Skip to content

Commit

Permalink
Fixes Issue #1211 (#1237)
Browse files Browse the repository at this point in the history
Co-authored-by: Aaron Klish <[email protected]>
  • Loading branch information
aklish and Aaron Klish authored Mar 26, 2020
1 parent 7239e47 commit d56cf07
Show file tree
Hide file tree
Showing 3 changed files with 21 additions and 3 deletions.
7 changes: 7 additions & 0 deletions elide-spring/elide-spring-boot-autoconfigure/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,13 @@
<optional>true</optional>
</dependency>

<dependency>
<groupId>org.owasp.encoder</groupId>
<artifactId>encoder</artifactId>
<version>1.2.2</version>
<optional>true</optional>
</dependency>

<dependency>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-core</artifactId>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@

import com.yahoo.elide.contrib.swagger.SwaggerBuilder;

import org.owasp.encoder.Encode;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
import org.springframework.context.annotation.Configuration;
Expand Down Expand Up @@ -82,10 +83,11 @@ public ResponseEntity<String> list() {
*/
@GetMapping(value = "/{name}", produces = JSON_CONTENT_TYPE)
public ResponseEntity<String> list(@PathVariable("name") String name) {
String encodedName = Encode.forHtml(name);

if (documents.containsKey(name)) {
return ResponseEntity.status(HttpStatus.OK).body(documents.get(name));
if (documents.containsKey(encodedName)) {
return ResponseEntity.status(HttpStatus.OK).body(documents.get(encodedName));
}
return ResponseEntity.status(404).body("Unknown document: " + name);
return ResponseEntity.status(404).body("Unknown document: " + encodedName);
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -245,6 +245,15 @@ public void swaggerDocumentTest() {
.statusCode(HttpStatus.SC_OK);
}

@Test
public void swaggerXSSDocumentTest() {
when()
.get("/doc/<script>")
.then()
.statusCode(HttpStatus.SC_NOT_FOUND)
.body(equalTo("Unknown document: &lt;script&gt;"));
}

@Test
public void graphqlTestForbiddenCreate() {
ArtifactGroup group = new ArtifactGroup();
Expand Down

0 comments on commit d56cf07

Please sign in to comment.