Quoted EL in JSON.parse is safe

Sergey
2017-04-12 15:43:37 -07:00
parent e6966c7ca4
commit f2683c6cb4
2 changed files with 24 additions and 7 deletions


@ -85,22 +85,24 @@ public class VfUnescapeElRule extends AbstractVfRule {
} }
if (quoted) { if (quoted) {
// check escaping too // check escaping too
if (!(startsWithSafeResource(elExpression) || containsSafeFields(elExpression))) { if (!(jsonParse || startsWithSafeResource(elExpression) || containsSafeFields(elExpression))) {
if (doesElContainAnyUnescapedIdentifiers(elExpression, if (doesElContainAnyUnescapedIdentifiers(elExpression,
EnumSet.of(Escaping.JSENCODE, Escaping.JSINHTMLENCODE))) { EnumSet.of(Escaping.JSENCODE, Escaping.JSINHTMLENCODE))) {
addViolation(data, elExpression); addViolation(data, elExpression);
} }
} }
} else { } else {
if (!(jsonParse || startsWithSafeResource(elExpression) || containsSafeFields(elExpression))) { if (!(startsWithSafeResource(elExpression) || containsSafeFields(elExpression))) {
addViolation(data, elExpression); addViolation(data, elExpression);
} }
} }
} }
private boolean isJsonParse(ASTText prevText) { private boolean isJsonParse(ASTText prevText) {
if (prevText.getImage().endsWith("JSON.parse(") || prevText.getImage().endsWith("jQuery.parseJSON(") final String text = (prevText.getImage().endsWith("'") || prevText.getImage().endsWith("'"))
|| prevText.getImage().endsWith("$.parseJSON(")) { ? prevText.getImage().substring(0, prevText.getImage().length() - 1) : prevText.getImage();
if (text.endsWith("JSON.parse(") || text.endsWith("jQuery.parseJSON(") || text.endsWith("$.parseJSON(")) {
return true; return true;
} }
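Review bot: In the quoted branch, `jsonParse ||` now bypasses the `doesElContainAnyUnescapedIdentifiers(elExpression, EnumSet.of(Escaping.JSENCODE, Escaping.JSINHTMLENCODE))` check, yet the EL value is substituted into the JavaScript string literal before `JSON.parse` runs, so a value containing a quote or `</script>` can still end the literal and the rule would stay silent on `JSON.parse('{!yes}')`. I would keep the escaping requirement in that branch, `if (!(startsWithSafeResource(elExpression) || containsSafeFields(elExpression))) {`, so that only an encoded form such as `JSON.parse('{!JSENCODE(yes)}')` passes, unless the platform is known to encode the value in this context already. Separately, the ternary condition in `isJsonParse` tests `endsWith("'")` twice; the second operand was presumably meant to be `endsWith("\"")`, otherwise a double-quoted argument is never recognised. Both methods start or end outside this hunk, so these points rest on the visible lines only.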


@ -575,15 +575,30 @@ NOT method evaluates to safe boolean
<test-code> <test-code>
<description><![CDATA[ <description><![CDATA[
JSON.parse method evaluates to safe JSON JSON.parse method evaluates quoted EL to safe JSON
]]></description> ]]></description>
<expected-problems>0</expected-problems> <expected-problems>0</expected-problems>
<code><![CDATA[ <code><![CDATA[
<apex:page>
<script>
var x = JSON.parse('{!yes}');
jQuery.parseJSON('{!yes}');
$.parseJSON('{!yes}');
</script>
</apex:page>
]]></code>
<source-type>vf</source-type>
</test-code>
<test-code>
<description><![CDATA[
JSON.parse method evaluates non quoted EL to unsafe XSS
]]></description>
<expected-problems>1</expected-problems>
<code><![CDATA[
<apex:page> <apex:page>
<script> <script>
var x = JSON.parse({!yes}); var x = JSON.parse({!yes});
jQuery.parseJSON({!yes});
$.parseJSON({!yes});
</script> </script>
</apex:page> </apex:page>
]]></code> ]]></code>