From 4b1d9e736849b017f5de1976a13039feb64c80bd Mon Sep 17 00:00:00 2001
From: Dominik Riemer <dominik.riemer@gmail.com>
Date: Fri, 28 Jun 2024 20:20:44 +0200
Subject: [PATCH] fix(#2971): Improve token generation and URL-enode tokens
 (#2972)

---
 .../mail/template/AbstractMailTemplate.java          |  7 +++++++
 .../template/AccountActiviationMailTemplate.java     |  2 +-
 .../mail/template/PasswordRecoveryMailTemplate.java  |  2 +-
 .../user/management/util/SecureStringGenerator.java  | 12 ++++++++++++
 4 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/streampipes-mail/src/main/java/org/apache/streampipes/mail/template/AbstractMailTemplate.java b/streampipes-mail/src/main/java/org/apache/streampipes/mail/template/AbstractMailTemplate.java
index d9f58e00f7..1b7d140952 100644
--- a/streampipes-mail/src/main/java/org/apache/streampipes/mail/template/AbstractMailTemplate.java
+++ b/streampipes-mail/src/main/java/org/apache/streampipes/mail/template/AbstractMailTemplate.java
@@ -23,7 +23,10 @@
 import org.apache.streampipes.mail.template.part.LogoPart;
 import org.apache.streampipes.storage.management.StorageDispatcher;
 
+import com.google.common.base.Charsets;
+
 import java.io.IOException;
+import java.net.URLEncoder;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -58,4 +61,8 @@ public String generateTemplate() throws IOException {
     configureTemplate(builder);
     return builder.generateHtmlTemplate();
   }
+
+  protected String encodeUrlPart(String content) {
+    return URLEncoder.encode(content, Charsets.UTF_8);
+  }
 }
diff --git a/streampipes-mail/src/main/java/org/apache/streampipes/mail/template/AccountActiviationMailTemplate.java b/streampipes-mail/src/main/java/org/apache/streampipes/mail/template/AccountActiviationMailTemplate.java
index c9c204559e..945b9fb174 100644
--- a/streampipes-mail/src/main/java/org/apache/streampipes/mail/template/AccountActiviationMailTemplate.java
+++ b/streampipes-mail/src/main/java/org/apache/streampipes/mail/template/AccountActiviationMailTemplate.java
@@ -60,6 +60,6 @@ protected void configureTemplate(MailTemplateBuilder builder) {
   }
 
   private String makeLink() {
-    return new LinkPart("/#/activate-account?activationCode=" + this.activationCode).generate();
+    return new LinkPart("/#/activate-account?activationCode=" + encodeUrlPart(this.activationCode)).generate();
   }
 }
diff --git a/streampipes-mail/src/main/java/org/apache/streampipes/mail/template/PasswordRecoveryMailTemplate.java b/streampipes-mail/src/main/java/org/apache/streampipes/mail/template/PasswordRecoveryMailTemplate.java
index da1d0aa093..190cced8d1 100644
--- a/streampipes-mail/src/main/java/org/apache/streampipes/mail/template/PasswordRecoveryMailTemplate.java
+++ b/streampipes-mail/src/main/java/org/apache/streampipes/mail/template/PasswordRecoveryMailTemplate.java
@@ -60,6 +60,6 @@ protected void configureTemplate(MailTemplateBuilder builder) {
   }
 
   private String makeLink() {
-    return new LinkPart("/#/set-new-password?recoveryCode=" + this.recoveryCode).generate();
+    return new LinkPart("/#/set-new-password?recoveryCode=" + encodeUrlPart(this.recoveryCode)).generate();
   }
 }
diff --git a/streampipes-user-management/src/main/java/org/apache/streampipes/user/management/util/SecureStringGenerator.java b/streampipes-user-management/src/main/java/org/apache/streampipes/user/management/util/SecureStringGenerator.java
index 046f0da2b0..313e694f50 100644
--- a/streampipes-user-management/src/main/java/org/apache/streampipes/user/management/util/SecureStringGenerator.java
+++ b/streampipes-user-management/src/main/java/org/apache/streampipes/user/management/util/SecureStringGenerator.java
@@ -18,16 +18,28 @@
 
 package org.apache.streampipes.user.management.util;
 
+import org.apache.commons.text.CharacterPredicate;
 import org.apache.commons.text.RandomStringGenerator;
 
 import java.security.SecureRandom;
 
 public class SecureStringGenerator {
   public String generateSecureString(int length) {
+    // filter for characters allowed in URLs
+    CharacterPredicate includeChars = ch -> (
+        (ch >= 'a' && ch <= 'z')
+            || (ch >= 'A' && ch <= 'Z')
+            || (ch >= '0' && ch <= '9')
+            || ch == '-' || ch == '_' || ch == '.'
+            || ch == '!' || ch == '*' || ch == '(' || ch == ')'
+            || ch == ':' || ch == '@' || ch == '='
+            || ch == '+' || ch == '$' || ch == ','
+    );
     // allowing all ASCII-characters from decimal id 33 to 125
     // see https://www.cs.cmu.edu/~pattis/15-1XX/common/handouts/ascii.html for full list
     var pwdGenerator = new RandomStringGenerator.Builder().usingRandom(new SecureRandom()::nextInt)
         .withinRange(33, 125)
+        .filteredBy(includeChars)
         .build();
     return pwdGenerator.generate(length);
   }