diff --git a/hawkbit-repository/hawkbit-repository-api/pom.xml b/hawkbit-repository/hawkbit-repository-api/pom.xml
index d1a0df30a..93327d78b 100644
--- a/hawkbit-repository/hawkbit-repository-api/pom.xml
+++ b/hawkbit-repository/hawkbit-repository-api/pom.xml
@@ -71,6 +71,10 @@
cz.jirutka.rsql
rsql-parser
+
+ org.jsoup
+ jsoup
+
diff --git a/hawkbit-repository/hawkbit-repository-core/src/main/java/org/eclipse/hawkbit/repository/ValidString.java b/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/ValidString.java
similarity index 84%
rename from hawkbit-repository/hawkbit-repository-core/src/main/java/org/eclipse/hawkbit/repository/ValidString.java
rename to hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/ValidString.java
index 9f4ab14e1..1a891620c 100644
--- a/hawkbit-repository/hawkbit-repository-core/src/main/java/org/eclipse/hawkbit/repository/ValidString.java
+++ b/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/ValidString.java
@@ -16,18 +16,14 @@ import java.lang.annotation.Target;
import javax.validation.Constraint;
import javax.validation.Payload;
-import org.hibernate.validator.constraints.SafeHtml;
-import org.hibernate.validator.constraints.SafeHtml.WhiteListType;
-
/**
* Constraint for strings submitted into the repository.
*
*/
-@Constraint(validatedBy = {})
+@Constraint(validatedBy = ValidStringValidator.class)
@Target({ ElementType.METHOD, ElementType.FIELD, ElementType.ANNOTATION_TYPE, ElementType.CONSTRUCTOR,
ElementType.PARAMETER, ElementType.TYPE_USE })
@Retention(RetentionPolicy.RUNTIME)
-@SafeHtml(whitelistType = WhiteListType.NONE)
public @interface ValidString {
String message() default "Invalid characters in string";
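Review bot: The Javadoc on ValidString still reads only "Constraint for strings submitted into the repository", although the check is now performed by ValidStringValidator instead of the removed `@SafeHtml` meta-annotation. It should state the contract so callers know what "Invalid characters in string" means, for example `Rejects any string that contains HTML or XML elements (jsoup Safelist.none()); null and empty strings are valid.` The annotation body continues outside the hunk.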
diff --git a/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/ValidStringValidator.java b/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/ValidStringValidator.java
new file mode 100644
index 000000000..879eaeea5
--- /dev/null
+++ b/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/ValidStringValidator.java
@@ -0,0 +1,56 @@
+/**
+ * Copyright (c) 2022 Bosch.IO GmbH and others.
+ *
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.eclipse.hawkbit.repository;
+
+import javax.validation.ConstraintValidator;
+import javax.validation.ConstraintValidatorContext;
+
+import org.jsoup.Jsoup;
+import org.jsoup.nodes.Document;
+import org.jsoup.parser.Parser;
+import org.jsoup.safety.Cleaner;
+import org.jsoup.safety.Safelist;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.cronutils.utils.StringUtils;
+
+/**
+ * Safe html constraint validator for strings submitted into the repository.
+ *
+ */
+public class ValidStringValidator implements ConstraintValidator {
+ private static final Logger LOG = LoggerFactory.getLogger(ValidStringValidator.class);
+
+ private final Cleaner cleaner = new Cleaner(Safelist.none());
+
+ @Override
+ public boolean isValid(final String value, final ConstraintValidatorContext context) {
+ return StringUtils.isEmpty(value) || isValidString(value);
+ }
+
+ private boolean isValidString(final String value) {
+ try {
+ return cleaner.isValid(stringToDocument(value));
+ } catch (final Exception ex) {
+ LOG.error(String.format("There was an exception during bean field value (%s) validation", value), ex);
+ return false;
+ }
+ }
+
+ private static Document stringToDocument(final String value) {
+ final Document xmlFragment = Jsoup.parse(value, "", Parser.xmlParser());
+ final Document resultingDocument = Document.createShell("");
+
+ xmlFragment.childNodes().forEach(xmlNode -> resultingDocument.body().appendChild(xmlNode.clone()));
+
+ return resultingDocument;
+ }
+
+}
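Review bot: The catch block in isValidString writes the rejected value verbatim into the error log via `String.format("... (%s) validation", value)`, and that value is untrusted repository input, so any line breaks or markup in it reach the log unescaped and unbounded in size. Logging only its length keeps the diagnostic without the content: `LOG.error("Exception during bean field value validation (value length {})", value.length(), ex);`. Returning false on any exception is the fail-closed behaviour you want here and should stay. Separately, `com.cronutils.utils.StringUtils` ties a security validator to a cron library for what appears to be a null-or-empty test; `value == null || value.isEmpty()` would remove that coupling.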
diff --git a/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/model/ArtifactUpload.java b/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/model/ArtifactUpload.java
index 08923f832..8407c1329 100644
--- a/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/model/ArtifactUpload.java
+++ b/hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/model/ArtifactUpload.java
@@ -13,8 +13,7 @@ import java.io.InputStream;
import javax.validation.constraints.NotEmpty;
import javax.validation.constraints.NotNull;
-import org.hibernate.validator.constraints.SafeHtml;
-import org.hibernate.validator.constraints.SafeHtml.WhiteListType;
+import org.eclipse.hawkbit.repository.ValidString;
/**
* Use to create a new artifact.
@@ -28,7 +27,7 @@ public class ArtifactUpload {
private final long moduleId;
@NotEmpty
- @SafeHtml(whitelistType = WhiteListType.NONE, message = "Invalid characters in string")
+ @ValidString
private final String filename;
private final String providedMd5Sum;
diff --git a/hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/RepositoryApplicationConfiguration.java b/hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/RepositoryApplicationConfiguration.java
index 6357d655b..6745972b4 100644
--- a/hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/RepositoryApplicationConfiguration.java
+++ b/hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/RepositoryApplicationConfiguration.java
@@ -14,6 +14,7 @@ import java.util.concurrent.ScheduledExecutorService;
import javax.persistence.EntityManager;
import javax.sql.DataSource;
+import javax.validation.Validation;
import org.eclipse.hawkbit.artifact.repository.ArtifactRepository;
import org.eclipse.hawkbit.repository.ArtifactEncryption;
@@ -107,6 +108,7 @@ import org.eclipse.hawkbit.security.SecurityTokenGenerator;
import org.eclipse.hawkbit.security.SystemSecurityContext;
import org.eclipse.hawkbit.tenancy.TenantAware;
import org.eclipse.persistence.config.PersistenceUnitProperties;
+import org.hibernate.validator.HibernateValidatorConfiguration;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
@@ -385,7 +387,12 @@ public class RepositoryApplicationConfiguration extends JpaBaseConfiguration {
*/
@Bean
public MethodValidationPostProcessor methodValidationPostProcessor() {
- return new MethodValidationPostProcessor();
+ final MethodValidationPostProcessor processor = new MethodValidationPostProcessor();
+ processor.setValidator(Validation.byDefaultProvider().configure()
+ .addProperty(HibernateValidatorConfiguration.ALLOW_PARALLEL_METHODS_DEFINE_PARAMETER_CONSTRAINTS,
+ "true")
+ .buildValidatorFactory().getValidator());
+ return processor;
}
/**
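Review bot: The validator handed to `processor.setValidator(...)` is built with `Validation.byDefaultProvider()` but configured with a Hibernate-Validator-only property, and nothing says why the parallel-method parameter-constraint rule is being relaxed. If a different Bean Validation provider were the default, the property would presumably be ignored without any error; `Validation.byProvider(HibernateValidator.class).configure()` makes the dependency explicit. The factory is also created outside the Spring context, so as far as this hunk shows it is never closed and constraint validators get no Spring injection, which is harmless for ValidStringValidator today but worth a comment. The method's Javadoc starts outside the hunk; it should gain a sentence naming the interfaces that need `ALLOW_PARALLEL_METHODS_DEFINE_PARAMETER_CONSTRAINTS`.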
diff --git a/pom.xml b/pom.xml
index c8279b9d5..9de1d791d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -143,9 +143,7 @@
3.5.0.RELEASE
-
- 6.0.20.Final
-
+
8.14.1
@@ -163,7 +161,7 @@
9.1.6
- 1.14.2
+ 1.15.3
2.13.6
2.7.9
1.1.8