Fix: return proper HTTP 400/404 for invalid id in rules include endpoint#35337
…ool (fixes #24120)

Integrates the OWASP Java Encoder (1.3.1) into dotCMS core as the standard context-aware output encoding library for XSS prevention.

Changes:
- bom/application/pom.xml, dotCMS/pom.xml: add org.owasp.encoder:encoder:1.3.1
- Xss.java: replace StringEscapeUtils.escapeHtml() with Encode.forHtml(); replace UtilMethods.encodeURL() with Encode.forUriComponent(); add new context-specific helpers: encodeForHTML, encodeForHTMLAttribute, encodeForJavaScript, encodeForCSS
- VelocityRequestWrapper.java: replace htmlifyString() with Xss.encodeForHTML() in getParameter() for standards-compliant output encoding
- XssWebAPI.java: expose all OWASP encoder contexts to Velocity templates via $xsstool — encodeForHTML, encodeForHTMLAttribute, encodeForJavaScript, encodeForURL, encodeForCSS; legacy strip/escape methods kept and deprecated

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…4120) Covers all 5 encoding contexts (HTML, HTML attribute, JavaScript, URL, CSS), null-safety, legacy methods, and XSS detection helpers. 22 tests, all passing. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add $encode Velocity viewtool (OwaspEncoderTool) exposing full OWASP Java Encoder API: forHtml, forHtmlContent, forHtmlAttribute, forHtmlUnquotedAttribute, forCssString, forCssUrl, forUriComponent, forJavaScript, forJavaScriptAttribute, forJavaScriptBlock, forJavaScriptSource, forXml*, forCDATA, plus URL safety helpers (validateUrl, urlHasXSS, cleanUrl). Registered as $encode in toolbox.xml.
- Wrap VelocityRequestWrapper XSS encoding in USE_OWASP_ENCODING_FOR_XSS_PARAMS config flag (default true) so it can be reverted to legacy htmlifyString if needed.

Closes #24120

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Covers every encoding context exposed by the viewtool: forHtml, forHtmlContent, forHtmlAttribute, forHtmlUnquotedAttribute, forCssString, forCssUrl, forUriComponent, forJavaScript and its block/attribute/source variants, forXml family, forCDATA, forJava, plus validateUrl / urlHasXSS / cleanUrl URL-safety helpers. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Fixes #34888

Previously /api/portlet/rules/include responded with a JasperException (HTTP 200 with an error page body) when the id parameter was missing, invalid, or did not match an existing contentlet.

Changes:
- include.jsp: validate id before calling the API; throw WebApplicationException(400) for missing/empty or format-invalid id, and WebApplicationException(404) when no contentlet is found.
- BaseRestPortlet.getJspResponse(): re-throw WebApplicationException instead of swallowing it in the generic catch block, so the correct HTTP status propagates back to the caller.
- include.jsp: encode id and hideRulePushOptions with Xss.encodeForJavaScript() before embedding them in the script block.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…agation

4 tests verifying:
- WebApplicationException(400) from a JSP dispatch propagates out of getJspResponse() with its HTTP status intact.
- WebApplicationException(404) same.
- Ordinary IOException is caught and converted to error-HTML (existing behaviour preserved).
- Ordinary RuntimeException same.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…-handling-34888' into fix/rules-include-endpoint-error-handling-34888
Test Results

Tests added:

| Test | Verifies |
|---|---|
| getJspResponse_propagates400WhenJspThrowsWebApplicationException | WebApplicationException(400) from a JSP dispatch propagates out of getJspResponse() with HTTP status intact |
| getJspResponse_propagates404WhenJspThrowsWebApplicationException | Same for WebApplicationException(404) |
| getJspResponse_returnsErrorHtmlForGenericException | Ordinary IOException is still caught and converted to error-HTML (existing behaviour preserved) |
| getJspResponse_returnsErrorHtmlForRuntimeException | Ordinary RuntimeException same |

Note: the JSP validation logic (include.jsp) requires a running servlet container and is covered by the manual test plan in the PR description.
Semgrep found 1 Risk: Affected versions of vite are vulnerable to Exposure of Sensitive Information to an Unauthorized Actor / Missing Authentication for Critical Function. This occurs because the Vite Dev Server WebSocket improperly exposes the fetchModule method, allowing unauthenticated remote attackers to bypass filesystem restrictions and read arbitrary files from the host machine.
Manual Review Advice: A vulnerability from this advisory is reachable if you enable vite dev server using
Fix: Upgrade this library to at least version 7.3.2 at core/core-web/yarn.lock:22638.
Reference(s): GHSA-p9ff-h696-f583, CVE-2026-39363
If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

Semgrep found 1 Risk: Affected versions of vite are vulnerable to Improper Access Control / Incorrect Behavior Order. Vite's dev server can bypass
Manual Review Advice: A vulnerability from this advisory is reachable if you enable vite dev server using
Fix: Upgrade this library to at least version 7.3.2 at core/core-web/yarn.lock:22638.
Reference(s): GHSA-v2wj-q39q-566r, CVE-2026-39364
If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

Semgrep found 2 Risk: Affected versions of axios are vulnerable to Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') / Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') / Server-Side Request Forgery (SSRF). Axios can be used as a gadget for header injection: if another dependency enables prototype pollution, polluted properties can be merged into Axios request headers and written without CRLF sanitization, allowing request smuggling/SSRF that can reach internal services such as AWS IMDSv2 and potentially lead to credential theft or broader compromise.
Fix: Upgrade this library to at least version 1.15.0 at core/core-web/yarn.lock:10238.
Reference(s): GHSA-fvcv-3m26-pcqx, CVE-2026-40175
If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

Semgrep found 2 Risk: Affected versions of axios are vulnerable to Server-Side Request Forgery (SSRF) / Unintended Proxy or Intermediary ('Confused Deputy'). Axios does not normalize hostnames before applying
Manual Review Advice: A vulnerability from this advisory is reachable if you have
Fix: Upgrade this library to at least version 1.15.0 at core/core-web/yarn.lock:10238.
Reference(s): GHSA-3p68-rc4w-qgx5, CVE-2025-62718
If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.
Summary

Fixes #34888

The `/api/portlet/rules/include` endpoint was responding with a `JasperException` error page (HTTP 200 with error HTML body) whenever the `id` parameter was missing, malformed, or didn't match any contentlet.

`include.jsp`: validates the `id` parameter before touching the API:
- Missing/empty `id` → throws `WebApplicationException(400)` with a clear message
- `findContentletByIdentifierAnyLanguage` throws (e.g. invalid UUID format) → 400
- No contentlet found → 404
- Encodes `id` and `hideRulePushOptions` with `Xss.encodeForJavaScript()` before embedding in the script block (XSS fix)

`BaseRestPortlet.getJspResponse()`: re-throws `WebApplicationException` before the generic `catch (Exception)` handler, so the correct HTTP status propagates to the JAX-RS layer instead of being swallowed as error HTML.

Test plan
- `GET /api/portlet/rules/include` (no `id` param) → 400 Bad Request
- `GET /api/portlet/rules/include?id=` (empty) → 400 Bad Request
- `GET /api/portlet/rules/include?id=not-a-valid-uuid` → 400 Bad Request
- `GET /api/portlet/rules/include?id=00000000-0000-0000-0000-000000000000` (valid format, no match) → 404 Not Found
- `GET /api/portlet/rules/include?id=<valid-contentlet-id>` → 200 OK with the rules iframe page

🤖 Generated with Claude Code
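To make the two halves of the fix concrete, here is an added, self-contained sketch of the control flow the description covers. It is illustrative code written for this page, not dotCMS's own `include.jsp` or `BaseRestPortlet`; the names `renderInclude`, `getJspResponse`, `statusFor`, `CONTENTLETS` and `jsStringEncode` are invented stand-ins, the contentlet table is constructed sample data, and it assumes only the JAX-RS API (`javax.ws.rs`) on the classpath.

```java
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import java.util.Map;
import java.util.UUID;

// Illustrative sketch (not dotCMS code): a JSP-backed REST endpoint that must surface
// the JSP's 400/404 to the caller instead of an HTTP 200 carrying an error page.
public class JspResponseExample {

    // Constructed sample data standing in for the contentlet lookup, keyed by identifier.
    static final Map<String, String> CONTENTLETS =
            Map.of("2d4c5a1e-0000-4000-8000-000000000001", "rules-host-1");

    // Simplified stand-in for a JavaScript-string encoder (the real fix uses
    // Xss.encodeForJavaScript): every character that is not ASCII alphanumeric is
    // emitted as a \uXXXX escape, so the value can never close the quote or the
    // <script> element it is embedded in.
    static String jsStringEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() * 2);
        for (char c : s.toCharArray()) {
            boolean safe = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
            if (safe) {
                out.append(c);
            } else {
                out.append(String.format("\\u%04x", (int) c));
            }
        }
        return out.toString();
    }

    // What the description says include.jsp now does: validate id before any API call,
    // and map each failure to an explicit HTTP status.
    static String renderInclude(String id) {
        if (id == null || id.trim().isEmpty()) {
            throw new WebApplicationException("Missing required parameter: id",
                    Response.Status.BAD_REQUEST);
        }
        try {
            UUID.fromString(id); // malformed identifier is a client error, not a server error
        } catch (IllegalArgumentException e) {
            throw new WebApplicationException("Invalid id format", e, Response.Status.BAD_REQUEST);
        }
        if (!CONTENTLETS.containsKey(id)) {
            throw new WebApplicationException("No contentlet found for id", Response.Status.NOT_FOUND);
        }
        // Encode before embedding in the script block, even though id already passed the
        // format check: output encoding is decided by the output context, not by trust in input.
        return "<script>var ruleHostId = '" + jsStringEncode(id) + "';</script>";
    }

    // What the description says getJspResponse() now does: the specific catch comes first
    // and re-throws, so only non-JAX-RS failures are turned into an error page.
    static Response getJspResponse(String id) {
        try {
            return Response.ok(renderInclude(id)).build();
        } catch (WebApplicationException wae) {
            throw wae; // status (400/404) propagates to the JAX-RS layer intact
        } catch (Exception e) {
            // Existing behaviour for ordinary failures: HTTP 200 with an error body.
            return Response.ok("<html><body>Error: " + e.getClass().getSimpleName()
                    + "</body></html>").build();
        }
    }

    // Resolves the status a JAX-RS client would observe for a given id.
    static int statusFor(String id) {
        try {
            return getJspResponse(id).getStatus();
        } catch (WebApplicationException wae) {
            return wae.getResponse().getStatus();
        }
    }

    public static void main(String[] args) {
        // Mirrors the PR's manual test plan.
        System.out.println("no id        -> " + statusFor(null));
        System.out.println("empty id     -> " + statusFor(""));
        System.out.println("bad format   -> " + statusFor("not-a-valid-uuid"));
        System.out.println("no match     -> " + statusFor("00000000-0000-0000-0000-000000000000"));
        System.out.println("valid id     -> " + statusFor("2d4c5a1e-0000-4000-8000-000000000001"));
    }
}
```

The ordering of the two `catch` blocks is the whole point of the `BaseRestPortlet` change: `WebApplicationException` extends `RuntimeException`, so a lone `catch (Exception e)` claims it first and every 400 or 404 the JSP raises degrades into a 200 with an error body, which is exactly the symptom in #34888. Placing the specific catch before the generic one (or rethrowing from it) restores the status, and it is why the test plan above asserts on status codes rather than on body text.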