File AbstractVelocityEscapingTest.java

 

Coverage histogram

../../../../../img/srcFileCovDistChart10.png
0% of files have more coverage

Code metrics

8
17
2
1
106
59
9
0.53
8.5
2
4.5

Classes

Class Line # Actions
AbstractVelocityEscapingTest 38 17 0% 9 2
0.925925992.6%
 

Contributing tests

No tests hitting this source file were found.

Source view

1    /*
2    * See the NOTICE file distributed with this work for additional
3    * information regarding copyright ownership.
4    *
5    * This is free software; you can redistribute it and/or modify it
6    * under the terms of the GNU Lesser General Public License as
7    * published by the Free Software Foundation; either version 2.1 of
8    * the License, or (at your option) any later version.
9    *
10    * This software is distributed in the hope that it will be useful,
11    * but WITHOUT ANY WARRANTY; without even the implied warranty of
12    * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13    * Lesser General Public License for more details.
14    *
15    * You should have received a copy of the GNU Lesser General Public
16    * License along with this software; if not, write to the Free
17    * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
18    * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
19    */
20    package org.xwiki.test.escaping.framework;
21   
import java.io.BufferedReader;
import java.io.IOException;
import java.io.Reader;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
29   
30   
31    /**
32    * Abstract base class for automatic escaping tests that need to parse velocity. Implements simple
33    * regular expression base parsing.
34    *
35    * @version $Id: 26fdd5092b320fa954ce2ab625357c40d3e09517 $
36    * @since 2.5M1
37    */
 
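public abstract class AbstractVelocityEscapingTest extends AbstractAutomaticTest
{
    /**
     * Parameter names that are known to produce false positives only and are therefore never reported by
     * {@link #parse(Reader)}:
     * <ul>
     * <li>{@code xpage} is handled by actions (in xwiki-core) to render a velocity template; invalid template names
     * produce "Unexpected empty response" warnings</li>
     * <li>{@code form_token} is never (should not be) rendered, but is checked by the CSRF protection</li>
     * </ul>
     */
    private static final Set<String> IGNORED =
        Collections.unmodifiableSet(new HashSet<String>(Arrays.asList("xpage", "form_token")));

    /**
     * Heuristic matcher for places where a velocity template reads user-controlled input. Every alternative has
     * exactly one capturing group holding the input name:
     * <ul>
     * <li>{@code $request.get("name")} / {@code $request.getParameter("name")} with a literal, quoted name</li>
     * <li>{@code $request.name} (bare property access, optionally with {@code !} and {@code {})</li>
     * <li>a fixed list of well-known parameter names, matched anywhere on the line as whole words</li>
     * </ul>
     * Known gaps: a parameter name that is not a quoted literal ({@code $request.get($name)}) and any other
     * request method ({@code getParameterValues}, {@code getParameterMap}, {@code getHeader}, cookies, ...) is not
     * matched because a method name is always followed by {@code (}, which every alternative rejects. The
     * well-known names are matched without any context, so they can also be picked up from comments or prose
     * (over-reporting, which only costs extra test runs). Compiled once; {@link Pattern} is thread-safe.
     */
    private static final Pattern INPUT_PATTERN = Pattern.compile("\\$!?\\{?request\\.get\\((?:\"|')(\\w+)(?:\"|')\\)|"
        + "\\$!?\\{?request\\.getParameter\\((?:\"|')(\\w+)(?:\"|')\\)|"
        // A bare property access must not be followed by '(' (that would be a method call) or by another word
        // character (that would be a longer name). A lookahead is used instead of consuming the following character
        // so that a reference at the very end of a line is found as well.
        + "\\$!?\\{?request\\.(\\w+)(?![(a-zA-Z_0-9])|"
        + "\\b(editor)\\b|"
        + "\\b(viewer)\\b|"
        + "\\b(section)\\b|"
        + "\\$!?\\{?(template)\\b|"
        + "\\$!?\\{?(revparams)\\b|"
        + "\\b(xredirect)\\b|"
        + "\\b(x-maximized)\\b|"
        + "\\b(xnotification)\\b|"
        + "\\b(classname)\\b|"
        + "\\b(comment)\\b|"
        + "\\b(rev1)\\b|"
        + "\\b(rev2)\\b|"
        + "\\b(sourcedoc)\\b|"
        + "\\b(targetdoc)\\b|"
        + "\\b(srid)\\b|"
        + "\\b(language)\\b");

    /**
     * Create new AbstractVelocityEscapingTest.
     *
     * @param fileNameMatcher file name pattern matcher, passed unchanged to {@link AbstractAutomaticTest}
     */
    protected AbstractVelocityEscapingTest(Pattern fileNameMatcher)
    {
        super(fileNameMatcher);
    }

    /**
     * {@inheritDoc}
     * <p>
     * This implementation does some approximate regex matching to find used parameters and other common
     * user-controlled things like user name (see {@link #INPUT_PATTERN} for what is and is not recognized). Only
     * {@code $request} is scanned; other sources of user-controlled data are not (see the TODO below). The
     * result is a new, mutable set that never contains names listed in {@link #IGNORED}.</p>
     * <p>
     * NOTE(review): the returned names are presumably the inputs the automatic escaping tests inject payloads
     * into, so an input missed here is an input that is not tested — confirm against
     * {@link AbstractAutomaticTest}.</p>
     *
     * @param reader the template source; it is read to the end (or until the first I/O error) and is not closed
     *            here, closing is left to the caller
     * @return the distinct input names found, possibly empty
     */
    @Override
    protected Set<String> parse(Reader reader)
    {
        // TODO match if user name, space name or action is used
        Set<String> input = new HashSet<String>();
        BufferedReader data = new BufferedReader(reader);
        try {
            String line;
            while ((line = data.readLine()) != null) {
                collectParameters(line, input);
            }
        } catch (IOException exception) {
            // Best effort: a read failure ends the scan, but whatever was found so far is still worth testing.
        }
        return input;
    }

    /**
     * Add every input name referenced on one line of template source to {@code input}.
     *
     * @param line one line of the template
     * @param input the set the names are added to
     */
    private static void collectParameters(String line, Set<String> input)
    {
        Matcher match = INPUT_PATTERN.matcher(line);
        while (match.find()) {
            // Exactly one group is non-null per match (the one of the alternative that matched).
            for (int i = 1; i <= match.groupCount(); i++) {
                String parameter = match.group(i);
                // The groups only ever capture word characters or fixed words; the blank check is defensive.
                if (parameter != null && !parameter.trim().isEmpty() && !IGNORED.contains(parameter)) {
                    input.add(parameter);
                }
            }
        }
    }
}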