Fold feign forms into main project #2557
Conversation
- Autodetect content-type from params to support legacy services.
Add support for @FeignClient annotated interfaces.
- Updated dependencies versions; - Corrected deprecated annotations in tests; - Style refactoring.
- Updated major version and readme.md file; - Added LICENSE file. OpenFeign/feign-form#4
- Corrected readme.
Extract support for MultipartFile to separate module.
- Refactored pom.xml files for 2 spaces tabs; - Added gitignore rules for Netbeans IDE and test's output files. OpenFeign/feign-form#5
- Updated readme.
* fix test * fix map argument handling --------- Co-authored-by: Artem Labazin <[email protected]>
@RequestPart("file") MultipartFile file, | ||
@RequestParam(value = "message", required = false) String message) | ||
throws IOException { | ||
return new String(file.getBytes()) + ':' + message + ':' + folder; |
Check warning (Code scanning / CodeQL): Cross-site scripting, Medium, test. Cross-site scripting vulnerability due to a user-provided value (reported 3 times).
@PathVariable("folder") String folder, | ||
@RequestParam(value = "message", required = false) String message) | ||
throws IOException { | ||
return new String(file.getBytes()) + ':' + message + ':' + folder; |
Check warning (Code scanning / CodeQL): Cross-site scripting, Medium, test. Cross-site scripting vulnerability due to a user-provided value (reported 3 times).
Copilot Autofix AI 14 days ago
To fix the cross-site scripting vulnerability, we need to ensure that any user-provided input is properly sanitized or encoded before being included in the response. In this case, we can use the StringEscapeUtils.escapeHtml4 method from the Apache Commons Text library to encode the user-provided input, which will prevent XSS attacks by converting special characters to their HTML-encoded equivalents.
- Add the necessary import for StringEscapeUtils from the Apache Commons Text library.
- Encode the file, message, and folder parameters before including them in the response string.
@@ -21,2 +21,3 @@ | ||
import java.io.IOException; | ||
import org.apache.commons.text.StringEscapeUtils; | ||
import java.util.Map; | ||
@@ -61,3 +62,5 @@ | ||
throws IOException { | ||
return new String(file.getBytes()) + ':' + message + ':' + folder; | ||
return StringEscapeUtils.escapeHtml4(new String(file.getBytes())) + ':' + | ||
StringEscapeUtils.escapeHtml4(message) + ':' + | ||
StringEscapeUtils.escapeHtml4(folder); | ||
} |
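Review bot: the escaping in this hunk changes what the endpoint echoes back, so a client test that asserts the response equals the uploaded bytes plus message and folder will fail whenever the input contains `<`, `>`, `&` or `"`; the alert is labelled test and this handler is a fixture that echoes the request for verification, so the lower-impact change is to declare the response as plain text (for example `produces = MediaType.TEXT_PLAIN_VALUE` on the mapping) and leave the body unescaped. Independently of the XSS finding, `new String(file.getBytes())` decodes with the platform default charset; pass `StandardCharsets.UTF_8` explicitly so the test behaves the same on every JVM. `message` is declared `required = false` and may be null; `escapeHtml4(null)` returns null, so the concatenation still yields the literal "null" as before, which is unchanged behaviour but worth a comment.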
@@ -37,2 +37,7 @@ | ||
<dependency> | ||
<groupId>org.apache.commons</groupId> | ||
<artifactId>commons-text</artifactId> | ||
<version>1.9</version> | ||
</dependency> | ||
<dependency> | ||
<groupId>org.projectlombok</groupId> |
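Review bot: this hunk pins commons-text to 1.9, which the dependency review table directly below reports as carrying a critical-severity advisory; the autofix for upload6 elsewhere on this page pins 1.12.0, which the same review reports clean, so use that version (or newer) here and in the other pom suggestions. If the only consumer is the test server, add `<scope>test</scope>` so the library does not become a compile-scope dependency of the published artifact; note also that the HtmlUtils-based fix on this page needs no new dependency at all.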
Package | Version | Security advisories |
org.apache.commons:commons-text (maven) | 1.9 | Critical severity |
public String upload3(@RequestBody MultipartFile file, | ||
@PathVariable("folder") String folder, | ||
@RequestParam(value = "message", required = false) String message) { | ||
return file.getOriginalFilename() + ':' + file.getContentType() + ':' + folder; |
Check warning (Code scanning / CodeQL): Cross-site scripting, Medium, test. Cross-site scripting vulnerability due to a user-provided value (reported 3 times).
public String upload4(@PathVariable("id") String id, | ||
@RequestBody Map<String, Object> map, | ||
@RequestParam String userName) { | ||
return userName + ':' + id + ':' + map.size(); |
Check warning (Code scanning / CodeQL): Cross-site scripting, Medium, test. Cross-site scripting vulnerability due to a user-provided value.
Copilot Autofix AI 14 days ago
To fix the cross-site scripting vulnerability, we need to ensure that any user-provided input is properly sanitized or encoded before being included in the response. In this case, we can use the HtmlUtils.htmlEscape method from the Spring framework to escape the userName and id parameters.
- We will modify the upload4 method to escape the userName and id parameters before including them in the response.
- This change will be made in the feign-form-spring/src/test/java/feign/form/feign/spring/Server.java file.
- We will need to import the HtmlUtils class from the Spring framework.
@@ -23,2 +23,3 @@ | ||
import lombok.val; | ||
import org.springframework.web.util.HtmlUtils; | ||
import org.springframework.boot.autoconfigure.SpringBootApplication; | ||
@@ -75,3 +76,3 @@ | ||
@RequestParam String userName) { | ||
return userName + ':' + id + ':' + map.size(); | ||
return HtmlUtils.htmlEscape(userName) + ':' + HtmlUtils.htmlEscape(id) + ':' + map.size(); | ||
} |
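Review bot: this fix uses Spring's own `HtmlUtils.htmlEscape`, which is already on the classpath of a Spring web test server, so it adds no dependency; prefer this pattern over the commons-text suggestions elsewhere on this page, and pick one approach for all handlers in Server.java rather than mixing two escaping libraries. `map.size()` is an int, so leaving it unescaped is correct. Minor: the new import lands between `lombok.val` and `org.springframework.boot...`, which breaks the alphabetical order the surrounding imports follow.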
status = OK; | ||
result = new String(popa1.getBytes()) + new String(popa2.getBytes()); | ||
} | ||
return ResponseEntity.status(status).body(result); |
Check warning (Code scanning / CodeQL): Cross-site scripting, Medium, test. Cross-site scripting vulnerability due to a user-provided value (reported 3 times).
Copilot Autofix AI 14 days ago
To fix the cross-site scripting vulnerability, we need to ensure that any user-provided content included in the HTTP response is properly sanitized or encoded. In this case, we can use HTML encoding to safely include the file content in the response body.
- We will use the StringEscapeUtils class from the Apache Commons Text library to HTML-encode the file content before including it in the response.
- This change will be made in the upload6 method where the result variable is constructed and returned.
@@ -23,2 +23,3 @@ | ||
import lombok.val; | ||
import org.apache.commons.text.StringEscapeUtils; | ||
import org.springframework.boot.autoconfigure.SpringBootApplication; | ||
@@ -94,3 +95,3 @@ | ||
status = OK; | ||
result = new String(popa1.getBytes()) + new String(popa2.getBytes()); | ||
result = StringEscapeUtils.escapeHtml4(new String(popa1.getBytes())) + StringEscapeUtils.escapeHtml4(new String(popa2.getBytes())); | ||
} |
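Review bot: `result` is the concatenation of the two uploaded parts' bytes, now HTML-escaped, so a client test comparing the body to the original content will break on any file containing markup characters; since this is the test server's echo response, setting a plain-text content type on the `ResponseEntity` (for example `.contentType(MediaType.TEXT_PLAIN)` before `.body(result)`) addresses the finding without altering the payload. Also `new String(popa1.getBytes())` and `new String(popa2.getBytes())` rely on the platform default charset; pass an explicit `StandardCharsets.UTF_8`.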
@@ -37,2 +37,7 @@ | ||
<dependency> | ||
<groupId>org.apache.commons</groupId> | ||
<artifactId>commons-text</artifactId> | ||
<version>1.12.0</version> | ||
</dependency> | ||
<dependency> | ||
<groupId>org.projectlombok</groupId> |
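Review bot: this is the pom hunk to keep: 1.12.0 is the version the dependency review below reports without advisories, whereas the other suggestions on this page pin 1.9, which is flagged critical. Add `<scope>test</scope>` if the dependency is only used by the test server, and consider declaring the version once in `<dependencyManagement>` of the parent pom so the module poms do not drift apart.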
Package | Version | Security advisories |
org.apache.commons:commons-text (maven) | 1.12.0 | None |
@PostMapping(path = "/upload/byte_array", consumes = MULTIPART_FORM_DATA_VALUE) | ||
public ResponseEntity<String> uploadByteArray(@RequestPart("file") MultipartFile file) { | ||
val status = file != null ? OK : I_AM_A_TEAPOT; | ||
return ResponseEntity.status(status).body(file.getOriginalFilename()); |
Check warning (Code scanning / CodeQL): Cross-site scripting, Medium, test. Cross-site scripting vulnerability due to a user-provided value.
Copilot Autofix AI 14 days ago
To fix the cross-site scripting vulnerability, we need to sanitize or encode the user-provided filename before including it in the HTTP response. The best way to do this is to use a library that provides HTML encoding to ensure that any potentially malicious characters in the filename are properly escaped.
In this case, we can use the StringEscapeUtils class from the Apache Commons Text library to encode the filename. This will ensure that any special characters in the filename are converted to their corresponding HTML entities, preventing XSS attacks.
@@ -25,2 +25,3 @@ | ||
import java.io.IOException; | ||
import org.apache.commons.text.StringEscapeUtils; | ||
import java.util.Collection; | ||
@@ -138,3 +139,4 @@ | ||
val status = file != null ? OK : I_AM_A_TEAPOT; | ||
return ResponseEntity.status(status).body(file.getOriginalFilename()); | ||
String safeFilename = StringEscapeUtils.escapeHtml4(file.getOriginalFilename()); | ||
return ResponseEntity.status(status).body(safeFilename); | ||
} |
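Review bot: the null check in `val status = file != null ? OK : I_AM_A_TEAPOT;` is followed on the next line by `file.getOriginalFilename()`, so the teapot branch can only end in a NullPointerException, and the escaped version keeps that. Either short-circuit (`if (file == null) return ResponseEntity.status(I_AM_A_TEAPOT).build();`) or drop the check, since `@RequestPart("file")` is required by default and Spring rejects a request without that part before the handler runs. `escapeHtml4` is null-safe, so `safeFilename` itself introduces no new NPE.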
@@ -35,2 +35,7 @@ | ||
<dependency> | ||
<groupId>org.apache.commons</groupId> | ||
<artifactId>commons-text</artifactId> | ||
<version>1.9</version> | ||
</dependency> | ||
<dependency> | ||
<groupId>org.projectlombok</groupId> |
Package | Version | Security advisories |
org.apache.commons:commons-text (maven) | 1.9 | Critical severity |
@PostMapping(path = "/upload/unknown_type", consumes = MULTIPART_FORM_DATA_VALUE) | ||
public ResponseEntity<String> uploadUnknownType(@RequestPart("file") MultipartFile file) { | ||
val status = file != null ? OK : I_AM_A_TEAPOT; | ||
return ResponseEntity.status(status).body(file.getContentType()); |
Check warning (Code scanning / CodeQL): Cross-site scripting, Medium, test. Cross-site scripting vulnerability due to a user-provided value.
Copilot Autofix AI 14 days ago
To fix the cross-site scripting vulnerability, we need to ensure that any user-provided data is properly sanitized or encoded before being included in the response. In this case, we can use a library like Apache Commons Text to escape the content type string before including it in the response body.
- General Fix: Use contextual output encoding/escaping for user-provided data before writing it to the response.
- Detailed Fix: Escape the content type string using StringEscapeUtils.escapeHtml4 from Apache Commons Text.
- Specific Changes: Modify the uploadUnknownType method to escape the content type string before including it in the response body.
- Required Imports: Add an import statement for org.apache.commons.text.StringEscapeUtils.
@@ -28,2 +28,3 @@ | ||
import lombok.val; | ||
import org.apache.commons.text.StringEscapeUtils; | ||
import org.springframework.boot.autoconfigure.SpringBootApplication; | ||
@@ -156,3 +157,4 @@ | ||
val status = file != null ? OK : I_AM_A_TEAPOT; | ||
return ResponseEntity.status(status).body(file.getContentType()); | ||
String escapedContentType = StringEscapeUtils.escapeHtml4(file.getContentType()); | ||
return ResponseEntity.status(status).body(escapedContentType); | ||
} |
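Review bot: the `/upload/unknown_type` endpoint appears to exercise a part sent without a Content-Type header, in which case `file.getContentType()` returns null; `escapeHtml4(null)` returns null, so `body(escapedContentType)` still sends an empty body and the test semantics are preserved, but that deserves a comment because the escaping reads as if it changed the value. The same dead null check as in `uploadByteArray` applies here: `file` is dereferenced on the line after `file != null` decides the status. An explicit `produces = MediaType.TEXT_PLAIN_VALUE` on the mapping would clear the alert for this handler without pulling in commons-text.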
@@ -35,2 +35,7 @@ | ||
<dependency> | ||
<groupId>org.apache.commons</groupId> | ||
<artifactId>commons-text</artifactId> | ||
<version>1.9</version> | ||
</dependency> | ||
<dependency> | ||
<groupId>org.projectlombok</groupId> |
Package | Version | Security advisories |
org.apache.commons:commons-text (maven) | 1.9 | Critical severity |
return ResponseEntity.status(status) | ||
.body(file.getOriginalFilename() + ':' + file.getContentType()); |
Check warning (Code scanning / CodeQL): Cross-site scripting, Medium, test. Cross-site scripting vulnerability due to a user-provided value (reported 2 times).
Copilot Autofix AI 14 days ago
To fix the cross-site scripting vulnerability, we need to sanitize or encode the user-provided input before including it in the response. The best way to fix this issue is to use a library that provides HTML encoding to ensure that any potentially malicious characters in the filename are rendered harmless.
In this case, we can use the StringEscapeUtils class from the Apache Commons Text library to encode the filename. This will prevent any embedded scripts from being executed by the browser.
@@ -25,2 +25,3 @@ | ||
import java.io.IOException; | ||
import org.apache.commons.text.StringEscapeUtils; | ||
import java.util.Collection; | ||
@@ -162,4 +163,5 @@ | ||
val status = file != null ? OK : I_AM_A_TEAPOT; | ||
String safeFilename = org.apache.commons.text.StringEscapeUtils.escapeHtml4(file.getOriginalFilename()); | ||
return ResponseEntity.status(status) | ||
.body(file.getOriginalFilename() + ':' + file.getContentType()); | ||
.body(safeFilename + ':' + file.getContentType()); | ||
} |
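Review bot: the second hunk calls `org.apache.commons.text.StringEscapeUtils.escapeHtml4` fully qualified even though the first hunk adds the import, so drop the package prefix. It also escapes only the filename while `file.getContentType()` is still concatenated raw, although the alert above is reported for two values; the `uploadUnknownType` suggestion on this page treats the content type as a source, so either escape both consistently or, more simply, declare the response as plain text and escape neither.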
@@ -35,2 +35,7 @@ | ||
<dependency> | ||
<groupId>org.apache.commons</groupId> | ||
<artifactId>commons-text</artifactId> | ||
<version>1.9</version> | ||
</dependency> | ||
<dependency> | ||
<groupId>org.projectlombok</groupId> |
Package | Version | Security advisories |
org.apache.commons:commons-text (maven) | 1.9 | Critical severity |
No description provided.