From a5cb3573f832bd786fa4512145645b0102fa654c Mon Sep 17 00:00:00 2001
From: Marvin
Date: Mon, 21 Oct 2024 13:55:26 +0000
Subject: [PATCH] Fix code scanning alert no. 8: Cross-site scripting

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 feign-form/pom.xml                              | 5 +++++
 feign-form/src/test/java/feign/form/Server.java | 4 +++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/feign-form/pom.xml b/feign-form/pom.xml
index 5de6dd3cbd..82271a3f62 100644
--- a/feign-form/pom.xml
+++ b/feign-form/pom.xml
@@ -30,6 +30,11 @@
 Open Feign Forms Core + + org.apache.commons + commons-text + 1.12.0 + org.projectlombok lombok
diff --git a/feign-form/src/test/java/feign/form/Server.java b/feign-form/src/test/java/feign/form/Server.java
index f2ae708645..935d905499 100644
--- a/feign-form/src/test/java/feign/form/Server.java
+++ b/feign-form/src/test/java/feign/form/Server.java
@@ -28,6 +28,7 @@
 import java.io.IOException;
 import java.util.Collection;
 import java.util.List;
+import org.apache.commons.text.StringEscapeUtils;
 import lombok.val;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.http.HttpStatus;
@@ -166,8 +167,9 @@ public ResponseEntity uploadUnknownType(@RequestPart("file") MultipartFi
   @PostMapping(path = "/upload/form_data", consumes = MULTIPART_FORM_DATA_VALUE)
   public ResponseEntity uploadFormData(@RequestPart("file") MultipartFile file) {
     val status = file != null ? OK : I_AM_A_TEAPOT;
+    String sanitizedFilename = StringEscapeUtils.escapeHtml4(file.getOriginalFilename());
     return ResponseEntity.status(status)
-        .body(file.getOriginalFilename() + ':' + file.getContentType());
+        .body(sanitizedFilename + ':' + file.getContentType());
   }
 
   @PostMapping(path = "/submit/url", consumes = APPLICATION_FORM_URLENCODED_VALUE)
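Review bot: The commons-text dependency added in the pom.xml hunk carries no `<scope>test</scope>`, yet its only use in this patch is under `feign-form/src/test/java`, so as written it becomes a compile-scope dependency that every consumer of the feign-form artifact pulls in transitively for what is a test-only change. The XML tags are stripped in this rendering, so this is inferred from the five added lines (open tag, groupId, artifactId, version, close tag) matching the diffstat's five insertions; a scope element would have shown as a sixth. Add `<scope>test</scope>` beside `<version>1.12.0</version>`, and if the project manages versions in a parent `dependencyManagement` block, move the version there to match the other dependencies.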
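Review bot: Only the filename is escaped on the new `sanitizedFilename` line in uploadFormData; `file.getContentType()`, concatenated into the same body on the `.body(...)` line, is likewise copied verbatim from the client's multipart part header, so the pattern the scanner flagged is only half addressed. Because this endpoint is a test fixture that echoes values back for assertions, HTML-escaping also changes the echoed filename (an `&` becomes `&amp;`) and may break tests that compare it; declaring the response as plain text, `return ResponseEntity.status(status).contentType(MediaType.TEXT_PLAIN).body(file.getOriginalFilename() + ':' + file.getContentType());`, resolves the XSS finding without altering the echoed data (MediaType would need importing if the file only static-imports its constants). The dereference of `file` on the new line still ignores the `file != null` check one line above, as the original `.body(...)` line did. Style: the new import in the first hunk is placed between the java.util and lombok groups while the file's other third-party imports (org.springframework) follow lombok, so `org.apache.commons.text.StringEscapeUtils` belongs in that group.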