Repository: cxf-fediz
Updated Branches:
  refs/heads/1.3.x-fixes 9958f08ff -> 6ed0eb02a


Adding ESAPI protection to OIDC


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/6ed0eb02
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/6ed0eb02
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/6ed0eb02

Branch: refs/heads/1.3.x-fixes
Commit: 6ed0eb02a6b2c5ae31850a99a2d3191a14074f51
Parents: 9958f08
Author: Colm O hEigeartaigh <[email protected]>
Authored: Thu Nov 24 12:12:10 2016 +0000
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Thu Nov 24 12:12:44 2016 +0000

----------------------------------------------------------------------
 pom.xml                                                         | 1 +
 services/oidc/pom.xml                                           | 5 +++++
 services/oidc/src/main/resources/ESAPI.properties               | 1 +
 services/oidc/src/main/webapp/WEB-INF/views/client.jsp          | 3 ++-
 .../oidc/src/main/webapp/WEB-INF/views/clientCodeGrants.jsp     | 3 ++-
 services/oidc/src/main/webapp/WEB-INF/views/clientTokens.jsp    | 3 ++-
 .../src/main/webapp/WEB-INF/views/oAuthAuthorizationData.jsp    | 3 ++-
 .../oidc/src/main/webapp/WEB-INF/views/registeredClients.jsp    | 4 +++-
 8 files changed, 18 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/6ed0eb02/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index a82ae12..8a2ed6d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -49,6 +49,7 @@
         <easymock.version>3.4</easymock.version>
         <ecj.version>4.6.1</ecj.version>
         <ehcache.version>2.10.3</ehcache.version>
+        <esapi.version>2.1.0.1</esapi.version>
         <httpclient.version>4.3.5</httpclient.version>
         <hsqldb.version>2.3.4</hsqldb.version>
         <htmlunit.version>2.23</htmlunit.version>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/6ed0eb02/services/oidc/pom.xml
----------------------------------------------------------------------
diff --git a/services/oidc/pom.xml b/services/oidc/pom.xml
index aede1dd..fc00d01 100644
--- a/services/oidc/pom.xml
+++ b/services/oidc/pom.xml
@@ -77,6 +77,11 @@
             <artifactId>commons-validator</artifactId>
             <version>${commons.validator.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.owasp.esapi</groupId>
+            <artifactId>esapi</artifactId>
+            <version>${esapi.version}</version>
+        </dependency>
         <!--
         <dependency>
             <groupId>org.apache.geronimo.specs</groupId>
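Review bot: The new `org.owasp.esapi:esapi` dependency is added unscoped and without exclusions for what this commit uses as a single HTML encoder, and ESAPI 2.1.x carries, as far as I recall, a sizeable transitive tree (a log4j 1.x, commons-fileupload and others) that will now ship inside the OIDC war and widen its attack surface. Worth running `mvn dependency:tree` on `services/oidc` and adding `<exclusions>` for anything the JSP encoding path does not need. If the servlet container already provides JSTL, `fn:escapeXml`/`<c:out>` would give the same output encoding with no new artifact; if ESAPI stays, pinning it through the parent `esapi.version` property is the right shape.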

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/6ed0eb02/services/oidc/src/main/resources/ESAPI.properties
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/resources/ESAPI.properties 
b/services/oidc/src/main/resources/ESAPI.properties
new file mode 100644
index 0000000..077737c
--- /dev/null
+++ b/services/oidc/src/main/resources/ESAPI.properties
@@ -0,0 +1 @@
+ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
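Review bot: The file sets only `ESAPI.Encoder`, so every other key (canonicalization codec list, logger, validation file) falls back to library defaults, and as I recall `DefaultSecurityConfiguration` in 2.1 logs a warning per missing key at first use — expect noisy startup logs, and confirm it is picked up from the classpath root rather than the `esapi/` folder ESAPI also searches. Note too that ESAPI consults the `org.owasp.esapi.resources` system property and `~/.esapi` before the classpath, so a stray file on the host can silently override this one. A header comment would make the intent explicit: `# Minimal ESAPI config: only Encoder.encodeForHTML is used by the OIDC JSPs; all other keys use ESAPI defaults.`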

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/6ed0eb02/services/oidc/src/main/webapp/WEB-INF/views/client.jsp
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/webapp/WEB-INF/views/client.jsp 
b/services/oidc/src/main/webapp/WEB-INF/views/client.jsp
index 58438a9..6bdd74d 100644
--- a/services/oidc/src/main/webapp/WEB-INF/views/client.jsp
+++ b/services/oidc/src/main/webapp/WEB-INF/views/client.jsp
@@ -4,6 +4,7 @@
 <%@ page import="java.util.Locale"%>
 <%@ page import="java.util.TimeZone"%>
 <%@ page import="javax.servlet.http.HttpServletRequest" %>
+<%@ page import="org.owasp.esapi.ESAPI" %>
 
 <%
        Client client = (Client)request.getAttribute("data");
@@ -72,7 +73,7 @@
 </head>
 <body>
 <div class="padded">
-<h1><%= client.getApplicationName() %></h1>
+<h1><%= ESAPI.encoder().encodeForHTML(client.getApplicationName()) %></h1>
 <br/>
 <table border="1" id=client>
     <%
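Review bot: `encodeForHTML` is the correct context for text inside `<h1>`, but the application name is only one client-supplied field this page renders — the `<table id=client>` that follows (its body is outside the hunk) presumably prints the rest of the registration, and any free-text value there needs the same call, with `encodeForHTMLAttribute` instead wherever a value lands inside an attribute. ESAPI's encoder returns null for a null input, so a registration without a name still prints the literal `null` exactly as before; if that matters, `ESAPI.encoder().encodeForHTML(Objects.toString(client.getApplicationName(), ""))` avoids it.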

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/6ed0eb02/services/oidc/src/main/webapp/WEB-INF/views/clientCodeGrants.jsp
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/webapp/WEB-INF/views/clientCodeGrants.jsp 
b/services/oidc/src/main/webapp/WEB-INF/views/clientCodeGrants.jsp
index a303bd4..4b170e6 100644
--- a/services/oidc/src/main/webapp/WEB-INF/views/clientCodeGrants.jsp
+++ b/services/oidc/src/main/webapp/WEB-INF/views/clientCodeGrants.jsp
@@ -7,6 +7,7 @@
 <%@ page import="java.util.TimeZone"%>
 <%@ page import="javax.servlet.http.HttpServletRequest" %>
 <%@ page import="org.apache.cxf.fediz.service.oidc.clients.ClientCodeGrants" %>
+<%@ page import="org.owasp.esapi.ESAPI" %>
 
 <%
        ClientCodeGrants tokens = 
(ClientCodeGrants)request.getAttribute("data");
@@ -41,7 +42,7 @@
 </head>
 <body>
 <div class="padded">
-<h1>Code Grants issued to <%= client.getApplicationName() + " (" + 
client.getClientId() + ")"%></h1>
+<h1>Code Grants issued to <%= 
ESAPI.encoder().encodeForHTML(client.getApplicationName()) + " (" + 
client.getClientId() + ")"%></h1>
 <br/>
 <table border="1">
     <tr><th>ID</th><th>Issue Date</th><th>Expiry Date</th><th>Action</th></tr> 
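Review bot: In the rewritten `<h1>` only the application name is encoded while `client.getClientId()` is still concatenated raw into the same element. If client ids are always server-generated random strings (I believe the registration service does that, but it is not visible here) this is harmless today; encoding every dynamic value uniformly removes the reliance on that assumption: `ESAPI.encoder().encodeForHTML(client.getApplicationName()) + " (" + ESAPI.encoder().encodeForHTML(client.getClientId()) + ")"`. The `client` variable is declared above the hunk.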

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/6ed0eb02/services/oidc/src/main/webapp/WEB-INF/views/clientTokens.jsp
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/webapp/WEB-INF/views/clientTokens.jsp 
b/services/oidc/src/main/webapp/WEB-INF/views/clientTokens.jsp
index 4ccd6de..54ea6a9 100644
--- a/services/oidc/src/main/webapp/WEB-INF/views/clientTokens.jsp
+++ b/services/oidc/src/main/webapp/WEB-INF/views/clientTokens.jsp
@@ -8,6 +8,7 @@
 <%@ page import="java.util.TimeZone"%>
 <%@ page import="javax.servlet.http.HttpServletRequest" %>
 <%@ page import="org.apache.cxf.fediz.service.oidc.clients.ClientTokens" %>
+<%@ page import="org.owasp.esapi.ESAPI" %>
 
 <%
        ClientTokens tokens = (ClientTokens)request.getAttribute("data");
@@ -44,7 +45,7 @@
        </STYLE>
 </head>
 <body>
-<h1>Tokens issued to <%= client.getApplicationName() + " (" + 
client.getClientId() + ")"%></h1>
+<h1>Tokens issued to <%= 
ESAPI.encoder().encodeForHTML(client.getApplicationName()) + " (" + 
client.getClientId() + ")"%></h1>
 <br/>
 <div class="padded">
 <h2>Access Tokens</h2>
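Review bot: Same pattern as clientCodeGrants.jsp — the application name is encoded but `client.getClientId()` in the same `<h1>` is not, and the token tables that follow (outside the hunk) will print further per-token values that should be checked for the same treatment. Suggest `ESAPI.encoder().encodeForHTML(client.getApplicationName()) + " (" + ESAPI.encoder().encodeForHTML(client.getClientId()) + ")"` so the rule "every `<%= %>` is encoded" holds without having to reason about which values are server-generated. The `client` variable is declared above the hunk.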

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/6ed0eb02/services/oidc/src/main/webapp/WEB-INF/views/oAuthAuthorizationData.jsp
----------------------------------------------------------------------
diff --git 
a/services/oidc/src/main/webapp/WEB-INF/views/oAuthAuthorizationData.jsp 
b/services/oidc/src/main/webapp/WEB-INF/views/oAuthAuthorizationData.jsp
index 1a71624..a4420c6 100644
--- a/services/oidc/src/main/webapp/WEB-INF/views/oAuthAuthorizationData.jsp
+++ b/services/oidc/src/main/webapp/WEB-INF/views/oAuthAuthorizationData.jsp
@@ -2,6 +2,7 @@
 <%@ page import="java.util.List" %>
 <%@ page 
import="org.apache.cxf.rs.security.oauth2.common.OAuthAuthorizationData" %>
 <%@ page import="org.apache.cxf.rs.security.oauth2.common.OAuthPermission" %>
+<%@ page import="org.owasp.esapi.ESAPI" %>
 
 
 <%
@@ -76,7 +77,7 @@
                             }
                         %>
 
-                        <h2>Would you like to grant <%= 
data.getApplicationName() %><br />the following permissions:</h2>
+                        <h2>Would you like to grant <%= 
ESAPI.encoder().encodeForHTML(client.getApplicationName()) %><br />the 
following permissions:</h2>
 
                         <table> 
                             <%
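Review bot: The new line reads `client.getApplicationName()` where the removed line read `data.getApplicationName()`, and the only attribute this JSP visibly unpacks is the `OAuthAuthorizationData` in `data` — unless a `client` variable is declared in the scriptlet above (outside the hunk), this fails at JSP translation time, which the container only performs on first request, so the build stays green and the consent page breaks at runtime. The line should be `ESAPI.encoder().encodeForHTML(data.getApplicationName())`. Since this is the authorization/consent view, the one page an attacker can most easily drive a victim to, a JSP precompile step in the build or an integration test that renders it would catch this class of slip.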

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/6ed0eb02/services/oidc/src/main/webapp/WEB-INF/views/registeredClients.jsp
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/webapp/WEB-INF/views/registeredClients.jsp 
b/services/oidc/src/main/webapp/WEB-INF/views/registeredClients.jsp
index 5fca5f7..009cccf 100644
--- a/services/oidc/src/main/webapp/WEB-INF/views/registeredClients.jsp
+++ b/services/oidc/src/main/webapp/WEB-INF/views/registeredClients.jsp
@@ -6,6 +6,7 @@
 <%@ page import="java.util.TimeZone"%>
 <%@ page import="javax.servlet.http.HttpServletRequest" %>
 <%@ page import="org.apache.cxf.fediz.service.oidc.clients.RegisteredClients" 
%>
+<%@ page import="org.owasp.esapi.ESAPI" %>
 
 <%
        Collection<Client> regs = 
((RegisteredClients)request.getAttribute("data")).getClients();
@@ -50,7 +51,8 @@
        for (Client client : regs) {
     %>
        <tr>
-           <td><a href="<%= basePath + "console/clients/" + 
client.getClientId() %>"><%= client.getApplicationName() %></a></td>
+           <td><a href="<%= basePath + "console/clients/" + 
client.getClientId() %>"><%= 
+               ESAPI.encoder().encodeForHTML(client.getApplicationName()) 
%></a></td>
            <td>
               <%= client.getClientId() %>
            </td>
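Review bot: Only the link text got `encodeForHTML`; the `href` is still built from `basePath + "console/clients/" + client.getClientId()` unencoded, and the `<%= client.getClientId() %>` cell two lines later is raw too. An attribute value is a different context from element text, so if client ids can ever carry user input this leaves the attribute open to breakout; use `ESAPI.encoder().encodeForHTMLAttribute(client.getClientId())` inside the `href` and `ESAPI.encoder().encodeForHTML(client.getClientId())` for the cell (note `encodeForURL` declares a checked `EncodingException`, which a bare `<%= %>` cannot propagate). If ids are always server-generated, a short JSP comment stating that is the reason they are left unencoded would document the exemption for the next reader.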
