XWIKI-23433: Provide frontend check of links (#4645)

  * Add new properties to enable or not frontend link checks and
    whitelist of links
  * Provide script services to access the data from the configuration
  * Add new mechanism allowing to check links when clicking on them
    based on the configuration
  * Apply suggestions from code review
  * Fix naming of allowed urls
  * Provide integration test
  * Add proper since information

---------

Co-authored-by: Michael Hamann <michael.hamann@xwiki.com>
Co-authored-by: Manuel Leduc <manuel.leduc@xwiki.com>
(cherry picked from commit 7b5a4f8)

Author: 3 people

xwiki-platform-core/xwiki-platform-flamingo/xwiki-platform-flamingo-skin/xwiki-platform-flamingo-skin-resources/src/main/resources/flamingo/javascript.vm

@@ -299,6 +299,15 @@ $xwiki.jsfx.use("flamingo$jsExtension", {'forceSkinAction' : true, 'language' :
     'wysiwyg': true
   })##
 #end
+#if ($services.security.url.isFrontendUrlCheckEnabled())
+<script type="application/json" id="trusted-domains-configuration">
+{
+  "trustedDomains": $jsontool.serialize($services.security.url.getTrustedDomains()),
+  "allowedUrls": $jsontool.serialize($services.security.url.getAllowedFrontendUrls())
+}
+</script>
+  $xwiki.jsfx.use('uicomponents/link/link-protection.js')##
+#end
 ##
 ## Hooks for inserting JavaScript skin extensions
 ##

xwiki-platform-core/xwiki-platform-flamingo/xwiki-platform-flamingo-skin/xwiki-platform-flamingo-skin-test/xwiki-platform-flamingo-skin-test-docker/src/test/it/org/xwiki/flamingo/test/docker/NavigationIT.java

@@ -27,6 +27,9 @@
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Order;
 import org.junit.jupiter.api.Test;
+import org.openqa.selenium.Alert;
+import org.openqa.selenium.By;
+import org.openqa.selenium.NoAlertPresentException;
 import org.xwiki.administration.test.po.AdministrationPage;
 import org.xwiki.flamingo.skin.test.po.AttachmentsPane;
 import org.xwiki.flamingo.skin.test.po.AttachmentsViewPage;
@@ -35,6 +38,7 @@
 import org.xwiki.test.docker.junit5.TestReference;
 import org.xwiki.test.docker.junit5.UITest;
 import org.xwiki.test.ui.TestUtils;
+import org.xwiki.test.ui.XWikiWebDriver;
 import org.xwiki.test.ui.po.CommentsTab;
 import org.xwiki.test.ui.po.HistoryPane;
 import org.xwiki.test.ui.po.InformationPane;
@@ -43,14 +47,18 @@
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
 
 /**
  * Tests related to navigation in the wiki.
  * 
  * @since 11.10
  * @version $Id$
  */
-@UITest
+@UITest(properties = {
+    "xwikiPropertiesAdditionalProperties=url.trustedDomains=www.xwiki.org,extensions.xwiki.org\n"
+        + "url.allowedFrontendUrls=https://github.com/xwiki/xwiki-platform,https://github.com/xwiki/"
+})
 public class NavigationIT
 {
     @BeforeAll
@@ -206,4 +214,87 @@ public void simpleBinUrlDoesNotThrowException(TestUtils testUtils)
         ViewPage viewPage = new ViewPage();
         assertEquals("XWiki - Main - Main", viewPage.getPageTitle());
     }
+
+    @Order(5)
+    @Test
+    void navigationToExternalPages(TestUtils testUtils, TestReference testReference) throws Exception
+    {
+        String pageContent = """
+            [[Internal link>>doc:Navigation.Test]]
+            [[Google external>>https://www.google.com]]
+            [[XWiki.org external>>https://www.xwiki.org]]
+            [[Contrib xwiki>>https://contrib.xwiki.org]]
+            [[Extensions xwiki>>https://extensions.xwiki.org]]
+            [[Specific extensions pages>>https://extensions.xwiki.org/bin/view/WebHome]]
+            [[Github commons>>https://github.com/xwiki/xwiki-commons]]
+            [[Github XWiki>>https://github.com/xwiki/]]
+            [[Github platform>>https://github.com/xwiki/xwiki-platform]]
+            """;
+        testUtils.rest().savePage(testReference, pageContent, "Test link navigation");
+        testUtils.rest().savePage(new DocumentReference("xwiki", "Navigation", "Test"), "Test navigation internal "
+            + "link", "Navigation test page");
+
+        XWikiWebDriver driver = testUtils.getDriver();
+        testUtils.gotoPage(testReference);
+        driver.findElementWithoutWaiting(By.linkText("Google external")).click();
+        Alert alert = driver.switchTo().alert();
+        assertEquals("You are about to leave the domain \"host.testcontainers.internal\" to follow a link "
+            + "to \"www.google.com\". Are you sure you want to continue?", alert.getText());
+        alert.dismiss();
+
+        driver.findElementWithoutWaiting(By.linkText("Internal link")).click();
+        ViewPage viewPage = new ViewPage();
+        assertEquals("Test navigation internal link", viewPage.getContent());
+
+        testUtils.gotoPage(testReference);
+        driver.findElementWithoutWaiting(By.linkText("XWiki.org external")).click();
+        try {
+            driver.switchTo().alert();
+            fail("No alert should be present");
+        } catch (NoAlertPresentException e) {
+        }
+
+        testUtils.gotoPage(testReference);
+        driver.findElementWithoutWaiting(By.linkText("Contrib xwiki")).click();
+        alert = driver.switchTo().alert();
+        assertEquals("You are about to leave the domain \"host.testcontainers.internal\" to follow a link "
+            + "to \"contrib.xwiki.org\". Are you sure you want to continue?", alert.getText());
+        alert.dismiss();
+
+        driver.findElementWithoutWaiting(By.linkText("Extensions xwiki")).click();
+        try {
+            driver.switchTo().alert();
+            fail("No alert should be present");
+        } catch (NoAlertPresentException e) {
+        }
+
+        testUtils.gotoPage(testReference);
+        driver.findElementWithoutWaiting(By.linkText("Specific extensions pages")).click();
+        try {
+            driver.switchTo().alert();
+            fail("No alert should be present");
+        } catch (NoAlertPresentException e) {
+        }
+
+        testUtils.gotoPage(testReference);
+        driver.findElementWithoutWaiting(By.linkText("Github commons")).click();
+        assertEquals("You are about to leave the domain \"host.testcontainers.internal\" to follow a link "
+            + "to \"github.com\". Are you sure you want to continue?", alert.getText());
+        alert.dismiss();
+
+        driver.findElementWithoutWaiting(By.linkText("Github XWiki")).click();
+        try {
+            driver.switchTo().alert();
+            fail("No alert should be present");
+        } catch (NoAlertPresentException e) {
+        }
+
+        testUtils.gotoPage(testReference);
+        driver.findElementWithoutWaiting(By.linkText("Github platform")).click();
+        try {
+            driver.switchTo().alert();
+            fail("No alert should be present");
+        } catch (NoAlertPresentException e) {
+        }
+    }
 }

xwiki-platform-core/xwiki-platform-url/xwiki-platform-url-api/src/main/java/org/xwiki/url/URLConfiguration.java

@@ -19,10 +19,10 @@
  */
 package org.xwiki.url;
 
-import java.util.Collections;
 import java.util.List;
 
 import org.xwiki.component.annotation.Role;
+import org.xwiki.stability.Unstable;
 
 /**
  * Configuration options for the URL module.
@@ -60,7 +60,7 @@ default boolean useResourceLastModificationDate()
      */
     default List<String> getTrustedDomains()
     {
-        return Collections.emptyList();
+        return List.of();
     }
 
     /**
@@ -88,4 +88,34 @@ default List<String> getTrustedSchemes()
     {
         return List.of("http", "https", "ftp");
     }
+
+    /**
+     * @return {@code true} if checks should be done in the frontend when clicking on a link to validate it's driving
+     * to an authorized domain. This is independent from {@link #isTrustedDomainsEnabled()} which aims at enabling
+     * checks server side only.
+     * @since 17.9.0RC1
+     * @since 17.4.6
+     * @since 16.10.13
+     */
+    @Unstable
+    default boolean isFrontendUrlCheckEnabled()
+    {
+        return true;
+    }
+
+    /**
+     * Define a list of allowed frontend URLs: in case the {@link #isFrontendUrlCheckEnabled()} is enabled, then
+     * this list can be used to allow specific URLs without asking confirmation from the user, while avoiding to add
+     * an entire domain in the list of trusted domains.
+     *
+     * @return the list of allowed frontend URLs
+     * @since 17.9.0RC1
+     * @since 17.4.6
+     * @since 16.10.13
+     */
+    @Unstable
+    default List<String> getAllowedFrontendUrls()
+    {
+        return List.of();
+    }
 }

xwiki-platform-core/xwiki-platform-url/xwiki-platform-url-api/src/main/java/org/xwiki/url/script/URLSecurityScriptService.java

@@ -21,6 +21,7 @@
 
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.util.List;
 
 import javax.inject.Inject;
 import javax.inject.Named;
@@ -29,6 +30,8 @@
 import org.slf4j.Logger;
 import org.xwiki.component.annotation.Component;
 import org.xwiki.script.service.ScriptService;
+import org.xwiki.stability.Unstable;
+import org.xwiki.url.URLConfiguration;
 import org.xwiki.url.URLSecurityManager;
 
 /**
@@ -46,6 +49,9 @@ public class URLSecurityScriptService implements ScriptService
     @Inject
     private URLSecurityManager urlSecurityManager;
 
+    @Inject
+    private URLConfiguration urlConfiguration;
+
     @Inject
     private Logger logger;
 
@@ -71,4 +77,40 @@ public URI parseToSafeURI(String uriRepresentation) throws URISyntaxException, S
             return null;
         }
     }
+
+    /**
+     * @return the list of trusted domains.
+     * @since 17.9.0RC1
+     * @since 17.4.6
+     * @since 16.10.13
+     */
+    @Unstable
+    public List<String> getTrustedDomains()
+    {
+        return this.urlConfiguration.getTrustedDomains();
+    }
+
+    /**
+     * @return {@code true} if the mechanism to enforce URLs check on frontend is enabled.
+     * @since 17.9.0RC1
+     * @since 17.4.6
+     * @since 16.10.13
+     */
+    @Unstable
+    public boolean isFrontendUrlCheckEnabled()
+    {
+        return this.urlConfiguration.isFrontendUrlCheckEnabled();
+    }
+
+    /**
+     * @return the list of URLs that are allowed to avoid asking confirmation to users when accessing them.
+     * @since 17.9.0RC1
+     * @since 17.4.6
+     * @since 16.10.13
+     */
+    @Unstable
+    public List<String> getAllowedFrontendUrls()
+    {
+        return this.urlConfiguration.getAllowedFrontendUrls();
+    }
 }

xwiki-platform-core/xwiki-platform-url/xwiki-platform-url-api/src/main/resources/ApplicationResources.properties

@@ -0,0 +1,21 @@
+# ---------------------------------------------------------------------------
+# See the NOTICE file distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as
+# published by the Free Software Foundation; either version 2.1 of
+# the License, or (at your option) any later version.
+#
+# This software is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this software; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+# 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+# ---------------------------------------------------------------------------
+url.api.followLinkConfirmationText=You are about to leave the domain "{0}" to follow a link to "{1}". Are you sure \
+  you want to continue?

xwiki-platform-core/xwiki-platform-url/xwiki-platform-url-default/src/main/java/org/xwiki/url/internal/DefaultURLConfiguration.java

@@ -19,7 +19,6 @@
  */
 package org.xwiki.url.internal;
 
-import java.util.Collections;
 import java.util.List;
 
 import javax.inject.Inject;
@@ -67,7 +66,7 @@ public boolean useResourceLastModificationDate()
     @Override
     public List<String> getTrustedDomains()
     {
-        return this.configuration.get().getProperty(PREFIX + "trustedDomains", Collections.emptyList());
+        return this.configuration.get().getProperty(PREFIX + "trustedDomains", List.of());
     }
 
     @Override
@@ -81,4 +80,16 @@ public List<String> getTrustedSchemes()
     {
         return this.configuration.get().getProperty(PREFIX + "trustedSchemes", List.of("http", "https", "ftp"));
     }
+
+    @Override
+    public boolean isFrontendUrlCheckEnabled()
+    {
+        return this.configuration.get().getProperty(PREFIX + "frontendUrlCheckEnabled", true);
+    }
+
+    @Override
+    public List<String> getAllowedFrontendUrls()
+    {
+        return this.configuration.get().getProperty(PREFIX + "allowedFrontendUrls", List.of());
+    }
 }