authorSimon Brandhof <simon.brandhof@sonarsource.com>2016-12-01 11:47:56 +0100
committerSimon Brandhof <simon.brandhof@sonarsource.com>2016-12-01 14:58:26 +0100
commit6d984307d485e7ba603f299ac0ca1ab20fd53b73 (patch)
treecb6bda6ced88d2c8960d9b1f55ae69b4a825c384
parent5bc1fd00c729e6bec1d5b38e42235dcf7ff7d16a (diff)
downloadsonarqube-6d984307d485e7ba603f299ac0ca1ab20fd53b73.tar.gz
sonarqube-6d984307d485e7ba603f299ac0ca1ab20fd53b73.zip
SONAR-8461 WS api/languages/list does escape the parameter "q"
-rw-r--r--server/sonar-server/src/main/java/org/sonar/server/language/ws/ListAction.java2
-rw-r--r--server/sonar-server/src/test/java/org/sonar/server/language/ws/LanguageWsTest.java27
2 files changed, 25 insertions, 4 deletions
diff --git a/server/sonar-server/src/main/java/org/sonar/server/language/ws/ListAction.java b/server/sonar-server/src/main/java/org/sonar/server/language/ws/ListAction.java
index 14edaf7d14b..3ea3e29b015 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/language/ws/ListAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/language/ws/ListAction.java
@@ -80,7 +80,7 @@ public class ListAction implements RequestHandler {
}
private Collection<Language> listMatchingLanguages(@Nullable String query, int pageSize) {
- Pattern pattern = Pattern.compile(query == null ? MATCH_ALL : MATCH_ALL + query + MATCH_ALL, Pattern.CASE_INSENSITIVE);
+ Pattern pattern = Pattern.compile(query == null ? MATCH_ALL : MATCH_ALL + Pattern.quote(query) + MATCH_ALL, Pattern.CASE_INSENSITIVE);
SortedMap<String, Language> languagesByName = Maps.newTreeMap();
for (Language lang : languages.all()) {
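Review bot: The `Pattern.quote(query)` added on the changed line carries no comment explaining why it is there, so a later cleanup could drop the quoting and silently reintroduce the behaviour this commit fixes (a `PatternSyntaxException` on input such as `[`, and user-controlled regex semantics for input such as `.*`). Add above the line `// "q" is request input: quote it so it is matched literally, never interpreted as a regex`. Since the query is now always a literal wrapped in MATCH_ALL, the regex engine is arguably no longer needed at all and a case-insensitive substring check would be simpler and cheaper per request, but that depends on how the pattern is applied in the loop, which lies outside the hunk. listMatchingLanguages's body continues past the end of this hunk.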
diff --git a/server/sonar-server/src/test/java/org/sonar/server/language/ws/LanguageWsTest.java b/server/sonar-server/src/test/java/org/sonar/server/language/ws/LanguageWsTest.java
index 1e58a7a2b70..256cdbdf4bd 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/language/ws/LanguageWsTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/language/ws/LanguageWsTest.java
@@ -39,11 +39,12 @@ public class LanguageWsTest {
private static final String CONTROLLER_LANGUAGES = "api/languages";
private static final String ACTION_LIST = "list";
+ private static final String EMPTY_JSON_RESPONSE = "{\"languages\": []}";
@Mock
private Languages languages;
- WsTester tester;
+ private WsTester tester;
@Before
public void setUp() {
@@ -77,7 +78,7 @@ public class LanguageWsTest {
}
@Test
- public void should_list_languages() throws Exception {
+ public void list_all_languages() throws Exception {
tester.newGetRequest(CONTROLLER_LANGUAGES, ACTION_LIST).execute().assertJson(this.getClass(), "list.json");
tester.newGetRequest(CONTROLLER_LANGUAGES, ACTION_LIST)
@@ -89,7 +90,10 @@ public class LanguageWsTest {
tester.newGetRequest(CONTROLLER_LANGUAGES, ACTION_LIST)
.setParam("ps", "10")
.execute().assertJson(this.getClass(), "list.json");
+ }
+ @Test
+ public void filter_languages_by_key_or_name() throws Exception {
tester.newGetRequest(CONTROLLER_LANGUAGES, ACTION_LIST)
.setParam("q", "ws")
.execute().assertJson(this.getClass(), "list_filtered_key.json");
@@ -98,8 +102,25 @@ public class LanguageWsTest {
.execute().assertJson(this.getClass(), "list_filtered_name.json");
}
+ /**
+ * Potential vulnerability : the query provided by user must
+ * not be executed as a regexp.
+ */
+ @Test
+ public void filter_escapes_the_user_query() throws Exception {
+ // invalid regexp
+ tester.newGetRequest(CONTROLLER_LANGUAGES, ACTION_LIST)
+ .setParam("q", "[")
+ .execute().assertJson(EMPTY_JSON_RESPONSE);
+
+ // do not consider param as a regexp
+ tester.newGetRequest(CONTROLLER_LANGUAGES, ACTION_LIST)
+ .setParam("q", ".*")
+ .execute().assertJson(EMPTY_JSON_RESPONSE);
+ }
+
static abstract class TestLanguage extends AbstractLanguage {
- public TestLanguage(String key, String language) {
+ TestLanguage(String key, String language) {
super(key, language);
}