This is more severe for password fields, as passwords can contain '&' which is going to fail the XML parsing.

Original comment by rakeshs101981@gmail.com on 5 Oct 2009 at 5:44
I don't understand the note about checking InstanceMap.resetConfig().
In the ConnectorManager source code, resetConfig is present in one file:

$ find .|grep java$|xargs grep -l resetConfig
./projects/connector-manager/source/java/com/google/enterprise/connector/instantiator/ConnectorCoordinatorImpl.java

Can you be more precise about what you suggest checking, please.
Can you point to where the XHTML check is being made? I want to see what happens when this check is removed.

Original comment by p...@google.com on 5 Oct 2009 at 8:59
InstanceMap is on the 2.0.0 branch; ConnectorCoordinatorImpl is on /trunk.

Basically, ServletUtil.filterSensitiveData is called for XML parsing and obfuscation. This method needs to wrap the values of all HTML textbox and textarea fields in CDATA before parsing them to a DOM tree, and then remove the CDATA declarations added to the values of the HTML textbox and textarea fields in the resulting DOM tree before any obfuscation is done.

This is where the config form throws XML parsing exceptions when the CM fetches the populated config form from a connector whose password field value has '&' and is not obfuscated.

Original comment by rakeshs101981@gmail.com on 6 Oct 2009 at 12:22
The right solution is actually to XML-escape the form property values before they are inserted into the created form. I don't know how the SharePoint Connector is extracting the configured properties, but I'll look into adding a utility that can help with this. I'll certainly be able to add something to the password property processing, since it's probably using the EncryptedPropertiesPlaceholderConfigurer.

Original comment by mar...@google.com on 29 Oct 2009 at 8:49
Original comment by mar...@google.com on 29 Oct 2009 at 8:50
Description:
-----------
Add a test related to Issue 186 and update the JavaDoc for ConnectorType.getPopulatedConfigForm(). Although not previously documented, the formSnippet inserted in the ConfigureResponse has to be valid XHTML. Since the ConnectorType implementation is putting together the actual formSnippet, it needs to ensure the content going into the form elements is properly escaped.

Flow of control using the value ">bob>&<alice;'

1) SetConnectorConfig is called to send in evil values containing XML characters. All XML characters are escaped with predefined entities:
<ConnectorConfig>
  <ConnectorName>ex-tca-03</ConnectorName>
  <ConnectorType>TestConnectorA</ConnectorType>
  <Lang>en</Lang>
  <Update>false</Update>
  <Param name="Color" value="&quot;&gt;bob&gt;&amp;&lt;alice;'"/>
  <Param name="Password" value="&quot;&gt;bob&gt;&amp;&lt;alice;'"/>
  <Param name="RepositoryFile" value="MockRepositoryEventLog1.txt"/>
  <Param name="Username" value="&quot;&gt;bob&gt;&amp;&lt;alice;'"/>
</ConnectorConfig>
2) The Connector Manager extracts the parameters from the request, converts them back to their original form and keeps them in that form:
configMap:
---------
{
Password=">bob>&<alice;',
Color=">bob>&<alice;',
RepositoryFile=MockRepositoryEventLog1.txt,
googleConnectorName=xml-con-01,
Username=">bob>&<alice;',
[...]
}
3) Property values are stored in the raw form (the password is encrypted):
xml-con-01.properties:
---------------------
#Configuration for Connector xml-con-01
#Fri Oct 30 14:14:23 PST 2009
googlePropertiesVersion=2
googleConnectorName=xml-con-01
Username=">bob>&<alice;'
Password=iXEM8Hue0MbrNBG11CkiAw\=\=
Color=">bob>&<alice;'
RepositoryFile=MockRepositoryEventLog1.txt
[...]
4) GetConnectorConfigToEdit is called to get the ConfigureResponse. The ConnectorType will be given the configMap with raw values. Any special XML characters in the values must be replaced with predefined entities before inserting them into the form snippet. After parsing and obfuscating the form snippet, the Connector Manager will escape any of the original characters needed to properly display them on the Admin Console.
<CmResponse>
  <StatusId>0</StatusId>
  <ConfigureResponse>
    <FormSnippet><![CDATA[<tr>
<td colspan="1" rowspan="1">Username</td>
<td colspan="1" rowspan="1"><input name="Username" type="text" value="&quot;&gt;bob&gt;&amp;&lt;alice;'"></td>
</tr>
<tr>
<td colspan="1" rowspan="1">Password</td>
<td colspan="1" rowspan="1"><input name="Password" type="password" value="***************"></td>
</tr>
<tr>
<td colspan="1" rowspan="1">Color</td>
<td colspan="1" rowspan="1"><input name="Color" type="text" value="&quot;&gt;bob&gt;&amp;&lt;alice;'"></td>
</tr>
<tr>
<td colspan="1" rowspan="1">RepositoryFile</td>
<td colspan="1" rowspan="1"><input name="RepositoryFile" type="text" value="MockRepositoryEventLog1.txt"></td>
</tr>
]]></FormSnippet>
  </ConfigureResponse>
</CmResponse>
Attached file shows files in GSA Admin when Connector is selected for 'Edit'.
Change Log:
----------
M source/java/com/google/enterprise/connector/spi/XmlUtils.java:
- Just a formatting change left over from previous work.
M source/java/com/google/enterprise/connector/spi/ConnectorType.java:
- Updated JavaDoc.
M source/javatests/com/google/enterprise/connector/servlet/GetConnectorConfigToEditTest.java:
- Added test for evil configData values with XML characters.
A source/javatests/com/google/enterprise/connector/spi/XmlUtilsTest.java:
- Added test for xmlAppendAttrValue.

Original comment by mar...@google.com on 3 Nov 2009 at 12:42
Original comment by mar...@google.com on 3 Nov 2009 at 12:44
JavaDoc change made at r2318.

Original comment by mar...@google.com on 3 Nov 2009 at 1:33
For Connector developers: note that the XmlUtils class, which is part of the SPI, contains:

XmlUtils.xmlAppendAttr(String, String, Appendable)

This method can be used to properly escape 'value' attributes being added to the formSnippet.

Original comment by mar...@google.com on 18 Dec 2009 at 2:26
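An added worked example of the flow in the change description above and of the escaping the XmlUtils note recommends. It is written in Python rather than the project's Java and is not Connector Manager code: the same evil value is placed into a form snippet raw (the bug) and escaped (the fix), and each snippet is then parsed as XML the way the Connector Manager does before obfuscation. xml_attr_escape is a hypothetical stand-in for XmlUtils.xmlAppendAttr, and the inputs are self-closed so that the snippet is well-formed XHTML.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the "evil" value the issue walks through.
EVIL_VALUE = "\">bob>&<alice;'"


def xml_attr_escape(value: str) -> str:
    """Escape text for a double-quoted XML attribute value. Hypothetical
    stand-in for XmlUtils.xmlAppendAttr, not the SPI's own code."""
    return (value.replace("&", "&amp;")   # must be first, or it re-escapes
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


def build_form_snippet(config: dict, escape: bool) -> str:
    """Render the rows a ConnectorType returns as its formSnippet.
    escape=False reproduces the bug: raw config values land in value="...".
    Inputs are self-closed so the snippet is well-formed XHTML."""
    rows = []
    for name, value in config.items():
        attr = xml_attr_escape(value) if escape else value
        rows.append('<tr><td>%s</td><td><input name="%s" type="text" '
                    'value="%s"/></td></tr>' % (name, name, attr))
    return "\n".join(rows)


def parse_snippet_values(snippet: str) -> dict:
    """What the Connector Manager does before obfuscating the form: parse the
    snippet into a DOM and read the input values back. Raises ET.ParseError
    on a snippet built from unescaped values (the '&' and '<' in the value)."""
    root = ET.fromstring("<table>%s</table>" % snippet)
    return {inp.get("name"): inp.get("value") for inp in root.iter("input")}


def snippet_parses(config: dict, escape: bool) -> bool:
    """True if the snippet built from config survives the DOM parse."""
    try:
        parse_snippet_values(build_form_snippet(config, escape))
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    cfg = {"Username": EVIL_VALUE, "Color": EVIL_VALUE}
    print("unescaped snippet parses:", snippet_parses(cfg, escape=False))  # False
    print("escaped snippet parses:  ", snippet_parses(cfg, escape=True))   # True
    print(parse_snippet_values(build_form_snippet(cfg, escape=True)))
```

The parse of the escaped snippet hands back the original raw value, which is exactly what the obfuscation step and the later Admin Console escaping need to receive.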
Original issue reported on code.google.com by rakeshs101981@gmail.com on 5 Oct 2009 at 5:40