[axis-axis2-java-core] 02/02: AXIS2-5992, Admin page, add filtering to HTTP input variables

2020-11-15 Thread robertlazarski
This is an automated email from the ASF dual-hosted git repository.

robertlazarski pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-core.git

commit 98fa23317dbf0247e3d1c33b3f091e94403d
Author: Robert Lazarski 
AuthorDate: Sun Nov 15 09:35:22 2020 -1000

AXIS2-5992, Admin page, add filtering to HTTP input variables
---
 legal/esapi-LICENSE.txt | 28 
 1 file changed, 28 insertions(+)

diff --git a/legal/esapi-LICENSE.txt b/legal/esapi-LICENSE.txt
new file mode 100644
index 000..5d132f9
--- /dev/null
+++ b/legal/esapi-LICENSE.txt
@@ -0,0 +1,28 @@
+Copyright (c) 2013, ESAPI
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without 
modification,
+are permitted provided that the following conditions are met:
+
+  Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+  Redistributions in binary form must reproduce the above copyright notice, 
this
+  list of conditions and the following disclaimer in the documentation and/or
+  other materials provided with the distribution.
+
+  Neither the name of the {organization} nor the names of its
+  contributors may be used to endorse or promote products derived from
+  this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 
FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
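Review bot: the line `Neither the name of the {organization} nor the names of its` still carries the BSD template placeholder rather than a project name. If this file is a verbatim copy of the upstream ESAPI license it should stay exactly as upstream ships it (and say so in the commit message); otherwise the placeholder needs filling in before the file is shipped under legal/.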



[axis-axis2-java-core] branch master updated (06fbea0 -> 98fa233)

2020-11-15 Thread robertlazarski

robertlazarski pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-core.git.


from 06fbea0  fix doc typos in 'creatingclients-xmlbeans'
 new 95870b0  AXIS2-5992, Admin page, add filtering to HTTP input variables
 new 98fa233  AXIS2-5992, Admin page, add filtering to HTTP input variables

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 legal/{jibx-run-LICENSE.txt => esapi-LICENSE.txt}  |   25 +-
 modules/webapp/conf/ESAPI.properties   | 2932 
 modules/webapp/pom.xml |   11 +
 .../java/org/apache/axis2/webapp/AdminActions.java |  310 ++-
 pom.xml|6 +
 5 files changed, 3239 insertions(+), 45 deletions(-)
 copy legal/{jibx-run-LICENSE.txt => esapi-LICENSE.txt} (52%)
 create mode 100644 modules/webapp/conf/ESAPI.properties



[axis-axis2-java-core] 02/02: Revert "AXIS2-5992, Admin page, add filtering to HTTP input variables"

2020-11-15 Thread robertlazarski

robertlazarski pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-core.git

commit 35e7d597f00214fdccbe6b1145b78817e8278981
Author: Robert Lazarski 
AuthorDate: Sun Nov 15 13:02:48 2020 -1000

Revert "AXIS2-5992, Admin page, add filtering to HTTP input variables"

This reverts commit 98fa23317dbf0247e3d1c33b3f091e94403d.
---
 legal/esapi-LICENSE.txt | 28 
 1 file changed, 28 deletions(-)

diff --git a/legal/esapi-LICENSE.txt b/legal/esapi-LICENSE.txt
deleted file mode 100644
index 5d132f9..000
--- a/legal/esapi-LICENSE.txt
+++ /dev/null
@@ -1,28 +0,0 @@
-Copyright (c) 2013, ESAPI
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without 
modification,
-are permitted provided that the following conditions are met:
-
-  Redistributions of source code must retain the above copyright notice, this
-  list of conditions and the following disclaimer.
-
-  Redistributions in binary form must reproduce the above copyright notice, 
this
-  list of conditions and the following disclaimer in the documentation and/or
-  other materials provided with the distribution.
-
-  Neither the name of the {organization} nor the names of its
-  contributors may be used to endorse or promote products derived from
-  this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 
FOR
-ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
-ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-



[axis-axis2-java-core] branch master updated (98fa233 -> 35e7d59)

2020-11-15 Thread robertlazarski

robertlazarski pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-core.git.


from 98fa233  AXIS2-5992, Admin page, add filtering to HTTP input variables
 new aa062fb  Revert "AXIS2-5992, Admin page, add filtering to HTTP input 
variables"
 new 35e7d59  Revert "AXIS2-5992, Admin page, add filtering to HTTP input 
variables"



Summary of changes:
 legal/esapi-LICENSE.txt|   28 -
 modules/webapp/conf/ESAPI.properties   | 2932 
 modules/webapp/pom.xml |   11 -
 .../java/org/apache/axis2/webapp/AdminActions.java |  310 +--
 pom.xml|6 -
 5 files changed, 34 insertions(+), 3253 deletions(-)
 delete mode 100644 legal/esapi-LICENSE.txt
 delete mode 100644 modules/webapp/conf/ESAPI.properties



[axis-axis2-java-core] branch master updated: AXIS2-5992, Admin page, add regex blacklist filtering of bad chars to HTTP input variables and input filename Strings

2020-11-15 Thread robertlazarski

robertlazarski pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-core.git


The following commit(s) were added to refs/heads/master by this push:
 new 1403091  AXIS2-5992, Admin page, add regex blacklist filtering of bad 
chars to HTTP input variables and input filename Strings
1403091 is described below

commit 1403091d4f6f50da58181ecedc60ca3005346a7f
Author: Robert Lazarski 
AuthorDate: Sun Nov 15 18:17:56 2020 -1000

AXIS2-5992, Admin page, add regex blacklist filtering of bad chars to HTTP 
input variables and input filename Strings
---
 .../java/org/apache/axis2/webapp/AdminActions.java | 170 -
 1 file changed, 169 insertions(+), 1 deletion(-)

diff --git 
a/modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java 
b/modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java
index a672178..0a261d7 100644
--- a/modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java
+++ b/modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java
@@ -71,6 +71,8 @@ final class AdminActions {
 private static final String ACTIVATE_SERVICE = "activateService";
 private static final String EDIT_SERVICE_PARAMETERS = 
"editServiceParameters";
 private static final String VIEW_OPERATION_SPECIFIC_CHAINS = 
"viewOperationSpecificChains";
+private static final String HTTP_PARAM_REGEX_INVALID_CHARS = 
"^[a-zA-Z0-9.\\-\\/+=@_,: ]*$";
+private static final String FILENAME_REGEX_INVALID_CHARS = 
"^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$";
 
 /**
  * Field LIST_MULTIPLE_SERVICE_JSP_NAME
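Review bot: both constants are named `*_INVALID_CHARS`, but each pattern is anchored with `^...$` and enumerates the characters a value is allowed to contain, so `String.matches()` returns true for clean input and false for input holding any character outside the class. Every caller in the following hunks treats a match as the rejection condition, which inverts the filter: well-formed values are refused and values containing an unlisted character pass through. Either rename the constants to `*_VALID_CHARS` and negate each call (`!value.matches(...)`), or rewrite the patterns to match the forbidden characters as the names and the commit subject ("regex blacklist") describe. Minor: `\\/` inside a Java character class is an unnecessary escape; `/` is fine on its own.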
@@ -120,7 +122,12 @@ final class AdminActions {
 if (req.getSession(false) != null) {
 return new Redirect(LOGOUT);
 } else {
-if ("true".equals(req.getParameter("failed"))) {
+String failed = req.getParameter("failed");
+if (failed.matches(HTTP_PARAM_REGEX_INVALID_CHARS)) {
+log.error("welcome() received invalid 'failed' param, 
redirecting to: " + LOGOUT);
+return new Redirect(LOGOUT);
+}
+if ("true".equals(failed)) {
 req.setAttribute("errorMessage", "Invalid auth credentials!");
 }
 return new View(LOGIN_JSP_NAME);
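Review bot: `failed.matches(...)` dereferences the parameter without a null check, and `req.getParameter("failed")` returns null whenever the parameter is absent, which is the ordinary first visit to the login page; the replaced `"true".equals(req.getParameter("failed"))` was null-safe. Guard it, for example `if (failed != null && !failed.matches(HTTP_PARAM_REGEX_INVALID_CHARS))`. As written the sense is also backwards: `"true"` consists only of characters inside the class, so it matches and the request is redirected to LOGOUT before `"true".equals(failed)` can ever set `errorMessage`.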
@@ -175,6 +182,10 @@ final class AdminActions {
 .length());
 }
 
+if 
(fileNameOnly.matches(FILENAME_REGEX_INVALID_CHARS) || fileNameOnly.length() > 
100) {
+log.error("doUpload() received invalid 
filename, redirecting to: " + WELCOME);
+return new Redirect(UPLOAD).withStatus(false, 
"Received invalid filename");
+}
 File uploadedFile = new File(serviceDir, 
fileNameOnly);
 item.write(uploadedFile);
 return new Redirect(UPLOAD).withStatus(true, "File 
" + fileNameOnly + " successfully uploaded");
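Review bot: the validity test is inverted and the two length bounds disagree. A well-formed name such as `service.aar` matches `FILENAME_REGEX_INVALID_CHARS` and is refused, so the condition should read `!fileNameOnly.matches(...)`; and since the pattern already bounds the name to `{1,255}`, the extra `fileNameOnly.length() > 100` makes the effective cap 100 through a second path. Keep one bound and put it in one place. The log line says `redirecting to: ` + WELCOME while the method returns `new Redirect(UPLOAD)`; make the message name the real target so the audit trail is accurate.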
@@ -200,6 +211,16 @@ final class AdminActions {
 String username = req.getParameter("userName");
 String password = req.getParameter("password");
 
+if (username.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || 
username.length() > 100) {
+log.error("login() received invalid 'username' param, redirecting 
to: " + WELCOME);
+return new Redirect(WELCOME).withParameter("failed", "true");
+}
+
+if (password.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || 
password.length() > 100) {
+log.error("login() received invalid 'password' param, redirecting 
to: " + WELCOME);
+return new Redirect(WELCOME).withParameter("failed", "true");
+}
+
 if ((username == null) || (password == null) || 
username.trim().length() == 0
 || password.trim().length() == 0) {
 return new Redirect(WELCOME).withParameter("failed", "true");
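Review bot: the two new blocks run before the existing `(username == null) || (password == null)` test, so a login POST that omits either parameter now throws a NullPointerException on `username.matches(...)` instead of redirecting with `failed=true` as before. Move the regex checks below the null/empty test, or guard them with `!= null`. The condition is inverted here as well (`matches` against an anchored allowed-character class is true for clean credentials, so valid logins are rejected); negate it. The log messages omit the submitted values, which is the right choice for the password branch; preserve that when the logic is fixed.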
@@ -221,6 +242,11 @@ final class AdminActions {
 @Action(name=EDIT_SERVICE_PARAMETERS)
 public View editServiceParameters(HttpServletRequest req) throws AxisFault 
{
 String serviceName = req.getParameter("axisService");
+if (serviceName.matches(HTTP_PARAM_REGEX_INVALID_CHARS) || 
serviceName.length() > 100) {
+log.error("editServiceParameters() received invalid 'serviceName' 
param, redirecting to: editServiceParameters.jsp");
+req.setAttribute("status", "invalid serviceName");
+return new View("editServiceParameters.jsp");
+}
 AxisService service =
 
configContext.getAxisConfiguration().getServiceForActivation(serviceName);
 if (service.isActive()) {
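Review bot: `serviceName` comes straight from `req.getParameter("axisService")` and can be null, so `serviceName.matches(...)` throws before the lookup; check for null first and treat it the same way as an invalid name. The match is inverted like the others (`!serviceName.matches(...)` is the intended rejection condition). Unrelated to this hunk but adjacent to it: `getServiceForActivation(serviceName)` can return null for an unknown name, and the following `service.isActive()` has no guard, so the new validation does not remove that failure path.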
@@ -261,10 +287,18 @@ final class AdminActions {
 @Action(name="updateServiceParameters", post=true)