Merge pull request jenkinsci#114 from lanwen/xss
prevent JS in link to github
2 parents 44a8781 + 12aaa78 commit b61b10d

3 files changed

+86
-4
lines changed

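--- a/src/main/java/com/coravy/hudson/plugins/github/GithubLinkAction.java
+++ b/src/main/java/com/coravy/hudson/plugins/github/GithubLinkAction.java
@@ -1,12 +1,13 @@
 package com.coravy.hudson.plugins.github;
 
-import java.util.Collection;
-import java.util.Collections;
-
 import hudson.Extension;
 import hudson.model.Action;
 import hudson.model.Job;
 import jenkins.model.TransientActionFactory;
+import org.jenkinsci.plugins.github.util.XSSApi;
+
+import java.util.Collection;
+import java.util.Collections;
 
 /**
 * Add the Github Logo/Icon to the sidebar.
@@ -33,7 +34,7 @@ public String getIconFileName() {
 
 @Override
 public String getUrlName() {
-return projectProperty.getProjectUrl().baseUrl();
+return XSSApi.asValidHref(projectProperty.getProjectUrl().baseUrl());
 }
 
 @SuppressWarnings("rawtypes")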
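Review bot: With the new return statement in getUrlName(), a project URL that fails to parse now yields the empty string, and the hunk does not say how an empty url name is rendered by the sidebar; Jenkins documents null as "no URL for this action", so mapping the empty result to null would avoid emitting a dead link, e.g. `String href = XSSApi.asValidHref(projectProperty.getProjectUrl().baseUrl()); return href.isEmpty() ? null : href;`. If that is done, getIconFileName() (outside this hunk) presumably needs to return null in the same case so the icon is hidden together with the link — confirm against the Action contract. The sanitized value is recomputed on every call; that is fine for a single URL, but worth a one-line comment such as `// sanitized on each call: the project URL is user-configured and may change`.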
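--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/XSSApi.java
@@ -0,0 +1,36 @@
+package org.jenkinsci.plugins.github.util;
+
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.net.MalformedURLException;
+import java.net.URL;
+
+/**
+* @author lanwen (Merkushev Kirill)
+*/
+@Restricted(NoExternalUse.class)
+public final class XSSApi {
+private static final Logger LOG = LoggerFactory.getLogger(XSSApi.class);
+
+private XSSApi() {
+}
+
+/**
+* Method to filter invalid url for XSS. This url can be inserted to href safely
+*
+* @param urlString unsafe url
+*
+* @return safe url
+*/
+public static String asValidHref(String urlString) {
+try {
+return new URL(urlString).toExternalForm();
+} catch (MalformedURLException e) {
+LOG.debug("Malformed url - {}, empty string will be returned", urlString);
+return "";
+}
+}
+}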
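Review bot: asValidHref() relies on `new URL(urlString)` rejecting unknown protocols, so what counts as "safe" is whatever set of URLStreamHandlers the running JVM has (a standard JDK resolves at least http, https, ftp, file and jar, and the set can be widened by `java.protocol.handler.pkgs` or a URLStreamHandlerFactory), which is an implicit denylist rather than the http/https allowlist the sidebar link actually needs. A `file:` or `jar:` value is not script execution, but it is also not a GitHub link, and the accepted set silently changes with the runtime. I would keep the URL parse and add an explicit protocol check on `url.getProtocol()` (already lower-cased by the URL constructor), as sketched below; this needs `java.util` imports for the set and changes the `ftp` expectations in the accompanying test. The Javadoc should also say that the result is still a raw URL and that attribute escaping of characters such as `'` is left to the view layer, e.g. `* Only http/https URLs are returned; the value is not HTML-escaped, the rendering layer must escape it as an attribute value.`

```java
private static final Set<String> ALLOWED_PROTOCOLS =
        Collections.unmodifiableSet(new HashSet<String>(Arrays.asList("http", "https")));

public static String asValidHref(String urlString) {
    try {
        URL url = new URL(urlString);
        // URL accepts every protocol with a registered stream handler (file:, jar:, ...);
        // only web links are meaningful as the sidebar href, so allowlist explicitly
        if (!ALLOWED_PROTOCOLS.contains(url.getProtocol())) {
            LOG.debug("Unsupported protocol in url - {}, empty string will be returned", urlString);
            return "";
        }
        return url.toExternalForm();
    } catch (MalformedURLException e) {
        // … unchanged: debug log and return "" …
    }
}
```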
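--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/XSSApiTest.java
@@ -0,0 +1,45 @@
+package org.jenkinsci.plugins.github.util;
+
+import com.tngtech.java.junit.dataprovider.DataProvider;
+import com.tngtech.java.junit.dataprovider.DataProviderRunner;
+import com.tngtech.java.junit.dataprovider.UseDataProvider;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import static java.lang.String.format;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.is;
+
+/**
+* @author lanwen (Merkushev Kirill)
+*/
+@RunWith(DataProviderRunner.class)
+public class XSSApiTest {
+
+@DataProvider
+public static Object[][] links() {
+return new Object[][]{
+new Object[]{"javascript:alert(1);//", ""},
+new Object[]{"javascript:alert(1)://", ""},
+new Object[]{"http://abcxyz.com?a=b&c=d';alert(1);//", "http://abcxyz.com?a=b&c=d';alert(1);//"},
+new Object[]{"http://github.com/bla/bla", "http://github.com/bla/bla"},
+new Object[]{"https://github.com/bla/bla", "https://github.com/bla/bla"},
+new Object[]{"https://company.com/bla", "https://company.com/bla"},
+new Object[]{"/company.com/bla", ""},
+new Object[]{"//", ""},
+new Object[]{"//text", ""},
+new Object[]{"//text/", ""},
+new Object[]{"ftp://", "ftp:"},
+new Object[]{"ftp://a", "ftp://a"},
+new Object[]{"text", ""},
+new Object[]{"github.com/bla/bla", ""},
+new Object[]{"http://127.0.0.1/", "http://127.0.0.1/"},
+};
+}
+
+@Test
+@UseDataProvider("links")
+public void shouldSanitizeUrl(String url, String expected) throws Exception {
+assertThat(format("For %s", url), XSSApi.asValidHref(url), is(expected));
+}
+}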
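Review bot: The `ftp://` → `ftp:` and `ftp://a` rows in links() pin down that the filter passes any protocol the JVM knows, which is the weakest part of the sanitizer rather than a property worth protecting; if the production method is tightened to http/https those two expectations become `""`. The data set also has no row for the other handler-backed schemes a standard JDK accepts, so a regression there would go unnoticed — constructed examples such as `new Object[]{"file:///tmp/x", ""}` and `new Object[]{"jar:file:///tmp/x.jar!/", ""}` would document the intended policy either way. A `null` input row is missing too; `new URL((String) null)` appears to surface as MalformedURLException and hence `""`, but that is inferred and worth asserting explicitly. The `';alert(1);//` row deserves a comment stating that the value is expected to pass through unescaped because attribute escaping happens at render time, otherwise it reads like an accepted injection.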
