
File RestrictParseLocationEventHandler.java

 


1    /*
2    * See the NOTICE file distributed with this work for additional
3    * information regarding copyright ownership.
4    *
5    * This is free software; you can redistribute it and/or modify it
6    * under the terms of the GNU Lesser General Public License as
7    * published by the Free Software Foundation; either version 2.1 of
8    * the License, or (at your option) any later version.
9    *
10    * This software is distributed in the hope that it will be useful,
11    * but WITHOUT ANY WARRANTY; without even the implied warranty of
12    * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13    * Lesser General Public License for more details.
14    *
15    * You should have received a copy of the GNU Lesser General Public
16    * License along with this software; if not, write to the Free
17    * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
18    * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
19    */
20    package org.xwiki.velocity.internal.util;
21   
22    import java.net.URI;
23   
24    import org.apache.velocity.app.event.IncludeEventHandler;
25    import org.slf4j.Logger;
26    import org.slf4j.LoggerFactory;
27   
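/**
 * Velocity event handler that filters #parse calls to forbid including files outside the templates directory.
 * <p>
 * The restriction is purely lexical: the requested path is appended to {@link #BASE_TEMPLATE_DIRECTORY}, dot
 * segments are collapsed with {@link URI#normalize()}, and the result must still start with the base directory.
 * No file system lookup is performed here, so symbolic links and any decoding done later by the resource loader
 * are outside what this handler can see.
 *
 * @version $Id: 1d9ec27051da3ca08ec22084491b9e90b51a6be5 $
 * @since 3.5M1
 */
public class RestrictParseLocationEventHandler implements IncludeEventHandler
{
    /** Logging helper object. */
    private static final Logger LOGGER = LoggerFactory.getLogger(RestrictParseLocationEventHandler.class);

    /**
     * Base template directory from where template inclusion is allowed.
     */
    private static final String BASE_TEMPLATE_DIRECTORY = "/templates/";

    /**
     * Rewrites an include request so that it is resolved under the templates directory, or refuses it.
     * <p>
     * {@code directiveName} is only logged; the same check is applied whatever directive triggered the event.
     *
     * @param includeResourcePath the path passed to the directive, treated as untrusted input
     * @param currentResourcePath the template that issued the directive (used for logging only)
     * @param directiveName the name of the directive that triggered the event (used for logging only)
     * @return the normalized path under {@code /templates/}, or {@code null} when the request is refused because
     *         the path is missing, is not a syntactically valid URI reference, or normalizes to a location
     *         outside the base directory
     */
    @Override
    public String includeEvent(String includeResourcePath, String currentResourcePath,
        String directiveName)
    {
        LOGGER.trace("Velocity include event: include [{}] from [{}] using [{}]",
            new Object[] { includeResourcePath, currentResourcePath, directiveName });

        // Without this guard a null path would be concatenated into the literal "/templates/null" and accepted.
        if (includeResourcePath == null) {
            LOGGER.warn("Include without a resource path requested from [{}] refused.", currentResourcePath);
            return null;
        }

        String template;
        try {
            template = URI.create(BASE_TEMPLATE_DIRECTORY + includeResourcePath).normalize().toString();
        } catch (IllegalArgumentException e) {
            // URI.create() rejects characters that are illegal in a URI (spaces, backslashes, control
            // characters...). Fail closed with an audit entry instead of letting the exception escape the
            // handler. Control characters are masked so the rejected value cannot forge extra log lines.
            LOGGER.warn("Malformed template path [{}] requested from [{}] refused.",
                includeResourcePath.replaceAll("\\p{Cntrl}", "_"), currentResourcePath);
            return null;
        }

        // NOTE(review): normalize() collapses literal "." and ".." segments only; percent-encoded segments are
        // compared as written. The prefix check is sufficient only if the resource loader that receives the
        // returned path does not URL-decode it - confirm against the loader in use.
        if (!template.startsWith(BASE_TEMPLATE_DIRECTORY)) {
            LOGGER.warn("Direct access to template file [{}] refused. Possible break-in attempt!", template);
            return null;
        }
        return template;
    }
}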