From 99c355fc8de3ddaa4250e46fde70b231c26058aa Mon Sep 17 00:00:00 2001
From: seboo <25958061+seboo@users.noreply.github.com>
Date: Tue, 31 Jul 2018 14:01:44 +0200
Subject: [PATCH] SOLR-111 : Validate JSONP callback function name to avoid XSS

---
 .../plugins/search/solr/util/SolrUtil.java | 17 +++++++++++++++++
 .../search/solr/web/SolrSuggestServlet.java | 10 ++++++++++
 .../WEB-INF/conf/plugins/search-solr.properties | 6 +++++-
 3 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/src/java/fr/paris/lutece/plugins/search/solr/util/SolrUtil.java b/src/java/fr/paris/lutece/plugins/search/solr/util/SolrUtil.java
index 50f76f6..b4181d3 100644
--- a/src/java/fr/paris/lutece/plugins/search/solr/util/SolrUtil.java
+++ b/src/java/fr/paris/lutece/plugins/search/solr/util/SolrUtil.java
@@ -70,6 +70,10 @@ public final class SolrUtil
     private static final String PROPERTY_ENCODE_URI_ENCODING = "search.encode.uri.encoding";
     private static final String DEFAULT_URI_ENCODING = "ISO-8859-1";
+    private static final String PROPERTY_CALLBACK_FUNCTION_NAME_PATTERN = "search.callbackFunctionName.pattern" ;
+    private static final String CONSTANT_DEFAULT_FUNCTION_NAME_PATTERN = "[_$A-Za-z0-9]+";
+    public static final String PROPERTY_CALLBACK_FUNCTION_NAME_ERROR_MESSAGE = "search.callbackFunctionName.error.message" ;
+
     /**
      * Empty private constructor
      */
@@ -201,4 +205,17 @@ public static String getEncoding( )
         return strURIEncoding;
     }
+
+    /**
+     * Test if the name is a valid javascript function name
+     *
+     * @param strName
+     * @return true if valid
+     */
+    public static boolean isValidJavascriptFunctionName( String strName )
+    {
+        String strFunctionNamePattern = AppPropertiesService.getProperty( PROPERTY_CALLBACK_FUNCTION_NAME_PATTERN, CONSTANT_DEFAULT_FUNCTION_NAME_PATTERN );
+
+        return ( strName != null && strName.matches( strFunctionNamePattern ) ) ;
+    }
 }
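Review bot: The new PROPERTY_CALLBACK_FUNCTION_NAME_PATTERN and PROPERTY_CALLBACK_FUNCTION_NAME_ERROR_MESSAGE declarations put a space before the semicolon (` ;`), which neither CONSTANT_DEFAULT_FUNCTION_NAME_PATTERN nor the surrounding constants do; drop it, e.g. `private static final String PROPERTY_CALLBACK_FUNCTION_NAME_PATTERN = "search.callbackFunctionName.pattern";`. I would also annotate the default with `// Whitelist for the JSONP callback, applied with String.matches(): the whole name must match` so a later reader understands why it is deliberately narrower than the JavaScript identifier grammar (no dots, no brackets) and does not "fix" it by loosening it.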
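Review bot: isValidJavascriptFunctionName reads the regex from configuration on every call and hands it straight to String.matches, so a malformed search.callbackFunctionName.pattern value throws PatternSyntaxException from inside the check instead of returning false. Failing closed is the right outcome for a callback whitelist, but the Javadoc should say so, and `@param strName` currently has no description. I would document the contract as `@param strName the JSONP callback name taken from the request; null is rejected` and `@return true only if the whole name matches the configured whitelist (String.matches anchors the match); the pattern must never admit characters such as ( ) < > ' " / that could close the callback expression`. Whether AppPropertiesService can return an empty or malformed string here cannot be seen from this hunk.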
diff --git a/src/java/fr/paris/lutece/plugins/search/solr/web/SolrSuggestServlet.java b/src/java/fr/paris/lutece/plugins/search/solr/web/SolrSuggestServlet.java
index a13402d..9b3fc00 100644
--- a/src/java/fr/paris/lutece/plugins/search/solr/web/SolrSuggestServlet.java
+++ b/src/java/fr/paris/lutece/plugins/search/solr/web/SolrSuggestServlet.java
@@ -34,6 +34,8 @@ package fr.paris.lutece.plugins.search.solr.web;
 import fr.paris.lutece.plugins.search.solr.business.SolrSearchEngine;
+import fr.paris.lutece.plugins.search.solr.util.SolrUtil;
+import fr.paris.lutece.portal.service.util.AppPropertiesService;
 import org.apache.solr.client.solrj.response.QueryResponse;
 import org.apache.solr.client.solrj.response.SpellCheckResponse.Collation;
@@ -59,6 +61,7 @@ public class SolrSuggestServlet extends HttpServlet
 {
     private static final long serialVersionUID = -3273825949482572338L;
+
     public void init( )
     {
     }
@@ -76,6 +79,13 @@ public String getSuggest( HttpServletRequest request )
         SolrSearchEngine engine = SolrSearchEngine.getInstance( );
         StringBuffer result = new StringBuffer( );
+
+        // XSS control
+        if ( !SolrUtil.isValidJavascriptFunctionName( callback ) )
+        {
+            return AppPropertiesService.getProperty( SolrUtil.PROPERTY_CALLBACK_FUNCTION_NAME_ERROR_MESSAGE, "Invalid function name" ) ;
+        }
+
         result.append( callback );
         result.append( "({\"response\":{\"docs\":[" );
diff --git a/webapp/WEB-INF/conf/plugins/search-solr.properties b/webapp/WEB-INF/conf/plugins/search-solr.properties
index 8089621..1b10511 100644
--- a/webapp/WEB-INF/conf/plugins/search-solr.properties
+++ b/webapp/WEB-INF/conf/plugins/search-solr.properties
@@ -66,4 +66,8 @@ solr.field.or=OR
 solr.field.switch=SWITCH
-solr.field.and=AND
\ No newline at end of file
+solr.field.and=AND
+
+#Callback jsonp function control
+search.callbackFunctionName.pattern=[_$A-Za-z0-9]+
+search.callbackFunctionName.error.message=Invalid Function Name
\ No newline at end of file
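Review bot: Even with the whitelist, `result.append( callback )` still makes attacker-chosen alphanumerics the first bytes of the response, which is the precondition for the well-known Rosetta Flash style abuse of JSONP endpoints; the conventional extra guard is to emit a comment prefix first, `result.append( "/**/" );` ahead of `result.append( callback );`, and to send `X-Content-Type-Options: nosniff` together with the JavaScript content type where the response is written. The early return hands back the configured error message as the body with no status change, so if the caller of getSuggest writes it like a normal suggestion payload the browser will try to evaluate that text as script; a 400 response would be the clearer rejection, but the response handling is outside this hunk. The check also runs after SolrSearchEngine.getInstance( ) and the StringBuffer allocation, and moving it above them avoids that work for rejected requests. Where `callback` is read from the request is above this hunk and not visible, and getSuggest starts outside the hunk.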
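Review bot: The new `search.callbackFunctionName.pattern` is a security whitelist, but the comment above it only says what it is for, not how it is applied or what must not go into it. Since SolrUtil passes the value to String.matches (the whole callback must match) and a malformed regex will throw on every suggest request, I would expand the comment to `# Whitelist regex for the JSONP callback parameter; the whole name must match. Never add ( ) < > ' " / \ or whitespace: that reopens the XSS this guards against.` The value also duplicates the code default CONSTANT_DEFAULT_FUNCTION_NAME_PATTERN, so a note that the two are meant to stay in sync would help. The file still ends without a trailing newline, which this commit carries over rather than fixes.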