This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 50770bb1cf Improved: Prevent URL parameters manipulation (OFBIZ-13147)
50770bb1cf is described below
commit 50770bb1cf21a0f63d03121bf7a54519ddea31fc
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Sat Nov 9 12:05:34 2024 +0100
Improved: Prevent URL parameters manipulation (OFBIZ-13147)
I finally decided to remove SecurityUtilTest::webShellTokensTesting
---
.../apache/ofbiz/security/SecurityUtilTest.java | 103 ---------------------
1 file changed, 103 deletions(-)
diff --git
a/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
b/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
index 8a28162f8b..2dae4f7b88 100644
---
a/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
+++
b/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
@@ -53,107 +53,4 @@ public class SecurityUtilTest {
assertFalse(SecurityUtil.checkMultiLevelAdminPermissionValidity(adminPermissions,
"HOTDEP_PARTYMGR_ADMIN"));
}
-// @Test
-// public void webShellTokensTesting() {
-// /* Currently used
-// java.,beans,freemarker,<script,javascript,<body,body
,<form,<jsp:,<c:out,taglib,<prefix,<%@ page,<?php,exec(,alert(,\
-//
%eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page
,\
-// chmod,mkdir,fopen,fclose,new
file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,onload,build,\
-// python,perl ,/perl,ruby
,/ruby,process,function,class,InputStream,to_server,wget
,static,assign,webappPath,\
-// ifconfig,route,crontab,netstat,uname
,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost,thread,require,gzdeflate,\
-// execute,println,calc,touch,curl,base64,tcp,4444
-// */
-// try {
-// List<String> allowed = new ArrayList<>();
-// allowed.add("getfilename");
-// assertTrue(SecuredUpload.isValidText("hack.getFileName",
allowed));
-// allowed = new ArrayList<>();
-// assertFalse(SecuredUpload.isValidText("hack.getFileName",
allowed));
-//
-// assertFalse(SecuredUpload.isValidText("java.", allowed));
-// assertFalse(SecuredUpload.isValidText("beans", allowed));
-// assertFalse(SecuredUpload.isValidText("freemarker", allowed));
-// assertFalse(SecuredUpload.isValidText("<script", allowed));
-// assertFalse(SecuredUpload.isValidText("javascript", allowed));
-// assertFalse(SecuredUpload.isValidText("<body", allowed));
-// assertFalse(SecuredUpload.isValidText("body ", allowed));
-// assertFalse(SecuredUpload.isValidText("<form", allowed));
-// assertFalse(SecuredUpload.isValidText("<jsp:", allowed));
-// assertFalse(SecuredUpload.isValidText("<c:out", allowed));
-// assertFalse(SecuredUpload.isValidText("taglib", allowed));
-// assertFalse(SecuredUpload.isValidText("<prefix", allowed));
-// assertFalse(SecuredUpload.isValidText("<%@ page", allowed));
-// assertFalse(SecuredUpload.isValidText("<?php", allowed));
-// assertFalse(SecuredUpload.isValidText("exec(", allowed));
-//
-// assertFalse(SecuredUpload.isValidText("%eval", allowed));
-// assertFalse(SecuredUpload.isValidText("@eval", allowed));
-// assertFalse(SecuredUpload.isValidText("runtime", allowed));
-// assertFalse(SecuredUpload.isValidText("import", allowed));
-// assertFalse(SecuredUpload.isValidText("passthru", allowed));
-// assertFalse(SecuredUpload.isValidText("shell_exec", allowed));
-// assertFalse(SecuredUpload.isValidText("assert", allowed));
-// assertFalse(SecuredUpload.isValidText("str_rot13", allowed));
-// assertFalse(SecuredUpload.isValidText("system", allowed));
-// assertFalse(SecuredUpload.isValidText("decode", allowed));
-// assertFalse(SecuredUpload.isValidText("include", allowed));
-//
-// assertFalse(SecuredUpload.isValidText("chmod", allowed));
-// assertFalse(SecuredUpload.isValidText("mkdir", allowed));
-// assertFalse(SecuredUpload.isValidText("fopen", allowed));
-// assertFalse(SecuredUpload.isValidText("fclose", allowed));
-// assertFalse(SecuredUpload.isValidText("new file", allowed));
-// assertFalse(SecuredUpload.isValidText("upload", allowed));
-// assertFalse(SecuredUpload.isValidText("getfilename", allowed));
-// assertFalse(SecuredUpload.isValidText("download", allowed));
-// assertFalse(SecuredUpload.isValidText("getoutputstring",
allowed));
-// assertFalse(SecuredUpload.isValidText("readfile", allowed));
-// assertFalse(SecuredUpload.isValidText("iframe", allowed));
-// assertFalse(SecuredUpload.isValidText("object", allowed));
-// assertFalse(SecuredUpload.isValidText("embed", allowed));
-// assertFalse(SecuredUpload.isValidText("onload", allowed));
-// assertFalse(SecuredUpload.isValidText("build", allowed));
-//
-// assertFalse(SecuredUpload.isValidText("python", allowed));
-// assertFalse(SecuredUpload.isValidText("perl ", allowed));
-// assertFalse(SecuredUpload.isValidText("/perl", allowed));
-// assertFalse(SecuredUpload.isValidText("ruby ", allowed));
-// assertFalse(SecuredUpload.isValidText("/ruby", allowed));
-// assertFalse(SecuredUpload.isValidText("process", allowed));
-// assertFalse(SecuredUpload.isValidText("function", allowed));
-// assertFalse(SecuredUpload.isValidText("class", allowed));
-// assertFalse(SecuredUpload.isValidText("wget ", allowed));
-// assertFalse(SecuredUpload.isValidText("static", allowed));
-// assertFalse(SecuredUpload.isValidText("assign", allowed));
-// assertFalse(SecuredUpload.isValidText("webappPath", allowed));
-//
-// assertFalse(SecuredUpload.isValidText("ifconfig", allowed));
-// assertFalse(SecuredUpload.isValidText("route", allowed));
-// assertFalse(SecuredUpload.isValidText("crontab", allowed));
-// assertFalse(SecuredUpload.isValidText("netstat", allowed));
-// assertFalse(SecuredUpload.isValidText("uname ", allowed));
-// assertFalse(SecuredUpload.isValidText("hostname", allowed));
-// assertFalse(SecuredUpload.isValidText("iptables", allowed));
-// assertFalse(SecuredUpload.isValidText("whoami", allowed));
-// // ip, ls, nc, ip, cat and pwd can't be used, too short for
allowing some images
-// assertFalse(SecuredUpload.isValidText("\"cmd\"", allowed));
-// assertFalse(SecuredUpload.isValidText("*cmd|", allowed));
-// assertFalse(SecuredUpload.isValidText("+cmd|", allowed));
-// assertFalse(SecuredUpload.isValidText("=cmd|", allowed));
-// assertFalse(SecuredUpload.isValidText("localhost", allowed));
-// assertFalse(SecuredUpload.isValidText("thread", allowed));
-// assertFalse(SecuredUpload.isValidText("require", allowed));
-// assertFalse(SecuredUpload.isValidText("gzdeflate", allowed));
-// assertFalse(SecuredUpload.isValidText("execute", allowed));
-// assertFalse(SecuredUpload.isValidText("println", allowed));
-// assertFalse(SecuredUpload.isValidText("calc", allowed));
-// assertFalse(SecuredUpload.isValidText("touch", allowed));
-// assertFalse(SecuredUpload.isValidText("curl", allowed));
-// assertFalse(SecuredUpload.isValidText("base64", allowed));
-// assertFalse(SecuredUpload.isValidText("tcp", allowed));
-// assertFalse(SecuredUpload.isValidText("4444", allowed));
-// } catch (IOException e) {
-// fail(String.format("IOException occured : %s", e.getMessage()));
-// }
-// }
}
