refactor(calm-hub): use centralized strict sanitization policy to prevent XSS

calm-hub/src/main/java/org/finos/calm/resources/CoreSchemaResource.java

@@ -14,9 +14,7 @@
 import org.finos.calm.security.CalmHubScopes;
 import org.finos.calm.security.PermittedScopes;
 import org.finos.calm.store.CoreSchemaStore;
-import org.owasp.html.HtmlPolicyBuilder;
 import org.owasp.html.PolicyFactory;
-
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.util.ArrayList;
@@ -25,7 +23,7 @@
 @Path("/calm/schemas")
 public class CoreSchemaResource {
 
-    private static final PolicyFactory STRICT_SANITIZATION_POLICY = new HtmlPolicyBuilder().toFactory();
+    private static final PolicyFactory STRICT_SANITIZATION_POLICY = ResourceValidationConstants.STRICT_SANITIZATION_POLICY;
 
     private final CoreSchemaStore coreSchemaStore;
 
@@ -139,4 +137,4 @@ public void setSchemas(Map<String, Object> schemas) {
             this.schemas = schemas;
         }
     }
-}
+}

calm-hub/src/test/java/org/finos/calm/resources/TestSanitizationSecurityShould.java

@@ -0,0 +1,43 @@
+package org.finos.calm.resources;
+
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.owasp.html.PolicyFactory;
+
+public class TestSanitizationSecurityShould {
+
+    @Test
+    void withstand_noscript_style_injection_attack() {
+        // This test verifies the fix for the specific vulnerability where allowTextIn("style") 
+        // combined with noscript tags could lead to XSS.
+        // The application uses a strict policy that should NOT be vulnerable.
+
+        PolicyFactory policy = ResourceValidationConstants.STRICT_SANITIZATION_POLICY;
+
+        String pocPayload1 = "<noscript><style></noscript><script>alert(1)</script>";
+        String sanitized1 = policy.sanitize(pocPayload1);
+
+        // The strict policy (default factory) should strip everything not allowed. 
+        // Since nothing is allowed, it should ideally be empty or just text content if any remains valid text.
+        // But definitively NO <script> tags should survive.
+        Assertions.assertFalse(sanitized1.contains("<script>"), "Sanitized output should not contain script tags: " + sanitized1);
+        Assertions.assertFalse(sanitized1.contains("alert(1)"), "Sanitized output should not contain executable code: " + sanitized1);
+
+        String pocPayload2 = "<p><style></p><script>alert(1)</script>";
+        String sanitized2 = policy.sanitize(pocPayload2);
+        Assertions.assertFalse(sanitized2.contains("<script>"), "Sanitized output should not contain script tags: " + sanitized2);
+        Assertions.assertFalse(sanitized2.contains("alert(1)"), "Sanitized output should not contain executable code: " + sanitized2);
+    }
+
+    @Test
+    void act_as_strict_policy() {
+        PolicyFactory policy = ResourceValidationConstants.STRICT_SANITIZATION_POLICY;
+
+        String input = "<div><b>bold</b><script>alert('xss')</script></div>";
+        String output = policy.sanitize(input);
+
+        // Default builder().toFactory() allows NO elements.
+        // So it should strip all tags.
+        Assertions.assertEquals("bold", output, "Strict policy should strip all tags");
+    }
+}