diff --git a/uberfire-structure/uberfire-structure-backend/src/main/java/org/guvnor/structure/backend/InputEscapeUtils.java b/uberfire-structure/uberfire-structure-backend/src/main/java/org/guvnor/structure/backend/InputEscapeUtils.java
new file mode 100644
index 0000000000..b8f466d9e4
--- /dev/null
+++ b/uberfire-structure/uberfire-structure-backend/src/main/java/org/guvnor/structure/backend/InputEscapeUtils.java
@@ -0,0 +1,30 @@
+package org.guvnor.structure.backend;
+
+import java.util.ArrayList;
+import java.util.Collection;
+
+import org.apache.commons.text.StringEscapeUtils;
+import org.uberfire.security.Contributor;
+
+public class InputEscapeUtils {
+
+ public static Collection escapeContributorsNames(Collection contributors) {
+ Collection escapedContributors = new ArrayList<>();
+ contributors.forEach((contributor -> {
+ String escapedName = escapeHtmlInput(contributor.getUsername());
+ escapedContributors.add(new Contributor(escapedName, contributor.getType()));
+ }));
+ return escapedContributors;
+ }
+
+ public static String escapeHtmlInput(String input) {
+ if (input != null) {
+ String escapedInput = StringEscapeUtils.escapeHtml4(input);
+ escapedInput = escapedInput.replace("'", "");
+ return escapedInput;
+ } else {
+ return null;
+ }
+ }
+
+}
diff --git a/uberfire-structure/uberfire-structure-backend/src/main/java/org/guvnor/structure/backend/organizationalunit/OrganizationalUnitServiceImpl.java b/uberfire-structure/uberfire-structure-backend/src/main/java/org/guvnor/structure/backend/organizationalunit/OrganizationalUnitServiceImpl.java
index 2aa2baeea5..f094dee557
--- a/uberfire-structure/uberfire-structure-backend/src/main/java/org/guvnor/structure/backend/organizationalunit/OrganizationalUnitServiceImpl.java
+++ b/uberfire-structure/uberfire-structure-backend/src/main/java/org/guvnor/structure/backend/organizationalunit/OrganizationalUnitServiceImpl.java
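Review bot: `escapeHtmlInput` in the new `InputEscapeUtils` deletes every `'` from the username (`escapedInput.replace("'", "")`) instead of encoding it, and it does so on the way into storage via `escapeContributorsNames`, so a contributor named `O'Brien` is persisted as `OBrien` and any name containing `&`, `<`, `>` or `"` is persisted in HTML-entity form. If stored contributor usernames are later compared with the authenticated principal's name (not visible in this hunk), such entries would silently never match. The robust fix is to keep the raw name and HTML-encode at render time; at minimum the apostrophe should be encoded rather than dropped, `return StringEscapeUtils.escapeHtml4(input).replace("'", "&#39;");`, since the code evidently relies on `escapeHtml4` not handling it. The class also has no private constructor; add `private InputEscapeUtils() {}` so the static utility cannot be instantiated.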
@@ -65,6 +65,8 @@
 import org.uberfire.spaces.Space;
 import org.uberfire.spaces.SpacesAPI;
+import static org.guvnor.structure.backend.InputEscapeUtils.escapeContributorsNames;
+
 @Service
 @ApplicationScoped
 public class OrganizationalUnitServiceImpl implements OrganizationalUnitService {
@@ -620,23 +622,4 @@ private OrganizationalUnit createDeletedOrganizationalUnit(ConfigGroup configGro
 defaultGroupId, true);
 }
-
- private Collection escapeContributorsNames(Collection contributors) {
- Collection escapedContributors = new ArrayList<>();
- contributors.forEach((contributor -> {
- String escapedName = escapeHtmlInput(contributor.getUsername());
- escapedContributors.add(new Contributor(escapedName, contributor.getType()));
- }));
- return escapedContributors;
- }
-
- String escapeHtmlInput(String input) {
- if (input != null) {
- String escapedInput = StringEscapeUtils.escapeHtml4(input);
- escapedInput = escapedInput.replace("'", "");
- return escapedInput;
- } else {
- return null;
- }
- }
 }
diff --git a/uberfire-structure/uberfire-structure-backend/src/main/java/org/guvnor/structure/backend/repositories/RepositoryServiceImpl.java b/uberfire-structure/uberfire-structure-backend/src/main/java/org/guvnor/structure/backend/repositories/RepositoryServiceImpl.java
index 524f000234..ae2c5c506f
--- a/uberfire-structure/uberfire-structure-backend/src/main/java/org/guvnor/structure/backend/repositories/RepositoryServiceImpl.java
+++ b/uberfire-structure/uberfire-structure-backend/src/main/java/org/guvnor/structure/backend/repositories/RepositoryServiceImpl.java
@@ -28,7 +28,6 @@
 import javax.inject.Inject;
 import javax.inject.Named;
-import org.apache.commons.text.StringEscapeUtils;
 import org.guvnor.common.services.backend.exceptions.ExceptionUtilities;
 import org.guvnor.common.services.project.events.RepositoryContributorsUpdatedEvent;
 import org.guvnor.structure.backend.backcompat.BackwardCompatibleUtil;
@@ -68,6 +67,7 @@
 import org.uberfire.spaces.Space;
 import org.uberfire.spaces.SpacesAPI;
+import static org.guvnor.structure.backend.InputEscapeUtils.escapeContributorsNames;
 import static org.guvnor.structure.repositories.EnvironmentParameters.CRYPT_PREFIX;
 import static org.guvnor.structure.repositories.EnvironmentParameters.SECURE_PREFIX;
 import static org.guvnor.structure.repositories.EnvironmentParameters.SCHEME;
@@ -620,25 +620,6 @@ private void addConfiguration(final RepositoryConfiguration repositoryConfigurat
 }
 }
- public Collection escapeContributorsNames(Collection contributors) {
- Collection escapedContributors = new ArrayList<>();
- contributors.forEach((contributor -> {
- String escapedName = escapeHtmlInput(contributor.getUsername());
- escapedContributors.add(new Contributor(escapedName, contributor.getType()));
- }));
- return escapedContributors;
- }
-
- String escapeHtmlInput(String input) {
- if (input != null) {
- String escapedInput = StringEscapeUtils.escapeHtml4(input);
- escapedInput = escapedInput.replace("'", "");
- return escapedInput;
- } else {
- return null;
- }
- }
-
 public class NoActiveSpaceInTheContext extends RuntimeException {
 }
diff --git a/uberfire-structure/uberfire-structure-backend/src/test/java/org/guvnor/structure/backend/organizationalunit/OrganizationalUnitServiceTest.java b/uberfire-structure/uberfire-structure-backend/src/test/java/org/guvnor/structure/backend/organizationalunit/OrganizationalUnitServiceTest.java
index f784be83af..54fd6bda48
--- a/uberfire-structure/uberfire-structure-backend/src/test/java/org/guvnor/structure/backend/organizationalunit/OrganizationalUnitServiceTest.java
@@ -63,6 +63,7 @@ import org.uberfire.spaces.Space; import org.uberfire.spaces.SpacesAPI; +import static org.guvnor.structure.backend.InputEscapeUtils.escapeHtmlInput; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertNull; @@ -270,14 +271,14 @@ public void createValidOrganizationalUnitTest() { assertEquals(contributors, ou.getContributors()); Assertions.assertThat(ou.getContributors()).hasSize(1); Assertions.assertThat(ou.getContributors()).hasOnlyOneElementSatisfying((contributor) -> { - contributor.getUsername().equals(organizationalUnitService.escapeHtmlInput(ADMIN)); + contributor.getUsername().equals(escapeHtmlInput(ADMIN)); }); } @Test public void createOrganizationalUnitWithPersistentXssInContributorTest() { final String persistentXssContributor = ""; - final String escapedPersistentXssContributor = organizationalUnitService.escapeHtmlInput(persistentXssContributor); + final String escapedPersistentXssContributor = escapeHtmlInput(persistentXssContributor); List contributors = new ArrayList<>(); contributors.add(new Contributor(persistentXssContributor, 
@@ -306,10 +307,10 @@ public void createOrganizationalUnitWithPersistentXssInContributorTest() {
 @Test
 public void createOrganizationalUnitWithPersistentXssAndValidContributorTest() {
 final String persistentXssContributor = "";
- final String escapedPersistentXssContributor = organizationalUnitService.escapeHtmlInput(persistentXssContributor);
- final String escapedAdminContributor = organizationalUnitService.escapeHtmlInput(ADMIN);
+ final String escapedPersistentXssContributor = escapeHtmlInput(persistentXssContributor);
+ final String escapedAdminContributor = escapeHtmlInput(ADMIN);
 final String regularContributor = "head_technician_junior-intern";
- final String escapedRegularContributor = organizationalUnitService.escapeHtmlInput(regularContributor);
+ final String escapedRegularContributor = escapeHtmlInput(regularContributor);
 List contributors = new ArrayList<>();
 contributors.add(new Contributor(persistentXssContributor,
@@ -401,7 +402,7 @@ public void testUpdateOrganizationalUnit() {
 @Test
 public void testContributorsPersistentXssOnUpdateOrganizationalUnit() {
 final String persistentXssContributor = "";
- final String escapedPersistentXssContributor = organizationalUnitService.escapeHtmlInput(persistentXssContributor);
+ final String escapedPersistentXssContributor = escapeHtmlInput(persistentXssContributor);
 OrganizationalUnit organizationalUnit = organizationalUnitService.updateOrganizationalUnit(SPACE_NAME,
diff --git a/uberfire-structure/uberfire-structure-backend/src/test/java/org/guvnor/structure/backend/repositories/RepositoryServiceImplTest.java b/uberfire-structure/uberfire-structure-backend/src/test/java/org/guvnor/structure/backend/repositories/RepositoryServiceImplTest.java
index 218e9be1fa..b85e4fa331
--- a/uberfire-structure/uberfire-structure-backend/src/test/java/org/guvnor/structure/backend/repositories/RepositoryServiceImplTest.java
+++ b/uberfire-structure/uberfire-structure-backend/src/test/java/org/guvnor/structure/backend/repositories/RepositoryServiceImplTest.java
@@ -39,6 +39,7 @@
 import org.uberfire.spaces.Space;
 import org.uberfire.spaces.SpacesAPI;
+import static org.guvnor.structure.backend.InputEscapeUtils.escapeHtmlInput;
 import static org.junit.Assert.*;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.eq;
@@ -195,7 +196,7 @@ public void updateContributorsWithXSSNameTest() {
 when(registry.getBatch(anyString())).thenReturn(new SpaceConfigStorageRegistryImpl.SpaceStorageBatchImpl(spaceConfigStorage));
 final String xssName = "";
- final String escapedXssName = repositoryService.escapeHtmlInput(xssName);
+ final String escapedXssName = escapeHtmlInput(xssName);
 repositoryService.updateContributors(repository, Collections.singletonList(new Contributor(xssName, ContributorType.OWNER)));