
Commit 3b5d693

authored
Improve CodeQL handling of multiple rules (#474)
Also fixed incidental bug in header injection remediation when applied to interfaces.
1 parent 33844c5 commit 3b5d693


15 files changed

+103395
-94
lines changed


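--- a/core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLXSSCodemod.java
+++ b/core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLXSSCodemod.java
@@ -48,8 +48,6 @@ public CodemodFileScanningResult visit(
 r ->
 Optional.ofNullable(
 r.getLocations().get(0).getPhysicalLocation().getRegion().getEndLine()),
-r ->
-Optional.ofNullable(
-r.getLocations().get(0).getPhysicalLocation().getRegion().getStartColumn()));
+r -> Optional.empty());
 }
 }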
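Review bot: The replacement lambda `r -> Optional.empty()` silently turns off start-column matching for this codemod with nothing in the code saying why, so the next reader is likely to "restore" the column extractor and reintroduce whatever mismatch this commit is working around. A one-line comment on the new line, such as `// column matching deliberately disabled: results are matched on end line only`, would record the intent; if the reason is a known offset between CodeQL's and JavaParser's column numbering, say so explicitly. The `visit` method this sits in begins before the hunk, and the remaining `getLocations().get(0)` chain on the context lines still assumes a non-empty location list, which is outside this change but worth a guard in a follow-up.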
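--- /dev/null
+++ b/[path not shown on page: CodeQLHttpResponseSplittingCodemodTest]
@@ -0,0 +1,15 @@
+package io.codemodder.codemods.codeql;
+
+import io.codemodder.DependencyGAV;
+import io.codemodder.testutils.CodemodTestMixin;
+import io.codemodder.testutils.Metadata;
+
+@Metadata(
+codemodType = CodeQLHttpResponseSplittingCodemod.class,
+testResourceDir = "codeql-http-response-splitting",
+expectingFixesAtLines = {155},
+doRetransformTest = false,
+renameTestFile =
+"app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java",
+dependencies = DependencyGAV.JAVA_SECURITY_TOOLKIT_GAV)
+final class CodeQLHttpResponseSplittingCodemodTest implements CodemodTestMixin {}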
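Review bot: The two new test classes spell the same annotation attribute differently: here it is `expectingFixesAtLines = {155}` while the XSS test in the next section writes `expectingFixesAtLines = 302`. Both forms are legal for a single-element array attribute, but picking one (the braced form reads as the array it is) keeps the codeql test classes uniform. `doRetransformTest = false` also appears in both without a reason; a short comment such as `// retransform skipped: the fix is idempotent only after the toolkit dependency is added — confirm` (hedged, since the page does not show why) would help whoever later tries to enable it.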
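--- /dev/null
+++ b/[path not shown on page: CodeQLXSSCodemodTest]
@@ -0,0 +1,14 @@
+package io.codemodder.codemods.codeql;
+
+import io.codemodder.testutils.CodemodTestMixin;
+import io.codemodder.testutils.Metadata;
+
+@Metadata(
+codemodType = CodeQLXSSCodemod.class,
+testResourceDir = "codeql-xss",
+renameTestFile =
+"app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+expectingFixesAtLines = 302,
+doRetransformTest = false,
+dependencies = {})
+final class CodeQLXSSCodemodTest implements CodemodTestMixin {}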
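--- /dev/null
+++ b/[path not shown on page: AuthorizationServlet fixture, 171 lines]
@@ -0,0 +1,171 @@
+/*
+* Copyright 2007 AOL, LLC.
+* Portions Copyright 2009 Apache Software Foundation
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package org.apache.roller.weblogger.webservices.oauth;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import net.oauth.OAuth;
+import net.oauth.OAuthAccessor;
+import net.oauth.OAuthMessage;
+import net.oauth.server.OAuthServlet;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.roller.weblogger.business.OAuthManager;
+import org.apache.roller.weblogger.business.WebloggerFactory;
+
+/**
+* Authorization request handler.
+*
+* @author Praveen Alavilli
+* @author Dave Johnson (adapted for Roller)
+*/
+public class AuthorizationServlet extends HttpServlet {
+protected static final Log log = LogFactory.getFactory().getInstance(AuthorizationServlet.class);
+
+@Override
+public void doGet(HttpServletRequest request, HttpServletResponse response)
+throws IOException, ServletException {
+
+try{
+OAuthMessage requestMessage = OAuthServlet.getMessage(request, null);
+
+OAuthManager omgr = WebloggerFactory.getWeblogger().getOAuthManager();
+OAuthAccessor accessor = omgr.getAccessor(requestMessage);
+
+if (Boolean.TRUE.equals(accessor.getProperty("authorized"))) {
+// already authorized send the user back
+returnToConsumer(request, response, accessor);
+} else {
+sendToAuthorizePage(request, response, accessor);
+}
+
+} catch (Exception e){
+handleException(e, request, response, true);
+}
+}
+
+@Override
+public void doPost(HttpServletRequest request, HttpServletResponse response)
+throws IOException, ServletException {
+
+try{
+OAuthMessage requestMessage = OAuthServlet.getMessage(request, null);
+
+OAuthManager omgr = WebloggerFactory.getWeblogger().getOAuthManager();
+OAuthAccessor accessor = omgr.getAccessor(requestMessage);
+
+String userId = request.getParameter("userId");
+if (userId == null) {
+userId = request.getParameter("xoauth_requestor_id");
+}
+
+if (userId == null) {
+// no user associted with the key, must be site-wide key,
+// so get user to login and do the authorization process
+sendToAuthorizePage(request, response, accessor);
+
+} else {
+
+// if consumer key is for specific user, check username match
+String consumerUserId = (String)accessor.consumer.getProperty("userId");
+if (consumerUserId != null && !userId.equals(consumerUserId)) {
+throw new ServletException("ERROR: invalid or unspecified userId");
+}
+
+// set userId in accessor and mark it as authorized
+omgr.markAsAuthorized(accessor, userId);
+WebloggerFactory.getWeblogger().flush();
+}
+
+returnToConsumer(request, response, accessor);
+
+} catch (Exception e){
+handleException(e, request, response, true);
+}
+}
+
+private void sendToAuthorizePage(HttpServletRequest request,
+HttpServletResponse response, OAuthAccessor accessor)
+throws IOException, ServletException{
+String callback = request.getParameter("oauth_callback");
+if(callback == null || callback.length() <=0) {
+callback = "none";
+}
+String consumer_description = (String)accessor.consumer.getProperty("description");
+request.setAttribute("CONS_DESC", consumer_description);
+request.setAttribute("CALLBACK", callback);
+request.setAttribute("TOKEN", accessor.requestToken);
+request.getRequestDispatcher("/roller-ui/oauthAuthorize.rol").forward(request, response);
+}
+
+private void returnToConsumer(HttpServletRequest request,
+HttpServletResponse response, OAuthAccessor accessor)
+throws IOException, ServletException {
+
+// send the user back to site's callBackUrl
+String callback = request.getParameter("oauth_callback");
+if ("none".equals(callback)
+&& accessor.consumer.callbackURL != null
+&& accessor.consumer.callbackURL.length() > 0){
+// first check if we have something in our properties file
+callback = accessor.consumer.callbackURL;
+}
+
+if ( "none".equals(callback) ) {
+// no call back it must be a client
+response.setContentType("text/plain");
+try (PrintWriter out = response.getWriter()) {
+out.println("You have successfully authorized for consumer key '"
++ accessor.consumer.consumerKey
++ "'. Please close this browser window and click continue"
++ " in the client.");
+}
+} else {
+// if callback is not passed in, use the callback from config
+if(callback == null || callback.length() <=0 ) {
+callback = accessor.consumer.callbackURL;
+}
+String token = accessor.requestToken;
+if (token != null && callback != null) {
+callback = OAuth.addParameters(callback, "oauth_token", token);
+}
+
+response.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY);
+response.setHeader("Location", stripNewlines(callback));
+}
+}
+
+public void handleException(Exception e, HttpServletRequest request,
+HttpServletResponse response, boolean sendBody)
+throws IOException, ServletException {
+log.debug("ERROR authorizing token", e);
+String realm = (request.isSecure())?"https://":"http://";
+realm += request.getLocalName();
+OAuthServlet.handleException(response, e, realm, sendBody);
+}
+
+private static String stripNewlines(final String s) {
+return s.replaceAll("[\n\r]", "");
+}
+}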
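Review bot: The injected `stripNewlines` at fixture line 168-170 dereferences its argument unconditionally, but the `callback` it receives on line 155 can be null: line 147 assigns `accessor.consumer.callbackURL`, which lines 129 and 150 both treat as nullable, so the remediated code throws a `NullPointerException` where the original `setHeader("Location", null)` did not. Since this file appears to be the codemod's expected output (the test above expects a fix at line 155), the null guard belongs in whatever template the CodeQLHttpResponseSplittingCodemod emits, e.g. `return s == null ? null : s.replaceAll("[\n\r]", "");`. Note also that removing CR/LF closes the header-splitting finding but leaves the redirect target fully sourced from the `oauth_callback` request parameter; a defensive follow-up in the servlet itself would be to accept the parameter only when it matches the consumer's registered `callbackURL` that lines 128-133 already consult.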
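--- /dev/null
+++ b/[path not shown on page: AuthorizationServlet fixture, 167 lines]
@@ -0,0 +1,167 @@
+/*
+* Copyright 2007 AOL, LLC.
+* Portions Copyright 2009 Apache Software Foundation
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package org.apache.roller.weblogger.webservices.oauth;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import net.oauth.OAuth;
+import net.oauth.OAuthAccessor;
+import net.oauth.OAuthMessage;
+import net.oauth.server.OAuthServlet;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.roller.weblogger.business.OAuthManager;
+import org.apache.roller.weblogger.business.WebloggerFactory;
+
+/**
+* Authorization request handler.
+*
+* @author Praveen Alavilli
+* @author Dave Johnson (adapted for Roller)
+*/
+public class AuthorizationServlet extends HttpServlet {
+protected static final Log log = LogFactory.getFactory().getInstance(AuthorizationServlet.class);
+
+@Override
+public void doGet(HttpServletRequest request, HttpServletResponse response)
+throws IOException, ServletException {
+
+try{
+OAuthMessage requestMessage = OAuthServlet.getMessage(request, null);
+
+OAuthManager omgr = WebloggerFactory.getWeblogger().getOAuthManager();
+OAuthAccessor accessor = omgr.getAccessor(requestMessage);
+
+if (Boolean.TRUE.equals(accessor.getProperty("authorized"))) {
+// already authorized send the user back
+returnToConsumer(request, response, accessor);
+} else {
+sendToAuthorizePage(request, response, accessor);
+}
+
+} catch (Exception e){
+handleException(e, request, response, true);
+}
+}
+
+@Override
+public void doPost(HttpServletRequest request, HttpServletResponse response)
+throws IOException, ServletException {
+
+try{
+OAuthMessage requestMessage = OAuthServlet.getMessage(request, null);
+
+OAuthManager omgr = WebloggerFactory.getWeblogger().getOAuthManager();
+OAuthAccessor accessor = omgr.getAccessor(requestMessage);
+
+String userId = request.getParameter("userId");
+if (userId == null) {
+userId = request.getParameter("xoauth_requestor_id");
+}
+
+if (userId == null) {
+// no user associted with the key, must be site-wide key,
+// so get user to login and do the authorization process
+sendToAuthorizePage(request, response, accessor);
+
+} else {
+
+// if consumer key is for specific user, check username match
+String consumerUserId = (String)accessor.consumer.getProperty("userId");
+if (consumerUserId != null && !userId.equals(consumerUserId)) {
+throw new ServletException("ERROR: invalid or unspecified userId");
+}
+
+// set userId in accessor and mark it as authorized
+omgr.markAsAuthorized(accessor, userId);
+WebloggerFactory.getWeblogger().flush();
+}
+
+returnToConsumer(request, response, accessor);
+
+} catch (Exception e){
+handleException(e, request, response, true);
+}
+}
+
+private void sendToAuthorizePage(HttpServletRequest request,
+HttpServletResponse response, OAuthAccessor accessor)
+throws IOException, ServletException{
+String callback = request.getParameter("oauth_callback");
+if(callback == null || callback.length() <=0) {
+callback = "none";
+}
+String consumer_description = (String)accessor.consumer.getProperty("description");
+request.setAttribute("CONS_DESC", consumer_description);
+request.setAttribute("CALLBACK", callback);
+request.setAttribute("TOKEN", accessor.requestToken);
+request.getRequestDispatcher("/roller-ui/oauthAuthorize.rol").forward(request, response);
+}
+
+private void returnToConsumer(HttpServletRequest request,
+HttpServletResponse response, OAuthAccessor accessor)
+throws IOException, ServletException {
+
+// send the user back to site's callBackUrl
+String callback = request.getParameter("oauth_callback");
+if ("none".equals(callback)
+&& accessor.consumer.callbackURL != null
+&& accessor.consumer.callbackURL.length() > 0){
+// first check if we have something in our properties file
+callback = accessor.consumer.callbackURL;
+}
+
+if ( "none".equals(callback) ) {
+// no call back it must be a client
+response.setContentType("text/plain");
+try (PrintWriter out = response.getWriter()) {
+out.println("You have successfully authorized for consumer key '"
++ accessor.consumer.consumerKey
++ "'. Please close this browser window and click continue"
++ " in the client.");
+}
+} else {
+// if callback is not passed in, use the callback from config
+if(callback == null || callback.length() <=0 ) {
+callback = accessor.consumer.callbackURL;
+}
+String token = accessor.requestToken;
+if (token != null && callback != null) {
+callback = OAuth.addParameters(callback, "oauth_token", token);
+}
+
+response.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY);
+response.setHeader("Location", callback);
+}
+}
+
+public void handleException(Exception e, HttpServletRequest request,
+HttpServletResponse response, boolean sendBody)
+throws IOException, ServletException {
+log.debug("ERROR authorizing token", e);
+String realm = (request.isSecure())?"https://":"http://";
+realm += request.getLocalName();
+OAuthServlet.handleException(response, e, realm, sendBody);
+}
+}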
