norman/api/writer/html.go

package writer

import (
	"encoding/json"
	"fmt"
	"strings"

	"github.com/rancher/norman/api/builtin"
	"github.com/rancher/norman/types"
)

const (
	JSURL          = "https://releases.rancher.com/api-ui/%API_UI_VERSION%/ui.min.js"
	CSSURL         = "https://releases.rancher.com/api-ui/%API_UI_VERSION%/ui.min.css"
	DefaultVersion = "1.1.11"
)

var (
	start = `
<!DOCTYPE html>
<!-- If you are reading this, there is a good chance you would prefer sending an
"Accept: application/json" header and receiving actual JSON responses. -->
<link rel="stylesheet" type="text/css" href="%CSSURL%" />
<script src="%JSURL%"></script>
<script>
var user = "admin";
var curlUser='${CATTLE_ACCESS_KEY}:${CATTLE_SECRET_KEY}';
var schemas=%SCHEMAS%;
var data =
`
	end = []byte(`</script>
`)
)

type StringGetter func() string

type HTMLResponseWriter struct {
	EncodingResponseWriter
	CSSURL       StringGetter
	JSURL        StringGetter
	APIUIVersion StringGetter
}

func (h *HTMLResponseWriter) start(apiContext *types.APIContext, code int, obj interface{}) {
	_ = AddCommonResponseHeader(apiContext)
	apiContext.Response.Header().Set("content-type", "text/html")
	apiContext.Response.Header().Set("X-Frame-Options", "SAMEORIGIN")
	apiContext.Response.WriteHeader(code)
}

func (h *HTMLResponseWriter) Write(apiContext *types.APIContext, code int, obj interface{}) {
	h.start(apiContext, code, obj)
	schemaSchema := apiContext.Schemas.Schema(&builtin.Version, "schema")
	headerString := start
	if schemaSchema != nil {
		headerString = strings.Replace(headerString, "%SCHEMAS%", jsonEncodeURL(apiContext.URLBuilder.Collection(schemaSchema, apiContext.Version)), 1)
	}
	var jsurl, cssurl string
	if h.CSSURL != nil && h.JSURL != nil && h.CSSURL() != "" && h.JSURL() != "" {
		jsurl = h.JSURL()
		cssurl = h.CSSURL()
	} else if h.APIUIVersion != nil && h.APIUIVersion() != "" {
		jsurl = strings.Replace(JSURL, "%API_UI_VERSION%", h.APIUIVersion(), 1)
		cssurl = strings.Replace(CSSURL, "%API_UI_VERSION%", h.APIUIVersion(), 1)
	} else {
		jsurl = strings.Replace(JSURL, "%API_UI_VERSION%", DefaultVersion, 1)
		cssurl = strings.Replace(CSSURL, "%API_UI_VERSION%", DefaultVersion, 1)
	}

	// jsurl and cssurl are added to the document as attributes not entities which requires special encoding.
	jsurl, _ = encodeAttribute(jsurl)
	cssurl, _ = encodeAttribute(cssurl)

	headerString = strings.Replace(headerString, "%JSURL%", jsurl, 1)
	headerString = strings.Replace(headerString, "%CSSURL%", cssurl, 1)

	_, _ = apiContext.Response.Write([]byte(headerString))
	_ = h.Body(apiContext, apiContext.Response, obj)
	if schemaSchema != nil {
		_, _ = apiContext.Response.Write(end)
	}
}

func jsonEncodeURL(str string) string {
	data, _ := json.Marshal(str)
	return string(data)
}

// encodeAttribute encodes all characters with the HTML Entity &#xHH; format, including spaces, where HH represents the hexadecimal value of the character in Unicode.
// For example, A becomes &#x41;. All alphanumeric characters (letters A to Z, a to z, and digits 0 to 9) remain unencoded.
// more info: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-rules-summary
func encodeAttribute(raw string) (string, error) {
	var builder strings.Builder
	for _, r := range raw {
		if ('A' <= r && r <= 'Z') || ('a' <= r && r <= 'z') || ('0' <= r && r <= '9') {
			_, err := builder.WriteRune(r)
			if err != nil {
				return "", fmt.Errorf("failed to write: %w", err)
			}
		} else {
			// encode non-alphanumeric rune to hex.
			_, err := fmt.Fprintf(&builder, "&#x%X;", r)
			if err != nil {
				return "", fmt.Errorf("failed to write: %w", err)
			}
		}
	}
	return builder.String(), nil
}
More initial dev 2017-11-11 04:44:02 +00:00			`package writer`

			`import (`
JSON encode schemas URL passed to html template 2021-02-02 22:03:33 +00:00			`"encoding/json"`
[2.8] Fixes (#471) [v2.8.s3] Html escaping [2.8] Bump API-UI version --------- Co-authored-by: Kevin Joiner <10265309+KevinJoiner@users.noreply.github.com> Co-authored-by: pdellamore <pietro.dellamore@suse.com> 2024-02-05 15:46:41 +00:00			`"fmt"`
More initial dev 2017-11-11 04:44:02 +00:00			`"strings"`

Subcontext and mapping updates 2017-11-21 20:46:30 +00:00			`"github.com/rancher/norman/api/builtin"`
More initial dev 2017-11-11 04:44:02 +00:00			`"github.com/rancher/norman/types"`
			`)`

Dynamically response the JS and CSS of API UI 2018-10-27 04:57:54 +00:00			`const (`
			`JSURL = "https://releases.rancher.com/api-ui/%API_UI_VERSION%/ui.min.js"`
			`CSSURL = "https://releases.rancher.com/api-ui/%API_UI_VERSION%/ui.min.css"`
[2.8] Fixes (#471) [v2.8.s3] Html escaping [2.8] Bump API-UI version --------- Co-authored-by: Kevin Joiner <10265309+KevinJoiner@users.noreply.github.com> Co-authored-by: pdellamore <pietro.dellamore@suse.com> 2024-02-05 15:46:41 +00:00			`DefaultVersion = "1.1.11"`
Dynamically response the JS and CSS of API UI 2018-10-27 04:57:54 +00:00			`)`

More initial dev 2017-11-11 04:44:02 +00:00			`var (`
			start = `
			`<!DOCTYPE html>`
			`<!-- If you are reading this, there is a good chance you would prefer sending an`
			`"Accept: application/json" header and receiving actual JSON responses. -->`
Dynamically response the JS and CSS of API UI 2018-10-27 04:57:54 +00:00			`<link rel="stylesheet" type="text/css" href="%CSSURL%" />`
			`<script src="%JSURL%"></script>`
More initial dev 2017-11-11 04:44:02 +00:00			`<script>`
			`var user = "admin";`
			`var curlUser='${CATTLE_ACCESS_KEY}:${CATTLE_SECRET_KEY}';`
JSON encode schemas URL passed to html template 2021-02-02 22:03:33 +00:00			`var schemas=%SCHEMAS%;`
More initial dev 2017-11-11 04:44:02 +00:00			`var data =`
			`
			end = []byte(`</script>
			`)
			`)`

Dynamically response the JS and CSS of API UI 2018-10-27 04:57:54 +00:00			`type StringGetter func() string`

More initial dev 2017-11-11 04:44:02 +00:00			`type HTMLResponseWriter struct {`
add yaml support 2018-05-24 17:28:05 +00:00			`EncodingResponseWriter`
Dynamically response the JS and CSS of API UI 2018-10-27 04:57:54 +00:00			`CSSURL StringGetter`
			`JSURL StringGetter`
			`APIUIVersion StringGetter`
More initial dev 2017-11-11 04:44:02 +00:00			`}`

			`func (h HTMLResponseWriter) start(apiContext types.APIContext, code int, obj interface{}) {`
Fix golangci-lint issues As part of updating dapper files, golangci-lint was set to be used. This caused a lot of lint issues to crop up, which this fixes. 2022-07-11 22:38:47 +00:00			`_ = AddCommonResponseHeader(apiContext)`
More initial dev 2017-11-11 04:44:02 +00:00			`apiContext.Response.Header().Set("content-type", "text/html")`
Set x-frame-options to sameorigin 2021-04-23 00:08:42 +00:00			`apiContext.Response.Header().Set("X-Frame-Options", "SAMEORIGIN")`
More initial dev 2017-11-11 04:44:02 +00:00			`apiContext.Response.WriteHeader(code)`
			`}`

			`func (h HTMLResponseWriter) Write(apiContext types.APIContext, code int, obj interface{}) {`
			`h.start(apiContext, code, obj)`
Subcontext and mapping updates 2017-11-21 20:46:30 +00:00			`schemaSchema := apiContext.Schemas.Schema(&builtin.Version, "schema")`
Dynamically response the JS and CSS of API UI 2018-10-27 04:57:54 +00:00			`headerString := start`
More initial dev 2017-11-11 04:44:02 +00:00			`if schemaSchema != nil {`
JSON encode schemas URL passed to html template 2021-02-02 22:03:33 +00:00			`headerString = strings.Replace(headerString, "%SCHEMAS%", jsonEncodeURL(apiContext.URLBuilder.Collection(schemaSchema, apiContext.Version)), 1)`
More initial dev 2017-11-11 04:44:02 +00:00			`}`
Dynamically response the JS and CSS of API UI 2018-10-27 04:57:54 +00:00			`var jsurl, cssurl string`
			`if h.CSSURL != nil && h.JSURL != nil && h.CSSURL() != "" && h.JSURL() != "" {`
			`jsurl = h.JSURL()`
			`cssurl = h.CSSURL()`
			`} else if h.APIUIVersion != nil && h.APIUIVersion() != "" {`
			`jsurl = strings.Replace(JSURL, "%API_UI_VERSION%", h.APIUIVersion(), 1)`
			`cssurl = strings.Replace(CSSURL, "%API_UI_VERSION%", h.APIUIVersion(), 1)`
			`} else {`
			`jsurl = strings.Replace(JSURL, "%API_UI_VERSION%", DefaultVersion, 1)`
			`cssurl = strings.Replace(CSSURL, "%API_UI_VERSION%", DefaultVersion, 1)`
			`}`
[2.8] Fixes (#471) [v2.8.s3] Html escaping [2.8] Bump API-UI version --------- Co-authored-by: Kevin Joiner <10265309+KevinJoiner@users.noreply.github.com> Co-authored-by: pdellamore <pietro.dellamore@suse.com> 2024-02-05 15:46:41 +00:00
			`// jsurl and cssurl are added to the document as attributes not entities which requires special encoding.`
			`jsurl, _ = encodeAttribute(jsurl)`
			`cssurl, _ = encodeAttribute(cssurl)`

Dynamically response the JS and CSS of API UI 2018-10-27 04:57:54 +00:00			`headerString = strings.Replace(headerString, "%JSURL%", jsurl, 1)`
			`headerString = strings.Replace(headerString, "%CSSURL%", cssurl, 1)`

Fix golangci-lint issues As part of updating dapper files, golangci-lint was set to be used. This caused a lot of lint issues to crop up, which this fixes. 2022-07-11 22:38:47 +00:00			`_, _ = apiContext.Response.Write([]byte(headerString))`
			`_ = h.Body(apiContext, apiContext.Response, obj)`
More initial dev 2017-11-11 04:44:02 +00:00			`if schemaSchema != nil {`
Fix golangci-lint issues As part of updating dapper files, golangci-lint was set to be used. This caused a lot of lint issues to crop up, which this fixes. 2022-07-11 22:38:47 +00:00			`_, _ = apiContext.Response.Write(end)`
More initial dev 2017-11-11 04:44:02 +00:00			`}`
			`}`
JSON encode schemas URL passed to html template 2021-02-02 22:03:33 +00:00
			`func jsonEncodeURL(str string) string {`
			`data, _ := json.Marshal(str)`
			`return string(data)`
			`}`
[2.8] Fixes (#471) [v2.8.s3] Html escaping [2.8] Bump API-UI version --------- Co-authored-by: Kevin Joiner <10265309+KevinJoiner@users.noreply.github.com> Co-authored-by: pdellamore <pietro.dellamore@suse.com> 2024-02-05 15:46:41 +00:00
			`// encodeAttribute encodes all characters with the HTML Entity &#xHH; format, including spaces, where HH represents the hexadecimal value of the character in Unicode.`
			`// For example, A becomes A. All alphanumeric characters (letters A to Z, a to z, and digits 0 to 9) remain unencoded.`
			`// more info: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-rules-summary`
			`func encodeAttribute(raw string) (string, error) {`
			`var builder strings.Builder`
			`for _, r := range raw {`
			`if ('A' <= r && r <= 'Z') \|\| ('a' <= r && r <= 'z') \|\| ('0' <= r && r <= '9') {`
			`_, err := builder.WriteRune(r)`
			`if err != nil {`
			`return "", fmt.Errorf("failed to write: %w", err)`
			`}`
			`} else {`
			`// encode non-alphanumeric rune to hex.`
			`_, err := fmt.Fprintf(&builder, "&#x%X;", r)`
			`if err != nil {`
			`return "", fmt.Errorf("failed to write: %w", err)`
			`}`
			`}`
			`}`
			`return builder.String(), nil`
			`}`