Update jsoup (#1276)
* upgraded jsoup to 1.15.3 * removed deprecated safe html annotation * added own valid string jsoup validator, disabled hibernate parallel method declaration constraint * adapted valid string validator * static method * return invalid value in case of processing exception Signed-off-by: Bogdan Bondar <Bogdan.Bondar@bosch.io>
This commit is contained in:
@@ -71,6 +71,10 @@
|
|||||||
<groupId>cz.jirutka.rsql</groupId>
|
<groupId>cz.jirutka.rsql</groupId>
|
||||||
<artifactId>rsql-parser</artifactId>
|
<artifactId>rsql-parser</artifactId>
|
||||||
</dependency>
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.jsoup</groupId>
|
||||||
|
<artifactId>jsoup</artifactId>
|
||||||
|
</dependency>
|
||||||
|
|
||||||
<!-- TEST -->
|
<!-- TEST -->
|
||||||
<dependency>
|
<dependency>
|
||||||
|
|||||||
@@ -16,18 +16,14 @@ import java.lang.annotation.Target;
|
|||||||
import javax.validation.Constraint;
|
import javax.validation.Constraint;
|
||||||
import javax.validation.Payload;
|
import javax.validation.Payload;
|
||||||
|
|
||||||
import org.hibernate.validator.constraints.SafeHtml;
|
|
||||||
import org.hibernate.validator.constraints.SafeHtml.WhiteListType;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Constraint for strings submitted into the repository.
|
* Constraint for strings submitted into the repository.
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
@Constraint(validatedBy = {})
|
@Constraint(validatedBy = ValidStringValidator.class)
|
||||||
@Target({ ElementType.METHOD, ElementType.FIELD, ElementType.ANNOTATION_TYPE, ElementType.CONSTRUCTOR,
|
@Target({ ElementType.METHOD, ElementType.FIELD, ElementType.ANNOTATION_TYPE, ElementType.CONSTRUCTOR,
|
||||||
ElementType.PARAMETER, ElementType.TYPE_USE })
|
ElementType.PARAMETER, ElementType.TYPE_USE })
|
||||||
@Retention(RetentionPolicy.RUNTIME)
|
@Retention(RetentionPolicy.RUNTIME)
|
||||||
@SafeHtml(whitelistType = WhiteListType.NONE)
|
|
||||||
public @interface ValidString {
|
public @interface ValidString {
|
||||||
|
|
||||||
String message() default "Invalid characters in string";
|
String message() default "Invalid characters in string";
|
||||||
@@ -0,0 +1,56 @@
|
|||||||
|
/**
|
||||||
|
* Copyright (c) 2022 Bosch.IO GmbH and others.
|
||||||
|
*
|
||||||
|
* All rights reserved. This program and the accompanying materials
|
||||||
|
* are made available under the terms of the Eclipse Public License v1.0
|
||||||
|
* which accompanies this distribution, and is available at
|
||||||
|
* http://www.eclipse.org/legal/epl-v10.html
|
||||||
|
*/
|
||||||
|
package org.eclipse.hawkbit.repository;
|
||||||
|
|
||||||
|
import javax.validation.ConstraintValidator;
|
||||||
|
import javax.validation.ConstraintValidatorContext;
|
||||||
|
|
||||||
|
import org.jsoup.Jsoup;
|
||||||
|
import org.jsoup.nodes.Document;
|
||||||
|
import org.jsoup.parser.Parser;
|
||||||
|
import org.jsoup.safety.Cleaner;
|
||||||
|
import org.jsoup.safety.Safelist;
|
||||||
|
import org.slf4j.Logger;
|
||||||
|
import org.slf4j.LoggerFactory;
|
||||||
|
|
||||||
|
import com.cronutils.utils.StringUtils;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Safe html constraint validator for strings submitted into the repository.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
public class ValidStringValidator implements ConstraintValidator<ValidString, String> {
|
||||||
|
private static final Logger LOG = LoggerFactory.getLogger(ValidStringValidator.class);
|
||||||
|
|
||||||
|
private final Cleaner cleaner = new Cleaner(Safelist.none());
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean isValid(final String value, final ConstraintValidatorContext context) {
|
||||||
|
return StringUtils.isEmpty(value) || isValidString(value);
|
||||||
|
}
|
||||||
|
|
||||||
|
private boolean isValidString(final String value) {
|
||||||
|
try {
|
||||||
|
return cleaner.isValid(stringToDocument(value));
|
||||||
|
} catch (final Exception ex) {
|
||||||
|
LOG.error(String.format("There was an exception during bean field value (%s) validation", value), ex);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private static Document stringToDocument(final String value) {
|
||||||
|
final Document xmlFragment = Jsoup.parse(value, "", Parser.xmlParser());
|
||||||
|
final Document resultingDocument = Document.createShell("");
|
||||||
|
|
||||||
|
xmlFragment.childNodes().forEach(xmlNode -> resultingDocument.body().appendChild(xmlNode.clone()));
|
||||||
|
|
||||||
|
return resultingDocument;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
@@ -13,8 +13,7 @@ import java.io.InputStream;
|
|||||||
import javax.validation.constraints.NotEmpty;
|
import javax.validation.constraints.NotEmpty;
|
||||||
import javax.validation.constraints.NotNull;
|
import javax.validation.constraints.NotNull;
|
||||||
|
|
||||||
import org.hibernate.validator.constraints.SafeHtml;
|
import org.eclipse.hawkbit.repository.ValidString;
|
||||||
import org.hibernate.validator.constraints.SafeHtml.WhiteListType;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Use to create a new artifact.
|
* Use to create a new artifact.
|
||||||
@@ -28,7 +27,7 @@ public class ArtifactUpload {
|
|||||||
private final long moduleId;
|
private final long moduleId;
|
||||||
|
|
||||||
@NotEmpty
|
@NotEmpty
|
||||||
@SafeHtml(whitelistType = WhiteListType.NONE, message = "Invalid characters in string")
|
@ValidString
|
||||||
private final String filename;
|
private final String filename;
|
||||||
|
|
||||||
private final String providedMd5Sum;
|
private final String providedMd5Sum;
|
||||||
|
|||||||
@@ -14,6 +14,7 @@ import java.util.concurrent.ScheduledExecutorService;
|
|||||||
|
|
||||||
import javax.persistence.EntityManager;
|
import javax.persistence.EntityManager;
|
||||||
import javax.sql.DataSource;
|
import javax.sql.DataSource;
|
||||||
|
import javax.validation.Validation;
|
||||||
|
|
||||||
import org.eclipse.hawkbit.artifact.repository.ArtifactRepository;
|
import org.eclipse.hawkbit.artifact.repository.ArtifactRepository;
|
||||||
import org.eclipse.hawkbit.repository.ArtifactEncryption;
|
import org.eclipse.hawkbit.repository.ArtifactEncryption;
|
||||||
@@ -107,6 +108,7 @@ import org.eclipse.hawkbit.security.SecurityTokenGenerator;
|
|||||||
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
import org.eclipse.hawkbit.security.SystemSecurityContext;
|
||||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||||
import org.eclipse.persistence.config.PersistenceUnitProperties;
|
import org.eclipse.persistence.config.PersistenceUnitProperties;
|
||||||
|
import org.hibernate.validator.HibernateValidatorConfiguration;
|
||||||
import org.springframework.beans.factory.ObjectProvider;
|
import org.springframework.beans.factory.ObjectProvider;
|
||||||
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
|
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
|
||||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
|
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
|
||||||
@@ -385,7 +387,12 @@ public class RepositoryApplicationConfiguration extends JpaBaseConfiguration {
|
|||||||
*/
|
*/
|
||||||
@Bean
|
@Bean
|
||||||
public MethodValidationPostProcessor methodValidationPostProcessor() {
|
public MethodValidationPostProcessor methodValidationPostProcessor() {
|
||||||
return new MethodValidationPostProcessor();
|
final MethodValidationPostProcessor processor = new MethodValidationPostProcessor();
|
||||||
|
processor.setValidator(Validation.byDefaultProvider().configure()
|
||||||
|
.addProperty(HibernateValidatorConfiguration.ALLOW_PARALLEL_METHODS_DEFINE_PARAMETER_CONSTRAINTS,
|
||||||
|
"true")
|
||||||
|
.buildValidatorFactory().getValidator());
|
||||||
|
return processor;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|||||||
6
pom.xml
6
pom.xml
@@ -143,9 +143,7 @@
|
|||||||
<!-- Newer versions needed than defined in Boot -->
|
<!-- Newer versions needed than defined in Boot -->
|
||||||
<!-- Fixed dependencies -->
|
<!-- Fixed dependencies -->
|
||||||
<rabbitmq.http-client.version>3.5.0.RELEASE</rabbitmq.http-client.version>
|
<rabbitmq.http-client.version>3.5.0.RELEASE</rabbitmq.http-client.version>
|
||||||
<!-- Newer version contains new rule that we violate. Needs to be fixed first -->
|
<!-- Spring boot version overrides - END -->
|
||||||
<hibernate-validator.version>6.0.20.Final</hibernate-validator.version>
|
|
||||||
<!-- Spring boot version overrides - END -->
|
|
||||||
|
|
||||||
<!-- Vaadin versions - START -->
|
<!-- Vaadin versions - START -->
|
||||||
<vaadin.version>8.14.1</vaadin.version>
|
<vaadin.version>8.14.1</vaadin.version>
|
||||||
@@ -163,7 +161,7 @@
|
|||||||
|
|
||||||
<!-- Misc libraries versions - START -->
|
<!-- Misc libraries versions - START -->
|
||||||
<cron-utils.version>9.1.6</cron-utils.version>
|
<cron-utils.version>9.1.6</cron-utils.version>
|
||||||
<jsoup.version>1.14.2</jsoup.version>
|
<jsoup.version>1.15.3</jsoup.version>
|
||||||
<allure.version>2.13.6</allure.version>
|
<allure.version>2.13.6</allure.version>
|
||||||
<eclipselink.version>2.7.9</eclipselink.version>
|
<eclipselink.version>2.7.9</eclipselink.version>
|
||||||
<gwtmockito.version>1.1.8</gwtmockito.version>
|
<gwtmockito.version>1.1.8</gwtmockito.version>
|
||||||
|
|||||||
Reference in New Issue
Block a user