RHPAM-4719: Replace single qoute with nothing

kiegroup · Jun 27, 2023 · cc2b241 · cc2b241
1 parent b8eaab5
commit cc2b241
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 3 deletions.
diff --git a/...ire-rest/uberfire-rest-backend/src/main/java/org/guvnor/rest/backend/ProjectResource.java b/...ire-rest/uberfire-rest-backend/src/main/java/org/guvnor/rest/backend/ProjectResource.java
@@ -374,7 +374,7 @@ public Response addBranch(@PathParam("spaceName") String spaceName,
         jobRequest.setJobId(id);
         jobRequest.setSpaceName(spaceName);
         jobRequest.setProjectName(projectName);
-        jobRequest.setNewBranchName(StringEscapeUtils.escapeHtml4(addBranchRequest.getNewBranchName()));
+        jobRequest.setNewBranchName(escapeHtmlInput(addBranchRequest.getNewBranchName()));
         jobRequest.setBaseBranchName(addBranchRequest.getBaseBranchName());
         jobRequest.setUserIdentifier(sessionInfo.getIdentity().getIdentifier());
         addAcceptedJobResult(id);
@@ -455,6 +455,16 @@ private ProjectResponse getProjectResponse(WorkspaceProject workspaceProject) {
         return projectResponse;
     }
 
+    private String escapeHtmlInput(String input) {
+        if (input != null) {
+            String escapedInput = StringEscapeUtils.escapeHtml4(input);
+            escapedInput = escapedInput.replace("'", "");
+            return escapedInput;
+        } else {
+            return null;
+        }
+    }
+
     @POST
     @Produces(MediaType.APPLICATION_JSON)
     @Path("/spaces/{spaceName}/projects/{projectName}/maven/compile")
@@ -685,7 +695,7 @@ public Response createSpace(Space space) {
         jobRequest.setJobId(id);
         jobRequest.setSpaceName(space.getName());
         jobRequest.setDescription(space.getDescription());
-        jobRequest.setOwner(StringEscapeUtils.escapeHtml4(space.getOwner()));
+        jobRequest.setOwner(escapeHtmlInput(space.getOwner()));
         jobRequest.setDefaultGroupId(space.getDefaultGroupId());
         addAcceptedJobResult(id);
 
@@ -710,7 +720,7 @@ public Response updateSpace(Space space) {
         jobRequest.setJobId(id);
         jobRequest.setSpaceName(space.getName());
         jobRequest.setDescription(space.getDescription());
-        jobRequest.setOwner(StringEscapeUtils.escapeHtml4(space.getOwner()));
+        jobRequest.setOwner(escapeHtmlInput(space.getOwner()));
         jobRequest.setDefaultGroupId(space.getDefaultGroupId());
         addAcceptedJobResult(id);
 

diff --git a/...t/uberfire-rest-backend/src/test/java/org/guvnor/rest/backend/ProjectResourceJobTest.java b/...t/uberfire-rest-backend/src/test/java/org/guvnor/rest/backend/ProjectResourceJobTest.java
@@ -315,6 +315,28 @@ public void updateSpace() throws Exception {
         assertEquals(JobStatus.ACCEPTED, jobResultArgumentCaptor.getValue().getStatus());
     }
 
+    @Test
+    public void updateSpaceWithXSSOwer() throws Exception {
+        String xssOwner = "<img/src/onerror=alert(\"XSS\")>";
+        Space testedSpace = new Space();
+        testedSpace.setOwner(xssOwner);
+        projectResource.updateSpace(testedSpace);
+
+        verify(jobManager).putJob(jobResultArgumentCaptor.capture());
+        assertEquals(JobStatus.ACCEPTED, jobResultArgumentCaptor.getValue().getStatus());
+    }
+
+    @Test
+    public void createSpaceWithXSSOwner() throws Exception {
+        String xssOwner = "<img/src/onerror=alert(document.cookie)>";
+        Space testedSpace = new Space();
+        testedSpace.setOwner(xssOwner);
+        projectResource.createSpace(testedSpace);
+
+        verify(jobManager).putJob(jobResultArgumentCaptor.capture());
+        assertEquals(JobStatus.ACCEPTED, jobResultArgumentCaptor.getValue().getStatus());
+    }
+
     @Test
     public void deleteSpace() throws Exception {
 
@@ -334,6 +356,19 @@ public void addBranch() {
         assertEquals(JobStatus.ACCEPTED, jobResultArgumentCaptor.getValue().getStatus());
     }
 
+    @Test
+    public void addBranchWithXSSName() {
+        AddBranchRequest addBranchRequest = new AddBranchRequest();
+        addBranchRequest.setNewBranchName("<img/src/onerror=alert(\"Xss\")>");
+
+        projectResource.addBranch("spaceName",
+                                  "projectName",
+                                  addBranchRequest);
+
+        verify(jobManager).putJob(jobResultArgumentCaptor.capture());
+        assertEquals(JobStatus.ACCEPTED, jobResultArgumentCaptor.getValue().getStatus());
+    }
+
     @Test
     public void removeBranch() {
         projectResource.removeBranch("spaceName",

diff --git a/...n/java/org/guvnor/structure/backend/organizationalunit/OrganizationalUnitServiceImpl.java b/...n/java/org/guvnor/structure/backend/organizationalunit/OrganizationalUnitServiceImpl.java
@@ -625,6 +625,7 @@ private Collection<Contributor> escapeContributorsNames(Collection<Contributor>
         Collection<Contributor> escapedContributors = new ArrayList<>();
         contributors.forEach((contributor -> {
             String escapedName = StringEscapeUtils.escapeHtml4(contributor.getUsername());
+            escapedName = escapedName.replace("'", "");
             escapedContributors.add(new Contributor(escapedName, contributor.getType()));
         }));
         return escapedContributors;