| | |
|---|
| | | */
|
|---|
| | | package com.gitblit.wicket;
|
|---|
| | |
|
|---|
| | | import java.text.MessageFormat;
|
|---|
| | | import java.util.HashSet;
|
|---|
| | | import java.util.Map;
|
|---|
| | | import java.util.Set;
|
|---|
| | |
|
|---|
| | | import org.apache.wicket.IRequestTarget;
|
|---|
| | | import org.apache.wicket.Page;
|
|---|
| | | import org.apache.wicket.protocol.http.request.WebRequestCodingStrategy; |
|---|
| | | import org.apache.wicket.request.RequestParameters;
|
|---|
| | | import org.apache.wicket.request.target.coding.MixedParamUrlCodingStrategy;
|
|---|
| | | import org.apache.wicket.util.string.AppendingStringBuffer;
|
|---|
| | |
|---|
| | |
|
|---|
| | | import com.gitblit.IStoredSettings;
|
|---|
| | | import com.gitblit.Keys;
|
|---|
| | | import com.gitblit.utils.XssFilter; |
|---|
| | |
|
|---|
| | | /**
|
|---|
| | | * Simple subclass of mixed parameter url coding strategy that works around the
|
|---|
| | |
|---|
| | |
|
|---|
| | | private IStoredSettings settings;
|
|---|
| | |
|
|---|
| | | private XssFilter xssFilter; |
|---|
| | | |
|---|
| | | /**
|
|---|
| | | * Construct.
|
|---|
| | | *
|
|---|
| | |
|---|
| | | */
|
|---|
| | | public <C extends Page> GitblitParamUrlCodingStrategy(
|
|---|
| | | IStoredSettings settings,
|
|---|
| | | XssFilter xssFilter, |
|---|
| | | String mountPath,
|
|---|
| | | Class<C> bookmarkablePageClass, String[] parameterNames) {
|
|---|
| | |
|
|---|
| | | super(mountPath, bookmarkablePageClass, parameterNames);
|
|---|
| | | this.parameterNames = parameterNames;
|
|---|
| | | this.settings = settings;
|
|---|
| | | this.xssFilter = xssFilter; |
|---|
| | | }
|
|---|
| | |
|
|---|
| | | /**
|
|---|
| | |
|---|
| | | */
|
|---|
| | | @Override
|
|---|
| | | public IRequestTarget decode(RequestParameters requestParameters) {
|
|---|
| | | final String parametersFragment = requestParameters.getPath().substring(
|
|---|
| | | getMountPath().length());
|
|---|
| | | logger.debug(MessageFormat
|
|---|
| | | .format("REQ: {0} PARAMS {1}", getMountPath(), parametersFragment));
|
|---|
| | | Map<String, Object> parameterMap = (Map<String, Object>) requestParameters.getParameters(); |
|---|
| | | for (Map.Entry<String, Object> entry : parameterMap.entrySet()) { |
|---|
| | | String parameter = entry.getKey(); |
|---|
| | | if (parameter.startsWith(WebRequestCodingStrategy.NAME_SPACE)) { |
|---|
| | | // ignore Wicket parameters |
|---|
| | | continue; |
|---|
| | | } |
|---|
| | | |
|---|
| | | // sanitize Gitblit request parameters |
|---|
| | | Object o = entry.getValue(); |
|---|
| | | if (o instanceof String) { |
|---|
| | | String value = o.toString(); |
|---|
| | | String safeValue = xssFilter.none(value); |
|---|
| | | if (!value.equals(safeValue)) { |
|---|
| | | logger.warn("XSS filter triggered on {} URL parameter: {}={}", |
|---|
| | | getMountPath(), parameter, value); |
|---|
| | | parameterMap.put(parameter, safeValue); |
|---|
| | | } |
|---|
| | | } else if (o instanceof String[]) { |
|---|
| | | String[] values = (String[]) o; |
|---|
| | | for (int i = 0; i < values.length; i++) { |
|---|
| | | String value = values[i].toString(); |
|---|
| | | String safeValue = xssFilter.none(value); |
|---|
| | | if (!value.equals(safeValue)) { |
|---|
| | | logger.warn("XSS filter triggered on {} URL parameter: {}={}", |
|---|
| | | getMountPath(), parameter, value); |
|---|
| | | values[i] = safeValue; |
|---|
| | | } |
|---|
| | | } |
|---|
| | | } |
|---|
| | | } |
|---|
| | |
|
|---|
| | | return super.decode(requestParameters);
|
|---|
| | | }
|
|---|
