Bug #32973: XSS User profile.

E-mail address validation added.

pom.xml

@@ -69,6 +69,7 @@
 		<commons.io.version>2.4</commons.io.version>
 		<commons.lang.version>2.6</commons.lang.version>
 		<commons.logging.version>1.2</commons.logging.version>
+		<commons.validator.version>1.4.0</commons.validator.version>
 
 		<jstl.version>1.2</jstl.version>
 		<servlet-api.version>2.5</servlet-api.version>
@@ -169,6 +170,12 @@
 			<version>1.10</version>
 		</dependency>
 
+		<dependency>
+			<groupId>commons-validator</groupId>
+			<artifactId>commons-validator</artifactId>
+			<version>${commons.validator.version}</version>
+		</dependency>
+
 		<!-- Logging dependencies -->
 		<dependency>
 			<groupId>org.slf4j</groupId>

src/main/java/org/genesys2/server/service/UserService.java

@@ -64,7 +64,7 @@ public interface UserService {
 	UserWrapper getWrappedById(long userId) throws UserException;
 
 	@PreAuthorize("hasRole('ADMINISTRATOR') || principal.user.id == #userId")
-	User updateData(long userId, String name, String email);
+	User updateData(long userId, String name, String email) throws UserException;
 
 	User getSystemUser(String string);
 

src/main/java/org/genesys2/server/service/impl/UserServiceImpl.java

@@ -29,6 +29,7 @@ import org.apache.commons.collections4.ListUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.commons.validator.routines.EmailValidator;
 import org.genesys2.server.exception.NoUserFoundException;
 import org.genesys2.server.exception.NotUniqueUserException;
 import org.genesys2.server.exception.UserException;
@@ -75,6 +76,8 @@ public class UserServiceImpl implements UserService {
 
 	private final List<UserRole> availableRoles = ListUtils.unmodifiableList(Arrays.asList(UserRole.values()));
 
+	private EmailValidator emailValidator = EmailValidator.getInstance();
+
 	/**
 	 * Set number of milliseconds for user account lockout
 	 */
@@ -250,8 +253,15 @@ public class UserServiceImpl implements UserService {
 
 	@Override
 	@PreAuthorize("hasRole('ADMINISTRATOR') || principal.user.id == #userId")
-	@Transactional(readOnly = false)
-	public User updateData(long userId, String name, String email) {
+	@Transactional(readOnly = false, rollbackFor = NotUniqueUserException.class)
+	public User updateData(long userId, String name, String email) throws UserException {
+		if (!emailValidator.isValid(email)) {
+			throw new UserException();
+		}
+		if (userPersistence.findByEmail(email) != null) {
+			throw new NotUniqueUserException(new Throwable(), email);
+		}
+
 		final User user = userPersistence.findOne(userId);
 		user.setName(name);
 		user.setEmail(email);

src/main/java/org/genesys2/server/servlet/controller/UserProfileController.java

@@ -19,6 +19,7 @@ package org.genesys2.server.servlet.controller;
 import java.util.List;
 
 import org.apache.commons.lang.StringUtils;
+import org.genesys2.server.exception.NotUniqueUserException;
 import org.genesys2.server.exception.UserException;
 import org.genesys2.server.model.impl.User;
 import org.genesys2.server.service.EMailVerificationService;
@@ -36,6 +37,7 @@ import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.servlet.mvc.support.RedirectAttributes;
 
 @Controller
 @RequestMapping("/profile")
@@ -163,13 +165,21 @@ public class UserProfileController extends BaseController {
 	@RequestMapping(value = "/{uuid:.+}/update", method = { RequestMethod.POST })
 	@PreAuthorize("hasRole('ADMINISTRATOR') || principal.user.uuid == #uuid")
 	public String update(ModelMap model, @PathVariable("uuid") String uuid, @RequestParam("name") String name, @RequestParam("email") String email,
-			@RequestParam("pwd1") String pwd1, @RequestParam("pwd2") String pwd2) {
+			@RequestParam("pwd1") String pwd1, @RequestParam("pwd2") String pwd2, RedirectAttributes redirectAttributes) {
 		final User user = userService.getUserByUuid(uuid);
 		if (user == null) {
 			throw new ResourceNotFoundException();
 		}
 
-		userService.updateData(user.getId(), name, email);
+		try {
+			userService.updateData(user.getId(), name, email);
+		} catch (NotUniqueUserException e) {
+			redirectAttributes.addFlashAttribute("emailError", "User with e-mail address " + e.getEmail() + " already exists");
+			return "redirect:/profile/" + user.getUuid() + "/edit";
+		} catch (UserException e) {
+			redirectAttributes.addFlashAttribute("emailError", "E-mail address is incorrect");
+			return "redirect:/profile/" + user.getUuid() + "/edit";
+		}
 
 		if (StringUtils.isNotBlank(pwd1)) {
 			if (pwd1.equals(pwd2)) {

src/main/java/org/genesys2/server/servlet/controller/admin/UserProfileController.java

@@ -19,6 +19,7 @@ package org.genesys2.server.servlet.controller.admin;
 import java.util.List;
 
 import org.apache.commons.lang.StringUtils;
+import org.genesys2.server.exception.NotUniqueUserException;
 import org.genesys2.server.exception.UserException;
 import org.genesys2.server.model.impl.User;
 import org.genesys2.server.service.EMailVerificationService;
@@ -36,6 +37,7 @@ import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.servlet.mvc.support.RedirectAttributes;
 
 @Controller("adminUsersController")
 @RequestMapping(UserProfileController.URLBASE)
@@ -153,13 +155,21 @@ public class UserProfileController extends BaseController {
 
 	@RequestMapping(value = "/{uuid:.+}/update", method = { RequestMethod.POST })
 	public String update(ModelMap model, @PathVariable("uuid") String uuid, @RequestParam("name") String name, @RequestParam("email") String email,
-			@RequestParam("pwd1") String pwd1, @RequestParam("pwd2") String pwd2) {
+			@RequestParam("pwd1") String pwd1, @RequestParam("pwd2") String pwd2, RedirectAttributes redirectAttributes) {
 		final User user = userService.getUserByUuid(uuid);
 		if (user == null) {
 			throw new ResourceNotFoundException();
 		}
 
-		userService.updateData(user.getId(), name, email);
+		try {
+			userService.updateData(user.getId(), name, email);
+		} catch (NotUniqueUserException e) {
+			redirectAttributes.addFlashAttribute("emailError", "User with e-mail address " + e.getEmail() + " already exists");
+			return "redirect:" + URLBASE + user.getUuid() + "/edit";
+		} catch (UserException e) {
+			redirectAttributes.addFlashAttribute("emailError", "E-mail address is incorrect");
+			return "redirect:" + URLBASE + user.getUuid() + "/edit";
+		}
 
 		if (StringUtils.isNotBlank(pwd1)) {
 			if (pwd1.equals(pwd2)) {

src/main/java/org/genesys2/server/servlet/controller/rest/UsersController.java

@@ -115,7 +115,13 @@ public class UsersController extends RestController {
             throw new ResourceNotFoundException();
         }
 
-        userService.updateData(user.getId(), userData.getName(), userData.getEmail());
+        try {
+            userService.updateData(user.getId(), userData.getName(), userData.getEmail());
+        } catch (NotUniqueUserException e) {
+            LOG.warn("User with e-mail address " + e.getEmail() + " already exists");
+        } catch (UserException e) {
+            LOG.warn("E-mail address is incorrect");
+        }
 
         if (StringUtils.isNotBlank(userData.getPwd1())) {
             if (userData.getPwd1().equals(userData.getPwd2())) {

src/main/webapp/WEB-INF/jsp/1/admin/users/edit.jsp

@@ -7,6 +7,9 @@
 <title><spring:message code="userprofile.update.title" /></title>
 </head>
 <body>
+	<c:if test="${not empty emailError}">
+		<div class="alert alert-danger">${emailError}</div>
+	</c:if>
 	<form role="form" class="form-horizontal validate" action="<c:url value="/admin/users/${user.uuid}/update" />" method="post">
 		<div class="form-group">
 			<label for="name" class="col-lg-2 control-label"><spring:message code="registration.full-name" /></label>

src/main/webapp/WEB-INF/jsp/user/edit.jsp

@@ -12,6 +12,9 @@
 		<spring:message code="userprofile.update.title" />
 	</h1>
 
+	<c:if test="${not empty emailError}">
+		<div class="alert alert-danger">${emailError}</div>
+	</c:if>
 	<form role="form" class="form-horizontal validate" action="<c:url value="/profile/${user.uuid}/update" />" method="post">
 		<div class="form-group">
 			<label for="name" class="col-lg-2 control-label"><spring:message code="registration.full-name" /></label>