From 453af2ded25fd525a01f21c14791c32246660171 Mon Sep 17 00:00:00 2001
From: Julien Lancelot
Date: Mon, 8 Dec 2014 18:27:03 +0100
Subject: [PATCH] SSF-24 SQL Injection on Measures page
---
 .../server/measure/MeasureFilterFactory.java | 25 ++++++++++---------
 .../measure/MeasureFilterFactoryTest.java | 2 +-
 2 files changed, 14 insertions(+), 13 deletions(-)
diff --git a/server/sonar-server/src/main/java/org/sonar/server/measure/MeasureFilterFactory.java b/server/sonar-server/src/main/java/org/sonar/server/measure/MeasureFilterFactory.java
index bb6dcdda810..d572a320bfa 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/measure/MeasureFilterFactory.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/measure/MeasureFilterFactory.java
@@ -123,7 +123,7 @@ public class MeasureFilterFactory implements ServerComponent {
 }
 }
- private List sortFieldLabels(){
+ private List sortFieldLabels() {
 return newArrayList(Iterables.transform(Arrays.asList(MeasureFilterSort.Field.values()), new Function() {
 @Override
 public String apply(@Nullable MeasureFilterSort.Field input) {
@@ -155,22 +155,23 @@ public class MeasureFilterFactory implements ServerComponent {
 if (alertLevels == null || alertLevels.isEmpty()) {
 return null;
 }
- MeasureFilterCondition condition = null;
- String metricKey = CoreMetrics.ALERT_STATUS_KEY;
- String op = "in";
+ final List availableLevels = Lists.transform(Arrays.asList(Metric.Level.values()), new Function() {
+ @Override
+ public String apply(@Nullable Metric.Level input) {
+ return input != null ? input.name() : null;
+ }
+ });
+ List alertLevelsUppercase = Lists.transform(alertLevels, new Function() {
 @Override
 public String apply(@Nullable String input) {
- return input != null ? input.toUpperCase() : "";
+ return input != null && availableLevels.contains(input.toUpperCase()) ? input.toUpperCase() : null;
 }
 });
- String val = "('" + Joiner.on("', '").join(alertLevelsUppercase) + "')";
- if (!Strings.isNullOrEmpty(metricKey) && !Strings.isNullOrEmpty(op) && !Strings.isNullOrEmpty(val)) {
- Metric metric = metricFinder.findByKey(metricKey);
- MeasureFilterCondition.Operator operator = MeasureFilterCondition.Operator.fromCode(op);
- condition = new MeasureFilterCondition(metric, operator, val);
- }
- return condition;
+ String val = "('" + Joiner.on("', '").skipNulls().join(alertLevelsUppercase) + "')";
+ Metric metric = metricFinder.findByKey(CoreMetrics.ALERT_STATUS_KEY);
+ MeasureFilterCondition.Operator operator = MeasureFilterCondition.Operator.fromCode("in");
+ return new MeasureFilterCondition(metric, operator, val);
 }
 private List toList(@Nullable Object obj) {
diff --git a/server/sonar-server/src/test/java/org/sonar/server/measure/MeasureFilterFactoryTest.java b/server/sonar-server/src/test/java/org/sonar/server/measure/MeasureFilterFactoryTest.java
index 20cc5872bee..cd2b01ea4a9 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/measure/MeasureFilterFactoryTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/measure/MeasureFilterFactoryTest.java
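Review bot: When every supplied level is rejected by the whitelist, `alertLevelsUppercase` holds only nulls, `skipNulls()` joins them to an empty string and `val` becomes `('')`, so the method still returns a condition that filters on an empty alert status instead of treating the request like an empty list (the `return null` at the top of the hunk). Collecting the surviving names first and returning null when none remain keeps both cases consistent; the removed `Strings.isNullOrEmpty(val)` guard never caught this either, because `val` always carried the parentheses. The whitelist against `Metric.Level` names is what makes the later concatenation into `val` safe, and that intent deserves a comment on the `availableLevels` line, e.g. `// Only Metric.Level constant names may reach the SQL fragment built below; anything else is dropped`. `Predicates.notNull()` in the sketch below is Guava's and needs an import; the enclosing method starts above the hunk and `toList` continues below it.
```java
    // … unchanged: availableLevels / alertLevelsUppercase transforms …
    List<String> validLevels = newArrayList(Iterables.filter(alertLevelsUppercase, Predicates.notNull()));
    if (validLevels.isEmpty()) {
      return null;
    }
    String val = "('" + Joiner.on("', '").join(validLevels) + "')";
    // … unchanged: metric / operator lookup and return …
```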
@@ -195,7 +195,7 @@ public class MeasureFilterFactoryTest {
 public void alert_level_condition() {
 MeasureFilterFactory factory = new MeasureFilterFactory(newMetricFinder(), system);
 Map props = ImmutableMap.of(
- "alertLevels", Arrays.asList("error", "warn")
+ "alertLevels", Arrays.asList("error", "warn", "unknown")
 );
 MeasureFilter filter = factory.create(props);
-- 
2.39.5
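Review bot: Adding `"unknown"` to the input only demonstrates the whitelist if the assertion further down (outside the hunk) checks that the rendered value is exactly `('ERROR', 'WARN')`; please confirm it does that rather than only asserting that a condition exists. A second case where every level is unrecognised, e.g. `"alertLevels", Arrays.asList("unknown")`, would also pin what the factory does then (with the current change, a condition carrying `('')` rather than no condition), which is the behaviour most worth locking down after an injection fix. The test method continues below the hunk.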