+@Features("Unit Tests - Management UI")
+@Stories("Login UI")
+public class AbstractHawkbitLoginUITest {
+
+ @Test
+ @Description("Verfies that forbidden content is disallowed.")
+ public void isAllowedCookieValue() {
+ assertThat(AbstractHawkbitLoginUI.isAllowedCookieValue("")).isFalse();
+ assertThat(AbstractHawkbitLoginUI.isAllowedCookieValue("\nfoobar")).isFalse();
+ assertThat(AbstractHawkbitLoginUI.isAllowedCookieValue("foobar")).isFalse();
+ assertThat(AbstractHawkbitLoginUI.isAllowedCookieValue("\nfoobar")).isFalse();
+ }
+
+}
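Review bot: The new test only asserts rejections and never pins that an ordinary value is accepted, so a check that rejected everything would pass it; add a positive case such as `assertThat(AbstractHawkbitLoginUI.isAllowedCookieValue("plainuser")).isTrue();`. As rendered here the four asserted strings contain no `<` or `>` and the second and fourth are identical; markup may have been stripped from this copy of the patch, but if the sources really read `""`, `"\nfoobar"` and `"foobar"` the pattern does not match them and every `isFalse()` fails, so the literals should be checked in the repository and the duplicate dropped. A value made of many whitespace characters and no bracket would also be worth asserting as allowed, since it is the shape on which the `(\s|.)*` pattern backtracks. The `@Description` text has a typo, `"Verfies"` for `"Verifies"`.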