OF-807: Allow hyphens in S2S server names

Replace standard XSS filter with something more specific to domain name validation for the S2S server whitelist/blacklist form.

OF-807: Allow hyphens in S2S server names
Replace standard XSS filter with something more specific to domain name validation for the S2S server whitelist/blacklist form.
5e9af5f2 · Tom Evans · fd090d88 · 5e9af5f2 · 5e9af5f2 · 5e9af5f2
Commit 5e9af5f2 authored Oct 22, 2014 by Tom Evans
3 changed files
--- a/src/java/org/jivesoftware/util/StringUtils.java
+++ b/src/java/org/jivesoftware/util/StringUtils.java
@@ -33,6 +33,7 @@ import java.util.Map;
 import java.util.Random;
 import java.util.StringTokenizer;
 import java.util.concurrent.ConcurrentHashMap;
+import java.util.regex.Pattern;

 import javax.mail.internet.AddressException;
 import javax.mail.internet.InternetAddress;
@@ -52,6 +53,8 @@ public class StringUtils {
    private static final char[] AMP_ENCODE = "&amp;".toCharArray();
    private static final char[] LT_ENCODE = "&lt;".toCharArray();
    private static final char[] GT_ENCODE = "&gt;".toCharArray();
+    
+    private static final String DOMAIN_NAME = "^(?:[A-Za-z0-9][A-Za-z0-9\\-]{0,61}[A-Za-z0-9]|[A-Za-z0-9])$";

    private StringUtils() {
        // Not instantiable.
@@ -1118,6 +1121,26 @@ public class StringUtils {
        }
    }
    
+    /**
+     * Returns true if the string passed in is a valid domain name
+     * 
+     * @param domain Proposed domain name
+     * @return true if the string passed in is a valid domain name
+     */
+    public static boolean isValidDomainName(String domain) {
+    	if (domain == null) {
+    		return false;
+    	}
+    	Pattern re = Pattern.compile(DOMAIN_NAME);
+    	StringTokenizer parser = new StringTokenizer(domain, ".");
+    	while (parser.hasMoreTokens()) {
+    		if (!re.matcher(parser.nextToken()).matches()) {
+    			return false;
+    		}
+    	}
+    	return true;
+    }
+    
    /**
 	 * Removes characters likely to enable Cross Site Scripting attacks from the
 	 * provided input string. The characters that are removed from the input

--- a/src/test/java/org/jivesoftware/util/StringUtilsTest.java
+++ b/src/test/java/org/jivesoftware/util/StringUtilsTest.java
+package org.jivesoftware.util;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+import org.junit.Test;
+
+public class StringUtilsTest {
+	
+    @Test
+    public void testValidDomainNames() {
+    	
+        String domain = "www.mycompany.com";
+        assertTrue("Domain should be valid", StringUtils.isValidDomainName(domain));
+    	
+        domain = "www.my-company.com";
+        assertTrue("Domain should be valid", StringUtils.isValidDomainName(domain));
+    	
+        domain = "abc.de";
+        assertTrue("Domain should be valid", StringUtils.isValidDomainName(domain));
+    }
+    
+    @Test
+    public void testInvalidDomainNames() {
+    	
+        String domain = "www.my_company.com";
+        assertFalse("Domain should not be valid", StringUtils.isValidDomainName(domain));
+    	
+        domain = "www.-dash.com";
+        assertFalse("Domain should not be valid", StringUtils.isValidDomainName(domain));
+    	
+        domain = "www.dash-.com";
+        assertFalse("Domain should not be valid", StringUtils.isValidDomainName(domain));
+    	
+        domain = "abc.<test>.de";
+        assertFalse("Domain should not be valid", StringUtils.isValidDomainName(domain));
+    }
+
+}
--- a/src/web/server2server-settings.jsp
+++ b/src/web/server2server-settings.jsp
@@ -46,11 +46,8 @@
    boolean serverAllowed = request.getParameter("serverAllowed") != null;
    boolean serverBlocked = request.getParameter("serverBlocked") != null;
    String domain = ParamUtils.getParameter(request,"domain");
-    // OF-671
-    if (domain != null) {
-    	domain = StringUtils.removeXSSCharacters(domain);
-    }
-    String remotePort = ParamUtils.getParameter(request,"remotePort");
+	String remotePort = ParamUtils.getParameter(request,"remotePort");
+	
    boolean updateSucess = false;
    boolean allowSuccess = false;
    boolean blockSuccess = false;
@@ -139,7 +136,7 @@
    if (serverAllowed) {
        int intRemotePort = 0;
        // Validate params
-        if (domain == null || domain.trim().length() == 0) {
+        if (domain == null || domain.trim().length() == 0 || !StringUtils.isValidDomainName(domain)) {
            errors.put("domain","");
        }
        if (remotePort == null || remotePort.trim().length() == 0 ||  "0".equals(remotePort)) {
@@ -167,7 +164,7 @@

    if (serverBlocked) {
        // Validate params
-        if (domain == null || domain.trim().length() == 0) {
+        if (domain == null || domain.trim().length() == 0 || !StringUtils.isValidDomainName(domain)) {
            errors.put("domain","");
        }
        // If no errors, continue: