Merge pull request SORMAS-Foundation#4262 from hzi-braunschweig/bugfix-4057-findings

Bugfixes for findings SORMAS-Foundation#4057, SORMAS-Foundation#2906

Author: syntakker

sormas-api/src/main/java/de/symeda/sormas/api/utils/DataHelper.java

@@ -1,20 +1,18 @@
-/*******************************************************************************
+/*
  * SORMAS® - Surveillance Outbreak Response Management & Analysis System
- * Copyright © 2016-2018 Helmholtz-Zentrum für Infektionsforschung GmbH (HZI)
- *
+ * Copyright © 2016-2021 Helmholtz-Zentrum für Infektionsforschung GmbH (HZI)
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
  * the Free Software Foundation, either version 3 of the License, or
  * (at your option) any later version.
- *
  * This program is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  * GNU General Public License for more details.
- *
  * You should have received a copy of the GNU General Public License
  * along with this program. If not, see <https://www.gnu.org/licenses/>.
- *******************************************************************************/
+ */
+
 package de.symeda.sormas.api.utils;
 
 import java.io.BufferedReader;
@@ -35,7 +33,6 @@
 import java.util.TreeSet;
 
 import de.symeda.sormas.api.AgeGroup;
-import de.symeda.sormas.api.EntityDto;
 import de.symeda.sormas.api.HasUuid;
 import de.symeda.sormas.api.Language;
 import de.symeda.sormas.api.caze.AgeAndBirthDateDto;
@@ -156,7 +153,7 @@ public static byte[] longToBytes(long x, long y) {
 		return buffer.array();
 	}
 
-	public static String getShortUuid(EntityDto domainObject) {
+	public static String getShortUuid(HasUuid domainObject) {
 		return getShortUuid(domainObject.getUuid());
 	}
 

sormas-api/src/test/java/de/symeda/sormas/api/utils/DataHelperTest.java

@@ -2,10 +2,13 @@
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNull;
+import static org.junit.Assert.fail;
 
 import org.junit.Test;
 
 import de.symeda.sormas.api.Disease;
+import de.symeda.sormas.api.EntityDto;
+import de.symeda.sormas.api.ReferenceDto;
 import de.symeda.sormas.api.caze.CaseDataDto;
 import de.symeda.sormas.api.region.RegionReferenceDto;
 
@@ -42,4 +45,29 @@ public void testTryParseLong() {
 		assertEquals((Long) Long.MAX_VALUE, DataHelper.tryParseLong(String.valueOf(Long.MAX_VALUE)));
 		assertNull(DataHelper.tryParseLong(String.valueOf(Long.MAX_VALUE) + "0"));
 	}
+
+	@Test
+	public void testShortUuid() {
+		EntityDto entityDto = new EntityDto() {
+		};
+		entityDto.setUuid("ABCDEF-GHIJKL");
+
+		assertEquals("ABCDEF", DataHelper.getShortUuid(entityDto));
+
+		ReferenceDto referenceDto = new ReferenceDto() {
+		};
+		referenceDto.setUuid("MNOPQR-STUVWX");
+
+		assertEquals("MNOPQR", DataHelper.getShortUuid(referenceDto));
+
+		assertEquals("UZOUEH", DataHelper.getShortUuid("UZOUEH-HP7DRG-YOJ74F-PXWL2JZ4"));
+		assertNull(DataHelper.getShortUuid((String) null));
+
+		try {
+			assertEquals("A", DataHelper.getShortUuid("A"));
+			fail("getShortUuid should not be graceful on Uuids that are too short.");
+		} catch (StringIndexOutOfBoundsException e) {
+			assertEquals("begin 0, end 6, length 1", e.getMessage());
+		}
+	}
 }

sormas-backend/src/main/java/de/symeda/sormas/backend/docgeneration/CleanHtmlReference.java

@@ -0,0 +1,28 @@
+/*
+ * SORMAS® - Surveillance Outbreak Response Management & Analysis System
+ * Copyright © 2016-2021 Helmholtz-Zentrum für Infektionsforschung GmbH (HZI)
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package de.symeda.sormas.backend.docgeneration;
+
+import org.apache.velocity.app.event.ReferenceInsertionEventHandler;
+
+import de.symeda.sormas.api.utils.HtmlHelper;
+
+public class CleanHtmlReference implements ReferenceInsertionEventHandler {
+
+	@Override
+	public Object referenceInsert(String s, Object o) {
+		return o == null ? null : HtmlHelper.cleanHtml(o.toString(), HtmlHelper.EVENTACTION_WHITELIST);
+	}
+}

sormas-backend/src/main/java/de/symeda/sormas/backend/docgeneration/TemplateEngine.java

@@ -25,6 +25,7 @@
 import java.io.InputStreamReader;
 import java.io.Reader;
 import java.io.StringWriter;
+import java.nio.charset.StandardCharsets;
 import java.util.HashSet;
 import java.util.Properties;
 import java.util.Set;
@@ -43,13 +44,17 @@
 import org.apache.velocity.util.introspection.SecureUberspector;
 import org.docx4j.openpackaging.exceptions.Docx4JException;
 import org.docx4j.openpackaging.packages.WordprocessingMLPackage;
+import org.jsoup.Jsoup;
+import org.jsoup.nodes.Document.OutputSettings;
+import org.jsoup.safety.Whitelist;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import de.symeda.sormas.api.docgeneneration.DocumentTemplateException;
 import de.symeda.sormas.api.docgeneneration.DocumentVariables;
 import de.symeda.sormas.api.i18n.I18nProperties;
 import de.symeda.sormas.api.i18n.Strings;
+import de.symeda.sormas.api.utils.HtmlHelper;
 import fr.opensagres.xdocreport.core.XDocReportException;
 import fr.opensagres.xdocreport.document.IXDocReport;
 import fr.opensagres.xdocreport.document.registry.XDocReportRegistry;
@@ -63,9 +68,11 @@
 public class TemplateEngine {
 
 	private static final Pattern VARIABLE_PATTERN = Pattern.compile("([{] *(!)? *([A-Za-z0-9._]+) *[}]| *(!)? *([A-Za-z0-9._]+) *)");
+	private static final Whitelist HTML_TEMPLATE_WHITELIST =
+		HtmlHelper.EVENTACTION_WHITELIST.addAttributes("div", "class").addAttributes("span", "class").addAttributes("table", "class");
 	private static final Logger logger = LoggerFactory.getLogger(TemplateEngine.class);
 
-	private Properties xdocVelocityProperties;
+	private final Properties xdocVelocityProperties;
 
 	public TemplateEngine() {
 		xdocVelocityProperties = new Properties();
@@ -136,6 +143,9 @@ public String generateDocumentTxt(Properties properties, File templateFile) {
 		velocityEngine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME, SecureUberspector.class.getCanonicalName());
 		// Disable Includes
 		velocityEngine.setProperty(RuntimeConstants.EVENTHANDLER_INCLUDE, NoIncludesEventHandler.class.getCanonicalName());
+		// Clean Html
+		velocityEngine.setProperty(RuntimeConstants.EVENTHANDLER_REFERENCEINSERTION, CleanHtmlReference.class.getCanonicalName());
+
 		velocityEngine.setProperty(RuntimeConstants.RESOURCE_LOADER, "file");
 		velocityEngine.setProperty(RuntimeConstants.FILE_RESOURCE_LOADER_PATH, FilenameUtils.getFullPathNoEndSeparator(templateFile.getPath()));
 		Template template = velocityEngine.getTemplate(templateFile.getName());
@@ -152,7 +162,10 @@ public String generateDocumentTxt(Properties properties, File templateFile) {
 
 		StringWriter stringWriter = new StringWriter();
 		template.merge(velocityContext, stringWriter);
-		return stringWriter.toString();
+		OutputSettings outputSettings = new OutputSettings();
+		outputSettings.prettyPrint(false);
+		outputSettings.charset(StandardCharsets.UTF_8);
+		return Jsoup.clean(stringWriter.toString(), "", HTML_TEMPLATE_WHITELIST, outputSettings);
 	}
 
 	public void validateTemplateDocx(InputStream templateInputStream) throws DocumentTemplateException {

sormas-backend/src/main/resources/docgeneration/sormasStyle.html

@@ -35,6 +35,9 @@
         div.actions {
           margin-top: 35px;
         }
+        .red {
+          color: #f00;
+        }
     </style>
 </header>
 <body>

sormas-backend/src/test/resources/docgeneration/eventHandout/EventHandout.cmp

@@ -35,6 +35,9 @@
         div.actions {
           margin-top: 35px;
         }
+        .red {
+          color: #f00;
+        }
     </style>
 </header>
 <body>
@@ -44,18 +47,18 @@
 <p>...where people meet</p>
 
 <table>
-    <tr><th>Disease</th><th>Status</th><th>Event Date</th><th>Report Date</th></tr>
+    <tbody><tr><th>Disease</th><th>Status</th><th>Event Date</th><th>Report Date</th></tr>
     <tr><td>COVID-19</td><td>Signal</td><td>11/12/2020</td><td>11/13/2020</td></tr>
-</table>
+</tbody></table>
 
 <h2>Event Participants</h2>
 
 <table>
-    <tr><th>First Name</th><th>Last Name</th><th>Phone</th><th>Contacted</th></tr>
+    <tbody><tr><th>First Name</th><th>Last Name</th><th>Phone</th><th>Contacted</th></tr>
         <tr><td>Georges</td><td>Bataille</td><td>+49 681 8901</td><td>[ ]</td></tr>
         <tr><td>Guy</td><td>Debord</td><td>+49 681 4567</td><td>[ ]</td></tr>
         <tr><td>Isidore</td><td>Isou</td><td>+49 681 1234</td><td>[ ]</td></tr>
-    </table>
+    </tbody></table>
 
 
 <div class="actions">
@@ -68,7 +71,7 @@
     <h2>Another action</h2>
     <p>11/15/2020</p>
     <div> This action hast no reply </div>
-    <div> <span style="color:#f00">*</span> </div>
+    <div> <span class="red">*</span> </div>
 </div>
 
 </body>

sormas-backend/src/test/resources/docgeneration/eventHandout/EventHandout.html

@@ -23,6 +23,6 @@ <h2>Event Participants</h2>
     <h2>$action.title</h2>
     <p>$F.format($action.getDate())</p>
     <div>#if($action.getDescription()) $action.getDescription() #else <span style="color:#f00">*</span> #end</div>
-    <div>#if($action.reply) $action.reply #else <span style="color:#f00">*</span> #end</div>
+    <div>#if($action.reply) $action.reply #else <span class="red">*</span> #end</div>
 </div>
 #end

sormas-backend/src/test/resources/docgeneration/eventHandout/EventHandoutError.cmp

@@ -35,6 +35,9 @@
         div.actions {
           margin-top: 35px;
         }
+        .red {
+          color: #f00;
+        }
     </style>
 </header>
 <body>

sormas-backend/src/test/resources/docgeneration/eventHandout/EventHandoutNullableVariables.cmp

@@ -35,6 +35,9 @@
         div.actions {
           margin-top: 35px;
         }
+        .red {
+          color: #f00;
+        }
     </style>
 </header>
 <body>

sormas-backend/src/test/resources/docgeneration/eventHandout/EventHandoutPreformatting.cmp

@@ -35,6 +35,9 @@
         div.actions {
           margin-top: 35px;
         }
+        .red {
+          color: #f00;
+        }
     </style>
 </header>
 <body>
@@ -44,18 +47,18 @@
 <p>...where people meet</p>
 
 <table>
-    <tr><th>Disease</th><th>Status</th><th>Event Date</th><th>Report Date</th><th>User</th></tr>
+    <tbody><tr><th>Disease</th><th>Status</th><th>Event Date</th><th>Report Date</th><th>User</th></tr>
     <tr><td>COVID-19</td><td>Signal</td><td>11/12/2020</td><td>11/13/2020</td><td>Surv Sup</td></tr>
-</table>
+</tbody></table>
 
 <h2>Event Participants</h2>
 
 <table>
-    <tr><th>First Name</th><th>Last Name</th><th>Phone</th><th>Contacted</th></tr>
+    <tbody><tr><th>First Name</th><th>Last Name</th><th>Phone</th><th>Contacted</th></tr>
         <tr><td>Georges</td><td>Bataille</td><td>+49 681 8901</td><td>[ ]</td></tr>
         <tr><td>Guy</td><td>Debord</td><td>+49 681 4567</td><td>[ ]</td></tr>
         <tr><td>Isidore</td><td>Isou</td><td>+49 681 1234</td><td>[ ]</td></tr>
-    </table>
+    </tbody></table>
 
 
 <div class="actions">
@@ -68,7 +71,7 @@
     <h2>Another action</h2>
     <p>11/15/2020</p>
     <div> This action hast no reply </div>
-    <div> <span style="color:#f00">*</span> </div>
+    <div> <span class="red">*</span> </div>
 </div>
 
 </body>

sormas-backend/src/test/resources/docgeneration/eventHandout/EventHandoutPreformatting.html

@@ -23,6 +23,6 @@ <h2>Event Participants</h2>
     <h2>$action.title</h2>
     <p>$F.format($action.getDate())</p>
     <div>#if($action.getDescription()) $action.getDescription() #else <span style="color:#f00">*</span> #end</div>
-    <div>#if($action.reply) $action.reply #else <span style="color:#f00">*</span> #end</div>
+    <div>#if($action.reply) $action.reply #else <span class="red">*</span> #end</div>
 </div>
 #end

sormas-backend/src/test/resources/docgeneration/testcasesTxt/CleanHtml.cmp

@@ -0,0 +1 @@
+This is a test:

sormas-backend/src/test/resources/docgeneration/testcasesTxt/CleanHtml.properties

@@ -0,0 +1 @@
+alert=This is a test: <script>alert('Hey!');</script>

sormas-backend/src/test/resources/docgeneration/testcasesTxt/CleanHtml.txt

@@ -0,0 +1 @@
+$alert