Fix #35524: fix XSS from config file

Author: LEDfan

pom.xml

@@ -40,6 +40,7 @@
         <jakarta-json-api.version>2.1.3</jakarta-json-api.version>
         <glassfish-jakarta-json.version>2.0.1</glassfish-jakarta-json.version>
         <guava-version>33.4.8-jre</guava-version>
+        <jsoup.version>1.21.2</jsoup.version>
         <!-- Plugin versions -->
         <maven.license-plugin.version>4.6</maven.license-plugin.version>
         <maven.build-helper-maven.plugin.version>3.6.0</maven.build-helper-maven.plugin.version>
@@ -360,6 +361,11 @@
             <artifactId>fontawesome</artifactId>
             <version>${fontawesome.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.jsoup</groupId>
+            <artifactId>jsoup</artifactId>
+            <version>${jsoup.version}</version>
+        </dependency>
 
         <!-- Amazon Base libraries-->
         <dependency>

src/main/java/eu/openanalytics/containerproxy/model/spec/ParameterDefinition.java

@@ -20,6 +20,7 @@
  */
 package eu.openanalytics.containerproxy.model.spec;
 
+import eu.openanalytics.containerproxy.util.CleanHtml;
 import org.apache.commons.collections4.BidiMap;
 import org.apache.commons.collections4.bidimap.DualHashBidiMap;
 
@@ -39,7 +40,7 @@ public class ParameterDefinition {
     public ParameterDefinition(String id, String displayName, String description, List<ValueName> valueNames, String defaultValue) {
         this.id = id;
         this.displayName = displayName;
-        this.description = description;
+        this.description = CleanHtml.clean(description);
         this.defaultValue = defaultValue;
         this.valueNames = new DualHashBidiMap<>();
         if (valueNames != null) {

src/main/java/eu/openanalytics/containerproxy/model/spec/ProxySpec.java

@@ -26,6 +26,7 @@
 import eu.openanalytics.containerproxy.spec.expression.SpecExpressionContext;
 import eu.openanalytics.containerproxy.spec.expression.SpecExpressionResolver;
 import eu.openanalytics.containerproxy.spec.expression.SpelField;
+import eu.openanalytics.containerproxy.util.CleanHtml;
 import lombok.AccessLevel;
 import lombok.AllArgsConstructor;
 import lombok.Builder;
@@ -159,4 +160,18 @@ public ProxySpec finalResolve(SpecExpressionResolver resolver, SpecExpressionCon
             )
             .build();
     }
+
+    public void setDescription(String description) {
+        this.description = CleanHtml.clean(description);
+    }
+
+    public static class ProxySpecBuilder {
+
+        public ProxySpecBuilder description(String description) {
+            this.description = CleanHtml.clean(description);
+            return this;
+        }
+
+    }
+
 }

src/main/java/eu/openanalytics/containerproxy/util/CleanHtml.java

@@ -0,0 +1,35 @@
+/*
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2025 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.util;
+
+import org.jsoup.Jsoup;
+import org.jsoup.safety.Safelist;
+
+public class CleanHtml {
+
+    public static String clean(String html) {
+        if (html == null) {
+            return null;
+        }
+        return Jsoup.clean(html, Safelist.basic());
+    }
+
+}

src/test/java/eu/openanalytics/containerproxy/test/proxy/TestIntegrationProxySharing.java

@@ -302,16 +302,16 @@ public void testConfigChange(String backend, Map<String, String> properties) {
                     waitUntilDelegateProxyIsToRemove(proxySharingScaler, proxy.getTargetId());
                     DelegateProxy delegateProxy = delegateProxyStore.getDelegateProxy(proxy.getTargetId());
                     Assertions.assertEquals(DelegateProxyStatus.ToRemove, delegateProxy.getDelegateProxyStatus());
-                    Assertions.assertEquals("ad6af20f8aedf92add768e80144f6d9a5b8d8f6c", delegateProxy.getProxySpecHash());
+                    Assertions.assertEquals("347774a74415bed95752b7cd35d5c18f31094874", delegateProxy.getProxySpecHash());
 
                     // a DelegateProxy with new config should exist in DelegateProxyStore
                     waitUntilNumberOfDelegateProxies(inst, 3, 1, 0, 2);
                     Optional<DelegateProxy> newDelegateProxy = delegateProxyStore.getAllDelegateProxies().stream()
-                        .filter(it -> !it.getProxySpecHash().equals("ad6af20f8aedf92add768e80144f6d9a5b8d8f6c"))
+                        .filter(it -> !it.getProxySpecHash().equals("347774a74415bed95752b7cd35d5c18f31094874"))
                         .findFirst();
                     Assertions.assertTrue(newDelegateProxy.isPresent());
                     Assertions.assertEquals(DelegateProxyStatus.Available, newDelegateProxy.get().getDelegateProxyStatus());
-                    Assertions.assertEquals("07a0e545cb66bb58afabe9e57d501fdffc81a5fb", newDelegateProxy.get().getProxySpecHash());
+                    Assertions.assertEquals("9662ccd14ac5bbbdacf0283d3de0370f50131498", newDelegateProxy.get().getProxySpecHash());
 
                     // stop running app
                     inst.client.stopProxy(oldAppId);
@@ -322,7 +322,7 @@ public void testConfigChange(String backend, Map<String, String> properties) {
                     waitUntilNumberOfDelegateProxies(inst, 1, 1);
                     DelegateProxy newDelegateProxy3 = delegateProxyStore.getAllDelegateProxies().stream().findFirst().get();
                     Assertions.assertEquals(newDelegateProxy.get().getProxy().getId(), newDelegateProxy3.getProxy().getId());
-                    Assertions.assertEquals("07a0e545cb66bb58afabe9e57d501fdffc81a5fb", newDelegateProxy3.getProxySpecHash());
+                    Assertions.assertEquals("9662ccd14ac5bbbdacf0283d3de0370f50131498", newDelegateProxy3.getProxySpecHash());
                 }
             }
         }