
Viewing changes to core/src/main/java/hudson/markup/MyspacePolicy.java

  • Committer: Package Import Robot
  • Author(s): James Page
  • Date: 2012-03-27 09:17:51 UTC
  • mfrom: (1.1.6)
  • Revision ID: package-import@ubuntu.com-20120327091751-8qx6gofm6tuz8yov
Tags: 1.424.6+dfsg-1
* New upstream release, fixing XSS security vulnerability (Closes: #664057):
  - d/control: Add new dependency on libowasp-java-html-sanitizer-java.
  - d/maven.rules: Add new rule to use artifacts 
    from libowasp-java-html-sanitizer-java.
* Switch upstart configurations to use start-stop-daemon to allow
  desktop systems to shutdown.
* d/jenkins-slave.upstart.in: Ensure /var/run/jenkins exists before
  trying to download the jenkins slave.jar file to it.
  Thanks to Al Stone for providing this fix.

1
package hudson.markup;
 
2
 
 
3
import com.google.common.base.Predicate;
 
4
import com.google.common.base.Throwables;
 
5
import org.owasp.html.Handler;
 
6
import org.owasp.html.HtmlSanitizer;
 
7
import org.owasp.html.HtmlStreamRenderer;
 
8
import org.owasp.html.PolicyFactory;
 
9
 
 
10
import java.io.IOException;
 
11
import java.util.regex.Pattern;
 
12
 
 
13
/**
 
14
 * Policy definition based on OWASP AntiSamy MySpace policy.
 
15
 *
 
16
 * @author Kohsuke Kawaguchi
 
17
 * @see <a href="https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project#Stage_2_-_Choosing_a_base_policy_file">OWASP AntiSamy MySpace Policy</a>
 
18
 */
 
19
public class MyspacePolicy {
 
20
    public static final PolicyFactory POLICY_DEFINITION;
 
21
 
 
22
    private static final Pattern ONSITE_URL = Pattern.compile(
 
23
        "(?:[\\p{L}\\p{N}\\\\\\.\\#@\\$%\\+&;\\-_~,\\?=/!]+|\\#(\\w)+)");
 
24
    private static final Pattern OFFSITE_URL = Pattern.compile(
 
25
        "\\s*(?:(?:ht|f)tps?://|mailto:)[\\p{L}\\p{N}]"
 
26
        + "[\\p{L}\\p{N}\\p{Zs}\\.\\#@\\$%\\+&;:\\-_~,\\?=/!\\(\\)]*\\s*");
 
27
  
 
28
    private static final Predicate<String> ONSITE_OR_OFFSITE_URL
 
29
        = new Predicate<String>() {
 
30
          public boolean apply(String s) {
 
31
            return ONSITE_URL.matcher(s).matches()
 
32
                || OFFSITE_URL.matcher(s).matches();
 
33
          }
 
34
        };
 
35
 
 
36
    static {
 
37
        POLICY_DEFINITION = new HtmlPolicyBuilder2() {{
 
38
            allowAttributes("id","class","lang","title",
 
39
                    "alt","style","media","href","name","shape",
 
40
                    "border","cellpadding","cellspacing","colspan","rowspan",
 
41
                    "background","bgcolor","abbr","headers","charoff","char",
 
42
                    "aixs","nowrap","width","height","align","valign","scope",
 
43
                    "tabindex","disabled","readonly","accesskey","size",
 
44
                    "autocomplete","rows","cols").globally();
 
45
 
 
46
            disallowElements(
 
47
                    // I'm allowing iframe
 
48
                    "script","noscript",/*"iframe",*/"frameset","frame");
 
49
 
 
50
            tag("label",    "for");
 
51
            tag("form",     "action",ONSITE_OR_OFFSITE_URL,
 
52
                            "method");
 
53
            tag("button",   "value", "type");
 
54
            tag("input",    "maxlength","checked",
 
55
                            "src",ONSITE_OR_OFFSITE_URL,
 
56
                            "usemap",ONSITE_URL,
 
57
                            "type","value");
 
58
            tag("select",   "multiple");
 
59
            tag("option",   "value","label","selected");
 
60
            tag("textarea");
 
61
            tag("h1,h2,h3,h4,h5,h6,p,i,b,u,strong,em,small,big,pre,code,cite,samp,sub,sup,strike,center,blockquote");
 
62
            tag("hr,br,col");
 
63
            tag("font", "color", "face", "size");
 
64
            tag("a",        "nohref","rel");
 
65
            tag("style",    "type");
 
66
            tag("span,div");
 
67
            tag("img",      "src",ONSITE_OR_OFFSITE_URL,
 
68
                            "hspace","vspace");
 
69
            tag("iframe",   "src");
 
70
            tag("link",     "type","rel");
 
71
            tag("ul,ol,li,dd,dl,dt,thead,tbody,tfoot");
 
72
            tag("table",    "noresize");
 
73
            tag("td,th,tr");
 
74
            tag("colgroup", "span");
 
75
            tag("col",      "span");
 
76
            tag("fieldset,legend");
 
77
            allowStandardUrlProtocols();
 
78
        }}.toFactory();
 
79
    }
 
80
 
 
81
    public static void main(String[] args) throws IOException {
 
82
        // Fetch the HTML to sanitize.
 
83
        String html = "<a href='http://www.google.com/'>Google</a><img src='http://www.yahoo.com'>";
 
84
        // Set up an output channel to receive the sanitized HTML.
 
85
        HtmlStreamRenderer renderer = HtmlStreamRenderer.create(
 
86
                System.out,
 
87
                // Receives notifications on a failure to write to the output.
 
88
                new Handler<IOException>() {
 
89
                    public void handle(IOException ex) {
 
90
                        Throwables.propagate(ex);  // System.out suppresses IOExceptions
 
91
                    }
 
92
                },
 
93
                // Our HTML parser is very lenient, but this receives notifications on
 
94
                // truly bizarre inputs.
 
95
                new Handler<String>() {
 
96
                    public void handle(String x) {
 
97
                        throw new AssertionError(x);
 
98
                    }
 
99
                }
 
100
        );
 
101
        // Use the policy defined above to sanitize the HTML.
 
102
        HtmlSanitizer.sanitize(html, POLICY_DEFINITION.apply(renderer));
 
103
    }
 
104
}
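Review bot: The globally allowed attribute list at gutter line 42 spells the table attribute as `"aixs"`, so `axis` is never permitted and the misspelled entry matches nothing; it should read `"axis"`. The `iframe` src at line 69 is also the only URL-bearing attribute in the file that is not paired with `ONSITE_OR_OFFSITE_URL` the way the `img` and `input` src entries are (lines 55 and 67); if `tag()` treats a trailing predicate the way those call sites suggest, `tag("iframe",   "src",ONSITE_OR_OFFSITE_URL);` keeps the policy consistent. The comment at line 47 only says "I'm allowing iframe"; a sentence recording why framing, the `<style>` element and the global `style` attribute are deliberately permitted would help, since those are the entries a later maintainer reviewing this policy will question first. HtmlPolicyBuilder2 and its `tag()` helper are outside this page, so the predicate handling is inferred from the call sites rather than seen.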