fix(#2971): Improve token generation and URL-enode tokens (#2972)
dominikriemer authored Jun 28, 2024
1 parent a38a06e commit 4b1d9e7
Showing 4 changed files with 21 additions and 2 deletions.
Expand Up @@ -23,7 +23,10 @@
import org.apache.streampipes.mail.template.part.LogoPart;
import org.apache.streampipes.storage.management.StorageDispatcher;

import com.google.common.base.Charsets;

import java.io.IOException;
import java.net.URLEncoder;
import java.util.HashMap;
import java.util.Map;

Expand Down Expand Up @@ -58,4 +61,8 @@ public String generateTemplate() throws IOException {
configureTemplate(builder);
return builder.generateHtmlTemplate();
}

protected String encodeUrlPart(String content) {
return URLEncoder.encode(content, Charsets.UTF_8);
}
}
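Review bot: `encodeUrlPart` reaches for Guava's `Charsets.UTF_8` where the JDK already provides `java.nio.charset.StandardCharsets.UTF_8`; Guava's own documentation points users of its charset constants to the JDK ones, and the hunk uses Guava for nothing else, so the new import pulls in a dependency this class does not need. The one-line change is `return URLEncoder.encode(content, StandardCharsets.UTF_8);` with the import swapped accordingly. The method also deserves a Javadoc stating its contract, since `URLEncoder` produces application/x-www-form-urlencoded output (a space becomes `+`), which is right for a query-string value such as the activation and recovery codes but not for a path segment: `/** Encodes {@code content} for use as a query-string value (form encoding, space becomes '+'); not suitable for path segments. */`. The enclosing class starts outside the hunk.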
Expand Up @@ -60,6 +60,6 @@ protected void configureTemplate(MailTemplateBuilder builder) {
}

private String makeLink() {
return new LinkPart("/#/activate-account?activationCode=" + this.activationCode).generate();
return new LinkPart("/#/activate-account?activationCode=" + encodeUrlPart(this.activationCode)).generate();
}
}
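Review bot: `makeLink` now passes `this.activationCode` through `URLEncoder.encode`, which throws `NullPointerException` on a null argument where the previous concatenation silently produced the literal text `null`; the same applies to `this.recoveryCode` in the set-new-password template's `makeLink` in the next file. Whether these fields can be null is not visible here, but if the constructor does not already reject it, an `Objects.requireNonNull(activationCode, "activationCode")` there would surface the problem with a clear message when the template is built rather than when the mail body is rendered. The enclosing class and the field assignment are outside the hunk.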
Expand Up @@ -60,6 +60,6 @@ protected void configureTemplate(MailTemplateBuilder builder) {
}

private String makeLink() {
return new LinkPart("/#/set-new-password?recoveryCode=" + this.recoveryCode).generate();
return new LinkPart("/#/set-new-password?recoveryCode=" + encodeUrlPart(this.recoveryCode)).generate();
}
}
Expand Up @@ -18,16 +18,28 @@

package org.apache.streampipes.user.management.util;

import org.apache.commons.text.CharacterPredicate;
import org.apache.commons.text.RandomStringGenerator;

import java.security.SecureRandom;

public class SecureStringGenerator {
public String generateSecureString(int length) {
// filter for characters allowed in URLs
CharacterPredicate includeChars = ch -> (
(ch >= 'a' && ch <= 'z')
|| (ch >= 'A' && ch <= 'Z')
|| (ch >= '0' && ch <= '9')
|| ch == '-' || ch == '_' || ch == '.'
|| ch == '!' || ch == '*' || ch == '(' || ch == ')'
|| ch == ':' || ch == '@' || ch == '='
|| ch == '+' || ch == '$' || ch == ','
);
// allowing all ASCII-characters from decimal id 33 to 125
// see https://www.cs.cmu.edu/~pattis/15-1XX/common/handouts/ascii.html for full list
var pwdGenerator = new RandomStringGenerator.Builder().usingRandom(new SecureRandom()::nextInt)
.withinRange(33, 125)
.filteredBy(includeChars)
.build();
return pwdGenerator.generate(length);
}
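Review bot: The comment `// allowing all ASCII-characters from decimal id 33 to 125` is now misleading, because `.filteredBy(includeChars)` narrows that range to the 75 characters the predicate admits (62 alphanumerics plus the 13 listed punctuation marks); replace it with `// 33..125 is only the sampling window; filteredBy() keeps the 75 URL-safe characters admitted above`. A Javadoc on `generateSecureString` should also state the resulting strength so callers pick an adequate `length`: with a 75-symbol alphabet each character carries about 6.2 bits, so a token meant to hold 128 bits of entropy needs a length of at least 21. Constructing `new SecureRandom()` on every call is avoidable; `SecureRandom` is thread-safe, so `private static final SecureRandom RANDOM = new SecureRandom();` on the class and `.usingRandom(RANDOM::nextInt)` here keeps a single seeded instance. The class's closing brace is not shown, so its body continues past the hunk.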
