Quoted EL in JSON.parse is safe

2017-04-12 15:43:37 -07:00
parent e6966c7ca4
commit f2683c6cb4
2 changed files with 24 additions and 7 deletions
--- a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
+++ b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
@ -85,22 +85,24 @@ public class VfUnescapeElRule extends AbstractVfRule {
        }
        if (quoted) {
            // check escaping too
-            if (!(startsWithSafeResource(elExpression) || containsSafeFields(elExpression))) {
+            if (!(jsonParse || startsWithSafeResource(elExpression) || containsSafeFields(elExpression))) {
                if (doesElContainAnyUnescapedIdentifiers(elExpression,
                        EnumSet.of(Escaping.JSENCODE, Escaping.JSINHTMLENCODE))) {
                    addViolation(data, elExpression);
                }
            }
        } else {
-            if (!(jsonParse || startsWithSafeResource(elExpression) || containsSafeFields(elExpression))) {
+            if (!(startsWithSafeResource(elExpression) || containsSafeFields(elExpression))) {
                addViolation(data, elExpression);
            }
        }
    }

    private boolean isJsonParse(ASTText prevText) {
-        if (prevText.getImage().endsWith("JSON.parse(") || prevText.getImage().endsWith("jQuery.parseJSON(")
-                || prevText.getImage().endsWith("$.parseJSON(")) {
+        final String text = (prevText.getImage().endsWith("'") || prevText.getImage().endsWith("'"))
+                ? prevText.getImage().substring(0, prevText.getImage().length() - 1) : prevText.getImage();
+
+        if (text.endsWith("JSON.parse(") || text.endsWith("jQuery.parseJSON(") || text.endsWith("$.parseJSON(")) {
            return true;
        }

--- a/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
+++ b/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
@ -575,15 +575,30 @@ NOT method evaluates to safe boolean

 	<test-code>
 		<description><![CDATA[
-JSON.parse method evaluates to safe JSON
+JSON.parse method evaluates quoted EL to safe JSON
     ]]></description>
 		<expected-problems>0</expected-problems>
 		<code><![CDATA[
+<apex:page>
+	<script>
+		var x = JSON.parse('{!yes}');
+		jQuery.parseJSON('{!yes}');
+		$.parseJSON('{!yes}');
+	</script>
+</apex:page>
+]]></code>
+		<source-type>vf</source-type>
+	</test-code>
+
+	<test-code>
+		<description><![CDATA[
+JSON.parse method evaluates non quoted EL to unsafe XSS
+     ]]></description>
+		<expected-problems>1</expected-problems>
+		<code><![CDATA[
 <apex:page>
 	<script>
 		var x = JSON.parse({!yes});
-		jQuery.parseJSON({!yes});
-		$.parseJSON({!yes});
 	</script>
 </apex:page>
 ]]></code>