From a9291b4e4badc779d9f55badc776765e9669c15c Mon Sep 17 00:00:00 2001
From: jamesagnew <jamesagnew@gmail.com>
Date: Thu, 19 Jul 2018 08:09:07 -0400
Subject: [PATCH] Add security test

---
 ...eHighlightingInterceptorExceptionTest.java | 82 +++++++++++++------
 1 file changed, 59 insertions(+), 23 deletions(-)
 rename {hapi-fhir-structures-dstu2/src/test/java/ca/uhn/fhir/rest/server => hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor}/ServerWithResponseHighlightingInterceptorExceptionTest.java (67%)

diff --git a/hapi-fhir-structures-dstu2/src/test/java/ca/uhn/fhir/rest/server/ServerWithResponseHighlightingInterceptorExceptionTest.java b/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor/ServerWithResponseHighlightingInterceptorExceptionTest.java
similarity index 67%
rename from hapi-fhir-structures-dstu2/src/test/java/ca/uhn/fhir/rest/server/ServerWithResponseHighlightingInterceptorExceptionTest.java
rename to hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor/ServerWithResponseHighlightingInterceptorExceptionTest.java
index 72fb556250d..7f1408247d3 100644
--- a/hapi-fhir-structures-dstu2/src/test/java/ca/uhn/fhir/rest/server/ServerWithResponseHighlightingInterceptorExceptionTest.java
+++ b/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor/ServerWithResponseHighlightingInterceptorExceptionTest.java
@@ -1,13 +1,22 @@
-package ca.uhn.fhir.rest.server;
-
-import static org.hamcrest.Matchers.containsString;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertThat;
-
-import java.util.concurrent.TimeUnit;
+package ca.uhn.fhir.rest.server.interceptor;
 
+import ca.uhn.fhir.context.FhirContext;
+import ca.uhn.fhir.rest.annotation.IdParam;
+import ca.uhn.fhir.rest.annotation.Read;
+import ca.uhn.fhir.rest.annotation.RequiredParam;
+import ca.uhn.fhir.rest.annotation.Search;
+import ca.uhn.fhir.rest.api.Constants;
+import ca.uhn.fhir.rest.param.TokenParam;
+import ca.uhn.fhir.rest.server.IResourceProvider;
+import ca.uhn.fhir.rest.server.RestfulServer;
+import ca.uhn.fhir.rest.server.exceptions.InvalidRequestException;
+import ca.uhn.fhir.util.PortUtil;
+import ca.uhn.fhir.util.TestUtil;
+import ca.uhn.fhir.util.UrlUtil;
+import com.google.common.base.Charsets;
 import org.apache.commons.io.IOUtils;
 import org.apache.http.HttpResponse;
+import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClientBuilder;
@@ -15,28 +24,22 @@ import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.servlet.ServletHandler;
 import org.eclipse.jetty.servlet.ServletHolder;
+import org.hl7.fhir.r4.model.IdType;
+import org.hl7.fhir.r4.model.Patient;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
 
-import ca.uhn.fhir.context.FhirContext;
-import ca.uhn.fhir.model.api.IResource;
-import ca.uhn.fhir.model.dstu2.resource.Patient;
-import ca.uhn.fhir.model.primitive.IdDt;
-import ca.uhn.fhir.rest.annotation.IdParam;
-import ca.uhn.fhir.rest.annotation.Read;
-import ca.uhn.fhir.rest.annotation.RequiredParam;
-import ca.uhn.fhir.rest.annotation.Search;
-import ca.uhn.fhir.rest.param.TokenParam;
-import ca.uhn.fhir.rest.server.exceptions.InvalidRequestException;
-import ca.uhn.fhir.rest.server.interceptor.ResponseHighlighterInterceptor;
-import ca.uhn.fhir.util.PortUtil;
-import ca.uhn.fhir.util.TestUtil;
+import java.util.concurrent.TimeUnit;
+
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.not;
+import static org.junit.Assert.*;
 
 public class ServerWithResponseHighlightingInterceptorExceptionTest {
 	private static CloseableHttpClient ourClient;
 
-	private static FhirContext ourCtx = FhirContext.forDstu2();
+	private static FhirContext ourCtx = FhirContext.forR4();
 	private static final org.slf4j.Logger ourLog = org.slf4j.LoggerFactory.getLogger(ServerWithResponseHighlightingInterceptorExceptionTest.class);
 	private static int ourPort;
 	private static Server ourServer;
@@ -67,6 +70,38 @@ public class ServerWithResponseHighlightingInterceptorExceptionTest {
 		assertThat(responseContent, containsString("<diagnostics value=\"Failed to call access method: java.lang.Error: AAABBB\"/>"));
 	}
 
+	@Test
+	public void testPreventHtmlInjectionViaInvalidResourceType() throws Exception {
+	// XML
+		HttpGet httpGet = new HttpGet(
+			"http://localhost:" +
+				ourPort +
+				"/AA" +
+				UrlUtil.escapeUrlParam("<script>"));
+		httpGet.addHeader(Constants.HEADER_ACCEPT, Constants.CT_HTML+", " +Constants.CT_FHIR_XML_NEW);
+		try (CloseableHttpResponse status = ourClient.execute(httpGet)) {
+			String responseContent = IOUtils.toString(status.getEntity().getContent(), Charsets.UTF_8);
+			ourLog.info(responseContent);
+
+			assertEquals(404, status.getStatusLine().getStatusCode());
+			assertThat(responseContent, not(containsString("<script>>")));
+		}
+
+		// JSON
+		httpGet = new HttpGet(
+			"http://localhost:" +
+				ourPort +
+				"/AA" +
+				UrlUtil.escapeUrlParam("<script>"));
+		httpGet.addHeader(Constants.HEADER_ACCEPT, Constants.CT_HTML+", " +Constants.CT_FHIR_JSON_NEW);
+		try (CloseableHttpResponse status = ourClient.execute(httpGet)) {
+			String responseContent = IOUtils.toString(status.getEntity().getContent(), Charsets.UTF_8);
+			ourLog.info(responseContent);
+
+			assertEquals(404, status.getStatusLine().getStatusCode());
+			assertThat(responseContent, not(containsString("<script>>")));
+		}
+	}
 
 	@AfterClass
 	public static void afterClassClearContext() throws Exception {
@@ -102,12 +137,12 @@ public class ServerWithResponseHighlightingInterceptorExceptionTest {
 	public static class DummyPatientResourceProvider implements IResourceProvider {
 
 		@Override
-		public Class<? extends IResource> getResourceType() {
+		public Class<? extends Patient> getResourceType() {
 			return Patient.class;
 		}
 
 		@Read
-		public Patient read(@IdParam IdDt theId) {
+		public Patient read(@IdParam IdType theId) {
 			throw new InvalidRequestException("AAABBB");
 		}
 
@@ -116,6 +151,7 @@ public class ServerWithResponseHighlightingInterceptorExceptionTest {
 			throw new Error("AAABBB");
 		}
 
+
 	}
 
 }