URLs with escaped characters are being removed by XSS because of decoding during link building (#2456)

vladbailescu · web-flow · commit e1d4bc90eee4 · 2023-03-02T14:25:15.000+02:00
* Added escaping during link sanitization
* Preserves Adobe Campaign expressions
* Added new testcases
diff --git a/bundles/core/src/main/java/com/adobe/cq/wcm/core/components/internal/link/DefaultPathProcessor.java b/bundles/core/src/main/java/com/adobe/cq/wcm/core/components/internal/link/DefaultPathProcessor.java
@@ -17,7 +17,6 @@
 
 import java.util.Optional;
 
-import org.apache.commons.httpclient.URI;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.sling.api.SlingHttpServletRequest;
 import org.apache.sling.api.resource.ResourceResolver;
@@ -106,33 +105,35 @@ public boolean accepts(@NotNull String path, @NotNull SlingHttpServletRequest re
         if (vanityConfig == VanityConfig.ALWAYS) {
             path = getPathOrVanityUrl(path, request.getResourceResolver());
         }
-        int fragmentQueryMark = path.indexOf('#');
-        if (fragmentQueryMark < 0) {
-            fragmentQueryMark = path.indexOf('?');
-        }
-
-        final String fragmentQuery;
-        if (fragmentQueryMark >= 0) {
-            fragmentQuery = path.substring(fragmentQueryMark);
-            path = path.substring(0, fragmentQueryMark);
+        int queryStringMark = path.indexOf('?');
+        int fragmentMark = path.indexOf('#');
+        final String queryString;
+        final String fragment;
+        if (queryStringMark >= 0 || fragmentMark >= 0) {
+            if (queryStringMark >= 0) {
+                if (fragmentMark >= 0) {
+                    queryString = path.substring(queryStringMark + 1, fragmentMark);
+                    fragment = path.substring(fragmentMark + 1);
+                } else {
+                    queryString = path.substring(queryStringMark + 1);
+                    fragment = null;
+                }
+            } else {
+                queryString = null;
+                fragment = path.substring(fragmentMark + 1);
+            }
+            path = path.substring(0, queryStringMark >= 0 ? queryStringMark : fragmentMark);
         } else {
-            fragmentQuery = null;
+            queryString = null;
+            fragment = null;
         }
+
         String cp = request.getContextPath();
         if (!StringUtils.isEmpty(cp) && path.startsWith("/") && !path.startsWith(cp + "/")) {
             path = cp + path;
         }
 
-        try {
-            final URI uri = new URI(path, false);
-            path = uri.toString();
-        } catch (Exception e) {
-            LOG.error(e.getMessage());
-        }
-
-        if (fragmentQuery != null) {
-            path = path + fragmentQuery;
-        }
+        path = LinkUtil.escape(path, queryString, fragment);
         return path;
     }
 
diff --git a/bundles/core/src/main/java/com/adobe/cq/wcm/core/components/internal/link/LinkBuilderImpl.java b/bundles/core/src/main/java/com/adobe/cq/wcm/core/components/internal/link/LinkBuilderImpl.java
@@ -15,19 +15,10 @@
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
 package com.adobe.cq.wcm.core.components.internal.link;
 
-import java.io.UnsupportedEncodingException;
-import java.math.BigInteger;
-import java.net.URLDecoder;
-import java.nio.charset.StandardCharsets;
-import java.security.SecureRandom;
-import java.util.Collections;
-import java.util.LinkedHashMap;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.HashMap;
 import java.util.Optional;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
 
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.tuple.ImmutablePair;
@@ -47,20 +38,19 @@
 import com.day.cq.wcm.api.Page;
 import com.day.cq.wcm.api.PageManager;
 
-import static com.adobe.cq.wcm.core.components.commons.link.Link.PN_LINK_URL;
 import static com.adobe.cq.wcm.core.components.commons.link.Link.PN_LINK_ACCESSIBILITY_LABEL;
 import static com.adobe.cq.wcm.core.components.commons.link.Link.PN_LINK_TARGET;
 import static com.adobe.cq.wcm.core.components.commons.link.Link.PN_LINK_TITLE_ATTRIBUTE;
+import static com.adobe.cq.wcm.core.components.commons.link.Link.PN_LINK_URL;
 import static com.adobe.cq.wcm.core.components.internal.Utils.resolveRedirects;
-import static com.adobe.cq.wcm.core.components.internal.link.LinkManagerImpl.VALID_LINK_TARGETS;
 import static com.adobe.cq.wcm.core.components.internal.link.LinkImpl.ATTR_ARIA_LABEL;
 import static com.adobe.cq.wcm.core.components.internal.link.LinkImpl.ATTR_TARGET;
 import static com.adobe.cq.wcm.core.components.internal.link.LinkImpl.ATTR_TITLE;
+import static com.adobe.cq.wcm.core.components.internal.link.LinkManagerImpl.VALID_LINK_TARGETS;
 
 public class LinkBuilderImpl implements LinkBuilder {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(LinkBuilderImpl.class);
-    private final static List<Pattern> PATTERNS = Collections.singletonList(Pattern.compile("(<%[=@].*?%>)"));
     public static final String HTML_EXTENSION = ".html";
 
     SlingHttpServletRequest request;
@@ -162,12 +152,7 @@ public LinkBuilderImpl(String url, SlingHttpServletRequest req, List<PathProcess
     private @NotNull Link buildLink(String path, SlingHttpServletRequest request, Map<String, String> htmlAttributes) {
         if (StringUtils.isNotEmpty(path)) {
             try {
-                // The link contain character sequences that are not well formatted and cannot be decoded, for example
-                // Adobe Campaign expressions like: /content/path/to/page.html?recipient=<%= recipient.id %>
-                Map<String, String> placeholders = new LinkedHashMap<>();
-                String maskedPath = mask(path, placeholders);
-                maskedPath = URLDecoder.decode(maskedPath, StandardCharsets.UTF_8.name());
-                path = unmask(maskedPath, placeholders);
+                path = LinkUtil.decode(path);
             } catch (Exception ex) {
                 String message = "Failed to decode url '{}': {}";
                 if (LOGGER.isDebugEnabled()) {
@@ -310,72 +295,4 @@ private Pair<Page, String> resolvePage(@NotNull final Page page) {
         return new ImmutablePair<>(resolved, getPageLinkURL(resolved));
     }
 
-    /**
-     * Masks a given {@link String} by replacing all occurrences of {@link LinkBuilderImpl#PATTERNS} with a placeholder.
-     * The generated placeholders are put into the given {@link Map} and can be used to unmask a {@link String} later on.
-     * <p>
-     * For example the given original {@link String} {@code /path/to/page.html?r=<%= recipient.id %>} will be transformed to
-     * {@code /path/to/page.html?r=_abcd_} and the placeholder with the expression will be put into the given {@link Map}.
-     *
-     * @param original     the original {@link String}
-     * @param placeholders a {@link Map} the generated placeholders will be put in
-     * @return the masked {@link String}
-     * @see LinkBuilderImpl#unmask(String, Map)
-     */
-    private static String mask(String original, Map<String, String> placeholders) {
-        String masked = original;
-        for (Pattern pattern : PATTERNS) {
-            Matcher matcher = pattern.matcher(masked);
-            while (matcher.find()) {
-                String expression = matcher.group(1);
-                String placeholder = newPlaceholder(masked);
-                masked = masked.replaceFirst(Pattern.quote(expression), placeholder);
-                placeholders.put(placeholder, expression);
-            }
-        }
-        return masked;
-    }
-
-    /**
-     * Unmasks the given {@link String} by replacing the given placeholders with their original value.
-     * <p>
-     * For example the given masked {@link String} {@code /path/to/page.html?r=_abcd_} will be transformed to
-     * {@code /path/to/page.html?r=<%= recipient.id %>} by replacing each of the given {@link Map}s keys with the corresponding value.
-     *
-     * @param masked       the masked {@link String}
-     * @param placeholders the {@link Map} of placeholders to replace
-     * @return the unmasked {@link String}
-     */
-    private static String unmask(String masked, Map<String, String> placeholders) {
-        String unmasked = masked;
-        for (Map.Entry<String, String> placeholder : placeholders.entrySet()) {
-            unmasked = unmasked.replaceFirst(placeholder.getKey(), placeholder.getValue());
-        }
-        return unmasked;
-    }
-
-    /**
-     * Generate a new random placeholder that is not conflicting with any character sequence in the given {@link String}.
-     * <p>
-     * For example the given {@link String} {@code "foo"} a new random {@link String} will be returned that is not contained in the
-     * given {@link String}. In this example the following {@link String}s will never be returned "f", "fo", "foo", "o", "oo".
-     *
-     * @param str the given {@link String}
-     * @return the placeholder name
-     */
-    private static String newPlaceholder(String str) {
-        SecureRandom random = new SecureRandom();
-        StringBuilder placeholderBuilder = new StringBuilder(5);
-
-        do {
-            placeholderBuilder.setLength(0);
-            placeholderBuilder
-                .append("_")
-                .append(new BigInteger(16, random).toString(16))
-                .append("_");
-        } while (str.contains(placeholderBuilder));
-
-        return placeholderBuilder.toString();
-    }
-
 }
diff --git a/bundles/core/src/main/java/com/adobe/cq/wcm/core/components/internal/link/LinkUtil.java b/bundles/core/src/main/java/com/adobe/cq/wcm/core/components/internal/link/LinkUtil.java
@@ -0,0 +1,182 @@
+/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ~ Copyright 2023 Adobe
+ ~
+ ~ Licensed under the Apache License, Version 2.0 (the "License");
+ ~ you may not use this file except in compliance with the License.
+ ~ You may obtain a copy of the License at
+ ~
+ ~     http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
+package com.adobe.cq.wcm.core.components.internal.link;
+
+import java.io.UnsupportedEncodingException;
+import java.math.BigInteger;
+import java.net.URLDecoder;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
+import java.security.SecureRandom;
+import java.util.Collections;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import org.apache.commons.httpclient.URI;
+import org.apache.commons.httpclient.URIException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Utility methods for handling links
+ */
+public class LinkUtil {
+
+    private final static Logger LOG = LoggerFactory.getLogger(LinkUtil.class);
+
+    private final static List<Pattern> PATTERNS = Collections.singletonList(Pattern.compile("(<%[=@].*?%>)"));
+
+    /**
+     * Decodes and encoded or escaped URL taking care to not break Adobe Campaign expressions
+     * like: /content/path/to/page.html?recipient=<%= recipient.id %>
+     *
+     * @param url The URL to decode
+     * @return The decoded URL
+     * @throws UnsupportedEncodingException
+     */
+    public static String decode(final String url) throws UnsupportedEncodingException {
+        // The link contain character sequences that are not well formatted and cannot be decoded, for example
+        // Adobe Campaign expressions like: /content/path/to/page.html?recipient=<%= recipient.id %>
+        final Map<String, String> placeholders = new LinkedHashMap<>();
+        final String masked = LinkUtil.mask(url, placeholders);
+        final String decoded = URLDecoder.decode(masked, StandardCharsets.UTF_8.name());
+        final String unmasked = unmask(decoded, placeholders);
+        return unmasked;
+    }
+
+    /**
+     * Escapes an URI based on path, query string and fragment: path?queryString#fragment
+     *
+     * @param path The URI path
+     * @param queryString The URI query string
+     * @param fragment The URI fragment
+     * @return The escaped fragment
+     */
+    public static String escape(final String path, final String queryString, final String fragment) {
+        final Map<String, String> placeholders = new LinkedHashMap<>();
+        final String maskedQueryString = mask(queryString, placeholders);
+        String escaped;
+        URI parsed;
+        try {
+            parsed = new URI(path, false);
+        } catch (URIException e) {
+            parsed = null;
+            LOG.error(e.getMessage(), e);
+        }
+        try {
+            if (parsed != null) {
+                escaped = new URI(parsed.getScheme(), parsed.getAuthority(), parsed.getPath(), maskedQueryString, null).toString();
+            } else {
+                escaped = new URI(null, null, path, maskedQueryString, null).toString();
+            }
+            if (fragment != null) {
+                StringBuilder sb = new StringBuilder(escaped);
+                escaped = sb.append("#")
+                        .append(URLEncoder.encode(fragment, StandardCharsets.UTF_8.name()).replace("+", "%20"))
+                        .toString();
+            }
+        } catch (Exception e) {
+            LOG.error(e.getMessage(), e);
+            StringBuilder sb = new StringBuilder(path);
+            if (queryString != null) {
+                sb.append("?").append(maskedQueryString);
+            }
+            if (fragment != null) {
+                sb.append("#").append(fragment);
+            }
+            escaped = sb.toString();
+        }
+        final String unmasked = LinkUtil.unmask(escaped, placeholders);
+        return unmasked;
+    }
+
+    /**
+     * Masks a given {@link String} by replacing all occurrences of {@link LinkUtil#PATTERNS} with a placeholder.
+     * The generated placeholders are put into the given {@link Map} and can be used to unmask a {@link String} later on.
+     * <p>
+     * For example the given original {@link String} {@code /path/to/page.html?r=<%= recipient.id %>} will be transformed to
+     * {@code /path/to/page.html?r=_abcd_} and the placeholder with the expression will be put into the given {@link Map}.
+     *
+     * @param original     the original {@link String}
+     * @param placeholders a {@link Map} the generated placeholders will be put in
+     * @return the masked {@link String}
+     * @see LinkUtil#unmask(String, Map)
+     */
+    private static String mask(final String original, final Map<String, String> placeholders) {
+        if (original == null) {
+            return null;
+        }
+        String masked = original;
+        for (Pattern pattern : PATTERNS) {
+            Matcher matcher = pattern.matcher(masked);
+            while (matcher.find()) {
+                String expression = matcher.group(1);
+                String placeholder = newPlaceholder(masked);
+                masked = masked.replaceFirst(Pattern.quote(expression), placeholder);
+                placeholders.put(placeholder, expression);
+            }
+        }
+        return masked;
+    }
+
+    /**
+     * Unmasks the given {@link String} by replacing the given placeholders with their original value.
+     * <p>
+     * For example the given masked {@link String} {@code /path/to/page.html?r=_abcd_} will be transformed to
+     * {@code /path/to/page.html?r=<%= recipient.id %>} by replacing each of the given {@link Map}s keys with the corresponding value.
+     *
+     * @param masked       the masked {@link String}
+     * @param placeholders the {@link Map} of placeholders to replace
+     * @return the unmasked {@link String}
+     */
+    private static String unmask(final String masked, final Map<String, String> placeholders) {
+        if (masked == null) {
+            return null;
+        }
+        String unmasked = masked;
+        for (Map.Entry<String, String> placeholder : placeholders.entrySet()) {
+            unmasked = unmasked.replaceFirst(placeholder.getKey(), placeholder.getValue());
+        }
+        return unmasked;
+    }
+
+    /**
+     * Generate a new random placeholder that is not conflicting with any character sequence in the given {@link String}.
+     * <p>
+     * For example the given {@link String} {@code "foo"} a new random {@link String} will be returned that is not contained in the
+     * given {@link String}. In this example the following {@link String}s will never be returned "f", "fo", "foo", "o", "oo".
+     *
+     * @param str the given {@link String}
+     * @return the placeholder name
+     */
+    private static String newPlaceholder(final String str) {
+        SecureRandom random = new SecureRandom();
+        StringBuilder placeholderBuilder = new StringBuilder(5);
+
+        do {
+            placeholderBuilder.setLength(0);
+            placeholderBuilder
+                    .append("_")
+                    .append(new BigInteger(16, random).toString(16))
+                    .append("_");
+        } while (str.contains(placeholderBuilder));
+
+        return placeholderBuilder.toString();
+    }
+}
diff --git a/bundles/core/src/test/java/com/adobe/cq/wcm/core/components/internal/link/DefaultPathProcessorTest.java b/bundles/core/src/test/java/com/adobe/cq/wcm/core/components/internal/link/DefaultPathProcessorTest.java
