Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add toggle for policy validation #65

Closed
wants to merge 3 commits into from
Closed

Add toggle for policy validation #65

wants to merge 3 commits into from

Conversation

spassarop
Copy link
Collaborator

@spassarop spassarop commented Jan 18, 2021
edited
Loading

  • New static method on Policy to enable/disable schema validation. It's enabled by default.
  • Test added.
  • Removed unnecesary exception catch for code that was removed.

Just for the record, this is related to issue #58.

@spassarop
Add toggle for policy validation
69a12bb 
New static method on Policy to enable/disable schema validation.
It's enabled by default.
@spassarop
Change message for fail() on new test
b39d3ee
@kwwall
Copy link
Contributor

kwwall commented Jan 18, 2021

Works for me and ESAPI.
@davewichers - How soon are you planning on releasing an official 1.6.0 release for AntiSamy? If it is soon, I will hold off on my planned ESAPI release to address the Xerces fix. I'm pretty much ready to go except for writing up ESAPI release notes, but of course if I introduce AntiSamy 1.6 instead of 1.5.13 as I was planning, I'll probably make some additional minor tweaks to provide a mechanism to address this new static method to disable the XML validation check against the AntiSamy XSD.

@spassarop
Copy link
Collaborator Author

In my opinion, after this polishing to XSD validation, the only thing we could add to release is a cherry-pick from 1.5.13 and minor changes to remove some SpotBug warnings. So future changes can be applied over 1.6.x and we don’t need to release more intermediate 1.5.x branches.

@spassarop
Refactor to issue console warnings when validating schema
593c230 
This implementation ntends to follow this steps:
1) Parsing with schema validation on and, if successful, check is validation is disabled. If it is disabled then issue a warning that it should not be.
2) If validation fails, remember the exception and then try to instantiate the parser again with validation off. If that also fails, throw that exception. If it succeeds, extract the error message from the saved exception and issue that as a warning.

That procedure is just to try to help users with the policy change.
Eventually, the changes on this commit should be reverted to always validate.
@spassarop
Copy link
Collaborator Author

@davewichers, the changes on last commit seem to work. My mind broke refactoring to avoid copying code and I'm not sure this is the best approach/solution as Java is not my strength but looks and works ok.

Aside, the <include> tag on policies was not tested and it's not currently available on the XSD (its part of one possible flow on this changes). For that to work it should be added and somehow build a policy that uses them to test those cases. I've never seen a policy which includes others, I figure out looking at the code how it should be, but I don't even know if it's used.

@kwwall
Copy link
Contributor

kwwall commented Jan 23, 2021

Clearly the first thing to do would be to write a few test case for an"" tag. But since it is not in the presenting in the XSD, that's another good reason for providing a mechanism to disable the XML validation check. That is more likely to affect direct users of AntiSamy more than it is users of AntiSamy via ESAPI. I doubt ESAPI users were even aware you could include other policy files. I know I wasn't aware.

davewichers
davewichers reviewed Jan 23, 2021
View reviewed changes
src/main/java/org/owasp/validator/html/Policy.java
@@ -120,6 +120,8 @@
* XML Schema for policy validation
*/
private static Schema schema = null;
private static boolean validateSchema = true;
private static SAXException savedSchemaValidationException;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems strange to me to have this be a class variable. Can't it be passed as a parameter to the methods that need it from the caller?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would require an API change. All Policy.getPolicy() calls would need a new Boolean parameter to pass down and the method to enable/disable validation would be removed as it won’t be needed anymore.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry. I was referring to savedSchemaValidationException, not the boolean, which I think is fine. I'm testing/making changes and I'll address my concern if I easily can. Hold on for now.

davewichers added a commit that referenced this pull request Jan 25, 2021
@davewichers
Pull in pull request #65, modify to make it work the way I want it to…
64416f1 
… work, and check it in.

There are a number of ToDo's left for test case creation and JavaDocs needed for new methods.
@davewichers
Copy link
Collaborator

I pulled in this pull request manually, tested it, modified it, and then pushed the changes directly to the 1.6.0 branch, making this pull request obsolete. So I'm closing it. There are still a number of ToDos still left to be done.

@spassarop spassarop deleted the policy-xsd-disabling branch January 25, 2021 16:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@davewichers davewichers davewichers left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@spassarop @kwwall @davewichers