This is an automated email from the ASF dual-hosted git repository. rombert pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-scripting-sightly-compiler-java.git
commit 087d83c317917eefb0be4756ef93cc06b79b0df4
Author: Radu Cotescu <[email protected]>
AuthorDate: Fri Oct 7 10:36:32 2016 +0000
SLING-6094 - HTL can generate invalid Java code by using user-supplied input
* added tests
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk@1763732 13f79535-47bb-0310-9956-ffa450edef68
---
.../java/JavaClassBackendCompilerTest.java | 88 +++++++++++++++++-----
src/test/resources/SLING-6094.1.html | 17 +++++
src/test/resources/SLING-6094.1.output.html | 2 +
src/test/resources/SLING-6094.2.html | 17 +++++
src/test/resources/SLING-6094.2.output.html | 2 +
5 files changed, 107 insertions(+), 19 deletions(-)
diff --git a/src/test/java/org/apache/sling/scripting/sightly/compiler/java/JavaClassBackendCompilerTest.java b/src/test/java/org/apache/sling/scripting/sightly/compiler/java/JavaClassBackendCompilerTest.java
index 83bfac7..3dd3c8c 100644
--- a/src/test/java/org/apache/sling/scripting/sightly/compiler/java/JavaClassBackendCompilerTest.java
+++ b/src/test/java/org/apache/sling/scripting/sightly/compiler/java/JavaClassBackendCompilerTest.java
@@ -18,6 +18,7 @@ package org.apache.sling.scripting.sightly.compiler.java;
 import java.io.PrintWriter;
 import java.io.StringWriter;
+import java.util.HashMap;
 import javax.script.Bindings;
 import javax.script.SimpleBindings;
@@ -32,6 +33,7 @@ import org.apache.sling.scripting.sightly.java.compiler.JavaClassBackendCompiler
 import org.apache.sling.scripting.sightly.java.compiler.RenderUnit;
 import org.apache.sling.scripting.sightly.render.AbstractRuntimeObjectModel;
 import org.apache.sling.scripting.sightly.render.RenderContext;
+import org.apache.sling.scripting.sightly.render.RuntimeObjectModel;
 import org.junit.Test;
 import static junit.framework.TestCase.assertEquals;
@@ -44,50 +46,98 @@ public class JavaClassBackendCompilerTest {
 JavaClassBackendCompiler backendCompiler = new JavaClassBackendCompiler();
 SightlyCompiler sightlyCompiler = new SightlyCompiler();
 sightlyCompiler.compile(compilationUnit, backendCompiler);
- ClassInfo classInfo = new ClassInfo() {
+ ClassInfo classInfo = buildClassInfo("testScript");
+ String source = backendCompiler.build(classInfo);
+ StringWriter writer = new StringWriter();
+ Bindings bindings = new SimpleBindings();
+ RenderContext renderContext = buildRenderContext(bindings);
+ render(writer, classInfo, source, renderContext, new SimpleBindings());
+ String expectedOutput = IOUtils.toString(this.getClass().getResourceAsStream("/test-output.html"), "UTF-8");
+ assertEquals(expectedOutput, writer.toString());
+ }
+
+ @Test
+ public void sling_6094_1() throws Exception {
+ CompilationUnit compilationUnit = TestUtils.readScriptFromClasspath("/SLING-6094.1.html");
+ JavaClassBackendCompiler backendCompiler = new JavaClassBackendCompiler();
+ SightlyCompiler sightlyCompiler = new SightlyCompiler();
+ sightlyCompiler.compile(compilationUnit, backendCompiler);
+ ClassInfo classInfo = buildClassInfo("sling_6094_1");
+ String source = backendCompiler.build(classInfo);
+ StringWriter writer = new StringWriter();
+ Bindings bindings = new SimpleBindings();
+ bindings.put("img", new HashMap<String, Object>(){{
+ put("attributes", new HashMap<String, String>() {{
+ put("v-bind:src", "replaced");
+ }});
+ }});
+ RenderContext renderContext = buildRenderContext(bindings);
+ render(writer, classInfo, source, renderContext, new SimpleBindings());
+ String expectedOutput = IOUtils.toString(this.getClass().getResourceAsStream("/SLING-6094.1.output.html"), "UTF-8");
+ assertEquals(expectedOutput, writer.toString());
+ }
+
+ @Test
+ public void sling_6094_2() throws Exception {
+ CompilationUnit compilationUnit = TestUtils.readScriptFromClasspath("/SLING-6094.2.html");
+ JavaClassBackendCompiler backendCompiler = 
new JavaClassBackendCompiler(); + SightlyCompiler sightlyCompiler = new SightlyCompiler(); + sightlyCompiler.compile(compilationUnit, backendCompiler); + ClassInfo classInfo = buildClassInfo("sling_6094_2"); + String source = backendCompiler.build(classInfo); + StringWriter writer = new StringWriter(); + Bindings bindings = new SimpleBindings(); + RenderContext renderContext = buildRenderContext(bindings); + render(writer, classInfo, source, renderContext, new SimpleBindings()); + String expectedOutput = IOUtils.toString(this.getClass().getResourceAsStream("/SLING-6094.2.output.html"), "UTF-8"); + assertEquals(expectedOutput, writer.toString()); + } + + private ClassInfo buildClassInfo(final String info) { + return new ClassInfo() { @Override public String getSimpleClassName() { - return "Test"; + return "Test_" + info; } @Override public String getPackageName() { - return "org.example.test"; + return "org.apache.sling.scripting.sightly.compiler.java"; } @Override public String getFullyQualifiedClassName() { - return "org.example.test.Test"; + return "org.apache.sling.scripting.sightly.compiler.java.Test_" + info; } }; - String source = backendCompiler.build(classInfo); - ClassLoader classLoader = JavaClassBackendCompilerTest.class.getClassLoader(); - CharSequenceJavaCompiler<RenderUnit> compiler = new CharSequenceJavaCompiler<>(classLoader, null); - Class<RenderUnit> newClass = compiler.compile(classInfo.getFullyQualifiedClassName(), source, new Class<?>[]{}); - RenderUnit renderUnit = newClass.newInstance(); - StringWriter writer = new StringWriter(); - PrintWriter printWriter = new PrintWriter(writer); - RenderContext renderContext = new RenderContext() { + } + + private RenderContext buildRenderContext(final Bindings bindings) { + return new RenderContext() { @Override - public AbstractRuntimeObjectModel getObjectModel() { + public RuntimeObjectModel getObjectModel() { return new AbstractRuntimeObjectModel() {}; } @Override public Bindings getBindings() { - 
return new SimpleBindings(); + return bindings; } @Override public Object call(String functionName, Object... arguments) { - assert arguments.length == 2; - // for this test case only the xss runtime function will be called; return the unfiltered input return arguments[0]; } }; - renderUnit.render(printWriter, renderContext, new SimpleBindings()); - String expectedOutput = IOUtils.toString(this.getClass().getResourceAsStream("/test-output.html"), "UTF-8"); - assertEquals(expectedOutput, writer.toString()); + } + private void render(StringWriter writer, ClassInfo classInfo, String source, RenderContext renderContext, Bindings arguments) throws + Exception { + ClassLoader classLoader = JavaClassBackendCompilerTest.class.getClassLoader(); + CharSequenceJavaCompiler<RenderUnit> compiler = new CharSequenceJavaCompiler<>(classLoader, null); + Class<RenderUnit> newClass = compiler.compile(classInfo.getFullyQualifiedClassName(), source); + RenderUnit renderUnit = newClass.newInstance(); + PrintWriter printWriter = new PrintWriter(writer); + renderUnit.render(printWriter, renderContext, arguments); } } diff --git a/src/test/resources/SLING-6094.1.html b/src/test/resources/SLING-6094.1.html new file mode 100644 index 0000000..e2706e2 --- /dev/null +++ b/src/test/resources/SLING-6094.1.html 
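Review bot: The `call` stub inside `buildRenderContext` still returns `arguments[0]` for every runtime function, but the hunk deletes the comment that explained why (`// for this test case only the xss runtime function will be called; return the unfiltered input`), and the stub is now shared by three tests whose fixtures depend on that pass-through — `SLING-6094.1.output.html` expects `v-bind:src="replaced"` literally, not an XSS-filtered value. That intent belongs on the helper, e.g. a Javadoc on `buildRenderContext` saying the returned context's `call()` is a deliberate pass-through that echoes its first argument so the expected outputs exercise the generated code rather than the XSS runtime. Dropping `assert arguments.length == 2` also leaves a script that triggers a zero-argument runtime call failing with an unexplained `ArrayIndexOutOfBoundsException`; a guard such as `if (arguments.length == 0) { throw new IllegalStateException("unexpected runtime call: " + functionName); }` keeps that failure readable. The head of the `testScript` method this hunk rewrites lies above the hunk.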
@@ -0,0 +1,17 @@
+<!--/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ~ Licensed to the Apache Software Foundation (ASF) under one or more
+ ~ contributor license agreements. See the NOTICE file distributed with
+ ~ this work for additional information regarding copyright ownership.
+ ~ The ASF licenses this file to You under the Apache License, Version 2.0
+ ~ (the "License"); you may not use this file except in compliance with
+ ~ the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/-->
+<img src="" v-bind:src="abc" data-sly-attribute="${img.attributes}" />
diff --git a/src/test/resources/SLING-6094.1.output.html b/src/test/resources/SLING-6094.1.output.html
new file mode 100644
index 0000000..2ce0be5
--- /dev/null
+++ b/src/test/resources/SLING-6094.1.output.html
@@ -0,0 +1,2 @@
+
+<img src="" v-bind:src="replaced"/>
diff --git a/src/test/resources/SLING-6094.2.html b/src/test/resources/SLING-6094.2.html
new file mode 100644
index 0000000..fe07e01
--- /dev/null
+++ b/src/test/resources/SLING-6094.2.html
@@ -0,0 +1,17 @@
+<!--/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ~ Licensed to the Apache Software Foundation (ASF) under one or more
+ ~ contributor license agreements. See the NOTICE file distributed with
+ ~ this work for additional information regarding copyright ownership.
+ ~ The ASF licenses this file to You under the Apache License, Version 2.0
+ ~ (the "License"); you may not use this file except in compliance with
+ ~ the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/-->
+<div data-sly-test.jcr:title="${1>0}">correctly escaped variable</div>
diff --git a/src/test/resources/SLING-6094.2.output.html b/src/test/resources/SLING-6094.2.output.html
new file mode 100644
index 0000000..cad8097
--- /dev/null
+++ b/src/test/resources/SLING-6094.2.output.html
@@ -0,0 +1,2 @@
+
+<div>correctly escaped variable</div>
-- To stop receiving notification emails like this one, please contact "[email protected]" <[email protected]>.
