fix #2837 Removed scriptlet usage in Admin Design page for better cod…
…e maintainability.
marevol committed Jul 28, 2024
1 parent 9066999 commit c895e16
Showing 7 changed files with 67 additions and 13 deletions.
Expand Up @@ -22,6 +22,7 @@
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;

import org.apache.commons.io.FileUtils;
import org.apache.logging.log4j.LogManager;
Expand All @@ -47,6 +48,10 @@
*/
public class AdminDesignAction extends FessAdminAction {

private static final String CACHE_AND_SESSION_INVALIDATE_STATEMENT = "<!--CACHE_AND_SESSION_INVALIDATE-->";

private static final String TRY_STATEMENT = "<!--TRY-->";

public static final String ROLE = "admin-design";

private static final Logger logger = LogManager.getLogger(AdminDesignAction.class);
Expand Down Expand Up @@ -237,7 +242,7 @@ public HtmlResponse edit(final EditForm form) {
final String jspType = "view";
final File jspFile = getJspFile(form.fileName, jspType);
try {
form.content = new String(FileUtil.readBytes(jspFile), Constants.UTF_8);
form.content = encodeJsp(new String(FileUtil.readBytes(jspFile), Constants.UTF_8));
} catch (final UnsupportedEncodingException e) {
throw new FessSystemException("Invalid encoding", e);
}
Expand All @@ -251,7 +256,7 @@ public HtmlResponse editAsUseDefault(final EditForm form) {
final String jspType = "orig/view";
final File jspFile = getJspFile(form.fileName, jspType);
try {
form.content = new String(FileUtil.readBytes(jspFile), Constants.UTF_8);
form.content = encodeJsp(new String(FileUtil.readBytes(jspFile), Constants.UTF_8));
} catch (final UnsupportedEncodingException e) {
throw new FessSystemException("Invalid encoding", e);
}
Expand All @@ -272,7 +277,7 @@ public HtmlResponse update(final EditForm form) {
validate(form, messages -> {}, () -> asEditHtml(form));
verifyToken(() -> asEditHtml(form));
try {
write(jspFile.getAbsolutePath(), form.content.getBytes(Constants.UTF_8));
write(jspFile.getAbsolutePath(), decodeJsp(form.content).getBytes(Constants.UTF_8));
saveInfo(messages -> messages.addSuccessUpdateDesignJspFile(GLOBAL, jspFile.getAbsolutePath()));
} catch (final Exception e) {
logger.warn("Failed to update {}", form.fileName, e);
Expand Down Expand Up @@ -351,4 +356,15 @@ private HtmlResponse asEditHtml(final EditForm form) {
data.register("displayFileName", getJspFile(form.fileName, "view").getAbsolutePath());
});
}

public static String decodeJsp(final String value) {
return value.replaceAll("<%(?![@-])([\\s\\S]*?)%>", "&lt;%$1%&gt;").replaceAll("<%=([\\s\\S]*?)%>", "&lt;%=$1%&gt;")
.replaceAll(TRY_STATEMENT, "<% try{ %>")
.replaceAll(CACHE_AND_SESSION_INVALIDATE_STATEMENT, "<% }catch(Exception e){session.invalidate();} %>");
}

public static String encodeJsp(final String value) {
return value.replaceAll(Pattern.quote("<% try{ %>"), TRY_STATEMENT)
.replaceAll(Pattern.quote("<% }catch(Exception e){session.invalidate();} %>"), CACHE_AND_SESSION_INVALIDATE_STATEMENT);
}
}
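Review bot: The `(?![@-])` lookahead in decodeJsp passes every `<%@` directive through unescaped so that page/taglib headers survive, but it equally admits `<%@ include ... %>`, which inlines another server-side file, and the pattern does not touch the XML-form `<jsp:scriptlet>`/`<jsp:expression>`/`<jsp:declaration>` elements at all; if the escaping is meant to keep admin-edited templates free of server-side code, restrict the allowed directives, e.g. `"<%(?!@\\s*(page|taglib)\\b|-)([\\s\\S]*?)%>"`, and treat the XML-form elements the same way. The second `.replaceAll("<%=([\\s\\S]*?)%>", ...)` is dead code: `=` is not excluded by the first pattern, so every `<%= ... %>` has already been rewritten before it runs. For symmetry with encodeJsp, the marker replacements should use `Pattern.quote(TRY_STATEMENT)` and `Pattern.quote(CACHE_AND_SESSION_INVALIDATE_STATEMENT)` rather than passing the markers as raw regexes. A Javadoc on both methods stating that they are an inverse pair, and that the round trip depends on the JSP files using exactly the `<% try{ %>` and `<% }catch(Exception e){session.invalidate();} %>` spellings, would save the next maintainer from rediscovering why a reformatted template loses its wrapper on save.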
4 changes: 0 additions & 4 deletions src/main/resources/fess.xml
Expand Up @@ -95,10 +95,6 @@
<arg>"errorSystem"</arg>
<arg>"error/system.jsp"</arg>
</postConstruct>
<postConstruct name="addDesignJspFileName">
<arg>"errorRedirect"</arg>
<arg>"error/redirect.jsp"</arg>
</postConstruct>
<postConstruct name="addDesignJspFileName">
<arg>"errorBadRequest"</arg>
<arg>"error/badRequest.jsp"</arg>
4 changes: 2 additions & 2 deletions src/main/webapp/WEB-INF/view/error/badRequest.jsp
Expand Up @@ -24,12 +24,12 @@
</div>
</main>
<jsp:include page="../footer.jsp" />
<input type="hidden" id="contextPath" value="<%=request.getContextPath()%>" />
<input type="hidden" id="contextPath" value="${pageContext.request.contextPath}" />
<script type="text/javascript"
src="${fe:url('/js/jquery-3.6.3.min.js')}"></script>
<script type="text/javascript" src="${fe:url('/js/bootstrap.min.js')}"></script>
<script type="text/javascript" src="${fe:url('/js/suggestor.js')}"></script>
<script type="text/javascript" src="${fe:url('/js/search.js')}"></script>
</body>
</html>
<% }catch(Exception e){ session.invalidate();}%>
<% }catch(Exception e){session.invalidate();} %>
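Review bot: The catch line is rewritten to byte-match the CACHE_AND_SESSION_INVALIDATE marker literal that encodeJsp looks for, but the paired `<% try{ %>` opener at the top of this file is outside the hunk, so whether it uses the exact canonical spelling cannot be confirmed here; the same applies to system.jsp. If either line drifts by a single space, encodeJsp leaves it untouched and decodeJsp then escapes it to `&lt;% try{ %&gt;` on the next save, silently dropping one half of the try/catch from the written template and leaving the other half as an unmatched scriptlet. A whitespace-tolerant match in encodeJsp, or a test in AdminDesignActionTest asserting that each registered design JSP round-trips through encodeJsp/decodeJsp unchanged, would catch that before it reaches a deployed page.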
2 changes: 1 addition & 1 deletion src/main/webapp/WEB-INF/view/error/error.jsp
Expand Up @@ -28,7 +28,7 @@
</div>
</main>
<jsp:include page="../footer.jsp" />
<input type="hidden" id="contextPath" value="<%=request.getContextPath()%>" />
<input type="hidden" id="contextPath" value="${pageContext.request.contextPath}" />
<script type="text/javascript"
src="${fe:url('/js/jquery-3.6.3.min.js')}"></script>
<script type="text/javascript" src="${fe:url('/js/bootstrap.min.js')}"></script>
2 changes: 1 addition & 1 deletion src/main/webapp/WEB-INF/view/error/notFound.jsp
Expand Up @@ -26,7 +26,7 @@
</div>
</main>
<jsp:include page="../footer.jsp" />
<input type="hidden" id="contextPath" value="<%=request.getContextPath()%>" />
<input type="hidden" id="contextPath" value="${pageContext.request.contextPath}" />
<script type="text/javascript"
src="${fe:url('/js/jquery-3.6.3.min.js')}"></script>
<script type="text/javascript" src="${fe:url('/js/bootstrap.min.js')}"></script>
4 changes: 2 additions & 2 deletions src/main/webapp/WEB-INF/view/error/system.jsp
Expand Up @@ -24,12 +24,12 @@
</div>
</main>
<jsp:include page="../footer.jsp" />
<input type="hidden" id="contextPath" value="<%=request.getContextPath()%>" />
<input type="hidden" id="contextPath" value="${pageContext.request.contextPath}" />
<script type="text/javascript"
src="${fe:url('/js/jquery-3.6.3.min.js')}"></script>
<script type="text/javascript" src="${fe:url('/js/bootstrap.min.js')}"></script>
<script type="text/javascript" src="${fe:url('/js/suggestor.js')}"></script>
<script type="text/javascript" src="${fe:url('/js/search.js')}"></script>
</body>
</html>
<% }catch(Exception e){ session.invalidate();}%>
<% }catch(Exception e){session.invalidate();} %>
@@ -0,0 +1,42 @@
/*
* Copyright 2012-2024 CodeLibs Project and the Others.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
* either express or implied. See the License for the specific language
* governing permissions and limitations under the License.
*/
package org.codelibs.fess.app.web.admin.design;

import org.codelibs.fess.unit.UnitFessTestCase;

public class AdminDesignActionTest extends UnitFessTestCase {
public void test_decodeJsp() {
assertEquals("&lt;% a %&gt;", AdminDesignAction.decodeJsp("<% a %>"));
assertEquals("&lt;%= a %&gt;", AdminDesignAction.decodeJsp("<%= a %>"));
assertEquals("&lt;% a\nb %&gt;", AdminDesignAction.decodeJsp("<% a\nb %>"));
assertEquals("&lt;%= a\nb %&gt;", AdminDesignAction.decodeJsp("<%= a\nb %>"));
assertEquals("<% a", AdminDesignAction.decodeJsp("<% a"));
assertEquals("<%= a", AdminDesignAction.decodeJsp("<%= a"));
assertEquals("<% try{ %>", AdminDesignAction.decodeJsp("<!--TRY-->"));
assertEquals("<% }catch(Exception e){session.invalidate();} %>",
AdminDesignAction.decodeJsp("<!--CACHE_AND_SESSION_INVALIDATE-->"));
assertEquals("&lt;% a %&gt; %>", AdminDesignAction.decodeJsp("<% a %> %>"));
assertEquals("&lt;% a %&gt; <%", AdminDesignAction.decodeJsp("<% a %> <%"));
assertEquals("&lt;% <% a %&gt;", AdminDesignAction.decodeJsp("<% <% a %>"));
assertEquals("%> &lt;% a %&gt;", AdminDesignAction.decodeJsp("%> <% a %>"));
}

public void test_encodeJsp() {
assertEquals("<!--TRY-->", AdminDesignAction.encodeJsp("<% try{ %>"));
assertEquals("<!--CACHE_AND_SESSION_INVALIDATE-->",
AdminDesignAction.encodeJsp("<% }catch(Exception e){session.invalidate();} %>"));
}
}
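Review bot: test_decodeJsp never exercises the two branches the `(?![@-])` lookahead exists for, so a future change to that lookahead would pass this suite while breaking every page header; add `assertEquals("<%@ page pageEncoding=\"UTF-8\" %>", AdminDesignAction.decodeJsp("<%@ page pageEncoding=\"UTF-8\" %>"));` and `assertEquals("<%-- c --%>", AdminDesignAction.decodeJsp("<%-- c --%>"));`. There is also no round-trip assertion, which is the property the edit/update flow actually relies on: `assertEquals(s, AdminDesignAction.decodeJsp(AdminDesignAction.encodeJsp(s)))` for a string containing both wrapper lines would pin it. Finally, a case where the marker text itself appears inside an escaped scriptlet (`<% <!--TRY--> %>`) would document that markers are substituted after escaping, which is the order decodeJsp currently depends on.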
