Fix more shapes of log-injection (#485)

This change fixes more shapes of log injection vulnerabilities, and bumps the toolkit version to guarantee safety when passing non-`String` types to `stripAll`.
pixee · Dec 12, 2024 · 394739f · 394739f
1 parent 56aba73
commit 394739f
Show file tree

Hide file tree

Showing 11 changed files with 153,506 additions and 40 deletions.
diff --git a/core-codemods/src/test/java/io/codemodder/codemods/codeql/CodeQLLogInjectionCodemodTest.java b/core-codemods/src/test/java/io/codemodder/codemods/codeql/CodeQLLogInjectionCodemodTest.java
@@ -2,13 +2,29 @@
 
 import io.codemodder.testutils.CodemodTestMixin;
 import io.codemodder.testutils.Metadata;
+import org.junit.jupiter.api.Nested;
 
-@Metadata(
-    codemodType = CodeQLLogInjectionCodemod.class,
-    testResourceDir = "codeql-log-injection",
-    renameTestFile =
-        "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/Templates.java",
-    doRetransformTest = false,
-    expectingFixesAtLines = {124},
-    dependencies = {})
-final class CodeQLLogInjectionCodemodTest implements CodemodTestMixin {}
+final class CodeQLLogInjectionCodemodTest {
+
+  @Nested
+  @Metadata(
+      codemodType = CodeQLLogInjectionCodemod.class,
+      testResourceDir = "codeql-log-injection/template",
+      renameTestFile =
+          "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/Templates.java",
+      doRetransformTest = false,
+      expectingFixesAtLines = {124},
+      dependencies = {})
+  class TemplateTest implements CodemodTestMixin {}
+
+  @Nested
+  @Metadata(
+      codemodType = CodeQLLogInjectionCodemod.class,
+      testResourceDir = "codeql-log-injection/templateedit",
+      renameTestFile =
+          "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/TemplateEdit.java",
+      doRetransformTest = false,
+      expectingFixesAtLines = {128},
+      dependencies = {})
+  class TemplateEditTest implements CodemodTestMixin {}
+}
diff --git a/...codeql-log-injection/Templates.java.after → ...g-injection/template/Templates.java.after b/...codeql-log-injection/Templates.java.after → ...g-injection/template/Templates.java.after
@@ -18,7 +18,7 @@
 
 package org.apache.roller.weblogger.ui.struts2.editor;
 
-import static io.github.pixee.security.Newlines.stripNewLines;
+import static io.github.pixee.security.Newlines.stripAll;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -123,7 +123,7 @@ public class Templates extends UIAction {
 
         } catch (WebloggerException ex) {
             log.error("Error getting templates for weblog - "
-                + stripNewLines(getActionWeblog().getHandle()), ex);
+                + stripAll(getActionWeblog().getHandle()), ex);
             addError("Error getting template list - check Roller logs");
         }
 
@@ -196,7 +196,7 @@ public class Templates extends UIAction {
                 setNewTmplAction(null);
 
             } catch (WebloggerException ex) {
-                log.error("Error adding new template for weblog - " + stripNewLines(getActionWeblog().getHandle()), ex);
+                log.error("Error adding new template for weblog - " + stripAll(getActionWeblog().getHandle()), ex);
                 addError("Error adding new template - check Roller logs");
             }
         }
@@ -254,7 +254,7 @@ public class Templates extends UIAction {
                 }
 
             } catch (Exception ex) {
-                log.error("Error removing page - " + stripNewLines(getRemoveId()), ex);
+                log.error("Error removing page - " + stripAll(getRemoveId()), ex);
                 addError("editPages.remove.error");
             }
         } else {

diff --git a/...odeql-log-injection/Templates.java.before → ...-injection/template/Templates.java.before b/...odeql-log-injection/Templates.java.before → ...-injection/template/Templates.java.before
diff --git a/.../resources/codeql-log-injection/out.sarif → ...s/codeql-log-injection/template/out.sarif b/.../resources/codeql-log-injection/out.sarif → ...s/codeql-log-injection/template/out.sarif
diff --git a/core-codemods/src/test/resources/codeql-log-injection/templateedit/TemplateEdit.java.after b/core-codemods/src/test/resources/codeql-log-injection/templateedit/TemplateEdit.java.after
@@ -0,0 +1,202 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  The ASF licenses this file to You
+ * under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.  For additional information regarding
+ * copyright in this work, please see the NOTICE file in the top level
+ * directory of this distribution.
+ */
+
+package org.apache.roller.weblogger.ui.struts2.editor;
+
+import static io.github.pixee.security.Newlines.stripAll;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.roller.weblogger.WebloggerException;
+import org.apache.roller.weblogger.business.WebloggerFactory;
+import org.apache.roller.weblogger.pojos.TemplateRendition.TemplateLanguage;
+import org.apache.roller.weblogger.pojos.WeblogTemplate;
+import org.apache.roller.weblogger.ui.struts2.util.UIAction;
+import org.apache.roller.weblogger.util.cache.CacheManager;
+import org.apache.struts2.convention.annotation.AllowedMethods;
+import org.apache.struts2.interceptor.validation.SkipValidation;
+
+import java.util.Date;
+import java.util.EnumMap;
+import java.util.Map;
+
+
+/**
+ * Action which handles editing for a single WeblogTemplate.
+ */
+// TODO: make this work @AllowedMethods({"execute","move"})
+public class TemplateEdit extends UIAction {
+
+    private static Log log = LogFactory.getLog(TemplateEdit.class);
+
+    // form bean for collection all template properties
+    private TemplateEditBean bean = new TemplateEditBean();
+
+    // the template we are working on
+    private WeblogTemplate template = null;
+
+    public TemplateEdit() {
+        this.actionName = "templateEdit";
+        this.desiredMenu = "editor";
+        this.pageTitle = "pagesForm.title";
+    }
+
+    @Override
+    public void myPrepare() {
+        try {
+            setTemplate(WebloggerFactory.getWeblogger().getWeblogManager().getTemplate(getBean().getId()));
+        } catch (WebloggerException ex) {
+            log.error("Error looking up template - " + stripAll(getBean().getId()), ex);
+        }
+    }
+
+
+    /**
+     * Show template edit page.
+     */
+    @SkipValidation
+    @Override
+    public String execute() {
+        try {
+            if (getTemplate() == null) {
+                addError("Unable to locate specified template");
+                return LIST;
+            }
+            WeblogTemplate page = getTemplate();
+            getBean().copyFrom(template);
+
+            // empty content-type indicates that page uses auto content-type detection
+            if (StringUtils.isEmpty(page.getOutputContentType())) {
+                getBean().setAutoContentType(Boolean.TRUE);
+            } else {
+                getBean().setAutoContentType(Boolean.FALSE);
+                getBean().setManualContentType(page.getOutputContentType());
+            }
+
+        } catch (WebloggerException ex) {
+           log.error("Error updating page - " + stripAll(getBean().getId()), ex);
+           addError("Error saving template - check Roller logs");
+        }
+
+        return INPUT;
+    }
+
+    /**
+     * Save an existing template.
+     */
+    public String save() {
+        log.debug("Entering save()");
+
+        if (getTemplate() == null) {
+            addError("Unable to locate specified template");
+            return LIST;
+        }
+
+        // validation
+        myValidate();
+
+        if (!hasActionErrors()) {
+            try {
+
+                WeblogTemplate templateToSave = getTemplate();
+                getBean().copyTo(templateToSave);
+                templateToSave.setLastModified(new Date());
+
+                if (getBean().getAutoContentType() == null || !getBean().getAutoContentType()) {
+                    templateToSave.setOutputContentType(getBean().getManualContentType());
+                } else {
+                    // empty content-type indicates that template uses auto content-type detection
+                    templateToSave.setOutputContentType(null);
+                }
+
+                // save template
+                WebloggerFactory.getWeblogger().getWeblogManager().saveTemplate(templateToSave);
+                log.debug("Saved template: " + stripAll(templateToSave.getId()));
+
+                //flush
+                WebloggerFactory.getWeblogger().flush();
+
+                // notify caches
+                CacheManager.invalidate(templateToSave);
+
+                // success message
+                addMessage("pageForm.save.success", templateToSave.getName());
+
+            } catch (Exception ex) {
+                log.error("Error updating page - " + stripAll(getBean().getId()), ex);
+                addError("Error updating template - check Roller logs");
+            }
+        }
+
+        log.debug("Leaving save()");
+        return INPUT;
+    }
+
+    private void myValidate() {
+
+        // if name changed make sure there isn't a conflict
+        if (!getTemplate().getName().equals(getBean().getName())) {
+            try {
+                if (WebloggerFactory.getWeblogger().getWeblogManager()
+                        .getTemplateByName(getActionWeblog(), getBean().getName()) != null) {
+                    addError("pagesForm.error.alreadyExists", getBean().getName());
+                }
+            } catch (WebloggerException ex) {
+                log.error("Error checking page name uniqueness", ex);
+            }
+        }
+
+        // if link changed make sure there isn't a conflict
+        if (!StringUtils.isEmpty(getBean().getLink()) &&
+                !getBean().getLink().equals(getTemplate().getLink())) {
+            try {
+                if (WebloggerFactory.getWeblogger().getWeblogManager()
+                        .getTemplateByLink(getActionWeblog(), getBean().getLink()) != null) {
+                    addError("pagesForm.error.alreadyExists", getBean().getLink());
+                }
+            } catch (WebloggerException ex) {
+                log.error("Error checking page link uniqueness", ex);
+            }
+        }
+    }
+
+    public Map<TemplateLanguage, String> getTemplateLanguages() {
+        Map<TemplateLanguage, String> langMap = new EnumMap<>(TemplateLanguage.class);
+        for (TemplateLanguage lang : TemplateLanguage.values()) {
+            langMap.put(lang, lang.getReadableName());
+        }
+        return langMap;
+    }
+
+
+    public TemplateEditBean getBean() {
+        return bean;
+    }
+
+    public void setBean(TemplateEditBean bean) {
+        this.bean = bean;
+    }
+
+    public WeblogTemplate getTemplate() {
+        return template;
+    }
+
+    public void setTemplate(WeblogTemplate template) {
+        this.template = template;
+    }
+}