Sanitize value in setHeader call. (#727)

* Sanitize value in setHeade call. Issue: 102771 * Include blank space, quotes, and colons in allowed header characters. * Include 0 character in allowed header characters. * Obtains the character from the whitelist to put on the output in an attempt to cut Fortify path detection. It does not change the end result of the function. --------- Co-authored-by: sgrampone <[email protected]> Co-authored-by: ARTECH\sgrampone <[email protected]>
genexuslabs · Jun 7, 2023 · d61c48a · d61c48a
1 parent b79768d
commit d61c48a
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 2 deletions.
diff --git a/common/src/main/java/com/genexus/CommonUtil.java b/common/src/main/java/com/genexus/CommonUtil.java
@@ -47,6 +47,11 @@ public final class CommonUtil
 	private static DateFormat parse_asctime;
 	private static final Object http_parse_lock  = new Object();
 
+	private static final String LOG_USER_ENTRY_WHITELIST_STRING = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890+-_=/[]{}\":, ";
+	private static final String HTTP_HEADER_WHITELIST_STRING = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890.;+-_=/[]{}\"':, @()?<>\\";
+	public static final HashMap<Character, Character> LOG_USER_ENTRY_WHITELIST;
+	public static final HashMap<Character, Character> HTTP_HEADER_WHITELIST;
+
 	public static final ILogger logger = LogManager.getLogger(CommonUtil.class);
 
 	static
@@ -159,6 +164,9 @@ public Object initialValue()
 					{"Big5_HKSCS","Big5-HKSCS"},
 					{"EncodingWrapper","EncodingWrapper"}
 				};
+
+			LOG_USER_ENTRY_WHITELIST = stringToHashMap(LOG_USER_ENTRY_WHITELIST_STRING);
+			HTTP_HEADER_WHITELIST    = stringToHashMap(HTTP_HEADER_WHITELIST_STRING);
 		}
 		catch (Exception e)
 		{
@@ -3443,4 +3451,25 @@ public static String getClassName(String pgmName) {
 
 		return classPackage + pgmName.replace('\\', '.').trim();
 	}
+
+	private static HashMap<Character, Character> stringToHashMap(String input) {
+		HashMap<Character, Character> hashMap = new HashMap<>();
+
+		for (char c : input.toCharArray()) {
+			hashMap.put(c, c);
+		}
+		return hashMap;
+	}
+
+	public static String Sanitize(String input, HashMap<Character, Character> whiteList) {
+		StringBuilder sanitizedInput  = new StringBuilder();
+
+		for (char c : input.toCharArray()) {
+			if (whiteList.containsKey(c)) {
+				char safeC = whiteList.get(c);
+				sanitizedInput.append(safeC);
+			}
+		}
+		return sanitizedInput.toString();
+	}
 }
diff --git a/java/src/test/java/com/genexus/TestCommonUtil.java b/java/src/test/java/com/genexus/TestCommonUtil.java
@@ -15,6 +15,23 @@ private void initialize()
 		LogManager.initialize(".");
 	}
 
+	@Test
+	public void testSanitize() {
+		initialize();
+
+		//Test case 1: Sanitize using LogUserEntryWhiteList
+		String value = "This is a string without Sanitize %@, let's see what happens ";
+		String expectedResult = "This is a string without Sanitize , lets see what happens ";
+		String result = CommonUtil.Sanitize(value, CommonUtil.LOG_USER_ENTRY_WHITELIST);
+		Assert.assertEquals(expectedResult, result);
+
+		//Test case 2: Sanitize using HttpHeaderWhiteList
+		value = "This is a string without Sanitize %@, let's see what happens ";
+		expectedResult = "This is a string without Sanitize @, let's see what happens ";
+		result = CommonUtil.Sanitize(value, CommonUtil.HTTP_HEADER_WHITELIST);
+		Assert.assertEquals(expectedResult, result);
+	}
+
 	@Test
 	public void testFormat() {
 		initialize();

diff --git a/wrapperjakarta/src/main/java/com/genexus/servlet/http/HttpServletResponse.java b/wrapperjakarta/src/main/java/com/genexus/servlet/http/HttpServletResponse.java
@@ -1,5 +1,6 @@
 package com.genexus.servlet.http;
 
+import com.genexus.CommonUtil;
 import com.genexus.servlet.ServletOutputStream;
 import com.genexus.servlet.IServletOutputStream;
 import java.io.IOException;
@@ -23,7 +24,7 @@ public jakarta.servlet.http.HttpServletResponse getWrappedClass() {
 	}
 
 	public void setHeader(String name, String value) {
-		resp.setHeader(name, value);
+		resp.setHeader(name, CommonUtil.Sanitize(value, CommonUtil.HTTP_HEADER_WHITELIST));
 	}
 
 	public void addDateHeader(String name, long date) {

diff --git a/wrapperjavax/src/main/java/com/genexus/servlet/http/HttpServletResponse.java b/wrapperjavax/src/main/java/com/genexus/servlet/http/HttpServletResponse.java
@@ -1,5 +1,6 @@
 package com.genexus.servlet.http;
 
+import com.genexus.CommonUtil;
 import com.genexus.servlet.ServletOutputStream;
 import com.genexus.servlet.IServletOutputStream;
 
@@ -23,7 +24,7 @@ public javax.servlet.http.HttpServletResponse getWrappedClass() {
 	}
 
 	public void setHeader(String name, String value) {
-		resp.setHeader(name, value);
+		resp.setHeader(name, CommonUtil.Sanitize(value, CommonUtil.HTTP_HEADER_WHITELIST));
 	}
 
 	public void addDateHeader(String name, long date) {