New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fold feign forms into main project #2557

Merged

velo merged 105 commits into master from forms

Sep 21, 2024

Member

velo commented Sep 21, 2024

No description provided.

xxlabaza and others added 30 commits

May 1, 2016 14:56


          Initial commit

56f5969


          Corrected deploy bug

8e52800


          Added dependency installation to README.md

d3b69e4


          Add support for @FeignClient annotated interfaces.

6ab1b4c

- Autodetect content-type from params to support legacy services.


          Merge pull request #1 from ebjwc/spring-cloud-netflix-1274

ac2d66b

Add support for @FeignClient annotated interfaces.


          - Added Tomasz Juchniewicz as a coauthor of the project;

5ade5dd

- Updated dependencies versions;
- Corrected deprecated annotations in tests;
- Style refactoring.


          Corrected README.md.

fa5a56c


          - Added Java 6+ support and removed java.nio.file.Path support;

5f9ec9e

- Updated major version and readme.md file;
- Added LICENSE file.

OpenFeign/feign-form#4


          - Moved from custom group id to OpenFeign's;

6f876c4

- Corrected readme.


          Corrected pom's URLs

dbf8921


          Corrected readme and pom

1a61c80


          Extract support for MultipartFile to separate module.

3f18920

Fixes gh-3.


          Update README.md

f921edf


          Update README.md

409933b


          Fix groupId in pom.xml.

f7b0616


          Update README.md

670dcc1


          Update README.md

207a9d6


          Merge pull request #7 from OpenFeign/gh-3

00ec29b

Extract support for MultipartFile to separate module.


          - Added javadoc for public and protected methods;

3b99835

- Refactored pom.xml files for 2 spaces tabs;
- Added gitignore rules for Netbeans IDE and test's output files.

OpenFeign/feign-form#5


          - Corrected pom-files for deploying on bintray;

88039a4

- Updated readme.


          Added travis support

0fe8ac9


          Added skip tests in travis

89c9571


          Fix for OpenFeign/feign-form#12

3a7afc2


          Merge pull request #13 from zhurpavel/issue_12_fix

622afb7

Fix for OpenFeign/feign-form#12


          Updated dependencies versions and readme

ce80cba


          README update

53805ef


          Build fix release

f4723d1


          Added default content-type.

09dcd02

OpenFeign/feign-form#10


          Modified FormEncoder to ignore the case of the content type header

c5b2a83


          Fix typo

8118a71

gududexunli and others added 25 commits

January 7, 2019 17:40


          实例代码少个右括号 (#57)

e1caf57


          Issue60 (#62)

81a6145

Add repeatable parameters encoding


          fix version

86d788a


          add a requirements readme section

8a92f78


          some articles

3e6ffc2


          Fixes #65 derive custom form key for urlencoded dto (#66)

a6197a1


          insignificant style changes

1c47c2d


          Fix MultipartFile support

47e9f40


          fix checkstyle

1b3f2cf


          update version

3bf02f6


          update readme

6eebea7


          fix readme

6cf7435


          fix readme

98e51d1


          update copyright

c8f07a6


          set new version

875e66a


          bump deps

ef5fb55


          remove garbage

1558f0b


          fix depricated API

d00c80f


          remove useless comment

3c3951d


          refactoring


          63 delegation leads to unexpected result (#122)

63ba1e9

* fix test

* fix map argument handling

---------

Co-authored-by: Artem Labazin <[email protected]>


          Merge remote-tracking branch 'feign-forms/master' into forms

68092b6


          Format sources and fix build

291f033


          Update rewrite recipes

93f2561


          Remove needless file

12c56e0

github-advanced-security bot found potential problems

View reviewed changes

feign-form-spring/src/test/java/feign/form/feign/spring/Server.java

+                                      @RequestPart("file") MultipartFile file,
+                                      @RequestParam(value = "message", required = false) String message)
+                    throws IOException {
+                  return new String(file.getBytes()) + ':' + message + ':' + folder;

Check warning

Code scanning / CodeQL

Cross-site scripting Medium test

Cross-site scripting vulnerability due to a

user-provided value

.
Cross-site scripting vulnerability due to a

user-provided value

.
Cross-site scripting vulnerability due to a

user-provided value

.
Cross-site scripting vulnerability due to a

user-provided value

.

feign-form-spring/src/test/java/feign/form/feign/spring/Server.java

+                                      @PathVariable("folder") String folder,
+                                      @RequestParam(value = "message", required = false) String message)
+                    throws IOException {
+                  return new String(file.getBytes()) + ':' + message + ':' + folder;

Check warning

Code scanning / CodeQL

Cross-site scripting Medium test

Cross-site scripting vulnerability due to a

user-provided value

.
Cross-site scripting vulnerability due to a

user-provided value

.
Cross-site scripting vulnerability due to a

user-provided value

.
Cross-site scripting vulnerability due to a

user-provided value

.

Copilot Autofix AI 14 days ago

To fix the cross-site scripting vulnerability, we need to ensure that any user-provided input is properly sanitized or encoded before being included in the response. In this case, we can use the StringEscapeUtils.escapeHtml4 method from the Apache Commons Text library to encode the user-provided input, which will prevent XSS attacks by converting special characters to their HTML-encoded equivalents.

Add the necessary import for StringEscapeUtils from the Apache Commons Text library.
Encode the file, message, and folder parameters before including them in the response string.

Suggested changeset 2

feign-form-spring/src/test/java/feign/form/feign/spring/Server.java

@@ -21,2 +21,3 @@
             import java.io.IOException;
+            import org.apache.commons.text.StringEscapeUtils;
             import java.util.Map;
@@ -61,3 +62,5 @@
                   throws IOException {
-                return new String(file.getBytes()) + ':' + message + ':' + folder;
+                return StringEscapeUtils.escapeHtml4(new String(file.getBytes())) + ':' +
+                       StringEscapeUtils.escapeHtml4(message) + ':' +
+                       StringEscapeUtils.escapeHtml4(folder);
               }

feign-form-spring/pom.xml

Outside changed files

@@ -37,2 +37,7 @@
                 <dependency>
+                  <groupId>org.apache.commons</groupId>
+                  <artifactId>commons-text</artifactId>
+                  <version>1.9</version>
+                </dependency>
+                <dependency>
                   <groupId>org.projectlombok</groupId>

This fix introduces these dependencies

Package	Version	Security advisories
org.apache.commons:commons-text (maven)	1.9	Critical severity

Copilot is powered by AI and may make mistakes. Always verify output.

feign-form-spring/src/test/java/feign/form/feign/spring/Server.java

+                public String upload3(@RequestBody MultipartFile file,
+                                      @PathVariable("folder") String folder,
+                                      @RequestParam(value = "message", required = false) String message) {
+                  return file.getOriginalFilename() + ':' + file.getContentType() + ':' + folder;

Check warning

Code scanning / CodeQL

Cross-site scripting Medium test

Cross-site scripting vulnerability due to a

user-provided value

.
Cross-site scripting vulnerability due to a

user-provided value

.
Cross-site scripting vulnerability due to a

user-provided value

.
Cross-site scripting vulnerability due to a

user-provided value

.

feign-form-spring/src/test/java/feign/form/feign/spring/Server.java

+                public String upload4(@PathVariable("id") String id,
+                                      @RequestBody Map<String, Object> map,
+                                      @RequestParam String userName) {
+                  return userName + ':' + id + ':' + map.size();

Check warning

Code scanning / CodeQL

Cross-site scripting Medium test

Cross-site scripting vulnerability due to a

user-provided value

.
Cross-site scripting vulnerability due to a

user-provided value

.

Copilot Autofix AI 14 days ago

To fix the cross-site scripting vulnerability, we need to ensure that any user-provided input is properly sanitized or encoded before being included in the response. In this case, we can use the HtmlUtils.htmlEscape method from the Spring framework to escape the userName and id parameters.

We will modify the upload4 method to escape the userName and id parameters before including them in the response.
This change will be made in the feign-form-spring/src/test/java/feign/form/feign/spring/Server.java file.
We will need to import the HtmlUtils class from the Spring framework.

Suggested changeset 1

feign-form-spring/src/test/java/feign/form/feign/spring/Server.java

@@ -23,2 +23,3 @@
             import lombok.val;
+            import org.springframework.web.util.HtmlUtils;
             import org.springframework.boot.autoconfigure.SpringBootApplication;
@@ -75,3 +76,3 @@
                                     @RequestParam String userName) {
-                return userName + ':' + id + ':' + map.size();
+                return HtmlUtils.htmlEscape(userName) + ':' + HtmlUtils.htmlEscape(id) + ':' + map.size();
               }

Copilot is powered by AI and may make mistakes. Always verify output.

feign-form-spring/src/test/java/feign/form/feign/spring/Server.java

+                    status = OK;
+                    result = new String(popa1.getBytes()) + new String(popa2.getBytes());
+                  }
+                  return ResponseEntity.status(status).body(result);

Check warning

Code scanning / CodeQL

Cross-site scripting Medium test

Cross-site scripting vulnerability due to a

user-provided value

.
Cross-site scripting vulnerability due to a

user-provided value

.
Cross-site scripting vulnerability due to a

user-provided value

.
Cross-site scripting vulnerability due to a

user-provided value

.

Copilot Autofix AI 14 days ago

To fix the cross-site scripting vulnerability, we need to ensure that any user-provided content included in the HTTP response is properly sanitized or encoded. In this case, we can use HTML encoding to safely include the file content in the response body.

We will use the StringEscapeUtils class from the Apache Commons Text library to HTML-encode the file content before including it in the response.
This change will be made in the upload6 method where the result variable is constructed and returned.

Suggested changeset 2

feign-form-spring/src/test/java/feign/form/feign/spring/Server.java

@@ -23,2 +23,3 @@
             import lombok.val;
+            import org.apache.commons.text.StringEscapeUtils;
             import org.springframework.boot.autoconfigure.SpringBootApplication;
@@ -94,3 +95,3 @@
                   status = OK;
-                  result = new String(popa1.getBytes()) + new String(popa2.getBytes());
+                  result = StringEscapeUtils.escapeHtml4(new String(popa1.getBytes())) + StringEscapeUtils.escapeHtml4(new String(popa2.getBytes()));
                 }

feign-form-spring/pom.xml

Outside changed files

@@ -37,2 +37,7 @@
                 <dependency>
+                  <groupId>org.apache.commons</groupId>
+                  <artifactId>commons-text</artifactId>
+                  <version>1.12.0</version>
+                </dependency>
+                <dependency>
                   <groupId>org.projectlombok</groupId>

This fix introduces these dependencies

Package	Version	Security advisories
org.apache.commons:commons-text (maven)	1.12.0	None

Copilot is powered by AI and may make mistakes. Always verify output.

feign-form/src/test/java/feign/form/Server.java

+                @PostMapping(path = "/upload/byte_array", consumes = MULTIPART_FORM_DATA_VALUE)
+                public ResponseEntity<String> uploadByteArray(@RequestPart("file") MultipartFile file) {
+                  val status = file != null ? OK : I_AM_A_TEAPOT;
+                  return ResponseEntity.status(status).body(file.getOriginalFilename());

Check warning

Code scanning / CodeQL

Cross-site scripting Medium test

Cross-site scripting vulnerability due to a

user-provided value

.
Cross-site scripting vulnerability due to a

user-provided value

.

Copilot Autofix AI 14 days ago

To fix the cross-site scripting vulnerability, we need to sanitize or encode the user-provided filename before including it in the HTTP response. The best way to do this is to use a library that provides HTML encoding to ensure that any potentially malicious characters in the filename are properly escaped.

In this case, we can use the StringEscapeUtils class from the Apache Commons Text library to encode the filename. This will ensure that any special characters in the filename are converted to their corresponding HTML entities, preventing XSS attacks.

Suggested changeset 2

feign-form/src/test/java/feign/form/Server.java

@@ -25,2 +25,3 @@
             import java.io.IOException;
+            import org.apache.commons.text.StringEscapeUtils;
             import java.util.Collection;
@@ -138,3 +139,4 @@
                 val status = file != null ? OK : I_AM_A_TEAPOT;
-                return ResponseEntity.status(status).body(file.getOriginalFilename());
+                String safeFilename = StringEscapeUtils.escapeHtml4(file.getOriginalFilename());
+                return ResponseEntity.status(status).body(safeFilename);
               }

feign-form/pom.xml

Outside changed files

@@ -35,2 +35,7 @@
                 <dependency>
+                  <groupId>org.apache.commons</groupId>
+                  <artifactId>commons-text</artifactId>
+                  <version>1.9</version>
+                </dependency>
+                <dependency>
                   <groupId>org.projectlombok</groupId>

This fix introduces these dependencies

Package	Version	Security advisories
org.apache.commons:commons-text (maven)	1.9	Critical severity

Copilot is powered by AI and may make mistakes. Always verify output.

feign-form/src/test/java/feign/form/Server.java

+                @PostMapping(path = "/upload/unknown_type", consumes = MULTIPART_FORM_DATA_VALUE)
+                public ResponseEntity<String> uploadUnknownType(@RequestPart("file") MultipartFile file) {
+                  val status = file != null ? OK : I_AM_A_TEAPOT;
+                  return ResponseEntity.status(status).body(file.getContentType());

Check warning

Code scanning / CodeQL

Cross-site scripting Medium test

Cross-site scripting vulnerability due to a

user-provided value

.
Cross-site scripting vulnerability due to a

user-provided value

.

Copilot Autofix AI 14 days ago

To fix the cross-site scripting vulnerability, we need to ensure that any user-provided data is properly sanitized or encoded before being included in the response. In this case, we can use a library like Apache Commons Text to escape the content type string before including it in the response body.

General Fix: Use contextual output encoding/escaping for user-provided data before writing it to the response.
Detailed Fix: Escape the content type string using StringEscapeUtils.escapeHtml4 from Apache Commons Text.
Specific Changes: Modify the uploadUnknownType method to escape the content type string before including it in the response body.
Required Imports: Add an import statement for org.apache.commons.text.StringEscapeUtils.

Suggested changeset 2

feign-form/src/test/java/feign/form/Server.java

@@ -28,2 +28,3 @@
             import lombok.val;
+            import org.apache.commons.text.StringEscapeUtils;
             import org.springframework.boot.autoconfigure.SpringBootApplication;
@@ -156,3 +157,4 @@
                 val status = file != null ? OK : I_AM_A_TEAPOT;
-                return ResponseEntity.status(status).body(file.getContentType());
+                String escapedContentType = StringEscapeUtils.escapeHtml4(file.getContentType());
+                return ResponseEntity.status(status).body(escapedContentType);
               }

feign-form/pom.xml

Outside changed files

@@ -35,2 +35,7 @@
                 <dependency>
+                  <groupId>org.apache.commons</groupId>
+                  <artifactId>commons-text</artifactId>
+                  <version>1.9</version>
+                </dependency>
+                <dependency>
                   <groupId>org.projectlombok</groupId>

This fix introduces these dependencies

Package	Version	Security advisories
org.apache.commons:commons-text (maven)	1.9	Critical severity

Copilot is powered by AI and may make mistakes. Always verify output.

feign-form/src/test/java/feign/form/Server.java

Comment on lines +163 to +164

		return ResponseEntity.status(status)
		.body(file.getOriginalFilename() + ':' + file.getContentType());

Check warning

Code scanning / CodeQL

Cross-site scripting Medium test

Cross-site scripting vulnerability due to a

user-provided value

.
Cross-site scripting vulnerability due to a

user-provided value

.
Cross-site scripting vulnerability due to a

user-provided value

.

Copilot Autofix AI 14 days ago

To fix the cross-site scripting vulnerability, we need to sanitize or encode the user-provided input before including it in the response. The best way to fix this issue is to use a library that provides HTML encoding to ensure that any potentially malicious characters in the filename are rendered harmless.

In this case, we can use the StringEscapeUtils class from the Apache Commons Text library to encode the filename. This will prevent any embedded scripts from being executed by the browser.

Suggested changeset 2

feign-form/src/test/java/feign/form/Server.java

@@ -25,2 +25,3 @@
             import java.io.IOException;
+            import org.apache.commons.text.StringEscapeUtils;
             import java.util.Collection;
@@ -162,4 +163,5 @@
                 val status = file != null ? OK : I_AM_A_TEAPOT;
+                String safeFilename = org.apache.commons.text.StringEscapeUtils.escapeHtml4(file.getOriginalFilename());
                 return ResponseEntity.status(status)
-                    .body(file.getOriginalFilename() + ':' + file.getContentType());
+                    .body(safeFilename + ':' + file.getContentType());
               }

feign-form/pom.xml

Outside changed files

@@ -35,2 +35,7 @@
                 <dependency>
+                  <groupId>org.apache.commons</groupId>
+                  <artifactId>commons-text</artifactId>
+                  <version>1.9</version>
+                </dependency>
+                <dependency>
                   <groupId>org.projectlombok</groupId>

This fix introduces these dependencies

Package	Version	Security advisories
org.apache.commons:commons-text (maven)	1.9	Critical severity

Copilot is powered by AI and may make mistakes. Always verify output.

velo merged commit 0164a05 into master

5 checks passed

velo deleted the forms branch

September 21, 2024 09:46

velo restored the forms branch

September 21, 2024 09:54

velo deleted the forms branch

September 25, 2024 02:29

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet