File tree Expand file tree Collapse file tree 3 files changed +66
-4
lines changed
com/coravy/hudson/plugins/github
org/jenkinsci/plugins/github/util
test/java/org/jenkinsci/plugins/github/util Expand file tree Collapse file tree 3 files changed +66
-4
lines changed Original file line number Diff line number Diff line change 11package com .coravy .hudson .plugins .github ;
22
3- import java .util .Collection ;
4- import java .util .Collections ;
5-
63import hudson .Extension ;
74import hudson .model .Action ;
85import hudson .model .Job ;
96import jenkins .model .TransientActionFactory ;
7+ import org .jenkinsci .plugins .github .util .XSSApi ;
8+
9+ import java .util .Collection ;
10+ import java .util .Collections ;
1011
1112/**
1213 * Add the Github Logo/Icon to the sidebar.
@@ -33,7 +34,7 @@ public String getIconFileName() {
3334
3435 @ Override
3536 public String getUrlName () {
36- return projectProperty .getProjectUrl ().baseUrl ();
37+ return XSSApi . asValidHref ( projectProperty .getProjectUrl ().baseUrl () );
3738 }
3839
3940 @ SuppressWarnings ("rawtypes" )
Original file line number Diff line number Diff line change 1+ package org .jenkinsci .plugins .github .util ;
2+
3+ import java .net .MalformedURLException ;
4+ import java .net .URL ;
5+
6+ /**
7+ * @author lanwen (Merkushev Kirill)
8+ */
9+ public final class XSSApi {
10+ private XSSApi () {
11+ }
12+
13+ /**
14+ * Method to filter invalid url for XSS. This url can be inserted to href safely
15+ *
16+ * @param urlString unsafe url
17+ *
18+ * @return safe url
19+ */
20+ public static String asValidHref (String urlString ) {
21+ try {
22+ return new URL (urlString ).toExternalForm ();
23+ } catch (MalformedURLException e ) {
24+ return "" ;
25+ }
26+ }
27+ }
Original file line number Diff line number Diff line change 1+ package org .jenkinsci .plugins .github .util ;
2+
3+ import com .tngtech .java .junit .dataprovider .DataProvider ;
4+ import com .tngtech .java .junit .dataprovider .DataProviderRunner ;
5+ import com .tngtech .java .junit .dataprovider .UseDataProvider ;
6+ import org .junit .Test ;
7+ import org .junit .runner .RunWith ;
8+
9+ import static org .hamcrest .MatcherAssert .assertThat ;
10+ import static org .hamcrest .Matchers .is ;
11+
12+ /**
13+ * @author lanwen (Merkushev Kirill)
14+ */
15+ @ RunWith (DataProviderRunner .class )
16+ public class XSSApiTest {
17+
18+ @ DataProvider
19+ public static Object [][] links () {
20+ return new Object [][]{
21+ new Object []{"javascript:alert(1);//" , "" },
22+ new Object []{"http://abcxyz.com?a=b&c=d';alert(1);//" , "http://abcxyz.com?a=b&c=d';alert(1);//" },
23+ new Object []{"http://github.com/bla/bla" , "http://github.com/bla/bla" },
24+ new Object []{"https://github.com/bla/bla" , "https://github.com/bla/bla" },
25+ new Object []{"https://company.com/bla" , "https://company.com/bla" }
26+ };
27+ }
28+
29+ @ Test
30+ @ UseDataProvider ("links" )
31+ public void shouldSanitizeUrl (String url , String expected ) throws Exception {
32+ assertThat (XSSApi .asValidHref (url ), is (expected ));
33+ }
34+ }
You can’t perform that action at this time.
0 commit comments