This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release24.09
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release24.09 by this push:
new 17d1a38453 Improved: Prevent URL parameters manipulation (OFBIZ-13147)
17d1a38453 is described below
commit 17d1a384530ec743f073d5b49e4520535be791bd
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Sat Nov 9 12:05:34 2024 +0100
Improved: Prevent URL parameters manipulation (OFBIZ-13147)
I finally decided to remove SecurityUtilTest::webShellTokensTesting
It's not present in 18.12 branch
Conflicts handled by hand
---
.../apache/ofbiz/security/SecurityUtilTest.java | 103 ---------------------
1 file changed, 103 deletions(-)
diff --git
a/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
b/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
index 2354a60b0c..04d1671ff0 100644
---
a/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
+++
b/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
@@ -56,107 +56,4 @@ public class SecurityUtilTest {
assertFalse(SecurityUtil.checkMultiLevelAdminPermissionValidity(adminPermissions,
"HOTDEP_PARTYMGR_ADMIN"));
}
- @Test
- public void webShellTokensTesting() {
- /* Currently used
- java.,beans,freemarker,<script,javascript,<body,body
,<form,<jsp:,<c:out,taglib,<prefix,<%@ page,<?php,exec(,alert(,\
-
%eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page
,\
- chmod,mkdir,fopen,fclose,new
file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,onload,build,\
- python,perl ,/perl,ruby
,/ruby,process,function,class,InputStream,to_server,wget
,static,assign,webappPath,\
- ifconfig,route,crontab,netstat,uname
,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost,thread,require,gzdeflate,\
- execute,println,calc,touch,curl,base64,tcp
- */
- try {
- List<String> allowed = new ArrayList<>();
- allowed.add("getfilename");
- assertTrue(SecuredUpload.isValidText("hack.getFileName", allowed));
- allowed = new ArrayList<>();
- assertFalse(SecuredUpload.isValidText("hack.getFileName",
allowed));
-
- assertFalse(SecuredUpload.isValidText("java.", allowed));
- assertFalse(SecuredUpload.isValidText("beans", allowed));
- assertFalse(SecuredUpload.isValidText("freemarker", allowed));
- assertFalse(SecuredUpload.isValidText("<script", allowed));
- assertFalse(SecuredUpload.isValidText("javascript", allowed));
- assertFalse(SecuredUpload.isValidText("<body", allowed));
- assertFalse(SecuredUpload.isValidText("body ", allowed));
- assertFalse(SecuredUpload.isValidText("<form", allowed));
- assertFalse(SecuredUpload.isValidText("<jsp:", allowed));
- assertFalse(SecuredUpload.isValidText("<c:out", allowed));
- assertFalse(SecuredUpload.isValidText("taglib", allowed));
- assertFalse(SecuredUpload.isValidText("<prefix", allowed));
- assertFalse(SecuredUpload.isValidText("<%@ page", allowed));
- assertFalse(SecuredUpload.isValidText("<?php", allowed));
- assertFalse(SecuredUpload.isValidText("exec(", allowed));
-
- assertFalse(SecuredUpload.isValidText("%eval", allowed));
- assertFalse(SecuredUpload.isValidText("@eval", allowed));
- assertFalse(SecuredUpload.isValidText("runtime", allowed));
- assertFalse(SecuredUpload.isValidText("import", allowed));
- assertFalse(SecuredUpload.isValidText("passthru", allowed));
- assertFalse(SecuredUpload.isValidText("shell_exec", allowed));
- assertFalse(SecuredUpload.isValidText("assert", allowed));
- assertFalse(SecuredUpload.isValidText("str_rot13", allowed));
- assertFalse(SecuredUpload.isValidText("system", allowed));
- assertFalse(SecuredUpload.isValidText("decode", allowed));
- assertFalse(SecuredUpload.isValidText("include", allowed));
-
- assertFalse(SecuredUpload.isValidText("chmod", allowed));
- assertFalse(SecuredUpload.isValidText("mkdir", allowed));
- assertFalse(SecuredUpload.isValidText("fopen", allowed));
- assertFalse(SecuredUpload.isValidText("fclose", allowed));
- assertFalse(SecuredUpload.isValidText("new file", allowed));
- assertFalse(SecuredUpload.isValidText("upload", allowed));
- assertFalse(SecuredUpload.isValidText("getfilename", allowed));
- assertFalse(SecuredUpload.isValidText("download", allowed));
- assertFalse(SecuredUpload.isValidText("getoutputstring", allowed));
- assertFalse(SecuredUpload.isValidText("readfile", allowed));
- assertFalse(SecuredUpload.isValidText("iframe", allowed));
- assertFalse(SecuredUpload.isValidText("object", allowed));
- assertFalse(SecuredUpload.isValidText("embed", allowed));
- assertFalse(SecuredUpload.isValidText("onload", allowed));
- assertFalse(SecuredUpload.isValidText("build", allowed));
-
- assertFalse(SecuredUpload.isValidText("python", allowed));
- assertFalse(SecuredUpload.isValidText("perl ", allowed));
- assertFalse(SecuredUpload.isValidText("/perl", allowed));
- assertFalse(SecuredUpload.isValidText("ruby ", allowed));
- assertFalse(SecuredUpload.isValidText("/ruby", allowed));
- assertFalse(SecuredUpload.isValidText("process", allowed));
- assertFalse(SecuredUpload.isValidText("function", allowed));
- assertFalse(SecuredUpload.isValidText("class", allowed));
- assertFalse(SecuredUpload.isValidText("wget ", allowed));
- assertFalse(SecuredUpload.isValidText("static", allowed));
- assertFalse(SecuredUpload.isValidText("assign", allowed));
- assertFalse(SecuredUpload.isValidText("webappPath", allowed));
-
- assertFalse(SecuredUpload.isValidText("ifconfig", allowed));
- assertFalse(SecuredUpload.isValidText("route", allowed));
- assertFalse(SecuredUpload.isValidText("crontab", allowed));
- assertFalse(SecuredUpload.isValidText("netstat", allowed));
- assertFalse(SecuredUpload.isValidText("uname ", allowed));
- assertFalse(SecuredUpload.isValidText("hostname", allowed));
- assertFalse(SecuredUpload.isValidText("iptables", allowed));
- assertFalse(SecuredUpload.isValidText("whoami", allowed));
- // ip, ls, nc, ip, cat and pwd can't be used, too short
- assertFalse(SecuredUpload.isValidText("\"cmd\"", allowed));
- assertFalse(SecuredUpload.isValidText("*cmd|", allowed));
- assertFalse(SecuredUpload.isValidText("+cmd|", allowed));
- assertFalse(SecuredUpload.isValidText("=cmd|", allowed));
- assertFalse(SecuredUpload.isValidText("localhost", allowed));
- assertFalse(SecuredUpload.isValidText("thread", allowed));
- assertFalse(SecuredUpload.isValidText("require", allowed));
- assertFalse(SecuredUpload.isValidText("gzdeflate", allowed));
- assertFalse(SecuredUpload.isValidText("execute", allowed));
- assertFalse(SecuredUpload.isValidText("println", allowed));
- assertFalse(SecuredUpload.isValidText("calc", allowed));
- assertFalse(SecuredUpload.isValidText("touch", allowed));
- assertFalse(SecuredUpload.isValidText("curl", allowed));
- assertFalse(SecuredUpload.isValidText("base64", allowed));
- assertFalse(SecuredUpload.isValidText("tcp", allowed));
- assertFalse(SecuredUpload.isValidText("4444", allowed));
- } catch (IOException e) {
- fail(String.format("IOException occured : %s", e.getMessage()));
- }
- }
}
