[jira] [Commented] (SLING-11525) Update dependency for sling.api v2.26.0 compatibility
[ https://issues.apache.org/jira/browse/SLING-11525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=1752#comment-1752 ]

Carsten Ziegeler commented on SLING-11525:
------------------------------------------

[~enorman] What is causing this narrow version import? Seems to be the usermanager is implementing a ProviderType interface, which it should not do.

> Update dependency for sling.api v2.26.0 compatibility
> -----------------------------------------------------
>
>                 Key: SLING-11525
>                 URL: https://issues.apache.org/jira/browse/SLING-11525
>             Project: Sling
>          Issue Type: Improvement
>            Reporter: Eric Norman
>            Assignee: Eric Norman
>            Priority: Major
>             Fix For: JCR Jackrabbit User Manager 2.2.24
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Update dependency for compatibility with sling.api v2.26.0
> Resolves this error:
> {code:java}
> [ERROR] [bundle-packages] org.apache.sling:org.apache.sling.jcr.jackrabbit.usermanager:2.2.22: Bundle is importing package org.apache.sling.api.request;version=[2.6,2.7) with start order 20 but no bundle is exporting these for that start order in the required version range.
> {code}

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
Re: [VOTE] Release Apache Sling Resource Resolver 1.10.0, Apache Sling Scripting HTL JS Use Provider 1.2.8, Apache Sling Scripting HTL Engine 1.4.20-1.4.0, Apache Sling Servlets Resolver 2.9.8, Apache
+1

However, this set of new bundles cannot be added to the starter yet as there is a conflict with the *org.apache.sling.jcr.jackrabbit.usermanager* artifact. I started SLING-11525 to track the problem and prepared a PR that fixes the problem. That PR is blocked until these bundles are released and available on central.

Regards,
Eric

On Mon, Aug 8, 2022 at 9:10 AM Radu Cotescu wrote:

> Hi,
>
> We solved 18 issues in these releases:
> https://issues.apache.org/jira/browse/SLING/fixforversion/12351841
> https://issues.apache.org/jira/browse/SLING/fixforversion/12352164
> https://issues.apache.org/jira/browse/SLING/fixforversion/12352163
> https://issues.apache.org/jira/browse/SLING/fixforversion/12351808
> https://issues.apache.org/jira/browse/SLING/fixforversion/12351863
> https://issues.apache.org/jira/browse/SLING/fixforversion/12352083
> https://issues.apache.org/jira/browse/SLING/fixforversion/12350470
>
> Staging repository:
> https://repository.apache.org/content/repositories/orgapachesling-2662/
>
> You can use this UNIX script to download the release and verify the signatures:
>
> https://gitbox.apache.org/repos/asf?p=sling-tooling-release.git;a=blob;f=check_staged_release.sh;hb=HEAD
>
> Usage:
> sh check_staged_release.sh 2662 /tmp/sling-staging
>
> Please vote to approve this release:
>
> [ ] +1 Approve the release
> [ ] 0 Don't care
> [ ] -1 Don't release, because ...
>
> This majority vote is open for at least 72 hours.
>
> Regards,
> Radu Cotescu
[GitHub] [sling-org-apache-sling-jcr-jackrabbit-usermanager] enapps-enorman commented on pull request #14: SLING-11525 Update dependency for sling.api v2.26.0 compatibility
enapps-enorman commented on PR #14: URL: https://github.com/apache/sling-org-apache-sling-jcr-jackrabbit-usermanager/pull/14#issuecomment-1210036938 FYI: This PR won't build until org.apache.sling.api:2.26.0 is available on central -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@sling.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [sling-org-apache-sling-jcr-jackrabbit-usermanager] enapps-enorman opened a new pull request, #14: SLING-11525 Update dependency for sling.api v2.26.0 compatibility
enapps-enorman opened a new pull request, #14:
URL: https://github.com/apache/sling-org-apache-sling-jcr-jackrabbit-usermanager/pull/14

Update dependency for compatibility with sling.api v2.26.0

Resolves this error from the feature analyzer:

`[ERROR] [bundle-packages] org.apache.sling:org.apache.sling.jcr.jackrabbit.usermanager:2.2.22: Bundle is importing package org.apache.sling.api.request;version=[2.6,2.7) with start order 20 but no bundle is exporting these for that start order in the required version range.`
[jira] [Updated] (SLING-6767) Jackrabbit Usermanager: Allow to detect whether a POST request was treated by the default POST servlet or the jackrabbit.usermanager
[ https://issues.apache.org/jira/browse/SLING-6767?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eric Norman updated SLING-6767:
-------------------------------
    Fix Version/s:     (was: JCR Jackrabbit User Manager 2.2.24)

> Jackrabbit Usermanager: Allow to detect whether a POST request was treated by the default POST servlet or the jackrabbit.usermanager
> ------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SLING-6767
>                 URL: https://issues.apache.org/jira/browse/SLING-6767
>             Project: Sling
>          Issue Type: Improvement
>          Components: JCR
>            Reporter: Konrad Windszus
>            Priority: Major
>
> Currently it is impossible to tell from the response whether a POST request has been answered by either the Default Sling POST servlet or the Jackrabbit Usermanager. Both the JSON and the HTML look exactly the same no matter who answered. It should be possible to see from the client-side whether a request has been treated by one or the other.
[jira] [Updated] (SLING-11525) Update dependency for sling.api v2.26.0 compatibility
[ https://issues.apache.org/jira/browse/SLING-11525?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eric Norman updated SLING-11525:
--------------------------------
    Description:
Update dependency for compatibility with sling.api v2.26.0

Resolves this error:
{code:java}
[ERROR] [bundle-packages] org.apache.sling:org.apache.sling.jcr.jackrabbit.usermanager:2.2.22: Bundle is importing package org.apache.sling.api.request;version=[2.6,2.7) with start order 20 but no bundle is exporting these for that start order in the required version range.
{code}

  was:
Update dependency for compatibility with sling.api v2.25.0

Resolves this error:
{code}
[ERROR] [bundle-packages] org.apache.sling:org.apache.sling.jcr.jackrabbit.usermanager:2.2.22: Bundle is importing package org.apache.sling.api.request;version=[2.6,2.7) with start order 20 but no bundle is exporting these for that start order in the required version range.
{code}

> Update dependency for sling.api v2.26.0 compatibility
> -----------------------------------------------------
>
>                 Key: SLING-11525
>                 URL: https://issues.apache.org/jira/browse/SLING-11525
>             Project: Sling
>          Issue Type: Improvement
>            Reporter: Eric Norman
>            Assignee: Eric Norman
>            Priority: Major
>             Fix For: JCR Jackrabbit User Manager 2.2.24
>
> Update dependency for compatibility with sling.api v2.26.0
> Resolves this error:
> {code:java}
> [ERROR] [bundle-packages] org.apache.sling:org.apache.sling.jcr.jackrabbit.usermanager:2.2.22: Bundle is importing package org.apache.sling.api.request;version=[2.6,2.7) with start order 20 but no bundle is exporting these for that start order in the required version range.
> {code}
[jira] [Created] (SLING-11525) Update dependency for sling.api v2.26.0 compatibility
Eric Norman created SLING-11525:
-----------------------------------

             Summary: Update dependency for sling.api v2.26.0 compatibility
                 Key: SLING-11525
                 URL: https://issues.apache.org/jira/browse/SLING-11525
             Project: Sling
          Issue Type: Improvement
            Reporter: Eric Norman
            Assignee: Eric Norman
             Fix For: JCR Jackrabbit User Manager 2.2.24

Update dependency for compatibility with sling.api v2.25.0

Resolves this error:
{code}
[ERROR] [bundle-packages] org.apache.sling:org.apache.sling.jcr.jackrabbit.usermanager:2.2.22: Bundle is importing package org.apache.sling.api.request;version=[2.6,2.7) with start order 20 but no bundle is exporting these for that start order in the required version range.
{code}
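The analyzer error quoted in this ticket, and the "narrow version import" Carsten asks about in his comment, come down to OSGi import-range arithmetic: when a bundle is compiled against a package exported at 2.6, bnd derives the range [2.6,2.7) if the package is marked ProviderType (or the bundle implements a ProviderType interface) and [2.6,3) if it is ConsumerType, and the narrower range stops resolving as soon as the exported package reaches 2.7. The script below is an added example for this thread, not Sling project code or anything from the ticket. It parses an Import-Package header and OSGi version ranges, lists the imports that no export satisfies, and shows the two ranges bnd would derive. Only the `org.apache.sling.api.request;version="[2.6,2.7)"` clause is taken from the ticket; the second clause and both export versions (including 2.7.0 for the request package) are constructed assumptions, not sling.api's actual versions.

```python
# Added example: check an OSGi Import-Package header against the package
# versions an installation exports. Not Sling project code.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, str]
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.([\w-]+))?$")


def parse_version(text: str) -> Version:
    """Parse 'major[.minor[.micro[.qualifier]]]' into a tuple that orders like OSGi versions."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"not an OSGi version: {text!r}")
    major, minor, micro, qualifier = match.groups()
    return int(major), int(minor or 0), int(micro or 0), qualifier or ""


def _fmt(version: Version) -> str:
    base = ".".join(str(part) for part in version[:3])
    return f"{base}.{version[3]}" if version[3] else base


@dataclass(frozen=True)
class VersionRange:
    low: Version
    low_inclusive: bool
    high: Optional[Version]  # None: no upper bound, a bare "2.6" means [2.6,inf)
    high_inclusive: bool

    @classmethod
    def parse(cls, text: str) -> "VersionRange":
        text = text.strip().strip('"')
        if text[0] in "[(":
            if text[-1] not in "])":
                raise ValueError(f"unterminated range: {text!r}")
            low, high = text[1:-1].split(",")
            return cls(parse_version(low), text[0] == "[", parse_version(high), text[-1] == "]")
        return cls(parse_version(text), True, None, False)

    def contains(self, version: Version) -> bool:
        if version < self.low or (version == self.low and not self.low_inclusive):
            return False
        if self.high is None:
            return True
        return version < self.high or (version == self.high and self.high_inclusive)

    def __str__(self) -> str:
        if self.high is None:
            return _fmt(self.low)
        return ("[" if self.low_inclusive else "(") + _fmt(self.low) + "," + _fmt(self.high) + ("]" if self.high_inclusive else ")")


def _split_outside_quotes(text: str, sep: str) -> List[str]:
    """Split on sep, but not inside double quotes: a range carries a comma of its own."""
    parts, current, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [part for part in parts if part.strip()]


def parse_import_package(header: str) -> Dict[str, Optional[VersionRange]]:
    """Map every imported package to its version range (None when the import is unversioned)."""
    imports: Dict[str, Optional[VersionRange]] = {}
    for clause in _split_outside_quotes(header, ","):
        parts = _split_outside_quotes(clause, ";")
        version_range = None
        for attribute in parts[1:]:
            key, _, value = attribute.partition("=")
            if key.strip() == "version":
                version_range = VersionRange.parse(value)
        imports[parts[0].strip()] = version_range
    return imports


def unresolved_imports(header: str, exports: Dict[str, str]) -> List[Tuple[str, Optional[VersionRange], Optional[str]]]:
    """Imports that cannot be wired: (package, required range, exported version or None)."""
    problems = []
    for package, version_range in parse_import_package(header).items():
        exported = exports.get(package)
        if exported is None:
            problems.append((package, version_range, None))
        elif version_range is not None and not version_range.contains(parse_version(exported)):
            problems.append((package, version_range, exported))
    return problems


def bnd_import_range(export_version: str, provider_type: bool) -> VersionRange:
    """Range bnd derives when compiling against export_version:
    [M.m,M.m+1) for a ProviderType package, [M.m,M+1) for a ConsumerType package."""
    major, minor, _, _ = parse_version(export_version)
    high = (major, minor + 1, 0, "") if provider_type else (major + 1, 0, 0, "")
    return VersionRange((major, minor, 0, ""), True, high, False)


# Constructed sample input: only the first clause comes from the ticket; the
# second clause and both export versions are assumptions made for this example.
SAMPLE_IMPORT_PACKAGE = (
    'org.apache.sling.api.request;version="[2.6,2.7)",'
    'org.apache.sling.api.resource;version="[2.12,3)"'
)
SAMPLE_EXPORTS = {
    "org.apache.sling.api.request": "2.7.0",
    "org.apache.sling.api.resource": "2.13.0",
}

if __name__ == "__main__":
    for package, version_range, exported in unresolved_imports(SAMPLE_IMPORT_PACKAGE, SAMPLE_EXPORTS):
        print(f"{package}: requires {version_range}, exported {exported}")
    for provider_type in (False, True):
        kind = "ProviderType" if provider_type else "ConsumerType"
        print(f"{kind} import of a 2.6.0 export gets {bnd_import_range('2.6.0', provider_type)}")
```

Run it against a real bundle by pasting the `Import-Package` value from `META-INF/MANIFEST.MF` and the `Export-Package` versions of the target installation; the one import it reports for the sample is exactly the request package, and the two derived ranges show why a ConsumerType import of the same package would have survived the 2.7 bump.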
[GitHub] [sling-maven-plugin] sonarcloud[bot] commented on pull request #6: SLING-11522 update Maven plugins, dependencies and parent
sonarcloud[bot] commented on PR #6:
URL: https://github.com/apache/sling-maven-plugin/pull/6#issuecomment-1209831608

SonarCloud Quality Gate failed.

0 Bugs (A), 0 Vulnerabilities (A), 0 Security Hotspots (A), 0 Code Smells (A), 0.0% Coverage, 0.0% Duplication.
[GitHub] [sling-maven-plugin] kwin commented on a diff in pull request #6: SLING-11522 update Maven plugins, dependencies and parent
kwin commented on code in PR #6: URL: https://github.com/apache/sling-maven-plugin/pull/6#discussion_r941694580 ## sling-maven-plugin/src/main/java/org/apache/sling/maven/bundlesupport/BundleInstallFileMojo.java: ## 
@@ -17,24 +17,24 @@ package org.apache.sling.maven.bundlesupport; -import java.util.ArrayList; +import java.io.File; import java.util.List; -import org.apache.maven.artifact.Artifact; -import org.apache.maven.artifact.repository.ArtifactRepository; -import org.apache.maven.artifact.repository.ArtifactRepositoryFactory; -import org.apache.maven.artifact.repository.ArtifactRepositoryPolicy; -import org.apache.maven.artifact.repository.layout.ArtifactRepositoryLayout; -import org.apache.maven.artifact.resolver.AbstractArtifactResolutionException; -import org.apache.maven.artifact.resolver.ArtifactResolver; import org.apache.maven.plugin.MojoExecutionException; import org.apache.maven.plugins.annotations.Component; import org.apache.maven.plugins.annotations.Mojo; import org.apache.maven.plugins.annotations.Parameter; import org.codehaus.plexus.util.StringUtils; +import org.eclipse.aether.RepositorySystem; +import org.eclipse.aether.RepositorySystemSession; +import org.eclipse.aether.artifact.DefaultArtifact; +import org.eclipse.aether.repository.RemoteRepository; +import org.eclipse.aether.resolution.ArtifactRequest; +import org.eclipse.aether.resolution.ArtifactResolutionException; +import org.eclipse.aether.resolution.ArtifactResult; /** - * Install an OSGi bundle to a running Sling instance. + * Install an OSGi bundle from a given file path or Maven coordinates (resolved from the repository) to a running Sling instance. Review Comment: I filed https://issues.apache.org/jira/browse/SLING-11524 for an improvement. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@sling.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
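Review bot: the new class javadoc promises installation "from a given file path or Maven coordinates (resolved from the repository)", and the added `org.eclipse.aether.repository.RemoteRepository`, `ArtifactRequest` and `ArtifactResult` imports mean the goal can now fetch an artifact over the network and push it straight into a running instance; the goal's parameter documentation should state which repositories are consulted (the project's remote repositories vs. the local repository only) and that whatever resolves is what gets deployed, so an unpinned version or a misconfigured mirror does not silently change the installed bundle. Separately, `org.codehaus.plexus.util.StringUtils` survives the import cleanup while every `org.apache.maven.artifact.*` import is removed; confirm it is still referenced after the switch to Aether so the hunk does not leave an unused import behind.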
[jira] [Created] (SLING-11524) install goal: Use always the artifact file from the underlying Maven project
Konrad Windszus created SLING-11524:
---------------------------------------

             Summary: install goal: Use always the artifact file from the underlying Maven project
                 Key: SLING-11524
                 URL: https://issues.apache.org/jira/browse/SLING-11524
             Project: Sling
          Issue Type: Improvement
            Reporter: Konrad Windszus
            Assignee: Konrad Windszus
             Fix For: Sling Maven Plugin 2.4.4

Currently goals "install-file" and "install" behave almost the same, the only difference is that the latter requires a project, but still picks up the bundle to install from the filesystem with a predefined path instead of leveraging the project's artifact(s) directly (irrespective of their path/name).

Instead of relying on a certain path in the filesystem one should directly leverage {{MavenProject.getArtifact()}} and {{MavenProject.getAttachedArtifacts()}} (in that order) until a bundle file is found and remove the parameter {{bundleFileName}} altogether.
[GitHub] [sling-maven-plugin] sonarcloud[bot] commented on pull request #6: SLING-11522 update Maven plugins, dependencies and parent
sonarcloud[bot] commented on PR #6:
URL: https://github.com/apache/sling-maven-plugin/pull/6#issuecomment-1209742171

SonarCloud Quality Gate failed.

0 Bugs (A), 0 Vulnerabilities (A), 0 Security Hotspots (A), 0 Code Smells (A), 0.0% Coverage, 0.0% Duplication.
[jira] [Created] (SLING-11523) Replace scannotation and asm by classgraph
Konrad Windszus created SLING-11523:
---------------------------------------

             Summary: Replace scannotation and asm by classgraph
                 Key: SLING-11523
                 URL: https://issues.apache.org/jira/browse/SLING-11523
             Project: Sling
          Issue Type: Improvement
          Components: Maven Plugins and Archetypes
            Reporter: Konrad Windszus
             Fix For: Sling Maven Plugin 2.4.4

Currently for goal {{generate-adapter-metadata}} the outdated [Scannotation Library|http://scannotation.sourceforge.net/] is used which received its last update in 2013. In addition also inspecting the class files with an additional library (like ASM) is necessary to get the actual field values.

Instead we should use https://github.com/classgraph/classgraph to scan for annotations.
[GitHub] [sling-maven-plugin] sonarcloud[bot] commented on pull request #6: SLING-11522 update Maven plugins, dependencies and parent
sonarcloud[bot] commented on PR #6:
URL: https://github.com/apache/sling-maven-plugin/pull/6#issuecomment-1209734132

SonarCloud Quality Gate failed.

0 Bugs (A), 0 Vulnerabilities (A), 0 Security Hotspots (A), 0 Code Smells (A), 0.0% Coverage, 0.0% Duplication.
[GitHub] [sling-maven-plugin] kwin commented on a diff in pull request #6: SLING-11522 update Maven plugins, dependencies and parent
kwin commented on code in PR #6: URL: https://github.com/apache/sling-maven-plugin/pull/6#discussion_r94111 ## sling-maven-plugin/src/main/java/org/apache/sling/maven/bundlesupport/BundleInstallFileMojo.java: ## 
@@ -17,24 +17,24 @@ package org.apache.sling.maven.bundlesupport; -import java.util.ArrayList; +import java.io.File; import java.util.List; -import org.apache.maven.artifact.Artifact; -import org.apache.maven.artifact.repository.ArtifactRepository; -import org.apache.maven.artifact.repository.ArtifactRepositoryFactory; -import org.apache.maven.artifact.repository.ArtifactRepositoryPolicy; -import org.apache.maven.artifact.repository.layout.ArtifactRepositoryLayout; -import org.apache.maven.artifact.resolver.AbstractArtifactResolutionException; -import org.apache.maven.artifact.resolver.ArtifactResolver; import org.apache.maven.plugin.MojoExecutionException; import org.apache.maven.plugins.annotations.Component; import org.apache.maven.plugins.annotations.Mojo; import org.apache.maven.plugins.annotations.Parameter; import org.codehaus.plexus.util.StringUtils; +import org.eclipse.aether.RepositorySystem; +import org.eclipse.aether.RepositorySystemSession; +import org.eclipse.aether.artifact.DefaultArtifact; +import org.eclipse.aether.repository.RemoteRepository; +import org.eclipse.aether.resolution.ArtifactRequest; +import org.eclipse.aether.resolution.ArtifactResolutionException; +import org.eclipse.aether.resolution.ArtifactResult; /** - * Install an OSGi bundle to a running Sling instance. + * Install an OSGi bundle from a given file path or Maven coordinates (resolved from the repository) to a running Sling instance. Review Comment: This is really a superset from `BundleInstallMojo` :-( -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@sling.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [sling-maven-plugin] kwin commented on a diff in pull request #6: SLING-11522 update Maven plugins, dependencies and parent
kwin commented on code in PR #6: URL: https://github.com/apache/sling-maven-plugin/pull/6#discussion_r94111 ## sling-maven-plugin/src/main/java/org/apache/sling/maven/bundlesupport/BundleInstallFileMojo.java: ## 
@@ -17,24 +17,24 @@ package org.apache.sling.maven.bundlesupport; -import java.util.ArrayList; +import java.io.File; import java.util.List; -import org.apache.maven.artifact.Artifact; -import org.apache.maven.artifact.repository.ArtifactRepository; -import org.apache.maven.artifact.repository.ArtifactRepositoryFactory; -import org.apache.maven.artifact.repository.ArtifactRepositoryPolicy; -import org.apache.maven.artifact.repository.layout.ArtifactRepositoryLayout; -import org.apache.maven.artifact.resolver.AbstractArtifactResolutionException; -import org.apache.maven.artifact.resolver.ArtifactResolver; import org.apache.maven.plugin.MojoExecutionException; import org.apache.maven.plugins.annotations.Component; import org.apache.maven.plugins.annotations.Mojo; import org.apache.maven.plugins.annotations.Parameter; import org.codehaus.plexus.util.StringUtils; +import org.eclipse.aether.RepositorySystem; +import org.eclipse.aether.RepositorySystemSession; +import org.eclipse.aether.artifact.DefaultArtifact; +import org.eclipse.aether.repository.RemoteRepository; +import org.eclipse.aether.resolution.ArtifactRequest; +import org.eclipse.aether.resolution.ArtifactResolutionException; +import org.eclipse.aether.resolution.ArtifactResult; /** - * Install an OSGi bundle to a running Sling instance. + * Install an OSGi bundle from a given file path or Maven coordinates (resolved from the repository) to a running Sling instance. Review Comment: This is really a superset from BundleInstallFileMojo :-( -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@sling.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [sling-maven-plugin] kwin opened a new pull request, #6: SLING-11522 update Maven plugins, dependencies and parent
kwin opened a new pull request, #6:
URL: https://github.com/apache/sling-maven-plugin/pull/6

Switch to Maven Resolver/Eclipse Aether API introduced with Maven 3.3.1
[jira] [Updated] (SLING-5418) Display description about Metrics being collected in WebConsole Plugin
[ https://issues.apache.org/jira/browse/SLING-5418?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joerg Hoh updated SLING-5418:
-----------------------------
    Description:
Metrics webconsole plugin currently displays all metrics in tabular format. It would be helpful if it can display some details about what metric data is all about.

This information should be added in during the registration of the metric as an additional (optional) parameter.

  was:
Metrics webconsole plugin currently displays all metrics in tabular format. It would be helpful if it can display some details about what metric data is all about

> Display description about Metrics being collected in WebConsole Plugin
> ----------------------------------------------------------------------
>
>                 Key: SLING-5418
>                 URL: https://issues.apache.org/jira/browse/SLING-5418
>             Project: Sling
>          Issue Type: Improvement
>          Components: Commons
>            Reporter: Chetan Mehrotra
>            Assignee: Chetan Mehrotra
>            Priority: Minor
>             Fix For: Commons Metrics 1.2.14
>
> Metrics webconsole plugin currently displays all metrics in tabular format. It would be helpful if it can display some details about what metric data is all about.
> This information should be added in during the registration of the metric as an additional (optional) parameter.
[jira] [Created] (SLING-11522) Update parent, plugins and dependencies
Konrad Windszus created SLING-11522:
---------------------------------------

             Summary: Update parent, plugins and dependencies
                 Key: SLING-11522
                 URL: https://issues.apache.org/jira/browse/SLING-11522
             Project: Sling
          Issue Type: Improvement
          Components: Maven Plugins and Archetypes
    Affects Versions: Sling Maven Plugin 2.4.2
            Reporter: Konrad Windszus
            Assignee: Konrad Windszus
             Fix For: Sling Maven Plugin 2.4.4

The parent should be updated to latest version (49), the dependencies and plugins as well.

In addition the minimum Maven version should be lifted to 3.3.1 (was 3.0.4) in order to leverage the new Maven Resolver API.
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941489475 ## src/main/java/org/apache/sling/xss/impl/CustomPolicy.java: ## 
@@ -0,0 +1,265 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~*/ +package org.apache.sling.xss.impl; + +import java.lang.reflect.Field; +import java.lang.reflect.Modifier; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.regex.Pattern; + +import javax.annotation.Nullable; + +import org.apache.sling.xss.impl.style.CssValidator; +import org.apache.sling.xss.impl.xml.Attribute; +import org.apache.sling.xss.impl.xml.Policy; +import org.apache.sling.xss.impl.xml.Tag; +import org.owasp.html.AttributePolicy; +import org.owasp.html.HtmlPolicyBuilder; +import org.owasp.html.PolicyFactory; + +import com.google.common.base.Predicate; +import com.google.common.collect.ImmutableSet; + +public class CustomPolicy { +private PolicyFactory policyFactory; +private List onInvalidRemoveTagList = new ArrayList<>(); +private Map dynamicAttributesPolicyMap = new HashMap<>(); +private CssValidator cssValidator; + +public CustomPolicy(Policy policy) { +removeAttributeGuards(); +HtmlPolicyBuilder policyBuilder = new HtmlPolicyBuilder(); + +cssValidator = new CssValidator(policy.getCssPolicy()); + +// this is for the global attributes - +Map globalAttributes = 
policy.getGlobalAttributes(); +for (Attribute attribute : globalAttributes.values()) { + +if (attribute.getOnInvalid().equals("removeTag")) { +onInvalidRemoveTagList.add(attribute.getName()); +} + +if (CssValidator.STYLE_ATTRIBUTE_NAME.equals(attribute.getName())) { +// we match style tags separately + policyBuilder.allowAttributes(attribute.getName()).matching(cssValidator.newCssAttributePolicy()) +.globally(); +} else { +List allowedValuesFromAttribute = attribute.getLiterals(); +if (allowedValuesFromAttribute != null && allowedValuesFromAttribute.size() > 0) { +for (String allowedValue : allowedValuesFromAttribute) { + policyBuilder.allowAttributes(attribute.getName()).matching(true, allowedValue).globally(); +} + +} +List regexsFromAttribute = attribute.getPatternList(); +if (regexsFromAttribute != null && regexsFromAttribute.size() > 0) { + policyBuilder.allowAttributes(attribute.getName()).matching(matchesToPatterns(regexsFromAttribute)) +.globally(); +} else { + policyBuilder.allowAttributes(attribute.getName()).globally(); +} + +} +} + +// this is for the allowed emty tags - +List allowedEmptyTags = policy.getAllowedEmptyTags(); +for (String allowedEmptyTag : allowedEmptyTags) { +policyBuilder.allowWithoutAttributes(allowedEmptyTag); +} + +// this is for the tag rules - +Map tagMap = policy.getTagRules(); +for (Map.Entry tag : tagMap.entrySet()) { + +String tagAction = tag.getValue().getAction(); +switch (tagAction) { +// Tag.action +case "truncate": +policyBuilder.allowElements(tag.getValue().getName()); + +break; +// filter: remove tags, but keep content, +case "filter": +break; +// remove: remove tag and contents +case "remove": +policyBuilder.disallowElements(tag.getValue().getName()); +break; + +// validate is also the default +// validate: keep content as long as it passes rules,
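Review bot: In the global-attributes loop, the literal branch registers a separate allowAttributes(name).matching(true, allowedValue).globally() policy per literal, and the regexp branch (or the unrestricted else branch) then registers yet another policy for the same attribute name. HtmlPolicyBuilder chains policies registered for the same attribute so that a value has to pass each of them, which means an attribute with two literals, or with both literals and regexps, would reject values the AntiSamy policy intends to allow (literal OR regexp). Build one AttributePolicy per attribute instead: pass all literals in a single matching(true, literal1, literal2, ...) call, fold the regexps into the same predicate, and only fall back to the unrestricted allowAttributes(name).globally() when the attribute has neither literals nor patterns.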
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941477555 ## src/main/java/org/apache/sling/xss/impl/CustomPolicy.java: ## 
@@ -0,0 +1,265 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~*/ +package org.apache.sling.xss.impl; + +import java.lang.reflect.Field; +import java.lang.reflect.Modifier; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.regex.Pattern; + +import javax.annotation.Nullable; + +import org.apache.sling.xss.impl.style.CssValidator; +import org.apache.sling.xss.impl.xml.Attribute; +import org.apache.sling.xss.impl.xml.Policy; +import org.apache.sling.xss.impl.xml.Tag; +import org.owasp.html.AttributePolicy; +import org.owasp.html.HtmlPolicyBuilder; +import org.owasp.html.PolicyFactory; + +import com.google.common.base.Predicate; +import com.google.common.collect.ImmutableSet; + +public class CustomPolicy { +private PolicyFactory policyFactory; +private List onInvalidRemoveTagList = new ArrayList<>(); +private Map dynamicAttributesPolicyMap = new HashMap<>(); +private CssValidator cssValidator; + +public CustomPolicy(Policy policy) { +removeAttributeGuards(); +HtmlPolicyBuilder policyBuilder = new HtmlPolicyBuilder(); + +cssValidator = new CssValidator(policy.getCssPolicy()); + +// this is for the global attributes - +Map globalAttributes = 
policy.getGlobalAttributes(); +for (Attribute attribute : globalAttributes.values()) { + +if (attribute.getOnInvalid().equals("removeTag")) { +onInvalidRemoveTagList.add(attribute.getName()); +} + +if (CssValidator.STYLE_ATTRIBUTE_NAME.equals(attribute.getName())) { +// we match style tags separately + policyBuilder.allowAttributes(attribute.getName()).matching(cssValidator.newCssAttributePolicy()) +.globally(); +} else { +List allowedValuesFromAttribute = attribute.getLiterals(); +if (allowedValuesFromAttribute != null && allowedValuesFromAttribute.size() > 0) { +for (String allowedValue : allowedValuesFromAttribute) { + policyBuilder.allowAttributes(attribute.getName()).matching(true, allowedValue).globally(); +} + +} +List regexsFromAttribute = attribute.getPatternList(); +if (regexsFromAttribute != null && regexsFromAttribute.size() > 0) { + policyBuilder.allowAttributes(attribute.getName()).matching(matchesToPatterns(regexsFromAttribute)) +.globally(); +} else { + policyBuilder.allowAttributes(attribute.getName()).globally(); +} + +} +} + +// this is for the allowed emty tags - +List allowedEmptyTags = policy.getAllowedEmptyTags(); +for (String allowedEmptyTag : allowedEmptyTags) { +policyBuilder.allowWithoutAttributes(allowedEmptyTag); +} + +// this is for the tag rules - +Map tagMap = policy.getTagRules(); +for (Map.Entry tag : tagMap.entrySet()) { + +String tagAction = tag.getValue().getAction(); +switch (tagAction) { +// Tag.action +case "truncate": +policyBuilder.allowElements(tag.getValue().getName()); + +break; +// filter: remove tags, but keep content, +case "filter": +break; +// remove: remove tag and contents +case "remove": +policyBuilder.disallowElements(tag.getValue().getName()); +break; + +// validate is also the default +// validate: keep content as long as it passes rules,
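Review bot: The allowed-empty-tags loop maps policy.getAllowedEmptyTags() onto policyBuilder.allowWithoutAttributes(tag), but the two concepts are not the same: AntiSamy's allowed-empty-tags are elements permitted to have no content (br, img, td, ...), whereas HtmlPolicyBuilder.allowWithoutAttributes only switches off the builder's default of dropping certain elements (a, font, img, span, ...) when they carry no attributes. Please check that this mapping gives the intended result for every tag in the shipped policy file and add a comment explaining the translation, otherwise a tag the policy lists as allowed-empty can still be dropped by the sanitizer.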
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941466862 ## src/main/java/org/apache/sling/xss/impl/CustomPolicy.java: ## 
@@ -0,0 +1,265 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~*/ +package org.apache.sling.xss.impl; + +import java.lang.reflect.Field; +import java.lang.reflect.Modifier; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.regex.Pattern; + +import javax.annotation.Nullable; + +import org.apache.sling.xss.impl.style.CssValidator; +import org.apache.sling.xss.impl.xml.Attribute; +import org.apache.sling.xss.impl.xml.Policy; +import org.apache.sling.xss.impl.xml.Tag; +import org.owasp.html.AttributePolicy; +import org.owasp.html.HtmlPolicyBuilder; +import org.owasp.html.PolicyFactory; + +import com.google.common.base.Predicate; +import com.google.common.collect.ImmutableSet; + +public class CustomPolicy { +private PolicyFactory policyFactory; +private List onInvalidRemoveTagList = new ArrayList<>(); +private Map dynamicAttributesPolicyMap = new HashMap<>(); +private CssValidator cssValidator; + +public CustomPolicy(Policy policy) { +removeAttributeGuards(); +HtmlPolicyBuilder policyBuilder = new HtmlPolicyBuilder(); + +cssValidator = new CssValidator(policy.getCssPolicy()); + +// this is for the global attributes - +Map globalAttributes = 
policy.getGlobalAttributes(); +for (Attribute attribute : globalAttributes.values()) { + +if (attribute.getOnInvalid().equals("removeTag")) { +onInvalidRemoveTagList.add(attribute.getName()); +} + +if (CssValidator.STYLE_ATTRIBUTE_NAME.equals(attribute.getName())) { +// we match style tags separately + policyBuilder.allowAttributes(attribute.getName()).matching(cssValidator.newCssAttributePolicy()) +.globally(); +} else { +List allowedValuesFromAttribute = attribute.getLiterals(); +if (allowedValuesFromAttribute != null && allowedValuesFromAttribute.size() > 0) { +for (String allowedValue : allowedValuesFromAttribute) { + policyBuilder.allowAttributes(attribute.getName()).matching(true, allowedValue).globally(); +} + +} +List regexsFromAttribute = attribute.getPatternList(); +if (regexsFromAttribute != null && regexsFromAttribute.size() > 0) { + policyBuilder.allowAttributes(attribute.getName()).matching(matchesToPatterns(regexsFromAttribute)) +.globally(); +} else { + policyBuilder.allowAttributes(attribute.getName()).globally(); +} + +} +} + +// this is for the allowed emty tags - +List allowedEmptyTags = policy.getAllowedEmptyTags(); +for (String allowedEmptyTag : allowedEmptyTags) { +policyBuilder.allowWithoutAttributes(allowedEmptyTag); +} + +// this is for the tag rules - +Map tagMap = policy.getTagRules(); +for (Map.Entry tag : tagMap.entrySet()) { + +String tagAction = tag.getValue().getAction(); +switch (tagAction) { +// Tag.action +case "truncate": +policyBuilder.allowElements(tag.getValue().getName()); + +break; +// filter: remove tags, but keep content, +case "filter": +break; +// remove: remove tag and contents +case "remove": +policyBuilder.disallowElements(tag.getValue().getName()); +break; + +// validate is also the default +// validate: keep content as long as it passes rules,
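Review bot: The constructor begins with removeAttributeGuards(), and the file imports java.lang.reflect.Field and java.lang.reflect.Modifier, so the class evidently patches the sanitizer library's own guard logic through reflection. That call needs a comment stating which library class and field are modified and why the configured policy requires it, plus a unit test that fails loudly when a library upgrade renames or removes the field, because a silently failed reflective write would leave the guards in place and change sanitizer behaviour without any visible error.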
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941464456 ## src/main/java/org/apache/sling/xss/impl/CustomPolicy.java: ## 
@@ -0,0 +1,265 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~*/ +package org.apache.sling.xss.impl; + +import java.lang.reflect.Field; +import java.lang.reflect.Modifier; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.regex.Pattern; + +import javax.annotation.Nullable; + +import org.apache.sling.xss.impl.style.CssValidator; +import org.apache.sling.xss.impl.xml.Attribute; +import org.apache.sling.xss.impl.xml.Policy; +import org.apache.sling.xss.impl.xml.Tag; +import org.owasp.html.AttributePolicy; +import org.owasp.html.HtmlPolicyBuilder; +import org.owasp.html.PolicyFactory; + +import com.google.common.base.Predicate; +import com.google.common.collect.ImmutableSet; + +public class CustomPolicy { +private PolicyFactory policyFactory; +private List onInvalidRemoveTagList = new ArrayList<>(); +private Map dynamicAttributesPolicyMap = new HashMap<>(); +private CssValidator cssValidator; + +public CustomPolicy(Policy policy) { +removeAttributeGuards(); +HtmlPolicyBuilder policyBuilder = new HtmlPolicyBuilder(); + +cssValidator = new CssValidator(policy.getCssPolicy()); + +// this is for the global attributes - +Map globalAttributes = 
policy.getGlobalAttributes(); +for (Attribute attribute : globalAttributes.values()) { + +if (attribute.getOnInvalid().equals("removeTag")) { +onInvalidRemoveTagList.add(attribute.getName()); +} + +if (CssValidator.STYLE_ATTRIBUTE_NAME.equals(attribute.getName())) { +// we match style tags separately + policyBuilder.allowAttributes(attribute.getName()).matching(cssValidator.newCssAttributePolicy()) +.globally(); +} else { +List allowedValuesFromAttribute = attribute.getLiterals(); +if (allowedValuesFromAttribute != null && allowedValuesFromAttribute.size() > 0) { +for (String allowedValue : allowedValuesFromAttribute) { + policyBuilder.allowAttributes(attribute.getName()).matching(true, allowedValue).globally(); +} + +} +List regexsFromAttribute = attribute.getPatternList(); +if (regexsFromAttribute != null && regexsFromAttribute.size() > 0) { + policyBuilder.allowAttributes(attribute.getName()).matching(matchesToPatterns(regexsFromAttribute)) +.globally(); +} else { + policyBuilder.allowAttributes(attribute.getName()).globally(); +} + +} +} + +// this is for the allowed emty tags - +List allowedEmptyTags = policy.getAllowedEmptyTags(); +for (String allowedEmptyTag : allowedEmptyTags) { +policyBuilder.allowWithoutAttributes(allowedEmptyTag); +} + +// this is for the tag rules - +Map tagMap = policy.getTagRules(); +for (Map.Entry tag : tagMap.entrySet()) { + +String tagAction = tag.getValue().getAction(); +switch (tagAction) { +// Tag.action +case "truncate": +policyBuilder.allowElements(tag.getValue().getName()); + +break; +// filter: remove tags, but keep content, +case "filter": +break; +// remove: remove tag and contents +case "remove": +policyBuilder.disallowElements(tag.getValue().getName()); +break; + +// validate is also the default +// validate: keep content as long as it passes rules,
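Review bot: In the tag-rules switch, case "filter" is an empty branch whose behaviour (element removed, text content kept) relies entirely on the builder's default treatment of unlisted elements; say so in a comment on the branch rather than only on the case label. Since the comment notes that "validate" is also the default branch, a misspelled action string in the policy XML would be silently treated as validate; logging unknown action values at WARN inside the default branch would make such policy typos visible. Minor: "emty" in the allowed-empty-tags comment.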
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941462942 ## src/main/java/org/apache/sling/xss/impl/xml/Policy.java: ## 
@@ -0,0 +1,391 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~*/ +package org.apache.sling.xss.impl.xml; + +import java.io.IOException; +import java.io.InputStream; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collections; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.regex.Pattern; + +import javax.xml.stream.XMLInputFactory; +import javax.xml.stream.XMLStreamException; +import javax.xml.stream.XMLStreamReader; + +import org.apache.sling.xss.impl.PolicyException; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.ctc.wstx.stax.WstxInputFactory; +import com.ctc.wstx.stax.WstxOutputFactory; +import com.fasterxml.jackson.dataformat.xml.XmlMapper; + +public class Policy { + +private static final String DIRECTIVE_EMBED_STYLE_SHEETS = "embedStyleSheets"; + +public static class CssPolicy { + +private final Map cssRules; +private final IncludeExcludeMatcher elementMatcher; +private final IncludeExcludeMatcher classMatcher; +private final IncludeExcludeMatcher idMatcher; +private final IncludeExcludeMatcher pseudoElementMatcher; +private final IncludeExcludeMatcher attributeMatcher; + +public CssPolicy(Map cssrules, 
Map commonRegExps, Map directives) { +this.cssRules = Collections.unmodifiableMap(cssrules); +this.elementMatcher = new IncludeExcludeMatcher(commonRegExps.get("cssElementSelector"), +commonRegExps.get("cssElementExclusion")); +this.classMatcher = new IncludeExcludeMatcher(commonRegExps.get("cssClassSelector"), +commonRegExps.get("cssClassExclusion")); +this.idMatcher = new IncludeExcludeMatcher(commonRegExps.get("cssIDSelector"), +commonRegExps.get("cssIDExclusion")); +this.pseudoElementMatcher = new IncludeExcludeMatcher(commonRegExps.get("cssPseudoElementSelector"), +commonRegExps.get("cssPseudoElementExclusion")); +this.attributeMatcher = new IncludeExcludeMatcher(commonRegExps.get("cssAttributeSelector"), +commonRegExps.get("cssAttributeExclusion")); +} + +public Map getCssRules() { +return cssRules; +} + +public boolean isValidElementName(String name) { +return elementMatcher.matches(name); +} + +public boolean isValidClassName(String name) { +return classMatcher.matches(name); +} + +public boolean isValidId(String name) { +return idMatcher.matches(name); +} + +public boolean isValidPseudoElementName(String name) { +return pseudoElementMatcher.matches(name); +} + +public boolean isValidAttributeSelector(String name) { +return attributeMatcher.matches(name); +} +} + +protected final Map commonRegularExpressions = new HashMap<>(); +protected final Map commonAttributes = new HashMap<>(); +protected final Map tagRules = new HashMap<>(); +protected final Map cssRules = new HashMap<>(); +protected final Map directives = new HashMap<>(); +protected final Map globalAttributes = new HashMap<>(); +protected final Map dynamicAttributes = new HashMap<>(); +protected List allowedEmptyTags = new ArrayList<>(); +protected final List requireClosingTags = new ArrayList<>(); + +private final Logger logger = LoggerFactory.getLogger(getClass()); + +public Map getDirectives() { +return directives; +} + +public List getRequireClosingTags() { +return requireClosingTags; +} + 
+public Map getCommonRegularExpressions() { +return commonRegularExpressions; +} + +public Map getGlobalAttributes() { +
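Review bot: CssPolicy's constructor passes commonRegExps.get("cssElementSelector") and the other five lookups straight into IncludeExcludeMatcher, so a policy file that lacks one of those common-regexp entries hands a null to the matcher instead of failing with a PolicyException at load time; validate the required keys when the policy is read. Two further points: getDirectives(), getRequireClosingTags(), getCommonRegularExpressions() and getGlobalAttributes() return the mutable internal collections while CssPolicy wraps cssRules in Collections.unmodifiableMap, so callers could alter a loaded policy at runtime; wrap them the same way. And since the file imports XMLInputFactory/WstxInputFactory for reading the policy XML, make sure the factory that is used sets XMLInputFactory.SUPPORT_DTD and XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES to false so a policy document cannot pull in external entities.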
[GitHub] [sling-org-apache-sling-resourceresolver] rombert commented on a diff in pull request #78: Various improvements for the webconsole plugin
rombert commented on code in PR #78: URL: https://github.com/apache/sling-org-apache-sling-resourceresolver/pull/78#discussion_r941399874 ## src/main/java/org/apache/sling/resourceresolver/impl/console/ResourceResolverWebConsolePlugin.java: ## @@ -255,19 +278,42 @@ protected void doPost(HttpServletRequest request, // finally redirect final String path = request.getContextPath() + request.getServletPath() + request.getPathInfo(); -final String redirectTo; +String redirectTo; if (msg == null) { redirectTo = path; } else { redirectTo = path + '?' + PAR_MSG + '=' + encodeParam(msg) + '&' + PAR_TEST + '=' + encodeParam(test); +if ( user != null && user.length() > 0 ) { +redirectTo += '&' + PAR_USER + '=' + encodeParam(user); +} } response.sendRedirect(redirectTo); } +private ResourceResolver getImpersonatedResourceResolver(HttpServletRequest request, final String user) +throws LoginException { + +// resolver is set by the auth.core bundle in case of successful authentication, so it should +// always be there +Object resolverAttribute = request.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER); +if ( !(resolverAttribute instanceof ResourceResolver) ) { +throw new IllegalArgumentException("No " + ResourceResolver.class.getSimpleName() + " found in request, unable to proceed with impersonation"); Review Comment: @kwin suggested that we use an admin resolver instead (and include the bundle in the allow list). If we would stop looking up the ResourceResolver in the request attribute, would it solve this issue? https://github.com/apache/sling-org-apache-sling-resourceresolver/pull/78#discussion_r941353233 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@sling.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
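Review bot: getImpersonatedResourceResolver switches the console to another user's ResourceResolver, but nothing in the hunk records who requested the impersonation and of whom; log the requesting user id (taken from the request's own resolver) together with the target user at INFO when impersonation succeeds, so the action is traceable in the audit trail, and make sure the caller closes the impersonated resolver in a finally block. The redirect branch is fine as written, since user passes through encodeParam before being appended to the query string.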
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941381480 ## src/main/java/org/apache/sling/xss/impl/AntiSamyHtmlSanitizer.java: ## @@ -0,0 +1,95 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~*/ +package org.apache.sling.xss.impl; + +import java.lang.reflect.Field; + +import org.apache.sling.xss.impl.xml.Policy; +import org.owasp.html.DynamicAttributesSanitizerPolicy; +import org.owasp.html.Handler; +import org.owasp.html.HtmlSanitizer; +import org.owasp.html.HtmlStreamEventReceiver; +import org.owasp.html.HtmlStreamRenderer; +import org.owasp.html.PolicyFactory; + +import com.google.common.collect.ImmutableMap; +import com.google.common.collect.ImmutableSet; + +public class AntiSamyHtmlSanitizer { Review Comment: Resolved: c43bd02b00fa999427c5b891aa6380e42718cfcb
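Review bot: The class imports java.lang.reflect.Field next to org.owasp.html.HtmlSanitizer and PolicyFactory, which signals reflective access to library internals from the sanitizer entry point; add a class comment naming the field that is read or written and why, and cover the access with a test so that a library upgrade renaming or removing the field fails the build instead of degrading sanitization silently. The import of org.owasp.html.DynamicAttributesSanitizerPolicy also deserves a comment if that class lives in this repository rather than in the library, because code placed in another bundle's package is easy to mistake for a library API.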
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941378489 ## src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java: ## @@ -351,14 +351,18 @@ public String getValidXML(String xml, String defaultXml) { return ""; } +ClassLoader tccl = Thread.currentThread().getContextClassLoader(); Review Comment: no, I removed them
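Review bot: The added line captures the thread's context class loader at the start of getValidXML; whatever class loader swap follows must be undone in a finally block, so that an exception on the XML parsing path cannot leave a foreign class loader installed on a pooled request thread. Keep the swap and the restore adjacent inside try/finally, and if the capture is no longer needed after the related lines were removed, drop the variable as well.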
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941355689 ## src/test/java/org/owasp/validator/html/XMLParser/PolicyTest.java: ## @@ -0,0 +1,73 @@ +/*** + * Licensed to the Apache Software Foundation (ASF) under one or + * more contributor license agreements. See the NOTICE file + * distributed with this work for additional information regarding + * copyright ownership. The ASF licenses this file to you under the + * Apache License, Version 2.0 (the "License"); you may not use + * this file except in compliance with the License. You may obtain + * a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 Unless required by + * applicable law or agreed to in writing, software distributed + * under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions + * and limitations under the License. + **/ +package org.owasp.validator.html.XMLParser; Review Comment: Resolved: c3780db38b4c5b1e39e4d475fce1a109a0887f35
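Review bot: The test is declared in package org.owasp.validator.html.XMLParser, which is the old AntiSamy namespace rather than this bundle's, and the segment XMLParser is capitalised against Java package conventions; move it next to the class under test (org.apache.sling.xss.impl.xml) so it can reach package-private members and so the test tree stops mirroring the library this PR replaces. The license header also uses the /*** ... **/ form while the main sources use /*~~ ... ~*/; keep one style.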
[GitHub] [sling-org-apache-sling-resourceresolver] kwin commented on a diff in pull request #78: Various improvements for the webconsole plugin
kwin commented on code in PR #78: URL: https://github.com/apache/sling-org-apache-sling-resourceresolver/pull/78#discussion_r941353233 ## src/main/java/org/apache/sling/resourceresolver/impl/console/ResourceResolverWebConsolePlugin.java: ## 
@@ -255,19 +278,42 @@ protected void doPost(HttpServletRequest request, // finally redirect final String path = request.getContextPath() + request.getServletPath() + request.getPathInfo(); -final String redirectTo; +String redirectTo; if (msg == null) { redirectTo = path; } else { redirectTo = path + '?' + PAR_MSG + '=' + encodeParam(msg) + '&' + PAR_TEST + '=' + encodeParam(test); +if ( user != null && user.length() > 0 ) { +redirectTo += '&' + PAR_USER + '=' + encodeParam(user); +} } response.sendRedirect(redirectTo); } +private ResourceResolver getImpersonatedResourceResolver(HttpServletRequest request, final String user) +throws LoginException { + +// resolver is set by the auth.core bundle in case of successful authentication, so it should +// always be there +Object resolverAttribute = request.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER); Review Comment: Actually the user needs to be "admin", just being a member of the administrators group is IMHO not enough. I don't think that there is an option yet for a user to enable him to impersonate as anyone else. Might be a good extension though for Oak. The same limitation applies to the user doing the webconsole request (in case the Sling Webconsole Security provider is used), so in fact this option only works for admin with all other users. Therefore I would suggest to use a new administrative resource resolver with impersonation and whitelist the usage accordingly.
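Review bot: In getImpersonatedResourceResolver, the missing-attribute case (visible in the earlier copy of this hunk) throws IllegalArgumentException, which the servlet container turns into an HTTP 500 for what is really a misconfiguration of the authentication setup; report it through the msg/redirect mechanism doPost already uses, or answer with a 4xx, and reword the comment, since "should always be there" is exactly the assumption the check guards against. The declared LoginException indicates the impersonation itself is attempted further down; that failure should likewise surface as a console message rather than a stack trace.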
[GitHub] [sling-org-apache-sling-resourceresolver] kwin commented on a diff in pull request #78: Various improvements for the webconsole plugin
kwin commented on code in PR #78: URL: https://github.com/apache/sling-org-apache-sling-resourceresolver/pull/78#discussion_r941353233 ## src/main/java/org/apache/sling/resourceresolver/impl/console/ResourceResolverWebConsolePlugin.java: ## 
@@ -255,19 +278,42 @@ protected void doPost(HttpServletRequest request, // finally redirect final String path = request.getContextPath() + request.getServletPath() + request.getPathInfo(); -final String redirectTo; +String redirectTo; if (msg == null) { redirectTo = path; } else { redirectTo = path + '?' + PAR_MSG + '=' + encodeParam(msg) + '&' + PAR_TEST + '=' + encodeParam(test); +if ( user != null && user.length() > 0 ) { +redirectTo += '&' + PAR_USER + '=' + encodeParam(user); +} } response.sendRedirect(redirectTo); } +private ResourceResolver getImpersonatedResourceResolver(HttpServletRequest request, final String user) +throws LoginException { + +// resolver is set by the auth.core bundle in case of successful authentication, so it should +// always be there +Object resolverAttribute = request.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER); Review Comment: Actually the user needs to be "admin", just being a member of the administrators group is IMHO not enough. I don't think that there is an option yet for a user to enable him to impersonate as anyone else. Might be a good extension though. The same limitation applies to the user doing the webconsole request (in case the Sling Webconsole Security provider is used), so in fact this option only works for admin with all other users. Therefore I would suggest to use a new administrative resource resolver with impersonation and whitelist the usage accordingly.
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941353303 ## src/main/java/org/apache/sling/xss/impl/xml/Attribute.java: ## 
@@ -0,0 +1,142 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~*/ +package org.apache.sling.xss.impl.xml; + +import java.util.List; +import java.util.regex.Pattern; +import java.util.stream.Collectors; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlElementWrapper; +import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty; + +public class Attribute { + +private String name = null; +private String description = null; +private String onInvalid = null; + +@JacksonXmlElementWrapper(localName = "regexp-list") +private List regexpList = null; + +@JacksonXmlElementWrapper(localName = "literal-list") +private List literalList = null; + +// private List patternList = regexpList.stream().map(regexp -> +// regexp.getPattern()) +// .collect(Collectors.toList()); + +@JsonCreator +public Attribute(@JacksonXmlProperty(localName = "name", isAttribute = true) String name, +// @JacksonXmlElementWrapper(localName = "regexp-list") +@JacksonXmlProperty(localName = "regexp") List allowedRegexps, +// @JacksonXmlElementWrapper(localName = "literal-list") +@JacksonXmlProperty(localName = "literal") List allowedValues, 
+@JacksonXmlProperty(localName = "onInvalid", isAttribute = true) String onInvalid, +@JacksonXmlProperty(localName = "description", isAttribute = true) String description) { +this.name = name; +this.description = description; +this.onInvalid = onInvalid; +this.regexpList = allowedRegexps; +this.literalList = allowedValues; +} + +@Override +public String toString() { +return "Attribute - name: " + name + ", description " + description + ", onInvalid " + onInvalid ++ ", allowedRegexlist: " ++ regexpList.size() + ", literals " + literalList; +} + +public String getOnInvalid() { +if (onInvalid != null && onInvalid.length() > 0) { +return onInvalid; +} else { +onInvalid = "removeAttribute"; +return onInvalid; +} +} + +public String getDescription() { +return description; +} + +public String getName() { +return name; +} + +public List getLiterals() { +if (literalList != null && literalList.size() > 0) { Review Comment: Resolved: 03aa737a86030bcb3b1a16c046fd47d84ea8d74e
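Review bot: toString() dereferences regexpList.size() while regexpList is initialised to null and the @JsonCreator constructor stores whatever Jackson passes, so an attribute element without a regexp-list makes toString() throw a NullPointerException, for example from a debug log statement; guard it the way getLiterals() guards literalList, or initialise both lists to empty lists in the constructor. Also, getOnInvalid() writes the "removeAttribute" default back into the field, turning a getter into a mutator; returning the constant without assigning it is enough.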
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941343800 ## src/main/java/org/apache/sling/xss/impl/xml/Attribute.java: ## 
@@ -0,0 +1,142 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~*/ +package org.apache.sling.xss.impl.xml; + +import java.util.List; +import java.util.regex.Pattern; +import java.util.stream.Collectors; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlElementWrapper; +import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty; + +public class Attribute { + +private String name = null; +private String description = null; +private String onInvalid = null; + +@JacksonXmlElementWrapper(localName = "regexp-list") +private List regexpList = null; + +@JacksonXmlElementWrapper(localName = "literal-list") +private List literalList = null; + +// private List patternList = regexpList.stream().map(regexp -> +// regexp.getPattern()) +// .collect(Collectors.toList()); + +@JsonCreator +public Attribute(@JacksonXmlProperty(localName = "name", isAttribute = true) String name, +// @JacksonXmlElementWrapper(localName = "regexp-list") +@JacksonXmlProperty(localName = "regexp") List allowedRegexps, +// @JacksonXmlElementWrapper(localName = "literal-list") +@JacksonXmlProperty(localName = "literal") List allowedValues, 
+@JacksonXmlProperty(localName = "onInvalid", isAttribute = true) String onInvalid, +@JacksonXmlProperty(localName = "description", isAttribute = true) String description) { +this.name = name; +this.description = description; +this.onInvalid = onInvalid; +this.regexpList = allowedRegexps; +this.literalList = allowedValues; +} + +@Override +public String toString() { +return "Attribute - name: " + name + ", description " + description + ", onInvalid " + onInvalid ++ ", allowedRegexlist: " ++ regexpList.size() + ", literals " + literalList; +} + +public String getOnInvalid() { +if (onInvalid != null && onInvalid.length() > 0) { +return onInvalid; +} else { +onInvalid = "removeAttribute"; +return onInvalid; +} +} + +public String getDescription() { +return description; +} + +public String getName() { +return name; +} + +public List getLiterals() { +if (literalList != null && literalList.size() > 0) { +return literalList.stream().map(literal -> literal.getValue().toLowerCase()).collect(Collectors.toList()); +} +return null; +} + +public List getLiteralList() { +return literalList; +} + +public List getPatternList() { +return regexpList.stream().map(regexp -> regexp.getPattern()) +.collect(Collectors.toList()); + +} + +public List getRegexpList() { +return regexpList; +} + +public boolean containsAllowedValue(String valueInLowerCase) { +List literals = getLiterals(); +return literals != null && literals.size() > 0 ? getLiterals().contains(valueInLowerCase) : false; +} + +public boolean matchesAllowedExpression(String value) { +if (regexpList != null && regexpList.size() > 0) { Review Comment: Resolved: 03aa737a86030bcb3b1a16c046fd47d84ea8d74e -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@sling.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
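Review bot: `getPatternList()` streams `regexpList` without the null check that `matchesAllowedExpression(String)` performs a few lines later, so a policy attribute with no `regexp-list` throws a NullPointerException from one method and yields `false` from the other; make the two consistent, e.g. `return regexpList == null ? Collections.emptyList() : regexpList.stream().map(regexp -> regexp.getPattern()).collect(Collectors.toList());`, so that a missing list always means "nothing is allowed by regexp" rather than a crash in the sanitizer path.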
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941344087 ## src/main/java/org/apache/sling/xss/impl/xml/Attribute.java: ## 
@@ -0,0 +1,142 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~*/ +package org.apache.sling.xss.impl.xml; + +import java.util.List; +import java.util.regex.Pattern; +import java.util.stream.Collectors; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlElementWrapper; +import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty; + +public class Attribute { + +private String name = null; +private String description = null; +private String onInvalid = null; + +@JacksonXmlElementWrapper(localName = "regexp-list") +private List regexpList = null; + +@JacksonXmlElementWrapper(localName = "literal-list") +private List literalList = null; + +// private List patternList = regexpList.stream().map(regexp -> +// regexp.getPattern()) +// .collect(Collectors.toList()); + +@JsonCreator +public Attribute(@JacksonXmlProperty(localName = "name", isAttribute = true) String name, +// @JacksonXmlElementWrapper(localName = "regexp-list") +@JacksonXmlProperty(localName = "regexp") List allowedRegexps, +// @JacksonXmlElementWrapper(localName = "literal-list") +@JacksonXmlProperty(localName = "literal") List allowedValues, 
+@JacksonXmlProperty(localName = "onInvalid", isAttribute = true) String onInvalid, +@JacksonXmlProperty(localName = "description", isAttribute = true) String description) { +this.name = name; +this.description = description; +this.onInvalid = onInvalid; +this.regexpList = allowedRegexps; +this.literalList = allowedValues; +} + +@Override +public String toString() { +return "Attribute - name: " + name + ", description " + description + ", onInvalid " + onInvalid ++ ", allowedRegexlist: " ++ regexpList.size() + ", literals " + literalList; +} + +public String getOnInvalid() { +if (onInvalid != null && onInvalid.length() > 0) { +return onInvalid; +} else { +onInvalid = "removeAttribute"; +return onInvalid; +} +} + +public String getDescription() { +return description; +} + +public String getName() { +return name; +} + +public List getLiterals() { +if (literalList != null && literalList.size() > 0) { +return literalList.stream().map(literal -> literal.getValue().toLowerCase()).collect(Collectors.toList()); +} +return null; +} + +public List getLiteralList() { +return literalList; +} + +public List getPatternList() { +return regexpList.stream().map(regexp -> regexp.getPattern()) +.collect(Collectors.toList()); + +} + +public List getRegexpList() { +return regexpList; +} + +public boolean containsAllowedValue(String valueInLowerCase) { +List literals = getLiterals(); +return literals != null && literals.size() > 0 ? getLiterals().contains(valueInLowerCase) : false; Review Comment: Resolved: 03aa737a86030bcb3b1a16c046fd47d84ea8d74e -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@sling.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
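Review bot: `containsAllowedValue(String)` builds the lowercased literal list twice, once into `literals` and again through `getLiterals().contains(valueInLowerCase)` inside the ternary, and the `? ... : false` is redundant; write `List literals = getLiterals(); return literals != null && literals.contains(valueInLowerCase);`. The method relies on callers passing an already lowercased value; state that contract in a Javadoc comment (or lowercase inside the method) so a future caller passing a mixed-case value does not silently get `false` for a value the policy actually allows.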
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941343800 ## src/main/java/org/apache/sling/xss/impl/xml/Attribute.java: ## 
@@ -0,0 +1,142 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~*/ +package org.apache.sling.xss.impl.xml; + +import java.util.List; +import java.util.regex.Pattern; +import java.util.stream.Collectors; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlElementWrapper; +import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty; + +public class Attribute { + +private String name = null; +private String description = null; +private String onInvalid = null; + +@JacksonXmlElementWrapper(localName = "regexp-list") +private List regexpList = null; + +@JacksonXmlElementWrapper(localName = "literal-list") +private List literalList = null; + +// private List patternList = regexpList.stream().map(regexp -> +// regexp.getPattern()) +// .collect(Collectors.toList()); + +@JsonCreator +public Attribute(@JacksonXmlProperty(localName = "name", isAttribute = true) String name, +// @JacksonXmlElementWrapper(localName = "regexp-list") +@JacksonXmlProperty(localName = "regexp") List allowedRegexps, +// @JacksonXmlElementWrapper(localName = "literal-list") +@JacksonXmlProperty(localName = "literal") List allowedValues, 
+@JacksonXmlProperty(localName = "onInvalid", isAttribute = true) String onInvalid, +@JacksonXmlProperty(localName = "description", isAttribute = true) String description) { +this.name = name; +this.description = description; +this.onInvalid = onInvalid; +this.regexpList = allowedRegexps; +this.literalList = allowedValues; +} + +@Override +public String toString() { +return "Attribute - name: " + name + ", description " + description + ", onInvalid " + onInvalid ++ ", allowedRegexlist: " ++ regexpList.size() + ", literals " + literalList; +} + +public String getOnInvalid() { +if (onInvalid != null && onInvalid.length() > 0) { +return onInvalid; +} else { +onInvalid = "removeAttribute"; +return onInvalid; +} +} + +public String getDescription() { +return description; +} + +public String getName() { +return name; +} + +public List getLiterals() { +if (literalList != null && literalList.size() > 0) { +return literalList.stream().map(literal -> literal.getValue().toLowerCase()).collect(Collectors.toList()); +} +return null; +} + +public List getLiteralList() { +return literalList; +} + +public List getPatternList() { +return regexpList.stream().map(regexp -> regexp.getPattern()) +.collect(Collectors.toList()); + +} + +public List getRegexpList() { +return regexpList; +} + +public boolean containsAllowedValue(String valueInLowerCase) { +List literals = getLiterals(); +return literals != null && literals.size() > 0 ? getLiterals().contains(valueInLowerCase) : false; +} + +public boolean matchesAllowedExpression(String value) { +if (regexpList != null && regexpList.size() > 0) { Review Comment: Resolved: 083ea04c66361c553d3357e9f05bdf8a43b691cc -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@sling.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
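Review bot: `getLiterals()` returns `null` both when `literalList` is absent and when it is empty, which pushes a null check onto every caller (`containsAllowedValue` already needs one); return `Collections.emptyList()` instead and drop the `size() > 0` branch, since streaming an empty list simply yields an empty list, and callers can then use `contains` directly.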
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941344087 ## src/main/java/org/apache/sling/xss/impl/xml/Attribute.java: ## 
@@ -0,0 +1,142 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~*/ +package org.apache.sling.xss.impl.xml; + +import java.util.List; +import java.util.regex.Pattern; +import java.util.stream.Collectors; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlElementWrapper; +import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty; + +public class Attribute { + +private String name = null; +private String description = null; +private String onInvalid = null; + +@JacksonXmlElementWrapper(localName = "regexp-list") +private List regexpList = null; + +@JacksonXmlElementWrapper(localName = "literal-list") +private List literalList = null; + +// private List patternList = regexpList.stream().map(regexp -> +// regexp.getPattern()) +// .collect(Collectors.toList()); + +@JsonCreator +public Attribute(@JacksonXmlProperty(localName = "name", isAttribute = true) String name, +// @JacksonXmlElementWrapper(localName = "regexp-list") +@JacksonXmlProperty(localName = "regexp") List allowedRegexps, +// @JacksonXmlElementWrapper(localName = "literal-list") +@JacksonXmlProperty(localName = "literal") List allowedValues, 
+@JacksonXmlProperty(localName = "onInvalid", isAttribute = true) String onInvalid, +@JacksonXmlProperty(localName = "description", isAttribute = true) String description) { +this.name = name; +this.description = description; +this.onInvalid = onInvalid; +this.regexpList = allowedRegexps; +this.literalList = allowedValues; +} + +@Override +public String toString() { +return "Attribute - name: " + name + ", description " + description + ", onInvalid " + onInvalid ++ ", allowedRegexlist: " ++ regexpList.size() + ", literals " + literalList; +} + +public String getOnInvalid() { +if (onInvalid != null && onInvalid.length() > 0) { +return onInvalid; +} else { +onInvalid = "removeAttribute"; +return onInvalid; +} +} + +public String getDescription() { +return description; +} + +public String getName() { +return name; +} + +public List getLiterals() { +if (literalList != null && literalList.size() > 0) { +return literalList.stream().map(literal -> literal.getValue().toLowerCase()).collect(Collectors.toList()); +} +return null; +} + +public List getLiteralList() { +return literalList; +} + +public List getPatternList() { +return regexpList.stream().map(regexp -> regexp.getPattern()) +.collect(Collectors.toList()); + +} + +public List getRegexpList() { +return regexpList; +} + +public boolean containsAllowedValue(String valueInLowerCase) { +List literals = getLiterals(); +return literals != null && literals.size() > 0 ? getLiterals().contains(valueInLowerCase) : false; Review Comment: Resolved: 083ea04c66361c553d3357e9f05bdf8a43b691cc -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@sling.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
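Review bot: `getOnInvalid()` assigns `onInvalid = "removeAttribute"` as a side effect of a getter, so the object's state depends on whether the getter has been called and `toString()` prints `null` before the first call and `removeAttribute` afterwards; apply the default once in the constructor (`this.onInvalid = onInvalid == null || onInvalid.isEmpty() ? "removeAttribute" : onInvalid;`) and make the getter a plain accessor. A Javadoc line stating that `removeAttribute` is the action taken for attributes whose policy entry has no `onInvalid` would also help whoever maintains the policy XML.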
[GitHub] [sling-org-apache-sling-resourceresolver] rombert commented on a diff in pull request #78: Various improvements for the webconsole plugin
rombert commented on code in PR #78: URL: https://github.com/apache/sling-org-apache-sling-resourceresolver/pull/78#discussion_r941330770 ## src/main/java/org/apache/sling/resourceresolver/impl/console/ResourceResolverWebConsolePlugin.java: ## @@ -255,19 +278,42 @@ protected void doPost(HttpServletRequest request, // finally redirect final String path = request.getContextPath() + request.getServletPath() + request.getPathInfo(); -final String redirectTo; +String redirectTo; if (msg == null) { redirectTo = path; } else { redirectTo = path + '?' + PAR_MSG + '=' + encodeParam(msg) + '&' + PAR_TEST + '=' + encodeParam(test); +if ( user != null && user.length() > 0 ) { +redirectTo += '&' + PAR_USER + '=' + encodeParam(user); +} } response.sendRedirect(redirectTo); } +private ResourceResolver getImpersonatedResourceResolver(HttpServletRequest request, final String user) +throws LoginException { + +// resolver is set by the auth.core bundle in case of successful authentication, so it should +// always be there +Object resolverAttribute = request.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER); Review Comment: Looking at the Oak implementation, I see that impersonation works if either: - the impersonator is an admin - the impersonator is included in the `rep:impersonators` property of the impersonated user https://github.com/apache/jackrabbit-oak/blob/a90566744551246535f65c2aefc5a44fd5275490/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/ImpersonationImpl.java#L125-L146 I am not sure if either of these is possible or desirable for a service user. Do you see another way?
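Review bot: the visible part of `getImpersonatedResourceResolver` only fetches `AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER`, with a comment that it "should always be there"; if the attribute can be missing or of an unexpected type, fail explicitly with a `LoginException` carrying a clear message rather than letting a later cast blow up. Because this path lets a web console user obtain a resolver acting as another principal, the impersonation (authenticated user and target `user`) should be logged at info level for audit, and the `user` parameter validated before it reaches the login call; the redirect part of the hunk is fine, since `user` is routed through `encodeParam` before being appended to the URL.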
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941319783 ## src/main/java/org/apache/sling/xss/impl/xml/Property.java: ## 
@@ -0,0 +1,123 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~*/ +package org.apache.sling.xss.impl.xml; + +import java.util.Collections; +import java.util.List; +import java.util.regex.Pattern; +import java.util.stream.Collectors; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlElementWrapper; +import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty; + +public class Property { +private String name; +private String description; +private String defaultValue; + +@JacksonXmlElementWrapper(localName = "regexp-list") +private List regexpList; + +@JacksonXmlElementWrapper(localName = "literal-list") +private List literalList; + +@JacksonXmlElementWrapper(localName = "category-list") +private List categoryList; + +@JacksonXmlElementWrapper(localName = "shorthand-list") +private List shorthandList; + +private String onInvalid; + +@JsonCreator +public Property(@JacksonXmlProperty(localName = "name", isAttribute = true) String name, +@JacksonXmlProperty(localName = "regexp") List allowedRegexp3, +@JacksonXmlProperty(localName = "literal") List allowedValue, +@JacksonXmlProperty(localName = "shorthand") List shortHandRefs, 
+@JacksonXmlProperty(localName = "description", isAttribute = true) String description, +@JacksonXmlProperty(localName = "onInvalid", isAttribute = true) String onInvalidStr, +@JacksonXmlProperty(isAttribute = true, localName = "default") String defaultValue) { + +this.name = name; +this.description = description; +this.onInvalid = onInvalidStr; +this.regexpList = allowedRegexp3; +this.literalList = allowedValue; +this.shorthandList = shortHandRefs; +this.defaultValue = defaultValue; +} + +public List getCategoryList() { +return categoryList; +} + +public String getDefaultValue() { +return defaultValue; +} + +public String getDescription() { +return description; +} + +public List getLiteralList() { +return literalList; +} + +public String getName() { +return name; +} + +public List getRegexpList() { +return regexpList; +} + +public List getShorthandList() { +return shorthandList; +} + +public List getShorthands() { +// reads out the shorthands and creats a list out of it + +return shorthandList != null ? shorthandList.stream().map(shorthand -> shorthand.getName()) +.collect(Collectors.toList()) : Collections.emptyList(); +} + +public List getLiterals() { +// reads out the literals and creats a list out of it Review Comment: Resolved: 703ba675cb7d0c47b97b0d0c3190a605bd62491c ## src/main/java/org/apache/sling/xss/impl/xml/Property.java: ## 
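Review bot: `categoryList` is declared with a `category-list` wrapper but is not a parameter of the `@JsonCreator` constructor and is never assigned in it, so unless Jackson is expected to populate the annotated private field directly, `getCategoryList()` returns `null`; either add it to the constructor like the other three lists or add a comment stating how it gets populated. Minor style points in the same hunk: the constructor parameters `allowedRegexp3`, `allowedValue` and `shortHandRefs` should match the field names (`regexpList`, `literalList`, `shorthandList`), and the comments in `getShorthands()` and `getLiterals()` misspell "creates" as "creats".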
@@ -0,0 +1,123 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941317856 ## src/main/java/org/apache/sling/xss/impl/xml/Policy.java: ## 
@@ -0,0 +1,391 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~*/ +package org.apache.sling.xss.impl.xml; + +import java.io.IOException; +import java.io.InputStream; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collections; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.regex.Pattern; + +import javax.xml.stream.XMLInputFactory; +import javax.xml.stream.XMLStreamException; +import javax.xml.stream.XMLStreamReader; + +import org.apache.sling.xss.impl.PolicyException; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.ctc.wstx.stax.WstxInputFactory; +import com.ctc.wstx.stax.WstxOutputFactory; +import com.fasterxml.jackson.dataformat.xml.XmlMapper; + +public class Policy { Review Comment: Resolved: b0c3a9665db74e25c2d1b17a96b597f5287a402e 81cc4a4f07ce77e8ac383fe3263a0787a2ffa447 4025459107514e4c3aa8a3fb45a8c3b7da72c1c4 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. 
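Review bot: the imports show `Policy` parsing the policy XML with an `XMLInputFactory`/`WstxInputFactory` and an `XmlMapper`, but the hunk does not show how the factory is configured; make sure `XMLInputFactory.SUPPORT_DTD` and `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES` are both set to `false` on the factory before it is used, since a policy file loaded from the repository or a configuration bundle is exactly where an external-entity or entity-expansion problem would otherwise slip in, and add a test that feeds a policy with a DOCTYPE to confirm it is rejected. `java.util.Arrays`, `java.util.regex.Pattern` and `WstxOutputFactory` look unused in what is shown and should be dropped if the rest of the file does not need them.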
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941312159 ## src/main/java/org/apache/sling/xss/impl/AntiSamyHtmlSanitizer.java: ## 
@@ -0,0 +1,95 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~*/ +package org.apache.sling.xss.impl; + +import java.lang.reflect.Field; + +import org.apache.sling.xss.impl.xml.Policy; +import org.owasp.html.DynamicAttributesSanitizerPolicy; +import org.owasp.html.Handler; +import org.owasp.html.HtmlSanitizer; +import org.owasp.html.HtmlStreamEventReceiver; +import org.owasp.html.HtmlStreamRenderer; +import org.owasp.html.PolicyFactory; + +import com.google.common.collect.ImmutableMap; +import com.google.common.collect.ImmutableSet; + +public class AntiSamyHtmlSanitizer { + +public static final Object DOM = "DOM"; +public static final Object SAX = "SAX"; + +private CustomPolicy custumPolicy; +private ImmutableMap policies; +private ImmutableSet textContainers; + +public AntiSamyHtmlSanitizer() { +} + +public AntiSamyHtmlSanitizer(Policy policy) { +this.custumPolicy = new CustomPolicy(policy); +policies = reflectionGetPolicies(custumPolicy.getCustomPolicyFactory()); +textContainers = reflectionGetTextContainers(custumPolicy.getCustomPolicyFactory()); +} + Review Comment: Resolved: b0c3a9665db74e25c2d1b17a96b597f5287a402e -- This is an automated message from the Apache Git Service. 
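Review bot: `reflectionGetPolicies` and `reflectionGetTextContainers` (hence the `java.lang.reflect.Field` import) pull `policies` and `textContainers` out of the OWASP `PolicyFactory` through reflection on private fields; that couples the bundle to library internals that may change in any release and requires `setAccessible(true)`, which can fail under a security manager or the module system, so the coupling should at least be documented with the sanitizer version it was verified against, and preferably replaced by the `org.owasp.html` package-local approach this PR already uses for `DynamicAttributesSanitizerPolicy` or by an upstream API request. Also, `DOM` and `SAX` should be `String` constants rather than `Object`, `custumPolicy` is misspelled, and the no-arg constructor leaves `policies` and `textContainers` null.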
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941311401 ## src/main/java/org/owasp/html/DynamicAttributesSanitizerPolicy.java: ## @@ -0,0 +1,134 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~*/ +package org.owasp.html; + +import java.lang.reflect.InvocationTargetException; + +import java.lang.reflect.Method; +import java.util.List; +import java.util.ListIterator; +import java.util.Map; + +import javax.annotation.Nullable; + +import com.google.common.collect.ImmutableMap; +import com.google.common.collect.ImmutableSet; + +public class DynamicAttributesSanitizerPolicy extends ElementAndAttributePolicyBasedSanitizerPolicy { Review Comment: Resolved: b0c3a9665db74e25c2d1b17a96b597f5287a402e
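Review bot: placing `DynamicAttributesSanitizerPolicy` in `org.owasp.html` is what grants access to the package-private `ElementAndAttributePolicyBasedSanitizerPolicy`, but that only works when the OWASP sanitizer classes are loaded by the same class loader as this class (i.e. the library is embedded in the bundle rather than imported from a separate OSGi bundle), and the `java.lang.reflect.Method`/`InvocationTargetException` imports indicate additional reflective calls into the superclass; a class-level comment should spell out this dependency and the sanitizer version it was written against, and a unit test should fail loudly if the superclass or the reflected methods disappear in an upgrade. The stray blank line between the two `java.lang.reflect` imports is a minor style nit.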
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941308995 ## src/main/java/org/apache/sling/xss/impl/CustomPolicy.java: ## 
@@ -0,0 +1,265 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~*/ +package org.apache.sling.xss.impl; + +import java.lang.reflect.Field; +import java.lang.reflect.Modifier; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.regex.Pattern; + +import javax.annotation.Nullable; + +import org.apache.sling.xss.impl.style.CssValidator; +import org.apache.sling.xss.impl.xml.Attribute; +import org.apache.sling.xss.impl.xml.Policy; +import org.apache.sling.xss.impl.xml.Tag; +import org.owasp.html.AttributePolicy; +import org.owasp.html.HtmlPolicyBuilder; +import org.owasp.html.PolicyFactory; + +import com.google.common.base.Predicate; +import com.google.common.collect.ImmutableSet; + +public class CustomPolicy { +private PolicyFactory policyFactory; +private List onInvalidRemoveTagList = new ArrayList<>(); +private Map dynamicAttributesPolicyMap = new HashMap<>(); +private CssValidator cssValidator; + +public CustomPolicy(Policy policy) { +removeAttributeGuards(); +HtmlPolicyBuilder policyBuilder = new HtmlPolicyBuilder(); + +cssValidator = new CssValidator(policy.getCssPolicy()); + +// this is for the global attributes - +Map globalAttributes = 
policy.getGlobalAttributes(); +for (Attribute attribute : globalAttributes.values()) { + +if (attribute.getOnInvalid().equals("removeTag")) { +onInvalidRemoveTagList.add(attribute.getName()); +} + +if (CssValidator.STYLE_ATTRIBUTE_NAME.equals(attribute.getName())) { +// we match style tags separately + policyBuilder.allowAttributes(attribute.getName()).matching(cssValidator.newCssAttributePolicy()) +.globally(); +} else { +List allowedValuesFromAttribute = attribute.getLiterals(); +if (allowedValuesFromAttribute != null && allowedValuesFromAttribute.size() > 0) { +for (String allowedValue : allowedValuesFromAttribute) { + policyBuilder.allowAttributes(attribute.getName()).matching(true, allowedValue).globally(); +} + +} +List regexsFromAttribute = attribute.getPatternList(); +if (regexsFromAttribute != null && regexsFromAttribute.size() > 0) { + policyBuilder.allowAttributes(attribute.getName()).matching(matchesToPatterns(regexsFromAttribute)) +.globally(); +} else { + policyBuilder.allowAttributes(attribute.getName()).globally(); +} + +} +} + +// this is for the allowed emty tags - +List allowedEmptyTags = policy.getAllowedEmptyTags(); +for (String allowedEmptyTag : allowedEmptyTags) { +policyBuilder.allowWithoutAttributes(allowedEmptyTag); +} + +// this is for the tag rules - +Map tagMap = policy.getTagRules(); +for (Map.Entry tag : tagMap.entrySet()) { + +String tagAction = tag.getValue().getAction(); +switch (tagAction) { +// Tag.action +case "truncate": +policyBuilder.allowElements(tag.getValue().getName()); + +break; +// filter: remove tags, but keep content, +case "filter": +break; +// remove: remove tag and contents +case "remove": +policyBuilder.disallowElements(tag.getValue().getName()); +break; + +// validate is also the default +// validate: keep content as long as it passes rules,
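Review bot: in the global-attribute loop the literal and regexp branches are not exclusive, so an attribute that declares literals but no regexps falls through to the final `else` and is allowed with no value restriction at all (`policyBuilder.allowAttributes(attribute.getName()).globally();`), which undoes the literal allow-list unless the builder combines the two policies conjunctively. Restructure as one if / else-if / else chain: literals, then patterns, then the unrestricted allow only when neither exists. In the same block `matching(true, allowedValue)` is invoked once per literal inside the for loop; if HtmlPolicyBuilder joins repeated policies for the same attribute, an attribute with two or more literals ends up with a policy that no single value satisfies, so pass the whole list in one `matching(true, ...)` call and add a test with two literals. Also `attribute.getOnInvalid().equals("removeTag")` throws when onInvalid is absent from the policy XML; write it as `"removeTag".equals(attribute.getOnInvalid())`.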
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941308409 ## src/main/java/org/apache/sling/xss/impl/HtmlToHtmlContentContext.java: ## @@ -62,21 +58,17 @@ public boolean check(final PolicyHandler policyHandler, final String str) { * @see XSSFilterRule#filter(PolicyHandler, java.lang.String) */ @Override -public String filter(final PolicyHandler policyHandler, final String str) { -if (StringUtils.isNotEmpty(str)) { +public String filter(final PolicyHandler policyHandler, final String malicousString) { Review Comment: Resolved: 7d9e82449f514b2fce6ba4c3aa4ec0df70daf8bb
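Review bot: the renamed parameter `malicousString` is misspelled, and the name asserts that the input is malicious, which this filter cannot know; keep `str` or use a neutral name such as `input`. The hunk also drops the `StringUtils.isNotEmpty(str)` guard at the top of `filter` while the replacement body is outside the shown lines, so confirm that null and empty input still return early instead of reaching the sanitizer, and cover both cases in a test.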
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941307584 ## src/main/java/org/apache/sling/xss/impl/AntiSamyHtmlSanitizer.java: ## @@ -0,0 +1,95 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~*/ +package org.apache.sling.xss.impl; + +import java.lang.reflect.Field; + +import org.apache.sling.xss.impl.xml.Policy; +import org.owasp.html.DynamicAttributesSanitizerPolicy; +import org.owasp.html.Handler; +import org.owasp.html.HtmlSanitizer; +import org.owasp.html.HtmlStreamEventReceiver; +import org.owasp.html.HtmlStreamRenderer; +import org.owasp.html.PolicyFactory; + +import com.google.common.collect.ImmutableMap; +import com.google.common.collect.ImmutableSet; + +public class AntiSamyHtmlSanitizer { + +public static final Object DOM = "DOM"; Review Comment: Resolved: 7d9e82449f514b2fce6ba4c3aa4ec0df70daf8bb
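Review bot: `public static final Object DOM = "DOM";` declares a String constant with static type Object, which loses type checking wherever it is compared or used as a key; declare it as `String`, or as an enum if further modes are planned. The `java.lang.reflect.Field` import next to the org.owasp.html types indicates reflective access to the sanitizer's internals; put a comment at the call site naming the field being reached and why, so the dependency is visible at the next library upgrade.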
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941281851 ## src/main/java/org/apache/sling/xss/impl/xml/Property.java: ## 
@@ -0,0 +1,123 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~*/ +package org.apache.sling.xss.impl.xml; + +import java.util.Collections; +import java.util.List; +import java.util.regex.Pattern; +import java.util.stream.Collectors; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlElementWrapper; +import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty; + +public class Property { +private String name; +private String description; +private String defaultValue; + +@JacksonXmlElementWrapper(localName = "regexp-list") +private List regexpList; + +@JacksonXmlElementWrapper(localName = "literal-list") +private List literalList; + +@JacksonXmlElementWrapper(localName = "category-list") +private List categoryList; + +@JacksonXmlElementWrapper(localName = "shorthand-list") +private List shorthandList; + +private String onInvalid; + +@JsonCreator +public Property(@JacksonXmlProperty(localName = "name", isAttribute = true) String name, +@JacksonXmlProperty(localName = "regexp") List allowedRegexp3, +@JacksonXmlProperty(localName = "literal") List allowedValue, +@JacksonXmlProperty(localName = "shorthand") List shortHandRefs, 
+@JacksonXmlProperty(localName = "description", isAttribute = true) String description, +@JacksonXmlProperty(localName = "onInvalid", isAttribute = true) String onInvalidStr, +@JacksonXmlProperty(isAttribute = true, localName = "default") String defaultValue) { + +this.name = name; +this.description = description; +this.onInvalid = onInvalidStr; +this.regexpList = allowedRegexp3; +this.literalList = allowedValue; +this.shorthandList = shortHandRefs; +this.defaultValue = defaultValue; +} + +public List getCategoryList() { +return categoryList; +} + +public String getDefaultValue() { +return defaultValue; +} + +public String getDescription() { +return description; +} + +public List getLiteralList() { +return literalList; +} + +public String getName() { +return name; +} + +public List getRegexpList() { +return regexpList; +} + +public List getShorthandList() { +return shorthandList; +} + +public List getShorthands() { +// reads out the shorthands and creats a list out of it + +return shorthandList != null ? shorthandList.stream().map(shorthand -> shorthand.getName()) +.collect(Collectors.toList()) : Collections.emptyList(); +} + +public List getLiterals() { +// reads out the literals and creats a list out of it +return literalList.stream().map(literal -> literal.getValue()) +.collect(Collectors.toList()); +} + +public String getOnInvalid() { +if (onInvalid != null && onInvalid.length() > 0) { Review Comment: Resolved: 7d9e82449f514b2fce6ba4c3aa4ec0df70daf8bb
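Review bot: `getLiterals()` calls `literalList.stream()` with no null check, while `getShorthands()` guards `shorthandList != null`; a property whose XML has no literal-list will throw here, so mirror the shorthand handling and return `Collections.emptyList()`. `categoryList` is never assigned by the @JsonCreator constructor (there is no category parameter), so `getCategoryList()` always returns null; add the parameter or drop the field. Naming: `allowedRegexp3` looks like a leftover, and "creats" appears in two comments.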
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941280635 ## src/main/java/org/apache/sling/xss/impl/style/BatikCssCleaner.java: ## @@ -0,0 +1,83 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~*/ +package org.apache.sling.xss.impl.style; + +import java.io.IOException; +import java.io.StringReader; + +import org.apache.batik.css.parser.Parser; +import org.apache.sling.xss.impl.xml.Policy.CssPolicy; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.w3c.css.sac.CSSException; +import org.w3c.css.sac.InputSource; + +public class BatikCssCleaner { + +private final Logger logger = LoggerFactory.getLogger(getClass()); + +private static final String CDATA_PRE = ""; +private final CssPolicy cssPolicy; + Review Comment: Resolved: 7d9e82449f514b2fce6ba4c3aa4ec0df70daf8bb
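Review bot: `CDATA_PRE` is initialised to the empty string as shown; if it is meant to be the CDATA opener that gets stripped from embedded style sheets before they reach the Batik parser, an empty prefix turns that stripping into a no-op, so confirm the intended value and add a test that feeds a CDATA-wrapped stylesheet through the cleaner.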
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941277947 ## src/main/java/org/apache/sling/xss/impl/xml/Policy.java: ## 
@@ -0,0 +1,391 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~*/ +package org.apache.sling.xss.impl.xml; + +import java.io.IOException; +import java.io.InputStream; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collections; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.regex.Pattern; + +import javax.xml.stream.XMLInputFactory; +import javax.xml.stream.XMLStreamException; +import javax.xml.stream.XMLStreamReader; + +import org.apache.sling.xss.impl.PolicyException; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.ctc.wstx.stax.WstxInputFactory; +import com.ctc.wstx.stax.WstxOutputFactory; +import com.fasterxml.jackson.dataformat.xml.XmlMapper; + +public class Policy { + +private static final String DIRECTIVE_EMBED_STYLE_SHEETS = "embedStyleSheets"; + +public static class CssPolicy { + +private final Map cssRules; +private final IncludeExcludeMatcher elementMatcher; +private final IncludeExcludeMatcher classMatcher; +private final IncludeExcludeMatcher idMatcher; +private final IncludeExcludeMatcher pseudoElementMatcher; +private final IncludeExcludeMatcher attributeMatcher; + +public CssPolicy(Map cssrules, 
Map commonRegExps, Map directives) { +this.cssRules = Collections.unmodifiableMap(cssrules); +this.elementMatcher = new IncludeExcludeMatcher(commonRegExps.get("cssElementSelector"), +commonRegExps.get("cssElementExclusion")); +this.classMatcher = new IncludeExcludeMatcher(commonRegExps.get("cssClassSelector"), +commonRegExps.get("cssClassExclusion")); +this.idMatcher = new IncludeExcludeMatcher(commonRegExps.get("cssIDSelector"), +commonRegExps.get("cssIDExclusion")); +this.pseudoElementMatcher = new IncludeExcludeMatcher(commonRegExps.get("cssPseudoElementSelector"), +commonRegExps.get("cssPseudoElementExclusion")); +this.attributeMatcher = new IncludeExcludeMatcher(commonRegExps.get("cssAttributeSelector"), +commonRegExps.get("cssAttributeExclusion")); +} + +public Map getCssRules() { +return cssRules; +} + +public boolean isValidElementName(String name) { +return elementMatcher.matches(name); +} + +public boolean isValidClassName(String name) { +return classMatcher.matches(name); +} + +public boolean isValidId(String name) { +return idMatcher.matches(name); +} + +public boolean isValidPseudoElementName(String name) { +return pseudoElementMatcher.matches(name); +} + +public boolean isValidAttributeSelector(String name) { +return attributeMatcher.matches(name); +} +} + +protected final Map commonRegularExpressions = new HashMap<>(); +protected final Map commonAttributes = new HashMap<>(); +protected final Map tagRules = new HashMap<>(); +protected final Map cssRules = new HashMap<>(); +protected final Map directives = new HashMap<>(); +protected final Map globalAttributes = new HashMap<>(); +protected final Map dynamicAttributes = new HashMap<>(); +protected List allowedEmptyTags = new ArrayList<>(); +protected final List requireClosingTags = new ArrayList<>(); + +private final Logger logger = LoggerFactory.getLogger(getClass()); + +public Map getDirectives() { +return directives; +} + +public List getRequireClosingTags() { +return requireClosingTags; +} + 
+public Map getCommonRegularExpressions() { +return commonRegularExpressions; +} + +public Map getGlobalAttributes() { +
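Review bot: the hunk imports javax.xml.stream.XMLInputFactory, WstxInputFactory and XmlMapper for reading the policy XML, but the factory configuration lies outside the shown lines; confirm that DTD processing and external entity resolution are disabled on the XMLInputFactory before it is handed to the XmlMapper, since an XXE-capable parser for the policy file is exposure the bundle does not need. Consistency: `CssPolicy` wraps its rules in `Collections.unmodifiableMap`, while `getDirectives()` and `getRequireClosingTags()` hand out the mutable internal collections; return unmodifiable views from both. `allowedEmptyTags` is the only non-final collection field in the class; make it final unless it is reassigned later. Each `commonRegExps.get("css...")` can return null when the policy omits that regex, so check what IncludeExcludeMatcher does with a null argument.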
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941276440 ## src/main/java/org/apache/sling/xss/impl/CustomPolicy.java: ## 
@@ -0,0 +1,265 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~*/ +package org.apache.sling.xss.impl; + +import java.lang.reflect.Field; +import java.lang.reflect.Modifier; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.regex.Pattern; + +import javax.annotation.Nullable; + +import org.apache.sling.xss.impl.style.CssValidator; +import org.apache.sling.xss.impl.xml.Attribute; +import org.apache.sling.xss.impl.xml.Policy; +import org.apache.sling.xss.impl.xml.Tag; +import org.owasp.html.AttributePolicy; +import org.owasp.html.HtmlPolicyBuilder; +import org.owasp.html.PolicyFactory; + +import com.google.common.base.Predicate; +import com.google.common.collect.ImmutableSet; + +public class CustomPolicy { +private PolicyFactory policyFactory; +private List onInvalidRemoveTagList = new ArrayList<>(); +private Map dynamicAttributesPolicyMap = new HashMap<>(); +private CssValidator cssValidator; + +public CustomPolicy(Policy policy) { +removeAttributeGuards(); +HtmlPolicyBuilder policyBuilder = new HtmlPolicyBuilder(); + +cssValidator = new CssValidator(policy.getCssPolicy()); + +// this is for the global attributes - +Map globalAttributes = 
policy.getGlobalAttributes(); +for (Attribute attribute : globalAttributes.values()) { + +if (attribute.getOnInvalid().equals("removeTag")) { +onInvalidRemoveTagList.add(attribute.getName()); +} + +if (CssValidator.STYLE_ATTRIBUTE_NAME.equals(attribute.getName())) { +// we match style tags separately + policyBuilder.allowAttributes(attribute.getName()).matching(cssValidator.newCssAttributePolicy()) +.globally(); +} else { +List allowedValuesFromAttribute = attribute.getLiterals(); +if (allowedValuesFromAttribute != null && allowedValuesFromAttribute.size() > 0) { +for (String allowedValue : allowedValuesFromAttribute) { + policyBuilder.allowAttributes(attribute.getName()).matching(true, allowedValue).globally(); +} + +} +List regexsFromAttribute = attribute.getPatternList(); +if (regexsFromAttribute != null && regexsFromAttribute.size() > 0) { + policyBuilder.allowAttributes(attribute.getName()).matching(matchesToPatterns(regexsFromAttribute)) +.globally(); +} else { + policyBuilder.allowAttributes(attribute.getName()).globally(); +} + +} +} + +// this is for the allowed emty tags - +List allowedEmptyTags = policy.getAllowedEmptyTags(); +for (String allowedEmptyTag : allowedEmptyTags) { +policyBuilder.allowWithoutAttributes(allowedEmptyTag); +} + +// this is for the tag rules - +Map tagMap = policy.getTagRules(); +for (Map.Entry tag : tagMap.entrySet()) { + +String tagAction = tag.getValue().getAction(); +switch (tagAction) { +// Tag.action +case "truncate": +policyBuilder.allowElements(tag.getValue().getName()); + +break; +// filter: remove tags, but keep content, +case "filter": Review Comment: Resolved: 1eebd8227f8ec90fef211eaad9cbcdb7ded10c03 ## src/main/java/org/apache/sling/xss/impl/CustomPolicy.java: ## @@ -0,0 +1,265 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941276065 ## src/main/java/org/apache/sling/xss/impl/CustomPolicy.java: ## 
@@ -0,0 +1,265 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~*/ +package org.apache.sling.xss.impl; + +import java.lang.reflect.Field; +import java.lang.reflect.Modifier; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.regex.Pattern; + +import javax.annotation.Nullable; + +import org.apache.sling.xss.impl.style.CssValidator; +import org.apache.sling.xss.impl.xml.Attribute; +import org.apache.sling.xss.impl.xml.Policy; +import org.apache.sling.xss.impl.xml.Tag; +import org.owasp.html.AttributePolicy; +import org.owasp.html.HtmlPolicyBuilder; +import org.owasp.html.PolicyFactory; + +import com.google.common.base.Predicate; +import com.google.common.collect.ImmutableSet; + +public class CustomPolicy { +private PolicyFactory policyFactory; +private List onInvalidRemoveTagList = new ArrayList<>(); +private Map dynamicAttributesPolicyMap = new HashMap<>(); +private CssValidator cssValidator; + +public CustomPolicy(Policy policy) { +removeAttributeGuards(); +HtmlPolicyBuilder policyBuilder = new HtmlPolicyBuilder(); + +cssValidator = new CssValidator(policy.getCssPolicy()); + +// this is for the global attributes - +Map globalAttributes = 
policy.getGlobalAttributes(); +for (Attribute attribute : globalAttributes.values()) { + +if (attribute.getOnInvalid().equals("removeTag")) { +onInvalidRemoveTagList.add(attribute.getName()); +} + +if (CssValidator.STYLE_ATTRIBUTE_NAME.equals(attribute.getName())) { +// we match style tags separately + policyBuilder.allowAttributes(attribute.getName()).matching(cssValidator.newCssAttributePolicy()) +.globally(); +} else { +List allowedValuesFromAttribute = attribute.getLiterals(); +if (allowedValuesFromAttribute != null && allowedValuesFromAttribute.size() > 0) { +for (String allowedValue : allowedValuesFromAttribute) { + policyBuilder.allowAttributes(attribute.getName()).matching(true, allowedValue).globally(); +} + +} +List regexsFromAttribute = attribute.getPatternList(); +if (regexsFromAttribute != null && regexsFromAttribute.size() > 0) { + policyBuilder.allowAttributes(attribute.getName()).matching(matchesToPatterns(regexsFromAttribute)) +.globally(); +} else { + policyBuilder.allowAttributes(attribute.getName()).globally(); +} + +} +} + +// this is for the allowed emty tags - +List allowedEmptyTags = policy.getAllowedEmptyTags(); +for (String allowedEmptyTag : allowedEmptyTags) { +policyBuilder.allowWithoutAttributes(allowedEmptyTag); +} + +// this is for the tag rules - +Map tagMap = policy.getTagRules(); +for (Map.Entry tag : tagMap.entrySet()) { + +String tagAction = tag.getValue().getAction(); +switch (tagAction) { +// Tag.action +case "truncate": Review Comment: Resolved: 1eebd8227f8ec90fef211eaad9cbcdb7ded10c03 ## src/main/java/org/apache/sling/xss/impl/CustomPolicy.java: ## @@ -0,0 +1,265 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941273357 ## src/main/java/org/apache/sling/xss/impl/CustomPolicy.java: ## 
@@ -0,0 +1,265 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~*/ +package org.apache.sling.xss.impl; + +import java.lang.reflect.Field; +import java.lang.reflect.Modifier; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.regex.Pattern; + +import javax.annotation.Nullable; + +import org.apache.sling.xss.impl.style.CssValidator; +import org.apache.sling.xss.impl.xml.Attribute; +import org.apache.sling.xss.impl.xml.Policy; +import org.apache.sling.xss.impl.xml.Tag; +import org.owasp.html.AttributePolicy; +import org.owasp.html.HtmlPolicyBuilder; +import org.owasp.html.PolicyFactory; + +import com.google.common.base.Predicate; +import com.google.common.collect.ImmutableSet; + +public class CustomPolicy { +private PolicyFactory policyFactory; +private List onInvalidRemoveTagList = new ArrayList<>(); +private Map dynamicAttributesPolicyMap = new HashMap<>(); +private CssValidator cssValidator; + +public CustomPolicy(Policy policy) { +removeAttributeGuards(); +HtmlPolicyBuilder policyBuilder = new HtmlPolicyBuilder(); + +cssValidator = new CssValidator(policy.getCssPolicy()); + +// this is for the global attributes - +Map globalAttributes = 
policy.getGlobalAttributes(); +for (Attribute attribute : globalAttributes.values()) { + +if (attribute.getOnInvalid().equals("removeTag")) { +onInvalidRemoveTagList.add(attribute.getName()); +} + +if (CssValidator.STYLE_ATTRIBUTE_NAME.equals(attribute.getName())) { +// we match style tags separately + policyBuilder.allowAttributes(attribute.getName()).matching(cssValidator.newCssAttributePolicy()) +.globally(); +} else { +List allowedValuesFromAttribute = attribute.getLiterals(); +if (allowedValuesFromAttribute != null && allowedValuesFromAttribute.size() > 0) { +for (String allowedValue : allowedValuesFromAttribute) { + policyBuilder.allowAttributes(attribute.getName()).matching(true, allowedValue).globally(); +} + +} +List regexsFromAttribute = attribute.getPatternList(); +if (regexsFromAttribute != null && regexsFromAttribute.size() > 0) { + policyBuilder.allowAttributes(attribute.getName()).matching(matchesToPatterns(regexsFromAttribute)) +.globally(); +} else { + policyBuilder.allowAttributes(attribute.getName()).globally(); +} + +} +} + +// this is for the allowed emty tags - +List allowedEmptyTags = policy.getAllowedEmptyTags(); +for (String allowedEmptyTag : allowedEmptyTags) { +policyBuilder.allowWithoutAttributes(allowedEmptyTag); +} + +// this is for the tag rules - +Map tagMap = policy.getTagRules(); +for (Map.Entry tag : tagMap.entrySet()) { + +String tagAction = tag.getValue().getAction(); +switch (tagAction) { +// Tag.action +case "truncate": +policyBuilder.allowElements(tag.getValue().getName()); + +break; +// filter: remove tags, but keep content, +case "filter": +break; +// remove: remove tag and contents +case "remove": +policyBuilder.disallowElements(tag.getValue().getName()); +break; + +// validate is also the default +// validate: keep content as long as it passes rules,
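Review bot: `removeAttributeGuards()` is called first thing in the constructor, and together with the java.lang.reflect.Field and Modifier imports its name suggests that a safeguard inside the sanitizer library is being disabled by reflection; this needs a comment at the call site stating exactly which guard is removed, why the policy still holds without it, and a test that pins the behaviour, because a reviewer cannot judge the sanitizer's effective strength from this hunk otherwise. The `case "filter": break;` branch implements "remove tag, keep content" only by relying on the sanitizer's default treatment of elements that are never allowed; say so in the comment (the trailing `// Tag.action` explains nothing) and cover it with a test so a change in that default does not silently alter filter semantics. Typo in a comment: "emty".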
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941272671 ## src/main/java/org/apache/sling/xss/impl/CleanResults.java: ## @@ -0,0 +1,52 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~*/ +package org.apache.sling.xss.impl; + +import java.util.List; +import java.util.concurrent.Callable; + +public class CleanResults { Review Comment: Resolved: d43c597859057a4b0cd955cff3403b5e1ea9e24e
[jira] [Commented] (SLING-11521) Clean up Engine code
[ https://issues.apache.org/jira/browse/SLING-11521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17577383#comment-17577383 ]

Carsten Ziegeler commented on SLING-11521:
--

Removed commons.osgi; cleaned up code around filter handling: https://github.com/apache/sling-org-apache-sling-engine/commit/31eafb67fc0514cf39aea8208c16b87916bc8882

> Clean up Engine code
>
> Key: SLING-11521
> URL: https://issues.apache.org/jira/browse/SLING-11521
> Project: Sling
> Issue Type: Improvement
> Components: Engine
> Reporter: Carsten Ziegeler
> Assignee: Carsten Ziegeler
> Priority: Major
> Fix For: Engine 2.10.4
>
> The engine has grown over time and has been rewritten partially. As not all
> code has been rewritten, the unchanged parts make assumptions which no longer
> hold true: for example code still expects null to be returned by some method
> while that no longer applies etc.
> In addition we should replace usage of commons.osgi with the OSGi converter

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941270439 ## src/main/java/org/apache/sling/xss/impl/xml/Attribute.java: ## 
@@ -0,0 +1,142 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~*/ +package org.apache.sling.xss.impl.xml; + +import java.util.List; +import java.util.regex.Pattern; +import java.util.stream.Collectors; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlElementWrapper; +import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty; + +public class Attribute { + +private String name = null; +private String description = null; +private String onInvalid = null; + +@JacksonXmlElementWrapper(localName = "regexp-list") +private List regexpList = null; + +@JacksonXmlElementWrapper(localName = "literal-list") +private List literalList = null; + +// private List patternList = regexpList.stream().map(regexp -> +// regexp.getPattern()) +// .collect(Collectors.toList()); + +@JsonCreator +public Attribute(@JacksonXmlProperty(localName = "name", isAttribute = true) String name, +// @JacksonXmlElementWrapper(localName = "regexp-list") +@JacksonXmlProperty(localName = "regexp") List allowedRegexps, +// @JacksonXmlElementWrapper(localName = "literal-list") +@JacksonXmlProperty(localName = "literal") List allowedValues, 
+@JacksonXmlProperty(localName = "onInvalid", isAttribute = true) String onInvalid, +@JacksonXmlProperty(localName = "description", isAttribute = true) String description) { +this.name = name; +this.description = description; +this.onInvalid = onInvalid; +this.regexpList = allowedRegexps; +this.literalList = allowedValues; +} + +@Override +public String toString() { +return "Attribute - name: " + name + ", description " + description + ", onInvalid " + onInvalid ++ ", allowedRegexlist: " ++ regexpList.size() + ", literals " + literalList; +} + +public String getOnInvalid() { +if (onInvalid != null && onInvalid.length() > 0) { +return onInvalid; Review Comment: Resolved: 797785e89b5f748652c2c1d8075bf1fd1de1a1c1
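Review bot: `toString()` dereferences `regexpList.size()` although the field is initialised to `null` and the `@JsonCreator` constructor stores whatever Jackson hands it, so an attribute declared without a `<regexp-list>` throws a `NullPointerException` the first time it is logged. Default both lists in the constructor when the argument is null, e.g. `this.regexpList = allowedRegexps != null ? allowedRegexps : Collections.emptyList();` and the same for `literalList`; the getters then always return a list and callers such as the policy builder can drop their own null checks.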
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941269559 ## src/main/java/org/apache/sling/xss/impl/xml/Attribute.java: ## @@ -0,0 +1,142 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~*/ +package org.apache.sling.xss.impl.xml; + +import java.util.List; +import java.util.regex.Pattern; +import java.util.stream.Collectors; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlElementWrapper; +import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty; + +public class Attribute { + +private String name = null; Review Comment: Resolved: 797785e89b5f748652c2c1d8075bf1fd1de1a1c1
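Review bot: the explicit `= null` initialiser on `name` is redundant, and since the field is only assigned in the `@JsonCreator` constructor it can be declared `final`, which keeps a parsed policy immutable once loaded. The `java.util.regex.Pattern` and `java.util.stream.Collectors` imports have no use in the visible class body; drop them unless a later part of the file needs them.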
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941264491 ## src/main/java/org/apache/sling/xss/impl/xml/Attribute.java: ## 
@@ -0,0 +1,142 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~*/ +package org.apache.sling.xss.impl.xml; + +import java.util.List; +import java.util.regex.Pattern; +import java.util.stream.Collectors; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlElementWrapper; +import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty; + +public class Attribute { + +private String name = null; +private String description = null; +private String onInvalid = null; + +@JacksonXmlElementWrapper(localName = "regexp-list") +private List regexpList = null; + +@JacksonXmlElementWrapper(localName = "literal-list") +private List literalList = null; + +// private List patternList = regexpList.stream().map(regexp -> +// regexp.getPattern()) +// .collect(Collectors.toList()); + +@JsonCreator +public Attribute(@JacksonXmlProperty(localName = "name", isAttribute = true) String name, +// @JacksonXmlElementWrapper(localName = "regexp-list") +@JacksonXmlProperty(localName = "regexp") List allowedRegexps, +// @JacksonXmlElementWrapper(localName = "literal-list") Review Comment: Resolved: 807bdfe57e41b35cd1916eff93038686a30b93c2
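Review bot: remove the commented-out `patternList` field and the commented-out `@JacksonXmlElementWrapper(localName = "regexp-list")` / `"literal-list"` lines in front of the creator parameters instead of leaving them as dead code. If the wrapper annotation has to live on the field because it cannot be applied to the constructor parameter, say so in a short comment next to the field; otherwise the next reader will assume the `regexp` and `literal` creator parameters are missing their wrappers and "fix" it.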
[GitHub] [sling-org-apache-sling-xss] nonanalou commented on a diff in pull request #28: SLING-7231 Move to owasp sanitizer library
nonanalou commented on code in PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r941264070 ## src/main/java/org/apache/sling/xss/impl/xml/Attribute.java: ## @@ -0,0 +1,142 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~*/ +package org.apache.sling.xss.impl.xml; + +import java.util.List; +import java.util.regex.Pattern; +import java.util.stream.Collectors; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlElementWrapper; +import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty; + +public class Attribute { + +private String name = null; +private String description = null; +private String onInvalid = null; + +@JacksonXmlElementWrapper(localName = "regexp-list") +private List regexpList = null; + +@JacksonXmlElementWrapper(localName = "literal-list") +private List literalList = null; + +// private List patternList = regexpList.stream().map(regexp -> Review Comment: Resolved: 807bdfe57e41b35cd1916eff93038686a30b93c2 ## src/main/java/org/apache/sling/xss/impl/xml/Attribute.java: ## 
@@ -0,0 +1,142 @@ +/*~~ + ~ Licensed to the Apache Software Foundation (ASF) under one + ~ or more contributor license agreements. See the NOTICE file + ~ distributed with this work for additional information + ~ regarding copyright ownership. The ASF licenses this file + ~ to you under the Apache License, Version 2.0 (the + ~ "License"); you may not use this file except in compliance + ~ with the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, + ~ software distributed under the License is distributed on an + ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + ~ KIND, either express or implied. See the License for the + ~ specific language governing permissions and limitations + ~ under the License. + ~*/ +package org.apache.sling.xss.impl.xml; + +import java.util.List; +import java.util.regex.Pattern; +import java.util.stream.Collectors; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlElementWrapper; +import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty; + +public class Attribute { + +private String name = null; +private String description = null; +private String onInvalid = null; + +@JacksonXmlElementWrapper(localName = "regexp-list") +private List regexpList = null; + +@JacksonXmlElementWrapper(localName = "literal-list") +private List literalList = null; + +// private List patternList = regexpList.stream().map(regexp -> +// regexp.getPattern()) +// .collect(Collectors.toList()); + +@JsonCreator +public Attribute(@JacksonXmlProperty(localName = "name", isAttribute = true) String name, +// @JacksonXmlElementWrapper(localName = "regexp-list") Review Comment: Resolved: 807bdfe57e41b35cd1916eff93038686a30b93c2
[GitHub] [sling-org-apache-sling-xss] sonarcloud[bot] commented on pull request #28: SLING-7231 Move to owasp sanitizer library
sonarcloud[bot] commented on PR #28: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/28#issuecomment-1209301709

SonarCloud Quality Gate failed (https://sonarcloud.io/dashboard?id=apache_sling-org-apache-sling-xss=28): 0 Bugs (rating A), 0 Vulnerabilities (rating A), 0 Security Hotspots (rating A), 62 Code Smells (rating A), 74.7% coverage on new code, 0.0% duplication on new code.
[Jenkins] Sling » Modules » sling-org-apache-sling-starter » master #379 is BROKEN
plugin:0.13:check (rat-check) @ org.apache.sling.starter --- [INFO] Enabled default license matchers. [INFO] Will parse SCM ignores for exclusions... [INFO] Parsing exclusions from /home/jenkins/jenkins-agent/workspace/_org-apache-sling-starter_master/jdk_17_latest/.gitignore [INFO] Finished adding exclusions from SCM ignore files. [INFO] 79 implicit excludes (use -debug for more details). [INFO] 15 explicit excludes (use -debug for more details). [INFO] 21 resources included (use -debug for more details) [INFO] Rat check: Summary over all files. Unapproved: 0, unknown: 0, generated: 0, approved: 20 licenses. [INFO] [INFO] --- docker-maven-plugin:0.39.0:stop (stop-mongo) @ org.apache.sling.starter --- [INFO] DOCKER> [apache/sling:snapshot]: Stop and removed container af96c98e888f after 0 ms [INFO] DOCKER> [mongo:4.4.6] "mongo": Stop and removed container 8fc7498f5169 after 0 ms [INFO] [INFO] --- maven-failsafe-plugin:3.0.0-M5:verify (default) @ org.apache.sling.starter --- [INFO] [INFO] BUILD FAILURE [INFO] [INFO] Total time: 07:21 min [INFO] Finished at: 2022-08-09T11:25:50Z [INFO] [INFO] [jenkins-event-spy] Generated /home/jenkins/jenkins-agent/workspace/_org-apache-sling-starter_master/jdk_17_latest@tmp/withMaven69d59778/maven-spy-20220809-111828-658898412721877476816.log [ERROR] Failed to execute goal org.apache.maven.plugins:maven-failsafe-plugin:3.0.0-M5:verify (default) on project org.apache.sling.starter: There are test failures. [ERROR] [ERROR] Please refer to /home/jenkins/jenkins-agent/workspace/_org-apache-sling-starter_master/jdk_17_latest/target/failsafe-reports for the individual test results. [ERROR] Please refer to dump files (if any exist) [date].dump, [date]-jvmRun[N].dump and [date].dumpstream. [ERROR] -> [Help 1] [ERROR] [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch. [ERROR] Re-run Maven using the -X switch to enable full debug logging. 
[ERROR] [ERROR] For more information about the errors and possible solutions, please read the following articles: [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException [Pipeline] } [withMaven] jacocoPublisher - Archive JaCoCo analysis results for Maven artifact MavenArtifact{org.apache.sling:org.apache.sling.starter:jar:13-SNAPSHOT(version: 13-SNAPSHOT, snapshot:false) } generated by PluginInvocation{org.jacoco:jacoco-maven-plugin:0.8.7@prepare-agent prepare-agent}: execFile: target/jacoco-unit.exec, sources: src/main/java, classes: target/classes [withMaven] jacocoPublisher - Archive JaCoCo analysis results for Maven artifact MavenArtifact{org.apache.sling:org.apache.sling.starter:jar:13-SNAPSHOT(version: 13-SNAPSHOT, snapshot:false) } generated by PluginInvocation{org.jacoco:jacoco-maven-plugin:0.8.7@prepare-agent prepare-agent}: execFile: target/jacoco-unit.exec, sources: src/main/java, classes: target/classes [withMaven] jacocoPublisher - Archive JaCoCo analysis results for Maven artifact MavenArtifact{org.apache.sling:org.apache.sling.starter:jar:13-SNAPSHOT(version: 13-SNAPSHOT, snapshot:false) } generated by PluginInvocation{org.jacoco:jacoco-maven-plugin:0.8.7@prepare-agent-integration prepare-agent-integration}: execFile: target/jacoco-it.exec, sources: src/main/java, classes: target/classes [JaCoCo plugin] Collecting JaCoCo coverage data... 
[JaCoCo plugin] target/jacoco-unit.exec,target/jacoco-unit.exec,target/jacoco-it.exec;target/classes,target/classes,target/classes;src/main/java,src/main/java,src/main/java; locations are configured [JaCoCo plugin] Number of found exec files for pattern target/jacoco-unit.exec,target/jacoco-unit.exec,target/jacoco-it.exec: 1 [JaCoCo plugin] Saving matched execfiles: /home/jenkins/workspace/_org-apache-sling-starter_master/jdk_1.8_latest/target/jacoco-it.exec [JaCoCo plugin] Saving matched class directories for class-pattern: target/classes,target/classes,target/classes: [JaCoCo plugin] - /home/jenkins/workspace/_org-apache-sling-starter_master/jdk_1.8_latest/target/classes 0 files [JaCoCo plugin] Saving matched source directories for source-pattern: src/main/java,src/main/java,src/main/java: [JaCoCo plugin] Source Inclusions: **/*.java,**/*.groovy,**/*.kt,**/*.kts [JaCoCo plugin] Source Exclusions: [JaCoCo plugin] Loading inclusions files.. [JaCoCo plugin] inclusions: [] [JaCoCo plugin] exclusions: [] [JaCoCo plugin] Thresholds: JacocoHealthReportThresholds [minClass=0, maxClass=0, minMethod=0, maxMethod=0, minLine=0, maxLine=0, minBranch=0, maxBranch=0, minInstruction=0, maxInstruction=0, minComplexity=0, maxComplexity=0] [JaCoCo plugin] Publishing the results.. [JaCoCo plugin] Loading packages.. [JaCoCo plugin] Done. [JaCoCo plugin] Overall c
[jira] [Created] (SLING-11521) Clean up Engine code
Carsten Ziegeler created SLING-11521:

Summary: Clean up Engine code
Key: SLING-11521
URL: https://issues.apache.org/jira/browse/SLING-11521
Project: Sling
Issue Type: Improvement
Components: Engine
Reporter: Carsten Ziegeler
Assignee: Carsten Ziegeler
Fix For: Engine 2.10.4

The engine has grown over time and has been rewritten partially. As not all code has been rewritten, the unchanged parts make assumptions which no longer hold true: for example code still expects null to be returned by some method while that no longer applies etc.
In addition we should replace usage of commons.osgi with the OSGi converter
[GitHub] [sling-org-apache-sling-resourceresolver] kwin commented on a diff in pull request #78: Various improvements for the webconsole plugin
kwin commented on code in PR #78: URL: https://github.com/apache/sling-org-apache-sling-resourceresolver/pull/78#discussion_r941071279 ## src/main/java/org/apache/sling/resourceresolver/impl/console/ResourceResolverWebConsolePlugin.java: ## @@ -255,19 +278,42 @@ protected void doPost(HttpServletRequest request, // finally redirect final String path = request.getContextPath() + request.getServletPath() + request.getPathInfo(); -final String redirectTo; +String redirectTo; if (msg == null) { redirectTo = path; } else { redirectTo = path + '?' + PAR_MSG + '=' + encodeParam(msg) + '&' + PAR_TEST + '=' + encodeParam(test); +if ( user != null && user.length() > 0 ) { +redirectTo += '&' + PAR_USER + '=' + encodeParam(user); +} } response.sendRedirect(redirectTo); } +private ResourceResolver getImpersonatedResourceResolver(HttpServletRequest request, final String user) +throws LoginException { + +// resolver is set by the auth.core bundle in case of successful authentication, so it should +// always be there +Object resolverAttribute = request.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER); Review Comment: You need to adjust privileges of the underlying technical user: https://jackrabbit.apache.org/oak/docs/security/authentication/default.html#impersonation
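An added illustration of the impersonation step the plugin needs, written for this thread and not taken from the PR: it derives an impersonated `ResourceResolver` from the caller's own resolver with the Sling API's `ResourceResolver.clone(Map)` and the `ResourceResolverFactory.USER_IMPERSONATION` key, and treats a refusal by the repository as the result to report. The class and package names are hypothetical; whether the clone succeeds is decided by the repository's impersonation rules for the calling user (administrator, or listed as an impersonator of the target), as described in the Oak documentation linked above, not by anything in this code.

```java
// Added example, not code from the resourceresolver PR. Package and class names are hypothetical.
package org.example.console;

import java.util.HashMap;
import java.util.Map;

import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;

public final class ImpersonationExample {

    private ImpersonationExample() {
    }

    /**
     * Returns a resolver that acts as {@code targetUser}, derived from the caller's own resolver.
     * The caller keeps its credentials; the repository decides whether it may impersonate the
     * target and throws {@link LoginException} ("Impersonation not allowed") if it may not.
     * The returned resolver must be closed by the caller.
     */
    public static ResourceResolver impersonate(ResourceResolver callerResolver, String targetUser)
            throws LoginException {
        if (callerResolver == null) {
            throw new IllegalArgumentException("caller resolver must not be null");
        }
        if (targetUser == null || targetUser.trim().isEmpty()) {
            throw new IllegalArgumentException("target user must not be empty");
        }
        Map<String, Object> authInfo = new HashMap<>();
        // "user.impersonation": the hint the Sling resolver factory forwards to the repository login
        authInfo.put(ResourceResolverFactory.USER_IMPERSONATION, targetUser.trim());
        return callerResolver.clone(authInfo);
    }

    /**
     * Runs one impersonated lookup and turns the outcome into a message suitable for the
     * console's result page. A refusal is reported as such; it is never retried with a
     * service or administrative resolver, which would bypass the repository's check.
     */
    public static String describeAs(ResourceResolver callerResolver, String targetUser, String path) {
        try (ResourceResolver impersonated = impersonate(callerResolver, targetUser)) {
            // getUserID() shows whose permissions the resolver now carries
            boolean visible = impersonated.getResource(path) != null;
            return "as " + impersonated.getUserID() + ": " + path
                    + (visible ? " is readable" : " is not readable (or does not exist)");
        } catch (LoginException e) {
            return "impersonation of '" + targetUser + "' refused: " + e.getMessage();
        }
    }
}
```

`describeAs` is the shape a `doPost` handler would call: the caller's resolver comes from the request attribute the hunk above reads, and the returned string is what would go into `msg` for the redirect.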
[GitHub] [sling-org-apache-sling-resourceresolver] kwin commented on a diff in pull request #78: Various improvements for the webconsole plugin
kwin commented on code in PR #78: URL: https://github.com/apache/sling-org-apache-sling-resourceresolver/pull/78#discussion_r941071279 ## src/main/java/org/apache/sling/resourceresolver/impl/console/ResourceResolverWebConsolePlugin.java: ## @@ -255,19 +278,42 @@ protected void doPost(HttpServletRequest request, // finally redirect final String path = request.getContextPath() + request.getServletPath() + request.getPathInfo(); -final String redirectTo; +String redirectTo; if (msg == null) { redirectTo = path; } else { redirectTo = path + '?' + PAR_MSG + '=' + encodeParam(msg) + '&' + PAR_TEST + '=' + encodeParam(test); +if ( user != null && user.length() > 0 ) { +redirectTo += '&' + PAR_USER + '=' + encodeParam(user); +} } response.sendRedirect(redirectTo); } +private ResourceResolver getImpersonatedResourceResolver(HttpServletRequest request, final String user) +throws LoginException { + +// resolver is set by the auth.core bundle in case of successful authentication, so it should +// always be there +Object resolverAttribute = request.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER); Review Comment: You need to adjust privileges of the underlying technical user.
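Review bot: `getImpersonatedResourceResolver` reads `AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER` into an `Object`, and the comment asserts it "should always be there"; guard the cast that has to follow with an explicit `instanceof` check and throw `LoginException` with a clear message when the attribute is missing or of another type, so that if the assumption is ever wrong the request fails with a reported error rather than a `ClassCastException` or `NullPointerException` from the console. The redirect part is fine: `user` goes through `encodeParam` like `msg` and `test`.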
Re: [VOTE] Release Apache Sling Resource Resolver 1.10.0, Apache Sling Scripting HTL JS Use Provider 1.2.8, Apache Sling Scripting HTL Engine 1.4.20-1.4.0, Apache Sling Servlets Resolver 2.9.8, Apache
+1

regards,

Karl

On Mon, Aug 8, 2022 at 6:54 PM Carsten Ziegeler wrote:
>
> +1
>
> Carsten
>
> On 08.08.2022 at 18:09, Radu Cotescu wrote:
> > Hi,
> >
> > We solved 18 issues in these releases:
> > https://issues.apache.org/jira/browse/SLING/fixforversion/12351841
> > https://issues.apache.org/jira/browse/SLING/fixforversion/12352164
> > https://issues.apache.org/jira/browse/SLING/fixforversion/12352163
> > https://issues.apache.org/jira/browse/SLING/fixforversion/12351808
> > https://issues.apache.org/jira/browse/SLING/fixforversion/12351863
> > https://issues.apache.org/jira/browse/SLING/fixforversion/12352083
> > https://issues.apache.org/jira/browse/SLING/fixforversion/12350470
> >
> > Staging repository:
> > https://repository.apache.org/content/repositories/orgapachesling-2662/
> >
> > You can use this UNIX script to download the release and verify the
> > signatures:
> > https://gitbox.apache.org/repos/asf?p=sling-tooling-release.git;a=blob;f=check_staged_release.sh;hb=HEAD
> >
> > Usage:
> > sh check_staged_release.sh 2662 /tmp/sling-staging
> >
> > Please vote to approve this release:
> >
> > [ ] +1 Approve the release
> > [ ] 0 Don't care
> > [ ] -1 Don't release, because ...
> >
> > This majority vote is open for at least 72 hours.
> >
> > Regards,
> > Radu Cotescu
>
> --
> Carsten Ziegeler
> Adobe
> cziege...@apache.org

--
Karl Pauls
karlpa...@gmail.com
[GitHub] [sling-org-apache-sling-resourceresolver] rombert commented on a diff in pull request #78: Various improvements for the webconsole plugin
rombert commented on code in PR #78: URL: https://github.com/apache/sling-org-apache-sling-resourceresolver/pull/78#discussion_r941063449 ## src/main/java/org/apache/sling/resourceresolver/impl/console/ResourceResolverWebConsolePlugin.java: ## @@ -255,19 +278,42 @@ protected void doPost(HttpServletRequest request, // finally redirect final String path = request.getContextPath() + request.getServletPath() + request.getPathInfo(); -final String redirectTo; +String redirectTo; if (msg == null) { redirectTo = path; } else { redirectTo = path + '?' + PAR_MSG + '=' + encodeParam(msg) + '&' + PAR_TEST + '=' + encodeParam(test); +if ( user != null && user.length() > 0 ) { +redirectTo += '&' + PAR_USER + '=' + encodeParam(user); +} } response.sendRedirect(redirectTo); } +private ResourceResolver getImpersonatedResourceResolver(HttpServletRequest request, final String user) +throws LoginException { + +// resolver is set by the auth.core bundle in case of successful authentication, so it should +// always be there +Object resolverAttribute = request.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER); Review Comment: If I try to set up impersonation based on the existing resolver ( https://github.com/apache/sling-org-apache-sling-resourceresolver/blob/11f26ad706a350269e27ca42a2cbcf22a4724ce1/src/main/java/org/apache/sling/resourceresolver/impl/console/ResourceResolverWebConsolePlugin.java#L246 ) I get back > Test Failure: org.apache.sling.api.resource.LoginException: Impersonation not allowed.
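Review bot: the `LoginException: Impersonation not allowed` reported above is the repository enforcing its impersonation policy for the calling user (per the Oak documentation linked in the thread, only an administrator or a user listed as an impersonator of the target may impersonate it), not a defect in `getImpersonatedResourceResolver`; handle it in `doPost` by surfacing the refusal through `msg` on the redirect, and do not work around it by cloning from a service or administrative resolver, which would make the console plugin a way to act as any user regardless of who is logged in.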
RE: [VOTE] Release Apache Sling Resource Resolver 1.10.0, Apache Sling Scripting HTL JS Use Provider 1.2.8, Apache Sling Scripting HTL Engine 1.4.20-1.4.0, Apache Sling Servlets Resolver 2.9.8, Apache
+1 stefan