add a jsonp case

Author: JoyChou93

src/main/java/org/joychou/controller/CORS.java

@@ -57,7 +57,7 @@ public String seccode(HttpServletRequest request, HttpServletResponse response)
         }
         response.setHeader("Access-Control-Allow-Origin", origin);
         response.setHeader("Access-Control-Allow-Credentials", "true");
-        return JSONP.getUserInfo(request);
+        return JSONP.getUserInfo2JsonStr(request);
     }
 
 

src/main/java/org/joychou/controller/jsonp/JSONP.java

@@ -3,10 +3,13 @@
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.JSONObject;
 
+import com.netflix.ribbon.proxy.annotation.Http;
 import org.joychou.security.SecurityUtil;
 import org.springframework.http.MediaType;
 import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.web.bind.annotation.*;
+import org.springframework.web.servlet.ModelAndView;
+import org.springframework.web.servlet.view.json.MappingJackson2JsonView;
 
 import javax.servlet.http.HttpServletRequest;
 import java.security.Principal;
@@ -27,7 +30,7 @@ public class JSONP {
 
 
     // get current login username
-    public static String getUserInfo(HttpServletRequest request) {
+    public static String getUserInfo2JsonStr(HttpServletRequest request) {
         Principal principal = request.getUserPrincipal();
 
         String username = principal.getName();
@@ -46,7 +49,7 @@ public static String getUserInfo(HttpServletRequest request) {
     @RequestMapping(value = "/referer", produces = "application/javascript")
     private String referer(HttpServletRequest request) {
         String callback = request.getParameter("callback");
-        return callback + "(" + getUserInfo(request) + ")";
+        return callback + "(" + getUserInfo2JsonStr(request) + ")";
     }
 
     /**
@@ -64,7 +67,7 @@ private String emptyReferer(HttpServletRequest request) {
         }
 
         String callback = request.getParameter("callback");
-        return callback + "(" + getUserInfo(request) + ")";
+        return callback + "(" + getUserInfo2JsonStr(request) + ")";
     }
 
     /**
@@ -77,10 +80,26 @@ private String emptyReferer(HttpServletRequest request) {
      */
     @RequestMapping(value = "/advice", produces = MediaType.APPLICATION_JSON_VALUE)
     public JSONObject advice(HttpServletRequest request) {
-        return JSON.parseObject(getUserInfo(request));
+        return JSON.parseObject(getUserInfo2JsonStr(request));
+    }
+
 
+    /**
+     * http://localhost:8080/jsonp/mappingJackson2JsonView?callback=test
+     * Reference: https://p0sec.net/index.php/archives/122/ from p0
+     * Affected version:  java-sec-code test case version: 4.3.6
+     *     - Spring Framework 5.0 to 5.0.6
+     *     - Spring Framework 4.1 to 4.3.17
+     */
+    @RequestMapping(value = "/mappingJackson2JsonView", produces = MediaType.APPLICATION_JSON_VALUE)
+    public ModelAndView mappingJackson2JsonView(HttpServletRequest req) {
+        ModelAndView view = new ModelAndView(new MappingJackson2JsonView());
+        Principal principal = req.getUserPrincipal();
+        view.addObject("username", principal.getName() );
+        return view;
     }
 
+
     /**
      * Safe code.
      * http://localhost:8080/jsonp/sec?callback=test
@@ -94,7 +113,7 @@ private String safecode(HttpServletRequest request) {
         }
 
         String callback = request.getParameter("callback");
-        return callback + "(" + getUserInfo(request) + ")";
+        return callback + "(" + getUserInfo2JsonStr(request) + ")";
     }
 
 

src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java

@@ -12,4 +12,5 @@ public class JSONPAdvice extends AbstractJsonpResponseBodyAdvice {
     public JSONPAdvice(@Value("${joychou.security.jsonp.callback}") String[] callback) {
         super(callback);  // Can set multiple paramNames
     }
+
 }