From a6d73aec471f4310a8e0e1779f292416d1eba244 Mon Sep 17 00:00:00 2001 From: reeshika-h Date: Mon, 6 May 2024 13:17:24 +0530 Subject: [PATCH 1/5] fixed sre issue --- .../utils/render/DefaultOption.java | 67 ++++++++++++------- 1 file changed, 41 insertions(+), 26 deletions(-) diff --git a/src/main/java/com/contentstack/utils/render/DefaultOption.java b/src/main/java/com/contentstack/utils/render/DefaultOption.java index e384698..35dae2a 100644 --- a/src/main/java/com/contentstack/utils/render/DefaultOption.java +++ b/src/main/java/com/contentstack/utils/render/DefaultOption.java @@ -6,6 +6,8 @@ import com.contentstack.utils.node.MarkType; import org.apache.commons.text.StringEscapeUtils; import org.json.JSONObject; +import org.jsoup.Jsoup; +import org.jsoup.nodes.Document; import java.util.*; @@ -101,67 +103,70 @@ private String escapeInjectHtml(JSONObject nodeObj, String nodeType) { public String renderNode(String nodeType, JSONObject nodeObject, NodeCallback callback) { String strAttrs = strAttrs(nodeObject); String children = callback.renderChildren(nodeObject.optJSONArray("children")); + // Jsoup sanitization + Document sanitizedChildren = Jsoup.parse(children); + String cleanChildren = sanitizedChildren.body().html(); switch (nodeType) { case "p": - return "" + children + "

"; + return "" + cleanChildren + "

"; case "a": - return "" + children + ""; + return "" + cleanChildren + ""; case "img": String assetLink = getNodeStr(nodeObject, "asset-link"); if (!assetLink.isEmpty()) { JSONObject attrs = nodeObject.optJSONObject("attrs"); if (attrs.has("link")) { - return "" + "" + children + ""; + return "" + "" + cleanChildren + ""; } - return "" + children; + return "" + cleanChildren; } - return "" + children; + return "" + cleanChildren; case "embed": - return ""; + return ""; case "h1": - return "" + children + ""; + return "" + cleanChildren + ""; case "h2": - return "" + children + ""; + return "" + cleanChildren + ""; case "h3": - return "" + children + ""; + return "" + cleanChildren + ""; case "h4": - return "" + children + ""; + return "" + cleanChildren + ""; case "h5": - return "" + children + ""; + return "" + cleanChildren + ""; case "h6": - return "" + children + ""; + return "" + cleanChildren + ""; case "ol": - return "" + children + ""; + return "" + cleanChildren + ""; case "ul": - return "" + children + ""; + return "" + cleanChildren + ""; case "li": - return "" + children + ""; + return "" + cleanChildren + ""; case "hr": return ""; case "table": - return "" + children + "
"; + return "" + cleanChildren + "
"; case "thead": - return "" + children + ""; + return "" + cleanChildren + ""; case "tbody": - return "" + children + ""; + return "" + cleanChildren + ""; case "tfoot": - return "" + children + ""; + return "" + cleanChildren + ""; case "tr": - return "" + children + ""; + return "" + cleanChildren + ""; case "th": - return "" + children + ""; + return "" + cleanChildren + ""; case "td": - return "" + children + ""; + return "" + cleanChildren + ""; case "blockquote": - return "" + children + ""; + return "" + cleanChildren + ""; case "code": - return "" + children + ""; + return "" + cleanChildren + ""; case "reference": return ""; case "fragment": - return "" + children + ""; + return "" + cleanChildren + ""; default: - return children; + return cleanChildren; } } @@ -182,6 +187,16 @@ String strAttrs(JSONObject nodeObject) { for (String key : attrsObject.keySet()) { Object objValue = attrsObject.opt(key); String value = objValue.toString(); + + StringBuilder escapedValue = new StringBuilder(); + for (char ch : value.toCharArray()) { + if (ch == '&' || ch == '<' || ch == '>' || ch == '"' || ch == '\'') { + escapedValue.append("&#").append((int) ch).append(';'); + } else { + escapedValue.append(ch); + } + } + value = escapedValue.toString(); // If style is available, do styling calculations if (Objects.equals(key, "style")) { String resultStyle = stringifyStyles(attrsObject.optJSONObject("style")); From 810a6b1e18c3ea239ceb58591883788ec78c69f4 Mon Sep 17 00:00:00 2001 From: reeshika-h Date: Mon, 6 May 2024 15:09:55 +0530 Subject: [PATCH 2/5] version bump --- Changelog.md | 6 ++++++ pom.xml | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index 9bce73f..d3838f3 100644 --- a/Changelog.md +++ b/Changelog.md @@ -2,6 +2,12 @@ A brief description of what changes project contains +## May 6, 2024 + +#### v1.2.9 + +- Fixed vulnerability issue related to strAttrs and children. + ## April 23, 2024 #### v1.2.8 diff --git a/pom.xml b/pom.xml index 3ff59ce..2b2b6aa 100644 --- a/pom.xml +++ b/pom.xml @@ -4,7 +4,7 @@ 4.0.0 com.contentstack.sdk utils - 1.2.8 + 1.2.9 jar Contentstack-utils Java Utils SDK for Contentstack Content Delivery API, Contentstack is a headless CMS From 47843f989ec292611ec07f36802aef83fadb4c93 Mon Sep 17 00:00:00 2001 From: reeshika-h Date: Mon, 6 May 2024 16:56:27 +0530 Subject: [PATCH 3/5] release date changed --- Changelog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index d3838f3..b0ebd54 100644 --- a/Changelog.md +++ b/Changelog.md @@ -2,7 +2,7 @@ A brief description of what changes project contains -## May 6, 2024 +## May 14, 2024 #### v1.2.9 From 972c6361532d30695eb31b5b77095c7c9d976c1e Mon Sep 17 00:00:00 2001 From: reeshika-h Date: Mon, 6 May 2024 17:13:02 +0530 Subject: [PATCH 4/5] snyk issues fixed --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 2b2b6aa..170ae7e 100644 --- a/pom.xml +++ b/pom.xml @@ -28,8 +28,8 @@ 2.5.3 2.0.1.Final 20240303 - 6.1.6 - 1.11.0 + 6.1.5 + 1.12.0 From 82ff4da41130b6b4ce23959cd0deddc17b7f7a19 Mon Sep 17 00:00:00 2001 From: reeshika-h Date: Mon, 6 May 2024 17:25:14 +0530 Subject: [PATCH 5/5] fixed snyk issue --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 170ae7e..06f5bf7 100644 --- a/pom.xml +++ b/pom.xml @@ -28,7 +28,7 @@ 2.5.3 2.0.1.Final 20240303 - 6.1.5 + 6.1.6 1.12.0