[seam-commits] Seam SVN: r14084 - in branches/enterprise/JBPAPP_4_3_FP01/src/main/org/jboss/seam: core and 1 other directories.

seam-commits at lists.jboss.org seam-commits at lists.jboss.org
Thu Apr 21 10:32:44 EDT 2011


Author: manaRH
Date: 2011-04-21 10:32:43 -0400 (Thu, 21 Apr 2011)
New Revision: 14084

Added:
   branches/enterprise/JBPAPP_4_3_FP01/src/main/org/jboss/seam/blacklist.properties
Modified:
   branches/enterprise/JBPAPP_4_3_FP01/src/main/org/jboss/seam/core/Expressions.java
   branches/enterprise/JBPAPP_4_3_FP01/src/main/org/jboss/seam/navigation/Pages.java
Log:
JBPAPP-6388: back-port from the one-off patch

Added: branches/enterprise/JBPAPP_4_3_FP01/src/main/org/jboss/seam/blacklist.properties
===================================================================
--- branches/enterprise/JBPAPP_4_3_FP01/src/main/org/jboss/seam/blacklist.properties	                        (rev 0)
+++ branches/enterprise/JBPAPP_4_3_FP01/src/main/org/jboss/seam/blacklist.properties	2011-04-21 14:32:43 UTC (rev 14084)
@@ -0,0 +1,4 @@
+.getClass()
+.addRole(
+.getPassword(
+.removeRole(
\ No newline at end of file
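Review bot: The file is read line-by-line in the Expressions static initializer rather than through java.util.Properties, so every line, including a `#` comment or a trailing blank line, becomes a denylist pattern; that leaves no safe place to document the format in the file itself. Document the one-substring-per-line contract next to the loader in Expressions.java (`// one case-sensitive substring per line; blank lines and '#' comments are not supported by the loader`) or teach the loader to skip blank and `#` lines so the file can carry its own header. The missing trailing newline is harmless for `readLine()` but is worth fixing so future appends do not fuse with the last pattern.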

Modified: branches/enterprise/JBPAPP_4_3_FP01/src/main/org/jboss/seam/core/Expressions.java
===================================================================
--- branches/enterprise/JBPAPP_4_3_FP01/src/main/org/jboss/seam/core/Expressions.java	2011-04-21 14:24:58 UTC (rev 14083)
+++ branches/enterprise/JBPAPP_4_3_FP01/src/main/org/jboss/seam/core/Expressions.java	2011-04-21 14:32:43 UTC (rev 14084)
@@ -3,7 +3,13 @@
 
 import static org.jboss.seam.annotations.Install.BUILT_IN;
 
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
 import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
 
 import javax.el.ELContext;
 import javax.el.ExpressionFactory;
@@ -16,6 +22,8 @@
 import org.jboss.seam.annotations.intercept.BypassInterceptors;
 import org.jboss.seam.el.EL;
 import org.jboss.seam.el.SeamExpressionFactory;
+import org.jboss.seam.log.LogProvider;
+import org.jboss.seam.log.Logging;
 
 /**
  * Factory for EL method and value expressions.
@@ -30,6 +38,42 @@
 @Name("org.jboss.seam.core.expressions")
 public class Expressions implements Serializable
 {
+   private static final LogProvider log = Logging.getLogProvider(Expressions.class);
+   private static List<String> blacklist = new ArrayList<String>();
+
+   // loading blacklisted patterns of non-valid EL expressions
+   static
+   {
+      BufferedReader reader = null;
+      try
+      {
+         InputStream blacklistIS = ResourceLoader.instance().getResourceAsStream("blacklist.properties");
+         reader = new BufferedReader(new InputStreamReader(blacklistIS));
+         String line;
+         while ((line = reader.readLine()) != null)
+         {
+            blacklist.add(line);
+         }
+      }
+      catch (IOException e)
+      {
+         log.warn("Black list of non-valid EL expressions was not found!");
+      }
+      finally
+      {
+         if (reader != null)
+         {
+            try
+            {
+               reader.close();
+            }
+            catch (IOException e)
+            {
+            }
+         }
+      }
+
+   }
    
    /**
     * Get the JBoss EL ExpressionFactory
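Review bot: A missing `blacklist.properties` never reaches the `catch (IOException e)` branch: `getResourceAsStream` returns null for an absent resource and `new InputStreamReader(null)` throws NullPointerException, which would escape the static block as an ExceptionInInitializerError and leave `Expressions` unusable instead of logging the "was not found" warning. Lines are also added verbatim, so a single blank line in the file makes `expression.contains("")` true for every expression and rejects all EL; trimming and skipping empty lines avoids that failure mode. `blacklist` is a mutable `static` field that is only ever appended to here, so it should be `private static final`, and the reader should name its charset rather than rely on the platform default. The close-time IOException swallow is fine but deserves a `// best effort` comment.
```java
   private static final List<String> blacklist = new ArrayList<String>();

   // loading blacklisted patterns of non-valid EL expressions (one substring per line)
   static
   {
      InputStream blacklistIS = ResourceLoader.instance().getResourceAsStream("blacklist.properties");
      if (blacklistIS == null)
      {
         log.warn("Black list of non-valid EL expressions was not found!");
      }
      else
      {
         BufferedReader reader = null;
         try
         {
            reader = new BufferedReader(new InputStreamReader(blacklistIS, "UTF-8"));
            String line;
            while ((line = reader.readLine()) != null)
            {
               line = line.trim();
               // an empty pattern would match every expression and reject all EL
               if (line.length() > 0)
               {
                  blacklist.add(line);
               }
            }
         }
         catch (IOException e)
         {
            log.warn("Black list of non-valid EL expressions could not be read!", e);
         }
         finally
         {
            // … unchanged: close reader, ignoring IOException (best effort) …
         }
      }
   }
```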
@@ -75,6 +119,7 @@
     */
    public <T> ValueExpression<T> createValueExpression(final String expression, final Class<T> type)
    {
+      checkELExpression(expression);
       
       return new ValueExpression<T>()
       {
@@ -138,6 +183,8 @@
     */
    public <T> MethodExpression<T> createMethodExpression(final String expression, final Class<T> type, final Class... argTypes)
    {
+      checkELExpression(expression);
+      
       return new MethodExpression<T>()
       {
          private javax.el.MethodExpression facesMethodExpression;
@@ -251,5 +298,22 @@
    {
       return (Expressions) Component.getInstance(Expressions.class, ScopeType.APPLICATION);
    }
+
+   private static void checkELExpression(final String expression)
+   {
+      for (int index = 0; blacklist.size() > index; index++)
+      {
+         if ( expression.contains(blacklist.get(index)) ) 
+         {
+            throw new IllegalArgumentException("This EL expression is not allowed!");
+         }
+      }
    
+      // for any case blacklist is not provided this is definitely not permitted
+      if ( expression.contains(".getClass()") )
+      {
+         throw new IllegalArgumentException("This EL expression is not allowed!");
+      }
+   }
+
 }
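Review bot: `checkELExpression` dereferences `expression` unguarded, so a null expression passed to `createValueExpression` or `createMethodExpression` (the two call sites added in this commit) now fails with a NullPointerException inside the check instead of reaching whatever handling the factory had before; decide explicitly whether null is rejected or passed through. The hard-coded fallback only duplicates `.getClass()`, while the shipped file carries four entries, so the comment should say that only this one entry is guaranteed without the resource. Because the match is a plain substring test it also rejects legitimate application code containing the same text (any bean method named `addRole`, or the pattern inside a string literal), which is worth a comment at the method head so the next maintainer knows the false positives are accepted. The `blacklist.size() > index` loop reads backwards; an enhanced for is clearer.
```java
   /**
    * Rejects expressions containing a denylisted substring. Matching is a plain,
    * case-sensitive substring test, so legitimate expressions that happen to
    * contain a pattern are rejected too; this is accepted.
    */
   private static void checkELExpression(final String expression)
   {
      if (expression == null)
      {
         return; // let the factory apply its own null handling
      }
      for (String pattern : blacklist)
      {
         if (expression.contains(pattern))
         {
            throw new IllegalArgumentException("This EL expression is not allowed!");
         }
      }
      // … unchanged: hard-coded .getClass() fallback for when the resource is missing …
   }
```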

Modified: branches/enterprise/JBPAPP_4_3_FP01/src/main/org/jboss/seam/navigation/Pages.java
===================================================================
--- branches/enterprise/JBPAPP_4_3_FP01/src/main/org/jboss/seam/navigation/Pages.java	2011-04-21 14:24:58 UTC (rev 14083)
+++ branches/enterprise/JBPAPP_4_3_FP01/src/main/org/jboss/seam/navigation/Pages.java	2011-04-21 14:32:43 UTC (rev 14084)
@@ -647,6 +647,11 @@
                .getRequestParameterMap().get("actionMethod");
          if (actionId!=null)
          {
+            String decodedActionId = URLDecoder.decode(actionId);
+            if (decodedActionId != null && (decodedActionId.indexOf('#') >= 0 || decodedActionId.indexOf('{') >= 0) ){
+               throw new IllegalArgumentException("EL expressions are not allowed in actionMethod parameter");
+            }
+
             if ( !SafeActions.instance().isActionSafe(actionId) ) return result;
             String expression = SafeActions.toAction(actionId);
             result = true;
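Review bot: `URLDecoder.decode(String)` on the first added line is the deprecated single-argument overload that decodes with the platform default charset, so the same request can decode differently across JVM configurations; use `URLDecoder.decode(actionId, "UTF-8")` and handle its checked UnsupportedEncodingException (which needs a java.io import outside this hunk). `decode` never returns null, so the `decodedActionId != null` test is dead and can be dropped. Note that `decode` throws IllegalArgumentException for malformed percent sequences, so a malformed actionMethod parameter now fails before `isActionSafe` is consulted; if that is intended, a comment saying so would help. The enclosing method starts and ends outside this hunk, and the `URLDecoder` import is not visible here.
```java
         if (actionId!=null)
         {
            String decodedActionId;
            try
            {
               decodedActionId = URLDecoder.decode(actionId, "UTF-8");
            }
            catch (UnsupportedEncodingException e)
            {
               throw new IllegalStateException("UTF-8 is not supported", e);
            }
            // reject anything that could be parsed as an EL expression, encoded or not
            if (decodedActionId.indexOf('#') >= 0 || decodedActionId.indexOf('{') >= 0)
            {
               throw new IllegalArgumentException("EL expressions are not allowed in actionMethod parameter");
            }
            // … unchanged: SafeActions check and expression evaluation …
```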


