Snyk report xss #708

wants to merge 13 commits into
base: master
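--- a/.gitignore
+++ b/.gitignore
@@ -51,3 +51,4 @@ nbproject
 *.properties
 
 # End of https://www.toptal.com/developers/gitignore/api/macos,netbeans
+.vscode/settings.json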
94 changes: 45 additions & 49 deletions src/java/UpdateLine.java
@@ -1,27 +1,23 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
*/

import java.io.IOException;
import java.io.PrintWriter;
import static java.lang.Integer.parseInt;
import java.sql.SQLException;
import static java.util.logging.Level.SEVERE;
import static java.util.logging.Logger.getLogger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import static javax.servlet.http.HttpServletResponse.SC_BAD_REQUEST;
import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;
import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
import javax.servlet.http.HttpSession;
import static org.owasp.esapi.ESAPI.encoder;
import textdisplay.Project;
import textdisplay.Transcription;
import user.Group;

import static java.lang.Integer.parseInt;
import static java.util.logging.Level.SEVERE;
import static java.util.logging.Logger.getLogger;
import static javax.servlet.http.HttpServletResponse.SC_BAD_REQUEST;
import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;
import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
import static org.owasp.esapi.ESAPI.encoder;

/**
*
* @author jdeerin1
Expand All @@ -41,54 +37,55 @@ protected void processRequest(HttpServletRequest request, HttpServletResponse re
try (PrintWriter out = response.getWriter()) {
HttpSession session = request.getSession();
if (session.getAttribute("UID") == null) {
response.sendError(SC_FORBIDDEN);
response.sendError(SC_FORBIDDEN, "User not logged in.");
return;
}
else if (request.getParameter("text") == null) {
getLogger(UpdateLine.class.getName()).log(SEVERE, null, "'text' was not provided.");
response.sendError(SC_BAD_REQUEST);
if (request.getParameter("text") == null) {
getLogger(UpdateLine.class.getName()).log(SEVERE, "'text' was not provided.");
response.sendError(SC_BAD_REQUEST, "'text' parameter is missing.");
return;
}
else if (request.getParameter("projectID") == null) {
getLogger(UpdateLine.class.getName()).log(SEVERE, null, "'projectID' was not provided.");
response.sendError(SC_BAD_REQUEST);
if (request.getParameter("projectID") == null) {
getLogger(UpdateLine.class.getName()).log(SEVERE, "'projectID' was not provided.");
response.sendError(SC_BAD_REQUEST, "'projectID' parameter is missing.");
return;
}
else{
String text = request.getParameter("text");
String comment = "";
int projectID = parseInt(request.getParameter("projectID"));
int uid = parseInt(session.getAttribute("UID").toString());
String line = request.getParameter("line");
try{
Project thisProject = new Project(projectID);
if (request.getParameter("comment") != null) {
comment = request.getParameter("comment");
}

String text = request.getParameter("text");
String comment = "";
int projectID = parseInt(request.getParameter("projectID"));
int uid = parseInt(session.getAttribute("UID").toString());
String line = request.getParameter("line");

try {
Project thisProject = new Project(projectID);
if (request.getParameter("comment") != null) {
if (line == null) {
if (request.getParameter("projectID") != null) {
if (new Group(thisProject.getGroupID()).isMember(uid)) {
thisProject.setLinebreakText(text);
}
if (!new Group(thisProject.getGroupID()).isMember(uid)) {
response.sendError(SC_FORBIDDEN, "User is not a member of the project group.");
return;
}
thisProject.setLinebreakText(text);
out.print(encoder().decodeForHTML(thisProject.getLinebreakText()));
} else {
if (!new Group(thisProject.getGroupID()).isMember(uid)) {
response.sendError(SC_FORBIDDEN, "User is not a member of the project group.");
return;
}
}
if (new Group(thisProject.getGroupID()).isMember(uid)) {
Transcription t = new Transcription(line);
t.archive(); //create an archived version before making changes
t.setText(text);
t.setComment(comment);
t.setCreator(uid);
out.print(encoder().decodeForHTML(new Transcription(line).getText()));
}
else {
response.sendError(SC_FORBIDDEN);
out.print(encoder().decodeForHTML(t.getText()));
}
}
catch(SQLException e){
System.out.println("UpdateLine SQL failure");
getLogger(UpdateLine.class.getName()).log(SEVERE, null, e);
response.sendError(SC_INTERNAL_SERVER_ERROR);
}
} catch (SQLException e) {
System.out.println("UpdateLine SQL failure");
getLogger(UpdateLine.class.getName()).log(SEVERE, null, e);
response.sendError(SC_INTERNAL_SERVER_ERROR);
}
}
catch(Exception e){
} catch (Exception e) {
System.out.println("UpdateLine generic failure");
getLogger(UpdateLine.class.getName()).log(SEVERE, null, e);
response.sendError(SC_INTERNAL_SERVER_ERROR);
Expand All @@ -113,8 +110,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
* Handles the HTTP <code>POST</code> method.
* @param request servlet request
* @param response servlet response
* @throws ServletException if a servlet-specific error occurs
* @throws IOException if an I/O error occurs
* @throws ServletException if an I/O error occurs
*/
@Override
protected void doPost(HttpServletRequest request, HttpServletResponse response)
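Review bot: The two `out.print` lines still pass user-controlled text through `encoder().decodeForHTML(...)` before writing it to the response, which decodes entities rather than encoding them, so for a change aimed at XSS the direction looks inverted. If this response is rendered as HTML the lines should read `out.print(encoder().encodeForHTML(thisProject.getLinebreakText()));` and `out.print(encoder().encodeForHTML(t.getText()));`; if a caller consumes it as plain text and escapes on its own side, a comment saying so would help the next reader. Separately, `parseInt(request.getParameter("projectID"))` and `parseInt(session.getAttribute("UID").toString())` can throw NumberFormatException, which now lands in the outer `catch (Exception e)` as a 500 where the neighbouring null checks answer 400. processRequest starts before this hunk and its closing braces lie below it.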
113 changes: 58 additions & 55 deletions src/java/UploadTextfile.java
@@ -1,9 +1,3 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
*/


import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
Expand Down Expand Up @@ -42,49 +36,63 @@ protected void processRequest(HttpServletRequest request, HttpServletResponse re
throws ServletException, IOException, SQLException, FileUploadException {
response.setContentType("text/html;charset=UTF-8");
try (PrintWriter out = response.getWriter()) {
int projectID=0;
int projectID = 0;
textdisplay.Project thisProject = null;

if (request.getParameter("projectID") == null) {
out.print("projectID parameter is missing.");
return;
}

textdisplay.Project thisProject=null;
if(request.getParameter("projectID")!=null)
{
String location = "";
projectID=parseInt(request.getParameter("projectID"));
location = (parseInt(request.getParameter("p"))>0) ? "?projectID="+projectID+"&p="+request.getParameter("p") : "?projectID="+projectID;
thisProject=new textdisplay.Project(projectID);
if (isMultipartContent(request)){
ServletFileUpload servletFileUpload = new ServletFileUpload(new DiskFileItemFactory());
List fileItemsList = servletFileUpload.parseRequest(request);
try {
projectID = parseInt(request.getParameter("projectID"));
} catch (NumberFormatException e) {
out.print("Invalid projectID format.");
return;
}

String optionalFileName = "";
FileItem fileItem = null;
Iterator it = fileItemsList.iterator();
while (it.hasNext()){
FileItem fileItemTemp = (FileItem)it.next();
String tmp=fileItemTemp.getFieldName();
if (fileItemTemp.getFieldName().compareTo("file")==0 && (fileItemTemp.getName().endsWith("txt") || fileItemTemp.getName().endsWith("xml"))){
try {
int p = request.getParameter("p") != null ? parseInt(request.getParameter("p")) : 0;
location = (p > 0) ? "?projectID=" + projectID + "&p=" + p : "?projectID=" + projectID;
} catch (NumberFormatException e) {
location = "?projectID=" + projectID;
}

String textData;//=fileItemTemp.getString();
BufferedReader in = new BufferedReader(new InputStreamReader(fileItemTemp.getInputStream() , "UTF-8"));
StringBuilder b=new StringBuilder("");
while(in.ready())
{
b.append(in.readLine());
}
textData=b.toString();
thisProject.setLinebreakText(textData);
response.sendRedirect("transcription.html"+location);
return;
thisProject = new textdisplay.Project(projectID);

}
else
{
out.print("You must upload a .txt or .xml file, other formats are not supported at this time.");
}
}
}
}
if (!isMultipartContent(request)) {
out.print("Request is not multipart.");
return;
}

ServletFileUpload servletFileUpload = new ServletFileUpload(new DiskFileItemFactory());
List fileItemsList = servletFileUpload.parseRequest(request);

String optionalFileName = "";
FileItem fileItem = null;
Iterator it = fileItemsList.iterator();
while (it.hasNext()) {
FileItem fileItemTemp = (FileItem) it.next();
String tmp = fileItemTemp.getFieldName();
if (fileItemTemp.getFieldName().compareTo("file") == 0 && (fileItemTemp.getName().endsWith("txt") || fileItemTemp.getName().endsWith("xml"))) {
String textData;
try (BufferedReader in = new BufferedReader(new InputStreamReader(fileItemTemp.getInputStream(), "UTF-8"))) {
StringBuilder b = new StringBuilder("");
String line;
while ((line = in.readLine()) != null) {
b.append(line).append("\n");
}
textData = b.toString();
}
thisProject.setLinebreakText(textData);
response.sendRedirect("transcription.html" + location);
return;
}
}
out.print("You must upload a .txt or .xml file, other formats are not supported at this time.");
}
}
}

// <editor-fold defaultstate="collapsed" desc="HttpServlet methods. Click on the + sign on the left to edit the code.">
/**
Expand All @@ -97,14 +105,12 @@ protected void processRequest(HttpServletRequest request, HttpServletResponse re
@Override
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try
{
try {
processRequest(request, response);
} catch (SQLException | FileUploadException ex)
{
} catch (SQLException | FileUploadException ex) {
getLogger(UploadTextfile.class.getName()).log(SEVERE, null, ex);
}
}
}
}

/**
* Handles the HTTP <code>POST</code> method.
Expand All @@ -116,13 +122,11 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
@Override
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try
{
try {
processRequest(request, response);
} catch (SQLException | FileUploadException ex)
{
} catch (SQLException | FileUploadException ex) {
getLogger(UploadTextfile.class.getName()).log(SEVERE, null, ex);
}
}
}

/**
Expand All @@ -133,5 +137,4 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
public String getServletInfo() {
return "Short description";
}// </editor-fold>

}
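Review bot: The rewritten processRequest reaches `thisProject.setLinebreakText(textData)` with no session or group-membership check, while UpdateLine.java in the same PR answers SC_FORBIDDEN when the `UID` attribute is absent or `Group.isMember(uid)` is false before touching the same project text; the whole method body is inside this hunk, so the check is not elsewhere in the method (a servlet filter could supply it, which I cannot see from here). The lines below, placed after the projectID checks, would bring the two servlets into line; they need `javax.servlet.http.HttpSession` imported. As smaller points, the error replies use `out.print(...)` with a 200 status where `response.sendError(HttpServletResponse.SC_BAD_REQUEST, ...)` would match the other servlets, and `optionalFileName`, `fileItem` and `tmp` are unused while `List` and `Iterator` remain raw.
```java
// … unchanged: projectID null and format checks …
HttpSession session = request.getSession();
if (session.getAttribute("UID") == null) {
    response.sendError(HttpServletResponse.SC_FORBIDDEN, "User not logged in.");
    return;
}
int uid = parseInt(session.getAttribute("UID").toString());
thisProject = new textdisplay.Project(projectID);
if (!new user.Group(thisProject.getGroupID()).isMember(uid)) {
    response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a member of the project group.");
    return;
}
// … unchanged: multipart parsing and file handling …
```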
19 changes: 15 additions & 4 deletions src/java/characterImage.java
Expand Up @@ -67,15 +67,26 @@ protected void processRequest(HttpServletRequest request, HttpServletResponse re
int blobIdentifier;

try {
blobIdentifier = parseInt(request.getParameter("blob"));
pageIdentifier = request.getParameter("page");
} catch (NumberFormatException | NullPointerException e) {
String blobParam = request.getParameter("blob");
String pageParam = request.getParameter("page");
if (blobParam == null || pageParam == null) {
response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing parameters");
return;
}
blobIdentifier = parseInt(blobParam.replaceAll("[^\\d]", ""));
pageIdentifier = pageParam.replaceAll("[^\\w]", "");
} catch (NumberFormatException e) {
response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid parameters");
return;
}
blobGetter thisBlob = new blobGetter(pageIdentifier, blobIdentifier);
String s = (getRbTok("SERVERCONTEXT") + "imageResize?folioNum=" + pageIdentifier + "&height=2000");
out.print(s + "\n");
BufferedImage originalImg = getImage(parseInt(pageIdentifier));//imageHelpers.readAsBufferedImage(new URL(Folio.getRbTok("SERVERCONTEXT")+"imageResize?folioNum="+pageIdentifier+"&height=2000&code="+Folio.getRbTok("imageCode")));
BufferedImage originalImg = getImage(parseInt(pageIdentifier));
if (originalImg == null) {
response.sendError(HttpServletResponse.SC_NOT_FOUND, "Image not found");
return;
}
width = thisBlob.getHeight();
height = thisBlob.getWidth();
x = thisBlob.getX();
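Review bot: Sanitising by deletion (`blobParam.replaceAll("[^\\d]", "")`, `pageParam.replaceAll("[^\\w]", "")`) turns a value that should be rejected into a different, valid identifier instead of refusing it, and `pageIdentifier` is only restricted to word characters while `getImage(parseInt(pageIdentifier))` a few lines later parses it as an int outside the try, so a non-numeric `page` escapes the NumberFormatException handler. Since that later parseInt implies folio identifiers are numeric, validating rather than rewriting closes both gaps: `if (!blobParam.matches("\\d+") || !pageParam.matches("\\d+")) { response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid parameters"); return; }` followed by `blobIdentifier = parseInt(blobParam); pageIdentifier = pageParam;` inside the existing try. The `out.print(s + "\n")` echo of `pageIdentifier` is then digits-only as well. processRequest starts before this hunk and continues below it.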
3 changes: 2 additions & 1 deletion src/java/edu/slu/tpen/servlet/AcceptIPRServlet.java
Expand Up @@ -17,6 +17,7 @@
import net.sf.json.JSONObject;
import static net.sf.json.JSONObject.fromObject;
import user.User;
import org.owasp.encoder.Encode;

/**
*
Expand All @@ -35,7 +36,7 @@ public class AcceptIPRServlet extends HttpServlet {
*/
protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
String content = request.getParameter("content");
String content = Encode.forHtml(request.getParameter("content"));
JSONObject params = fromObject(content);
User user = null;
int folioNum = params.getInt("folio");
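Review bot: `Encode.forHtml(request.getParameter("content"))` runs before `fromObject(content)` parses the value as JSON, so the quotes, `&`, `<` and `>` of the JSON text become HTML entities and the parse is likely to fail or to yield escaped field values; HTML encoding belongs where fields taken from `params` are written into the response, which lies below this hunk. I would keep `String content = request.getParameter("content");`, reject a missing value with `response.sendError(HttpServletResponse.SC_BAD_REQUEST, "content parameter is missing.")` before parsing, and apply `Encode.forHtml(...)` to each string at the point it is output. processRequest continues past the end of this hunk.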
17 changes: 14 additions & 3 deletions src/java/edu/slu/tpen/servlet/AddProjectToolServlet.java
Expand Up @@ -21,10 +21,12 @@
import java.sql.SQLException;
import static java.util.logging.Level.SEVERE;
import static java.util.logging.Logger.getLogger;
import java.net.MalformedURLException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.encoder.Encode;
import utils.UserTool;

/**
Expand All @@ -36,10 +38,19 @@ public class AddProjectToolServlet extends HttpServlet {
@Override
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
try {
Connection conn = getDBConnection();
String name = Encode.forHtml(request.getParameter("name"));
UserTool ut = new UserTool();
ut.saveUserTool(conn, request.getParameter("name"), request.getParameter("url"), parseInt(request.getParameter("projectID")));
response.getWriter().print("1");
String urlParam = request.getParameter("url");
String url = Encode.forHtml(urlParam);
new java.net.URL(urlParam);
} catch (MalformedURLException e) {
throw new ServletException("Invalid URL format", e);
}
int projectID = parseInt(request.getParameter("projectID"));
ut.saveUserTool(conn, name, url, projectID);
Connection conn = getDBConnection();
ut.saveUserTool(conn, name, url, projectID);
conn.close();
} catch (SQLException ex) {
getLogger(AddProjectToolServlet.class.getName()).log(SEVERE, null, ex);
}
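Review bot: As rendered, the new doPost body does not compile: `name`, `ut` and `url` are declared inside the `try` that `catch (MalformedURLException e)` closes but are used after it, `ut.saveUserTool(conn, name, url, projectID)` appears twice with the first call before `Connection conn = getDBConnection();`, and the trailing `catch (SQLException ex)` has no open `try`; the `response.getWriter().print("1")` reply the old code sent is also gone. Beyond structure, `Encode.forHtml` is applied at storage time, so an `&` in a query string is persisted as `&amp;` and double-encodes wherever the tool list is output-encoded; storing the raw values and encoding where they are rendered (not visible here) is the usual split. `new java.net.URL(urlParam)` checks syntax only, so a scheme allowlist on the parsed URL is worth adding, and `conn.close()` outside try-with-resources is skipped when saveUserTool throws. The method's closing brace lies below this hunk.
```java
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    String name = request.getParameter("name");
    String urlParam = request.getParameter("url");
    String projectParam = request.getParameter("projectID");
    if (name == null || urlParam == null || projectParam == null) {
        response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing parameters");
        return;
    }
    int projectID;
    String scheme;
    try {
        projectID = parseInt(projectParam);
        scheme = new java.net.URL(urlParam).getProtocol();
    } catch (NumberFormatException | MalformedURLException e) {
        throw new ServletException("Invalid parameter format", e);
    }
    if (!"http".equals(scheme) && !"https".equals(scheme)) {
        response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unsupported URL scheme");
        return;
    }
    try (Connection conn = getDBConnection()) {
        // stored raw; apply Encode.forHtml where the tool name/url is rendered
        new UserTool().saveUserTool(conn, name, urlParam, projectID);
        response.getWriter().print("1");
    } catch (SQLException ex) {
        getLogger(AddProjectToolServlet.class.getName()).log(SEVERE, null, ex);
    }
```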