Merged HEAD-BUG-FIX (5.1/Cloud) to HEAD (5.1/Cloud)

98426: Merged 5.0.N (5.0.2) to HEAD-BUG-FIX (5.1/Cloud)
      98384: Merged 5.0.1 (5.0.1) to 5.0.N (5.0.2)
         98286: MNT-13473: Merged CLOUD39 (Cloud 39.3) to 5.0.1 (5.0.1)
            97951: MNT-13456:


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@98533 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
Alan Davis
2015-03-03 23:43:09 +00:00
parent d0f7fdedf7
commit 0dd0c87f93
4 changed files with 184 additions and 22 deletions


@@ -24,6 +24,7 @@ import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import org.alfresco.query.PagingRequest;
import org.alfresco.repo.content.MimetypeMap;
@@ -60,7 +61,7 @@ public abstract class AbstractLinksWebScript extends DeclarativeWebScript
protected static final String PARAM_MESSAGE = "message";
protected static final String PARAM_ITEM = "item";
private static Log logger = LogFactory.getLog(AbstractLinksWebScript.class);
// Injected services
@@ -69,7 +70,11 @@ public abstract class AbstractLinksWebScript extends DeclarativeWebScript
protected LinksService linksService;
protected PersonService personService;
protected ActivityService activityService;
private String protocolsWhiteList = "http,https,ftp,mailto";
private ArrayList<String> allowedProtocols;
private ArrayList<Pattern> xssPatterns;
public void setNodeService(NodeService nodeService)
{
this.nodeService = nodeService;
@@ -94,6 +99,98 @@ public abstract class AbstractLinksWebScript extends DeclarativeWebScript
{
this.activityService = activityService;
}
public void setProtocolsWhiteList(String protocolsWhiteList)
{
this.protocolsWhiteList = protocolsWhiteList;
}
public void setXssRegexp(ArrayList<String> xssRegexp)
{
xssPatterns = new ArrayList<>(xssRegexp.size());
for (String xssRegexpStr : xssRegexp)
{
xssPatterns.add(Pattern.compile(xssRegexpStr));
}
}
private boolean isProtocolAllowed(String protocol)
{
// will be used default protocol prefix
if (protocol.length() == 0)
{
return true;
}
if (allowedProtocols == null)
{
allowedProtocols = new ArrayList<String>();
for (String delimProtocol : protocolsWhiteList.split(","))
{
if (delimProtocol.trim().length() == 0)
{
continue;
}
allowedProtocols.add(delimProtocol.trim());
}
}
return allowedProtocols.contains(protocol);
}
private boolean isPossibleXSS(String url)
{
// check for null
if (xssPatterns == null)
{
return false;
}
boolean result = false;
for (Pattern pattern : xssPatterns)
{
if (pattern.matcher(url).matches())
{
result = true;
}
}
return result;
}
private boolean isUrlCorrect(String url)
{
//default behavior if url absent
if (url == null)
{
return true;
}
if (url.trim().length() == 0 || isPossibleXSS(url))
{
return false;
}
int colonPos = url.indexOf(":");
colonPos = colonPos > 0 ? colonPos : 0;
String protocol = url.substring(0, colonPos);
boolean result = isProtocolAllowed(protocol);
//check for record host:port e.g.: localhost:8080
if (!result)
{
String secondUrlPart = url.substring(colonPos+1);
int slashPos = secondUrlPart.indexOf("/");
slashPos = slashPos > 0 ? slashPos : secondUrlPart.length();
String port = secondUrlPart.substring(0, slashPos);
Pattern p = Pattern.compile("^[0-9]*$");
if (p.matcher(port).matches())
{
result = true;
}
}
return result;
}
protected String getOrNull(JSONObject json, String key)
@@ -306,7 +403,18 @@ public abstract class AbstractLinksWebScript extends DeclarativeWebScript
// Link name is optional
String linkName = templateVars.get("path");
//sanitise url
if (json != null)
{
String url = getOrNull(json, "url");
if (!isUrlCorrect(url))
{
String error = "Url not allowed";
throw new WebScriptException(Status.STATUS_BAD_REQUEST, error);
}
}
// Have the real work done
return executeImpl(site, linkName, req, json, status, cache);
}
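Review bot: The host:port fallback in `isUrlCorrect` lets a non-whitelisted scheme through: for `javascript:1/alert(1)` the scheme check fails, `secondUrlPart` becomes `1/alert(1)`, `port` is cut to `1` and matches `^[0-9]*$`, so the URL is accepted (and a bare `javascript:` passes as well, because `*` also matches an empty port) unless one of the configured xssRegexp patterns happens to catch it. Because a browser parses `localhost:8080/x` as scheme `localhost` rather than as a host, the fallback does not even produce a working link; I would drop that `if (!result)` branch and end the method with `return isProtocolAllowed(protocol);`, or normalise scheme-less input to `"http://" + url` before both the check and the store. Two smaller points: `isPossibleXSS` calls `matches()`, so each configured pattern must cover the whole string (`.*…​.*`) or it never fires, and `allowedProtocols` is built lazily inside `isProtocolAllowed` on a shared web-script bean, so parsing it once in `setProtocolsWhiteList` would be safer. The enclosing `execute` method starts outside the hunk.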


@@ -18,10 +18,12 @@
*/
package org.alfresco.repo.web.scripts.links;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.ResourceBundle;
import java.util.regex.Pattern;
import org.alfresco.repo.security.permissions.AccessDeniedException;
import org.alfresco.service.cmr.links.LinkInfo;
@@ -41,8 +43,8 @@ public class LinkPut extends AbstractLinksWebScript
{
private static final String MSG_ACCESS_DENIED= "links.err.access.denied";
private static final String MSG_NOT_FOUND= "links.err.not.found";
@Override
@Override
protected Map<String, Object> executeImpl(SiteInfo site, String linkName,
WebScriptRequest req, JSONObject json, Status status, Cache cache)
{
@@ -60,13 +62,14 @@ public class LinkPut extends AbstractLinksWebScript
model.put(PARAM_MESSAGE, rb.getString(MSG_NOT_FOUND));
return model;
}
// Get the new link details from the JSON
// Update the main properties
link.setTitle(getOrNull(json, "title"));
link.setDescription(getOrNull(json, "description"));
link.setURL(getOrNull(json, "url"));
String url = getOrNull(json, "url");
link.setURL(url);
// Handle internal / not internal
if (json.containsKey("internal"))