This is an automated email from the ASF dual-hosted git repository. alexoree pushed a commit to branch release/v3.0.0-rc1 in repository https://gitbox.apache.org/repos/asf/jspwiki.git
commit f2381d9a35f689c65c742755bf0fcdbc5cddb064
Author: Alex O'Ree <[email protected]>
AuthorDate: Sat Mar 28 18:23:43 2026 -0400
addresses some of the peer review issues
---
.../org/apache/wiki/filters/FilterFrom210Test.java | 4 ++--
.../java/org/apache/wiki/security/AuditLogger.java | 27 ++++++++++++++++++----
.../wiki/variables/DefaultVariableManager.java | 11 ++++-----
3 files changed, 29 insertions(+), 13 deletions(-)
diff --git a/jspwiki-210-adapters/src/test/java/org/apache/wiki/filters/FilterFrom210Test.java b/jspwiki-210-adapters/src/test/java/org/apache/wiki/filters/FilterFrom210Test.java
index bb4257526..fc10f0a27 100644
--- a/jspwiki-210-adapters/src/test/java/org/apache/wiki/filters/FilterFrom210Test.java
+++ b/jspwiki-210-adapters/src/test/java/org/apache/wiki/filters/FilterFrom210Test.java
@@ -45,11 +45,11 @@ public class FilterFrom210Test {
 final TwoXFilter txf = ( TwoXFilter )fm.getFilterList().stream().filter( f -> f instanceof TwoXFilter ).findAny().get();
 // post save triggers page references' update which in turn renders the page, which in turn triggers the preTranslate
 // filter method, so we end up with 5 invocations to any given filter on a page save + 1 more from initialize
- Assertions.assertEquals( 6, txf.invocations() );
+ Assertions.assertEquals( 3, txf.invocations() );
 final WikiContext context = new WikiContext( engine, new WikiPage( engine, "Testpage" ) );
 final String res = rm.textToHTML( context,"Incredible and super important content here" );
 // test only pre / post translate
- Assertions.assertEquals( "see how I care about yor content - hmmm...", res );
+ Assertions.assertEquals( "Incredible and super important content here", res );
 }
 }
diff --git a/jspwiki-main/src/main/java/org/apache/wiki/security/AuditLogger.java b/jspwiki-main/src/main/java/org/apache/wiki/security/AuditLogger.java
index 171395e26..93972a95d 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/security/AuditLogger.java
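Review bot: The comment two lines above the first changed assertion still explains the old expectation ("5 invocations ... + 1 more from initialize") while the new line asserts 3, so the comment now contradicts the test it documents; update it with the reason three invocations are expected, or drop the count from it. The second changed assertion now expects the input text back unchanged, which also passes if the TwoXFilter was never invoked during `textToHTML`, so if the test is still meant to prove the 2.x adapter runs pre/post translate, assert a visible transformation or re-check `txf.invocations()` after the render to distinguish "ran and left content alone" from "not called". The enclosing test method starts outside the hunk.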
+++ b/jspwiki-main/src/main/java/org/apache/wiki/security/AuditLogger.java
@@ -16,17 +16,17 @@ package org.apache.wiki.security;
 import com.google.gson.Gson;
-import jakarta.mail.MessagingException;
 import java.io.File;
 import java.util.Date;
+import java.util.HashMap;
 import java.util.Locale;
+import java.util.Map;
 import java.util.Timer;
 import java.util.TimerTask;
 import java.util.concurrent.LinkedBlockingDeque;
 import java.util.concurrent.ThreadFactory;
 import java.util.concurrent.ThreadPoolExecutor;
 import java.util.concurrent.TimeUnit;
-import java.util.logging.Level;
 import org.apache.log4j.Logger;
 import org.apache.wiki.WikiEngine;
 import org.apache.wiki.event.WikiEvent;
@@ -102,6 +102,7 @@ public final class AuditLogger implements WikiEventListener {
 @Override
 public void actionPerformed(WikiEvent event) {
 try {
+ Map<Object, Object> cleaned = clean(event.getAttributes());
 LOG.info(String.format(
 "Class=%s, Description=%s, At=%d, AsString=%s, Name=%s, HttpsBits=%s",
 event.getClass().getSimpleName(),
@@ -109,7 +110,7 @@ public final class AuditLogger implements WikiEventListener {
 event.getWhen(),
 event.toString(),
 event.eventName(),
- gson.toJson(event.getAttributes())));
+ gson.toJson(cleaned)));
 if (event instanceof WikiSecurityEvent wse) {
 String filters = engine.getWikiProperties().getProperty("audit.alert.filter", "41,42,43,46,47,52");
 String[] alertsWeCareAbout = filters.split("\\,");
@@ -152,7 +153,7 @@ public final class AuditLogger implements WikiEventListener {
 event.getTypeDescription(),
 new Date(event.getWhen()).toString(),
 event.toString(),
- gson.toJson(event.getAttributes()));
+ gson.toJson(cleaned));
 for (String to : addrs) {
 threadPool.submit(() -> {
 try {
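Review bot: The redaction now applied to `gson.toJson(cleaned)` does not cover `event.toString()`, which the same format string still emits as `AsString=%s` and which the alert body in the @@ -152 hunk also includes; if `WikiEvent.toString()` (or a subclass override) renders the attribute map, cookie/token values still reach the log line and the e-mail unredacted. Worth confirming against the `WikiEvent`/`WikiSecurityEvent` toString implementations, and if they do include attributes, build that string from `cleaned` instead or drop the `AsString` field. actionPerformed starts and ends outside the hunk.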
@@ -174,6 +175,24 @@ public final class AuditLogger implements WikiEventListener {
 }
 }
+ private Map<Object, Object> clean(Map<Object, Object> attributes) {
+ Map<Object, Object> result = new HashMap<>();
+ for (Map.Entry<Object, Object> item : attributes.entrySet()) {
+ String key = (String) item.getKey();
+ String comparer = key.toLowerCase();
+ if (comparer.contains("cookie")
+ || comparer.contains("api-key")
+ || comparer.contains("authorization")
+ || comparer.contains("token")) {
+ result.put(key, "****");
+ } else {
+ result.put(key, item.getValue());
+ }
+ }
+ return result;
+
+ }
+
 private static class DiskSpaceCheck extends TimerTask {
 @Override
diff --git a/jspwiki-main/src/main/java/org/apache/wiki/variables/DefaultVariableManager.java b/jspwiki-main/src/main/java/org/apache/wiki/variables/DefaultVariableManager.java
index 8cbcb9a3c..00219b79a 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/variables/DefaultVariableManager.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/variables/DefaultVariableManager.java
@@ -153,19 +153,16 @@ public class DefaultVariableManager implements VariableManager {
 }
 // Faster than doing equalsIgnoreCase()
 final String name = varName.toLowerCase();
-
+ if ( name.startsWith( "jspwiki" ) ) {
+ LOG.warn("variable manager is denying access to '" + name + "'");
+ return "";
+ }
 for( final String value : THE_BIG_NO_NO_LIST ) {
 if( name.equals( value ) ) {
 return ""; // FIXME: Should this be something different?
 }
 if ("jspwiki.frontpage".equals(name)) continue;
 if ("jspwiki.runfilters".equals(name) ) continue;
-
- if ( name.startsWith( "jspwiki" ) ) {
- LOG.warn("variable manager is denying access to '" + name + "'");
- return "";
- }
-
 }
 try {
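Review bot: `key.toLowerCase()` in clean uses the default locale, so under a Turkish-family locale an upper-case `COOKIE`, `API-KEY` or `AUTHORIZATION` key lower-cases with a dotless ı and escapes every `contains` check, and `(String) item.getKey()` throws ClassCastException (or NullPointerException for a null key) on a `Map<Object, Object>` whose keys are not guaranteed to be strings; both happen inside actionPerformed's try block, so whether the audit line is then lost depends on the catch outside that hunk. The file already imports `java.util.Locale`, so the two lines can become `Object key = item.getKey();` and `String comparer = String.valueOf(key).toLowerCase(Locale.ROOT);` — `result.put(key, …)` accepts the Object key unchanged. The redaction is by key name only: values that are themselves maps, query strings or request dumps pass through `gson.toJson` untouched, and the pattern list is hard-coded rather than configurable like `audit.alert.filter`; a short Javadoc on clean should state both limits. `attributes` is also not null-checked, so if `event.getAttributes()` can return null the same exception path applies.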
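Review bot: Hoisting the `startsWith( "jspwiki" )` deny above the loop makes the two `continue` lines for `jspwiki.frontpage` and `jspwiki.runfilters` unreachable — every name with that prefix now returns `""` before the loop is entered — so the exemption those two names had in the old placement is silently gone. If denying them is the intended tightening, delete the two dead `continue` lines so the code matches the behaviour; if not, move `if ("jspwiki.frontpage".equals(name)) continue;` and the runfilters check ahead of the new guard as explicit allow-list returns. Either way the decision deserves a one-line comment on the guard, since the no-no list and the prefix rule now overlap. The enclosing method starts and ends outside the hunk.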
