Ignore cookies with script content in login UI (#683)
* Ignore cookies with script content. Signed-off-by: kaizimmerm <kai.zimmermann@bosch-si.com> * Fix pattern, add unit test. Signed-off-by: kaizimmerm <kai.zimmermann@bosch-si.com> * Fix unit test. Signed-off-by: kaizimmerm <kai.zimmermann@bosch-si.com> * Rename. Signed-off-by: kaizimmerm <kai.zimmermann@bosch-si.com>
This commit is contained in:
@@ -11,6 +11,7 @@ package org.eclipse.hawkbit.ui.login;
|
|||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.io.InputStream;
|
import java.io.InputStream;
|
||||||
import java.util.concurrent.TimeUnit;
|
import java.util.concurrent.TimeUnit;
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
import javax.servlet.http.Cookie;
|
import javax.servlet.http.Cookie;
|
||||||
|
|
||||||
@@ -81,6 +82,7 @@ public abstract class AbstractHawkbitLoginUI extends UI {
|
|||||||
|
|
||||||
private static final String SP_LOGIN_USER = "sp-login-user";
|
private static final String SP_LOGIN_USER = "sp-login-user";
|
||||||
private static final String SP_LOGIN_TENANT = "sp-login-tenant";
|
private static final String SP_LOGIN_TENANT = "sp-login-tenant";
|
||||||
|
private static final Pattern FORBIDDEN_COOKIE_CONTENT = Pattern.compile("(\\s|.)*(<|>)(\\s|.)*");
|
||||||
|
|
||||||
private final transient ApplicationContext context;
|
private final transient ApplicationContext context;
|
||||||
|
|
||||||
@@ -365,8 +367,10 @@ public abstract class AbstractHawkbitLoginUI extends UI {
|
|||||||
|
|
||||||
if (usernameCookie != null) {
|
if (usernameCookie != null) {
|
||||||
final String previousUser = usernameCookie.getValue();
|
final String previousUser = usernameCookie.getValue();
|
||||||
|
if (isAllowedCookieValue(previousUser)) {
|
||||||
username.setValue(previousUser);
|
username.setValue(previousUser);
|
||||||
password.focus();
|
password.focus();
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
username.focus();
|
username.focus();
|
||||||
}
|
}
|
||||||
@@ -375,7 +379,9 @@ public abstract class AbstractHawkbitLoginUI extends UI {
|
|||||||
|
|
||||||
if (tenantCookie != null && multiTenancyIndicator.isMultiTenancySupported()) {
|
if (tenantCookie != null && multiTenancyIndicator.isMultiTenancySupported()) {
|
||||||
final String previousTenant = tenantCookie.getValue();
|
final String previousTenant = tenantCookie.getValue();
|
||||||
|
if (isAllowedCookieValue(previousTenant)) {
|
||||||
tenant.setValue(previousTenant.toUpperCase());
|
tenant.setValue(previousTenant.toUpperCase());
|
||||||
|
}
|
||||||
} else if (multiTenancyIndicator.isMultiTenancySupported()) {
|
} else if (multiTenancyIndicator.isMultiTenancySupported()) {
|
||||||
tenant.focus();
|
tenant.focus();
|
||||||
} else {
|
} else {
|
||||||
@@ -383,6 +389,10 @@ public abstract class AbstractHawkbitLoginUI extends UI {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
protected static boolean isAllowedCookieValue(final String previousTenant) {
|
||||||
|
return !FORBIDDEN_COOKIE_CONTENT.matcher(previousTenant).matches();
|
||||||
|
}
|
||||||
|
|
||||||
private void setCookies() {
|
private void setCookies() {
|
||||||
if (multiTenancyIndicator.isMultiTenancySupported()) {
|
if (multiTenancyIndicator.isMultiTenancySupported()) {
|
||||||
final Cookie tenantCookie = new Cookie(SP_LOGIN_TENANT, tenant.getValue().toUpperCase());
|
final Cookie tenantCookie = new Cookie(SP_LOGIN_TENANT, tenant.getValue().toUpperCase());
|
||||||
|
|||||||
@@ -0,0 +1,36 @@
|
|||||||
|
/**
|
||||||
|
* Copyright (c) 2018 Bosch Software Innovations GmbH and others.
|
||||||
|
*
|
||||||
|
* All rights reserved. This program and the accompanying materials
|
||||||
|
* are made available under the terms of the Eclipse Public License v1.0
|
||||||
|
* which accompanies this distribution, and is available at
|
||||||
|
* http://www.eclipse.org/legal/epl-v10.html
|
||||||
|
*/
|
||||||
|
package org.eclipse.hawkbit.ui.login;
|
||||||
|
|
||||||
|
import static org.assertj.core.api.Assertions.assertThat;
|
||||||
|
|
||||||
|
import org.junit.Test;
|
||||||
|
|
||||||
|
import ru.yandex.qatools.allure.annotations.Description;
|
||||||
|
import ru.yandex.qatools.allure.annotations.Features;
|
||||||
|
import ru.yandex.qatools.allure.annotations.Stories;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Tests for {@link AbstractHawkbitLoginUI}
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
@Features("Unit Tests - Management UI")
|
||||||
|
@Stories("Login UI")
|
||||||
|
public class AbstractHawkbitLoginUITest {
|
||||||
|
|
||||||
|
@Test
|
||||||
|
@Description("Verfies that forbidden content is disallowed.")
|
||||||
|
public void isAllowedCookieValue() {
|
||||||
|
assertThat(AbstractHawkbitLoginUI.isAllowedCookieValue("<script>test</script>")).isFalse();
|
||||||
|
assertThat(AbstractHawkbitLoginUI.isAllowedCookieValue("\n<script>test</script>foobar")).isFalse();
|
||||||
|
assertThat(AbstractHawkbitLoginUI.isAllowedCookieValue("foobar<script>test</script>")).isFalse();
|
||||||
|
assertThat(AbstractHawkbitLoginUI.isAllowedCookieValue("\nfoobar<script>test</script>")).isFalse();
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
Reference in New Issue
Block a user