Conversation

@YvCeung
Contributor

@YvCeung YvCeung commented Aug 24, 2025

Ⅰ. Describe what this PR did

  1. When xsskeyword is not explicitly specified, the default configuration is used. Previously, the default configuration was a collection, which was converted by String.valueOf() when retrieved through the configuration class, causing deserialization to fail. This change modifies the default format from a List<String> to a String, so that when the project starts and retrieves the default configuration, deserialization no longer fails.

  2. Modify the logic for obtaining keywords through XSSFilter: previously, the keyword set was entirely specified by the user. If the user's configuration was incorrect or was overwritten, the security protection could fail. After optimization, the system's default xss keywords are always effective, and the user configuration is retained but is merged into the total xss keyword set in an appending manner only.

Ⅱ. Does this pull request fix one issue?

fix #7595

Ⅲ. Why don't you add test cases (unit test/integration test)?

Ⅳ. Describe how to verify it

When the configuration file does not specify the xssKeyWord property, starting the service without any errors indicates that there is no issue.

Ⅴ. Special notes for reviews
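As an added illustration of the two points in the description above (example code, not code from this PR or from Seata itself), the following stand-alone Java snippet shows why a List<String> default passed through String.valueOf() cannot be deserialized as JSON, the String form the fix switches to, and an append-only merge that keeps the default keywords effective regardless of what the user supplies. It assumes Jackson's ObjectMapper for JSON handling; the class name, method names and the default keyword list are constructed for the example and are not the project's own.

```java
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/** Hypothetical demo class; not part of Seata. Assumes Jackson on the classpath. */
public class XssKeywordDefaultDemo {
    private static final ObjectMapper MAPPER = new ObjectMapper();

    // Constructed default keyword list for the example; the real project default is not reproduced here.
    static final List<String> DEFAULT_KEYWORDS =
            Arrays.asList("<script>", "</script>", "javascript:", "vbscript:");

    // Before the fix: a List<String> default goes through String.valueOf(), i.e. List.toString().
    // Result: [<script>, </script>, javascript:, vbscript:]  (elements unquoted, so not valid JSON)
    static String brokenDefault() {
        return String.valueOf(DEFAULT_KEYWORDS);
    }

    // After the fix: the default is stored as a JSON array string that a JSON parser accepts.
    // Result: ["<script>","</script>","javascript:","vbscript:"]
    static String fixedDefault() throws Exception {
        return MAPPER.writeValueAsString(DEFAULT_KEYWORDS);
    }

    // Configuration-side deserialization: expects a JSON array of strings and throws otherwise.
    static List<String> parseKeywords(String raw) throws Exception {
        return MAPPER.readValue(raw, new TypeReference<List<String>>() {});
    }

    // Filter-side merge: the defaults are always present and user keywords are appended
    // (deduplicated, insertion order kept). An incorrect or overwritten user list can no
    // longer remove the default protection.
    static Set<String> effectiveKeywords(List<String> userKeywords) {
        Set<String> merged = new LinkedHashSet<>(DEFAULT_KEYWORDS);
        if (userKeywords != null) {
            merged.addAll(userKeywords);
        }
        return merged;
    }

    public static void main(String[] args) throws Exception {
        // The pre-fix default is rejected by the JSON parser.
        try {
            parseKeywords(brokenDefault());
        } catch (Exception e) {
            System.out.println("broken default rejected: " + e.getClass().getSimpleName());
        }
        // The post-fix default round-trips cleanly.
        System.out.println("fixed default parsed: " + parseKeywords(fixedDefault()));
        // A user adds one extra keyword: the defaults still apply.
        System.out.println("effective: " + effectiveKeywords(Arrays.asList("onerror=")));
        // A user supplies an empty list: the defaults still apply.
        System.out.println("effective with empty user config: " + effectiveKeywords(List.of()));
    }
}
```

The merge uses a LinkedHashSet so that a user entry duplicating a default is kept once and the default ordering is preserved; the only way to reduce the effective set is to change the defaults in code, which is the behaviour the description asks for.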

@codecov

codecov bot commented Aug 24, 2025

Codecov Report

❌ Patch coverage is 76.47059% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 61.38%. Comparing base (d42f620) to head (91c6837).
⚠️ Report is 1 commit behind head on 2.x.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| ...ache/seata/server/filter/XSSHttpRequestFilter.java | 66.66% | 3 Missing and 1 partial ⚠️ |
Additional details and impacted files
@@             Coverage Diff              @@
##                2.x    #7596      +/-   ##
============================================
- Coverage     61.40%   61.38%   -0.03%     
  Complexity      658      658              
============================================
  Files          1311     1310       -1     
  Lines         49575    49567       -8     
  Branches       5836     5836              
============================================
- Hits          30443    30425      -18     
- Misses        16412    16416       +4     
- Partials       2720     2726       +6     
| Files with missing lines | Coverage | Δ |
| --- | --- | --- |
| ...ava/org/apache/seata/common/ConfigurationKeys.java | 0.00% <ø> | (ø) |
| ...pc/netty/http/filter/HttpRequestFilterManager.java | 94.11% <100.00%> | (-0.62%) ⬇️ |
| ...configure/SeataServerEnvironmentPostProcessor.java | 100.00% <ø> | (ø) |
| ...s/server/filter/ServerHttpFilterXssProperties.java | 100.00% <ø> | (ø) |
| ...ache/seata/server/filter/XSSHttpRequestFilter.java | 68.08% <66.66%> | (+1.41%) ⬆️ |

... and 9 files with indirect coverage changes


@YvCeung YvCeung changed the title bugfix:Fixed the issue where deserialization failed when the xss filt… bugfix:Fixed the issue where deserialization failed when the xss filter obtained the default keyword Aug 25, 2025
@YvCeung YvCeung changed the title bugfix:Fixed the issue where deserialization failed when the xss filter obtained the default keyword bugfix:Fixed deserialization failure when the XSS filter retrieved the default keyword. Aug 25, 2025
@funky-eyes funky-eyes changed the title bugfix:Fixed deserialization failure when the XSS filter retrieved the default keyword. bugfix: Fixed deserialization failure when the XSS filter retrieved the default keyword. Aug 26, 2025
@funky-eyes funky-eyes requested a review from slievrly August 26, 2025 01:51
@funky-eyes funky-eyes added this to the 2.6.0 milestone Aug 26, 2025
@funky-eyes funky-eyes added type: bug Category issues or prs related to bug. module/server server module module/seata-spring-autoconfigure-server labels Aug 26, 2025
@YvCeung
Contributor Author

YvCeung commented Aug 26, 2025

@slievrly PTAL

@YvCeung
Contributor Author

YvCeung commented Aug 26, 2025

tag d2ca733: Remove the global switch configuration of the filter and the switch configuration of the xss filter, and change it to forced on. The xssFilter only provides users with the ability to append risk keyword configurations.

@YvCeung YvCeung closed this Aug 27, 2025
@YvCeung YvCeung reopened this Aug 27, 2025
@slievrly slievrly changed the title bugfix: Fixed deserialization failure when the XSS filter retrieved the default keyword. bugfix: fix deserialization failure when the XSS filter retrieved the default keyword Aug 27, 2025
@slievrly slievrly left a comment

LGTM

@slievrly slievrly merged commit 36dd48e into apache:2.x Aug 27, 2025
13 of 14 checks passed
slievrly pushed a commit to slievrly/fescar that referenced this pull request Oct 21, 2025
YvCeung added a commit to YvCeung/incubator-seata that referenced this pull request Dec 25, 2025
Development

Successfully merging this pull request may close these issues.

'server.http.filter.xss.keywords'. Expected a JSON array like ["<script>", "vbscript:"], but got: [<script>, </script>, javascript:, vbscript: