
Example 1 with PolicyFactory

use of org.owasp.html.PolicyFactory in project mamute by caelum.

the class HtmlSanitizerTest method setUp.

@Before
public void setUp() {
    // Fixture configuration: the element/attribute whitelist the sanitizer is built from.
    envReturns(ALLOWED_ELEMENTS_KEY, "a, blockquote, code, em, h1, h2, hr, img, kbd, li, ol, p, pre, strong, ul, iframe");
    envReturns(ALLOWED_ATTRIBUTES_KEY_PREFIX + "a", "href");
    envReturns(ALLOWED_ATTRIBUTES_KEY_PREFIX + "pre", "class");
    envReturns(ALLOWED_ATTRIBUTES_KEY_PREFIX + "img", "src, alt, width, height");
    envReturns(ALLOWED_ATTRIBUTES_KEY_PREFIX + "iframe", "src, width, height, scrolling, frameborder");
    // Value pattern for one iframe attribute.
    // NOTE(review): the key names "href", which is not in the iframe attribute list above — confirm
    // whether "src" was intended. The pattern itself is unanchored and uses unescaped dots, so it
    // accepts more than the three embed hosts it lists; if production uses the same shape, tighten it there.
    envReturns(ALLOWED_ATTRIBUTES_KEY_PREFIX + "iframe" + ALLOWED_ATTRIBUTES_WHITELIST_KEY_SUFIX + "href", ".*soundcloud.com\\/tracks\\/.*|.*youtube.com\\/embed\\/.*|.*//player.vimeo.com\\/video\\/.*");
    // Assemble the OWASP policy from the configured builders and hand it to the sanitizer under test.
    final HtmlAttributesBuilder attributes = new HtmlAttributesBuilder(env);
    final HtmlElementsBuilder elements = new HtmlElementsBuilder(env, attributes);
    elements.setUp();
    final MamutePolicyProducer producer = new MamutePolicyProducer(elements);
    producer.setUp();
    htmlSanitizer = new HtmlSanitizer(producer.getInstance());
}

Example 2 with PolicyFactory

use of org.owasp.html.PolicyFactory in project cerberus-source by cerberustesting.

the class CreateBuildRevisionInvariant method processRequest.

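/**
 * Processes requests for both HTTP <code>GET</code> and <code>POST</code>
 * methods: creates a BuildRevisionInvariant from the {@code system},
 * {@code level}, {@code seq} and {@code versionname} parameters and writes
 * the outcome as a JSON object holding {@code messageType} and {@code message}.
 *
 * @param request servlet request
 * @param response servlet response
 * @throws ServletException if a servlet-specific error occurs
 * @throws IOException if an I/O error occurs
 * @throws org.cerberus.exception.CerberusException if the service layer reports one
 * @throws org.json.JSONException if the JSON answer cannot be assembled
 */
protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException, CerberusException, JSONException {
    JSONObject jsonResponse = new JSONObject();
    Answer ans = new Answer();
    // Start from the "unexpected error" answer; it is replaced once validation or the service has run.
    MessageEvent msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_UNEXPECTED);
    msg.setDescription(msg.getDescription().replace("%DESCRIPTION%", ""));
    ans.setResultMessage(msg);
    PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
    String charset = request.getCharacterEncoding();
    response.setContentType("application/json");
    // Calling Servlet Transversal Util.
    ServletUtil.servletStart(request);
    /**
     * Parsing and securing all required parameters.
     */
    // Parameters already controlled by the GUI (no need to decode) --> we SECURE them.
    // Only a failed numeric conversion is a client input error; any other exception is a
    // programming fault and is left to propagate instead of being silently swallowed.
    Integer seq = -1;
    boolean seqError = false;
    try {
        seq = parseSanitizedIntParameter(request, "seq", policy);
    } catch (NumberFormatException ex) {
        seqError = true;
    }
    Integer level = -1;
    boolean levelError = false;
    try {
        level = parseSanitizedIntParameter(request, "level", policy);
    } catch (NumberFormatException ex) {
        levelError = true;
    }
    // Parameters that need to be secured --> we SECURE+DECODE them.
    String system = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("system"), "", charset);
    String versionName = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("versionname"), "", charset);
    /**
     * Checking all constraints before calling the services.
     */
    if (StringUtil.isNullOrEmpty(system)) {
        ans.setResultMessage(createExpectedError("System name is missing!"));
    } else if (levelError) {
        ans.setResultMessage(createExpectedError("Could not manage to convert level to an integer value!"));
    } else if (seqError) {
        ans.setResultMessage(createExpectedError("Could not manage to convert sequence to an integer value!"));
    } else {
        /**
         * All data seems clean so we can call the services.
         */
        ApplicationContext appContext = WebApplicationContextUtils.getWebApplicationContext(this.getServletContext());
        IBuildRevisionInvariantService buildRevisionInvariantService = appContext.getBean(IBuildRevisionInvariantService.class);
        IFactoryBuildRevisionInvariant factoryBuildRevisionInvariant = appContext.getBean(IFactoryBuildRevisionInvariant.class);
        BuildRevisionInvariant buildRevisionInvariantData = factoryBuildRevisionInvariant.create(system, level, seq, versionName);
        ans = buildRevisionInvariantService.create(buildRevisionInvariantData);
        if (ans.isCodeEquals(MessageEventEnum.DATA_OPERATION_OK.getCode())) {
            /**
             * Object created. Adding Log entry.
             */
            ILogEventService logEventService = appContext.getBean(LogEventService.class);
            logEventService.createForPrivateCalls("/CreateBuildRevisionInvariant", "CREATE", "Create BuildRevisionInvariant : ['" + system + "'|'" + level + "'|'" + seq + "']", request);
        }
    }
    /**
     * Formatting and returning the json result.
     */
    jsonResponse.put("messageType", ans.getResultMessage().getMessage().getCodeString());
    jsonResponse.put("message", ans.getResultMessage().getDescription());
    response.getWriter().print(jsonResponse);
    response.getWriter().flush();
}

/**
 * Reads an integer request parameter that the GUI already controls, passing its
 * value through the HTML policy before parsing it.
 *
 * @param request servlet request
 * @param name parameter name
 * @param policy sanitizer applied to the raw value
 * @return -1 when the parameter is absent or empty, otherwise the parsed value
 * @throws NumberFormatException when the sanitized value is not an integer
 */
private static Integer parseSanitizedIntParameter(HttpServletRequest request, String name, PolicyFactory policy) {
    String raw = request.getParameter(name);
    if (raw == null || raw.isEmpty()) {
        return -1;
    }
    return Integer.valueOf(policy.sanitize(raw));
}

/**
 * Builds the "expected error" message for a failed Create of a BuildRevisionInvariant.
 *
 * @param reason human-readable reason substituted for {@code %REASON%}
 * @return the populated message event
 */
private static MessageEvent createExpectedError(String reason) {
    MessageEvent msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
    msg.setDescription(msg.getDescription().replace("%ITEM%", "BuildRevisionInvariant").replace("%OPERATION%", "Create").replace("%REASON%", reason));
    return msg;
}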

Example 3 with PolicyFactory

use of org.owasp.html.PolicyFactory in project cerberus-source by cerberustesting.

the class ReadBuildRevisionInvariant method processRequest.

/**
 * Processes requests for both HTTP <code>GET</code> and <code>POST</code>
 * methods. Depending on which parameters are present it returns a single
 * BuildRevisionInvariant (system + level + seq), the distinct values of one
 * column (columnName), or the list of objects; the result is written as JSON.
 *
 * @param request servlet request
 * @param response servlet response
 * @throws ServletException if a servlet-specific error occurs
 * @throws IOException if an I/O error occurs
 * @throws org.cerberus.exception.CerberusException if the lookup helpers report one
 */
protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException, CerberusException {
    // Echoed back unchanged under "sEcho" at the end of the response.
    String echo = request.getParameter("sEcho");
    ApplicationContext appContext = WebApplicationContextUtils.getWebApplicationContext(this.getServletContext());
    // Policy used to strip markup from the raw "level", "seq" and "system" parameters.
    PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
    response.setContentType("application/json");
    response.setCharacterEncoding("utf8");
    // Calling Servlet Transversal Util.
    ServletUtil.servletStart(request);
    // Default message to unexpected error.
    MessageEvent msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_UNEXPECTED);
    msg.setDescription(msg.getDescription().replace("%DESCRIPTION%", ""));
    /**
     * Parsing and securing all required parameters.
     */
    // The error flags default to true so that an absent or empty parameter also
    // fails the "single record" condition further down, not only a parse failure.
    Integer lvlid = -1;
    boolean lvlid_error = true;
    try {
        if (request.getParameter("level") != null && !request.getParameter("level").equals("")) {
            lvlid = Integer.valueOf(policy.sanitize(request.getParameter("level")));
            lvlid_error = false;
        }
    } catch (Exception ex) {
        // NOTE(review): Integer.valueOf is the only call here expected to throw (NumberFormatException);
        // catching Exception also hides any unexpected failure — consider narrowing.
        msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
        msg.setDescription(msg.getDescription().replace("%ITEM%", OBJECT_NAME));
        msg.setDescription(msg.getDescription().replace("%OPERATION%", "Read"));
        msg.setDescription(msg.getDescription().replace("%REASON%", "level must be an integer value."));
        lvlid_error = true;
    }
    Integer seqid = -1;
    boolean seqid_error = true;
    try {
        if (request.getParameter("seq") != null && !request.getParameter("seq").equals("")) {
            seqid = Integer.valueOf(policy.sanitize(request.getParameter("seq")));
            seqid_error = false;
        }
    } catch (Exception ex) {
        // Same broad catch as for "level"; a second parse failure overwrites the first message.
        msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
        msg.setDescription(msg.getDescription().replace("%ITEM%", OBJECT_NAME));
        msg.setDescription(msg.getDescription().replace("%OPERATION%", "Read"));
        msg.setDescription(msg.getDescription().replace("%REASON%", "id must be an integer value."));
        seqid_error = true;
    }
    // NOTE(review): "system" is sanitized before its presence is checked (the null check is in the
    // dispatch below) — confirm PolicyFactory.sanitize tolerates a null argument.
    String system = policy.sanitize(request.getParameter("system"));
    // Empty string when "columnName" is not supplied.
    String columnName = ParameterParserUtil.parseStringParam(request.getParameter("columnName"), "");
    // Global boolean on the servlet that define if the user has permition to edit and delete object.
    boolean userHasPermissions = request.isUserInRole("Integrator");
    // Init Answer with potencial error from Parsing parameter.
    AnswerItem answer = new AnswerItem(msg);
    try {
        JSONObject jsonResponse = new JSONObject();
        // Dispatch: full key present and parsed -> one record; column name only -> distinct values; otherwise -> list.
        if ((request.getParameter("system") != null) && (request.getParameter("level") != null) && !(lvlid_error) && (request.getParameter("seq") != null) && !(seqid_error)) {
            // ID parameter is specified so we return the unique record of object.
            answer = findBuildRevisionInvariantByKey(system, lvlid, seqid, appContext, userHasPermissions);
            jsonResponse = (JSONObject) answer.getItem();
        } else if (!Strings.isNullOrEmpty(columnName)) {
            // Only a column name was given: return its distinct values.
            answer = findDistinctValuesOfColumn(system, appContext, request, columnName);
            jsonResponse = (JSONObject) answer.getItem();
        } else {
            // Default behaviour, we return the list of objects.
            answer = findBuildRevisionInvariantList(system, lvlid, appContext, userHasPermissions, request);
            jsonResponse = (JSONObject) answer.getItem();
        }
        // The answer's own message (including any parse error carried over from above) is reported to the client.
        jsonResponse.put("messageType", answer.getResultMessage().getMessage().getCodeString());
        jsonResponse.put("message", answer.getResultMessage().getDescription());
        jsonResponse.put("sEcho", echo);
        response.getWriter().print(jsonResponse.toString());
    } catch (JSONException e) {
        LOG.warn(e);
        // returns a default error message with the json format that is able to be parsed by the client-side
        response.getWriter().print(AnswerUtil.createGenericErrorAnswer());
    }
}

Example 4 with PolicyFactory

use of org.owasp.html.PolicyFactory in project cerberus-source by cerberustesting.

the class UpdateBuildRevisionInvariant method processRequest.

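/**
 * Processes requests for both HTTP <code>GET</code> and <code>POST</code>
 * methods: looks up the BuildRevisionInvariant identified by {@code system},
 * {@code level} and {@code seq}, updates it with {@code versionname} and writes
 * the outcome as a JSON object holding {@code messageType} and {@code message}.
 *
 * @param request servlet request
 * @param response servlet response
 * @throws ServletException if a servlet-specific error occurs
 * @throws IOException if an I/O error occurs
 * @throws org.cerberus.exception.CerberusException if the service layer reports one
 * @throws org.json.JSONException if the JSON answer cannot be assembled
 */
protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException, CerberusException, JSONException {
    JSONObject jsonResponse = new JSONObject();
    Answer ans = new Answer();
    // Start from the "unexpected error" answer; it is replaced once validation or the service has run.
    MessageEvent msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_UNEXPECTED);
    msg.setDescription(msg.getDescription().replace("%DESCRIPTION%", ""));
    ans.setResultMessage(msg);
    PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
    String charset = request.getCharacterEncoding();
    response.setContentType("application/json");
    // Calling Servlet Transversal Util.
    ServletUtil.servletStart(request);
    /**
     * Parsing and securing all required parameters.
     */
    // Parameters already controlled by the GUI (no need to decode) --> we SECURE them.
    // Only a failed numeric conversion is a client input error; any other exception is a
    // programming fault and is left to propagate instead of being silently swallowed.
    Integer seq = -1;
    boolean seqError = false;
    try {
        seq = parseSanitizedIntParameter(request, "seq", policy);
    } catch (NumberFormatException ex) {
        seqError = true;
    }
    Integer level = -1;
    boolean levelError = false;
    try {
        level = parseSanitizedIntParameter(request, "level", policy);
    } catch (NumberFormatException ex) {
        levelError = true;
    }
    // Parameters that need to be secured --> we SECURE+DECODE them.
    String system = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("system"), "", charset);
    String versionName = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("versionname"), "", charset);
    /**
     * Checking all constraints before calling the services.
     */
    if (StringUtil.isNullOrEmpty(system)) {
        ans.setResultMessage(updateExpectedError("System name is missing!"));
    } else if (levelError) {
        ans.setResultMessage(updateExpectedError("Could not manage to convert level to an integer value!"));
    } else if (seqError) {
        ans.setResultMessage(updateExpectedError("Could not manage to convert sequence to an integer value!"));
    } else {
        /**
         * All data seems clean so we can call the services.
         */
        ApplicationContext appContext = WebApplicationContextUtils.getWebApplicationContext(this.getServletContext());
        IBuildRevisionInvariantService buildRevisionInvariantService = appContext.getBean(IBuildRevisionInvariantService.class);
        AnswerItem resp = buildRevisionInvariantService.readByKey(system, level, seq);
        if (!(resp.isCodeEquals(MessageEventEnum.DATA_OPERATION_OK.getCode()) && resp.getItem() != null)) {
            /**
             * Object could not be found. We stop here and report the error.
             */
            ans.setResultMessage(updateExpectedError("BuildRevisionInvariant does not exist."));
        } else {
            /**
             * The service was able to perform the query and confirm the
             * object exists, then we can update it.
             */
            BuildRevisionInvariant buildRevisionInvariantData = (BuildRevisionInvariant) resp.getItem();
            buildRevisionInvariantData.setSystem(system);
            buildRevisionInvariantData.setLevel(level);
            buildRevisionInvariantData.setSeq(seq);
            buildRevisionInvariantData.setVersionName(versionName);
            ans = buildRevisionInvariantService.update(buildRevisionInvariantData.getSystem(), buildRevisionInvariantData.getLevel(), buildRevisionInvariantData.getSeq(), buildRevisionInvariantData);
            if (ans.isCodeEquals(MessageEventEnum.DATA_OPERATION_OK.getCode())) {
                /**
                 * Update was successful. Adding Log entry.
                 */
                ILogEventService logEventService = appContext.getBean(LogEventService.class);
                logEventService.createForPrivateCalls("/UpdateBuildRevisionInvariant", "UPDATE", "Updated BuildRevisionInvariant : ['" + system + "'|'" + level + "'|'" + seq + "']", request);
            }
        }
    }
    /**
     * Formatting and returning the json result.
     */
    jsonResponse.put("messageType", ans.getResultMessage().getMessage().getCodeString());
    jsonResponse.put("message", ans.getResultMessage().getDescription());
    response.getWriter().print(jsonResponse);
    response.getWriter().flush();
}

/**
 * Reads an integer request parameter that the GUI already controls, passing its
 * value through the HTML policy before parsing it.
 *
 * @param request servlet request
 * @param name parameter name
 * @param policy sanitizer applied to the raw value
 * @return -1 when the parameter is absent or empty, otherwise the parsed value
 * @throws NumberFormatException when the sanitized value is not an integer
 */
private static Integer parseSanitizedIntParameter(HttpServletRequest request, String name, PolicyFactory policy) {
    String raw = request.getParameter(name);
    if (raw == null || raw.isEmpty()) {
        return -1;
    }
    return Integer.valueOf(policy.sanitize(raw));
}

/**
 * Builds the "expected error" message for a failed Update of a BuildRevisionInvariant.
 *
 * @param reason human-readable reason substituted for {@code %REASON%}
 * @return the populated message event
 */
private static MessageEvent updateExpectedError(String reason) {
    MessageEvent msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
    msg.setDescription(msg.getDescription().replace("%ITEM%", "BuildRevisionInvariant").replace("%OPERATION%", "Update").replace("%REASON%", reason));
    return msg;
}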

Example 5 with PolicyFactory

use of org.owasp.html.PolicyFactory in project cerberus-source by cerberustesting.

the class TCEwwwDetail method doGet.

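/**
 * Returns the www-detail rows of one test case execution as a DataTables JSON
 * payload ({@code aaData} plus the echoed {@code sEcho}).
 *
 * @param httpServletRequest servlet request; {@code id} selects the execution
 * @param httpServletResponse servlet response
 * @throws ServletException if a servlet-specific error occurs
 * @throws IOException if an I/O error occurs
 */
@Override
protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
    String echo = httpServletRequest.getParameter("sEcho");
    // DataTables paging/sorting parameters. A malformed value falls back to its default instead
    // of escaping as a NumberFormatException, which the container would turn into an HTTP 500.
    // NOTE(review): start/amount/col/dir are computed but not used further in this method.
    // String[] cols = {"id","execID","start","url",
    // "end","ext","statusCode","method","bytes","timeInMillis","reqHeader_Host","resHeader_ContentType"};
    int start = 0;
    int amount = 0;
    int col = 0;
    String dir = "asc";
    String sStart = httpServletRequest.getParameter("iDisplayStart");
    if (sStart != null) {
        start = Math.max(0, parseIntOrDefault(sStart, 0));
    }
    String sAmount = httpServletRequest.getParameter("iDisplayLength");
    if (sAmount != null) {
        amount = parseIntOrDefault(sAmount, 10);
        if (amount < 10 || amount > 100) {
            amount = 10;
        }
    }
    String sCol = httpServletRequest.getParameter("iSortCol_0");
    if (sCol != null) {
        col = parseIntOrDefault(sCol, 0);
        if (col < 0 || col > 5) {
            col = 0;
        }
    }
    String sdir = httpServletRequest.getParameter("sSortDir_0");
    if (sdir != null && !sdir.equals("asc")) {
        dir = "desc";
    }
    // String colName = cols[col];
    ApplicationContext appContext = WebApplicationContextUtils.getWebApplicationContext(this.getServletContext());
    ITestCaseExecutionwwwDetService tCEwwwDetService = appContext.getBean(ITestCaseExecutionwwwDetService.class);
    PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
    // A missing or non-numeric id is a client error, not a server fault: answer 400 instead of
    // letting Integer parsing (or a null sanitizer argument) blow up into a 500.
    String rawId = httpServletRequest.getParameter("id");
    String id = rawId == null ? "" : policy.sanitize(rawId);
    int executionId;
    try {
        executionId = Integer.parseInt(id);
    } catch (NumberFormatException e) {
        httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST, "parameter 'id' must be an integer");
        return;
    }
    List<TestCaseExecutionwwwDet> detailList = tCEwwwDetService.getListOfDetail(executionId);
    // data that will be shown in the table
    JSONArray data = new JSONArray();
    try {
        JSONObject jsonResponse = new JSONObject();
        for (TestCaseExecutionwwwDet detail : detailList) {
            JSONArray row = new JSONArray();
            row.put(detail.getId()).put(detail.getExecID()).put(detail.getStart()).put(detail.getUrl());
            row.put(detail.getEnd()).put(detail.getExt()).put(detail.getStatusCode()).put(detail.getMethod());
            row.put(detail.getBytes()).put(detail.getTimeInMillis()).put(detail.getReqHeader_Host()).put(detail.getResHeader_ContentType());
            data.put(row);
        }
        jsonResponse.put("aaData", data);
        jsonResponse.put("sEcho", echo);
        httpServletResponse.setContentType("application/json");
        httpServletResponse.getWriter().print(jsonResponse.toString());
    } catch (JSONException e) {
        // Report the failure as a server error in plain text; text/html would let the browser
        // interpret any markup that ends up in the exception message.
        httpServletResponse.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        httpServletResponse.setContentType("text/plain");
        httpServletResponse.getWriter().print(e.getMessage());
    }
}

/**
 * Parses a DataTables numeric parameter.
 *
 * @param raw the raw parameter value
 * @param def value returned when {@code raw} is not a valid integer
 * @return the parsed value or {@code def}
 */
private static int parseIntOrDefault(String raw, int def) {
    try {
        return Integer.parseInt(raw);
    } catch (NumberFormatException e) {
        return def;
    }
}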
