Potential Vulnerability in Cloned Code#6
Potential Vulnerability in Cloned Code#6bugfinderbot wants to merge 1 commit intospringboot4:masterfrom
Conversation
There was a problem hiding this comment.
Pull request overview
This PR intends to apply an upstream security patch to the XSS filter’s doFilterInternal() implementation to address a potential vulnerability in the cloned code.
Changes:
- Adds an
XssCleanerdependency toXssFilter - Updates
doFilterInternal()to pass anXssCleanerintoXssRequestWrapper
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| private final XssCleaner xssCleaner; | ||
|
|
There was a problem hiding this comment.
XssCleaner is referenced as a new dependency, but there is no XssCleaner type defined anywhere in this module/repo (searching under art-spring-boot-starter-xss only finds this file). This will not compile unless you add/introduce the XssCleaner type (and ensure it is a Spring bean), or replace it with an existing cleaner implementation used by the project.
| @Override | ||
| protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) | ||
| protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain, XssCleaner xssCleaner) | ||
| throws ServletException, IOException { |
There was a problem hiding this comment.
OncePerRequestFilter#doFilterInternal must have the exact 3-argument signature (HttpServletRequest, HttpServletResponse, FilterChain). Adding XssCleaner as a 4th parameter breaks the @Override contract and will cause compilation failure. Use the injected field (this.xssCleaner) inside the method instead of changing the override signature.
| filterChain.doFilter(new XssRequestWrapper(request,xssCleaner), response); | ||
| } |
There was a problem hiding this comment.
XssRequestWrapper currently only has a constructor that accepts (HttpServletRequest); there is no (HttpServletRequest, XssCleaner) constructor. Either update XssRequestWrapper accordingly (and implement how XssCleaner is used), or keep using the existing constructor here.
This PR fixes a potential security vulnerability in doFilterInternal() that was cloned from ballcat-projects/ballcat@2519b52 but did not receive the security patch.
Details:
Affected Function: doFilterInternal() in XssFilter.java
Original Fix: ballcat-projects/ballcat@2519b52
What this PR does:
This PR applies the same security patch that was applied to the original repository to eliminate the potential vulnerability in the cloned code.
References:
ballcat-projects/ballcat@2519b52
https://cwe.mitre.org/data/definitions/352.html
Please review and merge this PR to ensure your repository is protected against this potential vulnerability.