SSF-24 SQL Injection on Measures page

diff --git a/server/sonar-server/src/main/java/org/sonar/server/measure/MeasureFilterFactory.java b/server/sonar-server/src/main/java/org/sonar/server/measure/MeasureFilterFactory.java
index bb6dcdda810598b6d8584fcbd34bd7c62a413b41..d572a320bfada730895cc42bce49debaf63e91c2 100644 (file)
--- a/server/sonar-server/src/main/java/org/sonar/server/measure/MeasureFilterFactory.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/measure/MeasureFilterFactory.java
@@ -123,7 +123,7 @@ public class MeasureFilterFactory implements ServerComponent {
     }
   }
 
-  private List<String> sortFieldLabels(){
+  private List<String> sortFieldLabels() {
     return newArrayList(Iterables.transform(Arrays.asList(MeasureFilterSort.Field.values()), new Function<MeasureFilterSort.Field, String>() {
       @Override
       public String apply(@Nullable MeasureFilterSort.Field input) {
@@ -155,22 +155,23 @@ public class MeasureFilterFactory implements ServerComponent {
     if (alertLevels == null || alertLevels.isEmpty()) {
       return null;
     }
-    MeasureFilterCondition condition = null;
-    String metricKey = CoreMetrics.ALERT_STATUS_KEY;
-    String op = "in";
+    final List<String> availableLevels = Lists.transform(Arrays.asList(Metric.Level.values()), new Function<Metric.Level, String>() {
+      @Override
+      public String apply(@Nullable Metric.Level input) {
+        return input != null ? input.name() : null;
+      }
+    });
+
     List<String> alertLevelsUppercase = Lists.transform(alertLevels, new Function<String, String>() {
       @Override
       public String apply(@Nullable String input) {
-        return input != null ? input.toUpperCase() : "";
+        return input != null && availableLevels.contains(input.toUpperCase()) ? input.toUpperCase() : null;
       }
     });
-    String val = "('" + Joiner.on("', '").join(alertLevelsUppercase) + "')";
-    if (!Strings.isNullOrEmpty(metricKey) && !Strings.isNullOrEmpty(op) && !Strings.isNullOrEmpty(val)) {
-      Metric metric = metricFinder.findByKey(metricKey);
-      MeasureFilterCondition.Operator operator = MeasureFilterCondition.Operator.fromCode(op);
-      condition = new MeasureFilterCondition(metric, operator, val);
-    }
-    return condition;
+    String val = "('" + Joiner.on("', '").skipNulls().join(alertLevelsUppercase) + "')";
+    Metric metric = metricFinder.findByKey(CoreMetrics.ALERT_STATUS_KEY);
+    MeasureFilterCondition.Operator operator = MeasureFilterCondition.Operator.fromCode("in");
+    return new MeasureFilterCondition(metric, operator, val);
   }
 
   private List<String> toList(@Nullable Object obj) {

diff --git a/server/sonar-server/src/test/java/org/sonar/server/measure/MeasureFilterFactoryTest.java b/server/sonar-server/src/test/java/org/sonar/server/measure/MeasureFilterFactoryTest.java
index 20cc5872beeeeaa70c916a781b08b0a3cc0f2337..cd2b01ea4a9061f09a92fd904baed0be59e3249e 100644 (file)
--- a/server/sonar-server/src/test/java/org/sonar/server/measure/MeasureFilterFactoryTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/measure/MeasureFilterFactoryTest.java
@@ -195,7 +195,7 @@ public class MeasureFilterFactoryTest {
   public void alert_level_condition() {
     MeasureFilterFactory factory = new MeasureFilterFactory(newMetricFinder(), system);
     Map<String, Object> props = ImmutableMap.<String, Object>of(
-      "alertLevels", Arrays.asList("error", "warn")
+      "alertLevels", Arrays.asList("error", "warn", "unknown")
     );
     MeasureFilter filter = factory.create(props);