From d9f9b196b17983d902c622593bbf6fb1638cc655 Mon Sep 17 00:00:00 2001
From: Alessandro Russo <alessandro.russo.it@gmail.com>
Date: Mon, 23 Nov 2020 19:23:26 +0100
Subject: [PATCH] Security improvements

* Added OWASP Java Encoder to encode error messages and avoid "ill-formed" url parameters
* Tuning of jetty config to avoid directory listing and contexts listing
---
 pom.xml                                       | 19 ++++++
 .../java/it/essepuntato/lode/GetSource.java   | 22 ++++---
 .../java/it/essepuntato/lode/LodeServlet.java | 44 +++++++------
 src/main/resources/jetty/jetty.xml            | 64 +++++++++++++++++++
 src/main/resources/jetty/override-web.xml     | 10 +++
 5 files changed, 128 insertions(+), 31 deletions(-)
 create mode 100644 src/main/resources/jetty/jetty.xml
 create mode 100644 src/main/resources/jetty/override-web.xml

diff --git a/pom.xml b/pom.xml
index 843d54c..9411f84 100644
--- a/pom.xml
+++ b/pom.xml
@@ -12,6 +12,7 @@
 		<apachecommonsbeanutils.version>1.9.3</apachecommonsbeanutils.version>
 		<log4j.version>1.7.7</log4j.version>
 		<sl4j.version>1.7.7</sl4j.version>
+		<owaspencoder.version>1.2.3</owaspencoder.version>
 	</properties>
 
 	<dependencies>
@@ -83,11 +84,27 @@
 			<version>${sl4j.version}</version>
 		</dependency>
 
+		<!-- OWASP Java Encoder -->
+		<dependency>
+			<groupId>org.owasp.encoder</groupId>
+			<artifactId>encoder</artifactId>
+			<version>${owaspencoder.version}</version>
+		</dependency>
+
 	</dependencies>
 
 
 	<build>
 
+		<resources>
+			<resource>
+				<directory>src/main/resources</directory>
+				<excludes>
+					<exclude>jetty/*.*</exclude>
+				</excludes>
+			</resource>
+		</resources>
+
 		<plugins>
 
 			<plugin>
@@ -103,11 +120,13 @@
 				<groupId>org.mortbay.jetty</groupId>
 				<artifactId>jetty-maven-plugin</artifactId>
 				<configuration>
+					<jettyXml>src/main/resources/jetty/jetty.xml</jettyXml>
 					<stopPort>9966</stopPort>
 					<stopKey>foo</stopKey>
 					<scanIntervalSeconds>10</scanIntervalSeconds>
 					<webApp>
 						<contextPath>/lode</contextPath>
+						<overrideDescriptor>src/main/resources/jetty/override-web.xml</overrideDescriptor>
 					</webApp>
 					<connectors>
 						<connector
diff --git a/src/main/java/it/essepuntato/lode/GetSource.java b/src/main/java/it/essepuntato/lode/GetSource.java
index ca1ccff..0f23b87 100644
--- a/src/main/java/it/essepuntato/lode/GetSource.java
+++ b/src/main/java/it/essepuntato/lode/GetSource.java
@@ -1,10 +1,10 @@
-/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *      
+/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
  * Copyright (c) 2010-2013, Silvio Peroni <essepuntato@gmail.com>
- * 
+ *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
- * 
+ *
  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
@@ -24,12 +24,14 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.owasp.encoder.Encode;
+
 /**
  * Servlet implementation class GetSource
  */
 public class GetSource extends HttpServlet {
 	private static final long serialVersionUID = 1L;
-       
+
     /**
      * @see HttpServlet#HttpServlet()
      */
@@ -42,18 +44,18 @@ public GetSource() {
 	 * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
 	 */
 	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-		
+
 		SourceExtractor extractor = new SourceExtractor();
 		extractor.addMimeTypes(MimeType.mimeTypes);
 		response.setCharacterEncoding("UTF-8");
-		
+
 		try {
 			String stringURL = request.getParameter("url");
 			String content = "";
-			
+
 			URL ontologyURL = new URL(stringURL);
 			content = extractor.exec(ontologyURL);
-			
+
 			response.setContentType("text/plain");
 			PrintWriter out = response.getWriter();
 			out.println(content);
@@ -65,7 +67,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t
 	}
 
 	private String getErrorPage(Exception e) {
-		return 
+		return
 			"<html>" +
 				"<head><title>LODE error</title></head>" +
 				"<body>" +
@@ -73,7 +75,7 @@ private String getErrorPage(Exception e) {
 					"LODE: get source error" +
 					"</h2>" +
 					"<p><strong>Reason: </strong>" +
-					e.getMessage() +
+					Encode.forHtml(e.getMessage()) +
 					"</p>" +
 				"</body>" +
 			"</html>";
diff --git a/src/main/java/it/essepuntato/lode/LodeServlet.java b/src/main/java/it/essepuntato/lode/LodeServlet.java
index 93127c8..99459c8 100644
--- a/src/main/java/it/essepuntato/lode/LodeServlet.java
+++ b/src/main/java/it/essepuntato/lode/LodeServlet.java
@@ -1,10 +1,10 @@
-/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *      
+/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
  * Copyright (c) 2010-2013, Silvio Peroni <essepuntato@gmail.com>
- * 
+ *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
- * 
+ *
  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
@@ -86,6 +86,8 @@
 import com.clarkparsia.pellet.owlapiv3.PelletReasoner;
 import com.clarkparsia.pellet.owlapiv3.PelletReasonerFactory;
 
+import org.owasp.encoder.Encode;
+
 /**
  * Servlet implementation class LodeServlet
  */
@@ -191,19 +193,19 @@ private void resolvePaths(HttpServletRequest request) {
 	 * considerImportedOntologies, boolean considerImportedClosure, boolean
 	 * useReasoner) throws OWLOntologyCreationException,
 	 * OWLOntologyStorageException, URISyntaxException { String result = content;
-	 * 
+	 *
 	 * if (useOWLAPI) {
-	 * 
+	 *
 	 * List<String> removed = new ArrayList<String>(); if (!considerImportedClosure
 	 * && !considerImportedOntologies) { result = removeImportedAxioms(result,
 	 * removed); }
-	 * 
-	 * 
+	 *
+	 *
 	 * OWLOntologyManager manager = OWLManager.createOWLOntologyManager();
-	 * 
+	 *
 	 * OWLOntology ontology = manager.loadOntologyFromOntologyDocument( new
 	 * StringDocumentSource(result));
-	 * 
+	 *
 	 * if (considerImportedClosure || considerImportedOntologies) { Set<OWLOntology>
 	 * setOfImportedOntologies = new HashSet<OWLOntology>(); if
 	 * (considerImportedOntologies) {
@@ -211,18 +213,18 @@ private void resolvePaths(HttpServletRequest request) {
 	 * setOfImportedOntologies.addAll(ontology.getImportsClosure()); } for
 	 * (OWLOntology importedOntology : setOfImportedOntologies) {
 	 * manager.addAxioms(ontology, importedOntology.getAxioms()); } }
-	 * 
+	 *
 	 * if (useReasoner) { ontology = parseWithReasoner(manager, ontology); }
-	 * 
+	 *
 	 * StringDocumentTarget parsedOntology = new StringDocumentTarget();
-	 * 
+	 *
 	 * manager.saveOntology(ontology, new RDFXMLOntologyFormat(), parsedOntology);
 	 * result = parsedOntology.toString();
-	 * 
+	 *
 	 * if (!removed.isEmpty() && !considerImportedClosure &&
 	 * !considerImportedOntologies) { result = addImportedAxioms(result, removed); }
 	 * }
-	 * 
+	 *
 	 * return result; }
 	 */
 
@@ -311,29 +313,29 @@ private String addImportedAxioms(String result, List<String> removed) {
 	 * DocumentBuilderFactory.newInstance(); factory.setNamespaceAware(true); try {
 	 * DocumentBuilder builder = factory.newDocumentBuilder(); Document document =
 	 * builder.parse(new ByteArrayInputStream(result.getBytes()));
-	 * 
+	 *
 	 * NodeList ontologies =
 	 * document.getElementsByTagNameNS("http://www.w3.org/2002/07/owl#",
 	 * "Ontology"); for (int i = 0; i < ontologies.getLength() ; i++) { Element
 	 * ontology = (Element) ontologies.item(i);
-	 * 
+	 *
 	 * NodeList children = ontology.getChildNodes(); List<Element> removed = new
 	 * ArrayList<Element>(); for (int j = 0; j < children.getLength(); j++) { Node
 	 * child = children.item(j);
-	 * 
+	 *
 	 * if ( child.getNodeType() == Node.ELEMENT_NODE &&
 	 * child.getNamespaceURI().equals("http://www.w3.org/2002/07/owl#") &&
 	 * child.getLocalName().equals("imports")) { removed.add((Element) child); } }
-	 * 
+	 *
 	 * for (Element toBeRemoved : removed) {
 	 * removedImport.add(toBeRemoved.getAttributeNS(
 	 * "http://www.w3.org/1999/02/22-rdf-syntax-ns#", "resource"));
 	 * ontology.removeChild(toBeRemoved); } }
-	 * 
+	 *
 	 * Transformer transformer = TransformerFactory.newInstance().newTransformer();
 	 * StreamResult output = new StreamResult(new StringWriter()); DOMSource source
 	 * = new DOMSource(document); transformer.transform(source, output);
-	 * 
+	 *
 	 * return output.getWriter().toString(); } catch (ParserConfigurationException
 	 * e) { return result; } catch (SAXException e) { return result; } catch
 	 * (IOException e) { return result; } catch (TransformerConfigurationException
@@ -445,7 +447,7 @@ private void applyAnnotations(OWLEntity aEntity,
 
 	private String getErrorPage(Exception e) {
 		return "<html>" + "<head><title>LODE error</title></head>" + "<body>" + "<h2>" + "LODE error" + "</h2>"
-				+ "<p><strong>Reason: </strong>" + e.getMessage() + "</p>" + "</body>" + "</html>";
+				+ "<p><strong>Reason: </strong>" + Encode.forHtml(e.getMessage()) + "</p>" + "</body>" + "</html>";
 	}
 
 	private String applyXSLTTransformation(String source, String ontologyUrl, String lang) throws TransformerException {
diff --git a/src/main/resources/jetty/jetty.xml b/src/main/resources/jetty/jetty.xml
new file mode 100644
index 0000000..bdcddae
--- /dev/null
+++ b/src/main/resources/jetty/jetty.xml
@@ -0,0 +1,64 @@
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
+
+<!-- =============================================================== -->
+<!-- Configure the Jetty Server                                      -->
+<!--                                                                 -->
+<!-- Documentation of this file format can be found at:              -->
+<!-- http://wiki.eclipse.org/Jetty/Reference/jetty.xml_syntax        -->
+<!--                                                                 -->
+<!-- Additional configuration files are available in $JETTY_HOME/etc -->
+<!-- and can be mixed in.  For example:                              -->
+<!--   java -jar start.jar etc/jetty-ssl.xml                         -->
+<!--                                                                 -->
+<!-- See start.ini file for the default configuraton files           -->
+<!-- =============================================================== -->
+
+
+<Configure id="Server" class="org.eclipse.jetty.server.Server">
+
+    <!-- =========================================================== -->
+    <!-- Server Thread Pool                                          -->
+    <!-- =========================================================== -->
+    <Set name="ThreadPool">
+      <!-- Default queued blocking threadpool -->
+      <New class="org.eclipse.jetty.util.thread.QueuedThreadPool">
+        <Set name="minThreads">10</Set>
+        <Set name="maxThreads">200</Set>
+        <Set name="detailedDump">false</Set>
+      </New>
+    </Set>
+
+    <!-- =========================================================== -->
+    <!-- Set handler Collection Structure                            -->
+    <!-- =========================================================== -->
+    <Set name="handler">
+      <New id="Handlers" class="org.eclipse.jetty.server.handler.HandlerCollection">
+        <Set name="handlers">
+         <Array type="org.eclipse.jetty.server.Handler">
+           <Item>
+             <New id="Contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection"/>
+           </Item>
+           <Item>
+             <New id="DefaultHandler" class="org.eclipse.jetty.server.handler.DefaultHandler"/>
+           </Item>
+         </Array>
+        </Set>
+      </New>
+    </Set>
+
+    <Ref id="DefaultHandler">
+      <Set name="showContexts">false</Set>
+    </Ref>
+
+    <!-- =========================================================== -->
+    <!-- extra options                                               -->
+    <!-- =========================================================== -->
+    <Set name="stopAtShutdown">true</Set>
+    <Set name="sendServerVersion">false</Set>
+    <Set name="sendDateHeader">true</Set>
+    <Set name="gracefulShutdown">1000</Set>
+    <Set name="dumpAfterStart">false</Set>
+    <Set name="dumpBeforeStop">false</Set>
+
+</Configure>
diff --git a/src/main/resources/jetty/override-web.xml b/src/main/resources/jetty/override-web.xml
new file mode 100644
index 0000000..180fc17
--- /dev/null
+++ b/src/main/resources/jetty/override-web.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
+	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
+	id="WebApp_ID" version="2.5">
+	<context-param>
+		<param-name>org.eclipse.jetty.servlet.Default.dirAllowed</param-name>
+		<param-value>false</param-value>
+	</context-param>
+</web-app>