Details

    • Sprint:
      Iteration 37, Iteration 38, Iteration 39, Iteration 40, Iteration 41
    • Type of Documentation:
      Developer

      Description

      Background
      AntiSamy is a Java component that sanitizes HTML/CSS to eliminate potentially malicious JavaScript. Its policy files must follow the AntiSamy specification: https://owasp.org/www-project-antisamy/
      This development makes it possible to apply different AntiSamy rule sets to different types of content. Until now the portal had one fixed set of rules that could only be switched on or off; with this development different rule sets can be generated and associated with different model classes of the portal.
      So we can now allow, for example, KB articles to contain certain types of content (such as iframes with videos) while prohibiting that same content in comments.

      Features
      We have added a new menu option at System Settings - Security Tools - AntiSamy Sanitizer by Model that maps a generated AntiSamy XML file to each type of content (the class name of the model must be specified).
      Please note that if the object is whitelisted (at System Settings - Security Tools - AntiSamy Sanitizer), the configuration by model is not taken into account for it.

      Any developer can now generate a new AntiSamy file using Gradle; how to do this is explained in the next section.
      A file not generated with this Gradle task can also be added, as long as it complies with the specification.
      Take into account that the AntiSamy files must be available in the AntiSamy bundle, so they must be stored in: modules/apps/portal-security/portal-security-antisamy/src/main/resources/META-INF/resources

      Steps
      In the portal-security-antisamy module we have made it possible to add a new task that generates a new AntiSamy file. To generate a new file:
      1. Go to build.gradle at portal-security-antisamy
      2. Add a new task of type Copy for your new file:

      task processMyModelFileConfiguration(type: Copy)
      

      3. Create the task depending on the existing default task:

      processMyModelFileConfiguration {
      	dependsOn processDefaultSanitizerConfiguration
      
      	File sanitizerConfigurationFile = new File("src/main/resources/META-INF/resources/my-file-name-sanitizer-configuration.xml") // Filename
      
      	ext {
      		autoClean = false
      	}
      
      	filter {
      		return _filterMyFile(it) // Filter Method
      	}
      
      	from {
      		processDefaultSanitizerConfiguration.outputs.files.singleFile
      	}
      
      	into sanitizerConfigurationFile.parentFile
      
      	onlyIf {
      		!sanitizerConfigurationFile.exists()
      	}
      
      	rename {
      		sanitizerConfigurationFile.name
      	}
      }
      

      4. Create your filter method, in which you can add, remove or modify the AntiSamy rules you need, always following the OWASP specification. Note that the default file (sanitizer-configuration.xml) is used as the input and that the filter is applied to it line by line:

      // Called once per line of the default sanitizer-configuration.xml;
      // the returned string replaces that line in the generated file.
      private String _filterMyFile(String line) {
      	if (line.contains('<directive name="maxInputSize" value="20000"/>')) {
      		line = line.replace "20000", "99999" // raise the maximum input size for this model
      	}
      	return line
      }
      

      5. Add your new task to the processResources task:

      dependsOn processMyModelFileConfiguration
      

      6. Run the resources task with Gradle (gradlew processResources) to obtain your new file. You can then map it to a model class at System Settings - Security Tools - AntiSamy Sanitizer by Model.
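      As an added example (not code from the original page), the following build.gradle fragment applies the steps above to the comments case from the Background: it derives a stricter configuration that removes the iframe tag declaration, so AntiSamy treats iframe as an undeclared tag, and lowers maxInputSize. The task name processCommentsSanitizerConfiguration, the closure name, the output file name and the presence of an iframe <tag> element in the default file are assumptions; a closure is used instead of the method of step 4 because it can keep state across lines, which dropping a multi-line element requires.

```groovy
// Added example, not code from the page: a stricter configuration for
// comments derived from the default file. Task name, closure name and
// output file name are assumptions; the iframe <tag> in the default file
// is assumed too.
// Gradle hands the filter one line at a time, so dropping a multi-line
// <tag> element needs state kept across calls; returning null drops a line.
boolean insideDisallowedTag = false

Closure<String> filterCommentsConfiguration = { String line ->
	if (line.contains('<tag name="iframe"')) {
		// One-line forms (<.../> or <...></tag>) need no further skipping
		insideDisallowedTag = !(line.contains('/>') || line.contains('</tag>'))
		return null
	}
	if (insideDisallowedTag) {
		insideDisallowedTag = !line.contains('</tag>')
		return null
	}
	// Comments are short, so cap what the sanitizer will even parse
	if (line.contains('<directive name="maxInputSize"')) {
		return line.replaceAll(/value="\d+"/, 'value="5000"')
	}
	return line
}

task processCommentsSanitizerConfiguration(type: Copy) {
	dependsOn processDefaultSanitizerConfiguration

	File sanitizerConfigurationFile = new File("src/main/resources/META-INF/resources/comments-sanitizer-configuration.xml")

	ext {
		autoClean = false
	}

	filter filterCommentsConfiguration
	from {
		processDefaultSanitizerConfiguration.outputs.files.singleFile
	}
	into sanitizerConfigurationFile.parentFile

	onlyIf { !sanitizerConfigurationFile.exists() }

	rename { sanitizerConfigurationFile.name }
}

processResources {
	dependsOn processCommentsSanitizerConfiguration
}
```

      Because of onlyIf, delete the generated comments-sanitizer-configuration.xml before running gradlew processResources again if the filter changes.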

      How to register custom AntiSamy XML config for a model through a fragment

      It is possible to provide a custom XML for a given model through a fragment bundle. Here is an example for the WikiPage model:

      1. Create a fragment bundle project and put the following into bnd.bnd:
        bnd.bnd
        Bundle-Name: Liferay Portal Security AntiSamy Fragment
        Bundle-SymbolicName: com.liferay.portal.security.antisamy.fragment
        Bundle-Version: 1.0.0
        Fragment-Host: com.liferay.portal.security.antisamy
        Import-Package: !*
        
      2. Create a folder called configs in the project root and create the following file inside the folder:
        com.liferay.portal.security.antisamy.configuration.AntiSamyClassNameConfiguration-wiki.config
        className="com.liferay.wiki.model.WikiPage"
        configurationFileURL="/META-INF/resources/wiki-sanitizer-configuration.xml"
        
      3. Create the folder structure src/main/resources/META-INF/resources
      4. Put your custom XML, named "wiki-sanitizer-configuration.xml", into this folder
      5. Create an empty build.gradle file in the project root
      6. Build & deploy the fragment
      7. Refresh (deactivate/activate) the Host Bundle ("Liferay Portal Security AntiSamy" - "com.liferay.portal.security.antisamy") for example through the App Manager or restart the server

      Result:

      • Your custom "AntiSamyClassNameConfiguration-blogs.config" file appears under "[Liferay Home]/osgi/configs"
      • A new "AntiSamy Sanitizer by Class Name" entry appears in the System Settings

      Here you can find the example project: https://github.com/lipusz/liferay-portal/tree/LPS-112978/modules/apps/portal-security/portal-security-antisamy-fragment

      Or use the provided artifacts:

      1. Start Portal/DXP
      2. Deploy com.liferay.portal.security.antisamy.fragment-1.0.0.jar
      3. Copy com.liferay.portal.security.antisamy.configuration.AntiSamyClassNameConfiguration-wiki.config to [Liferay Home]/osgi/configs

      Note: When editing a Wiki Page, you need to change the format to "HTML" under the "Configuration" section on the edit screen, otherwise the AntiSamy Sanitizer won't be invoked.


      Code
      The code to be considered in this functionality is:

              People

              Assignee:
              tibor.lipusz Tibor Lipusz
              Reporter:
              nora.szel Nóra Szél
                  Packages

                  Version Package
                  7.3.X
                  Master