Increase coverage and remove code smells

kiegroup · Jul 12, 2023 · a2277c8 · a2277c8
1 parent 0872802
commit a2277c8
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 1 deletion.
diff --git a/...erfire-structure-backend/src/main/java/org/guvnor/structure/backend/InputEscapeUtils.java b/...erfire-structure-backend/src/main/java/org/guvnor/structure/backend/InputEscapeUtils.java
@@ -1,3 +1,18 @@
+/*
+ * Copyright 2023 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package org.guvnor.structure.backend;
 
 import java.util.ArrayList;
@@ -6,8 +21,16 @@
 import org.apache.commons.text.StringEscapeUtils;
 import org.uberfire.security.Contributor;
 
+/**
+ * Utility class to provide input escaping or other
+ * functionality needed by backend services to sanitize inputs.
+ */
 public class InputEscapeUtils {
 
+    private InputEscapeUtils() {
+        // non-instantiable class
+    }
+
     public static Collection<Contributor> escapeContributorsNames(Collection<Contributor> contributors) {
         Collection<Contributor> escapedContributors = new ArrayList<>();
         contributors.forEach((contributor -> {

diff --git a/...n/java/org/guvnor/structure/backend/organizationalunit/OrganizationalUnitServiceImpl.java b/...n/java/org/guvnor/structure/backend/organizationalunit/OrganizationalUnitServiceImpl.java
@@ -33,7 +33,6 @@
 import javax.inject.Inject;
 import javax.inject.Named;
 
-import org.apache.commons.text.StringEscapeUtils;
 import org.uberfire.security.Contributor;
 import org.guvnor.structure.contributors.SpaceContributorsUpdatedEvent;
 import org.guvnor.structure.organizationalunit.NewOrganizationalUnitEvent;

diff --git a/...re-structure-backend/src/test/java/org/guvnor/structure/backend/InputEscapeUtilsTest.java b/...re-structure-backend/src/test/java/org/guvnor/structure/backend/InputEscapeUtilsTest.java
@@ -0,0 +1,33 @@
+package org.guvnor.structure.backend;
+
+import org.apache.commons.text.StringEscapeUtils;
+import org.assertj.core.api.Assertions;
+import org.junit.Test;
+
+import static org.guvnor.structure.backend.InputEscapeUtils.escapeHtmlInput;
+
+public class InputEscapeUtilsTest {
+
+    @Test
+    public void testEscapeHtmlInput() {
+        final String xssString = "<img/src/onerror=alert(\"XSS\")>";
+        final String expectedResult = StringEscapeUtils.escapeHtml4(xssString).replace("'", "");
+        final String result = escapeHtmlInput(xssString);
+        Assertions.assertThat(result).isEqualTo(expectedResult);
+    }
+
+    @Test
+    public void testEscapeHtmlInputWithSingleQoutes() {
+        final String xssString = "<img/src/onerror=alert('XSS')>";
+        final String expectedResult = StringEscapeUtils.escapeHtml4(xssString).replace("'", "");
+        final String result = escapeHtmlInput(xssString);
+        Assertions.assertThat(result).isEqualTo(expectedResult);
+    }
+
+    @Test
+    public void testEscapeHtmlInputNull() {
+        final String xssString = null;
+        final String result = escapeHtmlInput(xssString);
+        Assertions.assertThat(result).isNull();
+    }
+}