fix: sanitize error message, escape characters, add nonce, render as innerText [IDE-967] (#273)

DariusZdroba · bastiandoetsch · web-flow · commit f214503c52a5 · 2025-03-25T09:05:50.000+01:00
* fix: sanitize error message, escape characters, add nonce, render errors as innerText

* chore: fix PMD

* fix: use custom escapeHTML function

* fix: PMD

---------

Co-authored-by: Bastian Doetsch &lt;bastian.doetsch@snyk.io&gt;
diff --git a/plugin/META-INF/MANIFEST.MF b/plugin/META-INF/MANIFEST.MF
@@ -31,6 +31,7 @@ Bundle-ActivationPolicy: lazy
 Bundle-ClassPath: .,
  target/dependency/commons-codec-1.17.0.jar,
  target/dependency/commons-lang3-3.12.0.jar,
+ target/dependency/commons-text-1.10.0.jar,
  target/dependency/commons-logging-1.3.4.jar,
  target/dependency/httpclient-4.5.14.jar,
  target/dependency/httpcore-4.4.16.jar,
diff --git a/plugin/build.properties b/plugin/build.properties
@@ -15,6 +15,7 @@ bin.includes = plugin.xml,\
                target/dependency/jackson-annotations-2.16.2.jar,\
                target/dependency/jackson-core-2.16.2.jar,\
                target/dependency/jackson-databind-2.16.2.jar,\
-               target/dependency/javax.inject-1.jar
+               target/dependency/javax.inject-1.jar,\
+               target/dependency/commons-text-1.10.0.jar
 src.includes =src/,\
                icons/
diff --git a/plugin/pom.xml b/plugin/pom.xml
@@ -38,6 +38,12 @@
             <version>3.12.0</version>
             <type>jar</type>
         </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-text</artifactId>
+            <version>1.10.0</version>
+            <type>jar</type>
+        </dependency>
         <dependency>
             <groupId>org.apache.httpcomponents</groupId>
             <artifactId>httpcore</artifactId>
diff --git a/plugin/src/main/java/io/snyk/eclipse/plugin/html/BaseHtmlProvider.java b/plugin/src/main/java/io/snyk/eclipse/plugin/html/BaseHtmlProvider.java
@@ -4,6 +4,7 @@
 import java.util.Map;
 import java.util.Random;
 
+import org.apache.commons.text.StringEscapeUtils;
 import org.eclipse.core.runtime.Platform;
 import org.eclipse.jface.resource.ColorRegistry;
 import org.eclipse.jface.resource.JFaceResources;
@@ -22,7 +23,6 @@ public class BaseHtmlProvider {
 	private final Random random = new Random();
 	private final Map<String, String> colorCache = new HashMap<>();
 	private String nonce = "";
-
 	public String getCss() {
 		return "";
 	}
@@ -132,7 +132,7 @@ public String replaceCssVariables(String html) {
 
 		htmlStyled = htmlStyled.replace("${headerEnd}", "");
 		htmlStyled = htmlStyled.replace("${nonce}", nonce);
-		htmlStyled = htmlStyled.replace("ideNonce", nonce);
+		htmlStyled = htmlStyled.replaceAll("ideNonce", nonce);
 		htmlStyled = htmlStyled.replace("${ideScript}", "");
 
 		return htmlStyled;
@@ -206,16 +206,19 @@ public ITheme getCurrentTheme() {
 		currentTheme = themeManager.getCurrentTheme();
 		return currentTheme;
 	}
-
 	public String getErrorHtml(String errorMessage, String path) {
-		var html = """
+        String escapedErrorMessage = errorMessage == null ? "Unknown error" : StringEscapeUtils.escapeHtml3((errorMessage));
+        String escapedPath = path == null ? "Unknown path" : StringEscapeUtils.escapeHtml3(path);
+		var html = String.format("""
 				<!DOCTYPE html>
 				<html lang="en">
 				<head>
+					<meta http-equiv='Content-Type' content='text/html; charset=unicode' />
 				    <meta charset="UTF-8">
 				    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+				      <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-ideNonce'; style-src 'self' 'nonce-ideNonce';">
 				    <title>Snyk for Eclipse</title>
-				    <style>
+				    <style nonce=ideNonce>
 				        body {
 				        	font-family: var(--default-font);
 				            background-color: var(--background-color);
@@ -236,16 +239,16 @@ public String getErrorHtml(String errorMessage, String path) {
 				            <p><strong>An error occurred:</strong></p>
 				            <p>
 				            <table>
-				            	<tr><td width="150"	>Error message:</td><td>%s</td></tr>
+				            	<tr><td width="150"	>Error message:</td><td id="errorContainer">%s</td></tr>
 				            	<tr></tr>
-				            	<tr><td>Path:</td><td>%s</td></tr>
+				            	<tr><td width="150"	>Path:</td><td id="pathContainer">%s</td></tr>
 				            </table>
 				            </p>
 				        </div>
 				    </div>
 				</body>
 				</html>
-				""".formatted(errorMessage, path);
+				""",escapedErrorMessage, escapedPath);
 		return replaceCssVariables(html);
 	}
 }
diff --git a/target-platform/target-platform.target b/target-platform/target-platform.target
@@ -58,6 +58,12 @@
             <version>3.17.0</version>
             <type>jar</type>
           </dependency>
+          <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-text</artifactId>
+            <version>1.10.0</version>
+            <type>jar</type>
+          </dependency>
           <dependency>
             <groupId>org.mockito</groupId>
             <artifactId>mockito-inline</artifactId>
