From 2d8b4511099529d8f36f89d64b357c51a27c173f Mon Sep 17 00:00:00 2001 From: Simon Brandhof Date: Thu, 1 Dec 2016 11:47:56 +0100 Subject: [PATCH] SONAR-8461 escape param "q" in WS api/languages/list --- .../sonar/server/language/ws/ListAction.java | 2 +- .../server/language/ws/LanguageWsTest.java | 27 ++++++++++++++++--- 2 files changed, 25 insertions(+), 4 deletions(-) diff --git a/server/sonar-server/src/main/java/org/sonar/server/language/ws/ListAction.java b/server/sonar-server/src/main/java/org/sonar/server/language/ws/ListAction.java index 14edaf7d14b..3ea3e29b015 100644 --- a/server/sonar-server/src/main/java/org/sonar/server/language/ws/ListAction.java +++ b/server/sonar-server/src/main/java/org/sonar/server/language/ws/ListAction.java @@ -80,7 +80,7 @@ public class ListAction implements RequestHandler { } private Collection listMatchingLanguages(@Nullable String query, int pageSize) { - Pattern pattern = Pattern.compile(query == null ? MATCH_ALL : MATCH_ALL + query + MATCH_ALL, Pattern.CASE_INSENSITIVE); + Pattern pattern = Pattern.compile(query == null ? MATCH_ALL : MATCH_ALL + Pattern.quote(query) + MATCH_ALL, Pattern.CASE_INSENSITIVE); SortedMap languagesByName = Maps.newTreeMap(); for (Language lang : languages.all()) { diff --git a/server/sonar-server/src/test/java/org/sonar/server/language/ws/LanguageWsTest.java b/server/sonar-server/src/test/java/org/sonar/server/language/ws/LanguageWsTest.java index 1e58a7a2b70..256cdbdf4bd 100644 --- a/server/sonar-server/src/test/java/org/sonar/server/language/ws/LanguageWsTest.java +++ b/server/sonar-server/src/test/java/org/sonar/server/language/ws/LanguageWsTest.java @@ -39,11 +39,12 @@ public class LanguageWsTest { private static final String CONTROLLER_LANGUAGES = "api/languages"; private static final String ACTION_LIST = "list"; + private static final String EMPTY_JSON_RESPONSE = "{\"languages\": []}"; @Mock private Languages languages; - WsTester tester; + private WsTester tester; @Before public void setUp() { @@ -77,7 +78,7 @@ public class LanguageWsTest { } @Test - public void should_list_languages() throws Exception { + public void list_all_languages() throws Exception { tester.newGetRequest(CONTROLLER_LANGUAGES, ACTION_LIST).execute().assertJson(this.getClass(), "list.json"); tester.newGetRequest(CONTROLLER_LANGUAGES, ACTION_LIST) @@ -89,7 +90,10 @@ public class LanguageWsTest { tester.newGetRequest(CONTROLLER_LANGUAGES, ACTION_LIST) .setParam("ps", "10") .execute().assertJson(this.getClass(), "list.json"); + } + @Test + public void filter_languages_by_key_or_name() throws Exception { tester.newGetRequest(CONTROLLER_LANGUAGES, ACTION_LIST) .setParam("q", "ws") .execute().assertJson(this.getClass(), "list_filtered_key.json"); @@ -98,8 +102,25 @@ public class LanguageWsTest { .execute().assertJson(this.getClass(), "list_filtered_name.json"); } + /** + * Potential vulnerability : the query provided by user must + * not be executed as a regexp. + */ + @Test + public void filter_escapes_the_user_query() throws Exception { + // invalid regexp + tester.newGetRequest(CONTROLLER_LANGUAGES, ACTION_LIST) + .setParam("q", "[") + .execute().assertJson(EMPTY_JSON_RESPONSE); + + // do not consider param as a regexp + tester.newGetRequest(CONTROLLER_LANGUAGES, ACTION_LIST) + .setParam("q", ".*") + .execute().assertJson(EMPTY_JSON_RESPONSE); + } + static abstract class TestLanguage extends AbstractLanguage { - public TestLanguage(String key, String language) { + TestLanguage(String key, String language) { super(key, language); } -- 2.39.5