Vulnerability in the default error renderer #1366

- Added XSS functions
- Redo UrlParser

Author: jknack

jooby/pom.xml

@@ -93,6 +93,7 @@
                 <includes>
                   <include>org.ow2.asm:*</include>
                   <include>commons-io:*</include>
+                  <include>org.unbescape:*</include>
                 </includes>
               </artifactSet>
               <relocations>
@@ -101,8 +102,12 @@
                   <shadedPattern>${shaded.package}.asm</shadedPattern>
                 </relocation>
                 <relocation>
-                  <pattern>org.apache.commons.io</pattern>
-                  <shadedPattern>${shaded.package}.commonsio</shadedPattern>
+                  <pattern>org.apache.commons</pattern>
+                  <shadedPattern>${shaded.package}</shadedPattern>
+                </relocation>
+                <relocation>
+                  <pattern>org.unbescape</pattern>
+                  <shadedPattern>${shaded.package}</shadedPattern>
                 </relocation>
               </relocations>
             </configuration>
@@ -158,6 +163,14 @@
       <optional>true</optional>
     </dependency>
 
+    <!-- unbescape -->
+    <dependency>
+      <groupId>org.unbescape</groupId>
+      <artifactId>unbescape</artifactId>
+      <optional>true</optional>
+    </dependency>
+
+
     <!-- javax.inject -->
     <dependency>
       <groupId>javax.inject</groupId>

jooby/src/main/java/io/jooby/DefaultContext.java

@@ -128,7 +128,7 @@ public interface DefaultContext extends Context {
     String value = pathMap().get(name);
     return value == null
         ? new MissingValue(name)
-        : new SingleValue(name, UrlParser.decodePath(value));
+        : new SingleValue(name, UrlParser.decodePathSegment(value));
   }
 
   @Override @Nonnull default <T> T path(@Nonnull Reified<T> type) {

jooby/src/main/java/io/jooby/ErrorHandler.java

@@ -52,7 +52,7 @@ public interface ErrorHandler {
           .append("<hr>\n");
 
       if (message != null && !message.equals(statusCode.toString())) {
-        html.append("<h2>message: ").append(message).append("</h2>\n");
+        html.append("<h2>message: ").append(XSS.html(message)).append("</h2>\n");
       }
       html.append("<h2>status code: ").append(statusCode.value()).append("</h2>\n");
 
@@ -67,7 +67,7 @@ public interface ErrorHandler {
       String message = Optional.ofNullable(cause.getMessage()).orElse(statusCode.reason());
       ctx.setResponseType(json)
           .setResponseCode(statusCode)
-          .send("{\"message\":\"" + message + "\",\"statusCode\":" + statusCode.value()
+          .send("{\"message\":\"" + XSS.json(message) + "\",\"statusCode\":" + statusCode.value()
               + ",\"reason\":\"" + statusCode.reason() + "\"}");
     }
   };

jooby/src/main/java/io/jooby/XSS.java

@@ -0,0 +1,229 @@
+/**
+ * Jooby https://jooby.io
+ * Apache License Version 2.0 https://jooby.io/LICENSE.txt
+ * Copyright 2014 Edgar Espina
+ */
+package io.jooby;
+
+import org.unbescape.html.HtmlEscape;
+import org.unbescape.javascript.JavaScriptEscape;
+import org.unbescape.json.JsonEscape;
+import org.unbescape.uri.UriEscape;
+import org.unbescape.xml.XmlEscape;
+
+import javax.annotation.Nullable;
+
+/**
+ * Set of escaping routines for fixing cross-site scripting (XSS).
+ */
+public final class XSS {
+  private XSS() {}
+
+  /**
+   * <p>
+   *   Perform am URI path <strong>escape</strong> operation
+   *   on a <tt>String</tt> input using <tt>UTF-8</tt> as encoding.
+   * </p>
+   * <p>
+   *   The following are the only allowed chars in an URI path (will not be escaped):
+   * </p>
+   * <ul>
+   *   <li><tt>A-Z a-z 0-9</tt></li>
+   *   <li><tt>- . _ ~</tt></li>
+   *   <li><tt>! $ &amp; ' ( ) * + , ; =</tt></li>
+   *   <li><tt>: @</tt></li>
+   *   <li><tt>/</tt></li>
+   * </ul>
+   * <p>
+   *   All other chars will be escaped by converting them to the sequence of bytes that
+   *   represents them in the <tt>UTF-8</tt> and then representing each byte
+   *   in <tt>%HH</tt> syntax, being <tt>HH</tt> the hexadecimal representation of the byte.
+   * </p>
+   * <p>
+   *   This method is <strong>thread-safe</strong>.
+   * </p>
+   *
+   * @param value the <tt>String</tt> to be escaped.
+   * @return The escaped result <tt>String</tt>. As a memory-performance improvement, will return the exact
+   *         same object as the <tt>text</tt> input argument if no escaping modifications were required (and
+   *         no additional <tt>String</tt> objects will be created during processing). Will
+   *         return <tt>null</tt> if input is <tt>null</tt>.
+   */
+  public static @Nullable String uri(@Nullable String value) {
+    return UriEscape.escapeUriPath(value);
+  }
+
+  /**
+   * <p>
+   *   Perform an HTML5 level 2 (result is ASCII) <strong>escape</strong> operation on a <tt>String</tt> input.
+   * </p>
+   * <p>
+   *   <em>Level 2</em> means this method will escape:
+   * </p>
+   * <ul>
+   *   <li>The five markup-significant characters: <tt>&lt;</tt>, <tt>&gt;</tt>, <tt>&amp;</tt>,
+   *       <tt>&quot;</tt> and <tt>&#39;</tt></li>
+   *   <li>All non ASCII characters.</li>
+   * </ul>
+   * <p>
+   *   This escape will be performed by replacing those chars by the corresponding HTML5 Named Character References
+   *   (e.g. <tt>'&amp;acute;'</tt>) when such NCR exists for the replaced character, and replacing by a decimal
+   *   character reference (e.g. <tt>'&amp;#8345;'</tt>) when there there is no NCR for the replaced character.
+   * </p>
+   * <p>
+   *   This method is <strong>thread-safe</strong>.
+   * </p>
+   *
+   * @param value the <tt>String</tt> to be escaped.
+   * @return The escaped result <tt>String</tt>. As a memory-performance improvement, will return the exact
+   *         same object as the <tt>text</tt> input argument if no escaping modifications were required (and
+   *         no additional <tt>String</tt> objects will be created during processing). Will
+   *         return <tt>null</tt> if input is <tt>null</tt>.
+   */
+  public static @Nullable String html(@Nullable String value) {
+    return HtmlEscape.escapeHtml5(value);
+  }
+
+  /**
+   * <p>
+   *   Perform a JavaScript level 2 (basic set and all non-ASCII chars) <strong>escape</strong> operation
+   *   on a <tt>String</tt> input.
+   * </p>
+   * <p>
+   *   <em>Level 2</em> means this method will escape:
+   * </p>
+   * <ul>
+   *   <li>The JavaScript basic escape set:
+   *         <ul>
+   *           <li>The <em>Single Escape Characters</em>:
+   *               <tt>&#92;0</tt> (<tt>U+0000</tt>),
+   *               <tt>&#92;b</tt> (<tt>U+0008</tt>),
+   *               <tt>&#92;t</tt> (<tt>U+0009</tt>),
+   *               <tt>&#92;n</tt> (<tt>U+000A</tt>),
+   *               <tt>&#92;v</tt> (<tt>U+000B</tt>),
+   *               <tt>&#92;f</tt> (<tt>U+000C</tt>),
+   *               <tt>&#92;r</tt> (<tt>U+000D</tt>),
+   *               <tt>&#92;&quot;</tt> (<tt>U+0022</tt>),
+   *               <tt>&#92;&#39;</tt> (<tt>U+0027</tt>),
+   *               <tt>&#92;&#92;</tt> (<tt>U+005C</tt>) and
+   *               <tt>&#92;&#47;</tt> (<tt>U+002F</tt>).
+   *               Note that <tt>&#92;&#47;</tt> is optional, and will only be used when the <tt>&#47;</tt>
+   *               symbol appears after <tt>&lt;</tt>, as in <tt>&lt;&#47;</tt>. This is to avoid accidentally
+   *               closing <tt>&lt;script&gt;</tt> tags in HTML. Also, note that <tt>&#92;v</tt>
+   *               (<tt>U+000B</tt>) is actually included as a Single Escape
+   *               Character in the JavaScript (ECMAScript) specification, but will not be used as it
+   *               is not supported by Microsoft Internet Explorer versions &lt; 9.
+   *           </li>
+   *           <li>
+   *               Two ranges of non-displayable, control characters (some of which are already part of the
+   *               <em>single escape characters</em> list): <tt>U+0001</tt> to <tt>U+001F</tt> and
+   *               <tt>U+007F</tt> to <tt>U+009F</tt>.
+   *           </li>
+   *         </ul>
+   *   </li>
+   *   <li>All non ASCII characters.</li>
+   * </ul>
+   * <p>
+   *   This escape will be performed by using the Single Escape Chars whenever possible. For escaped
+   *   characters that do not have an associated SEC, default to using <tt>&#92;xFF</tt> Hexadecimal Escapes
+   *   if possible (characters &lt;= <tt>U+00FF</tt>), then default to <tt>&#92;uFFFF</tt>
+   *   Hexadecimal Escapes. This type of escape <u>produces the smallest escaped string possible</u>.
+   * </p>
+   * <p>
+   *   This method is <strong>thread-safe</strong>.
+   * </p>
+   *
+   * @param value the <tt>String</tt> to be escaped.
+   * @return The escaped result <tt>String</tt>. As a memory-performance improvement, will return the exact
+   *         same object as the <tt>text</tt> input argument if no escaping modifications were required (and
+   *         no additional <tt>String</tt> objects will be created during processing). Will
+   *         return <tt>null</tt> if input is <tt>null</tt>.
+   */
+  public static @Nullable String javaScript(@Nullable String value) {
+    return JavaScriptEscape.escapeJavaScript(value);
+  }
+
+  /**
+   * <p>
+   *   Perform a JSON level 2 (basic set and all non-ASCII chars) <strong>escape</strong> operation
+   *   on a <tt>String</tt> input.
+   * </p>
+   * <p>
+   *   <em>Level 2</em> means this method will escape:
+   * </p>
+   * <ul>
+   *   <li>The JSON basic escape set:
+   *         <ul>
+   *           <li>The <em>Single Escape Characters</em>:
+   *               <tt>&#92;b</tt> (<tt>U+0008</tt>),
+   *               <tt>&#92;t</tt> (<tt>U+0009</tt>),
+   *               <tt>&#92;n</tt> (<tt>U+000A</tt>),
+   *               <tt>&#92;f</tt> (<tt>U+000C</tt>),
+   *               <tt>&#92;r</tt> (<tt>U+000D</tt>),
+   *               <tt>&#92;&quot;</tt> (<tt>U+0022</tt>),
+   *               <tt>&#92;&#92;</tt> (<tt>U+005C</tt>) and
+   *               <tt>&#92;&#47;</tt> (<tt>U+002F</tt>).
+   *               Note that <tt>&#92;&#47;</tt> is optional, and will only be used when the <tt>&#47;</tt>
+   *               symbol appears after <tt>&lt;</tt>, as in <tt>&lt;&#47;</tt>. This is to avoid accidentally
+   *               closing <tt>&lt;script&gt;</tt> tags in HTML.
+   *           </li>
+   *           <li>
+   *               Two ranges of non-displayable, control characters (some of which are already part of the
+   *               <em>single escape characters</em> list): <tt>U+0000</tt> to <tt>U+001F</tt> (required
+   *               by the JSON spec) and <tt>U+007F</tt> to <tt>U+009F</tt> (additional).
+   *           </li>
+   *         </ul>
+   *   </li>
+   *   <li>All non ASCII characters.</li>
+   * </ul>
+   * <p>
+   *   This escape will be performed by using the Single Escape Chars whenever possible. For escaped
+   *   characters that do not have an associated SEC, default to <tt>&#92;uFFFF</tt>
+   *   Hexadecimal Escapes.
+   * </p>
+   * <p>
+   *   This method is <strong>thread-safe</strong>.
+   * </p>
+   *
+   * @param value the <tt>String</tt> to be escaped.
+   * @return The escaped result <tt>String</tt>. As a memory-performance improvement, will return the exact
+   *         same object as the <tt>text</tt> input argument if no escaping modifications were required (and
+   *         no additional <tt>String</tt> objects will be created during processing). Will
+   *         return <tt>null</tt> if input is <tt>null</tt>.
+   */
+  public static @Nullable String json(@Nullable String value) {
+    return JsonEscape.escapeJson(value);
+  }
+
+  /**
+   * <p>
+   *   Perform an XML 1.1 level 2 (markup-significant and all non-ASCII chars) <strong>escape</strong> operation
+   *   on a <tt>String</tt> input.
+   * </p>
+   * <p>
+   *   <em>Level 2</em> means this method will escape:
+   * </p>
+   * <ul>
+   *   <li>The five markup-significant characters: <tt>&lt;</tt>, <tt>&gt;</tt>, <tt>&amp;</tt>,
+   *       <tt>&quot;</tt> and <tt>&#39;</tt></li>
+   *   <li>All non ASCII characters.</li>
+   * </ul>
+   * <p>
+   *   This escape will be performed by replacing those chars by the corresponding XML Character Entity References
+   *   (e.g. <tt>'&amp;lt;'</tt>) when such CER exists for the replaced character, and replacing by a hexadecimal
+   *   character reference (e.g. <tt>'&amp;#x2430;'</tt>) when there there is no CER for the replaced character.
+   * </p>
+   * <p>
+   *   This method is <strong>thread-safe</strong>.
+   * </p>
+   *
+   * @param value the <tt>String</tt> to be escaped.
+   * @return The escaped result <tt>String</tt>. As a memory-performance improvement, will return the exact
+   *         same object as the <tt>text</tt> input argument if no escaping modifications were required (and
+   *         no additional <tt>String</tt> objects will be created during processing). Will
+   *         return <tt>null</tt> if input is <tt>null</tt>.
+   */
+  public static @Nullable String xml(@Nullable String value) {
+    return XmlEscape.escapeXml11(value);
+  }
+}