From 9f47c61e158a9605c37b27ef9bcc562b90cb9ce5 Mon Sep 17 00:00:00 2001 From: cubap Date: Wed, 27 Nov 2024 10:30:52 -0600 Subject: [PATCH 01/13] XSS coverage --- .gitignore | 1 + src/java/UpdateLine.java | 4 ++-- src/java/characterImage.java | 4 ++-- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 85c0a8aa..91b4b235 100644 --- a/.gitignore +++ b/.gitignore @@ -51,3 +51,4 @@ nbproject *.properties # End of https://www.toptal.com/developers/gitignore/api/macos,netbeans +.vscode/settings.json diff --git a/src/java/UpdateLine.java b/src/java/UpdateLine.java index bbc1a557..68b41910 100644 --- a/src/java/UpdateLine.java +++ b/src/java/UpdateLine.java @@ -52,7 +52,7 @@ else if (request.getParameter("projectID") == null) { response.sendError(SC_BAD_REQUEST); } else{ - String text = request.getParameter("text"); + String text = encoder().encodeForHTML(request.getParameter("text")); String comment = ""; int projectID = parseInt(request.getParameter("projectID")); int uid = parseInt(session.getAttribute("UID").toString()); @@ -60,7 +60,7 @@ else if (request.getParameter("projectID") == null) { try{ Project thisProject = new Project(projectID); if (request.getParameter("comment") != null) { - comment = request.getParameter("comment"); + comment = encoder().encodeForHTML(request.getParameter("comment")); } if (line == null) { if (request.getParameter("projectID") != null) { diff --git a/src/java/characterImage.java b/src/java/characterImage.java index 14369cef..165276a3 100644 --- a/src/java/characterImage.java +++ b/src/java/characterImage.java 
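Review bot: `String text = encoder().encodeForHTML(request.getParameter("text"));` applies HTML output encoding at the input boundary, so the encoded form is what reaches `thisProject.setLinebreakText(text)`, and the second UpdateLine hunk does the same for `comment` before `t.setComment(comment)`. Entities stored this way are double-encoded the next time the text is edited and rendered, and `encodeForHTML` does not make the value safe for the SQL or JSON contexts it presumably also flows into, so it gives little protection there while corrupting the data. The conventional fix is to keep the raw parameter and encode at the point where it is written into an HTML response, e.g. `out.print(encoder().encodeForHTML(text))`. processRequest starts and ends outside both hunks.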
@@ -67,8 +67,8 @@ protected void processRequest(HttpServletRequest request, HttpServletResponse re int blobIdentifier; try { - blobIdentifier = parseInt(request.getParameter("blob")); - pageIdentifier = request.getParameter("page"); + blobIdentifier = parseInt(request.getParameter("blob").replaceAll("[^\\d]", "")); + pageIdentifier = request.getParameter("page").replaceAll("[^\\w]", ""); } catch (NumberFormatException | NullPointerException e) { return; } From 2b453de4db6d9222a707d36ab1edd2d777eeade6 Mon Sep 17 00:00:00 2001 From: cubap Date: Wed, 27 Nov 2024 10:59:41 -0600 Subject: [PATCH 02/13] XSS and others --- src/java/UploadTextfile.java | 113 +++++++++--------- .../slu/tpen/servlet/AcceptIPRServlet.java | 3 +- .../tpen/servlet/AddProjectToolServlet.java | 17 ++- 3 files changed, 74 insertions(+), 59 deletions(-) diff --git a/src/java/UploadTextfile.java b/src/java/UploadTextfile.java index 995d2682..1542ba5f 100644 --- a/src/java/UploadTextfile.java +++ b/src/java/UploadTextfile.java @@ -1,9 +1,3 @@ -/* - * To change this template, choose Tools | Templates - * and open the template in the editor. - */ - - import java.io.BufferedReader; import java.io.IOException; import java.io.InputStreamReader; 
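Review bot: `request.getParameter("blob").replaceAll("[^\\d]", "")` sanitizes by deletion, so an identifier such as `12x3` silently becomes `123` and a different blob is served instead of the malformed request being rejected. The `page` value keeps letters and underscores through `[^\\w]`, yet a later characterImage hunk shows it being passed to `parseInt(pageIdentifier)` outside this try, where the NumberFormatException is not caught. Validate rather than rewrite: `String blobParam = request.getParameter("blob"), pageParam = request.getParameter("page");` followed by `if (blobParam == null || !blobParam.matches("\\d+") || pageParam == null || !pageParam.matches("\\d+")) { return; }`, then parse the unmodified values. The `catch` still returns without setting any status code, and processRequest continues beyond the hunk.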
@@ -42,49 +36,63 @@ protected void processRequest(HttpServletRequest request, HttpServletResponse re throws ServletException, IOException, SQLException, FileUploadException { response.setContentType("text/html;charset=UTF-8"); try (PrintWriter out = response.getWriter()) { - int projectID=0; + int projectID = 0; + textdisplay.Project thisProject = null; + + if (request.getParameter("projectID") == null) { + out.print("projectID parameter is missing."); + return; + } - textdisplay.Project thisProject=null; - if(request.getParameter("projectID")!=null) - { String location = ""; - projectID=parseInt(request.getParameter("projectID")); - location = (parseInt(request.getParameter("p"))>0) ? "?projectID="+projectID+"&p="+request.getParameter("p") : "?projectID="+projectID; - thisProject=new textdisplay.Project(projectID); - if (isMultipartContent(request)){ - ServletFileUpload servletFileUpload = new ServletFileUpload(new DiskFileItemFactory()); - List fileItemsList = servletFileUpload.parseRequest(request); + try { + projectID = parseInt(request.getParameter("projectID")); + } catch (NumberFormatException e) { + out.print("Invalid projectID format."); + return; + } - String optionalFileName = ""; - FileItem fileItem = null; - Iterator it = fileItemsList.iterator(); - while (it.hasNext()){ - FileItem fileItemTemp = (FileItem)it.next(); - String tmp=fileItemTemp.getFieldName(); - if (fileItemTemp.getFieldName().compareTo("file")==0 && (fileItemTemp.getName().endsWith("txt") || fileItemTemp.getName().endsWith("xml"))){ + try { + int p = request.getParameter("p") != null ? parseInt(request.getParameter("p")) : 0; + location = (p > 0) ? 
"?projectID=" + projectID + "&p=" + p : "?projectID=" + projectID; + } catch (NumberFormatException e) { + location = "?projectID=" + projectID; + } - String textData;//=fileItemTemp.getString(); - BufferedReader in = new BufferedReader(new InputStreamReader(fileItemTemp.getInputStream() , "UTF-8")); - StringBuilder b=new StringBuilder(""); - while(in.ready()) - { - b.append(in.readLine()); - } - textData=b.toString(); - thisProject.setLinebreakText(textData); - response.sendRedirect("transcription.html"+location); - return; + thisProject = new textdisplay.Project(projectID); - } - else - { - out.print("You must upload a .txt or .xml file, other formats are not supported at this time."); - } - } -} - } + if (!isMultipartContent(request)) { + out.print("Request is not multipart."); + return; + } + + ServletFileUpload servletFileUpload = new ServletFileUpload(new DiskFileItemFactory()); + List fileItemsList = servletFileUpload.parseRequest(request); + + String optionalFileName = ""; + FileItem fileItem = null; + Iterator it = fileItemsList.iterator(); + while (it.hasNext()) { + FileItem fileItemTemp = (FileItem) it.next(); + String tmp = fileItemTemp.getFieldName(); + if (fileItemTemp.getFieldName().compareTo("file") == 0 && (fileItemTemp.getName().endsWith("txt") || fileItemTemp.getName().endsWith("xml"))) { + String textData; + try (BufferedReader in = new BufferedReader(new InputStreamReader(fileItemTemp.getInputStream(), "UTF-8"))) { + StringBuilder b = new StringBuilder(""); + String line; + while ((line = in.readLine()) != null) { + b.append(line).append("\n"); + } + textData = b.toString(); + } + thisProject.setLinebreakText(textData); + response.sendRedirect("transcription.html" + location); + return; + } + } + out.print("You must upload a .txt or .xml file, other formats are not supported at this time."); } - } + } // /** 
@@ -97,14 +105,12 @@ protected void processRequest(HttpServletRequest request, HttpServletResponse re @Override protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - try - { + try { processRequest(request, response); - } catch (SQLException | FileUploadException ex) - { + } catch (SQLException | FileUploadException ex) { getLogger(UploadTextfile.class.getName()).log(SEVERE, null, ex); - } - } + } + } /** * Handles the HTTP POST method. @@ -116,13 +122,11 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) @Override protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - try - { + try { processRequest(request, response); - } catch (SQLException | FileUploadException ex) - { + } catch (SQLException | FileUploadException ex) { getLogger(UploadTextfile.class.getName()).log(SEVERE, null, ex); - } + } } /** @@ -133,5 +137,4 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response) public String getServletInfo() { return "Short description"; }// - } diff --git a/src/java/edu/slu/tpen/servlet/AcceptIPRServlet.java b/src/java/edu/slu/tpen/servlet/AcceptIPRServlet.java index 51c86164..a2a1c2d6 100644 --- a/src/java/edu/slu/tpen/servlet/AcceptIPRServlet.java +++ b/src/java/edu/slu/tpen/servlet/AcceptIPRServlet.java @@ -17,6 +17,7 @@ import net.sf.json.JSONObject; import static net.sf.json.JSONObject.fromObject; import user.User; +import org.owasp.encoder.Encode; /** * 
@@ -35,7 +36,7 @@ public class AcceptIPRServlet extends HttpServlet { */ protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.setContentType("text/html;charset=UTF-8"); - String content = request.getParameter("content"); + String content = Encode.forHtml(request.getParameter("content")); JSONObject params = fromObject(content); User user = null; int folioNum = params.getInt("folio"); diff --git a/src/java/edu/slu/tpen/servlet/AddProjectToolServlet.java b/src/java/edu/slu/tpen/servlet/AddProjectToolServlet.java index 3d9065cd..46c81c98 100644 --- a/src/java/edu/slu/tpen/servlet/AddProjectToolServlet.java +++ b/src/java/edu/slu/tpen/servlet/AddProjectToolServlet.java @@ -21,10 +21,12 @@ import java.sql.SQLException; import static java.util.logging.Level.SEVERE; import static java.util.logging.Logger.getLogger; +import java.net.MalformedURLException; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.owasp.encoder.Encode; import utils.UserTool; /** 
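Review bot: `Encode.forHtml(request.getParameter("content"))` runs before `fromObject(content)`, and HTML encoding turns every `"` in the JSON into `&#34;` (and `&` into `&amp;`), so any payload with string-valued members will no longer parse. Encoding belongs at the point where individual values are written into HTML, not on the wire payload that is about to be parsed. Change it back to `String content = request.getParameter("content");` and encode the individual `params` values when they are echoed into the response. `folio` is read with `getInt`, which would have survived, but processRequest continues beyond the hunk and any string members are affected.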
@@ -36,10 +38,19 @@ public class AddProjectToolServlet extends HttpServlet { @Override protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { try { - Connection conn = getDBConnection(); + String name = Encode.forHtml(request.getParameter("name")); UserTool ut = new UserTool(); - ut.saveUserTool(conn, request.getParameter("name"), request.getParameter("url"), parseInt(request.getParameter("projectID"))); - response.getWriter().print("1"); + String urlParam = request.getParameter("url"); + String url = Encode.forHtml(urlParam); + new java.net.URL(urlParam); + } catch (MalformedURLException e) { + throw new ServletException("Invalid URL format", e); + } + int projectID = parseInt(request.getParameter("projectID")); + ut.saveUserTool(conn, name, url, projectID); + Connection conn = getDBConnection(); + ut.saveUserTool(conn, name, url, projectID); + conn.close(); } catch (SQLException ex) { getLogger(AddProjectToolServlet.class.getName()).log(SEVERE, null, ex); } From 91c2d0ca761405191551abd9d370f48ab7003780 Mon Sep 17 00:00:00 2001 From: cubap Date: Wed, 27 Nov 2024 11:04:23 -0600 Subject: [PATCH 03/13] null protection for XSS --- src/java/UpdateLine.java | 68 ++++++++++++++++++---------------------- 1 file changed, 31 insertions(+), 37 deletions(-) diff --git a/src/java/UpdateLine.java b/src/java/UpdateLine.java index 68b41910..7f6df604 100644 --- a/src/java/UpdateLine.java +++ b/src/java/UpdateLine.java 
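Review bot: The new body does not compile: `} catch (MalformedURLException e)` closes the outer `try`, after which `ut` is out of scope, `conn` is used on `ut.saveUserTool(conn, name, url, projectID)` before `Connection conn = getDBConnection();` declares it, the tool is saved twice, and the trailing `} catch (SQLException ex)` has no matching `try`. The `response.getWriter().print("1")` the old code sent is also dropped, which the calling page may rely on. Storing `Encode.forHtml(urlParam)` rewrites `&` in a query string to `&amp;` inside the persisted URL; keep the validated raw URL and encode when rendering, and since `new java.net.URL` also accepts `file:` and `ftp:`, a scheme check is worth adding while the URL is parsed anyway. doPost's closing brace is outside the hunk.
```java
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    String name = Encode.forHtml(request.getParameter("name"));
    String urlParam = request.getParameter("url");
    String scheme;
    try {
        scheme = new java.net.URL(urlParam).getProtocol();
    } catch (MalformedURLException e) {
        throw new ServletException("Invalid URL format", e);
    }
    if (!"http".equals(scheme) && !"https".equals(scheme)) {
        throw new ServletException("Unsupported URL scheme");
    }
    int projectID = parseInt(request.getParameter("projectID"));
    try (Connection conn = getDBConnection()) {
        new UserTool().saveUserTool(conn, name, urlParam, projectID);
        response.getWriter().print("1");
    } catch (SQLException ex) {
        getLogger(AddProjectToolServlet.class.getName()).log(SEVERE, null, ex);
    }
}
```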
@@ -1,22 +1,17 @@ -/* - * To change this template, choose Tools | Templates - * and open the template in the editor. - */ - import java.io.IOException; import java.io.PrintWriter; -import static java.lang.Integer.parseInt; import java.sql.SQLException; -import static java.util.logging.Level.SEVERE; -import static java.util.logging.Logger.getLogger; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; +import static java.lang.Integer.parseInt; +import static java.util.logging.Level.SEVERE; +import static java.util.logging.Logger.getLogger; import static javax.servlet.http.HttpServletResponse.SC_BAD_REQUEST; import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN; import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR; -import javax.servlet.http.HttpSession; import static org.owasp.esapi.ESAPI.encoder; import textdisplay.Project; import textdisplay.Transcription; 
@@ -42,33 +37,35 @@ protected void processRequest(HttpServletRequest request, HttpServletResponse re HttpSession session = request.getSession(); if (session.getAttribute("UID") == null) { response.sendError(SC_FORBIDDEN); + return; } - else if (request.getParameter("text") == null) { + if (request.getParameter("text") == null) { getLogger(UpdateLine.class.getName()).log(SEVERE, null, "'text' was not provided."); response.sendError(SC_BAD_REQUEST); + return; } - else if (request.getParameter("projectID") == null) { + if (request.getParameter("projectID") == null) { getLogger(UpdateLine.class.getName()).log(SEVERE, null, "'projectID' was not provided."); response.sendError(SC_BAD_REQUEST); + return; } - else{ - String text = encoder().encodeForHTML(request.getParameter("text")); - String comment = ""; - int projectID = parseInt(request.getParameter("projectID")); - int uid = parseInt(session.getAttribute("UID").toString()); - String line = request.getParameter("line"); - try{ - Project thisProject = new Project(projectID); - if (request.getParameter("comment") != null) { - comment = encoder().encodeForHTML(request.getParameter("comment")); - } - if (line == null) { - if (request.getParameter("projectID") != null) { - if (new Group(thisProject.getGroupID()).isMember(uid)) { - thisProject.setLinebreakText(text); - } - } + + String text = encoder().encodeForHTML(request.getParameter("text")); + String comment = ""; + int projectID = parseInt(request.getParameter("projectID")); + int uid = parseInt(session.getAttribute("UID").toString()); + String line = request.getParameter("line"); + + try { + Project thisProject = new Project(projectID); + if (request.getParameter("comment") != null) { + comment = encoder().encodeForHTML(request.getParameter("comment")); + } + if (line == null) { + if (new Group(thisProject.getGroupID()).isMember(uid)) { + thisProject.setLinebreakText(text); } + } else { if (new Group(thisProject.getGroupID()).isMember(uid)) { Transcription t = new 
Transcription(line); t.archive(); //create an archived version before making changes @@ -76,19 +73,16 @@ else if (request.getParameter("projectID") == null) { t.setComment(comment); t.setCreator(uid); out.print(encoder().decodeForHTML(new Transcription(line).getText())); - } - else { + } else { response.sendError(SC_FORBIDDEN); } } - catch(SQLException e){ - System.out.println("UpdateLine SQL failure"); - getLogger(UpdateLine.class.getName()).log(SEVERE, null, e); - response.sendError(SC_INTERNAL_SERVER_ERROR); - } + } catch (SQLException e) { + System.out.println("UpdateLine SQL failure"); + getLogger(UpdateLine.class.getName()).log(SEVERE, null, e); + response.sendError(SC_INTERNAL_SERVER_ERROR); } - } - catch(Exception e){ + } catch (Exception e) { System.out.println("UpdateLine generic failure"); getLogger(UpdateLine.class.getName()).log(SEVERE, null, e); response.sendError(SC_INTERNAL_SERVER_ERROR); From 7dd1e942090c5bbe149dd19af299c727c14a034b Mon Sep 17 00:00:00 2001 From: cubap Date: Wed, 27 Nov 2024 11:11:11 -0600 Subject: [PATCH 04/13] XSS washing --- src/java/characterImage.java | 19 +++++++++++++++---- .../tpen/servlet/AddUserToProjectServlet.java | 13 ++++++++----- .../slu/tpen/servlet/AddUserToolServlet.java | 3 ++- 3 files changed, 25 insertions(+), 10 deletions(-) diff --git a/src/java/characterImage.java b/src/java/characterImage.java index 165276a3..db54ed5d 100644 --- a/src/java/characterImage.java +++ b/src/java/characterImage.java 
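Review bot: `int projectID = parseInt(request.getParameter("projectID"));` has no NumberFormatException handling, so a non-numeric value falls through to the generic `catch (Exception e)` in the next hunk and is answered with a 500, while the guard clauses just above answer a missing value with 400; `parseInt(session.getAttribute("UID").toString())` has the same gap. The membership check `new Group(thisProject.getGroupID()).isMember(uid)` is made against `projectID`, but the line that is archived and edited comes independently from `new Transcription(line)`; unless that constructor ties the line to the project, a member of one project could edit lines of another by pairing their own projectID with a foreign line id. Wrap the parse, e.g. `try { projectID = parseInt(request.getParameter("projectID")); } catch (NumberFormatException e) { response.sendError(SC_BAD_REQUEST); return; }`, and verify `t` belongs to `thisProject` before `t.archive()`. The declaration of `out` and the method's opening lines are above the hunk.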
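Review bot: `out.print(encoder().decodeForHTML(new Transcription(line).getText()))` reverses the HTML encoding applied on input, so the response carries the raw submitted text; if the response is rendered as HTML this undoes the protection the encode-on-input step was meant to give, and if it is consumed as plain text or JSON the input encoding was not needed in the first place. Encode at this output point instead, `out.print(encoder().encodeForHTML(new Transcription(line).getText()))`, and store the text unencoded. `System.out.println("UpdateLine SQL failure")` beside `log(SEVERE, null, e)` is redundant since the logger already records the stack trace. The surrounding processRequest body begins in the previous hunk.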
@@ -67,15 +67,26 @@ protected void processRequest(HttpServletRequest request, HttpServletResponse re int blobIdentifier; try { - blobIdentifier = parseInt(request.getParameter("blob").replaceAll("[^\\d]", "")); - pageIdentifier = request.getParameter("page").replaceAll("[^\\w]", ""); - } catch (NumberFormatException | NullPointerException e) { + String blobParam = request.getParameter("blob"); + String pageParam = request.getParameter("page"); + if (blobParam == null || pageParam == null) { + response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing parameters"); + return; + } + blobIdentifier = parseInt(blobParam.replaceAll("[^\\d]", "")); + pageIdentifier = pageParam.replaceAll("[^\\w]", ""); + } catch (NumberFormatException e) { + response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid parameters"); return; } blobGetter thisBlob = new blobGetter(pageIdentifier, blobIdentifier); String s = (getRbTok("SERVERCONTEXT") + "imageResize?folioNum=" + pageIdentifier + "&height=2000"); out.print(s + "\n"); - BufferedImage originalImg = getImage(parseInt(pageIdentifier));//imageHelpers.readAsBufferedImage(new URL(Folio.getRbTok("SERVERCONTEXT")+"imageResize?folioNum="+pageIdentifier+"&height=2000&code="+Folio.getRbTok("imageCode"))); + BufferedImage originalImg = getImage(parseInt(pageIdentifier)); + if (originalImg == null) { + response.sendError(HttpServletResponse.SC_NOT_FOUND, "Image not found"); + return; + } width = thisBlob.getHeight(); height = thisBlob.getWidth(); x = thisBlob.getX(); diff --git a/src/java/edu/slu/tpen/servlet/AddUserToProjectServlet.java b/src/java/edu/slu/tpen/servlet/AddUserToProjectServlet.java index 934180bb..7b62075e 100644 --- a/src/java/edu/slu/tpen/servlet/AddUserToProjectServlet.java +++ b/src/java/edu/slu/tpen/servlet/AddUserToProjectServlet.java 
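Review bot: `getImage(parseInt(pageIdentifier))` sits outside the try that catches NumberFormatException, but `pageParam.replaceAll("[^\\w]", "")` still lets letters and `_` through, so a page value such as `12a` reaches `parseInt` and surfaces as an uncaught exception rather than the 400 the new checks aim for. Since the value is used numerically, validate it that way and parse once: `if (!pageParam.matches("\\d+") || !blobParam.matches("\\d+")) { response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid parameters"); return; }` followed by `pageIdentifier = pageParam;`. Stripping characters instead of rejecting also means `1x2` is quietly served as page 12. processRequest continues below the hunk.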
@@ -28,6 +28,7 @@ import static javax.servlet.http.HttpServletResponse.SC_NOT_ACCEPTABLE; import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED; import javax.servlet.http.HttpSession; +import org.owasp.encoder.Encode; import textdisplay.Project; import user.Group; import user.User; @@ -42,19 +43,21 @@ public class AddUserToProjectServlet extends HttpServlet { @Override protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { HttpSession session = request.getSession(); - //System.out.println("Add user to project ID:"+request.getParameter("projectID")); if (session.getAttribute("UID") != null) { int UID = parseInt(session.getAttribute("UID").toString()); try { User thisUser = new user.User(UID); if(null != request.getParameter("uname") && null != request.getParameter("projectID")){ + String uname = Encode.forHtml(request.getParameter("uname")); + String fname = Encode.forHtml(request.getParameter("fname")); + String lname = Encode.forHtml(request.getParameter("lname")); Project thisProject = new Project(parseInt(request.getParameter("projectID"))); - int result = thisUser.invite(request.getParameter("uname"), request.getParameter("fname"), request.getParameter("lname")); + int result = thisUser.invite(uname, fname, lname); if (result == 0) { //successfully send out email to user Group g = new Group(thisProject.getGroupID()); if (g.isAdmin(thisUser.getUID())) { - User newUser = new User(request.getParameter("uname")); + User newUser = new User(uname); g.addMember(newUser.getUID()); response.getWriter().print(newUser.getUID()); }else{ 
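Review bot: `Encode.forHtml(request.getParameter("uname"))` is applied before `thisUser.invite(uname, ...)` and `new User(uname)`, so the value used to look up or create the account is the HTML-escaped form; if `uname` is an e-mail or login, one containing `'` or `&` (both legal in an address) is stored as `&#39;`/`&amp;` and will not match an existing account. Only `uname` and `projectID` are null-checked, while `fname` and `lname` go straight into `Encode.forHtml`, which, if I read the OWASP encoder right, mirrors `String.valueOf` and yields the text `null` for a null argument, so a missing first name is invited as "null"; `parseInt(request.getParameter("projectID"))` also has no NumberFormatException handling. Keep the raw value for lookup and encode when it is echoed into HTML. The two later hunks in this file make the same `new User(uname)` substitution; doPost continues past the hunk.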
@@ -65,7 +68,7 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response) //account created but email issue occured, usually happens in dev environments with no email server. user.Group g = new user.Group(thisProject.getGroupID()); if (g.isAdmin(thisUser.getUID())) { - User newUser = new User(request.getParameter("uname")); + User newUser = new User(uname); g.addMember(newUser.getUID()); response.getWriter().print(newUser.getUID()); }else{ @@ -76,7 +79,7 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response) //user exits user.Group g = new user.Group(thisProject.getGroupID()); if (g.isAdmin(thisUser.getUID())) { - User newUser = new User(request.getParameter("uname")); + User newUser = new User(uname); g.addMember(newUser.getUID()); response.getWriter().print(newUser.getUID()); }else{ diff --git a/src/java/edu/slu/tpen/servlet/AddUserToolServlet.java b/src/java/edu/slu/tpen/servlet/AddUserToolServlet.java index 58cf6f40..566f3ece 100644 --- a/src/java/edu/slu/tpen/servlet/AddUserToolServlet.java +++ b/src/java/edu/slu/tpen/servlet/AddUserToolServlet.java @@ -34,7 +34,8 @@ public class AddUserToolServlet extends HttpServlet { @Override protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { try { - saveTool(request.getParameter("toolName"), parseInt(request.getParameter("uid"))); + String toolName = request.getParameter("toolName").replaceAll("[^a-zA-Z0-9]", ""); + saveTool(toolName, parseInt(request.getParameter("uid"))); response.getWriter().print("1"); } catch (SQLException ex) { getLogger(AddUserToolServlet.class.getName()).log(SEVERE, null, ex); From b121a9ccac08072a2921011cb26a3f66f52239e4 Mon Sep 17 00:00:00 2001 
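Review bot: `request.getParameter("toolName").replaceAll("[^a-zA-Z0-9]", "")` dereferences the parameter before any null check, and a NullPointerException is not covered by `catch (SQLException ex)`, so a request without `toolName` now fails with an uncaught exception. The character filter also silently rewrites the name (spaces, hyphens and any non-ASCII letter are dropped), so `My Tool` is saved as `MyTool` without the caller being told. Prefer `String toolName = request.getParameter("toolName"); if (toolName == null || !toolName.matches("[\\w -]+")) { response.sendError(HttpServletResponse.SC_BAD_REQUEST); return; }` with whatever length cap the column allows, and encode at output; whether `SC_BAD_REQUEST` is already statically imported here is not visible. doPost's remainder is below the hunk.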
From: cubap Date: Wed, 27 Nov 2024 11:24:40 -0600 Subject: [PATCH 05/13] xss --- .../servlet/ChangeUserPermissionServlet.java | 2 - .../tpen/servlet/CreateProjectClassic.java | 108 ++++++++---------- 2 files changed, 46 insertions(+), 64 deletions(-) diff --git a/src/java/edu/slu/tpen/servlet/ChangeUserPermissionServlet.java b/src/java/edu/slu/tpen/servlet/ChangeUserPermissionServlet.java index c0b0acfe..a60d3032 100644 --- a/src/java/edu/slu/tpen/servlet/ChangeUserPermissionServlet.java +++ b/src/java/edu/slu/tpen/servlet/ChangeUserPermissionServlet.java @@ -69,8 +69,6 @@ public class ChangeUserPermissionServlet extends HttpServlet { protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { int result = 0; if (request.getParameter("projectID") != null && null != request.getSession().getAttribute("UID")) { - //System.out.println("UID !!!!!!!!!!!!!!!!!!!!"); - //System.out.println(request.getSession().getAttribute("UID")); int currentUserId = parseInt(request.getSession().getAttribute("UID") + ""); int projectId = new Integer(request.getParameter("projectID")); if(null != request.getParameter("uid")){ diff --git a/src/java/edu/slu/tpen/servlet/CreateProjectClassic.java b/src/java/edu/slu/tpen/servlet/CreateProjectClassic.java index 6f458f71..e91c4ba7 100644 --- a/src/java/edu/slu/tpen/servlet/CreateProjectClassic.java +++ b/src/java/edu/slu/tpen/servlet/CreateProjectClassic.java 
@@ -1,18 +1,5 @@ -/* - * Copyright 2014- Saint Louis University. Licensed under the - * Educational Community License, Version 2.0 (the "License"); you may - * not use this file except in compliance with the License. You may - * obtain a copy of the License at - * - * http://www.osedu.org/licenses/ECL-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an "AS IS" - * BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express - * or implied. See the License for the specific language governing - * permissions and limitations under the License. - */ package edu.slu.tpen.servlet; + import static edu.slu.util.ServletUtils.getDBConnection; import java.io.IOException; import java.io.PrintWriter; 
@@ -47,59 +34,56 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t this.doPost(request, response); } - /* - * Create manuscript, folio and project. Servlet taken from transcription.jsp code for creating a project from T-PEN 1.0 - * - * Bryan H: FIXME: This servlet fails sometimes and sends this into a very deep loop. Why? - */ public String createProject(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException, SQLException { - int UID = parseInt(request.getSession().getAttribute("UID").toString()); - int projectID = 0; - textdisplay.Project thisProject = null; - if (UID > 0 && request.getParameter("ms")!=null) { - textdisplay.Manuscript mss=new textdisplay.Manuscript(parseInt(request.getParameter("ms")),true); - int [] msIDs=new int[0]; - User u = new User(UID); - textdisplay.Project[] p = u.getUserProjects(); - msIDs = new int[p.length]; - // firstPage() fails ALOT - // Cambridge, Cologny - for (int i = 0; i < p.length; i++) { - try { - msIDs[i] = new textdisplay.Manuscript(p[i].firstPage()).getID(); - } catch (Exception e) { - msIDs[i] = -1; - } + int UID = 0; + try { + UID = parseInt(request.getSession().getAttribute("UID").toString()); + if (UID < 1) { + throw new ServletException("User Session is not valid."); + } + } catch (NumberFormatException e) { + throw new ServletException("User Session is unrecognizable."); + } + int projectID = 0; + textdisplay.Project thisProject = null; + if (request.getParameter("ms") != null) { + textdisplay.Manuscript mss = new textdisplay.Manuscript(parseInt(request.getParameter("ms")), true); + int[] msIDs = new int[0]; + User u = new User(UID); + textdisplay.Project[] p = u.getUserProjects(); + msIDs = new int[p.length]; + for (int i = 0; i < p.length; i++) { + try { + msIDs[i] = new textdisplay.Manuscript(p[i].firstPage()).getID(); + } catch (Exception e) { + msIDs[i] = -1; + } + } + for (int l = 0; l < msIDs.length; l++) { + if (msIDs[l] == mss.getID()) 
{ + projectID = p[l].getProjectID(); + thisProject = p[l]; } - for (int l = 0; l < msIDs.length; l++) { - if (msIDs[l] == mss.getID()) { - projectID=p[l].getProjectID(); - thisProject=p[l]; - } + } + if (projectID < 1) { + String tmpProjName = mss.getShelfMark() + " project"; + if (request.getParameter("title") != null) { + tmpProjName = org.owasp.encoder.Encode.forHtml(request.getParameter("title")); } - if(projectID<1) { - //create a project for them - String tmpProjName = mss.getShelfMark()+" project"; - if (request.getParameter("title") != null) { - tmpProjName = request.getParameter("title"); - } - try (Connection conn = getDBConnection()) { - conn.setAutoCommit(false); - Group newgroup = new Group(conn, tmpProjName, UID); - Project newProject = new Project(conn, tmpProjName, newgroup.getGroupID()); - newProject.setFolios(conn, mss.getFolios()); - newProject.addLogEntry(conn, "Added manuscript " + mss.getShelfMark(), UID); - thisProject=newProject; - projectID=thisProject.getProjectID(); - newProject.importData(UID); - conn.commit(); - } + try (Connection conn = getDBConnection()) { + conn.setAutoCommit(false); + Group newgroup = new Group(conn, tmpProjName, UID); + Project newProject = new Project(conn, tmpProjName, newgroup.getGroupID()); + newProject.setFolios(conn, mss.getFolios()); + newProject.addLogEntry(conn, "Added manuscript " + mss.getShelfMark(), UID); + thisProject = newProject; + projectID = thisProject.getProjectID(); + newProject.importData(UID); + conn.commit(); } } - return ""+projectID; } - + return "" + projectID; + } } - - From 03f178f5e99740f82e7e45077c65d247f9c5eb32 Mon Sep 17 00:00:00 2001 From: cubap Date: Wed, 27 Nov 2024 11:28:33 -0600 Subject: [PATCH 06/13] guard clauses --- .../tpen/servlet/CreateProjectClassic.java | 82 +++++++++++-------- 1 file changed, 46 insertions(+), 36 deletions(-) 
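Review bot: `request.getSession().getAttribute("UID").toString()` is dereferenced inside a `try` that only catches NumberFormatException, so a request with no UID in the session throws a NullPointerException instead of the `ServletException("User Session is not valid.")` the new guard intends; test `getAttribute("UID") == null` before calling `toString()`. `parseInt(request.getParameter("ms"))` on the Manuscript line is likewise unguarded. `org.owasp.encoder.Encode.forHtml(request.getParameter("title"))` escapes the project name before it is persisted through `new Group(conn, tmpProjName, UID)` and `new Project(conn, tmpProjName, ...)`, so a title with `&` or quotes is stored as entities and double-encodes wherever the name is later rendered through an encoder; encode at render time instead. The preceding hunk in this file also deletes the ECL-2.0 copyright and license header, which looks unintended and should be restored.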
diff --git a/src/java/edu/slu/tpen/servlet/CreateProjectClassic.java b/src/java/edu/slu/tpen/servlet/CreateProjectClassic.java index e91c4ba7..6e51c275 100644 --- a/src/java/edu/slu/tpen/servlet/CreateProjectClassic.java +++ b/src/java/edu/slu/tpen/servlet/CreateProjectClassic.java @@ -36,7 +36,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t public String createProject(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException, SQLException { - int UID = 0; + int UID; try { UID = parseInt(request.getSession().getAttribute("UID").toString()); if (UID < 1) { 
@@ -45,45 +45,55 @@ public String createProject(HttpServletRequest request, HttpServletResponse resp } catch (NumberFormatException e) { throw new ServletException("User Session is unrecognizable."); } + + if (request.getParameter("ms") == null) { + throw new ServletException("No manuscript ID provided."); + } + + textdisplay.Manuscript mss = new textdisplay.Manuscript(parseInt(request.getParameter("ms")), true); + int[] msIDs = new int[0]; + User u = new User(UID); + textdisplay.Project[] p = u.getUserProjects(); + msIDs = new int[p.length]; + for (int i = 0; i < p.length; i++) { + try { + msIDs[i] = new textdisplay.Manuscript(p[i].firstPage()).getID(); + } catch (Exception e) { + msIDs[i] = -1; + } + } + int projectID = 0; textdisplay.Project thisProject = null; - if (request.getParameter("ms") != null) { - textdisplay.Manuscript mss = new textdisplay.Manuscript(parseInt(request.getParameter("ms")), true); - int[] msIDs = new int[0]; - User u = new User(UID); - textdisplay.Project[] p = u.getUserProjects(); - msIDs = new int[p.length]; - for (int i = 0; i < p.length; i++) { - try { - msIDs[i] = new textdisplay.Manuscript(p[i].firstPage()).getID(); - } catch (Exception e) { - msIDs[i] = -1; - } - } - for (int l = 0; l < msIDs.length; l++) { - if (msIDs[l] == mss.getID()) { - projectID = p[l].getProjectID(); - thisProject = p[l]; - } - } - if (projectID < 1) { - String tmpProjName = mss.getShelfMark() + " project"; - if (request.getParameter("title") != null) { - tmpProjName = org.owasp.encoder.Encode.forHtml(request.getParameter("title")); - } - try (Connection conn = getDBConnection()) { - conn.setAutoCommit(false); - Group newgroup = new Group(conn, tmpProjName, UID); - Project newProject = new Project(conn, tmpProjName, newgroup.getGroupID()); - newProject.setFolios(conn, mss.getFolios()); - newProject.addLogEntry(conn, "Added manuscript " + mss.getShelfMark(), UID); - thisProject = newProject; - projectID = thisProject.getProjectID(); - 
newProject.importData(UID); - conn.commit(); - } + for (int l = 0; l < msIDs.length; l++) { + if (msIDs[l] == mss.getID()) { + projectID = p[l].getProjectID(); + thisProject = p[l]; + break; } } + + if (projectID > 0) { + return "" + projectID; + } + + String tmpProjName = mss.getShelfMark() + " project"; + if (request.getParameter("title") != null) { + tmpProjName = org.owasp.encoder.Encode.forHtml(request.getParameter("title")); + } + + try (Connection conn = getDBConnection()) { + conn.setAutoCommit(false); + Group newgroup = new Group(conn, tmpProjName, UID); + Project newProject = new Project(conn, tmpProjName, newgroup.getGroupID()); + newProject.setFolios(conn, mss.getFolios()); + newProject.addLogEntry(conn, "Added manuscript " + mss.getShelfMark(), UID); + thisProject = newProject; + projectID = thisProject.getProjectID(); + newProject.importData(UID); + conn.commit(); + } + return "" + projectID; } } From 09dcd8af3d71e3b6afeca482524c9d9610187790 Mon Sep 17 00:00:00 2001 From: cubap Date: Wed, 27 Nov 2024 11:34:50 -0600 Subject: [PATCH 07/13] Update CreateProjectFromMSIDServlet.java --- .../servlet/CreateProjectFromMSIDServlet.java | 33 ++++++++++--------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/src/java/edu/slu/tpen/servlet/CreateProjectFromMSIDServlet.java b/src/java/edu/slu/tpen/servlet/CreateProjectFromMSIDServlet.java index 277254e4..28a4a209 100644 --- a/src/java/edu/slu/tpen/servlet/CreateProjectFromMSIDServlet.java +++ b/src/java/edu/slu/tpen/servlet/CreateProjectFromMSIDServlet.java 
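Review bot: `parseInt(request.getParameter("ms"))` on the new `textdisplay.Manuscript` line still has no NumberFormatException handling, so the guard-clause refactor stops one step short: a missing `ms` gets a clean ServletException while a non-numeric one escapes as an unchecked exception. `int[] msIDs = new int[0];` is dead since it is reassigned to `new int[p.length]` two lines later, and `thisProject` is assigned in both branches but never read after the refactor because only `projectID` is returned. `new textdisplay.Manuscript(p[i].firstPage())` is issued once per project the user owns inside a `catch (Exception e)` that maps every failure to -1, which hides real database errors; narrowing it to what `firstPage()` actually throws would help. The NullPointerException on a missing session UID in the try above the hunk is unchanged by this commit.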
@@ -5,23 +5,19 @@ */ package edu.slu.tpen.servlet; -import static edu.slu.tpen.servlet.Constant.ANNOTATION_SERVER_ADDR; -import static edu.slu.tpen.servlet.util.CreateAnnoListUtil.createEmptyAnnoList; -import static edu.slu.util.ServletUtils.getDBConnection; -import static edu.slu.util.ServletUtils.getUID; import java.io.BufferedReader; import java.io.DataOutputStream; import java.io.IOException; import java.io.InputStreamReader; import java.io.PrintWriter; -import static java.lang.Integer.parseInt; import java.net.HttpURLConnection; import java.net.URL; -import static java.net.URLEncoder.encode; import java.sql.Connection; import java.sql.SQLException; import java.util.LinkedList; import java.util.List; +import java.util.logging.Level; +import java.util.logging.Logger; import static java.util.logging.Level.SEVERE; import static java.util.logging.Logger.getLogger; import javax.servlet.ServletException; @@ -30,14 +26,20 @@ import javax.servlet.http.HttpServletResponse; import net.sf.json.JSONArray; import net.sf.json.JSONObject; -import servlets.createManuscript; import textdisplay.Folio; -import static textdisplay.Folio.getRbTok; import textdisplay.Manuscript; import textdisplay.Metadata; import textdisplay.Project; import user.Group; +import static edu.slu.tpen.servlet.Constant.ANNOTATION_SERVER_ADDR; +import static edu.slu.tpen.servlet.util.CreateAnnoListUtil.createEmptyAnnoList; +import static edu.slu.util.ServletUtils.getDBConnection; +import static edu.slu.util.ServletUtils.getUID; +import static java.lang.Integer.parseInt; +import static java.net.URLEncoder.encode; +import static textdisplay.Folio.getRbTok; + /** * * @author bhaberbe 
@@ -47,7 +49,7 @@ public class CreateProjectFromMSIDServlet extends HttpServlet { @Override protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { try (PrintWriter writer = response.getWriter()) { - writer.print(creatManuscriptFolioProject(request, response)); //To change body of generated methods, choose Tools | Templates. + writer.print(createManuscriptFolioProject(request, response)); //To change body of generated methods, choose Tools | Templates. } //To change body of generated methods, choose Tools | Templates. } @@ -67,7 +69,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t * @throws javax.servlet.ServletException * @throws java.io.IOException */ - public String creatManuscriptFolioProject(HttpServletRequest request, HttpServletResponse response) + public String createManuscriptFolioProject(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { try { //receive parameters. @@ -104,14 +106,14 @@ public String creatManuscriptFolioProject(HttpServletRequest request, HttpServle array_folios = man.getFolios(); String tmpProjName = man.getShelfMark() + " project"; if (request.getParameter("title") != null) { - tmpProjName = request.getParameter("title"); + tmpProjName = org.owasp.encoder.Encode.forHtml(request.getParameter("title")); } try (Connection conn = getDBConnection()) { conn.setAutoCommit(false); Group newgroup = new Group(conn, tmpProjName, UID); Project newProject = new Project(conn, tmpProjName, newgroup.getGroupID()); man.setArchive(getRbTok("SERVERURL") + "/project/" + newProject.getProjectID()); - if (array_folios.length > 0) { + if (array_folios != null && array_folios.length > 0) { for (Folio folio : array_folios) { //This needs to be the same one the JSON Exporter creates and needs to be unique and unchangeable. String canvasID_check = folio.getCanvas(); 
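Review bot: `tmpProjName = org.owasp.encoder.Encode.forHtml(request.getParameter("title"))` HTML-encodes the title before it is stored as the group and project name, so the database will hold entity-encoded names that render wrongly anywhere the name is emitted as JSON or plain text (GetSharedProjectsByUserServlet, later in this series, returns `p.name` in a JSON body). Output encoding belongs at the point where the name is written into HTML; store the raw title and call `Encode.forHtml` there. If encoding on input is kept as a stop-gap, it is inconsistent to leave the default `man.getShelfMark() + " project"` unencoded, since the shelf mark presumably is user-entered data as well. The enclosing `createManuscriptFolioProject` starts and ends outside this hunk.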
@@ -156,11 +158,10 @@ public String creatManuscriptFolioProject(HttpServletRequest request, HttpServle conn.commit(); //String propVal = Folio.getRbTok("CREATE_PROJECT_RETURN_DOMAIN"); return "project/" + projectID_return; //TODO: Make this the resolvable project url? - } + Logger.getLogger(CreateProjectFromMSIDServlet.class.getName()).log(Level.SEVERE, null, ex); } catch (SQLException ex) { - getLogger(createManuscript.class.getName()).log(SEVERE, null, ex); + getLogger(CreateProjectFromMSIDServlet.class.getName()).log(SEVERE, null, ex); + return "500: Database error"; } - return "500"; } - } From 4e69c776594d77cac90322612fa9aee856d41d98 Mon Sep 17 00:00:00 2001 From: cubap Date: Wed, 27 Nov 2024 11:42:38 -0600 Subject: [PATCH 08/13] Update GetManuscriptsByCityAndRepository.java --- .../GetManuscriptsByCityAndRepository.java | 56 +++++++++---------- 1 file changed, 26 insertions(+), 30 deletions(-) diff --git a/src/java/edu/slu/tpen/servlet/GetManuscriptsByCityAndRepository.java b/src/java/edu/slu/tpen/servlet/GetManuscriptsByCityAndRepository.java index d1d3582f..8faa3a28 100644 --- a/src/java/edu/slu/tpen/servlet/GetManuscriptsByCityAndRepository.java +++ b/src/java/edu/slu/tpen/servlet/GetManuscriptsByCityAndRepository.java 
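Review bot: The new side places `Logger.getLogger(CreateProjectFromMSIDServlet.class.getName()).log(Level.SEVERE, null, ex)` directly after the unconditional `return "project/" + projectID_return;`, where `ex` is not in scope and the statement is unreachable, so as printed this cannot compile. Removing the `}` before it and the trailing `return "500";` also appears to leave the method's outer `try {` (opened at the top of `createManuscriptFolioProject`, outside the hunk) without a `catch`/`finally` and without a return on the non-exception path; the collapsed layout makes the brace nesting hard to read, so verify against the full file. If a single fallback is intended, the shape should be the inner try-with-resources closed by `} catch (SQLException ex) { getLogger(...).log(SEVERE, null, ex); return "500: Database error"; }`, then the outer catch, with the stray log line deleted. Note too that nothing visible sets an error status when that string is returned, so `doPost` would print `500: Database error` inside a 200 response; call `response.setStatus(SC_INTERNAL_SERVER_ERROR)` on that path.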
@@ -46,39 +46,29 @@ public class GetManuscriptsByCityAndRepository extends HttpServlet { */ @Override protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { + response.setContentType("application/json"); JSONObject jo = new JSONObject(); - if (null != request.getParameter("city")) { - if (null != request.getParameter("repository")) { - try { - String city = request.getParameter("city"); - String repo = request.getParameter("repository"); - Manuscript[] mss = getManuscriptsByCityAndRepository(city, repo); - jo.element("ls_manu", mss); - } catch (SQLException ex) { - getLogger(GetManuscriptsByCityAndRepository.class.getName()).log(SEVERE, null, ex); - } - }else{ - try { - String city = request.getParameter("city"); - Manuscript[] mss = getManuscriptsByCity(city); - jo.element("ls_manu", mss); - } catch (SQLException ex) { - getLogger(GetManuscriptsByCityAndRepository.class.getName()).log(SEVERE, null, ex); - } - } - }else{ - if (request.getParameter("repository") != null) { - try { - String repo = request.getParameter("repository"); - Manuscript[] mss = getManuscriptsByRepository(repo); - jo.element("ls_manu", mss); - } catch (SQLException ex) { - getLogger(GetManuscriptsByCityAndRepository.class.getName()).log(SEVERE, null, ex); - } - }else{ + + String city = sanitize(request.getParameter("city")); + String repo = sanitize(request.getParameter("repository")); + + try { + if (city != null && repo != null) { + Manuscript[] mss = getManuscriptsByCityAndRepository(city, repo); + jo.element("ls_manu", mss); + } else if (city != null) { + Manuscript[] mss = getManuscriptsByCity(city); + jo.element("ls_manu", mss); + } else if (repo != null) { + Manuscript[] mss = getManuscriptsByRepository(repo); + jo.element("ls_manu", mss); + } else { jo.element("error", "no city or repository specified"); } + } catch (SQLException ex) { + getLogger(GetManuscriptsByCityAndRepository.class.getName()).log(SEVERE, null, ex); } 
+ try (PrintWriter out = response.getWriter()) { out.print(jo); } @@ -86,7 +76,13 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response) @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { - super.doPost(req, resp); //To change body of generated methods, choose Tools | Templates. + doPost(req, resp); } + private String sanitize(String input) { + if (input == null) { + return null; + } + return input.replaceAll("[<>\"'%;()&+]", ""); + } } From ee17fbc0004de95e24f37cf898b290e96db14d1f Mon Sep 17 00:00:00 2001 From: cubap Date: Wed, 27 Nov 2024 11:59:34 -0600 Subject: [PATCH 09/13] xss and some guard clausing so I can read it --- src/java/UpdateLine.java | 44 ++++++++++--------- .../GetSharedProjectsByUserServlet.java | 6 +++ 2 files changed, 29 insertions(+), 21 deletions(-) diff --git a/src/java/UpdateLine.java b/src/java/UpdateLine.java index 7f6df604..fcd485a2 100644 --- a/src/java/UpdateLine.java +++ b/src/java/UpdateLine.java @@ -6,6 +6,10 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; +import textdisplay.Project; +import textdisplay.Transcription; +import user.Group; + import static java.lang.Integer.parseInt; import static java.util.logging.Level.SEVERE; import static java.util.logging.Logger.getLogger; @@ -13,9 +17,6 @@ import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN; import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR; import static org.owasp.esapi.ESAPI.encoder; -import textdisplay.Project; -import textdisplay.Transcription; -import user.Group; /** * 
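Review bot: In the new `catch (SQLException ex)` the error is logged and execution falls through to `out.print(jo)`, so a database failure returns `{}` with HTTP 200, whereas the no-parameter case at least reports `jo.element("error", ...)`. Add `jo.element("error", "database error"); response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);` in the catch so callers can distinguish failure from an empty result. Setting `response.setContentType("application/json")` up front is a good addition; `response.setCharacterEncoding("UTF-8")` next to it would pin the charset for non-ASCII shelf marks.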
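Review bot: The new `sanitize()` strips `<>"'%;()&+` from `city` and `repository`, which silently corrupts legitimate lookups (a repository name with parentheses or an apostrophe no longer matches) without giving real protection: the `getManuscriptsBy…` helpers are not visible here, and if they concatenate SQL a character blacklist is bypassable, while if they bind `PreparedStatement` placeholders the stripping is unnecessary. The values only leave this servlet through `JSONObject`, which performs JSON encoding, so there is no HTML context to defend either. Prefer passing the raw parameters to parameterized queries and deleting `sanitize()`; if it stays, record its limits with `// NOTE: character blacklist only; injection safety depends on parameterized SQL in getManuscriptsBy*`. Replacing `super.doPost(req, resp)` with `doPost(req, resp)` in `doGet` is a correct fix, since `HttpServlet`'s default answers 405.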
@@ -36,21 +37,21 @@ protected void processRequest(HttpServletRequest request, HttpServletResponse re try (PrintWriter out = response.getWriter()) { HttpSession session = request.getSession(); if (session.getAttribute("UID") == null) { - response.sendError(SC_FORBIDDEN); + response.sendError(SC_FORBIDDEN, "User not logged in."); return; } if (request.getParameter("text") == null) { - getLogger(UpdateLine.class.getName()).log(SEVERE, null, "'text' was not provided."); - response.sendError(SC_BAD_REQUEST); + getLogger(UpdateLine.class.getName()).log(SEVERE, "'text' was not provided."); + response.sendError(SC_BAD_REQUEST, "'text' parameter is missing."); return; } if (request.getParameter("projectID") == null) { - getLogger(UpdateLine.class.getName()).log(SEVERE, null, "'projectID' was not provided."); - response.sendError(SC_BAD_REQUEST); + getLogger(UpdateLine.class.getName()).log(SEVERE, "'projectID' was not provided."); + response.sendError(SC_BAD_REQUEST, "'projectID' parameter is missing."); return; } - String text = encoder().encodeForHTML(request.getParameter("text")); + String text = request.getParameter("text"); String comment = ""; int projectID = parseInt(request.getParameter("projectID")); int uid = parseInt(session.getAttribute("UID").toString()); 
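Review bot: The new guard clauses reject a missing `projectID`, but `int projectID = parseInt(request.getParameter("projectID"))` is still unguarded, so a non-numeric value bypasses the 400 path and surfaces as an uncaught NumberFormatException (a container 500). Wrap it: `int projectID; try { projectID = parseInt(request.getParameter("projectID")); } catch (NumberFormatException e) { response.sendError(SC_BAD_REQUEST, "'projectID' must be an integer."); return; }`. Reverting `text` to the raw parameter (undoing patch 01) is correct only if every renderer of transcription text encodes on output; state that contract here with `// stored raw; every consumer must HTML-encode on output`. `processRequest` continues beyond this hunk.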
@@ -59,22 +60,24 @@ protected void processRequest(HttpServletRequest request, HttpServletResponse re try { Project thisProject = new Project(projectID); if (request.getParameter("comment") != null) { - comment = encoder().encodeForHTML(request.getParameter("comment")); - } - if (line == null) { - if (new Group(thisProject.getGroupID()).isMember(uid)) { + if (line == null) { + if (!new Group(thisProject.getGroupID()).isMember(uid)) { + response.sendError(SC_FORBIDDEN, "User is not a member of the project group."); + return; + } thisProject.setLinebreakText(text); - } - } else { - if (new Group(thisProject.getGroupID()).isMember(uid)) { + out.print(encoder().decodeForHTML(thisProject.getLinebreakText())); + } else { + if (!new Group(thisProject.getGroupID()).isMember(uid)) { + response.sendError(SC_FORBIDDEN, "User is not a member of the project group."); + return; + } Transcription t = new Transcription(line); t.archive(); //create an archived version before making changes t.setText(text); t.setComment(comment); t.setCreator(uid); - out.print(encoder().decodeForHTML(new Transcription(line).getText())); - } else { - response.sendError(SC_FORBIDDEN); + out.print(encoder().decodeForHTML(t.getText())); } } } catch (SQLException e) { @@ -107,8 +110,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) * Handles the HTTP POST method. * @param request servlet request * @param response servlet response - * @throws ServletException if a servlet-specific error occurs - * @throws IOException if an I/O error occurs + * @throws ServletException if an I/O error occurs */ @Override protected void doPost(HttpServletRequest request, HttpServletResponse response) diff --git a/src/java/edu/slu/tpen/servlet/GetSharedProjectsByUserServlet.java b/src/java/edu/slu/tpen/servlet/GetSharedProjectsByUserServlet.java index 90fd6602..f569c5e5 100644 --- a/src/java/edu/slu/tpen/servlet/GetSharedProjectsByUserServlet.java 
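Review bot: The restructured body nests the entire `if (line == null) … else …` update inside `if (request.getParameter("comment") != null) {`, and the assignment `comment = request.getParameter("comment")` has been dropped, so a request without `comment` saves nothing and returns an empty 200, while a request with one always stores `comment` as `""`. Close that `if` immediately after restoring the assignment and move the `if (line == null)` block back to the enclosing level, keeping the new `!isMember(uid)` early returns. Separately, `out.print(encoder().decodeForHTML(t.getText()))` and the matching `getLinebreakText()` line echo user-supplied text to the response with entities decoded; unless the response is served as `text/plain` (not visible here) that is a reflected XSS sink, and the text should be written with `encodeForHTML` or as JSON. `processRequest` starts and ends outside this hunk.
```java
if (request.getParameter("comment") != null) {
    comment = request.getParameter("comment");
}
if (line == null) {
    // … unchanged: membership check, setLinebreakText, response …
} else {
    // … unchanged: membership check, archive, setText/setComment/setCreator, response …
}
```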
+++ b/src/java/edu/slu/tpen/servlet/GetSharedProjectsByUserServlet.java @@ -22,6 +22,7 @@ import net.sf.json.JSONObject; import static textdisplay.DatabaseWrapper.getConnection; import static user.Group.roles.Contributor; +import org.owasp.esapi.ESAPI; /** * Retrieve all a user's shared projects. @@ -42,6 +43,11 @@ public class GetSharedProjectsByUserServlet extends HttpServlet { */ protected void processRequest(HttpServletRequest request, HttpServletResponse response) { String uName = request.getParameter("username"); + if (uName == null || uName.trim().isEmpty() || !uName.matches("^[a-zA-Z0-9_]+$")) { + response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid username"); + return; + } + uName = ESAPI.encoder().encodeForHTML(uName); String query = "select p.id, p.name from groupmembers as gm, groups as g, project as p, users as u where gm.UID = u.UID and g.GID=gm.GID and p.grp=g.GID AND u.Uname = ? AND gm.role = ?"; Connection conn = getConnection(); try { From 7fb8292069db0f70d9a5aa205deb4621d88b1e79 Mon Sep 17 00:00:00 2001 From: cubap Date: Wed, 27 Nov 2024 12:53:54 -0600 Subject: [PATCH 10/13] xss cleanup --- src/java/servlets/validate.java | 3 +- web/WEB-INF/includes/projectPriority.jspf | 36 +++++++++++++++-------- web/js/transcription.js | 3 ++ web/uploadHeader.jsp | 7 ++--- web/uploadText.jsp | 29 +++++++++++------- 5 files changed, 48 insertions(+), 30 deletions(-) diff --git a/src/java/servlets/validate.java b/src/java/servlets/validate.java index 28e615ae..974eaca8 100644 --- a/src/java/servlets/validate.java +++ b/src/java/servlets/validate.java 
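Review bot: The new check `uName.matches("^[a-zA-Z0-9_]+$")` rejects every real account if usernames are e-mail addresses, which signup.jsp later in this series requires (`emailParam.contains("@") && emailParam.contains(".")` before `user.User.signup`), so this endpoint would answer 400 for all users. The following `uName = ESAPI.encoder().encodeForHTML(uName)` is misplaced as well: the value is bound to the `u.Uname = ?` placeholder, where HTML entities could only break the match, and after the regex it can never change anything. Drop the encoding line and either widen the pattern to the accepted username/e-mail syntax or keep just a length cap and let `PreparedStatement` binding do its job. Also, `response.sendError` throws `IOException` and the visible `processRequest` signature declares no `throws` clause, so this will not compile unless the exception is caught; the method body continues beyond the hunk.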
@@ -69,13 +69,12 @@ protected void processRequest(HttpServletRequest request, HttpServletResponse re schemaType=RELAXNG_COMPACT; XmlSchema s=new XmlSchema(p.getSchemaURL(),schemaType); - Manuscript ms=new Manuscript(5); String content=getFullDocument(p, remove,false,false,false); if(!(s.validate(content))) out.print("validation failed: "+s.getMessages()+"\n"); else out.print("valid"); - } catch (SAXException | SQLException ex) { + } catch (SAXException | SQLException | IOException ex) { getLogger(validate.class.getName()).log(SEVERE, null, ex); } diff --git a/web/WEB-INF/includes/projectPriority.jspf b/web/WEB-INF/includes/projectPriority.jspf index e5c40ab0..66312e6b 100644 --- a/web/WEB-INF/includes/projectPriority.jspf +++ b/web/WEB-INF/includes/projectPriority.jspf 
@@ -63,20 +63,30 @@ if (request.getParameter("priority")!=null){ var url = window.location.pathname; // Check for other parameters var append = new Array(); - <%if(request.getParameter("p") != null) { - out.println("append.push('p='+" - + request.getParameter("p") + ");"); - }else if(request.getParameter("pageno") != null) { - out.println("append.push('p='+" - + request.getParameter("pageno") + ");"); - }else if(request.getParameter("folio") != null) { - out.println("append.push('p='+" - + request.getParameter("folio") + ");"); - }; + <% + if(request.getParameter("p") != null) { + try { + int p = Integer.parseInt(request.getParameter("p")); + out.println("append.push('p='+" + p + ");"); + } catch (NumberFormatException e) { } + } else if(request.getParameter("pageno") != null) { + try { + int pageno = Integer.parseInt(request.getParameter("pageno")); + out.println("append.push('p='+" + pageno + ");"); + } catch (NumberFormatException e) { } + } else if(request.getParameter("folio") != null) { + try { + int folio = Integer.parseInt(request.getParameter("folio")); + out.println("append.push('p='+" + folio + ");"); + } catch (NumberFormatException e) { } + } if(request.getParameter("projectID") != null) { - out.println("append.push('projectID='+" - + request.getParameter("projectID") + ");"); - };%> + try { + int projectID = Integer.parseInt(request.getParameter("projectID")); + out.println("append.push('projectID='+" + projectID + ");"); + } catch (NumberFormatException e) { } + } + %> if (!isNaN($("#tabs").tabs("option","selected"))){ // Retain selected tab on page reload append.push("selecTab="+$("#tabs").tabs("option","selected")); diff --git a/web/js/transcription.js b/web/js/transcription.js index e93102f2..4eaf9df0 100644 --- a/web/js/transcription.js +++ b/web/js/transcription.js 
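Review bot: The `p`, `pageno`, `folio` and `projectID` branches each repeat the same parse-and-emit with an empty `catch (NumberFormatException e) { }`, which makes the scriptlet four times longer than needed and silently drops a malformed value. A helper in the page's declaration block, e.g. `private static String intParam(HttpServletRequest r, String name) { try { return r.getParameter(name) == null ? null : String.valueOf(Integer.parseInt(r.getParameter(name))); } catch (NumberFormatException e) { return null; } }`, lets each branch become a single `out.println` and keeps the numeric whitelist in one place. Replacing raw interpolation with `Integer.parseInt` is the right fix for script injection here; a one-line comment such as `// only numeric ids are emitted: these values are interpolated into an inline script` would record why parsing rather than encoding is used.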
@@ -3038,6 +3038,9 @@ var Data = { */ saveLine: function(transcription,notes,lineid,folioNum){ if(!isMember && !permitModify && !permitNotes)return false; + // avoid XSS and SQL injection + transcription = transcription.replace(/&/g, "&").replace(/"/g, """).replace(/'/g, "'"); + notes = notes.replace(//g, ">"); $.ajax({ url:"updateLine", type:"POST", diff --git a/web/uploadHeader.jsp b/web/uploadHeader.jsp index 5503e080..7d69039d 100644 --- a/web/uploadHeader.jsp +++ b/web/uploadHeader.jsp @@ -5,8 +5,7 @@ --%> <%@page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%> - + <% int UID = 0; if (session.getAttribute("UID") == null) @@ -35,9 +34,9 @@ int projectID=0; JSP Page -
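Review bot: The added replacements in `saveLine` are not a security control, since any client can POST to `updateLine` directly, so the comment `// avoid XSS and SQL injection` overstates what this code does; the server-side handling in UpdateLine is what must be relied on. As printed, `transcription.replace(/&/g, "&")` is a no-op and `notes.replace(//g, ">")` is a syntax error (`//` opens a comment), which suggests the entity references and `<` literals were lost in this copy — confirm what the committed file actually contains. Even with the intended `&amp;`/`&lt;`/`&gt;` replacements, encoding on the client and again on the server double-encodes the stored text; pick one side (the server), delete these three lines, and leave `// no client-side escaping: the server encodes on output` in their place. `saveLine` continues past the hunk.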
" ENCTYPE="multipart/form-data" method="POST"> + " enctype="multipart/form-data" method="POST">
-
+
diff --git a/web/uploadText.jsp b/web/uploadText.jsp index 2f294956..661fdaa9 100644 --- a/web/uploadText.jsp +++ b/web/uploadText.jsp @@ -21,18 +21,25 @@ int projectID=0; int p=0; String location = ""; - if(request.getParameter("projectID")!=null) - { - if (request.getParameter("p")!=null) p=Integer.parseInt(request.getParameter("p")); - projectID=Integer.parseInt(request.getParameter("projectID")); - location = (p>0) ? - "?projectID="+projectID+"&p="+p : - "?projectID="+projectID; - } - else{ - out.print("no project specified!"); +if (request.getParameter("projectID") == null) { + out.print("no project specified!"); + return; +} +try { + projectID = Integer.parseInt(request.getParameter("projectID")); +} catch (NumberFormatException e) { + out.print("Invalid project ID!"); + return; +} +if (request.getParameter("p") != null) { + try { + p = Integer.parseInt(request.getParameter("p")); + } catch (NumberFormatException e) { + location = "?projectID=" + projectID; return; - } + } +} +location = "?projectID=" + projectID + "&p=" + p; %> From 842c65ab04eacfcc1c9e71150aa4bf3c4409ed34 Mon Sep 17 00:00:00 2001 From: cubap Date: Wed, 27 Nov 2024 13:05:15 -0600 Subject: [PATCH 11/13] Update transcription.jsp --- web/transcription.jsp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/web/transcription.jsp b/web/transcription.jsp index 88289852..5a59a95d 100644 --- a/web/transcription.jsp +++ b/web/transcription.jsp @@ -692,7 +692,8 @@ filter: progid:DXImageTransform.Microsoft.gradient( startColorstr='#a64129', end out.println("nextFolio = \"" + thisProject.getFollowingPage(pageno) + "\";"); } if (request.getParameter("tool") != null){ - out.println("liveTool = '"+request.getParameter("tool")+"';"); + // XSS prevent on input + out.println("liveTool = '"+ESAPI.encoder().encodeForJavaScript(request.getParameter("tool"))+"';"); } if (request.getParameter("compareIndex") != null){ out.println("compareIndex = '"+request.getParameter("compareIndex")+"';"); 
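Review bot: In the new `p` handling a non-numeric `p` assigns `location` and then `return`s from the scriptlet, so the rest of uploadText.jsp is never rendered and a typo in an optional parameter yields a blank page; the original simply left `p = 0`. Replace the catch body with `p = 0;` and fall through. The final `location = "?projectID=" + projectID + "&p=" + p;` also changes behaviour: the old code emitted `?projectID=N` when `p` was absent or 0, the new code always appends `&p=0`, so keep the `(p > 0) ? … : …` form unless the consumer of `location` is known to accept `p=0`. The `Integer.parseInt` guards with a 400-style message are otherwise a sound replacement for the previous unchecked parse.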
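Review bot: `tool` is now passed through `ESAPI.encoder().encodeForJavaScript` before interpolation into the inline script, but the very next line, `out.println("compareIndex = '"+request.getParameter("compareIndex")+"';");`, keeps the same unencoded pattern, so a `compareIndex` containing `'` still breaks out of the string. Apply the same encoder there: `out.println("compareIndex = '"+ESAPI.encoder().encodeForJavaScript(request.getParameter("compareIndex"))+"';");`, and audit the remaining `out.println(... + request.getParameter(...)` sites in this script block beyond the hunk. The comment `// XSS prevent on input` is misleading because this is output encoding; `// encode for the JS string context before interpolating into the inline script` describes it accurately. Whether the page already imports `org.owasp.esapi.ESAPI` is not visible here.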
From 8da95fdfde83540ea891937bafd2613def675bb3 Mon Sep 17 00:00:00 2001 From: cubap Date: Wed, 27 Nov 2024 13:15:30 -0600 Subject: [PATCH 12/13] Update signup.jsp --- web/signup.jsp | 30 ++++++++++++------------------ 1 file changed, 12 insertions(+), 18 deletions(-) diff --git a/web/signup.jsp b/web/signup.jsp index be3263c5..cf03baf6 100644 --- a/web/signup.jsp +++ b/web/signup.jsp @@ -59,13 +59,12 @@

<% - if (request.getParameter("uname") != null - && request.getParameter("uname").contains("@") - && request.getParameter("uname").contains(".") - && request.getParameter("fname") != null - && request.getParameter("lname") != null) { + String emailParam = request.getParameter("uname"); + String fnameParam = request.getParameter("fname"); + String lnameParam = request.getParameter("lname"); + if (emailParam.contains("@") && emailParam.contains(".") && fnameParam != null && lnameParam != null) { //create a user with a blank password. Their password will be set when they are approved by an admin - int result = user.User.signup(request.getParameter("uname"), request.getParameter("lname"), request.getParameter("fname")); + int result = user.User.signup(emailParam, fnameParam, lnameParam); //total success if (result == 0) { out.println("

Your account was created. You will recieve an email from TPEN@t-pen.org when an administrator has activated your account. If your e-mail does not arrive, please verify that it has not been caught by a spam filter.

"); @@ -80,20 +79,15 @@ out.println("
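Review bot: The `request.getParameter("uname") != null` check was removed, so `emailParam.contains("@")` dereferences null on every plain visit to signup.jsp with no parameters, which is exactly the case in which the form is meant to render; that visit now ends in a NullPointerException. Restore the guard: `if (emailParam != null && emailParam.contains("@") && emailParam.contains(".") && fnameParam != null && lnameParam != null) {`. The call also changed from `signup(uname, lname, fname)` to `signup(emailParam, fnameParam, lnameParam)`; the parameter order of `user.User.signup` is not visible here, so confirm whether the swap is an intended fix or a regression. Trimming the three fields and capping their length before `signup` would be a cheap addition while this block is open.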

Account created but the emails could not be sent! Contact the TPEN team.

"); } } else { - if (request.getParameter("uname") != null){ out.println("

There was an error with your submission. Please check the form and try again.

"); - } %> -
- Email/>

- first name/>

- last name/>

+ + Email"/>

+ first name"/>

+ last name"/>

<%}%> From 365988d925cdb48f1e3bc91b7d209bb4a425a5d0 Mon Sep 17 00:00:00 2001 From: cubap Date: Wed, 27 Nov 2024 13:27:23 -0600 Subject: [PATCH 13/13] Update search.jsp --- web/search.jsp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/web/search.jsp b/web/search.jsp index 7b7c4262..3fd3bb7c 100644 --- a/web/search.jsp +++ b/web/search.jsp @@ -55,7 +55,10 @@ //Initialize search parameters, populate if available String searchWord=""; //query if (request.getParameter("searchWord") != null) { - searchWord = request.getParameter("searchWord"); + searchWord = request.getParameter("searchWord") + .replaceAll(".*?", "") // Remove script tags and content + .replaceAll("[<>]", "") // Remove angle brackets + .replaceAll("'", "''"); // Escape single quotes for SQL if(manuscript>0) searchWord += " AND manuscript:"+manuscript; if(projectID>0)
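Review bot: Dropping the `if (request.getParameter("uname") != null)` wrapper means the "There was an error with your submission" banner is now printed on every first visit to the sign-up form, not only after a failed submission. Keep it conditional on a submission having happened, e.g. `if (emailParam != null) {` around that `out.println`, reusing the variable introduced earlier in the page. The form markup in this hunk is garbled in this copy, so I cannot tell whether the `value="…"` attributes that echo `uname`/`fname`/`lname` are attribute-encoded; they must be (`Encode.forHtmlAttribute(...)`) or the sign-up page is a reflected XSS sink.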
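Review bot: `searchWord` is cleaned by blacklist (`replaceAll("[<>]", "")`) and then `replaceAll("'", "''")` under the comment `Escape single quotes for SQL`, which says the term is still concatenated into a query; quote doubling covers one vector only, and the later `" AND manuscript:"+manuscript` suggests a Lucene/Solr-style query string, where `''` is not an escape and the term is simply corrupted. Pass the query text through a parameterized query or the search library's own escaping helper and leave the term itself intact; XSS is addressed where `searchWord` is echoed into the page with `Encode.forHtml`, not by deleting angle brackets. The first `replaceAll` reads `".*?"` here — presumably `<script.*?</script>` with the tags lost in this copy — and as printed it is a no-op; a script-tag regex is not a reliable filter in any case. The scriptlet continues beyond the hunk.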