Ignore cookies with script content in login UI (#683)

* Ignore cookies with script content.

Signed-off-by: kaizimmerm <kai.zimmermann@bosch-si.com>

* Fix pattern, add unit test.

Signed-off-by: kaizimmerm <kai.zimmermann@bosch-si.com>

* Fix unit test.

Signed-off-by: kaizimmerm <kai.zimmermann@bosch-si.com>

* Rename.

Signed-off-by: kaizimmerm <kai.zimmermann@bosch-si.com>
This commit is contained in:
Kai Zimmermann
2018-06-05 08:55:18 +02:00
committed by GitHub
parent cef7c2bbf2
commit 11caf7ec64
2 changed files with 49 additions and 3 deletions

View File

@@ -11,6 +11,7 @@ package org.eclipse.hawkbit.ui.login;
import java.io.IOException;
import java.io.InputStream;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;
import javax.servlet.http.Cookie;
@@ -81,6 +82,7 @@ public abstract class AbstractHawkbitLoginUI extends UI {
private static final String SP_LOGIN_USER = "sp-login-user";
private static final String SP_LOGIN_TENANT = "sp-login-tenant";
private static final Pattern FORBIDDEN_COOKIE_CONTENT = Pattern.compile("(\\s|.)*(<|>)(\\s|.)*");
private final transient ApplicationContext context;
@@ -365,8 +367,10 @@ public abstract class AbstractHawkbitLoginUI extends UI {
if (usernameCookie != null) {
final String previousUser = usernameCookie.getValue();
username.setValue(previousUser);
password.focus();
if (isAllowedCookieValue(previousUser)) {
username.setValue(previousUser);
password.focus();
}
} else {
username.focus();
}
@@ -375,7 +379,9 @@ public abstract class AbstractHawkbitLoginUI extends UI {
if (tenantCookie != null && multiTenancyIndicator.isMultiTenancySupported()) {
final String previousTenant = tenantCookie.getValue();
tenant.setValue(previousTenant.toUpperCase());
if (isAllowedCookieValue(previousTenant)) {
tenant.setValue(previousTenant.toUpperCase());
}
} else if (multiTenancyIndicator.isMultiTenancySupported()) {
tenant.focus();
} else {
@@ -383,6 +389,10 @@ public abstract class AbstractHawkbitLoginUI extends UI {
}
}
protected static boolean isAllowedCookieValue(final String previousTenant) {
return !FORBIDDEN_COOKIE_CONTENT.matcher(previousTenant).matches();
}
private void setCookies() {
if (multiTenancyIndicator.isMultiTenancySupported()) {
final Cookie tenantCookie = new Cookie(SP_LOGIN_TENANT, tenant.getValue().toUpperCase());