[ofbiz-framework] branch trunk updated: Fixed: Secure the uploads (OFBIZ-12080)

[jleroux]

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new cf72d42  Fixed: Secure the uploads (OFBIZ-12080)
cf72d42 is described below

commit cf72d425d3029993e3232510a7ee943accc1fbc4
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Sun Feb 27 21:57:38 2022 +0100

    Fixed: Secure the uploads (OFBIZ-12080)
    
    Removes <svg, replaces by onload,build according to
    https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
---
 framework/security/config/security.properties                      | 2 +-
 .../src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java  | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/framework/security/config/security.properties 
b/framework/security/config/security.properties
index 4b52bfd..e827a23 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -258,7 +258,7 @@ allowAllUploads=
 #-- If you are sure you are safe for a token you can remove it, etc.
 
deniedWebShellTokens=java.,beans,freemarker,<script,javascript,<body,<form,<jsp:,<c:out,taglib,<prefix,<%@
 page,<?php,exec(,alert(,\
                      
%eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page
 ,\
-                     chmod,mkdir,fopen,fclose,new 
file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,<svg
 ,\
+                     chmod,mkdir,fopen,fclose,new 
file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,onload,build,\
                      python,perl ,/perl,ruby 
,/ruby,process,function,class,InputStream,to_server,wget ,static,\
                      ifconfig,route,crontab,netstat,uname 
,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost,\
                      ",","+",',','+'
diff --git 
a/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
 
b/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
index 2854bf6..9e5ee7b 100644
--- 
a/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
+++ 
b/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
@@ -61,7 +61,7 @@ public class SecurityUtilTest {
         // Currently used
         // 
java.,beans,freemarker,<script,javascript,<body,<form,<jsp:,<c:out,taglib,<prefix,<%@
 page,<?php,exec(,alert(,\
         // 
%eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page
 ,\
-        // chmod,mkdir,fopen,fclose,new 
file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,<svg
 ,\
+        // chmod,mkdir,fopen,fclose,new 
file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,onload,build\
         // python,perl ,/perl,ruby 
,/ruby,process,function,class,InputStream,to_server,wget ,static,\
         // 
ifconfig,route,crontab,netstat,uname,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost
         // ",","+",',','+'
@@ -112,6 +112,11 @@ public class SecurityUtilTest {
             assertFalse(SecuredUpload.isValidText("download", allowed));
             assertFalse(SecuredUpload.isValidText("getoutputstring", allowed));
             assertFalse(SecuredUpload.isValidText("readfile", allowed));
+            assertFalse(SecuredUpload.isValidText("iframe", allowed));
+            assertFalse(SecuredUpload.isValidText("object", allowed));
+            assertFalse(SecuredUpload.isValidText("embed", allowed));
+            assertFalse(SecuredUpload.isValidText("onload", allowed));
+            assertFalse(SecuredUpload.isValidText("build", allowed));
 
             assertFalse(SecuredUpload.isValidText("python", allowed));
             assertFalse(SecuredUpload.isValidText("perl ", allowed));