Moderate severity · NVD Advisory · Published Apr 18, 2023 · Updated Feb 5, 2025

Cross-site scripting (XSS) in xwiki-platform

CVE-2023-29515

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can create a space can become admin of that space through App Within Minutes. The admin right implies the script right and thus allows JavaScript injection. The vulnerability can be exploited by creating an app in App Within Minutes. If the button should be disabled because the user doesn't have global edit right, the app can also be created by directly opening /xwiki/bin/view/AppWithinMinutes/CreateApplication?wizard=true on the XWiki installation. This has been patched in XWiki 13.10.11, 14.4.8, 14.10.1 and 15.0 RC1 by not granting the space admin right if the user doesn't have script right on the space where the app is created. Error messages are displayed to warn the user that the app will be broken in this case. Users who became space admin through this vulnerability won't lose the space admin right due to the fix, so it is advised to check if all users who created AWM apps should keep their space admin rights. Users are advised to upgrade. There are no known workarounds for this vulnerability.
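The advisory says the fix does not revoke admin rights already granted by App Within Minutes, and asks administrators to review which users kept them. The script below is an added example (not code from XWiki or from this advisory) of such a review: it parses an exported WebPreferences page, picks out XWiki.XWikiGlobalRights objects that allow the admin level to named users, and reports those users who are not in a supplied list of script-right holders. The XAR document layout (xwikidoc root, object elements with className and property children) and the sample page are assumptions constructed for the example; the set of users holding script right would in practice come from the wiki's own XWikiPreferences rights.

```python
"""Audit an exported XWiki WebPreferences page for user-level space admin grants.

Added example, not XWiki project code. Assumes the XAR document XML layout
(<xwikidoc> root, <object> elements with <className> and <property> children)
and constructs its own sample input.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a WebPreferences page as it might look after an AWM app
# granted space admin. Object 0 grants admin to two users, object 1 to a group.
SAMPLE_WEBPREFERENCES_XML = """<?xml version="1.0" encoding="UTF-8"?>
<xwikidoc version="1.3">
  <web>MyApp</web>
  <name>WebPreferences</name>
  <object>
    <name>MyApp.WebPreferences</name>
    <number>0</number>
    <className>XWiki.XWikiGlobalRights</className>
    <property><allow>1</allow></property>
    <property><groups></groups></property>
    <property><levels>admin</levels></property>
    <property><users>XWiki.Alice,XWiki.Bob</users></property>
  </object>
  <object>
    <name>MyApp.WebPreferences</name>
    <number>1</number>
    <className>XWiki.XWikiGlobalRights</className>
    <property><allow>1</allow></property>
    <property><groups>XWiki.XWikiAdminGroup</groups></property>
    <property><levels>admin</levels></property>
    <property><users></users></property>
  </object>
</xwikidoc>
"""


def _prop(obj, name):
    """Text of the <property><name>...</name></property> child, or '' if absent."""
    el = obj.find(f"property/{name}")
    return (el.text or "").strip() if el is not None else ""


def find_user_admin_grants(xml_text):
    """Return (space, users) for XWikiGlobalRights objects allowing 'admin' to named users.

    Group grants are ignored: the advisory concerns individual app creators.
    """
    root = ET.fromstring(xml_text)
    space = (root.findtext("web") or "").strip()
    users = []
    for obj in root.findall("object"):
        if (obj.findtext("className") or "").strip() != "XWiki.XWikiGlobalRights":
            continue
        if _prop(obj, "allow") != "1":  # deny objects are not grants
            continue
        levels = {lvl.strip() for lvl in _prop(obj, "levels").split(",") if lvl.strip()}
        if "admin" not in levels:
            continue
        users.extend(u.strip() for u in _prop(obj, "users").split(",") if u.strip())
    return space, users


def review_needed(xml_text, users_with_script_right):
    """Users holding space admin through a user-level grant but lacking script right."""
    space, users = find_user_admin_grants(xml_text)
    return space, sorted(set(users) - set(users_with_script_right))


if __name__ == "__main__":
    # Constructed list of users known to hold script right on the wiki.
    space, flagged = review_needed(SAMPLE_WEBPREFERENCES_XML, {"XWiki.Alice"})
    for user in flagged:
        print(f"{space}: review admin grant to {user} (no script right)")
```

Running it over the constructed sample flags only XWiki.Bob: Alice is in the script-right list, and the group grant is left alone because the advisory's concern is users who obtained admin by creating an app.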

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched versions
org.xwiki.platform:xwiki-platform-appwithinminutes | Maven | >= 4.0-milestone-2, < 4.2-milestone-1 | 4.2-milestone-1
org.xwiki.platform:xwiki-platform-appwithinminutes-ui | Maven | >= 4.2-milestone-1, < 13.10.11 | 13.10.11
org.xwiki.platform:xwiki-platform-appwithinminutes-ui | Maven | >= 14.0-rc-1, < 14.4.8 | 14.4.8
org.xwiki.platform:xwiki-platform-appwithinminutes-ui | Maven | >= 14.5, < 14.10.1 | 14.10.1


Patches (1)

e73b890623ef

XWIKI-20190: Properly handle AWM creation without script right

https://github.com/xwiki/xwiki-platform · Michael Hamann · Dec 1, 2022 · via ghsa
8 files changed · +127 −5
  • xwiki-platform-core/xwiki-platform-appwithinminutes/xwiki-platform-appwithinminutes-test/xwiki-platform-appwithinminutes-test-docker/src/test/it/org/xwiki/appwithinminutes/test/ui/AllITs.java+6 0 modified
    @@ -85,4 +85,10 @@ class NestedUserClassFieldIT extends UserClassFieldIT
         class NestedClassEditorIT extends ClassEditorIT
         {
         }
    +
    +    @Nested
    +    @DisplayName("Without script right test")
    +    class NestedWithoutScriptRightIT extends WithoutScriptRightIT
    +    {
    +    }
     }
    
  • xwiki-platform-core/xwiki-platform-appwithinminutes/xwiki-platform-appwithinminutes-test/xwiki-platform-appwithinminutes-test-docker/src/test/it/org/xwiki/appwithinminutes/test/ui/AppsLiveTableIT.java+4 0 modified
    @@ -58,6 +58,9 @@ class AppsLiveTableIT
         @BeforeAll
         public void setupClass(TestUtils testUtils)
         {
    +        testUtils.loginAsSuperAdmin();
    +        // The application creator needs script rights in order to execute the scripts generated by the wizard.
    +        testUtils.setGlobalRights("", "XWiki." + USERNAME, "script", true);
             testUtils.createUserAndLogin(USERNAME, PASSWORD);
         }
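Review bot: the three added lines grant the test user global script right (via setGlobalRights on the main wiki) before createUserAndLogin creates it, so this class keeps exercising the pre-fix, script-right path while the new WithoutScriptRightIT covers the other one; the comment should say that split explicitly, and that the grant is made as superadmin and persists for the rest of the class, so a reader does not mistake it for an incidental setup detail.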
     
    @@ -179,6 +182,7 @@ void testActionRights(TestUtils testUtils, TestReference testReference)
                 assertTrue(appsLiveTable.canEditApplication(appName));
                 assertFalse(appsLiveTable.canDeleteApplication(appName));
             } finally {
    +            testUtils.loginAsSuperAdmin();
                 // We don't want to keep the rights
                 testUtils.deletePage(xwikiPreferences);
             }
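Review bot: the loginAsSuperAdmin() added to the finally block is needed because, after the rights manipulation in this test, the logged-in test user may no longer be allowed to delete xwikiPreferences; the existing comment only says the rights are not wanted, so add a few words on why the re-login is required, otherwise it looks redundant and is likely to be removed in a later cleanup.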
    
  • xwiki-platform-core/xwiki-platform-appwithinminutes/xwiki-platform-appwithinminutes-test/xwiki-platform-appwithinminutes-test-docker/src/test/it/org/xwiki/appwithinminutes/test/ui/WithoutScriptRightIT.java+96 0 added
    @@ -0,0 +1,96 @@
    +/*
    + * See the NOTICE file distributed with this work for additional
    + * information regarding copyright ownership.
    + *
    + * This is free software; you can redistribute it and/or modify it
    + * under the terms of the GNU Lesser General Public License as
    + * published by the Free Software Foundation; either version 2.1 of
    + * the License, or (at your option) any later version.
    + *
    + * This software is distributed in the hope that it will be useful,
    + * but WITHOUT ANY WARRANTY; without even the implied warranty of
    + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
    + * Lesser General Public License for more details.
    + *
    + * You should have received a copy of the GNU Lesser General Public
    + * License along with this software; if not, write to the Free
    + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
    + * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
    + */
    +package org.xwiki.appwithinminutes.test.ui;
    +
    +import org.junit.jupiter.api.BeforeAll;
    +import org.junit.jupiter.api.Order;
    +import org.junit.jupiter.api.Test;
    +import org.xwiki.appwithinminutes.test.po.AppWithinMinutesHomePage;
    +import org.xwiki.appwithinminutes.test.po.ApplicationClassEditPage;
    +import org.xwiki.appwithinminutes.test.po.ApplicationCreatePage;
    +import org.xwiki.appwithinminutes.test.po.ApplicationHomeEditPage;
    +import org.xwiki.appwithinminutes.test.po.ApplicationHomePage;
    +import org.xwiki.appwithinminutes.test.po.ApplicationsLiveTableElement;
    +import org.xwiki.appwithinminutes.test.po.EntryEditPage;
    +import org.xwiki.appwithinminutes.test.po.EntryNamePane;
    +import org.xwiki.test.docker.junit5.TestReference;
    +import org.xwiki.test.docker.junit5.UITest;
    +import org.xwiki.test.ui.TestUtils;
    +
    +import static org.junit.jupiter.api.Assertions.assertFalse;
    +import static org.junit.jupiter.api.Assertions.assertTrue;
    +
    +/**
    + * Tests AWM without script right.
    + *
    + * @version $Id$
    + * @since 13.10.11
    + * @since 14.4.8
    + * @since 14.10.1
    + * @since 15.0RC1
    + */
    +@UITest
    +class WithoutScriptRightIT
    +{
    +    private static final String USER_NAME = "NoScript";
    +
    +    private static final String PASSWORD = "password";
    +
    +    private static final String NO_SCRIPT_ERROR = "You don't have the script right which is necessary to create or "
    +        + "edit an application. The application might not work correctly when you continue.";
    +
    +    @BeforeAll
    +    static void beforeAll(TestUtils testUtils)
    +    {
    +        testUtils.loginAsSuperAdmin();
    +        testUtils.createUserAndLogin(USER_NAME, PASSWORD, "");
    +    }
    +
    +    @Order(1)
    +    @Test
    +    void createApplicationWithoutScriptRight(TestReference testReference)
    +    {
    +        ApplicationCreatePage appCreatePage = AppWithinMinutesHomePage.gotoPage().clickCreateApplication();
    +        String appName = testReference.getLastSpaceReference().getName();
    +        appCreatePage.setApplicationName(appName);
    +        appCreatePage.waitForApplicationNamePreview();
    +        assertTrue(appCreatePage.getContent().contains(NO_SCRIPT_ERROR));
    +
    +        ApplicationClassEditPage classEditPage = appCreatePage.clickNextStep();
    +        classEditPage.addField("Short Text");
    +        ApplicationHomeEditPage applicationHomeEditPage = classEditPage.clickNextStep().clickNextStep();
    +        assertTrue(applicationHomeEditPage.getContent().contains(NO_SCRIPT_ERROR));
    +
    +        ApplicationHomePage applicationHomePage = applicationHomeEditPage.clickFinish();
    +        // TODO: change to assert rendering errors when https://jira.xwiki.org/browse/XWIKI-20423 has been fixed.
    +        assertTrue(applicationHomePage.hasEntriesLiveTable());
    +
    +        EntryNamePane entryNamePane = applicationHomePage.clickAddNewEntry();
    +        entryNamePane.setName("Test entry");
    +        EntryEditPage editPage = entryNamePane.clickAdd();
    +        // The edit form doesn't work without script right.
    +        assertTrue(editPage.hasRenderingError());
    +
    +        // Without script right, no delete is available.
    +        ApplicationsLiveTableElement liveTable = AppWithinMinutesHomePage.gotoPage().getAppsLiveTable();
    +        assertTrue(liveTable.isApplicationListed(appName));
    +        assertFalse(liveTable.canDeleteApplication(appName));
    +    }
    +}
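Review bot: createApplicationWithoutScriptRight asserts the warning text, a rendering error on the entry edit form and the missing delete action, but never checks the property the fix is about: that no XWiki.XWikiGlobalRights object granting admin to NoScript was written to the application space's WebPreferences. Add an explicit assertion on that page (logging in as superadmin through testUtils to read it) so that a regression in the LiveTableEditSheet condition is caught even when the UI messages still render. A second point: NO_SCRIPT_ERROR duplicates the string from Translations.xml verbatim, so any rewording of that translation silently breaks this test; matching on a stable fragment or loading the message from the translation would be more robust.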
    
  • xwiki-platform-core/xwiki-platform-appwithinminutes/xwiki-platform-appwithinminutes-test/xwiki-platform-appwithinminutes-test-docker/src/test/it/org/xwiki/appwithinminutes/test/ui/WizardIT.java+2 4 modified
    @@ -344,10 +344,8 @@ void goBackToFirstStep(TestUtils testUtils, TestReference testReference)
     
         private ApplicationCreatePage goToAppCreatePage(TestUtils testUtils, TestReference testReference)
         {
    -        // Register a simple user, login and go to the App Within Minutes home page.
    -        String userName = "SimpleUser";
    -        String password = "SimplePassword";
    -        testUtils.createUserAndLogin(userName, password);
    +        // Login and go to the App Within Minutes home page.
    +        testUtils.login(USER_NAME, PASSWORD);
             // Make sure the application location exists so that we can select it with the location picker.
             testUtils.createPage(Arrays.asList(getClass().getSimpleName(), testReference.getLastSpaceReference().getName()),
                 "WebHome", null, null);
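Review bot: the replacement `testUtils.login(USER_NAME, PASSWORD);` depends on USER_NAME and PASSWORD constants and on that user already existing with script right, none of which is visible in this hunk; confirm that the class's setup creates the user and grants script right the way AppsLiveTableIT now does, otherwise the wizard tests will hit the new no-script warning and no longer exercise the path they did before.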
    
  • xwiki-platform-core/xwiki-platform-appwithinminutes/xwiki-platform-appwithinminutes-ui/pom.xml+6 0 modified
    @@ -119,6 +119,12 @@
           <version>${rendering.version}</version>
           <scope>runtime</scope>
         </dependency>
    +    <dependency>
    +      <groupId>org.xwiki.rendering</groupId>
    +      <artifactId>xwiki-rendering-macro-message</artifactId>
    +      <version>${rendering.version}</version>
    +      <scope>runtime</scope>
    +    </dependency>
         <!-- Used to implement drag & drop in the "Structure" (class definition) and  "Presentation" (home page) steps. -->
         <dependency>
           <groupId>org.webjars</groupId>
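Review bot: the new runtime dependency on xwiki-rendering-macro-message is what makes the {{error}} macro used in LiveTableEditSheet.xml resolvable at runtime; add a one-line XML comment saying so, like the existing comment above the webjars dependency, so the reason for the dependency survives the next pom cleanup.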
    
  • xwiki-platform-core/xwiki-platform-appwithinminutes/xwiki-platform-appwithinminutes-ui/src/main/resources/AppWithinMinutes/CreateApplication.xml+5 0 modified
    @@ -143,6 +143,11 @@
             $services.localization.render('platform.appwithinminutes.appNameIsUsedWarning')
           &lt;/div&gt;
         #end
    +    #if (!$services.security.authorization.hasAccess('script', $xcontext.userReference, $appHomeRef))
    +      &lt;div class="box errormessage"&gt;
    +        $escapetool.xml($services.localization.render('platform.appwithinminutes.appHomePageNoScriptRight'))
    +      &lt;/div&gt;
    +    #end
       #end
     #end
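Review bot: the new message is wrapped in $escapetool.xml(...) while the existing appNameIsUsedWarning rendered just above it is emitted unescaped; escaping the new one is the right choice, and the older one would benefit from the same treatment for consistency. Note also that this block only warns: nothing here stops the wizard from continuing, so the actual enforcement is the changed grant condition in LiveTableEditSheet.xml, which is worth stating in a Velocity comment next to the check.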
     
    
  • xwiki-platform-core/xwiki-platform-appwithinminutes/xwiki-platform-appwithinminutes-ui/src/main/resources/AppWithinMinutes/LiveTableEditSheet.xml+7 1 modified
    @@ -231,7 +231,9 @@
       ## Grant space administration rights only if the space is new. Don't overwrite existing space preferences.
       #set ($spaceHomeRef = $services.model.resolveDocument('', 'default', $spaceRef))
       #set ($spacePrefsRef = $services.model.resolveDocument('WebPreferences', 'explicit', $spaceRef))
    -  #if (!$xwiki.exists($spaceHomeRef) &amp;&amp; !$xwiki.exists($spacePrefsRef))
    +  ## Verify that the current user has script right on the current space home.
    +  #set ($hasScript = $services.security.authorization.hasAccess('script',  $xcontext.userReference, $spaceHomeRef))
    +  #if ($hasScript &amp;&amp; !$xwiki.exists($spaceHomeRef) &amp;&amp; !$xwiki.exists($spacePrefsRef))
         #set ($spacePrefsDoc = $xwiki.getDocument($spacePrefsRef))
         #set ($discard = $spacePrefsDoc.use($spacePrefsDoc.getObject('XWiki.XWikiGlobalRights', true)))
         #set ($discard = $spacePrefsDoc.set('allow', 1))
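Review bot: this hunk is the actual fix: the admin grant on the new space's WebPreferences is now gated on $hasScript, evaluated for $xcontext.userReference against $spaceHomeRef. Two points: there is a stray double space in `hasAccess('script',  $xcontext.userReference, $spaceHomeRef)`; and when $hasScript is false the app is still created, just without the grant, while grants written by earlier versions of this sheet are left untouched (the advisory states the fix does not revoke them), so a comment noting that existing grants are intentionally not cleaned up here would help anyone auditing space rights after upgrading.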
    @@ -353,6 +355,10 @@
     {{/velocity}}
     
     {{velocity}}
    +#if (!$services.security.authorization.hasAccess('script', $xcontext.userReference, $doc.documentReference))
    +  {{error}}{{translation key="platform.appwithinminutes.appHomePageNoScriptRight" /}}{{/error}}
    +
    +#end
     #if ("$!request.wizard" == 'true')
       {{include reference="AppWithinMinutes.WizardStep" /}}
     #end
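Review bot: the check in this hunk uses $doc.documentReference, whereas the grant condition earlier in the same sheet uses $spaceHomeRef resolved from $spaceRef; when the sheet is applied to the application home page these should name the same document, but if they can ever differ the warning and the grant would disagree. Confirm that, and consider computing one reference and using it for both checks.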
    
  • xwiki-platform-core/xwiki-platform-appwithinminutes/xwiki-platform-appwithinminutes-ui/src/main/resources/AppWithinMinutes/Translations.xml+1 0 modified
    @@ -210,6 +210,7 @@ platform.appwithinminutes.appHomePageEditAppLabel=Edit application
     platform.appwithinminutes.appHomePageTranslateAppLabel=Translate application
     platform.appwithinminutes.appHomePageDeleteAppLabel=Delete application
     platform.appwithinminutes.appHomePageMovedWarning=The application might not function correctly because it has been renamed or moved without updating the code. Please edit the application and follow the steps in order to update the code.
    +platform.appwithinminutes.appHomePageNoScriptRight=You don't have the script right which is necessary to create or edit an application. The application might not work correctly when you continue.
     AppWithinMinutes.LiveTableClass_description=Description
     AppWithinMinutes.LiveTableClass_columns=Live Table Columns
     
    

