Ignore cookies with script content in login UI (#683)
* Ignore cookies with script content. Signed-off-by: kaizimmerm <kai.zimmermann@bosch-si.com> * Fix pattern, add unit test. Signed-off-by: kaizimmerm <kai.zimmermann@bosch-si.com> * Fix unit test. Signed-off-by: kaizimmerm <kai.zimmermann@bosch-si.com> * Rename. Signed-off-by: kaizimmerm <kai.zimmermann@bosch-si.com>
This commit is contained in:
@@ -11,6 +11,7 @@ package org.eclipse.hawkbit.ui.login;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.util.concurrent.TimeUnit;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
import javax.servlet.http.Cookie;
|
||||
|
||||
@@ -81,6 +82,7 @@ public abstract class AbstractHawkbitLoginUI extends UI {
|
||||
|
||||
private static final String SP_LOGIN_USER = "sp-login-user";
|
||||
private static final String SP_LOGIN_TENANT = "sp-login-tenant";
|
||||
private static final Pattern FORBIDDEN_COOKIE_CONTENT = Pattern.compile("(\\s|.)*(<|>)(\\s|.)*");
|
||||
|
||||
private final transient ApplicationContext context;
|
||||
|
||||
@@ -365,8 +367,10 @@ public abstract class AbstractHawkbitLoginUI extends UI {
|
||||
|
||||
if (usernameCookie != null) {
|
||||
final String previousUser = usernameCookie.getValue();
|
||||
username.setValue(previousUser);
|
||||
password.focus();
|
||||
if (isAllowedCookieValue(previousUser)) {
|
||||
username.setValue(previousUser);
|
||||
password.focus();
|
||||
}
|
||||
} else {
|
||||
username.focus();
|
||||
}
|
||||
@@ -375,7 +379,9 @@ public abstract class AbstractHawkbitLoginUI extends UI {
|
||||
|
||||
if (tenantCookie != null && multiTenancyIndicator.isMultiTenancySupported()) {
|
||||
final String previousTenant = tenantCookie.getValue();
|
||||
tenant.setValue(previousTenant.toUpperCase());
|
||||
if (isAllowedCookieValue(previousTenant)) {
|
||||
tenant.setValue(previousTenant.toUpperCase());
|
||||
}
|
||||
} else if (multiTenancyIndicator.isMultiTenancySupported()) {
|
||||
tenant.focus();
|
||||
} else {
|
||||
@@ -383,6 +389,10 @@ public abstract class AbstractHawkbitLoginUI extends UI {
|
||||
}
|
||||
}
|
||||
|
||||
protected static boolean isAllowedCookieValue(final String previousTenant) {
|
||||
return !FORBIDDEN_COOKIE_CONTENT.matcher(previousTenant).matches();
|
||||
}
|
||||
|
||||
private void setCookies() {
|
||||
if (multiTenancyIndicator.isMultiTenancySupported()) {
|
||||
final Cookie tenantCookie = new Cookie(SP_LOGIN_TENANT, tenant.getValue().toUpperCase());
|
||||
|
||||
Reference in New Issue
Block a user