LPS-144248 Avoid DoS attack

MarinhoFeliphe · brianchandotcom · commit 5d62db9d0100 · 2021-12-21T11:16:18.000-08:00
diff --git a/modules/dxp/apps/portal-workflow/portal-workflow-kaleo-forms-web/src/main/java/com/liferay/portal/workflow/kaleo/forms/web/internal/portlet/KaleoFormsAdminPortlet.java b/modules/dxp/apps/portal-workflow/portal-workflow-kaleo-forms-web/src/main/java/com/liferay/portal/workflow/kaleo/forms/web/internal/portlet/KaleoFormsAdminPortlet.java
@@ -29,6 +29,7 @@
 import com.liferay.portal.configuration.metatype.bnd.util.ConfigurableUtil;
 import com.liferay.portal.kernel.json.JSONFactoryUtil;
 import com.liferay.portal.kernel.json.JSONObject;
+import com.liferay.portal.kernel.language.LanguageUtil;
 import com.liferay.portal.kernel.log.Log;
 import com.liferay.portal.kernel.log.LogFactoryUtil;
 import com.liferay.portal.kernel.model.WorkflowInstanceLink;
@@ -40,6 +41,8 @@
 import com.liferay.portal.kernel.service.WorkflowInstanceLinkLocalService;
 import com.liferay.portal.kernel.servlet.SessionErrors;
 import com.liferay.portal.kernel.theme.ThemeDisplay;
+import com.liferay.portal.kernel.util.ListUtil;
+import com.liferay.portal.kernel.util.LocaleUtil;
 import com.liferay.portal.kernel.util.MimeTypesUtil;
 import com.liferay.portal.kernel.util.ParamUtil;
 import com.liferay.portal.kernel.util.Validator;
@@ -66,7 +69,10 @@
 
 import java.io.IOException;
 
-import java.util.Enumeration;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 import java.util.Objects;
 
@@ -377,26 +383,25 @@ protected void saveInPortletSession(
 	 *
 	 * @param  resourceRequest the resource request
 	 * @param  resourceResponse the resource response
-	 * @throws Exception if an exception occurred
 	 */
 	protected void saveInPortletSession(
-			ResourceRequest resourceRequest, ResourceResponse resourceResponse)
-		throws Exception {
+		ResourceRequest resourceRequest, ResourceResponse resourceResponse) {
 
-		Enumeration<String> enumeration = resourceRequest.getParameterNames();
+		Map<String, String[]> parameterMap = resourceRequest.getParameterMap();
 
-		while (enumeration.hasMoreElements()) {
-			String name = enumeration.nextElement();
+		PortletSession portletSession = resourceRequest.getPortletSession();
 
-			if (Objects.equals(name, "doAsUserId")) {
+		for (String parameterName :
+				ListUtil.concat(
+					_getLocalizedParameterNames(), _parameterNames)) {
+
+			if (!parameterMap.containsKey(parameterName)) {
 				continue;
 			}
 
-			PortletSession portletSession = resourceRequest.getPortletSession();
-
-			String value = ParamUtil.getString(resourceRequest, name);
-
-			portletSession.setAttribute(name, value);
+			portletSession.setAttribute(
+				parameterName,
+				ParamUtil.getString(resourceRequest, parameterName));
 		}
 	}
 
@@ -519,9 +524,28 @@ protected void setDisplayContext(
 	@Reference
 	protected StorageEngine storageEngine;
 
+	private List<String> _getLocalizedParameterNames() {
+		List<String> localizedParameters = new ArrayList<>();
+
+		for (Locale availableLocale : LanguageUtil.getAvailableLocales()) {
+			localizedParameters.add(
+				"description" + LocaleUtil.toLanguageId(availableLocale));
+			localizedParameters.add(
+				"name" + LocaleUtil.toLanguageId(availableLocale));
+		}
+
+		return localizedParameters;
+	}
+
 	private static final Log _log = LogFactoryUtil.getLog(
 		KaleoFormsAdminPortlet.class);
 
+	private static final List<String> _parameterNames = Arrays.asList(
+		"backURL", "ddmStructureId", "ddmStructureName", "ddmTemplateId",
+		"historyKey", "kaleoProcessId", "kaleoTaskFormPairsData", "mvcPath",
+		"redirect", "translatedLanguagesDescription", "translatedLanguagesName",
+		"workflowDefinition");
+
 	@Reference
 	private DDLExporterFactory _ddlExporterFactory;
 
