Merge pull request #43 from support-project/develop

koda-masaru · web-flow · commit f1426eb5b46d · 2016-08-06T09:19:33.000+09:00
Release v1.5.0
diff --git a/.travis.yml b/.travis.yml
@@ -1,6 +1,6 @@
 language: java
 jdk: oraclejdk8
   
-install: mvn install -DskipTests=true -Dmaven.javadoc.skip=true
+install: mvn -U clean install -DskipTests=true -Dmaven.javadoc.skip=true
 script: mvn test site
 
diff --git a/LICENSE.md b/LICENSE.md
@@ -40,3 +40,7 @@
    - License: [Creative Commons Attribution-ShareAlike 3.0 license] http://creativecommons.org/licenses/by-sa/3.0/
    - project-url: https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
 
+- Apache Directory LDAP API
+   - License: [Apache License, Version 2.0] http://www.apache.org/licenses/LICENSE-2.0
+   - project-url: http://directory.apache.org/api/
+
diff --git a/deploy.sh b/deploy.sh
@@ -1,2 +1,2 @@
 #! /bin/bash
-mvn clean deploy -DperformRelease=true -Dmaven.javadoc.skip=true -e
+mvn clean deploy -DperformRelease=true -e
diff --git a/pom.xml b/pom.xml
@@ -4,7 +4,7 @@
 
     <groupId>org.support-project</groupId>
     <artifactId>web</artifactId>
-    <version>1.4.0</version>
+    <version>1.5.0</version>
     <packaging>jar</packaging>
 
     <name>web</name>
@@ -59,7 +59,7 @@
         <dependency>
             <groupId>org.support-project</groupId>
             <artifactId>common</artifactId>
-            <version>1.4.0</version>
+            <version>1.5.0</version>
         </dependency>
 
         <dependency>
diff --git a/src/main/java/org/support/project/web/dao/UsersDao.java b/src/main/java/org/support/project/web/dao/UsersDao.java
@@ -197,4 +197,18 @@ public void truncate() {
         String sql = SQLManager.getInstance().getSql("/org/support/project/web/dao/sql/UsersDao/UsersDao_truncate.sql");
         executeUpdate(sql);
     }
+    
+    /**
+     * メールアドレスで検索
+     * （Ldapログイン時は、USER_KEYはIDになるので注意）
+     * @param mail メールアドレス
+     * @return ユーザ情報
+     */
+    public UsersEntity selectOnMail(String mail) {
+        if (mail == null) {
+            return null;
+        }
+        String sql = "SELECT * FROM USERS WHERE LOWER(MAIL_ADDRESS) = ?;";
+        return executeQuerySingle(sql, UsersEntity.class, mail.toLowerCase());
+    }
 }
diff --git a/src/main/java/org/support/project/web/logic/SanitizingLogic.java b/src/main/java/org/support/project/web/logic/SanitizingLogic.java
@@ -54,7 +54,8 @@ public static SanitizingLogic get() {
     private static final Pattern HTML_CLASS = Pattern.compile("[a-zA-Z0-9\\s,\\-_]+");
     private static final Pattern ONSITE_URL = Pattern.compile("(?:[\\p{L}\\p{N}\\\\\\.\\#@\\$%\\+&;\\-_~,\\?=/!]+|\\#(\\w)+)");
     private static final Pattern OFFSITE_URL = Pattern
-            .compile("\\s*(?:(?:ht|f)tps?://|mailto:)[\\p{L}\\p{N}]" + "[\\p{L}\\p{N}\\p{Zs}\\.\\#@\\$%\\+&;:\\-_~,\\?=/!\\(\\)]*+\\s*");
+            .compile("\\s*(?:(?:ht|f)tps?://|file://|smb://|\\\\\\\\|mailto:)[\\p{L}\\p{N}]"
+                    + "[\\p{L}\\p{N}\\p{Zs}\\.\\#@\\$%\\+&;:\\-_~,\\?=/!\\(\\)]*+\\s*");
     private static final Pattern NUMBER = Pattern.compile("[+-]?(?:(?:[0-9]+(?:\\.[0-9]*)?)|\\.[0-9]+)");
     private static final Pattern NAME = Pattern.compile("[a-zA-Z0-9\\-_\\$]+");
     private static final Pattern ALIGN = Pattern.compile("(?i)center|left|right|justify|char");
@@ -66,7 +67,11 @@ public boolean apply(String s) {
     };
     private static final Predicate<String> ONSITE_OR_OFFSITE_URL = new Predicate<String>() {
         public boolean apply(String s) {
-            return ONSITE_URL.matcher(s).matches() || OFFSITE_URL.matcher(s).matches();
+            boolean result = ONSITE_URL.matcher(s).matches() || OFFSITE_URL.matcher(s).matches();
+            if (LOG.isDebugEnabled()) {
+                LOG.debug("[ONSITE_OR_OFFSITE_URL]: " + result + "\t" + s);
+            }
+            return result;
         }
     };
     private static final Pattern HISTORY_BACK = Pattern.compile("(?:javascript:)?\\Qhistory.go(-1)\\E");
@@ -76,7 +81,10 @@ public boolean apply(String s) {
             .allowAttributes("title").matching(HTML_TITLE).globally().allowStyling().allowAttributes("align").matching(ALIGN).onElements("p")
             .allowAttributes("for").matching(HTML_ID).onElements("label").allowAttributes("color").matching(COLOR_NAME_OR_COLOR_CODE)
             .onElements("font").allowAttributes("face").matching(Pattern.compile("[\\w;, \\-]+")).onElements("font").allowAttributes("size")
-            .matching(NUMBER).onElements("font").allowAttributes("href").matching(ONSITE_OR_OFFSITE_URL).onElements("a").allowStandardUrlProtocols()
+            .matching(NUMBER).onElements("font")
+            .allowAttributes("href").matching(ONSITE_OR_OFFSITE_URL).onElements("a")
+//            .allowStandardUrlProtocols()
+            .allowUrlProtocols("http", "https", "mailto", "file", "smb", "\\\\")
             .allowAttributes("target")
             // .onElements("a")
             // .allowAttributes("name")
diff --git a/src/test/java/org/support/project/web/logic/SanitizingLogicTest.java b/src/test/java/org/support/project/web/logic/SanitizingLogicTest.java
@@ -66,5 +66,59 @@ public void testSanitize()
             throw e;
         }
     }
-
+    
+    @Test
+    @Order(order = 2)
+    public void testUNC() throws Exception {
+        LOG.info("testUNC");
+        String base = "<p><a href=\"\\\\hoge\\data\" title=\"UNCPathLink\">UNCPathLink</a></p>";
+        String result = SanitizingLogic.get().sanitize(base);
+        try {
+            String check = "<p><a href=\"\\\\hoge\\data\" title=\"UNCPathLink\" rel=\"nofollow\">UNCPathLink</a></p>";
+            org.junit.Assert.assertEquals(check, result);
+        } catch (AssertionError e) {
+            LOG.info("Sanitize");
+            LOG.info("[Base]   : " + base);
+            LOG.info("[Result] : " + result);
+            throw e;
+        }
+    }
+    
+    @Test
+    @Order(order = 3)
+    public void testFile() throws Exception {
+        LOG.info("testFile");
+        String base = "<p><a href=\"file://hoge/data\" title=\"UNCPathLink\">UNCPathLink</a></p>";
+        String result = SanitizingLogic.get().sanitize(base);
+        try {
+            String check = "<p><a href=\"file://hoge/data\" title=\"UNCPathLink\" rel=\"nofollow\">UNCPathLink</a></p>";
+            org.junit.Assert.assertEquals(check, result);
+        } catch (AssertionError e) {
+            LOG.info("Sanitize");
+            LOG.info("[Base]   : " + base);
+            LOG.info("[Result] : " + result);
+            throw e;
+        }
+    }
+    
+    @Test
+    @Order(order = 4)
+    public void testSamba() throws Exception {
+        LOG.info("testSamba");
+        String base = "<p><a href=\"smb://hoge/data\" title=\"UNCPathLink\">UNCPathLink</a></p>";
+        String result = SanitizingLogic.get().sanitize(base);
+        try {
+            String check = "<p><a href=\"smb://hoge/data\" title=\"UNCPathLink\" rel=\"nofollow\">UNCPathLink</a></p>";
+            org.junit.Assert.assertEquals(check, result);
+        } catch (AssertionError e) {
+            LOG.info("Sanitize");
+            LOG.info("[Base]   : " + base);
+            LOG.info("[Result] : " + result);
+            throw e;
+        }
+    }
+    
+    
+    
+    
 }

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`#! /bin/bash`
`2`		`-mvn clean deploy -DperformRelease=true -Dmaven.javadoc.skip=true -e`
	`2`	`+mvn clean deploy -DperformRelease=true -e`