Skip to content

Commit

Permalink
feat(sanitizer): enable it by default from 10.0+ versions (#2969)
Browse files Browse the repository at this point in the history
Default activation if missing or incorrect is ENABLED

Relates to https://bonitasoft.atlassian.net/browse/RUNTIME-1840
  • Loading branch information
educhastenier authored Apr 12, 2024
1 parent 3f2470d commit 5b732ce
Show file tree
Hide file tree
Showing 5 changed files with 24 additions and 20 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,6 @@
import java.util.Optional;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Consumer;
import java.util.logging.Logger;
import java.util.stream.Stream;

import javax.annotation.Nullable;
Expand All @@ -40,6 +39,7 @@
import com.fasterxml.jackson.databind.node.ArrayNode;
import com.fasterxml.jackson.databind.node.ObjectNode;
import com.fasterxml.jackson.databind.node.TextNode;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.io.IOUtils;
import org.bonitasoft.console.common.server.preferences.properties.PropertiesFactory;
import org.owasp.html.HtmlChangeListener;
Expand All @@ -54,10 +54,9 @@
*
* @author Vincent Hemery
*/
@Slf4j
public class SanitizerFilter extends ExcludingPatternFilter {

protected static Logger log = Logger.getLogger(SanitizerFilter.class.getName());

/**
* Sanitizer to apply to values.
* Do not let TABLES and LINKS which can be mis-leading as phishing.
Expand All @@ -84,14 +83,18 @@ public class SanitizerFilter extends ExcludingPatternFilter {

@Override
public void discardedTag(@Nullable Object context, String elementName) {
log.fine(() -> format("Tag '%s' has been discarded", elementName));
if (log.isDebugEnabled()) {
log.debug(format("Tag '%s' has been discarded", elementName));
}
}

@Override
public void discardedAttributes(
@Nullable Object context, String elementName, String... attributeNames) {
log.fine(() -> format("Tag '%s' has been cleaned from the following attributes: %s", elementName,
attributeNames));
if (log.isDebugEnabled()) {
log.debug(format("Tag '%s' has been cleaned from the following attributes: %s", elementName,
String.join(", ", attributeNames)));
}
}
};

Expand Down Expand Up @@ -281,7 +284,7 @@ private Optional<String> sanitizeValueAndPerformAction(String value, Consumer<St
sanitized = HtmlUtils.htmlUnescape(sanitized);
// check whether value has effectively changed before doing anything
if (!sanitized.equals(value)) {
log.warning("Incoming HTML content has been altered. More details at debug level");
log.warn("Incoming HTML content has been altered. More details at debug level");
action.accept(sanitized);
return Optional.of(sanitized);
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -108,8 +108,8 @@ public boolean isCSRFProtectionEnabled() {
*/
public boolean isSanitizerProtectionEnabled() {
final String res = getPlatformProperty(SANITIZER_PROTECTION);
// keep false as default when not set correctly (empty string, null, or any non-"true" value)
return Boolean.parseBoolean(res);
// keep true as default when not set correctly (empty string, null, or any non-"false" value)
return !"false".equalsIgnoreCase(res);
}

/**
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,23 +25,23 @@ public class SecurityPropertiesTest {
private final SecurityProperties securityProperties = spy(new SecurityProperties());

@Test
public void invalid_or_absent_sanitizer_conf_should_be_disabled() {
public void invalid_or_absent_sanitizer_conf_should_be_enabled() {
doReturn(null).when(securityProperties).getPlatformProperty(SANITIZER_PROTECTION);
assertThat(securityProperties.isSanitizerProtectionEnabled()).isFalse();
assertThat(securityProperties.isSanitizerProtectionEnabled()).isTrue();

doReturn("").when(securityProperties).getPlatformProperty(SANITIZER_PROTECTION);
assertThat(securityProperties.isSanitizerProtectionEnabled()).isFalse();
assertThat(securityProperties.isSanitizerProtectionEnabled()).isTrue();

doReturn("false").when(securityProperties).getPlatformProperty(SANITIZER_PROTECTION);
assertThat(securityProperties.isSanitizerProtectionEnabled()).isFalse();
doReturn("true").when(securityProperties).getPlatformProperty(SANITIZER_PROTECTION);
assertThat(securityProperties.isSanitizerProtectionEnabled()).isTrue();
}

@Test
public void sanitizer_should_be_enabled_for_true_value_whatever_the_case() {
doReturn("true").when(securityProperties).getPlatformProperty(SANITIZER_PROTECTION);
assertThat(securityProperties.isSanitizerProtectionEnabled()).isTrue();
public void sanitizer_should_be_disabled_for_false_value_whatever_the_case() {
doReturn("false").when(securityProperties).getPlatformProperty(SANITIZER_PROTECTION);
assertThat(securityProperties.isSanitizerProtectionEnabled()).isFalse();

doReturn("trUE").when(securityProperties).getPlatformProperty(SANITIZER_PROTECTION);
assertThat(securityProperties.isSanitizerProtectionEnabled()).isTrue();
doReturn("falSE").when(securityProperties).getPlatformProperty(SANITIZER_PROTECTION);
assertThat(securityProperties.isSanitizerProtectionEnabled()).isFalse();
}
}
1 change: 1 addition & 0 deletions bpm/bonita-web-server/src/test/resources/logback-test.xml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
<logger name="org.bonitasoft.web.rest.server.api.bpm.process" level="INFO" />
<logger name="org.bonitasoft.web.rest.server.api.resource" level="INFO" />
<logger name="org.bonitasoft.console.common.server.login.servlet" level="TRACE" />
<logger name="org.bonitasoft.console.common.server.filter.SanitizerFilter" level="DEBUG" />

<root level="WARN">
<appender-ref ref="STDOUT" />
Expand Down
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
#Enable/disable CSRF security filter
security.csrf.enabled true
#Enable/disable the Sanitizer protection activation (true/false). This sanitizer protects against multiple attacks such as XSS, but may restrict the use of some character sequences.
security.sanitizer.enabled false
security.sanitizer.enabled true
#Name of the Attributes excluded from sanitizer protection (comma separated)
security.sanitizer.exclude email,password,password_confirm
#Add or not the secure flag to the CSRF token cookie (HTTPS only)
Expand Down

0 comments on commit 5b732ce

Please sign in to comment.