Merge branch 'hibernate-interpolator-rce-fix' into 'master'

Sanitize untrusted text before using in Hibernate See merge request !119

Merge branch 'hibernate-interpolator-rce-fix' into 'master'
Sanitize untrusted text before using in Hibernate See merge request !119
03ed6f2d · neelesh thakur · aa339c66 · 7567ebd4 · 03ed6f2d · 03ed6f2d
Commit 03ed6f2d authored Oct 12, 2021 by neelesh thakur
--- a/NOTICE
+++ b/NOTICE
@@ -23,7 +23,7 @@ The following software have components provided under the terms of this license:
 - Google HTTP Client Library for Java (from https://repo1.maven.org/maven2/com/google/http-client/google-http-client)
 - Gson (from https://repo1.maven.org/maven2/com/google/code/gson/gson)
 - Guava InternalFutureFailureAccess and InternalFutures (from https://repo1.maven.org/maven2/com/google/guava/failureaccess)
- Guava: Google Core Libraries for Java (from https://github.com/google/guava)
+- Guava: Google Core Libraries for Java (from https://repo1.maven.org/maven2/com/google/guava/guava)
 - HPPC Collections (from https://repo1.maven.org/maven2/com/carrotsearch/hppc)
 - Hibernate Validator Engine (from https://repo1.maven.org/maven2/org/hibernate/validator/hibernate-validator)
 - HttpClient (from http://hc.apache.org/httpcomponents-client)
@@ -41,7 +41,7 @@ The following software have components provided under the terms of this license:
 - Jackson-dataformat-YAML (from https://github.com/FasterXML/jackson-dataformats-text)
 - Jackson-module-parameter-names (from https://repo1.maven.org/maven2/com/fasterxml/jackson/module/jackson-module-parameter-names)
 - Jakarta Bean Validation API (from https://beanvalidation.org)
- Jakarta Expression Language Implementation (from https://projects.eclipse.org/projects/ee4j.el)
+- Jakarta Expression Language 3.0 (from https://projects.eclipse.org/projects/ee4j.el)
 - Java Servlet API (from http://servlet-spec.java.net)
 - Javassist (from http://www.javassist.org/)
 - Joda-Time (from https://www.joda.org/joda-time/)
@@ -76,9 +76,6 @@ The following software have components provided under the terms of this license:
 - SnakeYAML (from http://www.snakeyaml.org)
 - Spring AOP (from https://github.com/spring-projects/spring-framework)
 - Spring Beans (from https://github.com/spring-projects/spring-framework)
- Spring Boot Logging Starter (from https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-logging)
- Spring Boot Starter (from https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter)
- Spring Boot Web Starter (from https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-web)
 - Spring Commons Logging Bridge (from https://github.com/spring-projects/spring-framework)
 - Spring Context (from https://github.com/spring-projects/spring-framework)
 - Spring Core (from https://github.com/spring-projects/spring-framework)
@@ -109,9 +106,12 @@ The following software have components provided under the terms of this license:
 - server (from https://github.com/elastic/elasticsearch)
 - spring-boot (from https://spring.io/projects/spring-boot)
 - spring-boot-autoconfigure (from https://spring.io/projects/spring-boot)
+- spring-boot-starter (from https://spring.io/projects/spring-boot)
 - spring-boot-starter-json (from https://spring.io/projects/spring-boot)
+- spring-boot-starter-logging (from https://spring.io/projects/spring-boot)
 - spring-boot-starter-tomcat (from https://spring.io/projects/spring-boot)
 - spring-boot-starter-validation (from https://spring.io/projects/spring-boot)
+- spring-boot-starter-web (from https://spring.io/projects/spring-boot)
 - swagger-annotations (from https://repo1.maven.org/maven2/io/swagger/swagger-annotations)
 - swagger-jaxrs (from https://repo1.maven.org/maven2/io/swagger/swagger-jaxrs)
 - tomcat-embed-core (from http://tomcat.apache.org/)
@@ -123,7 +123,7 @@ BSD-2-Clause
 The following software have components provided under the terms of this license:

 - Hamcrest (from http://hamcrest.org/JavaHamcrest/)
- Hamcrest Core (from http://hamcrest.org/)
+- Hamcrest Core (from https://repo1.maven.org/maven2/org/hamcrest/hamcrest-core)
 - Lucene Common Analyzers (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-analyzers-common)
 - Lucene Core (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-core)
 - Reflections (from http://github.com/ronmamo/reflections)
@@ -135,7 +135,7 @@ The following software have components provided under the terms of this license:

 - Apache Commons Codec (from https://commons.apache.org/proper/commons-codec/)
 - Hamcrest (from http://hamcrest.org/JavaHamcrest/)
- Hamcrest Core (from http://hamcrest.org/)
+- Hamcrest Core (from https://repo1.maven.org/maven2/org/hamcrest/hamcrest-core)
 - Lucene Common Analyzers (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-analyzers-common)
 - Lucene Core (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-core)
 - Lucene Suggest (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-suggest)
@@ -180,9 +180,9 @@ EPL-1.0
 The following software have components provided under the terms of this license:

 - Jakarta Annotations API (from https://projects.eclipse.org/projects/ee4j.ca)
- Jakarta Expression Language Implementation (from https://projects.eclipse.org/projects/ee4j.el)
- Logback Classic Module (from http://logback.qos.ch)
- Logback Core Module (from http://logback.qos.ch)
+- Jakarta Expression Language 3.0 (from https://projects.eclipse.org/projects/ee4j.el)
+- Logback Classic Module (from https://repo1.maven.org/maven2/ch/qos/logback/logback-classic)
+- Logback Core Module (from https://repo1.maven.org/maven2/ch/qos/logback/logback-core)
 - SnakeYAML (from http://www.snakeyaml.org)

 ========================================================================
@@ -191,7 +191,7 @@ EPL-2.0
 The following software have components provided under the terms of this license:

 - Jakarta Annotations API (from https://projects.eclipse.org/projects/ee4j.ca)
- Jakarta Expression Language Implementation (from https://projects.eclipse.org/projects/ee4j.el)
+- Jakarta Expression Language 3.0 (from https://projects.eclipse.org/projects/ee4j.el)

 ========================================================================
 GPL-2.0-only
@@ -214,7 +214,7 @@ GPL-2.0-with-classpath-exception
 The following software have components provided under the terms of this license:

 - Jakarta Annotations API (from https://projects.eclipse.org/projects/ee4j.ca)
- Jakarta Expression Language Implementation (from https://projects.eclipse.org/projects/ee4j.el)
+- Jakarta Expression Language 3.0 (from https://projects.eclipse.org/projects/ee4j.el)
 - Java Servlet API (from http://servlet-spec.java.net)
 - tomcat-embed-core (from http://tomcat.apache.org/)

@@ -224,7 +224,7 @@ GPL-3.0-only
 The following software have components provided under the terms of this license:

 - Jakarta Annotations API (from https://projects.eclipse.org/projects/ee4j.ca)
- Jakarta Expression Language Implementation (from https://projects.eclipse.org/projects/ee4j.el)
+- Jakarta Expression Language 3.0 (from https://projects.eclipse.org/projects/ee4j.el)
 - Project Lombok (from https://projectlombok.org)

 ========================================================================
@@ -234,8 +234,8 @@ The following software have components provided under the terms of this license:

 - Elastic JNA Distribution (from https://github.com/java-native-access/jna)
 - Javassist (from http://www.javassist.org/)
- Logback Classic Module (from http://logback.qos.ch)
- Logback Core Module (from http://logback.qos.ch)
+- Logback Classic Module (from https://repo1.maven.org/maven2/ch/qos/logback/logback-classic)
+- Logback Core Module (from https://repo1.maven.org/maven2/ch/qos/logback/logback-core)

 ========================================================================
 LGPL-2.1-or-later
@@ -314,7 +314,7 @@ public-domain
 ========================================================================
 The following software have components provided under the terms of this license:

- Guava: Google Core Libraries for Java (from https://github.com/google/guava)
+- Guava: Google Core Libraries for Java (from https://repo1.maven.org/maven2/com/google/guava/guava)
 - HdrHistogram (from http://hdrhistogram.github.io/HdrHistogram/)
 - Joda-Time (from https://www.joda.org/joda-time/)
 - Project Lombok (from https://projectlombok.org)

--- a/src/main/java/org/opengroup/osdu/core/common/model/entitlements/validation/AclValidator.java
+++ b/src/main/java/org/opengroup/osdu/core/common/model/entitlements/validation/AclValidator.java
@@ -18,6 +18,7 @@ import javax.validation.ConstraintValidator;
 import javax.validation.ConstraintValidatorContext;

 import org.apache.commons.lang3.ArrayUtils;
+import org.opengroup.osdu.core.common.model.validation.ValidatorUtils;
 import org.opengroup.osdu.core.common.model.entitlements.Acl;
 import org.opengroup.osdu.core.common.model.storage.validation.ValidationDoc;

@@ -48,7 +49,7 @@ public class AclValidator implements ConstraintValidator<ValidAcl, Acl> {
 		for (int i = 0; i < acl.getViewers().length; i++) {
 			if (acl.getViewers()[i] == null || !acl.getViewers()[i].matches(ValidationDoc.EMAIL_REGEX)) {
 				context.buildConstraintViolationWithTemplate(
-						String.format(ValidationDoc.INVALID_GROUP_NAME, acl.getViewers()[i])).addConstraintViolation();
+						String.format(ValidationDoc.INVALID_GROUP_NAME, ValidatorUtils.escapeString(acl.getViewers()[i]))).addConstraintViolation();
 				return false;
 			}
 		}
@@ -56,7 +57,7 @@ public class AclValidator implements ConstraintValidator<ValidAcl, Acl> {
 		for (int i = 0; i < acl.getOwners().length; i++) {
 			if (acl.getOwners()[i] == null || !acl.getOwners()[i].matches(ValidationDoc.EMAIL_REGEX)) {
 				context.buildConstraintViolationWithTemplate(
-						String.format(ValidationDoc.INVALID_GROUP_NAME, acl.getOwners()[i])).addConstraintViolation();
+						String.format(ValidationDoc.INVALID_GROUP_NAME, ValidatorUtils.escapeString(acl.getOwners()[i]))).addConstraintViolation();
 				return false;
 			}
 		}

--- a/src/main/java/org/opengroup/osdu/core/common/model/legal/validation/LegalValidator.java
+++ b/src/main/java/org/opengroup/osdu/core/common/model/legal/validation/LegalValidator.java
@@ -19,6 +19,7 @@ import javax.validation.ConstraintValidatorContext;

 import org.apache.commons.lang3.math.NumberUtils;

+import org.opengroup.osdu.core.common.model.validation.ValidatorUtils;
 import org.opengroup.osdu.core.common.model.storage.Record;

 import io.jsonwebtoken.lang.Collections;
@@ -41,15 +42,15 @@ public class LegalValidator implements ConstraintValidator<ValidLegal, Record> {
 				String[] tokens = parent.split(":");

 				if (tokens.length != 4) {
-					String msg = String.format(ValidationDoc.INVALID_PARENT_RECORD_ID_FORMAT, parent);
-
+					String msg = String.format(ValidationDoc.INVALID_PARENT_RECORD_ID_FORMAT, ValidatorUtils.escapeString(parent));
+					
 					context.buildConstraintViolationWithTemplate(msg).addConstraintViolation();
 					return false;
 				}

 				if (!NumberUtils.isCreatable(tokens[tokens.length - 1])) {
-					String msg = String.format(ValidationDoc.INVALID_PARENT_RECORD_VERSION_FORMAT, parent);
-
+					String msg = String.format(ValidationDoc.INVALID_PARENT_RECORD_VERSION_FORMAT, ValidatorUtils.escapeString(parent));
+					
 					context.buildConstraintViolationWithTemplate(msg).addConstraintViolation();
 					return false;
 				}

--- a/src/main/java/org/opengroup/osdu/core/common/model/storage/validation/BulkQueryValidator.java
+++ b/src/main/java/org/opengroup/osdu/core/common/model/storage/validation/BulkQueryValidator.java
@@ -21,6 +21,7 @@ import java.util.Set;
 import javax.validation.ConstraintValidator;
 import javax.validation.ConstraintValidatorContext;

+import org.opengroup.osdu.core.common.model.validation.ValidatorUtils;
 import org.opengroup.osdu.core.common.model.storage.RecordQuery;

 public class BulkQueryValidator implements ConstraintValidator<ValidBulkQuery, RecordQuery> {
@@ -44,12 +45,12 @@ public class BulkQueryValidator implements ConstraintValidator<ValidBulkQuery, R
        Set<String> ids = new HashSet<>();
        for (String recordId : recordIds) {
            if (ids.contains(recordId)) {
-                context.buildConstraintViolationWithTemplate(String.format(ValidationDoc.DUPLICATE_RECORD_ID, recordId))
+                context.buildConstraintViolationWithTemplate(String.format(ValidationDoc.DUPLICATE_RECORD_ID, ValidatorUtils.escapeString(recordId)))
                        .addConstraintViolation();
                return false;
            }
            if (!recordId.matches(ValidationDoc.RECORD_ID_REGEX) && !recordId.matches(ValidationDoc.RECORD_ID_WITH_VERSION_REGEX)) {
-                context.buildConstraintViolationWithTemplate(String.format(ValidationDoc.INVALID_RECORD_ID_FORMAT, recordId))
+                context.buildConstraintViolationWithTemplate(String.format(ValidationDoc.INVALID_RECORD_ID_FORMAT, ValidatorUtils.escapeString(recordId)))
                        .addConstraintViolation();
                return false;
            }

--- a/src/main/java/org/opengroup/osdu/core/common/model/validation/ValidatorUtils.java
+++ b/src/main/java/org/opengroup/osdu/core/common/model/validation/ValidatorUtils.java
+package org.opengroup.osdu.core.common.model.validation;
+
+import javax.validation.ConstraintValidator;
+import javax.validation.ConstraintValidatorContext;
+
+public class ValidatorUtils {
+  public static String escapeString(String message) {
+    return message.replace("\\","\\\\")
+                    .replace("{","\\{")
+                    .replace("}","\\}")
+                    .replace("$","\\$");
+  }
+}
\ No newline at end of file
--- a/src/test/java/org/opengroup/osdu/core/common/model/entitlements/validation/AclValidatorTest.java
+++ b/src/test/java/org/opengroup/osdu/core/common/model/entitlements/validation/AclValidatorTest.java
+// Copyright 2017-2019, Schlumberger
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.opengroup.osdu.core.common.model.entitlements.validation;
+
+import javax.validation.ConstraintValidatorContext;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+
+import org.opengroup.osdu.core.common.model.entitlements.Acl;
+
+import static org.junit.Assert.*;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+import static org.mockito.Mockito.verify;
+
+
+@RunWith(MockitoJUnitRunner.class)
+public class AclValidatorTest {
+    private static final String[] VALUES = new String[] { "data.email1@dom.dev.cloud.dom-ds.com",
+            "data.test@dom.dev.cloud.dom-ds.com" };
+
+    @Mock
+    private ConstraintValidatorContext context;
+
+    private Acl acl;
+
+    private AclValidator sut;
+
+    @Before
+    public void setup() {
+        this.acl = new Acl();
+        this.sut = new AclValidator();
+
+        ConstraintValidatorContext.ConstraintViolationBuilder builder = mock(ConstraintValidatorContext.ConstraintViolationBuilder.class);
+
+        when(this.context.buildConstraintViolationWithTemplate("Invalid group name '\\$\\{2+2\\}'"))
+                .thenReturn(builder);
+    }
+
+    @Test
+    public void should_doNothingInInitialize() {
+        // for coverage purposes. Do nothing method!
+        this.sut.initialize(null);
+    }
+
+    @Test
+    public void should_notInterpolate_when_AclOwnerHasExpressionLanguage() {
+
+        String[] EXPRESSION_GROUP = new String[] { "${2+2}" };
+
+        this.acl.setViewers(VALUES);
+        this.acl.setOwners(EXPRESSION_GROUP);
+
+        assertFalse(this.sut.isValid(this.acl, this.context));
+        verify(this.context).buildConstraintViolationWithTemplate("Invalid group name '\\$\\{2+2\\}'");
+    }
+
+    @Test
+    public void should_notInterpolate_when_AclViewerHasExpressionLanguage() {
+
+        String[] EXPRESSION_GROUP = new String[] { "${2+2}" };
+
+        this.acl.setViewers(EXPRESSION_GROUP);
+        this.acl.setOwners(VALUES);
+
+        assertFalse(this.sut.isValid(this.acl, this.context));
+        verify(this.context).buildConstraintViolationWithTemplate("Invalid group name '\\$\\{2+2\\}'");
+    }
+}
\ No newline at end of file
--- a/src/test/java/org/opengroup/osdu/core/common/model/legal/validation/LegalValidatorTest.java
+++ b/src/test/java/org/opengroup/osdu/core/common/model/legal/validation/LegalValidatorTest.java
+// Copyright 2017-2019, Schlumberger
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.opengroup.osdu.core.common.model.legal.validation;
+
+import javax.validation.ConstraintValidatorContext;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+
+import com.google.common.collect.Sets;
+
+import org.opengroup.osdu.core.common.model.storage.Record;
+import org.opengroup.osdu.core.common.model.storage.RecordAncestry;
+import org.opengroup.osdu.core.common.model.entitlements.Acl;
+import org.opengroup.osdu.core.common.model.legal.Legal;
+import org.opengroup.osdu.core.common.model.legal.validation.LegalValidator;
+
+import static org.junit.Assert.*;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.anyString;
+
+
+@RunWith(MockitoJUnitRunner.class)
+public class LegalValidatorTest {
+    private static final String[] VALUES = new String[] { "data.email1@dom.dev.cloud.dom-ds.com",
+            "data.test@dom.dev.cloud.dom-ds.com" };
+
+    @Mock
+    private ConstraintValidatorContext context;
+
+    private Record record;
+
+    private LegalValidator sut;
+
+    @Before
+    public void setup() {
+        this.record = new Record();
+        this.sut = new LegalValidator();
+
+        ConstraintValidatorContext.ConstraintViolationBuilder builder = mock(ConstraintValidatorContext.ConstraintViolationBuilder.class);
+
+        when(this.context.buildConstraintViolationWithTemplate(anyString()))
+                .thenReturn(builder);
+    }
+
+    @Test
+    public void should_doNothingInInitialize() {
+        // for coverage purposes. Do nothing method!
+        this.sut.initialize(null);
+    }
+
+    @Test
+    public void should_notInterpolate_when_parentWithoutVersionHasExpressionLanguage() {
+
+        Legal legal = new Legal();
+        legal.setLegaltags(Sets.newHashSet("legal1"));
+        legal.setOtherRelevantDataCountries(Sets.newHashSet("FRA"));
+        this.record.setLegal(legal);
+
+        RecordAncestry ancestry = new RecordAncestry();
+        ancestry.setParents(Sets.newHashSet("${2+2}"));
+
+        this.record.setAncestry(ancestry);
+
+        assertFalse(this.sut.isValid(this.record, this.context));
+        verify(this.context).buildConstraintViolationWithTemplate("Invalid parent record format: '\\$\\{2+2\\}'. The following format is expected: {record-id}:{record-version}");
+    }
+
+    @Test
+    public void should_notInterpolate_when_parentWithInvalidVersionHasExpressionLanguage() {
+
+        Legal legal = new Legal();
+        legal.setLegaltags(Sets.newHashSet("legal1"));
+        legal.setOtherRelevantDataCountries(Sets.newHashSet("FRA"));
+        this.record.setLegal(legal);
+
+        RecordAncestry ancestry = new RecordAncestry();
+        ancestry.setParents(Sets.newHashSet("${2+2}:abc:def:xyz"));
+
+        this.record.setAncestry(ancestry);
+
+        assertFalse(this.sut.isValid(this.record, this.context));
+        verify(this.context).buildConstraintViolationWithTemplate("Invalid parent record version: '\\$\\{2+2\\}:abc:def:xyz'. Record version must be a numeric value");
+    }
+}
\ No newline at end of file
--- a/src/test/java/org/opengroup/osdu/core/common/model/storage/validation/BulkQueryValidatorTest.java
+++ b/src/test/java/org/opengroup/osdu/core/common/model/storage/validation/BulkQueryValidatorTest.java
@@ -30,6 +30,8 @@ import org.opengroup.osdu.core.common.model.storage.RecordQuery;
 import static org.junit.Assert.*;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.anyString;

 @RunWith(MockitoJUnitRunner.class)
 public class BulkQueryValidatorTest {
@@ -52,6 +54,8 @@ public class BulkQueryValidatorTest {
                .thenReturn(builder);
        when(this.context.buildConstraintViolationWithTemplate(String.format(ValidationDoc.INVALID_RECORD_ID_FORMAT, invalidFormatRecord)))
                .thenReturn(builder);
+        when(this.context.buildConstraintViolationWithTemplate(anyString()))
+                .thenReturn(builder);
    }

    @Test
@@ -72,7 +76,7 @@ public class BulkQueryValidatorTest {
    }

    @Test
-    public void should_retuanFalse_ifWrongFormatRecords() {
+    public void should_returnFalse_ifWrongFormatRecords() {
        RecordQuery recordQuery = new RecordQuery();
        List<String> ids = new ArrayList<>();
        ids.add(invalidFormatRecord);
@@ -90,4 +94,15 @@ public class BulkQueryValidatorTest {

        assertTrue(this.sut.isValid(recordQuery, this.context));
    }
+
+    @Test
+    public void should_notInterpolate_when_recordIdHasExpressionLanguage() {
+        RecordQuery recordQuery = new RecordQuery();
+        List<String> ids = new ArrayList<>();
+        ids.add("${2+2}");
+        recordQuery.setIds(ids);
+    
+        assertFalse(this.sut.isValid(recordQuery, this.context));
+        verify(this.context).buildConstraintViolationWithTemplate("Invalid record format: '\\$\\{2+2\\}'. The following format is expected: {tenant-name}:{object-type}:{unique-identifier} or {tenant-name}:{object-type}:{unique-identifier}:{version}");
+    }
 }
\ No newline at end of file