667. EPMO Open Source Coordination Office Redaction File Detail Report

Produced by Araxis Merge on 10/12/2018 4:04:42 PM Eastern Daylight Time. See www.araxis.com for information about Merge. This report uses XHTML and CSS2, and is best viewed with a modern standards-compliant browser. For optimum results when printing this report, use landscape orientation and enable printing of background images and colours in your browser.

667.1 Files compared

# Location File Last Modified
1 Vetlink 2.0.zip\Vetlink 2.0\vetlink-services.zip\vetlink-services\VetLinkServices\src\test\java\gov\va\vamf\vetlink\bean\annotation XSSValidatorTest.java Fri Jun 22 18:42:52 2018 UTC
2 Vetlink 2.0.zip\Vetlink 2.0\vetlink-services.zip\vetlink-services\VetLinkServices\src\test\java\gov\va\vamf\vetlink\bean\annotation XSSValidatorTest.java Thu Oct 11 20:19:15 2018 UTC

667.2 Comparison summary

Description Between
Files 1 and 2
Text Blocks Lines
Unchanged 4 218
Changed 3 28
Inserted 0 0
Removed 0 0

667.3 Comparison options

Whitespace
Character case Differences in character case are significant
Line endings Differences in line endings (CR and LF characters) are ignored
CR/LF characters Not shown in the comparison detail

667.4 Active regular expressions

No regular expressions were active.

667.5 Comparison detail

  1   package go v.va.vamf. vetlink.be an.annotat ion;
  2  
  3   import gov .va.vamf.x ss.validat ion.XSSVal idator;
  4   import org .jsoup.Jso up;
  5   import org .jsoup.nod es.Documen t;
  6   import org .jsoup.nod es.Node;
  7   import org .jsoup.par ser.Parser ;
  8   import org .junit.Tes t;
  9  
  10   import jav a.io.Buffe redReader;
  11   import jav a.io.IOExc eption;
  12   import jav a.io.Input StreamRead er;
  13   import jav a.util.Ite rator;
  14  
  15   import sta tic org.ju nit.Assert .assertFal se;
  16   import sta tic org.ju nit.Assert .assertTru e;
  17  
  18   public cla ss XSSVali datorTest  {
  19  
  20  
  21       privat e XSSValid ator valid ator = new  XSSValida tor();
  22  
  23       @Test
  24       public  void vali dateString Input() {
  25           as sertFalse( validator. hasXSSInje ction("6 >  7"));
  26       }
  27  
  28       @Test
  29       public  void vali dateXSSInp ut() {
  30           as sertTrue(v alidator.h asXSSInjec tion("test &<script>a lert(1)</s cript>"));
  31       }
  32  
  33       @Test
  34       public  void vali dateXMLInp ut() {
  35           as sertFalse( validator. hasXSSInje ction("<ul ><li>123</ li></ul>") );
  36       }
  37  
  38       /**
  39        * Val idate that  we throw  errors whe n processi ng the OWA SP 'XSS Fi lter Evasi on Cheat S heet'
  40        * @th rows IOExc eption Can not find t he XSSTest s.txt file
  41        */
  42       @Test
  43       public  void vali dateOwaspX ssTests()  throws IOE xception {
  44           Bu fferedRead er reader  = new Buff eredReader (new Input StreamRead er(getClas s().getRes ourceAsStr eam("/XSST est.txt")) );
  45           va lidator =  new XSSVal idator();
  46           St ring descr iption = " Unknown Te st";
  47           in t lineCoun t = 0;
  48           bo olean test Passed = t rue;
  49           wh ile(reader .ready()){
  50                String n extLine =  reader.rea dLine().tr im();
  51                lineCoun t++;
  52                if(nextL ine.isEmpt y()) conti nue;
  53  
  54                if(nextL ine.starts With("#")) {
  55                    desc ription =  nextLine;
  56                }else{
  57                    if(! validator. hasXSSInje ction(next Line)){
  58                         String out put = getF ragmentAsD ocument(ne xtLine).bo dy().html( );
  59                         if(output. isEmpty()) {
  60                             System .err.forma t("\n\tWar ning- Sani tized outp ut\n");
  61                             System .err.forma t("\tTest:  %s\n", de scription. substring( 1));
  62                             System .err.forma t("\tLine:   %d\n", l ineCount);
  63                             System .err.forma t("\tTest:   %s\n", n extLine);
  64                         }else{
  65                             testPa ssed = fal se;
  66                             System .err.forma t("\n\tFai lure: %s\n ", descrip tion.subst ring(1));
  67                             System .err.forma t("\tLine:   %d\n", l ineCount);
  68                             System .err.forma t("\tTest:   %s\n", n extLine);
  69                             System .err.forma t("\tJsoup : %s\n", o utput);
  70                         }
  71                    }
  72                }
  73           }
  74           if (!testPass ed){
  75                throw ne w Assertio nError("On e or more  OWASP XSS  Evasion Te st failure s.");
  76           }
  77       }
  78  
  79       privat e Document  getFragme ntAsDocume nt(CharSeq uence valu e) {
  80           Do cument fra gment = Js oup.parse( value.toSt ring(), "" , Parser.x mlParser() );
  81           Do cument doc ument = Do cument.cre ateShell(" ");
  82           It erator nod es = fragm ent.childr en().itera tor();
  83  
  84           wh ile(nodes. hasNext())  {
  85                document .body().ap pendChild( (Node)node s.next());
  86           }
  87           re turn docum ent;
  88       }
  89  
  90  
  91  
  92       @Test
  93       public  void inva lidJsonVal idator(){
  94           St ring json  ="{\"age\" :\"80\",\" dateOfBirt h\":\"Apr  07, 1935\" ,\"display Name\":\"E IGHT, PATI ENT\",\"fi rstName\": \"PATIENT\ ",\"gender \":\"MALE\ ",\"inpati ent\":true ,\"lastNam e\":\"EIG"  +
  95                    "HT\ ",\"patien tAssigning Authority\ ":\"dfn-52 3\",\"pati entId\":\" 3\",\"ssn\ ":\"666-00 -0008\",\" object-typ e\":\"Pati ent\",\"pa tientIdent ifier\":{\ "uniqueId\ ":\"3\",\" assignin"  +
  96                    "gAu thority\": \"dfn-523\ "},\"textM essagingAl lowed\":fa lse,\"serv iceConnect ed\":true, \"sensitiv e\":false, \"wardLoca tion\":\"7 A GEN MED\ ",\"roombe d\":\"735\ ",\"locati onIEN\":\" " +
  97                      "158\",\"c wad\":\"CA D\",\"icn\ ":\"<scrip t>alert('1 ')</script >\",\"serv iceConnect edPercent\ ":\"0\",\" admittedDa teTime\":\ "05/07/201 4 15:22:54 \",\"self\ ":{\"href\ ":\"http:/ / IP        /PatientVi ewerSe" +
  98                      "rvices/re st/patient /dfn-523/3 \",\"rel\" :\"self\", \"object-t ype\":\"At omLink\"}, \"patient- identifier s\":{\"hre f\":\"http :// IP        /PatientVi ewerServic es/rest/pa tient/dfn- 52" +
  99                      "3/3/ident ifiers\",\ "title\":\ "patient-i dentifiers \",\"rel\" :\"related \",\"objec t-type\":\ "AtomLink\ "},\"patie nt-demogra phics\":{\ "href\":\" http:// IP        /PatientVi ewerServ"  +
  100                    "ice s/rest/pat ient/dfn-5 23/3/demog raphics/sc ope/longit udinal\",\ "title\":\ "patient-d emographic s\",\"rel\ ":\"relate d\",\"obje ct-type\": \"AtomLink \"},\"pati ent-demogr aphics-lon gitudinal\ "" +
  101                      ":{\"href\ ":\"http:/ / IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/demo graphics/s cope/longi tudinal\", \"title\": \"patient- demographi cs-longitu dinal\",\" rel\":\"re lated\",\" object-typ e\"" +
  102                      ":\"AtomLi nk\"},\"pa tient-demo graphics-o perational \":{\"href \":\"http: // IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/demo graphics/s cope/opera tional\",\ "title\":\ "patient-d emographic s-operatio nal\"" +
  103                      ",\"rel\": \"related\ ",\"object -type\":\" AtomLink\" },\"patien t-preferen ce\":{\"hr ef\":\"htt p:// IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/pref erence\",\ "title\":\ "patient-p reference\ ",\"rel\": \"related\ "" +
  104                      ",\"object -type\":\" AtomLink\" },\"patien t-image\": {\"href\": \"http:// IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/pati ent-image\ ",\"title\ ":\"patien t-image\", \"rel\":\" related\", \"object-t ype\":\"At omLink\"}, \"" +
  105                      "patient-c alendar-ev ents\":{\" href\":\"h ttp:// IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/cale ndar/calen darEvent\" ,\"title\" :\"patient -calendar- events\",\ "rel\":\"r elated\",\ "object-ty pe\":\"Ato mLink\"},\ "patient-c alendar-pu blickey\""  +
  106                      ":{\"href\ ":\"http:/ / IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/cale ndar/key\" ,\"title\" :\"patient -calendar- publickey\ ",\"rel\": \"related\ ",\"object -type\":\" AtomLink\" },\"patien t-appointm ents-past\ "" +
  107                      ":{\"href\ ":\"http:/ / IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/appo intments/p ast\",\"ti tle\":\"pa tient-appo intments-p ast\",\"re l\":\"rela ted\",\"ob ject-type\ ":\"AtomLi nk\"},\"pa tient-appo intments-f uture\":{\ "href\":\" http:// IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/appo intments/f uture\",\" title\":\" patient-ap pointments -future\", \"rel\":\" related\", \"object-t ype\":\"At omLink\"}, \"patient- appointmen ts\":{\"hr ef\":\"htt p:// IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/appo intments/s cope/longi tudinal\", \"title\": \"patient- appointmen ts\",\"rel \":\"relat ed\",\"obj ect-type\" :\"AtomLin k\"},\"pat ient-appoi ntments-lo ngitudinal \":{\"href \":\"http: // IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/appo intments/s cope/longi tudinal\", \"title\": \"patient- appointmen ts-longitu dinal\",\" rel\":\"re lated\",\" object-typ e\":\"Atom Link\"},\" patient-ap pointments -operation al\":{\"hr ef\":\"htt p:// IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/appo intments/s cope/opera tional\",\ "title\":\ "patient-a ppointment s-operatio nal\",\"re l\":\"rela ted\",\"ob ject-type\ ":\"AtomLi nk\"},\"pa tient-appo intments-m ental-heal th\":{\"hr ef\":\"htt p:// IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/appo intments/m ental-heal th/scope/l ongitudina l\",\"titl e\":\"pati ent-appoin tments-men tal-health \",\"rel\" :\"related \",\"objec t-type\":\ "AtomLink\ "},\"patie nt-appoint ments-ment al-health- longitudin al\":{\"hr ef\":\"htt p:// IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/appo intments/m ental-heal th/scope/l ongitudina l\",\"titl e\":\"pati ent-appoin tments-men tal-health -longitudi nal\",\"re l\":\"rela ted\",\"ob ject-type\ ":\"AtomLi nk\"},\"pa tient-appo intments-m ental-heal th-operati onal\":{\" href\":\"h ttp:// IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/appo 
intments/m ental-heal th/scope/o perational \",\"title \":\"patie nt-appoint ments-ment al-health- operationa l\",\"rel\ ":\"relate d\",\"obje ct-type\": \"AtomLink \"},\"pati ent-proble ms\":{\"hr ef\":\"htt p:// IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/prob lems/scope /longitudi nal\",\"ti tle\":\"pa tient-prob lems\",\"r el\":\"rel ated\",\"o bject-type \":\"AtomL ink\"},\"p atient-pro blems-long itudinal\" :{\"href\" :\"http:// IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/prob lems/scope /longitudi nal\",\"ti tle\":\"pa tient-prob lems-longi tudinal\", \"rel\":\" related\", \"object-t ype\":\"At omLink\"}, \"patient- problems-o perational \":{\"href \":\"http: // IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/prob lems/scope /operation al\"}";
  108  
  109           as sertTrue(v alidator.h asXSSInjec tion(json) );
  110  
  111       }
  112       @Test
  113       public  void vali dJsonValid ator(){
  114           St ring json  ="{\"age\" :\"80\",\" dateOfBirt h\":\"Apr  07, 1935\" ,\"display Name\":\"E IGHT, PATI ENT\",\"fi rstName\": \"PATIENT\ ",\"gender \":\"MALE\ ",\"inpati ent\":true ,\"lastNam e\":\"EIG"  +
  115                    "HT\ ",\"patien tAssigning Authority\ ":\"dfn-52 3\",\"pati entId\":\" 3\",\"ssn\ ":\"666-00 -0008\",\" object-typ e\":\"Pati ent\",\"pa tientIdent ifier\":{\ "uniqueId\ ":\"3\",\" assignin"  +
  116                    "gAu thority\": \"dfn-523\ "},\"textM essagingAl lowed\":fa lse,\"serv iceConnect ed\":true, \"sensitiv e\":false, \"wardLoca tion\":\"7 A GEN MED\ ",\"roombe d\":\"735\ ",\"locati onIEN\":\" " +
  117                      "158\",\"c wad\":\"CA D\",\"icn\ ":\"1234\" ,\"service ConnectedP ercent\":\ "0\",\"adm ittedDateT ime\":\"05 /07/2014 1 5:22:54\", \"self\":{ \"href\":\ "http:// IP        /PatientVi ewerSe" +
  118                      "rvices/re st/patient /dfn-523/3 \",\"rel\" :\"self\", \"object-t ype\":\"At omLink\"}, \"patient- identifier s\":{\"hre f\":\"http :// IP        /PatientVi ewerServic es/rest/pa tient/dfn- 52" +
  119                      "3/3/ident ifiers\",\ "title\":\ "patient-i dentifiers \",\"rel\" :\"related \",\"objec t-type\":\ "AtomLink\ "},\"patie nt-demogra phics\":{\ "href\":\" http:// IP        /PatientVi ewerServ"  +
  120                      "ices/rest /patient/d fn-523/3/d emographic s/scope/lo ngitudinal \",\"title \":\"patie nt-demogra phics\",\" rel\":\"re lated\",\" object-typ e\":\"Atom Link\"},\" patient-de mographics -longitudi nal\":{\"h ref\":\"ht tp:// IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/demo graphics/s cope/longi tudinal\", \"title\": \"patient- demographi cs-longitu dinal\",\" rel\":\"re lated\",\" object-typ e\":\"Atom Link\"},\" patient-de mographics -operation al\":{\"hr ef\":\"htt p:// IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/demo graphics/s cope/opera tional\",\ "title\":\ "patient-d emographic s-operatio nal\",\"re l\":\"rela ted\",\"ob ject-type\ ":\"AtomLi nk\"},\"pa tient-pref erence\":{ \"href\":\ "http:// IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/pref erence\",\ "title\":\ "patient-p reference\ ",\"rel\": \"related\ ",\"object -type\":\" AtomLink\" },\"patien t-image\": {\"href\": \"http:// IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/pati ent-image\ ",\"title\ ":\"patien t-image\", \"rel\":\" related\", \"object-t ype\":\"At omLink\"}, \"patient- calendar-e vents\":{\ "href\":\" http:// IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/cale ndar/calen darEvent\" ,\"title\" :\"patient -calendar- events\",\ "rel\":\"r elated\",\ "object-ty pe\":\"Ato mLink\"},\ "patient-c alendar-pu blickey\": {\"href\": \"http:// IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/cale ndar/key\" ,\"title\" :\"patient -calendar- publickey\ ",\"rel\": \"related\ ",\"object -type\":\" AtomLink\" },\"patien t-appointm ents-past\ ":{\"href\ ":\"http:/ / IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/appo intments/p ast\",\"ti tle\":\"pa tient-appo intments-p ast\",\"re l\":\"rela ted\",\"ob ject-type\ ":\"AtomLi nk\"},\"pa tient-appo intments-f uture\":{\ "href\":\" http:// IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/appo intments/f uture\",\" 
title\":\" patient-ap pointments -future\", \"rel\":\" related\", \"object-t ype\":\"At omLink\"}, \"patient- appointmen ts\":{\"hr ef\":\"htt p:// IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/appo intments/s cope/longi tudinal\", \"title\": \"patient- appointmen ts\",\"rel \":\"relat ed\",\"obj ect-type\" :\"AtomLin k\"},\"pat ient-appoi ntments-lo ngitudinal \":{\"href \":\"http: // IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/appo intments/s cope/longi tudinal\", \"title\": \"patient- appointmen ts-longitu dinal\",\" rel\":\"re lated\",\" object-typ e\":\"Atom Link\"},\" patient-ap pointments -operation al\":{\"hr ef\":\"htt p:// IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/appo intments/s cope/opera tional\",\ "title\":\ "patient-a ppointment s-operatio nal\",\"re l\":\"rela ted\",\"ob ject-type\ ":\"AtomLi nk\"},\"pa tient-appo intments-m ental-heal th\":{\"hr ef\":\"htt p:// IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/appo intments/m ental-heal th/scope/l ongitudina l\",\"titl e\":\"pati ent-appoin tments-men tal-health \",\"rel\" :\"related \",\"objec t-type\":\ "AtomLink\ "},\"patie nt-appoint ments-ment al-health- longitudin al\":{\"hr ef\":\"htt p:// IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/appo intments/m ental-heal th/scope/l ongitudina l\",\"titl e\":\"pati ent-appoin tments-men tal-health -longitudi nal\",\"re l\":\"rela ted\",\"ob ject-type\ ":\"AtomLi nk\"},\"pa tient-appo intments-m ental-heal th-operati onal\":{\" href\":\"h ttp:// IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/appo intments/m ental-heal th/scope/o perational \",\"title \":\"patie nt-appoint ments-ment al-health- operationa l\",\"rel\ ":\"relate d\",\"obje ct-type\": \"AtomLink \"},\"pati ent-proble ms\":{\"hr ef\":\"htt p:// IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/prob lems/scope /longitudi nal\",\"ti tle\":\"pa tient-prob lems\",\"r el\":\"rel ated\",\"o bject-type 
\":\"AtomL ink\"},\"p atient-pro blems-long itudinal\" :{\"href\" :\"http:// IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/prob lems/scope /longitudi nal\",\"ti tle\":\"pa tient-prob lems-longi tudinal\", \"rel\":\" related\", \"object-t ype\":\"At omLink\"}, \"patient- problems-o perational \":{\"href \":\"http: // IP        /PatientVi ewerServic es/rest/pa tient/dfn- 523/3/prob lems/scope /operation al\"}";
  121           as sertFalse( validator. hasXSSInje ction(json ));
  122       }
  123   }
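Review bot: The redacted host placeholder on the new side (the ` IP        ` text inside `http://` in the JSON fixtures of invalidJsonValidator and validJsonValidator, which the summary's three changed blocks of 14 lines per side appear to cover) leaves no indication in the file that those URLs were altered, so a reader may take the spaces inside a URL for a typo or a broken fixture. A short comment above each `String json =` line, e.g. `// host in the href values was redacted from this fixture; the XSS check does not depend on it`, would make the intent explicit. The assertions themselves look unaffected, since invalidJsonValidator is driven by the `<script>` payload in the `icn` field and validJsonValidator by its absence. The redacted literals are also far past any reasonable line length; moving them into a classpath resource, as validateOwaspXssTests already does with XSSTest.txt, would keep future redactions reviewable line by line.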