From 9a2ac14b0522595a3f1b101f62f166b44baace1d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20So=CC=88semann?= Date: Wed, 16 May 2018 15:46:40 +0200 Subject: [PATCH 1/3] [vf] URLENCODE is ignored as valid escape method #1100 --- .../pmd/lang/vf/rule/security/VfUnescapeElRule.java | 2 +- .../pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml | 10 ++++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java index 89145c4ff2..c28d3eab7a 100644 --- a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java +++ b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java @@ -226,7 +226,7 @@ public class VfUnescapeElRule extends AbstractVfRule { } if (doesElContainAnyUnescapedIdentifiers(el, - EnumSet.of(Escaping.JSINHTMLENCODE, Escaping.JSENCODE))) { + EnumSet.of(Escaping.ANY))) { isEL = true; toReport.add(el); } diff --git a/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml b/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml index 9a0a38d89d..48aeb3d19b 100644 --- a/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml +++ b/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml @@ -654,5 +654,15 @@ NOW() is a safe call vf + + + 0 + +]]> + vf + From 7b51dd1570e54afa21b4140e0e504a5d04035dfe Mon Sep 17 00:00:00 2001 From: Andreas Dangel Date: Wed, 16 May 2018 19:30:02 +0200 Subject: [PATCH 2/3] Extend unit tests, refs #1100 --- .../vf/rule/security/xml/VfUnescapeEl.xml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) 
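Review bot: Replacing the escaper set with `EnumSet.of(Escaping.ANY)` on the changed line makes every member of `Escaping` (HTMLENCODE included) satisfy this check, which is broader than the issue's ask of also recognising URLENCODE. The enclosing method starts and ends outside the hunk, so I cannot see which attribute this guards; if it is an href/src-style URL check, HTMLENCODE does not neutralise a `javascript:` scheme (it leaves `:` and letters untouched), so `<a href="{!HTMLENCODE(x)}">` would now go unreported, whereas URLENCODE percent-encodes the colon and actually defuses it. I would keep the previous set and add the URL encoder explicitly, `EnumSet.of(Escaping.URLENCODE, Escaping.JSINHTMLENCODE, Escaping.JSENCODE))) {`, assuming the enum has a URLENCODE member as the issue title suggests. A test case in VfUnescapeEl.xml with HTMLENCODE around the expression and `expected-problems` of 1 would pin that narrowing. A short comment above the call, `// only URLENCODE defuses a javascript: URI here; HTMLENCODE/JSENCODE do not`, would record why the set is narrower than ANY.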
diff --git a/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml b/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml index 48aeb3d19b..fca8199fc3 100644 --- a/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml +++ b/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml @@ -665,4 +665,29 @@ URLENCODE is ignored as valid escape method #1100 vf + + + 1 + +]]> + vf + + + + + 0 + + + + +]]> + vf + + From 0544441caad000205465705f339ed02a08b26b78 Mon Sep 17 00:00:00 2001 From: Andreas Dangel Date: Wed, 16 May 2018 19:32:00 +0200 Subject: [PATCH 3/3] Update release notes, refs #1106, fixes #1100 --- docs/pages/release_notes.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/pages/release_notes.md b/docs/pages/release_notes.md index 30af3f624d..19ee55fbaa 100644 --- a/docs/pages/release_notes.md +++ b/docs/pages/release_notes.md @@ -25,6 +25,8 @@ This is a minor release. * [#848](https://github.com/pmd/pmd/issues/848): \[doc] Test failures when building pmd-doc under Windows * doc * [#791](https://github.com/pmd/pmd/issues/791): \[doc] Documentation site reorganisation +* vf-security + * [#1100](https://github.com/pmd/pmd/issues/1100): \[vf] URLENCODE is ignored as valid escape method ### API Changes 
@@ -34,4 +36,5 @@ This is a minor release.
 * [#803](https://github.com/pmd/pmd/pull/803): \[doc] Added SpotBugs as successor of FindBugs - [Tobias Weimer](https://github.com/tweimer)
 * [#830](https://github.com/pmd/pmd/pull/830): \[java] UseArraysAsList: Description added - [Tobias Weimer](https://github.com/tweimer)
 * [#845](https://github.com/pmd/pmd/pull/845): \[java] Fix false negative PreserveStackTrace on string concatenation - [Alberto Fernández](https://github.com/albfernandez)
+* [#1106](https://github.com/pmd/pmd/pull/1106): \[vf] URLENCODE is ignored as valid escape method - [Robert Sösemann](https://github.com/rsoesemann)