Skip to content

Commit eae25b6

Browse files
committed
[KNOWAGE-9198] Sanitize XML inputs and refactor DispatchContext decoding logic
1 parent 744f73c commit eae25b6

3 files changed

Lines changed: 208 additions & 158 deletions

File tree

knowage-core/src/main/java/it/eng/spagobi/services/scheduler/service/XSchedulerServiceSupplier.java

Lines changed: 53 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -17,10 +17,14 @@
1717
*/
1818
package it.eng.spagobi.services.scheduler.service;
1919

20+
import java.nio.charset.StandardCharsets;
2021
import java.util.ArrayList;
2122
import java.util.List;
23+
import java.util.regex.Matcher;
24+
import java.util.regex.Pattern;
2225

2326
import org.apache.commons.lang3.StringUtils;
27+
import org.apache.commons.text.StringEscapeUtils;
2428
import org.apache.log4j.Logger;
2529
import org.json.JSONArray;
2630
import org.json.JSONException;
@@ -238,8 +242,10 @@ public JSONObject scheduleJob2(String xmlRequest) {
238242
JSONObject resp = new JSONObject();
239243
Trigger trigger = null;
240244
try {
245+
String sanitizedXmlRequest = sanitizeXmlWithEmbeddedHtml(xmlRequest);
246+
241247
Deserializer deserializer = DeserializerFactory.getDeserializer("application/xml");
242-
trigger = (Trigger) deserializer.deserialize(xmlRequest, Trigger.class);
248+
trigger = (Trigger) deserializer.deserialize(sanitizedXmlRequest, Trigger.class);
243249

244250
schedulerDAO.saveTrigger(trigger);
245251

@@ -266,6 +272,52 @@ public JSONObject scheduleJob2(String xmlRequest) {
266272
return resp;
267273
}
268274

275+
private String sanitizeXmlWithEmbeddedHtml(String xmlContent) {
276+
if (xmlContent == null || xmlContent.isEmpty()) {
277+
return xmlContent;
278+
}
279+
280+
try {
281+
Pattern parameterPattern = Pattern.compile(
282+
"(<PARAMETER[^>]*value=\")([^\"]*?)(\")([^>]*/>)",
283+
Pattern.DOTALL
284+
);
285+
286+
Matcher matcher = parameterPattern.matcher(xmlContent);
287+
StringBuilder result = new StringBuilder();
288+
289+
while (matcher.find()) {
290+
String prefix = matcher.group(1);
291+
String value = matcher.group(2);
292+
String quote = matcher.group(3);
293+
String suffix = matcher.group(4);
294+
295+
if (containsHtmlTags(value)) {
296+
String decodedValue = java.net.URLDecoder.decode(value, StandardCharsets.UTF_8);
297+
String escapedValue = StringEscapeUtils.escapeXml11(decodedValue);
298+
String finalValue = java.net.URLEncoder.encode(escapedValue, StandardCharsets.UTF_8);
299+
matcher.appendReplacement(result, prefix + finalValue + quote + suffix);
300+
} else {
301+
matcher.appendReplacement(result, matcher.group(0));
302+
}
303+
}
304+
matcher.appendTail(result);
305+
306+
return result.toString();
307+
308+
} catch (Exception e) {
309+
LOGGER.warn("Error sanitizing XML content, returning original: " + e.getMessage());
310+
return xmlContent;
311+
}
312+
}
313+
314+
private boolean containsHtmlTags(String value) {
315+
// Simple check for HTML tags in the value
316+
return value.contains("<") && value.contains(">");
317+
}
318+
319+
320+
269321
@Override
270322
public String existJobDefinition(String jobName, String jobGroupName) {
271323
StringBuilder buffer;

0 commit comments

Comments
 (0)