From 3a4926bd38f5af273e9547ecbc6f359484dc0514 Mon Sep 17 00:00:00 2001
From: houyingchao <1348375921@qq.com>
Date: Mon, 23 Aug 2021 15:45:52 +0800
Subject: [PATCH] Fix CVE-2019-10219
(cherry picked from commit c5832429096b8b9b87f40f4bd23aa5bc5d3491e0)
---
 CVE-2019-10219.patch | 95 ++++++++++++++++++++++++++++++++++++++++
 hibernate-validator.spec | 7 ++-
 2 files changed, 101 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2019-10219.patch
diff --git a/CVE-2019-10219.patch b/CVE-2019-10219.patch
new file mode 100644
index 0000000..d475701
--- /dev/null
+++ b/CVE-2019-10219.patch
@@ -0,0 +1,95 @@
+From 124b7dd6d9a4ad24d4d49f74701f05a13e56ceee Mon Sep 17 00:00:00 2001
+From: Davide D'Alto
+Date: Fri, 18 Oct 2019 16:45:20 +0200
+Subject: [PATCH] HV-1739 Fix CVE-2019-10219 Security issue with @SafeHtml
+
+---
+ .../hv/SafeHtmlValidator.java | 10 ++---
+ .../hv/SafeHtmlValidatorTest.java | 38 +++++++++++++++++++
+ 2 files changed, 43 insertions(+), 5 deletions(-)
+
+diff --git a/engine/src/main/java/org/hibernate/validator/internal/constraintvalidators/hv/SafeHtmlValidator.java b/engine/src/main/java/org/hibernate/validator/internal/constraintvalidators/hv/SafeHtmlValidator.java
+index 7fba356..26e4361 100644
+--- a/engine/src/main/java/org/hibernate/validator/internal/constraintvalidators/hv/SafeHtmlValidator.java
++++ b/engine/src/main/java/org/hibernate/validator/internal/constraintvalidators/hv/SafeHtmlValidator.java
+@@ -6,13 +6,13 @@
+ */
+ package org.hibernate.validator.internal.constraintvalidators.hv;
+
+-import java.util.Iterator;
++import java.util.List;
+ import javax.validation.ConstraintValidator;
+ import javax.validation.ConstraintValidatorContext;
+
+ import org.jsoup.Jsoup;
+ import org.jsoup.nodes.Document;
+-import org.jsoup.nodes.Element;
++import org.jsoup.nodes.Node;
+ import org.jsoup.parser.Parser;
+ import org.jsoup.safety.Cleaner;
+ import org.jsoup.safety.Whitelist;
+@@ -76,9 +76,9 @@ private Document getFragmentAsDocument(CharSequence value) {
+ Document document = Document.createShell( "" );
+
+ // add the fragment's nodes to the body of resulting document
+- Iterator nodes = fragment.children().iterator();
+- while ( nodes.hasNext() ) {
+- document.body().appendChild( nodes.next() );
++ List childNodes = fragment.childNodes();
++ for ( Node node : childNodes ) {
++ document.body().appendChild( node.clone() );
+ }
+
+ return document;
+diff --git a/engine/src/test/java/org/hibernate/validator/test/internal/constraintvalidators/hv/SafeHtmlValidatorTest.java 
b/engine/src/test/java/org/hibernate/validator/test/internal/constraintvalidators/hv/SafeHtmlValidatorTest.java
+index 65a1f8a..c45aad3 100644
+--- a/engine/src/test/java/org/hibernate/validator/test/internal/constraintvalidators/hv/SafeHtmlValidatorTest.java
++++ b/engine/src/test/java/org/hibernate/validator/test/internal/constraintvalidators/hv/SafeHtmlValidatorTest.java
+@@ -54,6 +54,44 @@ public void testInvalidScriptTagIncluded() throws Exception {
+ assertFalse( getSafeHtmlValidator().isValid( "HelloWorld !", null ) );
+ }
+
++ @Test
++ // A "downlevel revealed" conditional 'comment' is not an (X)HTML comment at all,
++ // despite the misleading name, it is default Microsoft syntax.
++ // The tag is unrecognized by therefore executed
++ public void testDownlevelRevealedConditionalComment() throws Exception {
++ descriptorBuilder.setAttribute( "whitelistType", WhiteListType.BASIC );
++
++ assertFalse( getSafeHtmlValidator().isValid( "\n\n", null ) );
++ }
++
++ @Test
++ public void testDownlevelHiddenConditionalComment() throws Exception {
++ descriptorBuilder.setAttribute( "whitelistType", WhiteListType.BASIC );
++
++ assertFalse( getSafeHtmlValidator().isValid( "", null ) );
++ }
++
++ @Test
++ public void testSimpleComment() throws Exception {
++ descriptorBuilder.setAttribute( "whitelistType", WhiteListType.BASIC );
++
++ assertFalse( getSafeHtmlValidator().isValid( "", null ) );
++ }
++
++ @Test
++ public void testServerSideIncludesSSI() throws Exception {
++ descriptorBuilder.setAttribute( "whitelistType", WhiteListType.BASIC );
++
++ assertFalse( getSafeHtmlValidator().isValid( "alert{\"XSS\"}'}; ?>", null ) );
++ }
++
++ @Test
++ public void testPHPScript() throws Exception {
++ descriptorBuilder.setAttribute( "whitelistType", WhiteListType.BASIC );
++
++ assertFalse( getSafeHtmlValidator().isValid( "alert{\"XSS\"}'}; ?>", null ) );
++ }
++
+ @Test
+ public void testInvalidIncompleteImgTagWithScriptIncluded() {
+ descriptor.setValue( "whitelistType", 
WhiteListType.BASIC );
+--
+2.23.0
+
diff --git a/hibernate-validator.spec b/hibernate-validator.spec
index 71629b8..c3758a3 100644
--- a/hibernate-validator.spec
+++ b/hibernate-validator.spec
@@ -4,7 +4,7 @@
 Name: hibernate-validator
 Version: 5.2.4
-Release: 3
+Release: 4
 Summary: Bean Validation 1.1 (JSR 349) Reference Implementation
 License: ASL 2.0
 URL: http://www.hibernate.org/subprojects/validator.html
@@ -17,6 +17,7 @@ Patch3: CVE-2020-10693-1.patch
 Patch4: CVE-2020-10693-2.patch
 Patch5: CVE-2020-10693-3.patch
 Patch6: CVE-2020-10693-4.patch
+Patch7: CVE-2019-10219.patch
 BuildRequires: maven-local mvn(com.fasterxml:classmate) mvn(com.sun.xml.bind:jaxb-impl)
 BuildRequires: mvn(com.thoughtworks.paranamer:paranamer)
@@ -86,6 +87,7 @@ find . -name "*.jar" -delete
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 %pom_disable_module distribution
 %pom_disable_module documentation
 %pom_disable_module engine-jdk8-tests
@@ -142,6 +144,9 @@ rm engine/src/main/java/org/hibernate/validator/internal/engine/valuehandling/Ja
 %license copyright.txt license.txt
 %changelog
+* Mon Aug 23 2021 houyingchao - 5.2.4-4
+- Fix CVE-2019-10219
+
 * Mon Mar 15 2021 wangxiao - 5.2.4-3
 - Fix CVE-2020-10693
-- Gitee
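Review bot: In the embedded CVE-2019-10219.patch, the comment above the rewritten loop in `getFragmentAsDocument` still says only `// add the fragment's nodes to the body of resulting document`, so the reason for moving from `fragment.children()` to `fragment.childNodes()` with `node.clone()` is not recorded and a later clean-up could restore the element-only iteration. I would add `// childNodes(), not children(): comment and other non-element nodes must reach the whitelist check too` and, if this is indeed the reason for the copy, `// clone() so appendChild() does not move nodes out of the fragment while it is iterated`. In the test hunk every new case sets `WhiteListType.BASIC` only, and the comment ending `The tag is unrecognized by therefore executed` appears to be missing a word; a case under a second whitelist type would show the fix does not depend on that setting. `getFragmentAsDocument` begins and ends outside the hunk.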