SONAR-8462 escape param "q" in WS api/rules/repositories"

2 files changed, 19 insertions, 6 deletions

diff --git a/server/sonar-server/src/main/java/org/sonar/server/rule/ws/RepositoriesAction.java b/server/sonar-server/src/main/java/org/sonar/server/rule/ws/RepositoriesAction.java
index e21a44b874a..2a5106c9130 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/rule/ws/RepositoriesAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/rule/ws/RepositoriesAction.java
@@ -84,7 +84,7 @@ public class RepositoriesAction implements RulesWsAction {
   }
 
   private Collection<RuleRepositoryDto> listMatchingRepositories(@Nullable String query, @Nullable String languageKey) {
-    Pattern pattern = Pattern.compile(query == null ? MATCH_ALL : MATCH_ALL + query + MATCH_ALL, Pattern.CASE_INSENSITIVE);
+    Pattern pattern = Pattern.compile(query == null ? MATCH_ALL : MATCH_ALL + Pattern.quote(query) + MATCH_ALL, Pattern.CASE_INSENSITIVE);
 
     return selectFromDb(languageKey).stream()
       .filter(r -> pattern.matcher(r.getKey()).matches() || pattern.matcher(r.getName()).matches())
diff --git a/server/sonar-server/src/test/java/org/sonar/server/rule/ws/RepositoriesActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/rule/ws/RepositoriesActionTest.java
index d73535d881b..2eb759c4b67 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/rule/ws/RepositoriesActionTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/rule/ws/RepositoriesActionTest.java
@@ -33,6 +33,7 @@ import static java.util.Arrays.asList;
 
 public class RepositoriesActionTest {
 
+  private static final String EMPTY_JSON_RESPONSE = "{\"repositories\":[]}";
   private WsTester wsTester;
 
   @Rule
@@ -40,11 +41,6 @@ public class RepositoriesActionTest {
 
   @Before
   public void setUp() {
-    wsTester = new WsTester(new RulesWs(new RepositoriesAction(dbTester.getDbClient())));
-  }
-
-  @Test
-  public void should_list_repositories() throws Exception {
     DbSession dbSession = dbTester.getSession();
     RuleRepositoryDto repo1 = new RuleRepositoryDto("xoo", "xoo", "SonarQube");
     RuleRepositoryDto repo2 = new RuleRepositoryDto("squid", "ws", "SonarQube");
@@ -53,15 +49,32 @@ public class RepositoriesActionTest {
     dbSession.commit();
 
     wsTester = new WsTester(new RulesWs(new RepositoriesAction(dbTester.getDbClient())));
+  }
 
+  @Test
+  public void should_list_repositories() throws Exception {
     newRequest().execute().assertJson(this.getClass(), "repositories.json");
     newRequest().setParam("language", "xoo").execute().assertJson(this.getClass(), "repositories_xoo.json");
     newRequest().setParam("language", "ws").execute().assertJson(this.getClass(), "repositories_ws.json");
+  }
+
+  @Test
+  public void filter_repositories_by_name() throws Exception {
     newRequest().setParam("q", "common").execute().assertJson(this.getClass(), "repositories_common.json");
     newRequest().setParam("q", "squid").execute().assertJson(this.getClass(), "repositories_squid.json");
     newRequest().setParam("q", "sonar").execute().assertJson(this.getClass(), "repositories_sonar.json");
   }
 
+  @Test
+  public void do_not_consider_query_as_regexp_when_filtering_repositories_by_name() throws Exception {
+    // invalid regexp : do not fail. Query is not a regexp.
+    newRequest().setParam("q", "[").execute().assertJson(EMPTY_JSON_RESPONSE);
+
+    // this is not the "match all" regexp
+    newRequest().setParam("q", ".*").execute().assertJson(EMPTY_JSON_RESPONSE);
+
+  }
+
   protected TestRequest newRequest() {
     return wsTester.newGetRequest("api/rules", "repositories");
   }