SOLR-111 : Validate JSONP callback function name to avoid XSS

seboo · seboo · commit b5ce118600d4 · 2018-07-31T14:01:44.000+02:00
diff --git a/src/java/fr/paris/lutece/plugins/search/solr/web/SolrSuggestServlet.java b/src/java/fr/paris/lutece/plugins/search/solr/web/SolrSuggestServlet.java
@@ -59,6 +59,8 @@ public class SolrSuggestServlet extends HttpServlet
 {
     private static final long serialVersionUID = -3273825949482572338L;
 
+    private static final String CALLBACK_FUNCTION_NAME_ERROR_MESSAGE = "Callback function name must match [_\\-A-Za-z0-9]+" ;
+    
     public void init(  )
     {
     }
@@ -76,6 +78,13 @@ public String getSuggest( HttpServletRequest request )
 
         SolrSearchEngine engine = SolrSearchEngine.getInstance(  );
         StringBuffer result = new StringBuffer(  );
+
+        // XSS control
+        if (callback == null || !callback.matches( "[_\\-A-Za-z0-9]+" ))
+        {
+            return CALLBACK_FUNCTION_NAME_ERROR_MESSAGE;
+        }
+
         result.append( callback );
 
         result.append( "({\"response\":{\"docs\":[" );

Original file line number	Diff line number	Diff line change
`@@ -59,6 +59,8 @@ public class SolrSuggestServlet extends HttpServlet`
`59`	`59`	`{`
`60`	`60`	`private static final long serialVersionUID = -3273825949482572338L;`
`61`	`61`
	`62`	`+ private static final String CALLBACK_FUNCTION_NAME_ERROR_MESSAGE = "Callback function name must match [_\\-A-Za-z0-9]+" ;`
	`63`	`+`
`62`	`64`	`public void init( )`
`63`	`65`	`{`
`64`	`66`	`}`
`@@ -76,6 +78,13 @@ public String getSuggest( HttpServletRequest request )`
`76`	`78`
`77`	`79`	`SolrSearchEngine engine = SolrSearchEngine.getInstance( );`
`78`	`80`	`StringBuffer result = new StringBuffer( );`
	`81`	`+`
	`82`	`+ // XSS control`
	`83`	`+ if (callback == null \|\| !callback.matches( "[_\\-A-Za-z0-9]+" ))`
	`84`	`+ {`
	`85`	`+ return CALLBACK_FUNCTION_NAME_ERROR_MESSAGE;`
	`86`	`+ }`
	`87`	`+`
`79`	`88`	`result.append( callback );`
`80`	`89`
`81`	`90`	`result.append( "({\"response\":{\"docs\":[" );`