Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix(User): Fix XSS vulnerability for revoke token endpoint #2751

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Fix(User): Fix XSS vulnerability for revoke token endpoint
Signed-off-by: hoangnt2 <hoang2.nguyenthai@toshiba.co.jp>
  • Loading branch information
hoangnt2 committed Nov 26, 2024
commit 60541654a2124b385c2a155f3d3c9cf3ab4cd2a0
Original file line number Diff line number Diff line change
@@ -23,7 +23,6 @@
import lombok.extern.slf4j.Slf4j;

import org.apache.commons.lang.RandomStringUtils;
import org.apache.commons.lang.StringEscapeUtils;
import org.apache.thrift.TException;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Change for org.apache.commons.text.StringEscapeUtils

import org.eclipse.sw360.datahandler.common.CommonUtils;
import org.eclipse.sw360.datahandler.common.SW360Constants;
@@ -368,7 +367,7 @@ public ResponseEntity<String> revokeUserRestApiToken(
User sw360User = restControllerHelper.getSw360UserFromAuthentication();

if (!userService.isTokenNameExisted(sw360User, tokenName)) {
return new ResponseEntity<>("Token not found: " + StringEscapeUtils.escapeHtml(tokenName), HttpStatus.NOT_FOUND);
return new ResponseEntity<>("Token not found", HttpStatus.NOT_FOUND);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Change for escapeHtml4

}

sw360User.getRestApiTokens().removeIf(t -> t.getName().equals(tokenName));