#2983 Prevent XSS for URLs:
- corrected scadalts.security.http.query.xss.enabled to scadalts.security.http.query.protect.enabled;
- added test cases to XssUtilsTest;
Limraj committed Aug 28, 2024
1 parent 16123a6 commit 2bd5adb
Showing 5 changed files with 21 additions and 9 deletions.
6 changes: 3 additions & 3 deletions src/org/scada_lts/utils/SystemSettingsUtils.java
Expand Up @@ -70,7 +70,7 @@ private SystemSettingsUtils() {}
private static final String SECURITY_HTTP_QUERY_ACCESS_DENIED_REGEX_KEY = "scadalts.security.http.query.access.denied.regex";
private static final String SECURITY_HTTP_QUERY_ACCESS_GRANTED_REGEX_KEY = "scadalts.security.http.query.access.granted.regex";
private static final String SECURITY_HTTP_QUERY_LIMIT_KEY = "scadalts.security.http.query.limit";
private static final String SECURITY_HTTP_QUERY_XSS_ENABLED_KEY = "scadalts.security.http.query.xss.enabled";
private static final String SECURITY_HTTP_QUERY_PROTECT_ENABLED_KEY = "scadalts.security.http.query.protect.enabled";

private static final org.apache.commons.logging.Log LOG = LogFactory.getLog(SystemSettingsUtils.class);

Expand Down Expand Up @@ -572,9 +572,9 @@ public static int getSecurityHttpQueryLimit() {
}
}

public static boolean isSecurityHttpQueryXssEnabled() {
public static boolean isSecurityHttpQueryProtectEnabled() {
try {
String securityHttpQueryXssEnabled = ScadaConfig.getInstance().getConf().getProperty(SECURITY_HTTP_QUERY_XSS_ENABLED_KEY, "false");
String securityHttpQueryXssEnabled = ScadaConfig.getInstance().getConf().getProperty(SECURITY_HTTP_QUERY_PROTECT_ENABLED_KEY, "false");
return Boolean.parseBoolean(securityHttpQueryXssEnabled);
} catch (Exception e) {
LOG.error(e.getMessage());
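Review bot: Renaming the property key in the getProperty call of isSecurityHttpQueryProtectEnabled silently turns the protection off for any deployment whose env.properties still carries `scadalts.security.http.query.xss.enabled=true`, because the new key is absent there and the lookup falls back to `"false"`. A transition read of the old key would keep those installs protected, e.g. `getProperty(SECURITY_HTTP_QUERY_PROTECT_ENABLED_KEY, ScadaConfig.getInstance().getConf().getProperty("scadalts.security.http.query.xss.enabled", "false"))`, paired with a `LOG.warn` that the old key is deprecated. Since a missing or malformed value also resolves to false through `Boolean.parseBoolean`, logging when neither key is present would make a fail-open configuration visible at startup. The catch block continues outside the hunk; `LOG.error(e.getMessage(), e)` would preserve the stack trace of a configuration failure instead of only its message.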
4 changes: 2 additions & 2 deletions src/org/scada_lts/web/security/XssUtils.java
Expand Up @@ -12,11 +12,11 @@ private XssUtils() {}
private static final Pattern SECURITY_HTTP_ACCESS_DENIED_QUERY_REGEX = init(SystemSettingsUtils.getSecurityHttpQueryAccessDeniedRegex());
private static final Pattern SECURITY_HTTP_ACCESS_GRANTED_QUERY_REGEX = init(SystemSettingsUtils.getSecurityHttpQueryAccessGrantedRegex());
public static final int SECURITY_HTTP_ACCESS_GRANTED_QUERY_LIMIT = SystemSettingsUtils.getSecurityHttpQueryLimit();
public static final boolean SECURITY_HTTP_QUERY_XSS_ENABLED = SystemSettingsUtils.isSecurityHttpQueryXssEnabled();
public static final boolean SECURITY_HTTP_QUERY_PROTECT_ENABLED = SystemSettingsUtils.isSecurityHttpQueryProtectEnabled();

public static boolean validateHttpQuery(String query) {

if(!SECURITY_HTTP_QUERY_XSS_ENABLED)
if(!SECURITY_HTTP_QUERY_PROTECT_ENABLED)
return true;

if (query == null || query.isEmpty()) {
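Review bot: validateHttpQuery has no Javadoc, and the guard at its top is the only place that conveys what a false SECURITY_HTTP_QUERY_PROTECT_ENABLED means: every query, including null, is accepted before the null check and whatever deny/allow checks follow. A Javadoc such as `/** Returns whether the raw HTTP query passes the configured protection checks; unconditionally true when scadalts.security.http.query.protect.enabled is false, so callers must not treat true as "validated" in that mode. */` would make that explicit. The unbraced guard would also read more safely as `if (!SECURITY_HTTP_QUERY_PROTECT_ENABLED) { return true; }`. The method body continues outside the hunk.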
2 changes: 1 addition & 1 deletion test/env.properties
Expand Up @@ -189,7 +189,7 @@ http.protocol.allow-circular-redirects=false
http.protocol.timeout-ms=15000
event.assign.enabled=true

scadalts.security.http.query.xss.enabled=true
scadalts.security.http.query.protect.enabled=true
scadalts.security.http.query.limit=3900
scadalts.security.http.query.access.denied.regex=^(.*?(javascript:|onerror|onload|onmouseover|alert\\(){1}.*?)$
scadalts.security.http.query.access.granted.regex=^(([a-zA-Z0-9_\\-]{1,32}=[a-zA-Z0-9_\\-.,/+=\s!$*?@%]*&?)|([a-zA-Z0-9_\\-]{1,32}&?))+$
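Review bot: The access.denied.regex line in this test configuration keeps the old alternation, while the same line in webapp-resources/env.properties in this commit gains `script>|<script|/script>|</script`, so test and runtime deny lists now differ. If XssUtilsTest loads this file (not confirmable from the diff), the twelve new `<script` cases are rejected only because `<` and `>` fall outside the character class of the granted regex, not by the new deny patterns, and a regression in the runtime deny list would not be caught. Mirroring the runtime value here, `scadalts.security.http.query.access.denied.regex=^(.*?(script>|<script|/script>|</script|javascript:|onerror|onload|onmouseover|alert\\(){1}.*?)$`, keeps the two in sync.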
14 changes: 13 additions & 1 deletion test/org/scada_lts/web/security/XssUtilsTest.java
Expand Up @@ -94,7 +94,19 @@ public static Collection<Object[]> data() {
{"param1=123&param2=<img src=x onerror=alert(document.location)>", false},
{"param1=123&param2=<img src=x onerror=document.location>", false},
{"param1=alert(document.location)", false},
{"=abc", false}
{"=abc", false},
{"param1=<script>alert(document.location)", false},
{"param1=<scriptalert(document.location)", false},
{"param1=script>alert(document.location)", false},
{"param1=alert(document.location)</script>", false},
{"param1=alert(document.location)/script>", false},
{"param1=alert(document.location)</script", false},
{"param1=<script>document.location", false},
{"param1=<scriptdocument.location", false},
{"param1=script>document.location", false},
{"param1=document.location</script>", false},
{"param1=document.location/script>", false},
{"param1=document.location</script", false},
});
}

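Review bot: All twelve added rows expect false, so the table still has no positive control showing that an ordinary value containing the substring `script` survives the widened deny list. A row such as `{"param1=description", true}` would pin that the new `script>`/`<script` alternatives only fire on tag-like input. Because `<` and `>` are also outside the granted regex's character class, one row that is rejected by the deny list alone, e.g. `{"param1=onerror", false}` if not already present earlier in the table, would separate the two mechanisms. The data() method starts outside the hunk.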
4 changes: 2 additions & 2 deletions webapp-resources/env.properties
Expand Up @@ -187,7 +187,7 @@ http.protocol.allow-circular-redirects=false
http.protocol.timeout-ms=15000
event.assign.enabled=true

scadalts.security.http.query.xss.enabled=true
scadalts.security.http.query.protect.enabled=true
scadalts.security.http.query.limit=3900
scadalts.security.http.query.access.denied.regex=^(.*?(javascript:|onerror|onload|onmouseover|alert\\(){1}.*?)$
scadalts.security.http.query.access.denied.regex=^(.*?(script>|<script|/script>|</script|javascript:|onerror|onload|onmouseover|alert\\(){1}.*?)$
scadalts.security.http.query.access.granted.regex=^(([a-zA-Z0-9_\\-]{1,32}=[a-zA-Z0-9_\\-.,/+=\s!$*?@%]*&?)|([a-zA-Z0-9_\\-]{1,32}&?))+$
