1 |
|
|
2 |
|
|
3 |
|
|
4 |
|
|
5 |
|
|
6 |
|
|
7 |
|
|
8 |
|
|
9 |
|
|
10 |
|
|
11 |
|
|
12 |
|
|
13 |
|
|
14 |
|
|
15 |
|
|
16 |
|
|
17 |
|
|
18 |
|
|
19 |
|
|
20 |
|
package com.xpn.xwiki.web; |
21 |
|
|
22 |
|
import java.io.IOException; |
23 |
|
import java.net.URI; |
24 |
|
import java.util.Arrays; |
25 |
|
import java.util.Date; |
26 |
|
|
27 |
|
import org.apache.commons.io.IOUtils; |
28 |
|
import org.apache.commons.lang3.StringUtils; |
29 |
|
import org.slf4j.Logger; |
30 |
|
import org.slf4j.LoggerFactory; |
31 |
|
import org.xwiki.model.reference.DocumentReference; |
32 |
|
import org.xwiki.model.reference.EntityReference; |
33 |
|
import org.xwiki.model.reference.EntityReferenceSerializer; |
34 |
|
import org.xwiki.model.reference.ObjectPropertyReference; |
35 |
|
import org.xwiki.security.authorization.AuthorExecutor; |
36 |
|
|
37 |
|
import com.xpn.xwiki.XWiki; |
38 |
|
import com.xpn.xwiki.XWikiContext; |
39 |
|
import com.xpn.xwiki.XWikiException; |
40 |
|
import com.xpn.xwiki.doc.XWikiAttachment; |
41 |
|
import com.xpn.xwiki.doc.XWikiDocument; |
42 |
|
import com.xpn.xwiki.objects.BaseObject; |
43 |
|
import com.xpn.xwiki.user.api.XWikiRightService; |
44 |
|
import com.xpn.xwiki.util.Util; |
45 |
|
|
46 |
|
|
47 |
|
|
48 |
|
|
49 |
|
|
50 |
|
|
51 |
|
|
52 |
|
|
53 |
|
|
54 |
|
|
55 |
|
|
56 |
|
|
57 |
|
@version |
58 |
|
@since |
59 |
|
|
|
|
| 62.2% |
Uncovered Elements: 74 (196) |
Complexity: 49 |
Complexity Density: 0.35 |
|
60 |
|
public class SkinAction extends XWikiAction |
61 |
|
{ |
62 |
|
|
63 |
|
private static final Logger LOGGER = LoggerFactory.getLogger(SkinAction.class); |
64 |
|
|
65 |
|
|
66 |
|
private static final String DELIMITER = "/"; |
67 |
|
|
68 |
|
|
69 |
|
private static final String SKINS_DIRECTORY = "skins"; |
70 |
|
|
71 |
|
|
72 |
|
private static final String RESOURCES_DIRECTORY = "resources"; |
73 |
|
|
74 |
|
|
75 |
|
|
76 |
|
|
77 |
|
private static final String ENCODING = "UTF-8"; |
78 |
|
|
|
|
| 50% |
Uncovered Elements: 2 (4) |
Complexity: 2 |
Complexity Density: 0.5 |
|
79 |
1114 |
@Override... |
80 |
|
public String render(XWikiContext context) throws XWikiException |
81 |
|
{ |
82 |
1112 |
try { |
83 |
1110 |
return render(context.getRequest().getPathInfo(), context); |
84 |
|
} catch (IOException e) { |
85 |
0 |
context.getResponse().setStatus(404); |
86 |
0 |
return "docdoesnotexist"; |
87 |
|
} |
88 |
|
} |
89 |
|
|
|
|
| 76.9% |
Uncovered Elements: 12 (52) |
Complexity: 14 |
Complexity Density: 0.41 |
|
90 |
1091 |
public String render(String path, XWikiContext context) throws XWikiException, IOException... |
91 |
|
{ |
92 |
|
|
93 |
|
|
94 |
|
|
95 |
|
|
96 |
|
|
97 |
|
|
98 |
|
|
99 |
|
|
100 |
|
|
101 |
|
|
102 |
|
|
103 |
|
|
104 |
|
|
105 |
|
|
106 |
1103 |
XWiki xwiki = context.getWiki(); |
107 |
|
|
108 |
|
|
109 |
|
|
110 |
1104 |
XWikiDocument doc = context.getDoc(); |
111 |
|
|
112 |
|
|
113 |
1110 |
String baseskin = xwiki.getBaseSkin(context, true); |
114 |
1113 |
XWikiDocument baseskindoc = xwiki.getDocument(baseskin, context); |
115 |
|
|
116 |
|
|
117 |
1114 |
String defaultbaseskin = xwiki.getDefaultBaseSkin(context); |
118 |
|
|
119 |
1114 |
LOGGER.debug("document: [{}] ; baseskin: [{}] ; defaultbaseskin: [{}]", |
120 |
|
new Object[] { doc.getDocumentReference(), baseskin, defaultbaseskin }); |
121 |
|
|
122 |
|
|
123 |
|
|
124 |
1110 |
int idx = path.lastIndexOf(DELIMITER); |
125 |
1111 |
boolean found = false; |
126 |
3297 |
while (idx > 0) { |
127 |
3292 |
try { |
128 |
3293 |
String filename = Util.decodeURI(path.substring(idx + 1), context); |
129 |
3293 |
LOGGER.debug("Trying [{}]", filename); |
130 |
|
|
131 |
|
|
132 |
3292 |
if (renderSkin(filename, doc, context)) { |
133 |
148 |
found = true; |
134 |
148 |
break; |
135 |
|
} |
136 |
|
|
137 |
|
|
138 |
3148 |
if (StringUtils.isNotEmpty(baseskin) && !doc.getName().equals(baseskin)) { |
139 |
3149 |
if (renderSkin(filename, baseskindoc, context)) { |
140 |
95 |
found = true; |
141 |
95 |
break; |
142 |
|
} |
143 |
|
} |
144 |
|
|
145 |
|
|
146 |
3054 |
if (StringUtils.isNotEmpty(baseskin) |
147 |
|
&& !(doc.getName().equals(defaultbaseskin) || baseskin.equals(defaultbaseskin))) { |
148 |
|
|
149 |
|
|
150 |
0 |
if (renderFileFromFilesystem(getSkinFilePath(filename, defaultbaseskin), context)) { |
151 |
0 |
found = true; |
152 |
0 |
break; |
153 |
|
} |
154 |
|
} |
155 |
|
|
156 |
|
|
157 |
3053 |
if (renderFileFromFilesystem(getResourceFilePath(filename), context)) { |
158 |
869 |
found = true; |
159 |
869 |
break; |
160 |
|
} |
161 |
|
} catch (XWikiException ex) { |
162 |
0 |
if (ex.getCode() == XWikiException.ERROR_XWIKI_APP_SEND_RESPONSE_EXCEPTION) { |
163 |
|
|
164 |
|
|
165 |
0 |
throw ex; |
166 |
|
} |
167 |
0 |
LOGGER.debug(String.valueOf(idx), ex); |
168 |
|
} |
169 |
2184 |
idx = path.lastIndexOf(DELIMITER, idx - 1); |
170 |
|
} |
171 |
1113 |
if (!found) { |
172 |
1 |
context.getResponse().setStatus(404); |
173 |
1 |
return "docdoesnotexist"; |
174 |
|
} |
175 |
1112 |
return null; |
176 |
|
} |
177 |
|
|
178 |
|
|
179 |
|
|
180 |
|
|
181 |
|
@param |
182 |
|
@param |
183 |
|
@throws |
184 |
|
|
|
|
| 100% |
Uncovered Elements: 0 (7) |
Complexity: 2 |
Complexity Density: 0.4 |
|
185 |
6436 |
public String getSkinFilePath(String filename, String skin) throws IOException... |
186 |
|
{ |
187 |
6440 |
String path = |
188 |
|
URI.create(DELIMITER + SKINS_DIRECTORY + DELIMITER + skin + DELIMITER + filename).normalize().toString(); |
189 |
|
|
190 |
6440 |
if (!path.startsWith(DELIMITER + SKINS_DIRECTORY)) { |
191 |
4 |
LOGGER.warn("Illegal access, tried to use file [{}] as a skin. Possible break-in attempt!", path); |
192 |
4 |
throw new IOException("Invalid filename: '" + filename + "' for skin '" + skin + "'"); |
193 |
|
} |
194 |
6430 |
return path; |
195 |
|
} |
196 |
|
|
197 |
|
|
198 |
|
|
199 |
|
|
200 |
|
@param |
201 |
|
@throws |
202 |
|
|
|
|
| 100% |
Uncovered Elements: 0 (7) |
Complexity: 2 |
Complexity Density: 0.4 |
|
203 |
3057 |
public String getResourceFilePath(String filename) throws IOException... |
204 |
|
{ |
205 |
3057 |
String path = URI.create(DELIMITER + RESOURCES_DIRECTORY + DELIMITER + filename).normalize().toString(); |
206 |
|
|
207 |
3057 |
if (!path.startsWith(DELIMITER + RESOURCES_DIRECTORY)) { |
208 |
3 |
LOGGER.warn("Illegal access, tried to use file [{}] as a resource. Possible break-in attempt!", path); |
209 |
3 |
throw new IOException("Invalid filename: '" + filename + "'"); |
210 |
|
} |
211 |
3054 |
return path; |
212 |
|
} |
213 |
|
|
214 |
|
|
215 |
|
|
216 |
|
|
217 |
|
|
218 |
|
|
219 |
|
|
220 |
|
|
221 |
|
|
222 |
|
|
223 |
|
|
224 |
|
@param |
225 |
|
@param@link |
226 |
|
@param@link |
227 |
|
@return |
228 |
|
@throws |
229 |
|
@throws |
230 |
|
|
|
|
| 66.7% |
Uncovered Elements: 3 (9) |
Complexity: 3 |
Complexity Density: 0.43 |
|
231 |
6439 |
private boolean renderSkin(String filename, XWikiDocument doc, XWikiContext context)... |
232 |
|
throws XWikiException, IOException |
233 |
|
{ |
234 |
6443 |
LOGGER.debug("Rendering file [{}] within the [{}] document", filename, doc.getDocumentReference()); |
235 |
6436 |
try { |
236 |
6441 |
if (doc.isNew()) { |
237 |
6438 |
LOGGER.debug("[{}] is not a document", doc.getDocumentReference().getName()); |
238 |
|
} else { |
239 |
0 |
return renderFileFromObjectField(filename, doc, context) |
240 |
|
|| renderFileFromAttachment(filename, doc, context) || (SKINS_DIRECTORY.equals(doc.getSpace()) |
241 |
|
&& renderFileFromFilesystem(getSkinFilePath(filename, doc.getName()), context)); |
242 |
|
} |
243 |
|
} catch (IOException e) { |
244 |
0 |
throw new XWikiException(XWikiException.MODULE_XWIKI_APP, |
245 |
|
XWikiException.ERROR_XWIKI_APP_SEND_RESPONSE_EXCEPTION, "Exception while sending response:", e); |
246 |
|
} |
247 |
|
|
248 |
6437 |
return renderFileFromFilesystem(getSkinFilePath(filename, doc.getName()), context); |
249 |
|
} |
250 |
|
|
251 |
|
|
252 |
|
|
253 |
|
|
254 |
|
@param |
255 |
|
@param@link |
256 |
|
@return |
257 |
|
@throws |
258 |
|
|
|
|
| 93.9% |
Uncovered Elements: 2 (33) |
Complexity: 9 |
Complexity Density: 0.33 |
|
259 |
9471 |
private boolean renderFileFromFilesystem(String path, XWikiContext context) throws XWikiException... |
260 |
|
{ |
261 |
9486 |
LOGGER.debug("Rendering filesystem file from path [{}]", path); |
262 |
|
|
263 |
9489 |
XWikiResponse response = context.getResponse(); |
264 |
9491 |
try { |
265 |
9494 |
byte[] data; |
266 |
9489 |
data = context.getWiki().getResourceContentAsBytes(path); |
267 |
1113 |
if (data != null && data.length > 0) { |
268 |
1112 |
String filename = path.substring(path.lastIndexOf("/") + 1, path.length()); |
269 |
|
|
270 |
1113 |
Date modified = null; |
271 |
|
|
272 |
|
|
273 |
1113 |
String mimetype = context.getEngineContext().getMimeType(filename.toLowerCase()); |
274 |
1111 |
if (isCssMimeType(mimetype) || isJavascriptMimeType(mimetype) || isLessCssFile(filename)) { |
275 |
|
|
276 |
963 |
String rawContent = new String(data, ENCODING); |
277 |
|
|
278 |
|
|
279 |
967 |
DocumentReference superadminUserReference = new DocumentReference(context.getMainXWiki(), |
280 |
|
XWiki.SYSTEM_SPACE, XWikiRightService.SUPERADMIN_USER); |
281 |
965 |
String evaluatedContent = evaluateVelocity(rawContent, path, superadminUserReference, context); |
282 |
|
|
283 |
966 |
byte[] newdata = evaluatedContent.getBytes(ENCODING); |
284 |
|
|
285 |
967 |
if (Arrays.equals(newdata, data)) { |
286 |
172 |
modified = context.getWiki().getResourceLastModificationDate(path); |
287 |
|
} else { |
288 |
795 |
modified = new Date(); |
289 |
795 |
data = newdata; |
290 |
|
} |
291 |
|
|
292 |
967 |
response.setCharacterEncoding(ENCODING); |
293 |
|
} else { |
294 |
146 |
modified = context.getWiki().getResourceLastModificationDate(path); |
295 |
|
} |
296 |
|
|
297 |
|
|
298 |
1113 |
setupHeaders(response, mimetype, modified, data.length); |
299 |
1112 |
try { |
300 |
1113 |
response.getOutputStream().write(data); |
301 |
|
} catch (IOException e) { |
302 |
0 |
throw new XWikiException(XWikiException.MODULE_XWIKI_APP, |
303 |
|
XWikiException.ERROR_XWIKI_APP_SEND_RESPONSE_EXCEPTION, "Exception while sending response", e); |
304 |
|
} |
305 |
|
|
306 |
1113 |
return true; |
307 |
|
} |
308 |
|
} catch (IOException ex) { |
309 |
8380 |
LOGGER.info("Skin file [{}] does not exist or cannot be accessed", path); |
310 |
|
} |
311 |
8380 |
return false; |
312 |
|
} |
313 |
|
|
314 |
|
|
315 |
|
|
316 |
|
|
317 |
|
@param |
318 |
|
@param@link |
319 |
|
@param@link |
320 |
|
@return |
321 |
|
|
322 |
|
@throws |
323 |
|
|
|
|
| 0% |
Uncovered Elements: 25 (25) |
Complexity: 5 |
Complexity Density: 0.26 |
|
324 |
0 |
public boolean renderFileFromObjectField(String filename, XWikiDocument doc, final XWikiContext context)... |
325 |
|
throws IOException |
326 |
|
{ |
327 |
0 |
LOGGER.debug("... as object property"); |
328 |
|
|
329 |
0 |
BaseObject object = doc.getObject("XWiki.XWikiSkins"); |
330 |
0 |
String content = null; |
331 |
0 |
if (object != null) { |
332 |
0 |
content = object.getStringValue(filename); |
333 |
|
} |
334 |
|
|
335 |
0 |
if (!StringUtils.isBlank(content)) { |
336 |
0 |
XWiki xwiki = context.getWiki(); |
337 |
|
|
338 |
|
|
339 |
0 |
String mimetype = xwiki.getEngineContext().getMimeType(filename.toLowerCase()); |
340 |
0 |
if (isCssMimeType(mimetype) || isJavascriptMimeType(mimetype)) { |
341 |
0 |
final ObjectPropertyReference propertyReference = |
342 |
|
new ObjectPropertyReference(filename, object.getReference()); |
343 |
|
|
344 |
|
|
345 |
0 |
content = evaluateVelocity(content, propertyReference, doc.getAuthorReference(), context); |
346 |
|
} |
347 |
|
|
348 |
|
|
349 |
0 |
XWikiResponse response = context.getResponse(); |
350 |
|
|
351 |
|
|
352 |
0 |
response.setCharacterEncoding(ENCODING); |
353 |
|
|
354 |
|
|
355 |
0 |
byte[] data = content.getBytes(ENCODING); |
356 |
0 |
setupHeaders(response, mimetype, doc.getDate(), data.length); |
357 |
0 |
response.getOutputStream().write(data); |
358 |
|
|
359 |
0 |
return true; |
360 |
|
} else { |
361 |
0 |
LOGGER.debug("Object field not found or empty"); |
362 |
|
} |
363 |
|
|
364 |
0 |
return false; |
365 |
|
} |
366 |
|
|
|
|
| 0% |
Uncovered Elements: 3 (3) |
Complexity: 1 |
Complexity Density: 0.33 |
|
367 |
0 |
private String evaluateVelocity(String content, EntityReference reference, DocumentReference author,... |
368 |
|
XWikiContext context) |
369 |
|
{ |
370 |
0 |
EntityReferenceSerializer<String> serializer = Utils.getComponent(EntityReferenceSerializer.TYPE_STRING); |
371 |
0 |
String namespace = serializer.serialize(reference); |
372 |
|
|
373 |
0 |
return evaluateVelocity(content, namespace, author, context); |
374 |
|
} |
375 |
|
|
|
|
| 80% |
Uncovered Elements: 1 (5) |
Complexity: 2 |
Complexity Density: 0.4 |
|
376 |
966 |
private String evaluateVelocity(final String content, final String namespace, final DocumentReference author,... |
377 |
|
final XWikiContext context) |
378 |
|
{ |
379 |
964 |
String result = content; |
380 |
|
|
381 |
966 |
try { |
382 |
965 |
result = Utils.getComponent(AuthorExecutor.class) |
383 |
|
.call(() -> context.getWiki().evaluateVelocity(content, namespace), author); |
384 |
|
} catch (Exception e) { |
385 |
|
|
386 |
0 |
LOGGER.error("Failed to evaluate velocity content for namespace {} with the rights of the user {}", |
387 |
|
namespace, author, e); |
388 |
|
} |
389 |
|
|
390 |
967 |
return result; |
391 |
|
} |
392 |
|
|
393 |
|
|
394 |
|
|
395 |
|
|
396 |
|
@param |
397 |
|
@param@link |
398 |
|
@param@link |
399 |
|
@return |
400 |
|
@throws |
401 |
|
@throws |
402 |
|
|
|
|
| 0% |
Uncovered Elements: 23 (23) |
Complexity: 4 |
Complexity Density: 0.21 |
|
403 |
0 |
public boolean renderFileFromAttachment(String filename, XWikiDocument doc, XWikiContext context)... |
404 |
|
throws IOException, XWikiException |
405 |
|
{ |
406 |
0 |
LOGGER.debug("... as attachment"); |
407 |
|
|
408 |
0 |
XWikiAttachment attachment = doc.getAttachment(filename); |
409 |
0 |
if (attachment != null) { |
410 |
0 |
XWiki xwiki = context.getWiki(); |
411 |
0 |
XWikiResponse response = context.getResponse(); |
412 |
|
|
413 |
|
|
414 |
0 |
String mimetype = xwiki.getEngineContext().getMimeType(filename.toLowerCase()); |
415 |
0 |
if (isCssMimeType(mimetype) || isJavascriptMimeType(mimetype)) { |
416 |
0 |
byte[] data = attachment.getContent(context); |
417 |
|
|
418 |
0 |
String velocityCode = new String(data, ENCODING); |
419 |
|
|
420 |
|
|
421 |
0 |
String evaluatedContent = |
422 |
|
evaluateVelocity(velocityCode, attachment.getReference(), doc.getAuthorReference(), context); |
423 |
|
|
424 |
|
|
425 |
0 |
response.setCharacterEncoding(ENCODING); |
426 |
|
|
427 |
|
|
428 |
0 |
data = evaluatedContent.getBytes(ENCODING); |
429 |
0 |
setupHeaders(response, mimetype, attachment.getDate(), data.length); |
430 |
0 |
response.getOutputStream().write(data); |
431 |
|
} else { |
432 |
|
|
433 |
0 |
setupHeaders(response, mimetype, attachment.getDate(), attachment.getContentSize(context)); |
434 |
0 |
IOUtils.copy(attachment.getContentInputStream(context), response.getOutputStream()); |
435 |
|
} |
436 |
|
|
437 |
0 |
return true; |
438 |
|
} else { |
439 |
0 |
LOGGER.debug("Attachment not found"); |
440 |
|
} |
441 |
|
|
442 |
0 |
return false; |
443 |
|
} |
444 |
|
|
445 |
|
|
446 |
|
|
447 |
|
|
448 |
|
@param |
449 |
|
@return |
450 |
|
|
|
|
| 100% |
Uncovered Elements: 0 (3) |
Complexity: 1 |
Complexity Density: 0.33 |
|
451 |
653 |
public boolean isJavascriptMimeType(String mimetype)... |
452 |
|
{ |
453 |
652 |
boolean result = |
454 |
|
"text/javascript".equalsIgnoreCase(mimetype) || "application/x-javascript".equalsIgnoreCase(mimetype) |
455 |
|
|| "application/javascript".equalsIgnoreCase(mimetype); |
456 |
652 |
result |= "application/ecmascript".equalsIgnoreCase(mimetype) || "text/ecmascript".equalsIgnoreCase(mimetype); |
457 |
653 |
return result; |
458 |
|
} |
459 |
|
|
460 |
|
|
461 |
|
|
462 |
|
|
463 |
|
@param |
464 |
|
@return |
465 |
|
|
|
|
| 100% |
Uncovered Elements: 0 (1) |
Complexity: 1 |
Complexity Density: 1 |
|
466 |
1112 |
public boolean isCssMimeType(String mimetype)... |
467 |
|
{ |
468 |
1110 |
return "text/css".equalsIgnoreCase(mimetype); |
469 |
|
} |
470 |
|
|
471 |
|
|
472 |
|
|
473 |
|
|
474 |
|
@param |
475 |
|
@return |
476 |
|
|
|
|
| 100% |
Uncovered Elements: 0 (1) |
Complexity: 1 |
Complexity Density: 1 |
|
477 |
147 |
private boolean isLessCssFile(String filename)... |
478 |
|
{ |
479 |
147 |
return filename.toLowerCase().endsWith(".less.vm"); |
480 |
|
} |
481 |
|
|
482 |
|
|
483 |
|
|
484 |
|
|
485 |
|
@param |
486 |
|
@param |
487 |
|
@param |
488 |
|
@param |
489 |
|
|
|
|
| 100% |
Uncovered Elements: 0 (9) |
Complexity: 2 |
Complexity Density: 0.29 |
|
490 |
1113 |
protected void setupHeaders(XWikiResponse response, String mimetype, Date lastChanged, int length)... |
491 |
|
{ |
492 |
1112 |
if (!StringUtils.isBlank(mimetype)) { |
493 |
1018 |
response.setContentType(mimetype); |
494 |
|
} else { |
495 |
95 |
response.setContentType("application/octet-stream"); |
496 |
|
} |
497 |
1113 |
response.setDateHeader("Last-Modified", lastChanged.getTime()); |
498 |
|
|
499 |
1113 |
response.setHeader("Cache-Control", "public"); |
500 |
1113 |
response.setDateHeader("Expires", (new Date()).getTime() + 30 * 24 * 3600 * 1000L); |
501 |
1113 |
response.setContentLength(length); |
502 |
|
} |
503 |
|
} |