From 496cbfba3a6d749f5f56c089a466ed17a3f0fa18 Mon Sep 17 00:00:00 2001
From: pandaapo <35672972+pandaapo@users.noreply.github.com>
Date: Thu, 4 Aug 2022 10:17:44 +0800
Subject: [PATCH] Fix the code analysis error. (#479)
Co-authored-by: Haotian Zhang <928016560@qq.com>
---
CHANGELOG.md | 3 ++-
changes/changes-1.6.0.md | 2 +-
.../adapter/PolarisPropertySourceAutoRefresher.java | 2 +-
.../polaris-circuitbreaker-example-a/pom.xml | 5 +++++
.../circuitbreaker/example/ServiceAController.java | 10 +++++++++-
.../src/main/resources/ESAPI.properties | 8 ++++++++
.../gateway-callee-service/pom.xml | 5 +++++
.../example/callee/GatewayCalleeController.java | 9 ++++++++-
.../src/main/resources/ESAPI.properties | 8 ++++++++
.../gateway-callee-service2/pom.xml | 5 +++++
.../example/callee/GatewayCalleeController.java | 9 ++++++++-
.../src/main/resources/ESAPI.properties | 8 ++++++++
.../router-callee-service1/pom.xml | 5 +++++
.../router/example/RouterCalleeController.java | 11 ++++++++++-
.../src/main/resources/ESAPI.properties | 8 ++++++++
.../router-callee-service2/pom.xml | 5 +++++
.../router/example/RouterCalleeController.java | 11 ++++++++++-
.../src/main/resources/ESAPI.properties | 8 ++++++++
spring-cloud-tencent-examples/pom.xml | 10 ++++++++++
19 files changed, 124 insertions(+), 8 deletions(-)
create mode 100644 spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/src/main/resources/ESAPI.properties
create mode 100644 spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/src/main/resources/ESAPI.properties
create mode 100644 spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/src/main/resources/ESAPI.properties
create mode 100644 spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/src/main/resources/ESAPI.properties
create mode 100644 spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/src/main/resources/ESAPI.properties
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 932585e9..7fc4b8ca 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,4 +2,5 @@
---
- [Feature: support ribbon service-level rule customization](https://github.com/Tencent/spring-cloud-tencent/pull/478)
-- [Feature: delete implement ServiceInstance](https://github.com/Tencent/spring-cloud-tencent/pull/481)
\ No newline at end of file
+- [Fix the code analysis error.](https://github.com/Tencent/spring-cloud-tencent/pull/479)
+- [Feature: delete implement ServiceInstance](https://github.com/Tencent/spring-cloud-tencent/pull/481)
diff --git a/changes/changes-1.6.0.md b/changes/changes-1.6.0.md
index 81941578..24de5fce 100644
--- a/changes/changes-1.6.0.md
+++ b/changes/changes-1.6.0.md
@@ -39,4 +39,4 @@
- [docs:optimize example](https://github.com/Tencent/spring-cloud-tencent/pull/385)
- [Optimize starters auto-configuration. (main)](https://github.com/Tencent/spring-cloud-tencent/pull/391/files)
- [Feature: format code](https://github.com/Tencent/spring-cloud-tencent/pull/394)
-- [test: add PostInitPolarisSDKContextTest](https://github.com/Tencent/spring-cloud-tencent/pull/397)
+- [test: add PostInitPolarisSDKContextTest](https://github.com/Tencent/spring-cloud-tencent/pull/397)
\ No newline at end of file
diff --git a/spring-cloud-starter-tencent-polaris-config/src/main/java/com/tencent/cloud/polaris/config/adapter/PolarisPropertySourceAutoRefresher.java b/spring-cloud-starter-tencent-polaris-config/src/main/java/com/tencent/cloud/polaris/config/adapter/PolarisPropertySourceAutoRefresher.java
index 9aa00119..5e5e6a3f 100644
--- a/spring-cloud-starter-tencent-polaris-config/src/main/java/com/tencent/cloud/polaris/config/adapter/PolarisPropertySourceAutoRefresher.java
+++ b/spring-cloud-starter-tencent-polaris-config/src/main/java/com/tencent/cloud/polaris/config/adapter/PolarisPropertySourceAutoRefresher.java
@@ -120,7 +120,7 @@ public class PolarisPropertySourceAutoRefresher
LOGGER.info(
"[SCT Config] received polaris config change event and will refresh spring context."
- + "namespace = {}, group = {}, fileName = {}",
+ + " namespace = {}, group = {}, fileName = {}",
polarisPropertySource.getNamespace(),
polarisPropertySource.getGroup(),
polarisPropertySource.getFileName());
diff --git a/spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/pom.xml b/spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/pom.xml
index 5975aabc..282093f2 100644
--- a/spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/pom.xml
+++ b/spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/pom.xml
@@ -33,6 +33,11 @@
org.springframework.cloud
spring-cloud-starter-netflix-ribbon
+
+
+ org.owasp.esapi
+ esapi
+
diff --git a/spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/src/main/java/com/tencent/cloud/polaris/circuitbreaker/example/ServiceAController.java b/spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/src/main/java/com/tencent/cloud/polaris/circuitbreaker/example/ServiceAController.java
index 79ba2c0e..04570498 100644
--- a/spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/src/main/java/com/tencent/cloud/polaris/circuitbreaker/example/ServiceAController.java
+++ b/spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/src/main/java/com/tencent/cloud/polaris/circuitbreaker/example/ServiceAController.java
@@ -17,6 +17,8 @@
package com.tencent.cloud.polaris.circuitbreaker.example;
+import org.owasp.esapi.ESAPI;
+
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
@@ -62,6 +64,12 @@ public class ServiceAController {
ResponseEntity entity = restTemplate.getForEntity(
"http://polaris-circuitbreaker-example-b/example/service/b/info",
String.class);
- return entity.getBody();
+ String response = entity.getBody();
+ return cleanXSS(response);
+ }
+
+ private String cleanXSS(String str) {
+ str = ESAPI.encoder().encodeForHTML(str);
+ return str;
}
}
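Review bot: `cleanXSS` HTML-entity-encodes the body that `entity.getBody()` brought back from service B and then returns it as a plain String response, which is the wrong encoding context unless this endpoint actually renders HTML: every `&`, `<`, `"` or `'` in the upstream body is rewritten to an entity, so a caller that consumes the text as data receives mangled content, while the reflected-output finding is more precisely closed at the sink that renders HTML, or on this response by a non-HTML Content-Type together with `X-Content-Type-Options: nosniff`. The same pattern recurs in both GatewayCalleeController hunks and both RouterCalleeController hunks of this patch. If the encoding is kept, the method name overstates what it does (it encodes, it does not clean) and the null path deserves a line, since the reference encoder appears to pass null through unchanged: `/** HTML-entity-encodes {@code str}; a null body is returned as null. */`. The enclosing handler method begins before this hunk.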
diff --git a/spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/src/main/resources/ESAPI.properties b/spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/src/main/resources/ESAPI.properties
new file mode 100644
index 00000000..d83195ab
--- /dev/null
+++ b/spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/src/main/resources/ESAPI.properties
@@ -0,0 +1,8 @@
+ESAPI.printProperties=true
+
+ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
+
+# ESAPI Encoder
+Encoder.AllowMultipleEncoding=false
+Encoder.AllowMixedEncoding=false
+Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec
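Review bot: `ESAPI.printProperties=true` asks the ESAPI reference configuration to write its resolved settings to the log at initialisation, and because this file supplies only the Encoder keys, every other setting falls back to a library default — the reference implementation, as far as I recall, logs a warning per missing property — so each example service starts with a burst of ESAPI output. For a sample that only calls `encodeForHTML`, `ESAPI.printProperties=false` plus a one-line header `# Minimal ESAPI config: only the Encoder is used by this example` would make the intent clear. The same eight-line file is added unchanged to four other modules in this patch; one shared resource would keep the copies from drifting.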
diff --git a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/pom.xml b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/pom.xml
index cc37a455..17c54354 100644
--- a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/pom.xml
+++ b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/pom.xml
@@ -28,5 +28,10 @@
org.springframework.boot
spring-boot-starter-web
+
+
+ org.owasp.esapi
+ esapi
+
diff --git a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/src/main/java/com/tencent/cloud/polaris/gateway/example/callee/GatewayCalleeController.java b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/src/main/java/com/tencent/cloud/polaris/gateway/example/callee/GatewayCalleeController.java
index 580af7ca..79050dc4 100644
--- a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/src/main/java/com/tencent/cloud/polaris/gateway/example/callee/GatewayCalleeController.java
+++ b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/src/main/java/com/tencent/cloud/polaris/gateway/example/callee/GatewayCalleeController.java
@@ -21,6 +21,7 @@ import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import com.tencent.cloud.common.constant.MetadataConstant;
+import org.owasp.esapi.ESAPI;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -67,7 +68,13 @@ public class GatewayCalleeController {
@RequestHeader(MetadataConstant.HeaderName.CUSTOM_METADATA) String metadataStr)
throws UnsupportedEncodingException {
LOG.info(URLDecoder.decode(metadataStr, UTF_8));
- return URLDecoder.decode(metadataStr, UTF_8);
+ metadataStr = URLDecoder.decode(metadataStr, UTF_8);
+ return cleanXSS(metadataStr);
+ }
+
+ private String cleanXSS(String str) {
+ str = ESAPI.encoder().encodeForHTML(str);
+ return str;
}
}
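Review bot: The new line `metadataStr = URLDecoder.decode(metadataStr, UTF_8);` decodes the header a second time — the `LOG.info` line directly above has already decoded it — and overwrites the method parameter to do so; decode once into a local and reuse it: `String decoded = URLDecoder.decode(metadataStr, UTF_8); LOG.info(decoded); return cleanXSS(decoded);`. The double decode is pre-existing, but rewriting these lines was the moment to drop it. The hunk in gateway-callee-service2 is byte-identical and has the same shape. Note also that the logged value is the raw decoded header, so whatever a client places in the custom metadata header reaches the log verbatim — worth a comment on the handler if log hygiene is in scope for this example.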
diff --git a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/src/main/resources/ESAPI.properties b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/src/main/resources/ESAPI.properties
new file mode 100644
index 00000000..d83195ab
--- /dev/null
+++ b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/src/main/resources/ESAPI.properties
@@ -0,0 +1,8 @@
+ESAPI.printProperties=true
+
+ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
+
+# ESAPI Encoder
+Encoder.AllowMultipleEncoding=false
+Encoder.AllowMixedEncoding=false
+Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec
diff --git a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/pom.xml b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/pom.xml
index f96b25e1..41cc550a 100644
--- a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/pom.xml
+++ b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/pom.xml
@@ -27,5 +27,10 @@
org.springframework.boot
spring-boot-starter-web
+
+
+ org.owasp.esapi
+ esapi
+
diff --git a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/src/main/java/com/tencent/cloud/polaris/gateway/example/callee/GatewayCalleeController.java b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/src/main/java/com/tencent/cloud/polaris/gateway/example/callee/GatewayCalleeController.java
index 580af7ca..79050dc4 100644
--- a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/src/main/java/com/tencent/cloud/polaris/gateway/example/callee/GatewayCalleeController.java
+++ b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/src/main/java/com/tencent/cloud/polaris/gateway/example/callee/GatewayCalleeController.java
@@ -21,6 +21,7 @@ import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import com.tencent.cloud.common.constant.MetadataConstant;
+import org.owasp.esapi.ESAPI;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -67,7 +68,13 @@ public class GatewayCalleeController {
@RequestHeader(MetadataConstant.HeaderName.CUSTOM_METADATA) String metadataStr)
throws UnsupportedEncodingException {
LOG.info(URLDecoder.decode(metadataStr, UTF_8));
- return URLDecoder.decode(metadataStr, UTF_8);
+ metadataStr = URLDecoder.decode(metadataStr, UTF_8);
+ return cleanXSS(metadataStr);
+ }
+
+ private String cleanXSS(String str) {
+ str = ESAPI.encoder().encodeForHTML(str);
+ return str;
}
}
diff --git a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/src/main/resources/ESAPI.properties b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/src/main/resources/ESAPI.properties
new file mode 100644
index 00000000..d83195ab
--- /dev/null
+++ b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/src/main/resources/ESAPI.properties
@@ -0,0 +1,8 @@
+ESAPI.printProperties=true
+
+ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
+
+# ESAPI Encoder
+Encoder.AllowMultipleEncoding=false
+Encoder.AllowMixedEncoding=false
+Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec
diff --git a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/pom.xml b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/pom.xml
index 253d3739..bbf3bdb9 100644
--- a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/pom.xml
+++ b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/pom.xml
@@ -17,6 +17,11 @@
com.tencent.cloud
spring-cloud-starter-tencent-polaris-discovery
+
+
+ org.owasp.esapi
+ esapi
+
diff --git a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/src/main/java/com/tencent/cloud/polaris/router/example/RouterCalleeController.java b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/src/main/java/com/tencent/cloud/polaris/router/example/RouterCalleeController.java
index 925031a7..f42cd969 100644
--- a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/src/main/java/com/tencent/cloud/polaris/router/example/RouterCalleeController.java
+++ b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/src/main/java/com/tencent/cloud/polaris/router/example/RouterCalleeController.java
@@ -18,6 +18,7 @@
package com.tencent.cloud.polaris.router.example;
+import org.owasp.esapi.ESAPI;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -48,7 +49,15 @@ public class RouterCalleeController {
@PostMapping("/info")
public String info(String name, @RequestBody User user) {
LOG.info("Discovery Service Callee [{}] is called.", port);
- return String.format("Discovery Service Callee [%s] is called. user = %s", port, user);
+ return String.format("Discovery Service Callee [%s] is called. user = %s", port, cleanXSS(user));
+ }
+
+ private User cleanXSS(User user) {
+ User u = new User();
+ String name = ESAPI.encoder().encodeForHTML(user.getName());
+ u.setName(name);
+ u.setAge(user.getAge());
+ return u;
}
}
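Review bot: `cleanXSS(User)` rebuilds the object field by field (`name`, then `age`), so any field later added to `User` is silently dropped from the response, and the copy is then rendered through `User.toString()` inside `String.format`, which is outside this hunk — whether the encoded name actually reaches the output depends on that method. A comment making the coupling visible would help: `// Shallow copy of user with only name HTML-encoded; keep in sync with User's fields.` The router-callee-service2 hunk duplicates this method verbatim. If a request body omits `name`, `user.getName()` is null; the reference encoder appears to return null for null input, so there is no NPE, but the copy then carries a null name — fine if intended, and worth stating in the same comment.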
diff --git a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/src/main/resources/ESAPI.properties b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/src/main/resources/ESAPI.properties
new file mode 100644
index 00000000..d83195ab
--- /dev/null
+++ b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/src/main/resources/ESAPI.properties
@@ -0,0 +1,8 @@
+ESAPI.printProperties=true
+
+ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
+
+# ESAPI Encoder
+Encoder.AllowMultipleEncoding=false
+Encoder.AllowMixedEncoding=false
+Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec
diff --git a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/pom.xml b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/pom.xml
index 0dd00a78..2397f448 100644
--- a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/pom.xml
+++ b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/pom.xml
@@ -17,6 +17,11 @@
com.tencent.cloud
spring-cloud-starter-tencent-polaris-discovery
+
+
+ org.owasp.esapi
+ esapi
+
diff --git a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/src/main/java/com/tencent/cloud/polaris/router/example/RouterCalleeController.java b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/src/main/java/com/tencent/cloud/polaris/router/example/RouterCalleeController.java
index b3e365ab..6d6915b7 100644
--- a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/src/main/java/com/tencent/cloud/polaris/router/example/RouterCalleeController.java
+++ b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/src/main/java/com/tencent/cloud/polaris/router/example/RouterCalleeController.java
@@ -18,6 +18,7 @@
package com.tencent.cloud.polaris.router.example;
+import org.owasp.esapi.ESAPI;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -49,7 +50,15 @@ public class RouterCalleeController {
@PostMapping("/info")
public String info(@RequestParam("name") String name, @RequestBody User user) {
LOG.info("Discovery Service Callee [{}] is called.", port);
- return String.format("Discovery Service Callee [%s] is called. user = %s", port, user);
+ return String.format("Discovery Service Callee [%s] is called. user = %s", port, cleanXSS(user));
+ }
+
+ private User cleanXSS(User user) {
+ User u = new User();
+ String name = ESAPI.encoder().encodeForHTML(user.getName());
+ u.setName(name);
+ u.setAge(user.getAge());
+ return u;
}
}
diff --git a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/src/main/resources/ESAPI.properties b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/src/main/resources/ESAPI.properties
new file mode 100644
index 00000000..d83195ab
--- /dev/null
+++ b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/src/main/resources/ESAPI.properties
@@ -0,0 +1,8 @@
+ESAPI.printProperties=true
+
+ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
+
+# ESAPI Encoder
+Encoder.AllowMultipleEncoding=false
+Encoder.AllowMixedEncoding=false
+Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec
diff --git a/spring-cloud-tencent-examples/pom.xml b/spring-cloud-tencent-examples/pom.xml
index 3395e9b0..17752a14 100644
--- a/spring-cloud-tencent-examples/pom.xml
+++ b/spring-cloud-tencent-examples/pom.xml
@@ -31,4 +31,14 @@
true
+
+
+
+ org.owasp.esapi
+ esapi
+ 2.1.0.1
+
+
+
+
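Review bot: The managed ESAPI version `2.1.0.1` on the `<version>` line of the new `dependencyManagement` entry is, to my knowledge, several years older than this commit, and later 2.x releases carry security fixes of their own, so pinning an old release of a security library into every example module is worth reconsidering — take the current release and let a dependency-audit step in the build confirm it. ESAPI also brings a sizeable transitive dependency set into each module that declares it, which widens the supply-chain surface for code that only needs HTML entity encoding; if the encoding is kept, `HtmlUtils.htmlEscape` from spring-web, already on the classpath of these web examples, covers the same need without the extra tree. The XML element names are not visible in this rendering, so the shape of the entry is inferred from the diffstat.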