Commit 03ed6f2d authored by neelesh thakur's avatar neelesh thakur

Merge branch 'hibernate-interpolator-rce-fix' into 'master'

Sanitize untrusted text before using it in Hibernate

See merge request !119
parents aa339c66 7567ebd4
......@@ -23,7 +23,7 @@ The following software have components provided under the terms of this license:
- Google HTTP Client Library for Java (from https://repo1.maven.org/maven2/com/google/http-client/google-http-client)
- Gson (from https://repo1.maven.org/maven2/com/google/code/gson/gson)
- Guava InternalFutureFailureAccess and InternalFutures (from https://repo1.maven.org/maven2/com/google/guava/failureaccess)
- Guava: Google Core Libraries for Java (from https://github.com/google/guava)
- Guava: Google Core Libraries for Java (from https://repo1.maven.org/maven2/com/google/guava/guava)
- HPPC Collections (from https://repo1.maven.org/maven2/com/carrotsearch/hppc)
- Hibernate Validator Engine (from https://repo1.maven.org/maven2/org/hibernate/validator/hibernate-validator)
- HttpClient (from http://hc.apache.org/httpcomponents-client)
......@@ -41,7 +41,7 @@ The following software have components provided under the terms of this license:
- Jackson-dataformat-YAML (from https://github.com/FasterXML/jackson-dataformats-text)
- Jackson-module-parameter-names (from https://repo1.maven.org/maven2/com/fasterxml/jackson/module/jackson-module-parameter-names)
- Jakarta Bean Validation API (from https://beanvalidation.org)
- Jakarta Expression Language Implementation (from https://projects.eclipse.org/projects/ee4j.el)
- Jakarta Expression Language 3.0 (from https://projects.eclipse.org/projects/ee4j.el)
- Java Servlet API (from http://servlet-spec.java.net)
- Javassist (from http://www.javassist.org/)
- Joda-Time (from https://www.joda.org/joda-time/)
......@@ -76,9 +76,6 @@ The following software have components provided under the terms of this license:
- SnakeYAML (from http://www.snakeyaml.org)
- Spring AOP (from https://github.com/spring-projects/spring-framework)
- Spring Beans (from https://github.com/spring-projects/spring-framework)
- Spring Boot Logging Starter (from https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-logging)
- Spring Boot Starter (from https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter)
- Spring Boot Web Starter (from https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-web)
- Spring Commons Logging Bridge (from https://github.com/spring-projects/spring-framework)
- Spring Context (from https://github.com/spring-projects/spring-framework)
- Spring Core (from https://github.com/spring-projects/spring-framework)
......@@ -109,9 +106,12 @@ The following software have components provided under the terms of this license:
- server (from https://github.com/elastic/elasticsearch)
- spring-boot (from https://spring.io/projects/spring-boot)
- spring-boot-autoconfigure (from https://spring.io/projects/spring-boot)
- spring-boot-starter (from https://spring.io/projects/spring-boot)
- spring-boot-starter-json (from https://spring.io/projects/spring-boot)
- spring-boot-starter-logging (from https://spring.io/projects/spring-boot)
- spring-boot-starter-tomcat (from https://spring.io/projects/spring-boot)
- spring-boot-starter-validation (from https://spring.io/projects/spring-boot)
- spring-boot-starter-web (from https://spring.io/projects/spring-boot)
- swagger-annotations (from https://repo1.maven.org/maven2/io/swagger/swagger-annotations)
- swagger-jaxrs (from https://repo1.maven.org/maven2/io/swagger/swagger-jaxrs)
- tomcat-embed-core (from http://tomcat.apache.org/)
......@@ -123,7 +123,7 @@ BSD-2-Clause
The following software have components provided under the terms of this license:
- Hamcrest (from http://hamcrest.org/JavaHamcrest/)
- Hamcrest Core (from http://hamcrest.org/)
- Hamcrest Core (from https://repo1.maven.org/maven2/org/hamcrest/hamcrest-core)
- Lucene Common Analyzers (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-analyzers-common)
- Lucene Core (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-core)
- Reflections (from http://github.com/ronmamo/reflections)
......@@ -135,7 +135,7 @@ The following software have components provided under the terms of this license:
- Apache Commons Codec (from https://commons.apache.org/proper/commons-codec/)
- Hamcrest (from http://hamcrest.org/JavaHamcrest/)
- Hamcrest Core (from http://hamcrest.org/)
- Hamcrest Core (from https://repo1.maven.org/maven2/org/hamcrest/hamcrest-core)
- Lucene Common Analyzers (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-analyzers-common)
- Lucene Core (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-core)
- Lucene Suggest (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-suggest)
......@@ -180,9 +180,9 @@ EPL-1.0
The following software have components provided under the terms of this license:
- Jakarta Annotations API (from https://projects.eclipse.org/projects/ee4j.ca)
- Jakarta Expression Language Implementation (from https://projects.eclipse.org/projects/ee4j.el)
- Logback Classic Module (from http://logback.qos.ch)
- Logback Core Module (from http://logback.qos.ch)
- Jakarta Expression Language 3.0 (from https://projects.eclipse.org/projects/ee4j.el)
- Logback Classic Module (from https://repo1.maven.org/maven2/ch/qos/logback/logback-classic)
- Logback Core Module (from https://repo1.maven.org/maven2/ch/qos/logback/logback-core)
- SnakeYAML (from http://www.snakeyaml.org)
========================================================================
......@@ -191,7 +191,7 @@ EPL-2.0
The following software have components provided under the terms of this license:
- Jakarta Annotations API (from https://projects.eclipse.org/projects/ee4j.ca)
- Jakarta Expression Language Implementation (from https://projects.eclipse.org/projects/ee4j.el)
- Jakarta Expression Language 3.0 (from https://projects.eclipse.org/projects/ee4j.el)
========================================================================
GPL-2.0-only
......@@ -214,7 +214,7 @@ GPL-2.0-with-classpath-exception
The following software have components provided under the terms of this license:
- Jakarta Annotations API (from https://projects.eclipse.org/projects/ee4j.ca)
- Jakarta Expression Language Implementation (from https://projects.eclipse.org/projects/ee4j.el)
- Jakarta Expression Language 3.0 (from https://projects.eclipse.org/projects/ee4j.el)
- Java Servlet API (from http://servlet-spec.java.net)
- tomcat-embed-core (from http://tomcat.apache.org/)
......@@ -224,7 +224,7 @@ GPL-3.0-only
The following software have components provided under the terms of this license:
- Jakarta Annotations API (from https://projects.eclipse.org/projects/ee4j.ca)
- Jakarta Expression Language Implementation (from https://projects.eclipse.org/projects/ee4j.el)
- Jakarta Expression Language 3.0 (from https://projects.eclipse.org/projects/ee4j.el)
- Project Lombok (from https://projectlombok.org)
========================================================================
......@@ -234,8 +234,8 @@ The following software have components provided under the terms of this license:
- Elastic JNA Distribution (from https://github.com/java-native-access/jna)
- Javassist (from http://www.javassist.org/)
- Logback Classic Module (from http://logback.qos.ch)
- Logback Core Module (from http://logback.qos.ch)
- Logback Classic Module (from https://repo1.maven.org/maven2/ch/qos/logback/logback-classic)
- Logback Core Module (from https://repo1.maven.org/maven2/ch/qos/logback/logback-core)
========================================================================
LGPL-2.1-or-later
......@@ -314,7 +314,7 @@ public-domain
========================================================================
The following software have components provided under the terms of this license:
- Guava: Google Core Libraries for Java (from https://github.com/google/guava)
- Guava: Google Core Libraries for Java (from https://repo1.maven.org/maven2/com/google/guava/guava)
- HdrHistogram (from http://hdrhistogram.github.io/HdrHistogram/)
- Joda-Time (from https://www.joda.org/joda-time/)
- Project Lombok (from https://projectlombok.org)
......@@ -18,6 +18,7 @@ import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import org.apache.commons.lang3.ArrayUtils;
import org.opengroup.osdu.core.common.model.validation.ValidatorUtils;
import org.opengroup.osdu.core.common.model.entitlements.Acl;
import org.opengroup.osdu.core.common.model.storage.validation.ValidationDoc;
......@@ -48,7 +49,7 @@ public class AclValidator implements ConstraintValidator<ValidAcl, Acl> {
for (int i = 0; i < acl.getViewers().length; i++) {
if (acl.getViewers()[i] == null || !acl.getViewers()[i].matches(ValidationDoc.EMAIL_REGEX)) {
context.buildConstraintViolationWithTemplate(
String.format(ValidationDoc.INVALID_GROUP_NAME, acl.getViewers()[i])).addConstraintViolation();
String.format(ValidationDoc.INVALID_GROUP_NAME, ValidatorUtils.escapeString(acl.getViewers()[i]))).addConstraintViolation();
return false;
}
}
......@@ -56,7 +57,7 @@ public class AclValidator implements ConstraintValidator<ValidAcl, Acl> {
for (int i = 0; i < acl.getOwners().length; i++) {
if (acl.getOwners()[i] == null || !acl.getOwners()[i].matches(ValidationDoc.EMAIL_REGEX)) {
context.buildConstraintViolationWithTemplate(
String.format(ValidationDoc.INVALID_GROUP_NAME, acl.getOwners()[i])).addConstraintViolation();
String.format(ValidationDoc.INVALID_GROUP_NAME, ValidatorUtils.escapeString(acl.getOwners()[i]))).addConstraintViolation();
return false;
}
}
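Review bot: The new call `ValidatorUtils.escapeString(acl.getViewers()[i])` on the viewers line is reached when the entry is null (the condition two lines above it explicitly admits `acl.getViewers()[i] == null`), and `escapeString` dereferences its argument with `message.replace(...)`, so a null ACL entry now ends the validator with a NullPointerException instead of the constraint violation that `String.format` used to render as "null". Wrap the value before escaping, `ValidatorUtils.escapeString(String.valueOf(acl.getViewers()[i]))`, or make `escapeString` null-safe; the owners loop in the next hunk has the same gap on its `acl.getOwners()[i]` message line. The enclosing `isValid` method and both loops begin outside the hunk.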
......@@ -19,6 +19,7 @@ import javax.validation.ConstraintValidatorContext;
import org.apache.commons.lang3.math.NumberUtils;
import org.opengroup.osdu.core.common.model.validation.ValidatorUtils;
import org.opengroup.osdu.core.common.model.storage.Record;
import io.jsonwebtoken.lang.Collections;
......@@ -41,15 +42,15 @@ public class LegalValidator implements ConstraintValidator<ValidLegal, Record> {
String[] tokens = parent.split(":");
if (tokens.length != 4) {
String msg = String.format(ValidationDoc.INVALID_PARENT_RECORD_ID_FORMAT, parent);
String msg = String.format(ValidationDoc.INVALID_PARENT_RECORD_ID_FORMAT, ValidatorUtils.escapeString(parent));
context.buildConstraintViolationWithTemplate(msg).addConstraintViolation();
return false;
}
if (!NumberUtils.isCreatable(tokens[tokens.length - 1])) {
String msg = String.format(ValidationDoc.INVALID_PARENT_RECORD_VERSION_FORMAT, parent);
String msg = String.format(ValidationDoc.INVALID_PARENT_RECORD_VERSION_FORMAT, ValidatorUtils.escapeString(parent));
context.buildConstraintViolationWithTemplate(msg).addConstraintViolation();
return false;
}
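Review bot: `ValidatorUtils.escapeString(parent)` is now evaluated separately in each of the two violation branches, which means a future third message about the same `parent` has to remember the call again; escaping once right after `String[] tokens = parent.split(":");`, as `String safeParent = ValidatorUtils.escapeString(parent);`, and formatting both messages with `safeParent` keeps the sanitisation in one obvious place. From the visible lines a null `parent` already fails at `parent.split`, so unlike the ACL validator this hunk adds no new null hazard. The loop over parents and the enclosing method begin outside the hunk.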
......@@ -21,6 +21,7 @@ import java.util.Set;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import org.opengroup.osdu.core.common.model.validation.ValidatorUtils;
import org.opengroup.osdu.core.common.model.storage.RecordQuery;
public class BulkQueryValidator implements ConstraintValidator<ValidBulkQuery, RecordQuery> {
......@@ -44,12 +45,12 @@ public class BulkQueryValidator implements ConstraintValidator<ValidBulkQuery, R
Set<String> ids = new HashSet<>();
for (String recordId : recordIds) {
if (ids.contains(recordId)) {
context.buildConstraintViolationWithTemplate(String.format(ValidationDoc.DUPLICATE_RECORD_ID, recordId))
context.buildConstraintViolationWithTemplate(String.format(ValidationDoc.DUPLICATE_RECORD_ID, ValidatorUtils.escapeString(recordId)))
.addConstraintViolation();
return false;
}
if (!recordId.matches(ValidationDoc.RECORD_ID_REGEX) && !recordId.matches(ValidationDoc.RECORD_ID_WITH_VERSION_REGEX)) {
context.buildConstraintViolationWithTemplate(String.format(ValidationDoc.INVALID_RECORD_ID_FORMAT, recordId))
context.buildConstraintViolationWithTemplate(String.format(ValidationDoc.INVALID_RECORD_ID_FORMAT, ValidatorUtils.escapeString(recordId)))
.addConstraintViolation();
return false;
}
package org.opengroup.osdu.core.common.model.validation;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
public class ValidatorUtils {
public static String escapeString(String message) {
return message.replace("\\","\\\\")
.replace("{","\\{")
.replace("}","\\}")
.replace("$","\\$");
}
}
\ No newline at end of file
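Review bot: `escapeString` throws NullPointerException for a null argument because `message.replace(...)` is called unconditionally, while at least one caller in this commit (AclValidator) formats entries it has just tested for null; returning null for null keeps `String.format` rendering "null" as it did before the change. The two `javax.validation` imports are unused, and the class is a static utility with no private constructor. A Javadoc should record why exactly these four characters are escaped — backslash, braces and dollar are the characters the Hibernate Validator message template syntax treats specially, and backslash must be replaced first so the backslashes inserted by the later replacements are not doubled.
```java
public final class ValidatorUtils {

    private ValidatorUtils() {
    }

    public static String escapeString(String message) {
        if (message == null) {
            return null;
        }
        // backslash first, so the backslashes added by the later replacements are not doubled
        // … unchanged: the four replace() calls …
    }
}
```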
// Copyright 2017-2019, Schlumberger
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package org.opengroup.osdu.core.common.model.entitlements.validation;
import javax.validation.ConstraintValidatorContext;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.opengroup.osdu.core.common.model.entitlements.Acl;
import static org.junit.Assert.*;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
import static org.mockito.Mockito.verify;
@RunWith(MockitoJUnitRunner.class)
public class AclValidatorTest {
private static final String[] VALUES = new String[] { "data.email1@dom.dev.cloud.dom-ds.com",
"data.test@dom.dev.cloud.dom-ds.com" };
@Mock
private ConstraintValidatorContext context;
private Acl acl;
private AclValidator sut;
@Before
public void setup() {
this.acl = new Acl();
this.sut = new AclValidator();
ConstraintValidatorContext.ConstraintViolationBuilder builder = mock(ConstraintValidatorContext.ConstraintViolationBuilder.class);
when(this.context.buildConstraintViolationWithTemplate("Invalid group name '\\$\\{2+2\\}'"))
.thenReturn(builder);
}
@Test
public void should_doNothingInInitialize() {
// for coverage purposes. Do nothing method!
this.sut.initialize(null);
}
@Test
public void should_notInterpolate_when_AclOwnerHasExpressionLanguage() {
String[] EXPRESSION_GROUP = new String[] { "${2+2}" };
this.acl.setViewers(VALUES);
this.acl.setOwners(EXPRESSION_GROUP);
assertFalse(this.sut.isValid(this.acl, this.context));
verify(this.context).buildConstraintViolationWithTemplate("Invalid group name '\\$\\{2+2\\}'");
}
@Test
public void should_notInterpolate_when_AclViewerHasExpressionLanguage() {
String[] EXPRESSION_GROUP = new String[] { "${2+2}" };
this.acl.setViewers(EXPRESSION_GROUP);
this.acl.setOwners(VALUES);
assertFalse(this.sut.isValid(this.acl, this.context));
verify(this.context).buildConstraintViolationWithTemplate("Invalid group name '\\$\\{2+2\\}'");
}
}
\ No newline at end of file
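Review bot: The expected template `"Invalid group name '\\$\\{2+2\\}'"` is spelled out three times (in `setup` and in both `verify` calls); hoisting it to `private static final String ESCAPED_MESSAGE` keeps the test's one assertion in one place. The locals named `EXPRESSION_GROUP` use constant casing; make them lowerCamelCase locals or a `private static final String[]` field next to `VALUES`. Because `setup` stubs only the escaped template, an unescaped call would get a null builder from the mock and the test would fail with a NullPointerException at `.addConstraintViolation()` rather than at the `verify` line; stubbing `anyString()` as LegalValidatorTest in this commit does would make the `verify` the single, readable failure point.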
// Copyright 2017-2019, Schlumberger
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package org.opengroup.osdu.core.common.model.legal.validation;
import javax.validation.ConstraintValidatorContext;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import com.google.common.collect.Sets;
import org.opengroup.osdu.core.common.model.storage.Record;
import org.opengroup.osdu.core.common.model.storage.RecordAncestry;
import org.opengroup.osdu.core.common.model.entitlements.Acl;
import org.opengroup.osdu.core.common.model.legal.Legal;
import org.opengroup.osdu.core.common.model.legal.validation.LegalValidator;
import static org.junit.Assert.*;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.anyString;
@RunWith(MockitoJUnitRunner.class)
public class LegalValidatorTest {
private static final String[] VALUES = new String[] { "data.email1@dom.dev.cloud.dom-ds.com",
"data.test@dom.dev.cloud.dom-ds.com" };
@Mock
private ConstraintValidatorContext context;
private Record record;
private LegalValidator sut;
@Before
public void setup() {
this.record = new Record();
this.sut = new LegalValidator();
ConstraintValidatorContext.ConstraintViolationBuilder builder = mock(ConstraintValidatorContext.ConstraintViolationBuilder.class);
when(this.context.buildConstraintViolationWithTemplate(anyString()))
.thenReturn(builder);
}
@Test
public void should_doNothingInInitialize() {
// for coverage purposes. Do nothing method!
this.sut.initialize(null);
}
@Test
public void should_notInterpolate_when_parentWithoutVersionHasExpressionLanguage() {
Legal legal = new Legal();
legal.setLegaltags(Sets.newHashSet("legal1"));
legal.setOtherRelevantDataCountries(Sets.newHashSet("FRA"));
this.record.setLegal(legal);
RecordAncestry ancestry = new RecordAncestry();
ancestry.setParents(Sets.newHashSet("${2+2}"));
this.record.setAncestry(ancestry);
assertFalse(this.sut.isValid(this.record, this.context));
verify(this.context).buildConstraintViolationWithTemplate("Invalid parent record format: '\\$\\{2+2\\}'. The following format is expected: {record-id}:{record-version}");
}
@Test
public void should_notInterpolate_when_parentWithInvalidVersionHasExpressionLanguage() {
Legal legal = new Legal();
legal.setLegaltags(Sets.newHashSet("legal1"));
legal.setOtherRelevantDataCountries(Sets.newHashSet("FRA"));
this.record.setLegal(legal);
RecordAncestry ancestry = new RecordAncestry();
ancestry.setParents(Sets.newHashSet("${2+2}:abc:def:xyz"));
this.record.setAncestry(ancestry);
assertFalse(this.sut.isValid(this.record, this.context));
verify(this.context).buildConstraintViolationWithTemplate("Invalid parent record version: '\\$\\{2+2\\}:abc:def:xyz'. Record version must be a numeric value");
}
}
\ No newline at end of file
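Review bot: The `VALUES` field is never referenced in this test class and can be dropped, and the eight lines that build `Legal` and `RecordAncestry` are duplicated between the two tests with only the parent string differing. A small helper that takes the parent string removes the duplication and makes each test read as "given this parent, expect this message".
```java
    private void setupRecordWithParent(String parent) {
        Legal legal = new Legal();
        legal.setLegaltags(Sets.newHashSet("legal1"));
        legal.setOtherRelevantDataCountries(Sets.newHashSet("FRA"));
        this.record.setLegal(legal);
        RecordAncestry ancestry = new RecordAncestry();
        ancestry.setParents(Sets.newHashSet(parent));
        this.record.setAncestry(ancestry);
    }
```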
......@@ -30,6 +30,8 @@ import org.opengroup.osdu.core.common.model.storage.RecordQuery;
import static org.junit.Assert.*;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.anyString;
@RunWith(MockitoJUnitRunner.class)
public class BulkQueryValidatorTest {
......@@ -52,6 +54,8 @@ public class BulkQueryValidatorTest {
.thenReturn(builder);
when(this.context.buildConstraintViolationWithTemplate(String.format(ValidationDoc.INVALID_RECORD_ID_FORMAT, invalidFormatRecord)))
.thenReturn(builder);
when(this.context.buildConstraintViolationWithTemplate(anyString()))
.thenReturn(builder);
}
@Test
......@@ -72,7 +76,7 @@ public class BulkQueryValidatorTest {
}
@Test
public void should_retuanFalse_ifWrongFormatRecords() {
public void should_returnFalse_ifWrongFormatRecords() {
RecordQuery recordQuery = new RecordQuery();
List<String> ids = new ArrayList<>();
ids.add(invalidFormatRecord);
......@@ -90,4 +94,15 @@ public class BulkQueryValidatorTest {
assertTrue(this.sut.isValid(recordQuery, this.context));
}
@Test
public void should_notInterpolate_when_recordIdHasExpressionLanguage() {
RecordQuery recordQuery = new RecordQuery();
List<String> ids = new ArrayList<>();
ids.add("${2+2}");
recordQuery.setIds(ids);
assertFalse(this.sut.isValid(recordQuery, this.context));
verify(this.context).buildConstraintViolationWithTemplate("Invalid record format: '\\$\\{2+2\\}'. The following format is expected: {tenant-name}:{object-type}:{unique-identifier} or {tenant-name}:{object-type}:{unique-identifier}:{version}");
}
}
\ No newline at end of file
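Review bot: The added stub `when(this.context.buildConstraintViolationWithTemplate(anyString())).thenReturn(builder);` in `setup` comes after the two template-specific stubs, and in Mockito the most recently declared matching stubbing wins, so those two earlier stubs are now dead code; since all three return the same `builder` nothing changes at runtime, but the setup should keep only the `anyString()` stub (or only the specific ones) so the intent is clear. The `setup` method starts outside the hunk.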