Merged HEAD-BUG-FIX (5.1/Cloud) to HEAD (5.1/Cloud)

98426: Merged 5.0.N (5.0.2) to HEAD-BUG-FIX (5.1/Cloud)
      98384: Merged 5.0.1 (5.0.1) to 5.0.N (5.0.2)
         98286: MNT-13473: Merged CLOUD39 (Cloud 39.3) to 5.0.1 (5.0.1)
            97951: MNT-13456:


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@98533 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Alan Davis
2015-03-03 23:43:09 +00:00
parent d0f7fdedf7
commit 0dd0c87f93
4 changed files with 184 additions and 22 deletions


@@ -20,6 +20,7 @@ package org.alfresco.repo.web.scripts.links;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import javax.transaction.UserTransaction;
@@ -538,6 +539,47 @@ public class LinksRestApiTest extends BaseWebScriptTest
getLink(name, Status.STATUS_NOT_FOUND);
deleteLink(name, Status.STATUS_NOT_FOUND);
}
/**
* MNT-13456 Check for XSS attack via update of link
* @throws Exception
*/
public void testXssLinks() throws Exception
{
String LINK_TITLE = "lnk" + System.currentTimeMillis();
String LINK_URL = "http://alfresco.com";
HashMap<String, Integer> mapForCheck = new HashMap<String, Integer>();
mapForCheck.put("http:javasc\\ript:alert('mail.ru')", Status.STATUS_BAD_REQUEST);
mapForCheck.put("javas\\0cr\\ip\\00t:alert('dd')", Status.STATUS_BAD_REQUEST);
mapForCheck.put("alfresco.my", Status.STATUS_OK);
mapForCheck.put("javascript:alert('http://somedata.html')", Status.STATUS_BAD_REQUEST);
mapForCheck.put("http://alfresco.org", Status.STATUS_OK);
mapForCheck.put("localhost:8080", Status.STATUS_OK);
mapForCheck.put("localhost:8080/share", Status.STATUS_OK);
mapForCheck.put("localhost:80A80/share", Status.STATUS_BAD_REQUEST);
mapForCheck.put("http:java\\00script:alert('XSS')", Status.STATUS_BAD_REQUEST);
mapForCheck.put("http:javas\\0cript:alert('XSS')", Status.STATUS_BAD_REQUEST);
mapForCheck.put("http: &#14; javascript:alert('XSS')", Status.STATUS_BAD_REQUEST);
mapForCheck.put("<SCRIPT/XSS SRC='http://ha.ckers.org/xss.js'></SCRIPT>", Status.STATUS_BAD_REQUEST);
mapForCheck.put("<iframe src=http://ha.ckers.org/scriptlet.html <", Status.STATUS_BAD_REQUEST);
mapForCheck.put("html:vbscript:msgbox(\"XSS\")", Status.STATUS_BAD_REQUEST);
mapForCheck.put("<STYLE>@im\\port'\\ja\\vasc\\ript:alert(\"XSS\")';</STYLE>", Status.STATUS_BAD_REQUEST);
mapForCheck.put("<IMG SRC= onmouseover=\"alert('xxs')\">", Status.STATUS_BAD_REQUEST);
mapForCheck.put("BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>", Status.STATUS_BAD_REQUEST);
mapForCheck.put("onload54(dd)fg`=df", Status.STATUS_BAD_REQUEST);
JSONObject link;
link = createLink(LINK_TITLE, "Link desc", LINK_URL, false, Status.STATUS_OK);
String name = getNameFromLink(link);
for (String url : mapForCheck.keySet())
{
int expStatus = mapForCheck.get(url);
updateLink(name, LINK_TITLE, "Link desc", url, false, expStatus);
}
}
/**
* Listing
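Review bot: The loop body `updateLink(name, LINK_TITLE, "Link desc", url, false, expStatus);` verifies only the HTTP status, so a payload that is answered with 400 but still written to the link would pass this test; after each `Status.STATUS_BAD_REQUEST` case, re-read the link with `getLink(name, Status.STATUS_OK)` and assert that its stored URL is still the last accepted value. The payload set is sent through the update path only, so the same map could also be driven through `createLink(...)` to confirm the validation applies on creation (the Javadoc scopes MNT-13456 to update, so this may be deliberate). Since `HashMap` iteration order is unspecified, the sequence of accepted and rejected URLs differs between runs, which is another reason to assert the persisted value rather than rely on the status alone. On style, `LINK_TITLE` and `LINK_URL` are locals, not constants, so `linkTitle`/`linkUrl` (or `final` locals) would follow the class's naming elsewhere, and iterating `mapForCheck.entrySet()` would avoid the second lookup in `mapForCheck.get(url)`. The enclosing class `LinksRestApiTest` continues outside the hunk; the method itself is complete within it.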