

Viewing changes to core/src/test/java/hudson/markup/MyspacePolicyTest.java

  • Committer: Package Import Robot
  • Author(s): James Page
  • Date: 2012-03-27 09:17:51 UTC
  • mfrom: (1.1.6)
  • Revision ID: package-import@ubuntu.com-20120327091751-8qx6gofm6tuz8yov
Tags: 1.424.6+dfsg-1
* New upstream release, fixing XSS security vulnerability (Closes: #664057):
  - d/control: Add new dependency on libowasp-java-html-sanitizer-java.
  - d/maven.rules: Add new rule to use artifacts 
    from libowasp-java-html-sanitizer-java.
* Switch upstart configurations to use start-stop-daemon to allow
  desktop systems to shut down.
* d/jenkins-slave.upstart.in: Ensure /var/run/jenkins exists before
  trying to download the jenkins slave.jar file to it.
  Thanks to Al Stone for providing this fix.




 
1
package hudson.markup;
 
2
 
 
3
import com.google.common.base.Throwables;
 
4
import org.junit.Assert;
 
5
import org.junit.Test;
 
6
import org.owasp.html.Handler;
 
7
import org.owasp.html.HtmlSanitizer;
 
8
import org.owasp.html.HtmlStreamRenderer;
 
9
 
 
10
import java.io.IOException;
 
11
 
 
12
/**
 
13
 * @author Kohsuke Kawaguchi
 
14
 */
 
15
public class MyspacePolicyTest extends Assert {
 
16
    @Test
 
17
    public void testPolicy() {
 
18
        assertIntact("<a href='http://www.cloudbees.com'>CB</a>");
 
19
        assertIntact("<a href='relative/link'>relative</a>");
 
20
        assertIntact("<a href='mailto:kk&#64;kohsuke.org'>myself</a>");
 
21
        assertReject("javascript","<a href='javascript:alert(5)'>test</a>");
 
22
 
 
23
        assertIntact("<img src='http://www.cloudbees.com'>");
 
24
        assertIntact("<img src='relative/test.png'>");
 
25
        assertIntact("<img src='relative/test.png'>");
 
26
        assertReject("javascript","<img src='javascript:alert(5)'>");
 
27
 
 
28
        assertIntact("<b><i><u><strike>basic tag</strike></u></i></b>");
 
29
        assertIntact("<div><p>basic block tags</p></div>");
 
30
 
 
31
        assertIntact("<ul><li>1</li><li>2</li><li>3</li></ul>");
 
32
        assertIntact("<ol><li>x</li></ol>");
 
33
        assertIntact("<dl><dt>abc</dt><dd>foo</dd></dl>");
 
34
        assertIntact("<table><tr><th>header</th></tr><tr><td>something</td></tr></table>");
 
35
        assertIntact("<h1>title</h1><blockquote>blurb</blockquote>");
 
36
 
 
37
        assertIntact("<iframe src='nested'></iframe>");
 
38
        assertIntact("<iframe src='http://kohsuke.org'></iframe>");
 
39
        assertReject("javascript","<iframe src='javascript:foo'></iframe>");
 
40
 
 
41
        assertReject("script","<script>window.alert(5);</script>");
 
42
        assertReject("script","<script src='http://foo/evil.js'></script>");
 
43
        assertReject("script","<script src='relative.js'></script>");
 
44
 
 
45
        assertIntact("<style>H1 { display:none; }</style>");
 
46
        assertIntact("<link rel='stylesheet' type='text/css' href='http://www.microsoft.com/'>");
 
47
        assertIntact("<div style='background-color:white'>inline CSS</div>");
 
48
        assertIntact("<br><hr>");
 
49
 
 
50
        assertIntact("<form method='post' action='http://sun.com/'><input type='text' name='foo'><input type='password' name='pass'></form>");
 
51
    }
 
52
 
 
53
    private void assertIntact(String input) {
 
54
        input = input.replace('\'','\"');
 
55
        assertSanitize(input,input);
 
56
    }
 
57
    
 
58
    private void assertReject(String problematic, String input) {
 
59
        String out = sanitize(input);
 
60
        assertFalse(out, out.contains(problematic));
 
61
    }
 
62
    
 
63
    private void assertSanitize(String expected, String input) {
 
64
        assertEquals(expected,sanitize(input));
 
65
    }
 
66
 
 
67
    private String sanitize(String input) {
 
68
        StringBuilder buf = new StringBuilder();
 
69
        HtmlStreamRenderer renderer = HtmlStreamRenderer.create(
 
70
                buf,
 
71
                // Receives notifications on a failure to write to the output.
 
72
                new Handler<IOException>() {
 
73
                    public void handle(IOException ex) {
 
74
                        Throwables.propagate(ex);  // System.out suppresses IOExceptions
 
75
                    }
 
76
                },
 
77
                // Our HTML parser is very lenient, but this receives notifications on
 
78
                // truly bizarre inputs.
 
79
                new Handler<String>() {
 
80
                    public void handle(String x) {
 
81
                        throw new AssertionError(x);
 
82
                    }
 
83
                }
 
84
        );
 
85
        HtmlSanitizer.sanitize(input, MyspacePolicy.POLICY_DEFINITION.apply(renderer));
 
86
        return buf.toString();
 
87
    }
 
88
}
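Review bot: `assertReject` only asserts that the sanitized output does not contain the literal, case-sensitive token it is given, so the `javascript` and `script` cases would still pass if the policy kept the offending `href`/`src` attribute and merely re-encoded or re-cased the scheme, and they say nothing about whether the attribute or element was actually removed. Pinning the exact sanitized output through the existing `assertSanitize(expected, input)` helper would make the policy's behaviour explicit; the expected strings would have to be captured from the current sanitizer output, which this page does not show. Separately, the second `assertIntact("<img src='relative/test.png'>")` call in `testPolicy` repeats the one directly above it verbatim, so it presumably was meant to cover a different input (the other groups pair an absolute URL with a relative one and a rejected one). Either drop the duplicate or replace it with the case it was intended to exercise, so the test does not silently cover one input twice.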