Author: radu Date: Fri Oct 7 10:36:32 2016 New Revision: 1763732 URL: http://svn.apache.org/viewvc?rev=1763732&view=rev Log: SLING-6094 - HTL can generate invalid Java code by using user-supplied input
* added tests Added: sling/trunk/bundles/scripting/sightly/java-compiler/src/test/resources/SLING-6094.1.html sling/trunk/bundles/scripting/sightly/java-compiler/src/test/resources/SLING-6094.1.output.html sling/trunk/bundles/scripting/sightly/java-compiler/src/test/resources/SLING-6094.2.html sling/trunk/bundles/scripting/sightly/java-compiler/src/test/resources/SLING-6094.2.output.html Modified: sling/trunk/bundles/scripting/sightly/java-compiler/src/test/java/org/apache/sling/scripting/sightly/compiler/java/JavaClassBackendCompilerTest.java
Modified: sling/trunk/bundles/scripting/sightly/java-compiler/src/test/java/org/apache/sling/scripting/sightly/compiler/java/JavaClassBackendCompilerTest.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/scripting/sightly/java-compiler/src/test/java/org/apache/sling/scripting/sightly/compiler/java/JavaClassBackendCompilerTest.java?rev=1763732&r1=1763731&r2=1763732&view=diff
==============================================================================
--- sling/trunk/bundles/scripting/sightly/java-compiler/src/test/java/org/apache/sling/scripting/sightly/compiler/java/JavaClassBackendCompilerTest.java (original)
+++ sling/trunk/bundles/scripting/sightly/java-compiler/src/test/java/org/apache/sling/scripting/sightly/compiler/java/JavaClassBackendCompilerTest.java Fri Oct 7 10:36:32 2016
@@ -18,6 +18,7 @@ package org.apache.sling.scripting.sight
 import java.io.PrintWriter;
 import java.io.StringWriter;
+import java.util.HashMap;
 import javax.script.Bindings;
 import javax.script.SimpleBindings;
@@ -32,6 +33,7 @@ import org.apache.sling.scripting.sightl
 import org.apache.sling.scripting.sightly.java.compiler.RenderUnit;
 import org.apache.sling.scripting.sightly.render.AbstractRuntimeObjectModel;
 import org.apache.sling.scripting.sightly.render.RenderContext;
+import org.apache.sling.scripting.sightly.render.RuntimeObjectModel;
 import org.junit.Test;
 import static junit.framework.TestCase.assertEquals;
@@ -44,50 +46,98 @@ public class JavaClassBackendCompilerTes
 JavaClassBackendCompiler backendCompiler = new JavaClassBackendCompiler();
 SightlyCompiler sightlyCompiler = new SightlyCompiler();
 sightlyCompiler.compile(compilationUnit, backendCompiler);
- ClassInfo classInfo = new ClassInfo() {
+ ClassInfo classInfo = buildClassInfo("testScript");
+ String source = backendCompiler.build(classInfo);
+ StringWriter writer = new StringWriter();
+ Bindings bindings = new SimpleBindings();
+ RenderContext renderContext = buildRenderContext(bindings);
+ render(writer, classInfo, source, renderContext, new SimpleBindings());
+ String expectedOutput = IOUtils.toString(this.getClass().getResourceAsStream("/test-output.html"), "UTF-8");
+ assertEquals(expectedOutput, writer.toString());
+ }
+
+ @Test
+ public void sling_6094_1() throws Exception {
+ CompilationUnit compilationUnit = TestUtils.readScriptFromClasspath("/SLING-6094.1.html");
+ JavaClassBackendCompiler backendCompiler = new JavaClassBackendCompiler();
+ SightlyCompiler sightlyCompiler = new SightlyCompiler();
+ sightlyCompiler.compile(compilationUnit, backendCompiler);
+ ClassInfo classInfo = buildClassInfo("sling_6094_1");
+ String source = backendCompiler.build(classInfo);
+ StringWriter writer = new StringWriter();
+ Bindings bindings = new SimpleBindings();
+ bindings.put("img", new HashMap<String, Object>(){{
+ put("attributes", new HashMap<String, String>() {{
+ put("v-bind:src", "replaced");
+ }});
+ }});
+ RenderContext renderContext = buildRenderContext(bindings);
+ render(writer, classInfo, source, renderContext, new SimpleBindings());
+ String expectedOutput = IOUtils.toString(this.getClass().getResourceAsStream("/SLING-6094.1.output.html"), "UTF-8");
+ assertEquals(expectedOutput, writer.toString());
+ }
+
+ @Test
+ public void sling_6094_2() throws Exception {
+ CompilationUnit compilationUnit = TestUtils.readScriptFromClasspath("/SLING-6094.2.html");
+ JavaClassBackendCompiler backendCompiler = new 
JavaClassBackendCompiler(); + SightlyCompiler sightlyCompiler = new SightlyCompiler(); + sightlyCompiler.compile(compilationUnit, backendCompiler); + ClassInfo classInfo = buildClassInfo("sling_6094_2"); + String source = backendCompiler.build(classInfo); + StringWriter writer = new StringWriter(); + Bindings bindings = new SimpleBindings(); + RenderContext renderContext = buildRenderContext(bindings); + render(writer, classInfo, source, renderContext, new SimpleBindings()); + String expectedOutput = IOUtils.toString(this.getClass().getResourceAsStream("/SLING-6094.2.output.html"), "UTF-8"); + assertEquals(expectedOutput, writer.toString()); + } + + private ClassInfo buildClassInfo(final String info) { + return new ClassInfo() { @Override public String getSimpleClassName() { - return "Test"; + return "Test_" + info; } @Override public String getPackageName() { - return "org.example.test"; + return "org.apache.sling.scripting.sightly.compiler.java"; } @Override public String getFullyQualifiedClassName() { - return "org.example.test.Test"; + return "org.apache.sling.scripting.sightly.compiler.java.Test_" + info; } }; - String source = backendCompiler.build(classInfo); - ClassLoader classLoader = JavaClassBackendCompilerTest.class.getClassLoader(); - CharSequenceJavaCompiler<RenderUnit> compiler = new CharSequenceJavaCompiler<>(classLoader, null); - Class<RenderUnit> newClass = compiler.compile(classInfo.getFullyQualifiedClassName(), source, new Class<?>[]{}); - RenderUnit renderUnit = newClass.newInstance(); - StringWriter writer = new StringWriter(); - PrintWriter printWriter = new PrintWriter(writer); - RenderContext renderContext = new RenderContext() { + } + + private RenderContext buildRenderContext(final Bindings bindings) { + return new RenderContext() { @Override - public AbstractRuntimeObjectModel getObjectModel() { + public RuntimeObjectModel getObjectModel() { return new AbstractRuntimeObjectModel() {}; } @Override public Bindings getBindings() { - return 
new SimpleBindings(); + return bindings; } @Override public Object call(String functionName, Object... arguments) { - assert arguments.length == 2; - // for this test case only the xss runtime function will be called; return the unfiltered input return arguments[0]; } }; - renderUnit.render(printWriter, renderContext, new SimpleBindings()); - String expectedOutput = IOUtils.toString(this.getClass().getResourceAsStream("/test-output.html"), "UTF-8"); - assertEquals(expectedOutput, writer.toString()); + } + private void render(StringWriter writer, ClassInfo classInfo, String source, RenderContext renderContext, Bindings arguments) throws + Exception { + ClassLoader classLoader = JavaClassBackendCompilerTest.class.getClassLoader(); + CharSequenceJavaCompiler<RenderUnit> compiler = new CharSequenceJavaCompiler<>(classLoader, null); + Class<RenderUnit> newClass = compiler.compile(classInfo.getFullyQualifiedClassName(), source); + RenderUnit renderUnit = newClass.newInstance(); + PrintWriter printWriter = new PrintWriter(writer); + renderUnit.render(printWriter, renderContext, arguments); } } Added: sling/trunk/bundles/scripting/sightly/java-compiler/src/test/resources/SLING-6094.1.html URL: http://svn.apache.org/viewvc/sling/trunk/bundles/scripting/sightly/java-compiler/src/test/resources/SLING-6094.1.html?rev=1763732&view=auto ============================================================================== --- sling/trunk/bundles/scripting/sightly/java-compiler/src/test/resources/SLING-6094.1.html (added) +++ sling/trunk/bundles/scripting/sightly/java-compiler/src/test/resources/SLING-6094.1.html Fri Oct 7 10:36:32 2016 
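Review bot: The `call` stub in `buildRenderContext` returns `arguments[0]` for every runtime function, and the hunk drops the only comment that said so, so nothing in the harness now records that XSS filtering is deliberately bypassed and that these tests therefore cannot detect an escaping regression. Restore that intent on the stub, e.g. `// test stub: every runtime call, including the XSS filter, returns its first argument unfiltered`, and say on `sling_6094_1`/`sling_6094_2` that what they pin is presumably that the generated source still compiles and renders when an attribute key or identifier carries a colon, not that any value is escaped. The `assert arguments.length == 2` went away with the comment; if that is because other runtime functions are now called with a different arity it deserves a word, since a zero-argument call would now surface as an unreadable `ArrayIndexOutOfBoundsException`. The three test methods repeat the same compile-build-render-compare sequence and differ only in the script path, the class-info suffix and the bindings; a helper taking those three would leave the `v-bind:src` binding as the one distinctive line. The test method that the hunk's first context lines belong to starts outside the hunk.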
@@ -0,0 +1,17 @@
+<!--/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ~ Licensed to the Apache Software Foundation (ASF) under one or more
+ ~ contributor license agreements. See the NOTICE file distributed with
+ ~ this work for additional information regarding copyright ownership.
+ ~ The ASF licenses this file to You under the Apache License, Version 2.0
+ ~ (the "License"); you may not use this file except in compliance with
+ ~ the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/-->
+<img src="" v-bind:src="abc" data-sly-attribute="${img.attributes}" />
Added: sling/trunk/bundles/scripting/sightly/java-compiler/src/test/resources/SLING-6094.1.output.html
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/scripting/sightly/java-compiler/src/test/resources/SLING-6094.1.output.html?rev=1763732&view=auto
==============================================================================
--- sling/trunk/bundles/scripting/sightly/java-compiler/src/test/resources/SLING-6094.1.output.html (added)
+++ sling/trunk/bundles/scripting/sightly/java-compiler/src/test/resources/SLING-6094.1.output.html Fri Oct 7 10:36:32 2016
@@ -0,0 +1,2 @@
+
+<img src="" v-bind:src="replaced"/>
Added: sling/trunk/bundles/scripting/sightly/java-compiler/src/test/resources/SLING-6094.2.html
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/scripting/sightly/java-compiler/src/test/resources/SLING-6094.2.html?rev=1763732&view=auto
==============================================================================
--- sling/trunk/bundles/scripting/sightly/java-compiler/src/test/resources/SLING-6094.2.html (added)
+++ sling/trunk/bundles/scripting/sightly/java-compiler/src/test/resources/SLING-6094.2.html Fri Oct 7 10:36:32 2016
@@ -0,0 +1,17 @@
+<!--/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ~ Licensed to the Apache Software Foundation (ASF) under one or more
+ ~ contributor license agreements. See the NOTICE file distributed with
+ ~ this work for additional information regarding copyright ownership.
+ ~ The ASF licenses this file to You under the Apache License, Version 2.0
+ ~ (the "License"); you may not use this file except in compliance with
+ ~ the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/-->
+<div data-sly-test.jcr:title="${1>0}">correctly escaped variable</div>
Added: sling/trunk/bundles/scripting/sightly/java-compiler/src/test/resources/SLING-6094.2.output.html
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/scripting/sightly/java-compiler/src/test/resources/SLING-6094.2.output.html?rev=1763732&view=auto
==============================================================================
--- sling/trunk/bundles/scripting/sightly/java-compiler/src/test/resources/SLING-6094.2.output.html (added)
+++ sling/trunk/bundles/scripting/sightly/java-compiler/src/test/resources/SLING-6094.2.output.html Fri Oct 7 10:36:32 2016
@@ -0,0 +1,2 @@
+
+<div>correctly escaped variable</div>
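Review bot: The fixture exercises only a colon inside an HTL identifier (`data-sly-test.jcr:title`), the same character that SLING-6094.1 exercises through the `v-bind:src` attribute key, so both regression tests pin a single shape of the "invalid Java code from user-supplied input" problem named in the log. If the generated variable name is derived from the identifier, as the issue title suggests, a sibling fixture whose identifier contains a dot or hyphen, starts with a digit, or equals a Java keyword would pin the escaping more broadly; I cannot tell from this commit which of those the compiler change handles. The expected output `<div>correctly escaped variable</div>` drops the attribute entirely, consistent with it being consumed as a block attribute, but the fixture comment could state what is being asserted, e.g. `<!--/* jcr:title must yield a valid Java identifier; data-sly-test is consumed and must not appear in the output */-->`.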