chore(merge): master into dev

bonitasoft · Apr 12, 2024 · f7ec4ef · f7ec4ef
2 parents 76c96d4 + 5b732ce
commit f7ec4ef
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 20 deletions.
diff --git a/...web-server/src/main/java/org/bonitasoft/console/common/server/filter/SanitizerFilter.java b/...web-server/src/main/java/org/bonitasoft/console/common/server/filter/SanitizerFilter.java
@@ -22,7 +22,6 @@
 import java.util.Optional;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.function.Consumer;
-import java.util.logging.Logger;
 import java.util.stream.Stream;
 
 import javax.annotation.Nullable;
@@ -40,6 +39,7 @@
 import com.fasterxml.jackson.databind.node.ArrayNode;
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import com.fasterxml.jackson.databind.node.TextNode;
+import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.io.IOUtils;
 import org.bonitasoft.console.common.server.preferences.properties.PropertiesFactory;
 import org.owasp.html.HtmlChangeListener;
@@ -54,10 +54,9 @@
  *
  * @author Vincent Hemery
  */
+@Slf4j
 public class SanitizerFilter extends ExcludingPatternFilter {
 
-    protected static Logger log = Logger.getLogger(SanitizerFilter.class.getName());
-
     /**
      * Sanitizer to apply to values.
      * Do not let TABLES and LINKS which can be mis-leading as phishing.
@@ -84,14 +83,18 @@ public class SanitizerFilter extends ExcludingPatternFilter {
 
         @Override
         public void discardedTag(@Nullable Object context, String elementName) {
-            log.fine(() -> format("Tag '%s' has been discarded", elementName));
+            if (log.isDebugEnabled()) {
+                log.debug(format("Tag '%s' has been discarded", elementName));
+            }
         }
 
         @Override
         public void discardedAttributes(
                 @Nullable Object context, String elementName, String... attributeNames) {
-            log.fine(() -> format("Tag '%s' has been cleaned from the following attributes: %s", elementName,
-                    attributeNames));
+            if (log.isDebugEnabled()) {
+                log.debug(format("Tag '%s' has been cleaned from the following attributes: %s", elementName,
+                        String.join(", ", attributeNames)));
+            }
         }
     };
 
@@ -281,7 +284,7 @@ private Optional<String> sanitizeValueAndPerformAction(String value, Consumer<St
         sanitized = HtmlUtils.htmlUnescape(sanitized);
         // check whether value has effectively changed before doing anything
         if (!sanitized.equals(value)) {
-            log.warning("Incoming HTML content has been altered. More details at debug level");
+            log.warn("Incoming HTML content has been altered. More details at debug level");
             action.accept(sanitized);
             return Optional.of(sanitized);
         }

diff --git a/.../java/org/bonitasoft/console/common/server/preferences/properties/SecurityProperties.java b/.../java/org/bonitasoft/console/common/server/preferences/properties/SecurityProperties.java
@@ -108,8 +108,8 @@ public boolean isCSRFProtectionEnabled() {
      */
     public boolean isSanitizerProtectionEnabled() {
         final String res = getPlatformProperty(SANITIZER_PROTECTION);
-        // keep false as default when not set correctly (empty string, null, or any non-"true" value)
-        return Boolean.parseBoolean(res);
+        // keep true as default when not set correctly (empty string, null, or any non-"false" value)
+        return !"false".equalsIgnoreCase(res);
     }
 
     /**

diff --git a/...a/org/bonitasoft/console/common/server/preferences/properties/SecurityPropertiesTest.java b/...a/org/bonitasoft/console/common/server/preferences/properties/SecurityPropertiesTest.java
@@ -25,23 +25,23 @@ public class SecurityPropertiesTest {
     private final SecurityProperties securityProperties = spy(new SecurityProperties());
 
     @Test
-    public void invalid_or_absent_sanitizer_conf_should_be_disabled() {
+    public void invalid_or_absent_sanitizer_conf_should_be_enabled() {
         doReturn(null).when(securityProperties).getPlatformProperty(SANITIZER_PROTECTION);
-        assertThat(securityProperties.isSanitizerProtectionEnabled()).isFalse();
+        assertThat(securityProperties.isSanitizerProtectionEnabled()).isTrue();
 
         doReturn("").when(securityProperties).getPlatformProperty(SANITIZER_PROTECTION);
-        assertThat(securityProperties.isSanitizerProtectionEnabled()).isFalse();
+        assertThat(securityProperties.isSanitizerProtectionEnabled()).isTrue();
 
-        doReturn("false").when(securityProperties).getPlatformProperty(SANITIZER_PROTECTION);
-        assertThat(securityProperties.isSanitizerProtectionEnabled()).isFalse();
+        doReturn("true").when(securityProperties).getPlatformProperty(SANITIZER_PROTECTION);
+        assertThat(securityProperties.isSanitizerProtectionEnabled()).isTrue();
     }
 
     @Test
-    public void sanitizer_should_be_enabled_for_true_value_whatever_the_case() {
-        doReturn("true").when(securityProperties).getPlatformProperty(SANITIZER_PROTECTION);
-        assertThat(securityProperties.isSanitizerProtectionEnabled()).isTrue();
+    public void sanitizer_should_be_disabled_for_false_value_whatever_the_case() {
+        doReturn("false").when(securityProperties).getPlatformProperty(SANITIZER_PROTECTION);
+        assertThat(securityProperties.isSanitizerProtectionEnabled()).isFalse();
 
-        doReturn("trUE").when(securityProperties).getPlatformProperty(SANITIZER_PROTECTION);
-        assertThat(securityProperties.isSanitizerProtectionEnabled()).isTrue();
+        doReturn("falSE").when(securityProperties).getPlatformProperty(SANITIZER_PROTECTION);
+        assertThat(securityProperties.isSanitizerProtectionEnabled()).isFalse();
     }
 }
diff --git a/bpm/bonita-web-server/src/test/resources/logback-test.xml b/bpm/bonita-web-server/src/test/resources/logback-test.xml
@@ -14,6 +14,7 @@
 	<logger name="org.bonitasoft.web.rest.server.api.bpm.process" level="INFO" />
 	<logger name="org.bonitasoft.web.rest.server.api.resource" level="INFO" />
 	<logger name="org.bonitasoft.console.common.server.login.servlet" level="TRACE" />
+	<logger name="org.bonitasoft.console.common.server.filter.SanitizerFilter" level="DEBUG" />
 
 	<root level="WARN">
 		<appender-ref ref="STDOUT" />

diff --git a/platform/platform-resources/src/main/resources/platform_portal/security-config.properties b/platform/platform-resources/src/main/resources/platform_portal/security-config.properties
@@ -1,7 +1,7 @@
 #Enable/disable CSRF security filter
 security.csrf.enabled true
 #Enable/disable the Sanitizer protection activation (true/false). This sanitizer protects against multiple attacks such as XSS, but may restrict the use of some character sequences.
-security.sanitizer.enabled false
+security.sanitizer.enabled true
 #Name of the Attributes excluded from sanitizer protection (comma separated)
 security.sanitizer.exclude email,password,password_confirm
 #Add  or not the secure flag to the CSRF token cookie (HTTPS only)