From c3f93fdf4aaaf68f648e1f082171e4d5cd2da8dc Mon Sep 17 00:00:00 2001 From: Paulo Gustavo Veiga Date: Tue, 22 Feb 2022 14:16:50 -0800 Subject: [PATCH] Improve validation of xml mindmaps during save. --- .../exceptions/InvalidMindmapException.java | 56 +++++++++++++++++++ .../java/com/wisemapping/model/Mindmap.java | 5 +- .../com/wisemapping/model/MindmapUtils.java | 27 +++++++++ .../wisemapping/rest/MindmapController.java | 12 +--- .../wisemapping/rest/model/RestMindmap.java | 46 +++++++-------- .../wisemapping/service/UserServiceImpl.java | 3 +- .../src/main/resources/messages_en.properties | 5 +- .../src/main/webapp/jsp/mindmapEditor.jsp | 3 - 8 files changed, 116 insertions(+), 41 deletions(-) create mode 100755 wise-webapp/src/main/java/com/wisemapping/exceptions/InvalidMindmapException.java create mode 100644 wise-webapp/src/main/java/com/wisemapping/model/MindmapUtils.java diff --git a/wise-webapp/src/main/java/com/wisemapping/exceptions/InvalidMindmapException.java b/wise-webapp/src/main/java/com/wisemapping/exceptions/InvalidMindmapException.java new file mode 100755 index 00000000..8f0b9939 --- /dev/null +++ b/wise-webapp/src/main/java/com/wisemapping/exceptions/InvalidMindmapException.java @@ -0,0 +1,56 @@ +/* + * Copyright [2015] [wisemapping] + * + * Licensed under WiseMapping Public License, Version 1.0 (the "License"). + * It is basically the Apache License, Version 2.0 (the "License") plus the + * "powered by wisemapping" text requirement on every single page; + * you may not use this file except in compliance with the License. + * You may obtain a copy of the license at + * + * http://www.wisemapping.org/license + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.wisemapping.exceptions; + + +import org.springframework.lang.Nullable; + +import javax.validation.constraints.NotNull; + +public class InvalidMindmapException + extends ClientException { + private static final String EMPTY_MINDMAP = "MINDMAP_EMPTY_ERROR"; + private static final String INVALID_MINDMAP_FORMAT = "INVALID_MINDMAP_FORMAT"; + private static final String TOO_BIG_MINDMAP = "TOO_BIG_MINDMAP"; + + private final String bundleKey; + + private InvalidMindmapException(@NotNull String bundleKey, @Nullable String xmlDoc) { + super("Invalid mindmap format:" + xmlDoc, Severity.SEVERE); + this.bundleKey = bundleKey; + } + + static public InvalidMindmapException emptyMindmap() { + return new InvalidMindmapException(EMPTY_MINDMAP,""); + } + + static public InvalidMindmapException invalidFormat(@Nullable String xmlDoc) { + return new InvalidMindmapException(INVALID_MINDMAP_FORMAT,xmlDoc); + } + + static public InvalidMindmapException tooBigMindnap() { + return new InvalidMindmapException(TOO_BIG_MINDMAP,""); + } + + @NotNull + @Override + protected String getMsgBundleKey() { + return bundleKey; + } +} diff --git a/wise-webapp/src/main/java/com/wisemapping/model/Mindmap.java b/wise-webapp/src/main/java/com/wisemapping/model/Mindmap.java index c3e902de..5179cd61 100644 --- a/wise-webapp/src/main/java/com/wisemapping/model/Mindmap.java +++ b/wise-webapp/src/main/java/com/wisemapping/model/Mindmap.java @@ -19,6 +19,7 @@ package com.wisemapping.model; import com.wisemapping.exceptions.AccessDeniedSecurityException; +import com.wisemapping.exceptions.InvalidMindmapException; import com.wisemapping.exceptions.WiseMappingException; import com.wisemapping.util.ZipUtils; import org.apache.commons.lang.StringEscapeUtils; @@ -94,7 +95,9 @@ public class Mindmap implements Serializable { } } - public void setXmlStr(@NotNull String xml) { + public void setXmlStr(@NotNull String xml) throws InvalidMindmapException { + // Is a valid mindmap ... ? + MindmapUtils.verifyMindmap(xml); this.setUnzipXml(xml.getBytes(StandardCharsets.UTF_8)); } diff --git a/wise-webapp/src/main/java/com/wisemapping/model/MindmapUtils.java b/wise-webapp/src/main/java/com/wisemapping/model/MindmapUtils.java new file mode 100644 index 00000000..a39508f3 --- /dev/null +++ b/wise-webapp/src/main/java/com/wisemapping/model/MindmapUtils.java @@ -0,0 +1,27 @@ +package com.wisemapping.model; + + +import com.wisemapping.exceptions.InvalidMindmapException; +import org.jetbrains.annotations.Nullable; + +abstract public class MindmapUtils { + + private static final int MAX_SUPPORTED_NODES = 500; + + public static void verifyMindmap(@Nullable String xmlDoc) throws InvalidMindmapException { + if (xmlDoc == null || xmlDoc.trim().isEmpty()) { + // Perform basic structure validation. Must have a map node and + throw InvalidMindmapException.emptyMindmap(); + } + + // Perform basic structure validation without parsing the XML. + if (!xmlDoc.trim().endsWith("") || !xmlDoc.trim().startsWith(" MAX_SUPPORTED_NODES) { + throw InvalidMindmapException.tooBigMindnap(); + } + } +} diff --git a/wise-webapp/src/main/java/com/wisemapping/rest/MindmapController.java b/wise-webapp/src/main/java/com/wisemapping/rest/MindmapController.java index dd918e93..c87a567d 100644 --- a/wise-webapp/src/main/java/com/wisemapping/rest/MindmapController.java +++ b/wise-webapp/src/main/java/com/wisemapping/rest/MindmapController.java @@ -133,10 +133,7 @@ public class MindmapController extends BaseController { collaborationProperties.setMindmapProperties(properties); // Validate content ... - String xml = restMindmap.getXml(); - if (xml == null) { - throw new IllegalArgumentException("Map xml can not be null"); - } + final String xml = restMindmap.getXml(); mindmap.setXmlStr(xml); // Update map ... @@ -164,14 +161,10 @@ public class MindmapController extends BaseController { @RequestMapping(method = RequestMethod.PUT, value = {"/maps/{id}/document/xml"}, consumes = {"text/plain"}) @ResponseBody public void updateDocument(@PathVariable int id, @RequestBody String xmlDoc) throws WiseMappingException, IOException { - final Mindmap mindmap = findMindmapById(id); final User user = Utils.getUser(); - if (xmlDoc != null && !xmlDoc.isEmpty()) { - mindmap.setXmlStr(xmlDoc); - } - mindmap.setXmlStr(xmlDoc); + saveMindmapDocument(false, mindmap, user); } @@ -273,7 +266,6 @@ public class MindmapController extends BaseController { // Is there a map with the same name ? if (mindmapService.getMindmapByTitle(title, user) != null) { - throw buildValidationException("title", "You already have a mindmap with this title"); } diff --git a/wise-webapp/src/main/java/com/wisemapping/rest/model/RestMindmap.java b/wise-webapp/src/main/java/com/wisemapping/rest/model/RestMindmap.java index c9565196..fcc176c2 100644 --- a/wise-webapp/src/main/java/com/wisemapping/rest/model/RestMindmap.java +++ b/wise-webapp/src/main/java/com/wisemapping/rest/model/RestMindmap.java @@ -1,20 +1,20 @@ /* -* Copyright [2015] [wisemapping] -* -* Licensed under WiseMapping Public License, Version 1.0 (the "License"). -* It is basically the Apache License, Version 2.0 (the "License") plus the -* "powered by wisemapping" text requirement on every single page; -* you may not use this file except in compliance with the License. -* You may obtain a copy of the license at -* -* http://www.wisemapping.org/license -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ + * Copyright [2015] [wisemapping] + * + * Licensed under WiseMapping Public License, Version 1.0 (the "License"). + * It is basically the Apache License, Version 2.0 (the "License") plus the + * "powered by wisemapping" text requirement on every single page; + * you may not use this file except in compliance with the License. + * You may obtain a copy of the license at + * + * http://www.wisemapping.org/license + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ package com.wisemapping.rest.model; @@ -22,9 +22,9 @@ package com.wisemapping.rest.model; import com.fasterxml.jackson.annotation.JsonAutoDetect; import com.fasterxml.jackson.annotation.JsonIgnore; import com.fasterxml.jackson.annotation.JsonIgnoreProperties; +import com.wisemapping.exceptions.InvalidMindmapException; import com.wisemapping.exceptions.WiseMappingException; import com.wisemapping.model.*; -import com.wisemapping.security.Utils; import com.wisemapping.util.TimeUtils; import org.jetbrains.annotations.NotNull; import org.jetbrains.annotations.Nullable; @@ -34,10 +34,6 @@ import javax.xml.bind.annotation.XmlAccessorType; import javax.xml.bind.annotation.XmlRootElement; import java.io.IOException; import java.util.Calendar; -import java.util.LinkedHashSet; -import java.util.List; -import java.util.Set; -import java.util.stream.Collectors; @XmlRootElement(name = "map") @XmlAccessorType(XmlAccessType.PROPERTY) @@ -71,7 +67,7 @@ public class RestMindmap { } } - public void setCreationTime(final String creationTime){ + public void setCreationTime(final String creationTime) { // Ignore } @@ -154,10 +150,10 @@ public class RestMindmap { return mindmap.getXmlStr(); } - public void setXml(@Nullable String xml) throws IOException { - - if (xml != null) + public void setXml(@Nullable String xml) throws IOException, InvalidMindmapException { + if (xml != null) { mindmap.setXmlStr(xml); + } } public String getOwner() { diff --git a/wise-webapp/src/main/java/com/wisemapping/service/UserServiceImpl.java b/wise-webapp/src/main/java/com/wisemapping/service/UserServiceImpl.java index b55a2a69..188e0f1b 100755 --- a/wise-webapp/src/main/java/com/wisemapping/service/UserServiceImpl.java +++ b/wise-webapp/src/main/java/com/wisemapping/service/UserServiceImpl.java @@ -19,6 +19,7 @@ package com.wisemapping.service; import com.wisemapping.dao.UserManager; +import com.wisemapping.exceptions.InvalidMindmapException; import com.wisemapping.exceptions.WiseMappingException; import com.wisemapping.mail.NotificationService; import com.wisemapping.model.*; @@ -146,7 +147,7 @@ public class UserServiceImpl return user; } - public Mindmap buildTutorialMindmap(@NotNull String firstName) { + public Mindmap buildTutorialMindmap(@NotNull String firstName) throws InvalidMindmapException { //To change body of created methods use File | Settings | File Templates. final Locale locale = LocaleContextHolder.getLocale(); Mindmap result = new Mindmap(); diff --git a/wise-webapp/src/main/resources/messages_en.properties b/wise-webapp/src/main/resources/messages_en.properties index 99bfe252..a5d746c3 100644 --- a/wise-webapp/src/main/resources/messages_en.properties +++ b/wise-webapp/src/main/resources/messages_en.properties @@ -52,4 +52,7 @@ UNEXPECTED_ERROR_DETAILS = Unexpected error processing request. NO_ENOUGH_PERMISSIONS=This mind map can opened. NO_ENOUGH_PERMISSIONS_DETAILS=You do not have enough right access to see this map. This map has been changed to private or deleted. CAPTCHA_TIMEOUT_OUT_DUPLICATE=Please, refresh the page and try again. -CAPTCHA_INVALID_INPUT_RESPONSE="Invalid input response, refresh the page and try again. \ No newline at end of file +CAPTCHA_INVALID_INPUT_RESPONSE="Invalid input response, refresh the page and try again. +MINDMAP_EMPTY_ERROR=Midnmap can not be empty. +INVALID_MINDMAP_FORMAT=Mindmap format is not valid format. +TOO_BIG_MINDMAP=You have reached the limit of 500 topics in a mindmap. diff --git a/wise-webapp/src/main/webapp/jsp/mindmapEditor.jsp b/wise-webapp/src/main/webapp/jsp/mindmapEditor.jsp index 157a7f9c..f02cc9b2 100644 --- a/wise-webapp/src/main/webapp/jsp/mindmapEditor.jsp +++ b/wise-webapp/src/main/webapp/jsp/mindmapEditor.jsp @@ -33,14 +33,11 @@