[IMIS] Use Jsoup instead of StringEscapeUtils to sanitize inputs and prevent XSS attacks SORMAS-Foundation#3389 (SORMAS-Foundation#3448)

* replace stringescapeutils with jsoup SORMAS-Foundation#3389

* Replace escapeHtml4 with jsoup.clean SORMAS-Foundation#3389

* Introduce whitelist constant for actions (SORMAS-Foundation#3389)

* modified escaping to be more accurate SORMAS-Foundation#3389

* Move Jsoup.clean to helper method HtmlHelper.cleanHtml SORMAS-Foundation#3389

* make null check inline SORMAS-Foundation#3389

* Merge branch 'development' into feature-3389-jsoup-xss-prevention

Co-authored-by: syntakker <[email protected]>

Author: DavidBaldsiefen

sormas-api/pom.xml

@@ -67,6 +67,11 @@
 			<artifactId>simmetrics-core</artifactId>
 		</dependency>
 
+		<dependency>
+			<groupId>org.jsoup</groupId>
+			<artifactId>jsoup</artifactId>
+		</dependency>
+
 	</dependencies>
 
 </project>

sormas-api/src/main/java/de/symeda/sormas/api/caze/classification/ClassificationHtmlRenderer.java

@@ -17,14 +17,11 @@
  *******************************************************************************/
 package de.symeda.sormas.api.caze.classification;
 
-import static de.symeda.sormas.api.utils.HtmlHelper.escapeAndUnescapeBasicTags;
-import static de.symeda.sormas.api.utils.HtmlHelper.unescapeBasicTags;
-
 import java.util.Date;
 import java.util.List;
 
 import org.apache.commons.lang3.StringUtils;
-import org.apache.commons.text.StringEscapeUtils;
+import org.jsoup.safety.Whitelist;
 
 import de.symeda.sormas.api.Disease;
 import de.symeda.sormas.api.FacadeProvider;
@@ -34,6 +31,7 @@
 import de.symeda.sormas.api.i18n.Strings;
 import de.symeda.sormas.api.utils.DataHelper;
 import de.symeda.sormas.api.utils.DateHelper;
+import de.symeda.sormas.api.utils.HtmlHelper;
 import de.symeda.sormas.api.utils.InfoProvider;
 
 /**
@@ -176,7 +174,7 @@ public static String createHtmlForDownload(String sormasServerUrl, List<Disease>
 		html.append("<h1 style=\"text-align: center; color: #005A9C;\">").append(I18nProperties.getString(Strings.classificationClassificationRules)).append("</h1>");
 		html.append("<h4 style=\"text-align: center;\">")
 				.append(I18nProperties.getString(Strings.classificationGeneratedFor))
-				.append(" ").append(StringEscapeUtils.escapeHtml4(InfoProvider.get().getVersion()))
+				.append(" ").append(HtmlHelper.cleanHtml(InfoProvider.get().getVersion()))
 				.append(StringUtils.wrap(I18nProperties.getString(Strings.on), " "))
 				.append(sormasServerUrl).append(StringUtils.wrap(I18nProperties.getString(Strings.at), " "))
 				.append(DateHelper.formatLocalDateTime(new Date(), language)).append("</h4>");
@@ -241,7 +239,7 @@ private static String buildSubCriteriaDiv(
 		for (ClassificationCriteriaDto subCriteria : ((ClassificationCollectiveCriteria) criteria).getSubCriteria()) {
 			if (!(subCriteria instanceof ClassificationCollectiveCriteria) || subCriteria instanceof ClassificationCompactCriteria) {
 				// For non-collective or compact collective criteria, add the description as a list item
-				subCriteriaSb.append("- " + escapeAndUnescapeBasicTags(subCriteria.buildDescription() + "</br>"));
+				subCriteriaSb.append("- " + HtmlHelper.cleanHtml(subCriteria.buildDescription(), Whitelist.basic()) + "</br>");
 			} else if (subCriteria instanceof ClassificationCollectiveCriteria
 				&& !(subCriteria instanceof ClassificationAllOfCriteriaDto)
 				&& !(subCriteria.getClass() == ClassificationXOfCriteriaDto.class)) {
@@ -273,7 +271,7 @@ private static String createSurroundingDiv(ClassificationCriteriaType criteriaTy
 		//@formatter:off
 		return "<div class='classification-rules'>"
 				+ "<div class='main-criteria main-criteria-"
-				+ StringEscapeUtils.escapeHtml4(criteriaType.toString())
+				+ HtmlHelper.cleanHtml(criteriaType.toString())
 				+ "'>"
 				+ content
 				+ "</div></div>";
@@ -287,7 +285,7 @@ private static String createHeadlineDiv(String headline) {
 
 		//@formatter:off
 		return "<div class='headline'>"
-				+ StringEscapeUtils.escapeHtml4(headline)
+				+ HtmlHelper.cleanHtml(headline, Whitelist.basic())
 				+ "</div>";
 		//@formatter:on
 	}
@@ -296,13 +294,12 @@ private static String createHeadlineDiv(String headline) {
 	 * Creates a div containing an info text.
 	 */
 	private static String createInfoDiv() {
-		return unescapeBasicTags(StringEscapeUtils.escapeHtml4(I18nProperties.getString(Strings.classificationInfoText)));
+		return HtmlHelper.cleanI18nString(I18nProperties.getString(Strings.classificationInfoText));
 	}
 
 	private static String createInfoDiv(int requirementsNumber) {
-		return unescapeBasicTags(
-			StringEscapeUtils.escapeHtml4(
-				String.format(I18nProperties.getString(Strings.classificationInfoNumberText), DataHelper.parseNumberToString(requirementsNumber))));
+		return HtmlHelper.cleanI18nString(
+			String.format(I18nProperties.getString(Strings.classificationInfoNumberText), DataHelper.parseNumberToString(requirementsNumber)));
 	}
 
 	/**
@@ -334,7 +331,7 @@ private static String createSubCriteriaSurroundingDiv(String content) {
 	 * Specific tags are allowed to be contained in i18n strings and are thus unescaped
 	 */
 	private static String createCriteriaItemDiv(String text) {
-		return unescapeBasicTags(StringEscapeUtils.escapeHtml4(text) + "<br>");
+		return (HtmlHelper.cleanHtml(text, Whitelist.basic()) + "<br>");
 	}
 
 	private enum ClassificationCriteriaType {

sormas-api/src/main/java/de/symeda/sormas/api/utils/HtmlHelper.java

@@ -1,35 +1,45 @@
+/*******************************************************************************
+ * SORMAS® - Surveillance Outbreak Response Management & Analysis System
+ * Copyright © 2016-2018 Helmholtz-Zentrum für Infektionsforschung GmbH (HZI)
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *******************************************************************************/
 package de.symeda.sormas.api.utils;
 
-import org.apache.commons.text.StringEscapeUtils;
+import org.jsoup.Jsoup;
+import org.jsoup.safety.Whitelist;
 
+// This class provides general XSS-Prevention methods using Jsoup.clean
 public class HtmlHelper {
 
-	// unescape specific tags (<b>,<i>,<br>,<li>,<ul>) escaped using StringEscapeUtils.escapeHtml4(String)
-	public static String unescapeBasicTags(String escapedString) {
-		String res = escapedString;
+	public static final Whitelist EventActionWhitelist =
+		Whitelist.relaxed().addTags("hr", "font").addAttributes("font", "size", "face", "color").addAttributes("div", "align");
 
-		// <b> Tags
-		res = res.replaceAll("&lt;b&gt;", "<b>");
-		res = res.replaceAll("&lt;/b&gt;", "</b>");
-		// <i> Tags
-		res = res.replaceAll("&lt;i&gt;", "<i>");
-		res = res.replaceAll("&lt;/i&gt;", "</i>");
-		// <ul> Tags
-		res = res.replaceAll("&lt;ul&gt;", "<ul>");
-		res = res.replaceAll("&lt;/ul&gt;", "</ul>");
-		// <li> Tags
-		res = res.replaceAll("&lt;li&gt;", "<li>");
-		res = res.replaceAll("&lt;/li&gt;", "</li>");
-		// <br> Tags
-		res = res.replaceAll("&lt;br&gt;", "<br>");
-		res = res.replaceAll("&lt;/br&gt;", "<br>");
-		res = res.replaceAll("&lt;br/&gt;", "<br>");
+	public static String cleanHtml(String string) {
+		return (string == null) ? "" : Jsoup.clean(string, Whitelist.none());
+	}
+
+	public static String cleanHtml(String string, Whitelist whitelist) {
+		return (string == null) ? "" : Jsoup.clean(string, whitelist);
+	}
 
-		return res;
+	// this method should be used for i18n-strings and captions so that custom whitelist rules can be added when needed
+	public static String cleanI18nString(String string) {
+		return (string == null) ? "" : Jsoup.clean(string, Whitelist.basic());
 	}
 
-	// escapes html4 and then unescapes specific tags
-	public static String escapeAndUnescapeBasicTags(String text) {
-		return unescapeBasicTags(StringEscapeUtils.escapeHtml4(text));
+	public static String cleanHtmlRelaxed(String string) {
+		return (string == null) ? "" : Jsoup.clean(string, Whitelist.relaxed());
 	}
 }

sormas-backend/src/main/java/de/symeda/sormas/backend/campaign/form/CampaignFormMetaFacadeEjb.java

@@ -20,7 +20,6 @@
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang3.ArrayUtils;
 import org.apache.commons.lang3.StringUtils;
-import org.jsoup.Jsoup;
 import org.jsoup.safety.Whitelist;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
@@ -34,6 +33,7 @@
 import de.symeda.sormas.api.campaign.form.CampaignFormTranslations;
 import de.symeda.sormas.api.i18n.I18nProperties;
 import de.symeda.sormas.api.i18n.Validations;
+import de.symeda.sormas.api.utils.HtmlHelper;
 import de.symeda.sormas.api.utils.ValidationRuntimeException;
 import de.symeda.sormas.backend.user.UserService;
 import de.symeda.sormas.backend.util.DtoHelper;
@@ -224,7 +224,7 @@ public void validateAndClean(CampaignFormMetaDto campaignFormMetaDto) throws Val
 			if (StringUtils.isNotBlank(element.getCaption())) {
 				Whitelist whitelist = Whitelist.none();
 				whitelist.addTags(CampaignFormElement.ALLOWED_HTML_TAGS);
-				element.setCaption(Jsoup.clean(element.getCaption(), whitelist));
+				element.setCaption(HtmlHelper.cleanHtml(element.getCaption(), whitelist));
 			}
 
 			// Validate form elements
@@ -250,7 +250,7 @@ public void validateAndClean(CampaignFormMetaDto campaignFormMetaDto) throws Val
 					if (StringUtils.isNotBlank(e.getCaption())) {
 						Whitelist whitelist = Whitelist.none();
 						whitelist.addTags(CampaignFormElement.ALLOWED_HTML_TAGS);
-						e.setCaption(Jsoup.clean(e.getCaption(), whitelist));
+						e.setCaption(HtmlHelper.cleanHtml(e.getCaption(), whitelist));
 					}
 				});
 			}

sormas-ui/src/main/java/de/symeda/sormas/ui/action/ActionListEntry.java

@@ -19,8 +19,7 @@
 
 import java.util.Optional;
 
-import org.jsoup.Jsoup;
-import org.jsoup.safety.Whitelist;
+import static de.symeda.sormas.api.utils.HtmlHelper.cleanHtml;
 
 import com.google.common.base.MoreObjects;
 import com.google.common.base.Strings;
@@ -39,6 +38,7 @@
 import de.symeda.sormas.api.i18n.Captions;
 import de.symeda.sormas.api.i18n.I18nProperties;
 import de.symeda.sormas.api.utils.DataHelper;
+import de.symeda.sormas.api.utils.HtmlHelper;
 import de.symeda.sormas.ui.utils.ButtonHelper;
 import de.symeda.sormas.ui.utils.CssStyles;
 import de.symeda.sormas.ui.utils.DateFormatHelper;
@@ -82,15 +82,11 @@ public ActionListEntry(ActionDto action) {
 		descReplyLayout.addStyleName(CssStyles.RICH_TEXT_CONTENT_CONTAINER);
 		withContentLayout.addComponents(descReplyLayout);
 
-		Whitelist whitelist = Whitelist.relaxed();
-		whitelist.addTags("hr", "font");
-		whitelist.addAttributes("font", "size", "face", "color");
-		whitelist.addAttributes("div", "align");
-		Label description = new Label(Jsoup.clean(Optional.ofNullable(action.getDescription()).orElse(""), whitelist), ContentMode.HTML);
+		Label description = new Label(cleanHtml(action.getDescription(), HtmlHelper.EventActionWhitelist), ContentMode.HTML);
 		description.setWidth(100, Unit.PERCENTAGE);
 		descReplyLayout.addComponent(description);
 		if (!Strings.isNullOrEmpty(action.getReply())) {
-			Label replyLabel = new Label(Jsoup.clean(Optional.ofNullable(action.getReply()).orElse(""), whitelist), ContentMode.HTML);
+			Label replyLabel = new Label(cleanHtml(action.getReply(), HtmlHelper.EventActionWhitelist), ContentMode.HTML);
 			replyLabel.setWidth(100, Unit.PERCENTAGE);
 			replyLabel.addStyleName(CssStyles.REPLY);
 			descReplyLayout.addComponent(replyLabel);

sormas-ui/src/main/java/de/symeda/sormas/ui/configuration/linelisting/LineListingActiveDistrictsLayout.java

@@ -9,9 +9,9 @@
 import de.symeda.sormas.api.feature.FeatureConfigurationIndexDto;
 import de.symeda.sormas.api.i18n.I18nProperties;
 import de.symeda.sormas.api.i18n.Strings;
+import de.symeda.sormas.api.utils.HtmlHelper;
 import de.symeda.sormas.ui.utils.CssStyles;
 import de.symeda.sormas.ui.utils.DateFormatHelper;
-import org.apache.commons.text.StringEscapeUtils;
 
 @SuppressWarnings("serial")
 public class LineListingActiveDistrictsLayout extends CssLayout {
@@ -28,7 +28,7 @@ private void buildLayout() {
 
 		for (FeatureConfigurationIndexDto config : configurations) {
 			StringBuilder captionBuilder = new StringBuilder();
-			captionBuilder.append("<b>").append(StringEscapeUtils.escapeHtml4(config.getDistrictName())).append("</b><br/>");
+			captionBuilder.append("<b>").append(HtmlHelper.cleanHtml(config.getDistrictName())).append("</b><br/>");
 			if (config.getEndDate() != null) {
 				captionBuilder.append(I18nProperties.getString(Strings.until)).append(" ").append(DateFormatHelper.formatDate(config.getEndDate()));
 			} else {

sormas-ui/src/main/java/de/symeda/sormas/ui/configuration/linelisting/LineListingConfigurationEditLayout.java

@@ -22,9 +22,9 @@
 import de.symeda.sormas.api.i18n.Captions;
 import de.symeda.sormas.api.i18n.I18nProperties;
 import de.symeda.sormas.api.i18n.Strings;
+import de.symeda.sormas.api.utils.HtmlHelper;
 import de.symeda.sormas.ui.utils.ButtonHelper;
 import de.symeda.sormas.ui.utils.CssStyles;
-import org.apache.commons.text.StringEscapeUtils;
 
 @SuppressWarnings("serial")
 public class LineListingConfigurationEditLayout extends VerticalLayout {
@@ -67,7 +67,7 @@ private void buildLayout() {
 					I18nProperties.getString(
 						regionName != null ? Strings.infoLineListingConfigurationRegionEdit : Strings.infoLineListingConfigurationNationEdit),
 					disease.toString(),
-					StringEscapeUtils.escapeHtml4(regionName)),
+					HtmlHelper.cleanHtml(regionName)),
 			ContentMode.HTML);
 		CssStyles.style(lblInfo, CssStyles.VSPACE_4);
 		addComponent(lblInfo);

sormas-ui/src/main/java/de/symeda/sormas/ui/events/EventController.java

@@ -56,6 +56,7 @@
 import de.symeda.sormas.api.user.UserReferenceDto;
 import de.symeda.sormas.api.user.UserRight;
 import de.symeda.sormas.api.utils.DataHelper;
+import de.symeda.sormas.api.utils.HtmlHelper;
 import de.symeda.sormas.ui.SormasUI;
 import de.symeda.sormas.ui.UserProvider;
 import de.symeda.sormas.ui.events.eventLink.EventSelectionField;
@@ -494,7 +495,7 @@ public void deleteAllSelectedItems(Collection<EventIndexDto> selectedRows, Runna
 								String.format(
 									I18nProperties.getString(Strings.messageCountEventsNotDeleted),
 									String.format("<b>%s</b>", countNotDeletedEvents),
-									String.format("<b>%s</b>", StringEscapeUtils.escapeHtml4(nonDeletableEvents.toString()))),
+									String.format("<b>%s</b>", HtmlHelper.cleanHtml(nonDeletableEvents.toString()))),
 								I18nProperties.getString(Strings.messageEventsNotDeletedReason)),
 							ContentMode.HTML);
 						response.setWidth(600, Sizeable.Unit.PIXELS);

sormas-ui/src/main/java/de/symeda/sormas/ui/utils/CaseUuidRenderer.java

@@ -26,8 +26,8 @@
 import de.symeda.sormas.api.i18n.I18nProperties;
 import de.symeda.sormas.api.i18n.Strings;
 import de.symeda.sormas.api.utils.DataHelper;
+import de.symeda.sormas.api.utils.HtmlHelper;
 import elemental.json.JsonValue;
-import org.apache.commons.text.StringEscapeUtils;
 
 @SuppressWarnings("serial")
 public class CaseUuidRenderer extends HtmlRenderer {
@@ -48,7 +48,7 @@ public JsonValue encode(String value) {
 		}
 
 		if (value != null && !value.isEmpty()) {
-			value = "<a title='" + value + "'>" + StringEscapeUtils.escapeHtml4(DataHelper.getShortUuid(value)) + "</a>";
+			value = "<a title='" + value + "'>" + HtmlHelper.cleanHtml(DataHelper.getShortUuid(value)) + "</a>";
 			return super.encode(value);
 		} else {
 			return null;

sormas-ui/src/main/java/de/symeda/sormas/ui/utils/CollectionValueProvider.java

@@ -20,7 +20,8 @@
 import java.util.Collection;
 
 import com.vaadin.data.ValueProvider;
-import org.apache.commons.text.StringEscapeUtils;
+
+import de.symeda.sormas.api.utils.HtmlHelper;
 
 /**
  * A ValueProvider that allows displaying a collection as a comma separated list of
@@ -44,7 +45,7 @@ public String apply(T source) {
 			b.append(", ");
 		}
 		if (b.length() >= 2) {
-			return StringEscapeUtils.escapeHtml4(b.substring(0, b.length() - 2));
+			return HtmlHelper.cleanHtml(b.substring(0, b.length() - 2));
 		}
 		return "";
 	}