From 867a7b57aac83b83dd1e99942f6342389affa89d Mon Sep 17 00:00:00 2001
From: Zipeng WU
Date: Thu, 15 Dec 2022 11:24:01 +0100
Subject: [PATCH] SONAR-17579 add security Link attributes noopener and noreferrer
---
 server/sonar-webserver-api/p1.jar | 0
 server/sonar-webserver-api/p2.jar | 0
 .../org/sonar/server/setting/ws/LoginMessageActionTest.java | 2 +-
 .../java/org/sonar/server/setting/ws/ValuesActionTest.java | 2 +-
 .../src/main/java/org/sonar/markdown/HtmlLinkChannel.java | 2 +-
 .../src/main/java/org/sonar/markdown/HtmlUrlChannel.java | 6 +++++-
 .../src/test/java/org/sonar/markdown/MarkdownTest.java | 4 ++--
 7 files changed, 10 insertions(+), 6 deletions(-)
 create mode 100644 server/sonar-webserver-api/p1.jar
 create mode 100644 server/sonar-webserver-api/p2.jar
diff --git a/server/sonar-webserver-api/p1.jar b/server/sonar-webserver-api/p1.jar
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/server/sonar-webserver-api/p2.jar b/server/sonar-webserver-api/p2.jar
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/setting/ws/LoginMessageActionTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/setting/ws/LoginMessageActionTest.java
index 60090a6bad6..08448c9f944 100644
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/setting/ws/LoginMessageActionTest.java
+++ b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/setting/ws/LoginMessageActionTest.java
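Review bot: The two new files server/sonar-webserver-api/p1.jar and server/sonar-webserver-api/p2.jar have nothing to do with the subject line, the diffstat lists them at 0 and their index line `00000000000..e69de29bb2d` is git's empty blob, so they look like accidental additions that should be dropped before merge. Even empty, binary artifacts checked into a server module are worth a second look in review, because a later non-empty change to an already-tracked jar path reads as a routine update rather than as a new dependency. If they are intentional fixtures, a sentence in the commit message saying what produces or consumes them would remove the doubt.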
@@ -43,7 +43,7 @@ public class LoginMessageActionTest {
 private final LoginMessageAction underTest = new LoginMessageAction(dbClient, loginMessageFeature);
 private final WsActionTester ws = new WsActionTester(underTest);
 private static final String LOGIN_MESSAGE_TEXT = "test link [SonarQube™ Home Page](https://www.sonarqube.org)\n* list 1\n* list 2";
- private static final String FORMATTED_LOGIN_MESSAGE_TEXT = "test link \\u003ca href\\u003d\\\"https://www.sonarqube.org\\\" target\\u003d\\\"_blank\\\"\\u003eSonarQube\\u0026trade; Home Page\\u003c/a\\u003e\\u003cbr/\\u003e\\u003cul\\u003e\\u003cli\\u003elist 1\\u003c/li\\u003e\\n\\u003cli\\u003elist 2\\u003c/li\\u003e\\u003c/ul\\u003e";
+ private static final String FORMATTED_LOGIN_MESSAGE_TEXT = "test link \\u003ca href\\u003d\\\"https://www.sonarqube.org\\\" target\\u003d\\\"_blank\\\" rel\\u003d\\\"noopener noreferrer\\\"\\u003eSonarQube\\u0026trade; Home Page\\u003c/a\\u003e\\u003cbr/\\u003e\\u003cul\\u003e\\u003cli\\u003elist 1\\u003c/li\\u003e\\n\\u003cli\\u003elist 2\\u003c/li\\u003e\\u003c/ul\\u003e";
 private static final String JSON_RESPONSE = "{\"message\":\"" + FORMATTED_LOGIN_MESSAGE_TEXT + "\"}";
 private static final String EMPTY_JSON_RESPONSE = "{\"message\":\"\"}";
 private PropertiesDao propertiesDao;
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/setting/ws/ValuesActionTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/setting/ws/ValuesActionTest.java
index 235be1d3c35..e82dfea34c7 100644
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/setting/ws/ValuesActionTest.java
+++ b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/setting/ws/ValuesActionTest.java
@@ -124,7 +124,7 @@ public class ValuesActionTest {
 assertThat(value.getKey()).isEqualTo(propertyKey);
 assertThat(value.getValues().getValuesList())
 .hasSize(2)
- .containsExactly("[link](https://link.com)", "link");
+ .containsExactly("[link](https://link.com)", "link");
 }
 @Test
diff --git a/sonar-markdown/src/main/java/org/sonar/markdown/HtmlLinkChannel.java b/sonar-markdown/src/main/java/org/sonar/markdown/HtmlLinkChannel.java
index cccae47ce95..66e88e15c5f 100644
--- a/sonar-markdown/src/main/java/org/sonar/markdown/HtmlLinkChannel.java
+++ b/sonar-markdown/src/main/java/org/sonar/markdown/HtmlLinkChannel.java
@@ -49,7 +49,7 @@ class HtmlLinkChannel extends RegexChannel {
 String url = matcher.group(2);
 output.append("");
+ output.append("\" target=\"_blank\" rel=\"noopener noreferrer\">");
 output.append(content);
 output.append("");
 }
diff --git a/sonar-markdown/src/main/java/org/sonar/markdown/HtmlUrlChannel.java b/sonar-markdown/src/main/java/org/sonar/markdown/HtmlUrlChannel.java
index 5aadee1a0fb..50424d4b0c3 100644
--- a/sonar-markdown/src/main/java/org/sonar/markdown/HtmlUrlChannel.java
+++ b/sonar-markdown/src/main/java/org/sonar/markdown/HtmlUrlChannel.java
@@ -33,6 +33,10 @@ class HtmlUrlChannel extends RegexChannel {
 @Override
 protected void consume(CharSequence token, MarkdownOutput output) {
- output.append("" + token + "");
+ output.append("");
+ output.append(token);
+ output.append("");
 }
 }
diff --git a/sonar-markdown/src/test/java/org/sonar/markdown/MarkdownTest.java b/sonar-markdown/src/test/java/org/sonar/markdown/MarkdownTest.java
index d0c64578bb2..b4838a12d8d 100644
--- a/sonar-markdown/src/test/java/org/sonar/markdown/MarkdownTest.java
+++ b/sonar-markdown/src/test/java/org/sonar/markdown/MarkdownTest.java
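Review bot: In the HtmlLinkChannel hunk `url` from `matcher.group(2)` is still appended into the href attribute with no scheme check or attribute escaping visible here, so the added `rel="noopener noreferrer"` narrows what the opened page can do with `window.opener` and what the Referer header reveals, but it does not control which link target gets emitted; HtmlUrlChannel on this page appends `token` the same way. The updated tests cover the login message and property values, which suggests the markdown source can be user-supplied, so unless an earlier channel already restricts link targets a `javascript:` target or an unescaped quote in the URL would still reach the generated anchor; an allowlist such as `if (!url.startsWith("http://") && !url.startsWith("https://")) { output.append(content); return; }` ahead of the anchor output, or a comment naming where the URL is validated, would settle that — the regex feeding HtmlUrlChannel is outside its hunk, so I cannot confirm it here. The attribute string `"\" target=\"_blank\" rel=\"noopener noreferrer\">"` is now repeated in both channels (the string contents of HtmlUrlChannel's new lines are stripped in this copy of the patch, but the expectation in LoginMessageActionTest shows the same attributes), so one package-private constant like `static final String EXTERNAL_LINK_ATTRIBUTES = "\" target=\"_blank\" rel=\"noopener noreferrer\">";` shared by both would keep them from drifting apart. HtmlLinkChannel.consume begins before its hunk starts.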
@@ -28,13 +28,13 @@ public class MarkdownTest {
 @Test
 public void shouldDecorateUrl() {
 assertThat(Markdown.convertToHtml("http://google.com"))
- .isEqualTo("http://google.com");
+ .isEqualTo("http://google.com");
 }
 @Test
 public void shouldDecorateDocumentedLink() {
 assertThat(Markdown.convertToHtml("For more details, please [check online documentation](http://docs.sonarqube.org/display/SONAR)."))
- .isEqualTo("For more details, please check online documentation.");
+ .isEqualTo("For more details, please check online documentation.");
 }
-- 
2.39.5