This is an automated email from the ASF dual-hosted git repository.
radu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git
The following commit(s) were added to refs/heads/master by this push:
new 89dcfd4 SLING-8775 - java.lang.StackOverflowError in
XSSAPIImpl.getValidHref for long URLs
89dcfd4 is described below
commit 89dcfd4947af0e8b3b84d61b1796e49f82fe73d5
Author: Radu Cotescu <[email protected]>
AuthorDate: Fri Oct 25 16:35:03 2019 +0200
SLING-8775 - java.lang.StackOverflowError in XSSAPIImpl.getValidHref for
long URLs
* added fallback to using the regexes before SLING-7741 in case a
StackOverflowError is encountered
---
.../org/apache/sling/xss/impl/XSSFilterImpl.java | 22 +++++++++++++++++++++-
.../org/apache/sling/xss/impl/XSSAPIImplTest.java | 8 ++++++++
2 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
b/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
index 809084e..931c28a 100644
--- a/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
+++ b/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
@@ -127,6 +127,12 @@ public class XSSFilterImpl implements XSSFilter {
public static final String RELATIVE_REF =
"(?!\\s*javascript(?::|:))" + RELATIVE_PART + "?(?:\\?" + QUERY +
")?(?:#" + FRAGMENT + ")?";
public static final String URI = SCHEME_PATTERN + ":" + HIER_PART +
"(?:\\?" + QUERY + ")?(?:#" + FRAGMENT + ")?";
+ private static final Pattern ON_SITE_SIMPLIFIED =
Pattern.compile("([\\p{L}\\p{N}\\\\\\.\\#@\\$%\\+&;:\\-_~,\\?=/!\\*\\(\\)]*|\\#"
+
+ "(\\w)+)");
+ private static final Pattern OFF_SITE_SIMPLIFIED =
Pattern.compile("(\\s)*((ht|f)tp(s?)://|mailto:)" +
+
"[\\p{L}\\p{N}]+[\\p{L}\\p{N}\\p{Zs}\\.\\#@\\$%\\+&;:\\-_~,\\?=/!\\*\\(\\)]*(\\s)*");
+
+ private static final Pattern[] BACKUP_PATTERNS = new Pattern[]
{ON_SITE_SIMPLIFIED, OFF_SITE_SIMPLIFIED};
// Default href configuration copied from the config.xml supplied with
AntiSamy
static final Attribute DEFAULT_HREF_ATTRIBUTE = new Attribute(
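Review bot: ON_SITE_SIMPLIFIED, added on the second line of this hunk, accepts any run of letters, digits, `:`, `(` and `)`, so unlike RELATIVE_REF just above it carries no `javascript:` exclusion, and the fallback loop in the next hunk (`for (Pattern p : BACKUP_PATTERNS)`) consults it only after the configured expressions have already overflowed the stack on a long, untrusted URL. The fallback is therefore strictly more permissive than the primary check at exactly the point where the input is hostile. Either keep the failure closed (leave `isValid` false and only log) or prefix the pattern with the guard RELATIVE_REF already uses, `Pattern.compile("(?!\\s*javascript(?::|:))([\\p{L}\\p{N}…` with the rest of the class unchanged. BACKUP_PATTERNS should also carry a comment recording the trade-off, e.g. `// Pre-SLING-7741 expressions, used only when the configured regexes overflow the stack; looser than the primary check.`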
@@ -206,7 +212,21 @@ public class XSSFilterImpl implements XSSFilter {
// Same logic as in
org.owasp.validator.html.scan.MagicSAXFilter.startElement()
boolean isValid =
hrefAttribute.containsAllowedValue(url.toLowerCase());
if (!isValid) {
- isValid =
hrefAttribute.matchesAllowedExpression(url.toLowerCase());
+ try {
+ isValid =
hrefAttribute.matchesAllowedExpression(url.toLowerCase());
+ } catch (StackOverflowError e) {
+ logger.warn("Detected a StackOverflowError when validating url
{} with configured regexes. Trying fallback.", url);
+ try {
+ for (Pattern p : BACKUP_PATTERNS) {
+ isValid = p.matcher(url.toLowerCase()).matches();
+ if (isValid) {
+ break;
+ }
+ }
+ } catch (StackOverflowError inner) {
+ logger.error(String.format("Cannot validate url %s.",
url), inner);
+ }
+ }
}
return isValid;
}
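Review bot: The new `logger.warn` in the first catch writes the full untrusted `url` to the log at warn level, and since this branch is reached only for URLs long enough to overflow the stack it emits arbitrarily long caller-supplied strings, query parameters included, per request; logging the length or a bounded prefix is enough to diagnose it, e.g. `logger.warn("Detected a StackOverflowError when validating url of length {} with configured regexes. Trying fallback.", url.length());`. `url.toLowerCase()` is also evaluated three times in this block, counting the existing call above the `if`; hoisting `String lowerUrl = url.toLowerCase();` before the `containsAllowedValue` call keeps the three checks on the same string. If `logger` is SLF4J, `logger.error("Cannot validate url {}.", url, inner);` drops the `String.format` and still attaches the throwable. The enclosing method starts before this hunk.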
diff --git a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
index 5d1737b..6852ea6 100644
--- a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
+++ b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
@@ -207,6 +207,14 @@ public class XSSAPIImplTest {
// Href
Expected Result
//
{
+
"/libs/wcm/core/content/sites/createlaunchwizard.html/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment?create_nested_launch=true&redirect=/sites.html/content/we-retail/language-masters/en/products/equipment#/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment/biking,/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment/hiking/buffalo-plaid-shorts,/content/laun
[...]
+
"/libs/wcm/core/content/sites/createlaunchwizard.html/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment?create_nested_launch=true&redirect=/sites.html/content/we-retail/language-masters/en/products/equipment#/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment/biking,/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment/hiking/buffalo-plaid-shorts,/content/laun
[...]
+ },
+ {
+
"/libs/wcm/core/content/sites/createlaunchwizard.html/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment?create_nested_launch=true&redirect=/sites.html/content/we-retail/language-masters/en/products/equipment#/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment/biking,/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment/hiking/buffalo-plaid-shorts,/content/laun
[...]
+
"/libs/wcm/core/content/sites/createlaunchwizard.html/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment?create_nested_launch=true&redirect=/sites.html/content/we-retail/language-masters/en/products/equipment#/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment/biking,/content/launches/2019/10/11/l3/content/we-retail/language-masters/en/products/equipment/hiking/buffalo-plaid-shorts,/content/laun
[...]
+ },
+ {
"test?discount=25%25",
"test?discount=25%25"
},