From 9ffdfd36a02eae7e42028bc5b098eecfaab042e2 Mon Sep 17 00:00:00 2001
From: pandaapo <35672972+pandaapo@users.noreply.github.com>
Date: Thu, 4 Aug 2022 10:17:44 +0800
Subject: [PATCH] Fix the code analysis error.
---
CHANGELOG.md | 2 +-
.../adapter/PolarisPropertySourceAutoRefresher.java | 2 +-
.../polaris-circuitbreaker-example-a/pom.xml | 5 +++++
.../circuitbreaker/example/ServiceAController.java | 12 ++++++++++++
.../src/main/resources/ESAPI.properties | 8 ++++++++
.../gateway-callee-service/pom.xml | 5 +++++
.../example/callee/GatewayCalleeController.java | 9 ++++++++-
.../src/main/resources/ESAPI.properties | 8 ++++++++
.../gateway-callee-service2/pom.xml | 5 +++++
.../example/callee/GatewayCalleeController.java | 9 ++++++++-
.../src/main/resources/ESAPI.properties | 8 ++++++++
.../router-callee-service1/pom.xml | 5 +++++
.../router/example/RouterCalleeController.java | 11 ++++++++++-
.../src/main/resources/ESAPI.properties | 8 ++++++++
.../router-callee-service2/pom.xml | 5 +++++
.../router/example/RouterCalleeController.java | 11 ++++++++++-
.../src/main/resources/ESAPI.properties | 8 ++++++++
spring-cloud-tencent-examples/pom.xml | 10 ++++++++++
18 files changed, 125 insertions(+), 6 deletions(-)
create mode 100644 spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/src/main/resources/ESAPI.properties
create mode 100644 spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/src/main/resources/ESAPI.properties
create mode 100644 spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/src/main/resources/ESAPI.properties
create mode 100644 spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/src/main/resources/ESAPI.properties
create mode 100644 spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/src/main/resources/ESAPI.properties
diff --git a/CHANGELOG.md b/CHANGELOG.md
index eceb54294..7bf658b64 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,4 +12,4 @@
- [docs:update configuration metadata.](https://github.com/Tencent/spring-cloud-tencent/pull/474)
- [Feature: delete implement ServiceInstance](https://github.com/Tencent/spring-cloud-tencent/pull/483)
- [test: add loadbalancer unit test](https://github.com/Tencent/spring-cloud-tencent/pull/485)
-- [Bugfix: update byte-buddy scope test to compile](https://github.com/Tencent/spring-cloud-tencent/pull/498)
\ No newline at end of file
+- [Bugfix: update byte-buddy scope test to compile](https://github.com/Tencent/spring-cloud-tencent/pull/498)
diff --git a/spring-cloud-starter-tencent-polaris-config/src/main/java/com/tencent/cloud/polaris/config/adapter/PolarisPropertySourceAutoRefresher.java b/spring-cloud-starter-tencent-polaris-config/src/main/java/com/tencent/cloud/polaris/config/adapter/PolarisPropertySourceAutoRefresher.java
index d4816612f..6eebdc043 100644
--- a/spring-cloud-starter-tencent-polaris-config/src/main/java/com/tencent/cloud/polaris/config/adapter/PolarisPropertySourceAutoRefresher.java
+++ b/spring-cloud-starter-tencent-polaris-config/src/main/java/com/tencent/cloud/polaris/config/adapter/PolarisPropertySourceAutoRefresher.java
@@ -93,7 +93,7 @@ public class PolarisPropertySourceAutoRefresher
public void onChange(ConfigKVFileChangeEvent configKVFileChangeEvent) {
LOGGER.info(
"[SCT Config] received polaris config change event and will refresh spring context."
- + "namespace = {}, group = {}, fileName = {}",
+ + " namespace = {}, group = {}, fileName = {}",
polarisPropertySource.getNamespace(), polarisPropertySource.getGroup(),
polarisPropertySource.getFileName());
diff --git a/spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/pom.xml b/spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/pom.xml
index 9833b5f88..352989fbd 100644
--- a/spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/pom.xml
+++ b/spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/pom.xml
@@ -38,6 +38,11 @@
org.springframework.cloud
spring-cloud-circuitbreaker-spring-retry
+
+
+ org.owasp.esapi
+ esapi
+
diff --git a/spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/src/main/java/com/tencent/cloud/polaris/circuitbreaker/example/ServiceAController.java b/spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/src/main/java/com/tencent/cloud/polaris/circuitbreaker/example/ServiceAController.java
index 73fc55bd3..68d8acf9e 100644
--- a/spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/src/main/java/com/tencent/cloud/polaris/circuitbreaker/example/ServiceAController.java
+++ b/spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/src/main/java/com/tencent/cloud/polaris/circuitbreaker/example/ServiceAController.java
@@ -17,6 +17,8 @@
package com.tencent.cloud.polaris.circuitbreaker.example;
+import org.owasp.esapi.ESAPI;
+
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
@@ -62,5 +64,15 @@ public class ServiceAController {
ResponseEntity entity = restTemplate
.getForEntity("http://polaris-circuitbreaker-example-b/example/service/b/info", String.class);
return entity.getBody();
+ ResponseEntity entity = restTemplate.getForEntity(
+ "http://polaris-circuitbreaker-example-b/example/service/b/info",
+ String.class);
+ String response = entity.getBody();
+ return cleanXSS(response);
+ }
+
+ private String cleanXSS(String str) {
+ str = ESAPI.encoder().encodeForHTML(str);
+ return str;
}
}
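Review bot: As rendered, the three lines at the top of this hunk (`ResponseEntity entity = restTemplate ... return entity.getBody();`) are kept as context rather than removed, and the diffstat reports no deletions for this file, so the new body declares `entity` a second time after an unconditional `return` — javac rejects that as an unreachable statement and a duplicate local. Those old three lines should be marked `-` so the method ends with the new `String response = entity.getBody(); return cleanXSS(response);`. Note also that `encodeForHTML` turns every character outside ESAPI's small immune set (`&`, `<`, `>`, quotes, `/`, non-ASCII, …) into an entity; if this endpoint answers `text/plain` (the mapping annotation sits above the hunk, so I cannot tell), the encoding alters the proxied body rather than protecting a browser. `cleanXSS` is output encoding, not sanitization, so a name like `encodeForHtml` would describe the contract honestly. The enclosing method starts above the hunk.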
diff --git a/spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/src/main/resources/ESAPI.properties b/spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/src/main/resources/ESAPI.properties
new file mode 100644
index 000000000..d83195ab8
--- /dev/null
+++ b/spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/src/main/resources/ESAPI.properties
@@ -0,0 +1,8 @@
+ESAPI.printProperties=true
+
+ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
+
+# ESAPI Encoder
+Encoder.AllowMultipleEncoding=false
+Encoder.AllowMixedEncoding=false
+Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec
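Review bot: `ESAPI.printProperties=true` makes ESAPI dump its entire effective configuration to the console the first time `ESAPI.encoder()` is used; acceptable for a demo, but this file is what people copy, so I would set it to `false` with `# true dumps the whole effective config at startup; keep false outside demos`. The three `Encoder.*` keys govern canonicalization (`canonicalize()`), which the new controller code never calls — `encodeForHTML` goes straight to the HTML codec — so as far as I can tell they have no effect here and deserve a comment saying so or removal. ESAPI will presumably also print a fallback warning for every other property it expects (logger, validator, …); a one-line comment that those warnings are expected would save readers from chasing them.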
diff --git a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/pom.xml b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/pom.xml
index 4cb4412c6..1f681bb38 100644
--- a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/pom.xml
+++ b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/pom.xml
@@ -23,5 +23,10 @@
org.springframework.boot
spring-boot-starter-web
+
+
+ org.owasp.esapi
+ esapi
+
\ No newline at end of file
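Review bot: This module already depends on `spring-boot-starter-web` (the block just above the addition), which brings `org.springframework.web.util.HtmlUtils`; `HtmlUtils.htmlEscape(value)` gives the HTML-entity encoding the controller needs without adding ESAPI and its transitive tree to the example. If ESAPI stays, the version is inherited from the examples parent and should be reviewed there. The file also still ends without a trailing newline (`\ No newline at end of file`), which this commit could fix while touching it.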
diff --git a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/src/main/java/com/tencent/cloud/polaris/gateway/example/callee/GatewayCalleeController.java b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/src/main/java/com/tencent/cloud/polaris/gateway/example/callee/GatewayCalleeController.java
index c603c3cea..53d9fdf71 100644
--- a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/src/main/java/com/tencent/cloud/polaris/gateway/example/callee/GatewayCalleeController.java
+++ b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/src/main/java/com/tencent/cloud/polaris/gateway/example/callee/GatewayCalleeController.java
@@ -21,6 +21,7 @@ import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import com.tencent.cloud.common.constant.MetadataConstant;
+import org.owasp.esapi.ESAPI;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -66,7 +67,13 @@ public class GatewayCalleeController {
public String echoHeader(@RequestHeader(MetadataConstant.HeaderName.CUSTOM_METADATA) String metadataStr)
throws UnsupportedEncodingException {
LOG.info(URLDecoder.decode(metadataStr, UTF_8));
- return URLDecoder.decode(metadataStr, UTF_8);
+ metadataStr = URLDecoder.decode(metadataStr, UTF_8);
+ return cleanXSS(metadataStr);
+ }
+
+ private String cleanXSS(String str) {
+ str = ESAPI.encoder().encodeForHTML(str);
+ return str;
}
}
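Review bot: The header is percent-decoded twice — once for the `LOG.info` on the line above and again in the new assignment — and the raw decoded value is what reaches the log, so a header carrying encoded CR/LF can still forge log lines; decode once, then log the encoded form, e.g. `metadataStr = URLDecoder.decode(metadataStr, UTF_8); String safe = cleanXSS(metadataStr); LOG.info(safe); return safe;` (ESAPI's HTML codec turns CR and LF into entities too). Separately, `cleanXSS` is HTML-entity output encoding rather than sanitization, so the endpoint no longer echoes the header verbatim; that only protects a consumer rendering the response as HTML, and the mapping's content type sits above the hunk. Renaming it `encodeForHtml` would make that contract clear. The method's annotation is outside the hunk.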
diff --git a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/src/main/resources/ESAPI.properties b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/src/main/resources/ESAPI.properties
new file mode 100644
index 000000000..d83195ab8
--- /dev/null
+++ b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/src/main/resources/ESAPI.properties
@@ -0,0 +1,8 @@
+ESAPI.printProperties=true
+
+ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
+
+# ESAPI Encoder
+Encoder.AllowMultipleEncoding=false
+Encoder.AllowMixedEncoding=false
+Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec
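Review bot: `ESAPI.printProperties=true` prints the whole effective ESAPI configuration to the console on first use of `ESAPI.encoder()`; since this file is a copy-paste template, set it to `false` or mark it `# dumps the effective config at startup; demo only`. The `Encoder.AllowMultipleEncoding`, `Encoder.AllowMixedEncoding` and `Encoder.DefaultCodecList` keys only affect `canonicalize()`, which the controller does not call — `encodeForHTML` uses the HTML codec directly — so they appear to be dead configuration here. ESAPI will presumably still warn about every property it expects and does not find; a short comment that these warnings are expected would help readers.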
diff --git a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/pom.xml b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/pom.xml
index 842363af9..5d8f34fdf 100644
--- a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/pom.xml
+++ b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/pom.xml
@@ -23,6 +23,11 @@
org.springframework.boot
spring-boot-starter-web
+
+
+ org.owasp.esapi
+ esapi
+
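Review bot: `spring-boot-starter-web` is already declared directly above the new block, and it ships `org.springframework.web.util.HtmlUtils`, whose `htmlEscape(value)` covers the single HTML-entity-encoding call the controller makes without pulling ESAPI and its transitive dependencies into the example. If the ESAPI dependency is kept, its version comes from the examples parent and should be checked there.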
diff --git a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/src/main/java/com/tencent/cloud/polaris/gateway/example/callee/GatewayCalleeController.java b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/src/main/java/com/tencent/cloud/polaris/gateway/example/callee/GatewayCalleeController.java
index c603c3cea..53d9fdf71 100644
--- a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/src/main/java/com/tencent/cloud/polaris/gateway/example/callee/GatewayCalleeController.java
+++ b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/src/main/java/com/tencent/cloud/polaris/gateway/example/callee/GatewayCalleeController.java
@@ -21,6 +21,7 @@ import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import com.tencent.cloud.common.constant.MetadataConstant;
+import org.owasp.esapi.ESAPI;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -66,7 +67,13 @@ public class GatewayCalleeController {
public String echoHeader(@RequestHeader(MetadataConstant.HeaderName.CUSTOM_METADATA) String metadataStr)
throws UnsupportedEncodingException {
LOG.info(URLDecoder.decode(metadataStr, UTF_8));
- return URLDecoder.decode(metadataStr, UTF_8);
+ metadataStr = URLDecoder.decode(metadataStr, UTF_8);
+ return cleanXSS(metadataStr);
+ }
+
+ private String cleanXSS(String str) {
+ str = ESAPI.encoder().encodeForHTML(str);
+ return str;
}
}
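Review bot: `URLDecoder.decode` now runs twice on the same header, and the unencoded result is still what the `LOG.info` on the line above writes, so encoded CR/LF in the header can still split log lines; decode once and log the encoded value: `metadataStr = URLDecoder.decode(metadataStr, UTF_8); String safe = cleanXSS(metadataStr); LOG.info(safe); return safe;`. Also, `cleanXSS` does HTML-entity output encoding, not sanitization, so the response is no longer a faithful echo of the header and is only a protection when the consumer renders it as HTML — the mapping's produced type is above the hunk, so I cannot confirm that. A name such as `encodeForHtml` would state what the helper actually does. The method's annotation lies outside the hunk.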
diff --git a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/src/main/resources/ESAPI.properties b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/src/main/resources/ESAPI.properties
new file mode 100644
index 000000000..d83195ab8
--- /dev/null
+++ b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/src/main/resources/ESAPI.properties
@@ -0,0 +1,8 @@
+ESAPI.printProperties=true
+
+ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
+
+# ESAPI Encoder
+Encoder.AllowMultipleEncoding=false
+Encoder.AllowMixedEncoding=false
+Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec
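Review bot: `ESAPI.printProperties=true` causes ESAPI to echo its entire effective configuration to the console the first time the encoder is created; for a template file that others will copy I would set it to `false` and add `# set true only when debugging ESAPI configuration`. The three `Encoder.*` settings configure canonicalization, which nothing in this commit calls (`encodeForHTML` bypasses it), so they look like dead configuration and should be either commented as such or removed. ESAPI presumably also reports fallback defaults for every other property it expects; a comment noting that those warnings are expected for this minimal file would help.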
diff --git a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/pom.xml b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/pom.xml
index 253d3739a..bbf3bdb93 100644
--- a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/pom.xml
+++ b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/pom.xml
@@ -17,6 +17,11 @@
com.tencent.cloud
spring-cloud-starter-tencent-polaris-discovery
+
+
+ org.owasp.esapi
+ esapi
+
diff --git a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/src/main/java/com/tencent/cloud/polaris/router/example/RouterCalleeController.java b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/src/main/java/com/tencent/cloud/polaris/router/example/RouterCalleeController.java
index 925031a7b..f42cd969d 100644
--- a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/src/main/java/com/tencent/cloud/polaris/router/example/RouterCalleeController.java
+++ b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/src/main/java/com/tencent/cloud/polaris/router/example/RouterCalleeController.java
@@ -18,6 +18,7 @@
package com.tencent.cloud.polaris.router.example;
+import org.owasp.esapi.ESAPI;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -48,7 +49,15 @@ public class RouterCalleeController {
@PostMapping("/info")
public String info(String name, @RequestBody User user) {
LOG.info("Discovery Service Callee [{}] is called.", port);
- return String.format("Discovery Service Callee [%s] is called. user = %s", port, user);
+ return String.format("Discovery Service Callee [%s] is called. user = %s", port, cleanXSS(user));
+ }
+
+ private User cleanXSS(User user) {
+ User u = new User();
+ String name = ESAPI.encoder().encodeForHTML(user.getName());
+ u.setName(name);
+ u.setAge(user.getAge());
+ return u;
}
}
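Review bot: `cleanXSS` rebuilds the `User` by copying only `name` and `age`, so any other field the class carries (its definition is not in the hunk) is silently dropped from the response, and the hand copy must be kept in sync with `User` from now on. Since the only consumer is the `%s` placeholder, encoding the rendered string once avoids both problems: `return String.format("Discovery Service Callee [%s] is called. user = %s", port, ESAPI.encoder().encodeForHTML(String.valueOf(user)));` — this also covers whatever `User.toString()` prints besides the name. As in the other controllers, `encodeForHTML` is output encoding that turns every character outside ESAPI's immune set into an entity; it only protects a consumer rendering the response as HTML, and the mapping's produced content type is not visible in the hunk. The `name` parameter on the signature is unused by the new code as well as the old.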
diff --git a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/src/main/resources/ESAPI.properties b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/src/main/resources/ESAPI.properties
new file mode 100644
index 000000000..d83195ab8
--- /dev/null
+++ b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/src/main/resources/ESAPI.properties
@@ -0,0 +1,8 @@
+ESAPI.printProperties=true
+
+ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
+
+# ESAPI Encoder
+Encoder.AllowMultipleEncoding=false
+Encoder.AllowMixedEncoding=false
+Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec
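Review bot: `ESAPI.printProperties=true` dumps the full effective ESAPI configuration to the console on first use; keep it `false` in a file people will copy, or document it with `# prints every effective ESAPI property at startup; demo only`. `Encoder.AllowMultipleEncoding`, `Encoder.AllowMixedEncoding` and `Encoder.DefaultCodecList` only steer `canonicalize()`, which the new `cleanXSS` helper never calls, so as far as I can tell they do nothing here and deserve a comment or removal. ESAPI will presumably still warn about each property it expects and cannot find; a one-line note that the warnings are expected would spare readers.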
diff --git a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/pom.xml b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/pom.xml
index 0dd00a788..2397f4481 100644
--- a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/pom.xml
+++ b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/pom.xml
@@ -17,6 +17,11 @@
com.tencent.cloud
spring-cloud-starter-tencent-polaris-discovery
+
+
+ org.owasp.esapi
+ esapi
+
diff --git a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/src/main/java/com/tencent/cloud/polaris/router/example/RouterCalleeController.java b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/src/main/java/com/tencent/cloud/polaris/router/example/RouterCalleeController.java
index b3e365ab8..6d6915b7f 100644
--- a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/src/main/java/com/tencent/cloud/polaris/router/example/RouterCalleeController.java
+++ b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/src/main/java/com/tencent/cloud/polaris/router/example/RouterCalleeController.java
@@ -18,6 +18,7 @@
package com.tencent.cloud.polaris.router.example;
+import org.owasp.esapi.ESAPI;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -49,7 +50,15 @@ public class RouterCalleeController {
@PostMapping("/info")
public String info(@RequestParam("name") String name, @RequestBody User user) {
LOG.info("Discovery Service Callee [{}] is called.", port);
- return String.format("Discovery Service Callee [%s] is called. user = %s", port, user);
+ return String.format("Discovery Service Callee [%s] is called. user = %s", port, cleanXSS(user));
+ }
+
+ private User cleanXSS(User user) {
+ User u = new User();
+ String name = ESAPI.encoder().encodeForHTML(user.getName());
+ u.setName(name);
+ u.setAge(user.getAge());
+ return u;
}
}
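Review bot: `cleanXSS` constructs a fresh `User` carrying only `name` and `age`, so any further field on `User` (defined outside this hunk) is dropped from the response, and the helper silently goes stale whenever the class changes. Encoding the formatted output once removes the copy entirely: `return String.format("Discovery Service Callee [%s] is called. user = %s", port, ESAPI.encoder().encodeForHTML(String.valueOf(user)));`, which also encodes whatever else `User.toString()` emits. Keep in mind that `encodeForHTML` rewrites every character outside ESAPI's immune set into an entity and is only a defence when the consumer renders the body as HTML; the mapping's produced content type is not shown in the hunk. The `@RequestParam("name")` argument remains unused by the new code.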
diff --git a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/src/main/resources/ESAPI.properties b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/src/main/resources/ESAPI.properties
new file mode 100644
index 000000000..d83195ab8
--- /dev/null
+++ b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/src/main/resources/ESAPI.properties
@@ -0,0 +1,8 @@
+ESAPI.printProperties=true
+
+ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
+
+# ESAPI Encoder
+Encoder.AllowMultipleEncoding=false
+Encoder.AllowMixedEncoding=false
+Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec
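Review bot: `ESAPI.printProperties=true` writes the whole effective ESAPI configuration to the console the first time `ESAPI.encoder()` runs; since this file is a template, set it to `false` or annotate it `# dumps effective config at startup; leave false outside demos`. The three `Encoder.*` keys affect only `canonicalize()`, which the controller does not call (`encodeForHTML` uses the HTML codec directly), so they appear to be dead configuration and should say so or go. ESAPI presumably also prints fallback warnings for every other property this minimal file omits; a comment that those are expected would help the next reader.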
diff --git a/spring-cloud-tencent-examples/pom.xml b/spring-cloud-tencent-examples/pom.xml
index a4c6c9bda..40f7b2ed6 100644
--- a/spring-cloud-tencent-examples/pom.xml
+++ b/spring-cloud-tencent-examples/pom.xml
@@ -30,4 +30,14 @@
true
+
+
+
+ org.owasp.esapi
+ esapi
+ 2.1.0.1
+
+
+
+
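Review bot: `esapi` is pinned here to 2.1.0.1, a release several years old at the time of this commit; newer 2.x releases with security fixes were already available, and ESAPI historically drags a sizeable transitive tree (log4j 1.x, AntiSamy, several commons-* libraries) into every module that declares it — worth confirming against the project's advisories and `mvn dependency:tree` before adopting it across the examples. For the single operation the examples use, HTML entity encoding of a string, `org.springframework.web.util.HtmlUtils.htmlEscape` comes with `spring-web`, which the web examples already have, so no new dependency is strictly needed. This appears to be the parent's dependency management (the child poms omit the version), and the enclosing block starts above the hunk.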