From 5de499331924dafc42944b8853d6c3d84204bfa6 Mon Sep 17 00:00:00 2001
From: mharindu <milanharindu.ucsc@gmail.com>
Date: Tue, 28 Jun 2016 17:23:39 +0530
Subject: [PATCH] Fixed URL tampering issue

---
 .../pom.xml                                               | 7 ++++++-
 .../framework/AuthenticationFrameworkUtil.java            | 3 ++-
 .../framework/WebappAuthenticationValve.java              | 8 ++++----
 .../framework/authorizer/PermissionAuthorizer.java        | 5 +++--
 pom.xml                                                   | 6 ++++++
 5 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml
index 6893eb1e88..5927c345da 100644
--- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml
+++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml
@@ -121,7 +121,8 @@
                             org.wso2.carbon.registry.core.*,
                             org.wso2.carbon.registry.common.*;version="${carbon.registry.imp.pkg.version.range}",
                             org.wso2.carbon.registry.indexing.*; version="${carbon.registry.imp.pkg.version.range}",
-                            org.wso2.carbon.base
+                            org.wso2.carbon.base,
+                            org.owasp.encoder
                         </Import-Package>
                     </instructions>
                 </configuration>
@@ -226,6 +227,10 @@
             <groupId>org.wso2.carbon</groupId>
             <artifactId>org.wso2.carbon.registry.core</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.wso2.orbit.org.owasp.encoder</groupId>
+            <artifactId>encoder</artifactId>
+        </dependency>
     </dependencies>
 
 </project>
diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/AuthenticationFrameworkUtil.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/AuthenticationFrameworkUtil.java
index 72fe8c958d..1ae7b83116 100644
--- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/AuthenticationFrameworkUtil.java
+++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/AuthenticationFrameworkUtil.java
@@ -21,6 +21,7 @@ import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.owasp.encoder.Encode;
 import org.w3c.dom.Document;
 import org.wso2.carbon.apimgt.api.APIManagementException;
 import org.wso2.carbon.apimgt.core.authenticate.APITokenValidator;
@@ -42,7 +43,7 @@ public class AuthenticationFrameworkUtil {
     public static void handleNoMatchAuthScheme(Request request, Response response, String httpVerb, String version,
                                                String context) {
         String msg = "Resource is not matched for HTTP Verb: '" + httpVerb + "', API context: '" + context +
-                "', Version: '" + version + "' and RequestURI: '" + request.getRequestURI() + "'";
+                "', Version: '" + version + "' and RequestURI: '" + Encode.forHtml(request.getRequestURI()) + "'";
         handleResponse(request, response, HttpServletResponse.SC_FORBIDDEN, msg);
     }
 
diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java
index 93ab9c32a3..feb5c77415 100644
--- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java
+++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java
@@ -22,6 +22,7 @@ import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.owasp.encoder.Encode;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve;
 import org.wso2.carbon.tomcat.ext.valves.CompositeValve;
@@ -151,11 +152,10 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
                     response.setHeader("WWW-Authenticate", msg);
                 }
                 if (log.isDebugEnabled()) {
-                    log.debug(msg + " , API : " + request.getRequestURI());
+                    log.debug(msg + " , API : " + Encode.forUriComponent(request.getRequestURI()));
                 }
-                AuthenticationFrameworkUtil
-                        .handleResponse(request, response, HttpServletResponse.SC_UNAUTHORIZED,
-                                        msg);
+                AuthenticationFrameworkUtil.
+                        handleResponse(request, response, HttpServletResponse.SC_UNAUTHORIZED, msg);
                 break;
         }
     }
diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/PermissionAuthorizer.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/PermissionAuthorizer.java
index efbe30bc5b..6d5138d3a2 100644
--- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/PermissionAuthorizer.java
+++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/PermissionAuthorizer.java
@@ -22,6 +22,7 @@ import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.owasp.encoder.Encode;
 import org.wso2.carbon.context.CarbonContext;
 import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
 import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException;
@@ -57,13 +58,13 @@ public class PermissionAuthorizer {
             requestPermission = registryBasedPermissionManager.getPermission(properties);
         } catch (PermissionManagementException e) {
             log.error(
-                    "Error occurred while fetching the permission for URI : " + requestUri + " ," +
+                    "Error occurred while fetching the permission for URI : " + Encode.forJava(requestUri) + " ," +
                     " METHOD : " + requestMethod + ", msg = " + e.getMessage());
         }
 
         if (requestPermission == null) {
             if (log.isDebugEnabled()) {
-                log.debug("Permission to request '" + requestUri + "' is not defined in the configuration");
+                log.debug("Permission to request '" + Encode.forJava(requestUri) + "' is not defined in the configuration");
             }
             return WebappAuthenticator.Status.FAILURE;
         }
diff --git a/pom.xml b/pom.xml
index 40e528385b..c4f8466689 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1511,6 +1511,11 @@
                 <artifactId>jackson-annotations</artifactId>
                 <version>${jackson-annotations.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.wso2.orbit.org.owasp.encoder</groupId>
+                <artifactId>encoder</artifactId>
+                <version>${owasp.encoder.version}</version>
+            </dependency>
 
         </dependencies>
     </dependencyManagement>
@@ -1880,6 +1885,7 @@
         <!--JWT grant type extension feature-->
         <identity.jwt.extension.version>1.0.2</identity.jwt.extension.version>
         <jackson-annotations.version>2.7.4</jackson-annotations.version>
+        <owasp.encoder.version>1.2.0.wso2v1</owasp.encoder.version>
     </properties>
 
 </project>