Merge pull request #11 from whitesource/BS/Feat/Log_crlf_arrays
Implemented sanitizers for arrays and collections of logs and crlf ob…
BenShmuely authored Aug 30, 2021
2 parents b51e568 + ea74898 commit b11d201
Showing 3 changed files with 110 additions and 26 deletions.
6 changes: 3 additions & 3 deletions pom.xml
Expand Up @@ -6,7 +6,7 @@

<groupId>io.whitesource</groupId>
<artifactId>curekit</artifactId>
<version>1.1.0</version>
<version>1.1.1</version>

<name>curekit</name>
<description>A repository containing code security remediation solutions used by WhiteSource Cure</description>
Expand Down Expand Up @@ -111,7 +111,7 @@
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<configuration>
<javadocExecutable>${java.home}/bin/javadoc</javadocExecutable>
<javadocExecutable>${java.home}/../bin/javadoc</javadocExecutable>
</configuration>
<version>${maven.javadoc.version}</version>
<executions>
Expand Down Expand Up @@ -196,7 +196,7 @@
<jdk>8</jdk>
</activation>
<properties>
<javadocExecutable>${java.home}/bin/javadoc</javadocExecutable>
<javadocExecutable>${java.home}/../bin/javadoc</javadocExecutable>
</properties>
</profile>
</profiles>
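Review bot: The `${java.home}/../bin/javadoc` value in the plugin configuration (hunk at -111) is applied unconditionally, whereas the identical value in the second hunk sits inside a profile guarded by `<jdk>8</jdk>`; on JDK 9+ `java.home` is the JDK root itself, so `../bin/javadoc` resolves outside the installation and the javadoc goal will not find the executable there. I cannot see from the hunk whether the -111 configuration is itself inside a profile, but if it is the general build configuration it should stay at `${java.home}/bin/javadoc` (or reference the `javadocExecutable` property the jdk-8 profile already sets) so the JDK 8 special case is applied only where the profile activates.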
108 changes: 87 additions & 21 deletions src/main/java/io/whitesource/cure/Encoder.java
@@ -1,7 +1,8 @@
package io.whitesource.cure;

import java.util.ArrayList;
import java.util.List;
import java.util.*;
import java.util.stream.Collectors;

import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.SystemUtils;
import org.owasp.encoder.Encode;
Expand All @@ -18,7 +19,7 @@ public class Encoder {
* @param param An argument or part of an argument for the operating systems command.
* @return Encoded parameter.
*/
public static String forOsCommand(final String param) {
public static String forOsCommand(Object param) {
if (param == null) {
return null;
}
Expand All @@ -33,12 +34,12 @@ public static String forOsCommand(final String param) {
* @param charsToIgnore Array of characters to not encode.
* @return Encoded parameter.
*/
public static String forOsCommand(final String param, char[] charsToIgnore) {
public static String forOsCommand(Object param, char[] charsToIgnore) {
if (param == null) {
return null;
}
StringBuilder sb = new StringBuilder();
for (char c : param.toCharArray()) {
for (char c : formatToString(param).toCharArray()) {
sb.append(encodeCharacterForOsCommand(c, charsToIgnore));
}
return sb.toString();
Expand All @@ -50,7 +51,7 @@ public static String forOsCommand(final String param, char[] charsToIgnore) {
* @param contents arrays {@link Object} contains all the contents.
* @return encoded log content.
*/
public static String[] forLogContent(final Object[] contents) {
public static String[] forLogContent(Object[] contents) {
if (contents == null) {
return null;
}
Expand All @@ -68,40 +69,105 @@ public static String[] forLogContent(final Object[] contents) {
* @param content {@link Object} contains the content.
* @return encoded log content.
*/
public static String forLogContent(final Object content) {
public static String forLogContent(Object content) {
if (content == null) {
return null;
}
return content
.toString()
return formatToString(content)
.replaceAll("[\n|\r|\t]", "_")
.replaceAll("<", "&lt")
.replaceAll(">", "&gt");
}

/**
* Encoding content for logs.
*
* @param contents arrays {@link Object} contains all the contents.
* @return encoded log content.
*/
public static <T extends Collection<String>> T forLogContent(Collection<?> contents) {
if (contents == null) {
return null;
}
Collection<String> results = new HashSet<>();

for (Object content : contents) {
results.add(forLogContent(content));
}
if (contents instanceof Set) {
return (T) new HashSet<>(results);
} else if (contents instanceof List) {
return (T) new ArrayList<>(results);
}

return (T) results;
}

/**
* Encoding content to prevent crlf injection by deleting new line commands.
*
* @param content contains the content to be sanitized.
* @return encoded Html content.
*/
public static String forCrlf(final String content) {
public static String forCrlf(Object content) {
if (content == null) {
return null;
}
return StringUtils.replaceEach(
content.toString(),
formatToString(content),
new String[] {"\n", "\\n", "\r", "\\r", "%0d", "%0D", "%0a", "%0A", "\025"},
new String[] {"", "", "", "", "", "", "", "", ""});
}

/**
* Encoding content to prevent crlf injection by deleting new line commands.
*
* @param contents contains the content to be sanitized.
* @return encoded Html content.
*/
public static String[] forCrlf(Object[] contents) {
if (contents == null) {
return null;
}
List<String> results = new ArrayList<>();

for (Object content : contents) {
results.add(forCrlf(content));
}
return results.toArray(new String[results.size()]);
}

/**
* Encoding content to prevent crlf injection by deleting new line commands.
*
* @param contents contains the content to be sanitized.
* @return encoded Html content.
*/
public static <T extends Collection<String>> T forCrlf(Collection<?> contents) {
if (contents == null) {
return null;
}
Collection<String> results = new HashSet<>();

for (Object content : contents) {
results.add(forCrlf(content));
}
if (contents instanceof Set) {
return (T) new HashSet<>(results);
} else if (contents instanceof List) {
return (T) new ArrayList<>(results);
}

return (T) results;
}

/**
* This method encodes for JavaScript strings contained within HTML script blocks.
*
* @param content {@link Object} contains the content.
* @return encoded JavaScript block.
*/
public static String forJavaScriptBlockXss(final Object content) {
public static String forJavaScriptBlockXss(Object content) {
if (content == null) {
return null;
}
Expand All @@ -115,7 +181,7 @@ public static String forJavaScriptBlockXss(final Object content) {
* @param content {@link Object} contains the content.
* @return encoded Html content.
*/
public static String forHtmlContentXss(final Object content) {
public static String forHtmlContentXss(Object content) {
if (content == null) {
return null;
}
Expand All @@ -128,7 +194,7 @@ public static String forHtmlContentXss(final Object content) {
* @param content {@link Object} contains the content.
* @return encoded Html Attribute.
*/
public static String forHtmlAttributeXss(final Object content) {
public static String forHtmlAttributeXss(Object content) {
if (content == null) {
return null;
}
Expand All @@ -148,7 +214,7 @@ public static String forHtmlAttributeXss(final Object content) {
* @param content {@link Object} contains the content.
* @return encoded JavaScript string.
*/
public static String forJavaScriptXss(final Object content) {
public static String forJavaScriptXss(Object content) {
if (content == null) {
return null;
}
Expand All @@ -162,7 +228,7 @@ public static String forJavaScriptXss(final Object content) {
* @param content {@link Object} contains the content.
* @return encoded CSS String.
*/
public static String forCssStringXss(final Object content) {
public static String forCssStringXss(Object content) {
if (content == null) {
return null;
}
Expand All @@ -177,7 +243,7 @@ public static String forCssStringXss(final Object content) {
* @param content {@link Object} contains the content.
* @return encoded Uri component.
*/
public static String forUriComponentXss(final Object content) {
public static String forUriComponentXss(Object content) {
if (content == null) {
return null;
}
Expand All @@ -193,7 +259,7 @@ public static String forUriComponentXss(final Object content) {
* @param content {@link Object} contains the content.
* @return encoded CSS url.
*/
public static String forCssUrlXss(final Object content) {
public static String forCssUrlXss(Object content) {
if (content == null) {
return null;
}
Expand All @@ -213,7 +279,7 @@ public static String forCssUrlXss(final Object content) {
* @param content {@link Object} contains the content.
* @return encoded Html unquoted Attribute.
*/
public static String forHtmlUnquotedAttributeXss(final Object content) {
public static String forHtmlUnquotedAttributeXss(Object content) {
if (content == null) {
return null;
}
Expand All @@ -229,7 +295,7 @@ public static String forHtmlUnquotedAttributeXss(final Object content) {
* @param content {@link Object} contains the content.
* @return encoded JavaScript attribute.
*/
public static String forJavaScriptAttributeXss(final String content) {
public static String forJavaScriptAttributeXss(String content) {
if (content == null) {
return null;
}
Expand Down Expand Up @@ -262,7 +328,7 @@ private static String formatToString(Object content) {
} else if (content instanceof String) {
return (String) content;
} else {
throw new RuntimeException("Unsupported content type, only String and char[] are accepted");
return content.toString();
}
}
}
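Review bot: In the new forLogContent(Collection<?>) and forCrlf(Collection<?>) the results are accumulated in a `new HashSet<>()` and only afterwards copied into an ArrayList for List inputs, so a List caller silently loses duplicate elements and their ordering; the @Disabled collection test in EncoderTest looks like a symptom of this. Choose the accumulator from the input type instead, e.g. `Collection<String> results = contents instanceof Set ? new LinkedHashSet<>() : new ArrayList<>();`, and return it directly; the rewrite below applies to both methods. The `(T)` casts are unchecked and T is inferred at the call site, so `Set<String> s = Encoder.forLogContent(someList)` compiles and fails only at runtime with a ClassCastException — returning `Collection<String>` (or separate List/Set overloads) would be safer, and the javadoc should at least state which collection kind comes back. Separately, widening forLogContent and forCrlf from String to Object while adding Object[] and Collection overloads makes a bare `null` argument ambiguous at compile time (the test had to cast to `(Object) null`), which is a source-incompatible change for existing callers and worth a note in the release notes.
```java
public static <T extends Collection<String>> T forLogContent(Collection<?> contents) {
    if (contents == null) {
        return null;
    }
    // Mirror the input: set semantics only for Set inputs; lists keep order and duplicates.
    Collection<String> results = contents instanceof Set ? new LinkedHashSet<>() : new ArrayList<>();
    for (Object content : contents) {
        results.add(forLogContent(content));
    }
    @SuppressWarnings("unchecked") // T must match the kind built above; documented in the javadoc
    T typed = (T) results;
    return typed;
}
// … forCrlf(Collection<?>) gets the same accumulator change, calling forCrlf(content) per element …
```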
22 changes: 20 additions & 2 deletions src/test/java/io/whitesource/cure/EncoderTest.java
Expand Up @@ -7,6 +7,8 @@
import org.junit.jupiter.api.Disabled;
import org.junit.jupiter.api.Test;

import java.util.*;

class EncoderTest {

@Test
Expand Down Expand Up @@ -39,7 +41,8 @@ void forCrlf_htmlContent_successfullyWithResult() {

@Test
void forCrlf_null_successfully() {
Assertions.assertNull(forCrlf(null));
String input = null;
Assertions.assertNull(forCrlf(input));
}

@Test
Expand All @@ -64,6 +67,21 @@ void forLogContent_threeElementArray_successfullyWithResult() {
Assertions.assertArrayEquals(expectedEncodedArray, actualEncodedArray);
}

@Test
@Disabled
void forLogContent_collection_successfullyWithResult() {

List<String> results = new ArrayList<>();

results.add("I\n\r\t");
results.add("am>");

String[] expectedEncodedArray = new String[] {"I___", "am&gt", "Barbi&lt"};

List<String> actualEncodedArray = Encoder.forLogContent(results);
Assertions.assertEquals(actualEncodedArray.iterator().next(), Arrays.stream(expectedEncodedArray).iterator().next());
}

@Test
void forLogContent_fullEncodingCapabilities_successfullyWithResult() {

Expand All @@ -77,7 +95,7 @@ void forLogContent_fullEncodingCapabilities_successfullyWithResult() {
@Test
void forLogContent_null_successfully() {

Assertions.assertNull(forLogContent(null));
Assertions.assertNull(forLogContent((Object) null));
}

@Test
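Review bot: The new forLogContent_collection test is @Disabled and as written cannot pass: the expected array carries a third element `"Barbi&lt"` with no matching input, and the assertion compares only the first element of each side, which depends on iteration order even though forLogContent(Collection) builds its result in a HashSet (visible in the Encoder.java section). Fix the expectation to the two inputs and compare whole collections, e.g. `List<String> expected = Arrays.asList("I___", "am&gt");` and `Assertions.assertEquals(expected, actualEncodedArray);`, then drop `@Disabled` so the ordering and duplicate behaviour of the collection overload is actually exercised. The qualified call `Encoder.forLogContent(results)` also differs from the unqualified calls used by the neighbouring tests, which appear to rely on a static import; using one form throughout would be consistent.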