From a9291b4e4badc779d9f55badc776765e9669c15c Mon Sep 17 00:00:00 2001
From: jamesagnew
Date: Thu, 19 Jul 2018 08:09:07 -0400
Subject: [PATCH] Add security test
---
 ...eHighlightingInterceptorExceptionTest.java | 82 +++++++++++++------
 1 file changed, 59 insertions(+), 23 deletions(-)
 rename {hapi-fhir-structures-dstu2/src/test/java/ca/uhn/fhir/rest/server => hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor}/ServerWithResponseHighlightingInterceptorExceptionTest.java (67%)
diff --git a/hapi-fhir-structures-dstu2/src/test/java/ca/uhn/fhir/rest/server/ServerWithResponseHighlightingInterceptorExceptionTest.java b/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor/ServerWithResponseHighlightingInterceptorExceptionTest.java
similarity index 67%
rename from hapi-fhir-structures-dstu2/src/test/java/ca/uhn/fhir/rest/server/ServerWithResponseHighlightingInterceptorExceptionTest.java
rename to hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor/ServerWithResponseHighlightingInterceptorExceptionTest.java
index 72fb556250d..7f1408247d3 100644
--- a/hapi-fhir-structures-dstu2/src/test/java/ca/uhn/fhir/rest/server/ServerWithResponseHighlightingInterceptorExceptionTest.java
+++ b/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/interceptor/ServerWithResponseHighlightingInterceptorExceptionTest.java
@@ -1,13 +1,22 @@
-package ca.uhn.fhir.rest.server;
-
-import static org.hamcrest.Matchers.containsString;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertThat;
-
-import java.util.concurrent.TimeUnit;
+package ca.uhn.fhir.rest.server.interceptor;
 
+import ca.uhn.fhir.context.FhirContext;
+import ca.uhn.fhir.rest.annotation.IdParam;
+import ca.uhn.fhir.rest.annotation.Read;
+import ca.uhn.fhir.rest.annotation.RequiredParam;
+import ca.uhn.fhir.rest.annotation.Search;
+import ca.uhn.fhir.rest.api.Constants;
+import ca.uhn.fhir.rest.param.TokenParam;
+import ca.uhn.fhir.rest.server.IResourceProvider;
+import ca.uhn.fhir.rest.server.RestfulServer;
+import ca.uhn.fhir.rest.server.exceptions.InvalidRequestException;
+import ca.uhn.fhir.util.PortUtil;
+import ca.uhn.fhir.util.TestUtil;
+import ca.uhn.fhir.util.UrlUtil;
+import com.google.common.base.Charsets;
 import org.apache.commons.io.IOUtils;
 import org.apache.http.HttpResponse;
+import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClientBuilder;
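Review bot: The new import `import com.google.common.base.Charsets;` brings in a Guava class for what is presumably a charset constant; Guava's own documentation describes that class as superseded on Java 7+ by the JDK's `java.nio.charset.StandardCharsets`, which carries the same constants without the third-party dependency. Prefer `import java.nio.charset.StandardCharsets;` here and `StandardCharsets.UTF_8` at the use site. The use site is outside this hunk, so the exact constant in play is inferred.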
@@ -15,28 +24,22 @@
 import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.servlet.ServletHandler;
 import org.eclipse.jetty.servlet.ServletHolder;
+import org.hl7.fhir.r4.model.IdType;
+import org.hl7.fhir.r4.model.Patient;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
-import ca.uhn.fhir.context.FhirContext;
-import ca.uhn.fhir.model.api.IResource;
-import ca.uhn.fhir.model.dstu2.resource.Patient;
-import ca.uhn.fhir.model.primitive.IdDt;
-import ca.uhn.fhir.rest.annotation.IdParam;
-import ca.uhn.fhir.rest.annotation.Read;
-import ca.uhn.fhir.rest.annotation.RequiredParam;
-import ca.uhn.fhir.rest.annotation.Search;
-import ca.uhn.fhir.rest.param.TokenParam;
-import ca.uhn.fhir.rest.server.exceptions.InvalidRequestException;
-import ca.uhn.fhir.rest.server.interceptor.ResponseHighlighterInterceptor;
-import ca.uhn.fhir.util.PortUtil;
-import ca.uhn.fhir.util.TestUtil;
+import java.util.concurrent.TimeUnit;
+
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.not;
+import static org.junit.Assert.*;
 
 public class ServerWithResponseHighlightingInterceptorExceptionTest {
 
 private static CloseableHttpClient ourClient;
- private static FhirContext ourCtx = FhirContext.forDstu2();
+ private static FhirContext ourCtx = FhirContext.forR4();
 private static final org.slf4j.Logger ourLog = org.slf4j.LoggerFactory.getLogger(ServerWithResponseHighlightingInterceptorExceptionTest.class);
 private static int ourPort;
 private static Server ourServer;
@@ -67,6 +70,38 @@ public class ServerWithResponseHighlightingInterceptorExceptionTest {
 assertThat(responseContent, containsString(""));
 }
+ @Test
+ public void testPreventHtmlInjectionViaInvalidResourceType() throws Exception {
+ // XML
+ HttpGet httpGet = new HttpGet(
+ "http://localhost:" +
+ ourPort +
+ "/AA" +
+ UrlUtil.escapeUrlParam("
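Review bot: `import static org.junit.Assert.*;` replaces the explicit `assertEquals`/`assertThat` static imports the old file had, and a wildcard static import hides which assertions the test relies on; with Hamcrest's `containsString` and `not` also statically imported, an explicit list keeps it unambiguous which `assertThat` overload is resolved if more static imports are added later. Prefer listing them, e.g. `import static org.junit.Assert.assertEquals;` and `import static org.junit.Assert.assertThat;`, plus whichever others the new test body below this hunk needs. The following hunk, which adds the new test method, runs past the end of this page, so its body is not reviewed here.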