Use of org.owasp.html.PolicyFactory in project mamute by caelum.
Method setUp of class HtmlSanitizerTest.
@Before
public void setUp() {
    // Element whitelist read by HtmlElementsBuilder through the stubbed env.
    envReturns(ALLOWED_ELEMENTS_KEY, "a, blockquote, code, em, h1, h2, hr, img, kbd, li, ol, p, pre, strong, ul, iframe");
    // Per-element attribute whitelists.
    envReturns(ALLOWED_ATTRIBUTES_KEY_PREFIX + "a", "href");
    envReturns(ALLOWED_ATTRIBUTES_KEY_PREFIX + "pre", "class");
    envReturns(ALLOWED_ATTRIBUTES_KEY_PREFIX + "img", "src, alt, width, height");
    envReturns(ALLOWED_ATTRIBUTES_KEY_PREFIX + "iframe", "src, width, height, scrolling, frameborder");
    // Value pattern for iframe "href". NOTE(review): the key names "href" while the iframe
    // attribute list above only allows "src" — confirm which attribute the builder applies it
    // to. The alternatives are wrapped in ".*" with unescaped ".", so they accept any value that
    // merely contains one of the listed path fragments, not only URLs hosted on those domains.
    envReturns(ALLOWED_ATTRIBUTES_KEY_PREFIX + "iframe" + ALLOWED_ATTRIBUTES_WHITELIST_KEY_SUFIX + "href",
            ".*soundcloud.com\\/tracks\\/.*|.*youtube.com\\/embed\\/.*|.*//player.vimeo.com\\/video\\/.*");

    HtmlAttributesBuilder attributesBuilder = new HtmlAttributesBuilder(env);
    HtmlElementsBuilder elementsBuilder = new HtmlElementsBuilder(env, attributesBuilder);
    elementsBuilder.setUp();

    MamutePolicyProducer producer = new MamutePolicyProducer(elementsBuilder);
    producer.setUp();
    htmlSanitizer = new HtmlSanitizer(producer.getInstance());
}
Use of org.owasp.html.PolicyFactory in project cerberus-source by cerberustesting.
Method processRequest of class CreateBuildRevisionInvariant.
/**
 * Handles both HTTP {@code GET} and {@code POST}: creates a BuildRevisionInvariant from the
 * {@code system}, {@code level}, {@code seq} and {@code versionname} request parameters and
 * writes the outcome as a JSON object with {@code messageType} and {@code message}.
 *
 * <p>{@code level} and {@code seq} are passed through the OWASP FORMATTING+LINKS policy and then
 * parsed with {@link Integer#valueOf(String)}; the integer parse is what actually validates them,
 * the HTML sanitizer does not. An absent or empty value keeps the default {@code -1} and is not
 * reported as an error; only an unparsable value is.
 *
 * @param request servlet request
 * @param response servlet response
 * @throws ServletException if a servlet-specific error occurs
 * @throws IOException if an I/O error occurs
 * @throws CerberusException propagated from the service layer
 * @throws JSONException if the response object cannot be built
 */
protected void processRequest(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException, CerberusException, JSONException {
    // Default answer is "unexpected error"; it is replaced below by something more specific.
    MessageEvent message = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_UNEXPECTED);
    message.setDescription(message.getDescription().replace("%DESCRIPTION%", ""));
    Answer answer = new Answer();
    answer.setResultMessage(message);

    PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
    String charset = request.getCharacterEncoding();
    response.setContentType("application/json");
    ServletUtil.servletStart(request);

    // GUI-controlled parameters: sanitized, not decoded.
    Integer sequence = -1;
    boolean sequenceUnparsable = false;
    String rawSequence = request.getParameter("seq");
    if (rawSequence != null && !rawSequence.equals("")) {
        try {
            sequence = Integer.valueOf(policy.sanitize(rawSequence));
        } catch (Exception ex) {
            sequenceUnparsable = true;
        }
    }

    Integer level = -1;
    boolean levelUnparsable = false;
    String rawLevel = request.getParameter("level");
    if (rawLevel != null && !rawLevel.equals("")) {
        try {
            level = Integer.valueOf(policy.sanitize(rawLevel));
        } catch (Exception ex) {
            levelUnparsable = true;
        }
    }

    // Free-text parameters: decoded with the request charset and sanitized.
    String system = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("system"), "", charset);
    String versionName = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("versionname"), "", charset);

    // First failing constraint wins; the service is only called when none failed.
    String rejectionReason = null;
    if (StringUtil.isNullOrEmpty(system)) {
        rejectionReason = "System name is missing!";
    } else if (levelUnparsable) {
        rejectionReason = "Could not manage to convert level to an integer value!";
    } else if (sequenceUnparsable) {
        rejectionReason = "Could not manage to convert sequence to an integer value!";
    }

    if (rejectionReason != null) {
        message = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
        message.setDescription(message.getDescription()
                .replace("%ITEM%", "BuildRevisionInvariant")
                .replace("%OPERATION%", "Create")
                .replace("%REASON%", rejectionReason));
        answer.setResultMessage(message);
    } else {
        ApplicationContext appContext = WebApplicationContextUtils.getWebApplicationContext(this.getServletContext());
        IBuildRevisionInvariantService service = appContext.getBean(IBuildRevisionInvariantService.class);
        IFactoryBuildRevisionInvariant factory = appContext.getBean(IFactoryBuildRevisionInvariant.class);
        BuildRevisionInvariant data = factory.create(system, level, sequence, versionName);
        answer = service.create(data);
        if (answer.isCodeEquals(MessageEventEnum.DATA_OPERATION_OK.getCode())) {
            // Audit entry; the values logged are the sanitized ones that were persisted.
            ILogEventService logEventService = appContext.getBean(LogEventService.class);
            logEventService.createForPrivateCalls("/CreateBuildRevisionInvariant", "CREATE",
                    "Create BuildRevisionInvariant : ['" + system + "'|'" + level + "'|'" + sequence + "']", request);
        }
    }

    JSONObject jsonResponse = new JSONObject();
    jsonResponse.put("messageType", answer.getResultMessage().getMessage().getCodeString());
    jsonResponse.put("message", answer.getResultMessage().getDescription());
    response.getWriter().print(jsonResponse);
    response.getWriter().flush();
}
Use of org.owasp.html.PolicyFactory in project cerberus-source by cerberustesting.
Method processRequest of class ReadBuildRevisionInvariant.
/**
 * Handles both HTTP {@code GET} and {@code POST} for reading BuildRevisionInvariant data.
 * Depending on the parameters present it returns the single record identified by
 * ({@code system}, {@code level}, {@code seq}), the distinct values of {@code columnName}, or the
 * list; the JSON payload always carries {@code messageType}, {@code message} and the DataTables
 * {@code sEcho} token echoed back unchanged.
 *
 * <p>{@code level} and {@code seq} are HTML-sanitized and then parsed with
 * {@link Integer#valueOf(String)}. A missing, empty or unparsable value leaves the corresponding
 * error flag set, so the by-key branch is only taken when both parsed. {@code system} is
 * sanitized but not URL-decoded.
 *
 * @param request servlet request
 * @param response servlet response
 * @throws ServletException if a servlet-specific error occurs
 * @throws IOException if an I/O error occurs
 * @throws CerberusException propagated from the service layer
 */
protected void processRequest(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException, CerberusException {
    String echo = request.getParameter("sEcho");
    ApplicationContext appContext = WebApplicationContextUtils.getWebApplicationContext(this.getServletContext());
    PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
    response.setContentType("application/json");
    response.setCharacterEncoding("utf8");
    ServletUtil.servletStart(request);

    // Default message: unexpected error. A parse failure below replaces it.
    MessageEvent message = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_UNEXPECTED);
    message.setDescription(message.getDescription().replace("%DESCRIPTION%", ""));

    // level: the flag stays set unless a value was present and parsed.
    Integer levelId = -1;
    boolean levelInvalid = true;
    String rawLevel = request.getParameter("level");
    if (rawLevel != null && !rawLevel.equals("")) {
        try {
            levelId = Integer.valueOf(policy.sanitize(rawLevel));
            levelInvalid = false;
        } catch (Exception ex) {
            message = readRejected("level must be an integer value.");
            levelInvalid = true;
        }
    }

    // seq: same rule; a later failure here overrides the level message.
    Integer seqId = -1;
    boolean seqInvalid = true;
    String rawSeq = request.getParameter("seq");
    if (rawSeq != null && !rawSeq.equals("")) {
        try {
            seqId = Integer.valueOf(policy.sanitize(rawSeq));
            seqInvalid = false;
        } catch (Exception ex) {
            message = readRejected("id must be an integer value.");
            seqInvalid = true;
        }
    }

    String system = policy.sanitize(request.getParameter("system"));
    String columnName = ParameterParserUtil.parseStringParam(request.getParameter("columnName"), "");
    // Whether the caller may edit/delete; forwarded so the payload can expose the right actions.
    boolean userHasPermissions = request.isUserInRole("Integrator");

    // Seeds the answer with any parse error collected above.
    AnswerItem answer = new AnswerItem(message);
    try {
        // A cleared error flag already implies the parameter was present and non-empty.
        boolean keyGiven = request.getParameter("system") != null && !levelInvalid && !seqInvalid;
        if (keyGiven) {
            answer = findBuildRevisionInvariantByKey(system, levelId, seqId, appContext, userHasPermissions);
        } else if (!Strings.isNullOrEmpty(columnName)) {
            answer = findDistinctValuesOfColumn(system, appContext, request, columnName);
        } else {
            answer = findBuildRevisionInvariantList(system, levelId, appContext, userHasPermissions, request);
        }
        JSONObject jsonResponse = (JSONObject) answer.getItem();
        jsonResponse.put("messageType", answer.getResultMessage().getMessage().getCodeString());
        jsonResponse.put("message", answer.getResultMessage().getDescription());
        jsonResponse.put("sEcho", echo);
        response.getWriter().print(jsonResponse.toString());
    } catch (JSONException e) {
        LOG.warn(e);
        // Fall back to a generic error payload the client can still parse.
        response.getWriter().print(AnswerUtil.createGenericErrorAnswer());
    }
}

/**
 * Builds the "expected error" event for a Read on {@code OBJECT_NAME} with the given reason.
 *
 * @param reason text substituted for {@code %REASON%}
 * @return the populated event
 */
private MessageEvent readRejected(String reason) {
    MessageEvent event = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
    event.setDescription(event.getDescription().replace("%ITEM%", OBJECT_NAME));
    event.setDescription(event.getDescription().replace("%OPERATION%", "Read"));
    event.setDescription(event.getDescription().replace("%REASON%", reason));
    return event;
}
Use of org.owasp.html.PolicyFactory in project cerberus-source by cerberustesting.
Method processRequest of class UpdateBuildRevisionInvariant.
/**
 * Handles both HTTP {@code GET} and {@code POST}: updates the BuildRevisionInvariant identified
 * by ({@code system}, {@code level}, {@code seq}) with the given {@code versionname} and writes
 * the outcome as a JSON object with {@code messageType} and {@code message}.
 *
 * <p>{@code level} and {@code seq} are passed through the OWASP FORMATTING+LINKS policy and then
 * parsed with {@link Integer#valueOf(String)}; the integer parse is what actually validates them.
 * An absent or empty value keeps the default {@code -1} without raising an error. The record is
 * read back before the update and a miss is reported as an expected error.
 *
 * @param request servlet request
 * @param response servlet response
 * @throws ServletException if a servlet-specific error occurs
 * @throws IOException if an I/O error occurs
 * @throws CerberusException propagated from the service layer
 * @throws JSONException if the response object cannot be built
 */
protected void processRequest(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException, CerberusException, JSONException {
    // Default answer is "unexpected error"; replaced below by something more specific.
    MessageEvent message = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_UNEXPECTED);
    message.setDescription(message.getDescription().replace("%DESCRIPTION%", ""));
    Answer answer = new Answer();
    answer.setResultMessage(message);

    PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
    String charset = request.getCharacterEncoding();
    response.setContentType("application/json");
    ServletUtil.servletStart(request);

    // GUI-controlled parameters: sanitized, not decoded.
    Integer sequence = -1;
    boolean sequenceUnparsable = false;
    String rawSequence = request.getParameter("seq");
    if (rawSequence != null && !rawSequence.equals("")) {
        try {
            sequence = Integer.valueOf(policy.sanitize(rawSequence));
        } catch (Exception ex) {
            sequenceUnparsable = true;
        }
    }

    Integer level = -1;
    boolean levelUnparsable = false;
    String rawLevel = request.getParameter("level");
    if (rawLevel != null && !rawLevel.equals("")) {
        try {
            level = Integer.valueOf(policy.sanitize(rawLevel));
        } catch (Exception ex) {
            levelUnparsable = true;
        }
    }

    // Free-text parameters: decoded with the request charset and sanitized.
    String system = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("system"), "", charset);
    String versionName = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("versionname"), "", charset);

    if (StringUtil.isNullOrEmpty(system)) {
        answer.setResultMessage(updateRejected("System name is missing!"));
    } else if (levelUnparsable) {
        answer.setResultMessage(updateRejected("Could not manage to convert level to an integer value!"));
    } else if (sequenceUnparsable) {
        answer.setResultMessage(updateRejected("Could not manage to convert sequence to an integer value!"));
    } else {
        ApplicationContext appContext = WebApplicationContextUtils.getWebApplicationContext(this.getServletContext());
        IBuildRevisionInvariantService service = appContext.getBean(IBuildRevisionInvariantService.class);
        AnswerItem existing = service.readByKey(system, level, sequence);
        if (!existing.isCodeEquals(MessageEventEnum.DATA_OPERATION_OK.getCode()) || existing.getItem() == null) {
            // Nothing to update: report and fall through to the JSON output.
            answer.setResultMessage(updateRejected("BuildRevisionInvariant does not exist."));
        } else {
            BuildRevisionInvariant data = (BuildRevisionInvariant) existing.getItem();
            data.setSystem(system);
            data.setLevel(level);
            data.setSeq(sequence);
            data.setVersionName(versionName);
            // Key values are re-read from the entity rather than the raw parameters.
            answer = service.update(data.getSystem(), data.getLevel(), data.getSeq(), data);
            if (answer.isCodeEquals(MessageEventEnum.DATA_OPERATION_OK.getCode())) {
                // Audit entry; the values logged are the sanitized ones that were persisted.
                ILogEventService logEventService = appContext.getBean(LogEventService.class);
                logEventService.createForPrivateCalls("/UpdateBuildRevisionInvariant", "UPDATE",
                        "Updated BuildRevisionInvariant : ['" + system + "'|'" + level + "'|'" + sequence + "']", request);
            }
        }
    }

    JSONObject jsonResponse = new JSONObject();
    jsonResponse.put("messageType", answer.getResultMessage().getMessage().getCodeString());
    jsonResponse.put("message", answer.getResultMessage().getDescription());
    response.getWriter().print(jsonResponse);
    response.getWriter().flush();
}

/**
 * Builds the "expected error" event for an Update on BuildRevisionInvariant with the given reason.
 *
 * @param reason text substituted for {@code %REASON%}
 * @return the populated event
 */
private static MessageEvent updateRejected(String reason) {
    MessageEvent event = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
    event.setDescription(event.getDescription()
            .replace("%ITEM%", "BuildRevisionInvariant")
            .replace("%OPERATION%", "Update")
            .replace("%REASON%", reason));
    return event;
}
Use of org.owasp.html.PolicyFactory in project cerberus-source by cerberustesting.
Method doGet of class TCEwwwDetail.
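/**
 * Serves the DataTables request for the www details of one test case execution.
 *
 * <p>Reads {@code id} (the execution id), HTML-sanitizes it and parses it as an integer; a
 * missing or non-numeric value is answered with {@code 400 Bad Request} instead of letting a
 * {@link NumberFormatException} escape as a 500. Every row returned by
 * {@code ITestCaseExecutionwwwDetService#getListOfDetail} is written as an {@code aaData} entry
 * together with the echoed {@code sEcho} token.
 *
 * <p>The DataTables paging/sorting parameters ({@code iDisplayStart}, {@code iDisplayLength},
 * {@code iSortCol_0}, {@code sSortDir_0}) used to be parsed but were never applied — the whole
 * list is returned regardless — so they are no longer read; malformed values therefore can no
 * longer fail the request either.
 *
 * @param httpServletRequest servlet request
 * @param httpServletResponse servlet response
 * @throws ServletException if a servlet-specific error occurs
 * @throws IOException if writing the response fails
 */
@Override
protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse)
        throws ServletException, IOException {
    String echo = httpServletRequest.getParameter("sEcho");

    PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
    String rawId = httpServletRequest.getParameter("id");
    int executionId;
    try {
        // The HTML sanitizer is not a numeric check; Integer.parseInt is what validates the value.
        executionId = Integer.parseInt(policy.sanitize(rawId == null ? "" : rawId));
    } catch (NumberFormatException ex) {
        httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST, "Parameter 'id' must be an integer.");
        return;
    }

    ApplicationContext appContext = WebApplicationContextUtils.getWebApplicationContext(this.getServletContext());
    ITestCaseExecutionwwwDetService detailService = appContext.getBean(ITestCaseExecutionwwwDetService.class);
    List<TestCaseExecutionwwwDet> details = detailService.getListOfDetail(executionId);

    try {
        JSONArray data = new JSONArray();
        for (TestCaseExecutionwwwDet detail : details) {
            JSONArray row = new JSONArray();
            row.put(detail.getId())
                    .put(detail.getExecID())
                    .put(detail.getStart())
                    .put(detail.getUrl())
                    .put(detail.getEnd())
                    .put(detail.getExt())
                    .put(detail.getStatusCode())
                    .put(detail.getMethod())
                    .put(detail.getBytes())
                    .put(detail.getTimeInMillis())
                    .put(detail.getReqHeader_Host())
                    .put(detail.getResHeader_ContentType());
            data.put(row);
        }
        JSONObject jsonResponse = new JSONObject();
        jsonResponse.put("aaData", data);
        jsonResponse.put("sEcho", echo);
        httpServletResponse.setContentType("application/json");
        httpServletResponse.getWriter().print(jsonResponse.toString());
    } catch (JSONException e) {
        // Report a generic failure rather than echoing exception text to the client as HTML.
        httpServletResponse.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        httpServletResponse.setContentType("text/plain");
        httpServletResponse.getWriter().print("Unable to build the JSON response.");
    }
}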