2021.0:Fix the code analysis error. (#500)

* Fix the code analysis error.

* Upgrade owasp esapi's configuration

* Add information of this PR to CHANGELOG.md
pull/512/head
pandaapo 2 years ago committed by GitHub
parent 1af75606b4
commit fe2da06f92
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -13,3 +13,4 @@
- [Feature: delete implement ServiceInstance](https://github.com/Tencent/spring-cloud-tencent/pull/483) - [Feature: delete implement ServiceInstance](https://github.com/Tencent/spring-cloud-tencent/pull/483)
- [test: add loadbalancer unit test](https://github.com/Tencent/spring-cloud-tencent/pull/485) - [test: add loadbalancer unit test](https://github.com/Tencent/spring-cloud-tencent/pull/485)
- [Bugfix: update byte-buddy scope test to compile](https://github.com/Tencent/spring-cloud-tencent/pull/498) - [Bugfix: update byte-buddy scope test to compile](https://github.com/Tencent/spring-cloud-tencent/pull/498)
- [Fix the code analysis error.](https://github.com/Tencent/spring-cloud-tencent/pull/500)

@ -38,6 +38,11 @@
<groupId>org.springframework.cloud</groupId> <groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-circuitbreaker-spring-retry</artifactId> <artifactId>spring-cloud-circuitbreaker-spring-retry</artifactId>
</dependency> </dependency>
<dependency>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
</dependency>
</dependencies> </dependencies>
<build> <build>

@ -17,6 +17,8 @@
package com.tencent.cloud.polaris.circuitbreaker.example; package com.tencent.cloud.polaris.circuitbreaker.example;
import org.owasp.esapi.ESAPI;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.ResponseEntity; import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.GetMapping;
@ -59,8 +61,15 @@ public class ServiceAController {
*/ */
@GetMapping("/testRest") @GetMapping("/testRest")
public String testRest() { public String testRest() {
ResponseEntity<String> entity = restTemplate ResponseEntity<String> entity = restTemplate.getForEntity(
.getForEntity("http://polaris-circuitbreaker-example-b/example/service/b/info", String.class); "http://polaris-circuitbreaker-example-b/example/service/b/info",
return entity.getBody(); String.class);
String response = entity.getBody();
return cleanXSS(response);
}
private String cleanXSS(String str) {
str = ESAPI.encoder().encodeForHTML(str);
return str;
} }
} }

@ -0,0 +1,14 @@
ESAPI.printProperties=true
ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory
Encoder.AllowMultipleEncoding=false
Encoder.AllowMixedEncoding=false
Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec
Logger.LogEncodingRequired=false
Logger.UserInfo=false
Logger.ClientInfo=false
Logger.ApplicationName=ExampleApplication
Logger.LogApplicationName=false
Logger.LogServerIP=false

@ -23,5 +23,10 @@
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId> <artifactId>spring-boot-starter-web</artifactId>
</dependency> </dependency>
<dependency>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
</dependency>
</dependencies> </dependencies>
</project> </project>

@ -21,6 +21,7 @@ import java.io.UnsupportedEncodingException;
import java.net.URLDecoder; import java.net.URLDecoder;
import com.tencent.cloud.common.constant.MetadataConstant; import com.tencent.cloud.common.constant.MetadataConstant;
import org.owasp.esapi.ESAPI;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@ -66,7 +67,13 @@ public class GatewayCalleeController {
public String echoHeader(@RequestHeader(MetadataConstant.HeaderName.CUSTOM_METADATA) String metadataStr) public String echoHeader(@RequestHeader(MetadataConstant.HeaderName.CUSTOM_METADATA) String metadataStr)
throws UnsupportedEncodingException { throws UnsupportedEncodingException {
LOG.info(URLDecoder.decode(metadataStr, UTF_8)); LOG.info(URLDecoder.decode(metadataStr, UTF_8));
return URLDecoder.decode(metadataStr, UTF_8); metadataStr = URLDecoder.decode(metadataStr, UTF_8);
return cleanXSS(metadataStr);
}
private String cleanXSS(String str) {
str = ESAPI.encoder().encodeForHTML(str);
return str;
} }
} }

@ -0,0 +1,14 @@
ESAPI.printProperties=true
ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory
Encoder.AllowMultipleEncoding=false
Encoder.AllowMixedEncoding=false
Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec
Logger.LogEncodingRequired=false
Logger.UserInfo=false
Logger.ClientInfo=false
Logger.ApplicationName=ExampleApplication
Logger.LogApplicationName=false
Logger.LogServerIP=false

@ -23,6 +23,11 @@
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId> <artifactId>spring-boot-starter-web</artifactId>
</dependency> </dependency>
<dependency>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
</dependency>
</dependencies> </dependencies>
</project> </project>

@ -21,6 +21,7 @@ import java.io.UnsupportedEncodingException;
import java.net.URLDecoder; import java.net.URLDecoder;
import com.tencent.cloud.common.constant.MetadataConstant; import com.tencent.cloud.common.constant.MetadataConstant;
import org.owasp.esapi.ESAPI;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@ -66,7 +67,13 @@ public class GatewayCalleeController {
public String echoHeader(@RequestHeader(MetadataConstant.HeaderName.CUSTOM_METADATA) String metadataStr) public String echoHeader(@RequestHeader(MetadataConstant.HeaderName.CUSTOM_METADATA) String metadataStr)
throws UnsupportedEncodingException { throws UnsupportedEncodingException {
LOG.info(URLDecoder.decode(metadataStr, UTF_8)); LOG.info(URLDecoder.decode(metadataStr, UTF_8));
return URLDecoder.decode(metadataStr, UTF_8); metadataStr = URLDecoder.decode(metadataStr, UTF_8);
return cleanXSS(metadataStr);
}
private String cleanXSS(String str) {
str = ESAPI.encoder().encodeForHTML(str);
return str;
} }
} }

@ -0,0 +1,14 @@
ESAPI.printProperties=true
ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory
Encoder.AllowMultipleEncoding=false
Encoder.AllowMixedEncoding=false
Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec
Logger.LogEncodingRequired=false
Logger.UserInfo=false
Logger.ClientInfo=false
Logger.ApplicationName=ExampleApplication
Logger.LogApplicationName=false
Logger.LogServerIP=false

@ -17,6 +17,11 @@
<groupId>com.tencent.cloud</groupId> <groupId>com.tencent.cloud</groupId>
<artifactId>spring-cloud-starter-tencent-polaris-discovery</artifactId> <artifactId>spring-cloud-starter-tencent-polaris-discovery</artifactId>
</dependency> </dependency>
<dependency>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
</dependency>
</dependencies> </dependencies>
<build> <build>

@ -18,6 +18,7 @@
package com.tencent.cloud.polaris.router.example; package com.tencent.cloud.polaris.router.example;
import org.owasp.esapi.ESAPI;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@ -48,7 +49,15 @@ public class RouterCalleeController {
@PostMapping("/info") @PostMapping("/info")
public String info(String name, @RequestBody User user) { public String info(String name, @RequestBody User user) {
LOG.info("Discovery Service Callee [{}] is called.", port); LOG.info("Discovery Service Callee [{}] is called.", port);
return String.format("Discovery Service Callee [%s] is called. user = %s", port, user); return String.format("Discovery Service Callee [%s] is called. user = %s", port, cleanXSS(user));
}
private User cleanXSS(User user) {
User u = new User();
String name = ESAPI.encoder().encodeForHTML(user.getName());
u.setName(name);
u.setAge(user.getAge());
return u;
} }
} }

@ -0,0 +1,14 @@
ESAPI.printProperties=true
ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory
Encoder.AllowMultipleEncoding=false
Encoder.AllowMixedEncoding=false
Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec
Logger.LogEncodingRequired=false
Logger.UserInfo=false
Logger.ClientInfo=false
Logger.ApplicationName=ExampleApplication
Logger.LogApplicationName=false
Logger.LogServerIP=false

@ -17,6 +17,11 @@
<groupId>com.tencent.cloud</groupId> <groupId>com.tencent.cloud</groupId>
<artifactId>spring-cloud-starter-tencent-polaris-discovery</artifactId> <artifactId>spring-cloud-starter-tencent-polaris-discovery</artifactId>
</dependency> </dependency>
<dependency>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
</dependency>
</dependencies> </dependencies>
<build> <build>

@ -18,6 +18,7 @@
package com.tencent.cloud.polaris.router.example; package com.tencent.cloud.polaris.router.example;
import org.owasp.esapi.ESAPI;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@ -49,7 +50,15 @@ public class RouterCalleeController {
@PostMapping("/info") @PostMapping("/info")
public String info(@RequestParam("name") String name, @RequestBody User user) { public String info(@RequestParam("name") String name, @RequestBody User user) {
LOG.info("Discovery Service Callee [{}] is called.", port); LOG.info("Discovery Service Callee [{}] is called.", port);
return String.format("Discovery Service Callee [%s] is called. user = %s", port, user); return String.format("Discovery Service Callee [%s] is called. user = %s", port, cleanXSS(user));
}
private User cleanXSS(User user) {
User u = new User();
String name = ESAPI.encoder().encodeForHTML(user.getName());
u.setName(name);
u.setAge(user.getAge());
return u;
} }
} }

@ -0,0 +1,14 @@
ESAPI.printProperties=true
ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory
Encoder.AllowMultipleEncoding=false
Encoder.AllowMixedEncoding=false
Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec
Logger.LogEncodingRequired=false
Logger.UserInfo=false
Logger.ClientInfo=false
Logger.ApplicationName=ExampleApplication
Logger.LogApplicationName=false
Logger.LogServerIP=false

@ -30,4 +30,14 @@
<maven.deploy.skip>true</maven.deploy.skip> <maven.deploy.skip>true</maven.deploy.skip>
</properties> </properties>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
<version>2.1.0.1</version>
</dependency>
</dependencies>
</dependencyManagement>
</project> </project>

Loading…
Cancel
Save