From 6d984307d485e7ba603f299ac0ca1ab20fd53b73 Mon Sep 17 00:00:00 2001
From: Simon Brandhof <simon.brandhof@sonarsource.com>
Date: Thu, 1 Dec 2016 11:47:56 +0100
Subject: SONAR-8461 WS api/languages/list does escape the parameter "q"

---
 .../org/sonar/server/language/ws/ListAction.java   |  2 +-
 .../sonar/server/language/ws/LanguageWsTest.java   | 27 +++++++++++++++++++---
 2 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/server/sonar-server/src/main/java/org/sonar/server/language/ws/ListAction.java b/server/sonar-server/src/main/java/org/sonar/server/language/ws/ListAction.java
index 14edaf7d14b..3ea3e29b015 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/language/ws/ListAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/language/ws/ListAction.java
@@ -80,7 +80,7 @@ public class ListAction implements RequestHandler {
   }
 
   private Collection<Language> listMatchingLanguages(@Nullable String query, int pageSize) {
-    Pattern pattern = Pattern.compile(query == null ? MATCH_ALL : MATCH_ALL + query + MATCH_ALL, Pattern.CASE_INSENSITIVE);
+    Pattern pattern = Pattern.compile(query == null ? MATCH_ALL : MATCH_ALL + Pattern.quote(query) + MATCH_ALL, Pattern.CASE_INSENSITIVE);
 
     SortedMap<String, Language> languagesByName = Maps.newTreeMap();
     for (Language lang : languages.all()) {
diff --git a/server/sonar-server/src/test/java/org/sonar/server/language/ws/LanguageWsTest.java b/server/sonar-server/src/test/java/org/sonar/server/language/ws/LanguageWsTest.java
index 1e58a7a2b70..256cdbdf4bd 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/language/ws/LanguageWsTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/language/ws/LanguageWsTest.java
@@ -39,11 +39,12 @@ public class LanguageWsTest {
 
   private static final String CONTROLLER_LANGUAGES = "api/languages";
   private static final String ACTION_LIST = "list";
+  private static final String EMPTY_JSON_RESPONSE = "{\"languages\": []}";
 
   @Mock
   private Languages languages;
 
-  WsTester tester;
+  private WsTester tester;
 
   @Before
   public void setUp() {
@@ -77,7 +78,7 @@ public class LanguageWsTest {
   }
 
   @Test
-  public void should_list_languages() throws Exception {
+  public void list_all_languages() throws Exception {
     tester.newGetRequest(CONTROLLER_LANGUAGES, ACTION_LIST).execute().assertJson(this.getClass(), "list.json");
 
     tester.newGetRequest(CONTROLLER_LANGUAGES, ACTION_LIST)
@@ -89,7 +90,10 @@ public class LanguageWsTest {
     tester.newGetRequest(CONTROLLER_LANGUAGES, ACTION_LIST)
       .setParam("ps", "10")
       .execute().assertJson(this.getClass(), "list.json");
+  }
 
+  @Test
+  public void filter_languages_by_key_or_name() throws Exception {
     tester.newGetRequest(CONTROLLER_LANGUAGES, ACTION_LIST)
       .setParam("q", "ws")
       .execute().assertJson(this.getClass(), "list_filtered_key.json");
@@ -98,8 +102,25 @@ public class LanguageWsTest {
       .execute().assertJson(this.getClass(), "list_filtered_name.json");
   }
 
+  /**
+   * Potential vulnerability : the query provided by user must
+   * not be executed as a regexp.
+   */
+  @Test
+  public void filter_escapes_the_user_query() throws Exception {
+    // invalid regexp
+    tester.newGetRequest(CONTROLLER_LANGUAGES, ACTION_LIST)
+      .setParam("q", "[")
+      .execute().assertJson(EMPTY_JSON_RESPONSE);
+
+    // do not consider param as a regexp
+    tester.newGetRequest(CONTROLLER_LANGUAGES, ACTION_LIST)
+      .setParam("q", ".*")
+      .execute().assertJson(EMPTY_JSON_RESPONSE);
+  }
+
   static abstract class TestLanguage extends AbstractLanguage {
-    public TestLanguage(String key, String language) {
+    TestLanguage(String key, String language) {
       super(key, language);
     }
 
-- 
cgit v1.2.3


From 7248ea81e7ae41c3d386c424c946a7499eb9acd4 Mon Sep 17 00:00:00 2001
From: Simon Brandhof <simon.brandhof@sonarsource.com>
Date: Thu, 1 Dec 2016 14:09:58 +0100
Subject: SONAR-8462 WS api/rules/repositories does not escape the parameter
 "q"

---
 .../sonar/server/rule/ws/RepositoriesAction.java   |  2 +-
 .../server/rule/ws/RepositoriesActionTest.java     | 25 +++++++++++++++++++---
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/server/sonar-server/src/main/java/org/sonar/server/rule/ws/RepositoriesAction.java b/server/sonar-server/src/main/java/org/sonar/server/rule/ws/RepositoriesAction.java
index ac06c0aea8b..4aec9bb14e0 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/rule/ws/RepositoriesAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/rule/ws/RepositoriesAction.java
@@ -84,7 +84,7 @@ public class RepositoriesAction implements RulesWsAction {
   }
 
   private Collection<Repo> listMatchingRepositories(@Nullable String query, @Nullable String languageKey, int pageSize) {
-    Pattern pattern = Pattern.compile(query == null ? MATCH_ALL : MATCH_ALL + query + MATCH_ALL, Pattern.CASE_INSENSITIVE);
+    Pattern pattern = Pattern.compile(query == null ? MATCH_ALL : MATCH_ALL + Pattern.quote(query) + MATCH_ALL, Pattern.CASE_INSENSITIVE);
 
     SortedMap<String, Repo> reposByName = Maps.newTreeMap();
     Collection<Repo> repos = listRepositories(languageKey);
diff --git a/server/sonar-server/src/test/java/org/sonar/server/rule/ws/RepositoriesActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/rule/ws/RepositoriesActionTest.java
index 34d9fd65dd1..ee4aad71f38 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/rule/ws/RepositoriesActionTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/rule/ws/RepositoriesActionTest.java
@@ -35,6 +35,7 @@ import static org.mockito.Mockito.when;
 @RunWith(MockitoJUnitRunner.class)
 public class RepositoriesActionTest {
 
+  private static final String EMPTY_JSON_RESPONSE = "{\"repositories\":[]}";
   private WsTester tester;
 
   @Mock
@@ -65,18 +66,36 @@ public class RepositoriesActionTest {
   }
 
   @Test
-  public void should_list_repositories() throws Exception {
+  public void list_repositories() throws Exception {
     tester = new WsTester(new RulesWs(new RepositoriesAction(repositories)));
 
     newRequest().execute().assertJson(this.getClass(), "repositories.json");
     newRequest().setParam("language", "xoo").execute().assertJson(this.getClass(), "repositories_xoo.json");
     newRequest().setParam("language", "ws").execute().assertJson(this.getClass(), "repositories_ws.json");
+    newRequest().setParam("ps", "4").execute().assertJson(this.getClass(), "repositories.json");
+    newRequest().setParam("ps", "100").execute().assertJson(this.getClass(), "repositories.json");
+  }
+
+  @Test
+  public void filter_repositories_by_name() throws Exception {
+    tester = new WsTester(new RulesWs(new RepositoriesAction(repositories)));
+
     newRequest().setParam("q", "common").execute().assertJson(this.getClass(), "repositories_common.json");
     newRequest().setParam("q", "squid").execute().assertJson(this.getClass(), "repositories_squid.json");
     newRequest().setParam("q", "sonar").execute().assertJson(this.getClass(), "repositories_sonar.json");
     newRequest().setParam("q", "sonar").setParam("ps", "2").execute().assertJson(this.getClass(), "repositories_limited.json");
-    newRequest().setParam("ps", "4").execute().assertJson(this.getClass(), "repositories.json");
-    newRequest().setParam("ps", "100").execute().assertJson(this.getClass(), "repositories.json");
+  }
+
+  @Test
+  public void do_not_consider_query_as_regexp_when_filtering_repositories_by_name() throws Exception {
+    tester = new WsTester(new RulesWs(new RepositoriesAction(repositories)));
+
+    // invalid regexp : do not fail. Query is not a regexp.
+    newRequest().setParam("q", "[").execute().assertJson(EMPTY_JSON_RESPONSE);
+
+    // this is not the "match all" regexp
+    newRequest().setParam("q", ".*").execute().assertJson(EMPTY_JSON_RESPONSE);
+
   }
 
   protected TestRequest newRequest() {
-- 
cgit v1.2.3


From 46dc0f0590c60abfe479c95f17f11b552ad070a9 Mon Sep 17 00:00:00 2001
From: Sébastien Lesaint <sebastien.lesaint@sonarsource.com>
Date: Mon, 5 Dec 2016 17:33:36 +0100
Subject: SONAR-8447 avoid select to key ce_activity.is_key up to date

---
 sonar-db/src/main/java/org/sonar/db/ce/CeActivityDao.java | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/sonar-db/src/main/java/org/sonar/db/ce/CeActivityDao.java b/sonar-db/src/main/java/org/sonar/db/ce/CeActivityDao.java
index 91f155ee3ca..3893059b645 100644
--- a/sonar-db/src/main/java/org/sonar/db/ce/CeActivityDao.java
+++ b/sonar-db/src/main/java/org/sonar/db/ce/CeActivityDao.java
@@ -23,7 +23,6 @@ import com.google.common.base.Optional;
 import java.util.Collections;
 import java.util.List;
 import javax.annotation.Nullable;
-import org.apache.ibatis.session.RowBounds;
 import org.sonar.api.utils.System2;
 import org.sonar.db.Dao;
 import org.sonar.db.DbSession;
@@ -43,15 +42,13 @@ public class CeActivityDao implements Dao {
   public void insert(DbSession dbSession, CeActivityDto dto) {
     dto.setCreatedAt(system2.now());
     dto.setUpdatedAt(system2.now());
-    dto.setIsLast(false);
-    mapper(dbSession).insert(dto);
+    dto.setIsLast(dto.getStatus() != CeActivityDto.Status.CANCELED);
 
-    List<String> uuids = mapper(dbSession).selectUuidsOfRecentlyCreatedByIsLastKey(dto.getIsLastKey(), new RowBounds(0, 1));
-    // should never be empty, as a row was just inserted!
-    if (!uuids.isEmpty()) {
-      mapper(dbSession).updateIsLastToFalseForLastKey(dto.getIsLastKey(), dto.getUpdatedAt());
-      mapper(dbSession).updateIsLastToTrueForUuid(uuids.get(0), dto.getUpdatedAt());
+    CeActivityMapper ceActivityMapper = mapper(dbSession);
+    if (dto.getIsLast()) {
+      ceActivityMapper.updateIsLastToFalseForLastKey(dto.getIsLastKey(), dto.getUpdatedAt());
     }
+    ceActivityMapper.insert(dto);
   }
 
   public List<CeActivityDto> selectOlderThan(DbSession dbSession, long beforeDate) {
-- 
cgit v1.2.3


From af4e544bb6bc2572ddcc37c8597c34b6dd5a35b0 Mon Sep 17 00:00:00 2001
From: Sébastien Lesaint <sebastien.lesaint@sonarsource.com>
Date: Mon, 5 Dec 2016 17:35:35 +0100
Subject: SONAR-8442 do not do a select to keep ce_activity.is_key up to date

---
 sonar-db/src/main/java/org/sonar/db/ce/CeActivityDao.java | 13 +++++--------
 .../src/main/java/org/sonar/db/ce/CeActivityMapper.java   |  5 -----
 .../main/resources/org/sonar/db/ce/CeActivityMapper.xml   | 15 ---------------
 3 files changed, 5 insertions(+), 28 deletions(-)

diff --git a/sonar-db/src/main/java/org/sonar/db/ce/CeActivityDao.java b/sonar-db/src/main/java/org/sonar/db/ce/CeActivityDao.java
index 5a7cada22da..ec07a732ff8 100644
--- a/sonar-db/src/main/java/org/sonar/db/ce/CeActivityDao.java
+++ b/sonar-db/src/main/java/org/sonar/db/ce/CeActivityDao.java
@@ -24,7 +24,6 @@ import java.util.Collections;
 import java.util.List;
 import java.util.Set;
 import javax.annotation.Nullable;
-import org.apache.ibatis.session.RowBounds;
 import org.sonar.api.utils.System2;
 import org.sonar.db.Dao;
 import org.sonar.db.DbSession;
@@ -46,15 +45,13 @@ public class CeActivityDao implements Dao {
   public void insert(DbSession dbSession, CeActivityDto dto) {
     dto.setCreatedAt(system2.now());
     dto.setUpdatedAt(system2.now());
-    dto.setIsLast(false);
-    mapper(dbSession).insert(dto);
+    dto.setIsLast(dto.getStatus() != CeActivityDto.Status.CANCELED);
 
-    List<String> uuids = mapper(dbSession).selectUuidsOfRecentlyCreatedByIsLastKey(dto.getIsLastKey(), new RowBounds(0, 1));
-    // should never be empty, as a row was just inserted!
-    if (!uuids.isEmpty()) {
-      mapper(dbSession).updateIsLastToFalseForLastKey(dto.getIsLastKey(), dto.getUpdatedAt());
-      mapper(dbSession).updateIsLastToTrueForUuid(uuids.get(0), dto.getUpdatedAt());
+    CeActivityMapper ceActivityMapper = mapper(dbSession);
+    if (dto.getIsLast()) {
+      ceActivityMapper.updateIsLastToFalseForLastKey(dto.getIsLastKey(), dto.getUpdatedAt());
     }
+    ceActivityMapper.insert(dto);
   }
 
   public List<CeActivityDto> selectOlderThan(DbSession dbSession, long beforeDate) {
diff --git a/sonar-db/src/main/java/org/sonar/db/ce/CeActivityMapper.java b/sonar-db/src/main/java/org/sonar/db/ce/CeActivityMapper.java
index ea5d9e9c885..07015f5335f 100644
--- a/sonar-db/src/main/java/org/sonar/db/ce/CeActivityMapper.java
+++ b/sonar-db/src/main/java/org/sonar/db/ce/CeActivityMapper.java
@@ -23,12 +23,9 @@ import java.util.List;
 import javax.annotation.CheckForNull;
 import javax.annotation.Nullable;
 import org.apache.ibatis.annotations.Param;
-import org.apache.ibatis.session.RowBounds;
 
 public interface CeActivityMapper {
 
-  List<String> selectUuidsOfRecentlyCreatedByIsLastKey(@Param("isLastKey") String isLastKey, RowBounds rowBounds);
-
   @CheckForNull
   CeActivityDto selectByUuid(@Param("uuid") String uuid);
 
@@ -44,7 +41,5 @@ public interface CeActivityMapper {
 
   void updateIsLastToFalseForLastKey(@Param("isLastKey") String isLastKey, @Param("updatedAt") long updatedAt);
 
-  void updateIsLastToTrueForUuid(@Param("uuid") String uuid, @Param("updatedAt") long updatedAt);
-
   void deleteByUuids(@Param("uuids") List<String> uuids);
 }
diff --git a/sonar-db/src/main/resources/org/sonar/db/ce/CeActivityMapper.xml b/sonar-db/src/main/resources/org/sonar/db/ce/CeActivityMapper.xml
index c0281f1b9d9..c4226b8efb2 100644
--- a/sonar-db/src/main/resources/org/sonar/db/ce/CeActivityMapper.xml
+++ b/sonar-db/src/main/resources/org/sonar/db/ce/CeActivityMapper.xml
@@ -44,14 +44,6 @@
     where ca.uuid=#{uuid}
   </select>
 
-  <select id="selectUuidsOfRecentlyCreatedByIsLastKey" parameterType="String" resultType="String">
-    select uuid
-    from ce_activity
-    where is_last_key=#{isLastKey}
-      and status &lt;&gt; 'CANCELED'
-    order by id desc
-  </select>
-
   <select id="selectByQuery" parameterType="map" resultType="org.sonar.db.ce.CeActivityDto">
     SELECT
     <include refid="columns"/>
@@ -181,13 +173,6 @@
     where is_last=${_true} and is_last_key=#{isLastKey}
   </update>
 
-  <update id="updateIsLastToTrueForUuid" parameterType="map">
-    update ce_activity
-    set is_last=${_true},
-    updated_at=#{updatedAt,jdbcType=BIGINT}
-    where uuid=#{uuid}
-  </update>
-
   <delete id="deleteByUuids" parameterType="string">
     delete
       from ce_activity
-- 
cgit v1.2.3


From aea44b9d8f223e201b5a4a2f0d85206880e76de5 Mon Sep 17 00:00:00 2001
From: Sébastien Lesaint <sebastien.lesaint@sonarsource.com>
Date: Mon, 5 Dec 2016 13:48:22 +0100
Subject: SONAR-8332 fix broken thread safety of UUID generation

---
 .../org/sonar/core/util/UuidGeneratorImpl.java     | 18 ++++---
 .../org/sonar/core/util/UuidGeneratorImplTest.java | 61 +++++++++++++++++++++-
 2 files changed, 71 insertions(+), 8 deletions(-)

diff --git a/sonar-core/src/main/java/org/sonar/core/util/UuidGeneratorImpl.java b/sonar-core/src/main/java/org/sonar/core/util/UuidGeneratorImpl.java
index f76adf7e0cc..2b3b13d7f92 100644
--- a/sonar-core/src/main/java/org/sonar/core/util/UuidGeneratorImpl.java
+++ b/sonar-core/src/main/java/org/sonar/core/util/UuidGeneratorImpl.java
@@ -38,7 +38,6 @@ public final class UuidGeneratorImpl implements UuidGenerator {
   }
 
   private static class UuidGeneratorBase {
-    private final byte[] buffer = new byte[15];
     // We only use bottom 3 bytes for the sequence number. Paranoia: init with random int so that if JVM/OS/machine goes down, clock slips
     // backwards, and JVM comes back up, we are less likely to be on the same sequenceNumber at the same time:
     private final AtomicInteger sequenceNumber = new AtomicInteger(new SecureRandom().nextInt());
@@ -46,7 +45,7 @@ public final class UuidGeneratorImpl implements UuidGenerator {
     // Used to ensure clock moves forward
     private long lastTimestamp = 0L;
 
-    void initBase(int sequenceId) {
+    void initBase(byte[] buffer, int sequenceId) {
       long timestamp = System.currentTimeMillis();
 
       synchronized (this) {
@@ -70,7 +69,7 @@ public final class UuidGeneratorImpl implements UuidGenerator {
       System.arraycopy(secureMungedAddress, 0, buffer, 6, secureMungedAddress.length);
     }
 
-    protected byte[] generate(int increment) {
+    protected byte[] generate(byte[] buffer, int increment) {
       // Sequence number adds 3 bytes
       putLong(buffer, increment, 12, 3);
 
@@ -93,21 +92,26 @@ public final class UuidGeneratorImpl implements UuidGenerator {
 
     @Override
     public byte[] get() {
+      byte[] buffer = new byte[15];
       int sequenceId = getSequenceId();
-      initBase(sequenceId);
-      return super.generate(sequenceId);
+      initBase(buffer, sequenceId);
+      return super.generate(buffer, sequenceId);
     }
   }
 
   private static class FixedBasedUuidGenerator extends UuidGeneratorBase implements WithFixedBase {
+    private final byte[] base = new byte[15];
+
     FixedBasedUuidGenerator() {
       int sequenceId = getSequenceId();
-      initBase(sequenceId);
+      initBase(base, sequenceId);
     }
 
     @Override
     public byte[] generate(int increment) {
-      return super.generate(increment);
+      byte[] buffer = new byte[15];
+      System.arraycopy(base, 0, buffer, 0, buffer.length);
+      return super.generate(buffer, increment);
     }
   }
 }
diff --git a/sonar-core/src/test/java/org/sonar/core/util/UuidGeneratorImplTest.java b/sonar-core/src/test/java/org/sonar/core/util/UuidGeneratorImplTest.java
index 21200b0aa40..175aec720c6 100644
--- a/sonar-core/src/test/java/org/sonar/core/util/UuidGeneratorImplTest.java
+++ b/sonar-core/src/test/java/org/sonar/core/util/UuidGeneratorImplTest.java
@@ -19,10 +19,13 @@
  */
 package org.sonar.core.util;
 
+import java.util.ArrayList;
 import java.util.Base64;
 import java.util.HashSet;
 import java.util.Iterator;
+import java.util.List;
 import java.util.Set;
+import java.util.concurrent.atomic.AtomicInteger;
 import org.junit.Test;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -31,7 +34,7 @@ public class UuidGeneratorImplTest {
   private UuidGeneratorImpl underTest = new UuidGeneratorImpl();
 
   @Test
-  public void generate_returns_unique_values_without_common_initial_letter_given_more_than_one_milisecond_between_generate_calls() throws InterruptedException {
+  public void generate_returns_unique_values_without_common_initial_letter_given_more_than_one_millisecond_between_generate_calls() throws InterruptedException {
     Base64.Encoder encoder = Base64.getEncoder();
     int count = 30;
     Set<String> uuids = new HashSet<>(count);
@@ -49,6 +52,33 @@ public class UuidGeneratorImplTest {
     }
   }
 
+  @Test
+  public void generate_concurrent_test() throws InterruptedException {
+    int rounds = 500;
+    List<byte[]> uuids1 = new ArrayList<>(rounds);
+    List<byte[]> uuids2 = new ArrayList<>(rounds);
+    Thread t1 = new Thread(() -> {
+      for (int i = 0; i < rounds; i++) {
+        uuids1.add(underTest.generate());
+      }
+    });
+    Thread t2 = new Thread(() -> {
+      for (int i = 0; i < rounds; i++) {
+        uuids2.add(underTest.generate());
+      }
+    });
+    t1.start();
+    t2.start();
+    t1.join();
+    t2.join();
+
+    Base64.Encoder encoder = Base64.getEncoder();
+    Set<String> uuids = new HashSet<>(rounds * 2);
+    uuids1.forEach(bytes -> uuids.add(encoder.encodeToString(bytes)));
+    uuids2.forEach(bytes -> uuids.add(encoder.encodeToString(bytes)));
+    assertThat(uuids).hasSize(rounds * 2);
+  }
+
   @Test
   public void generate_from_FixedBase_returns_unique_values_where_only_last_4_later_letter_change() {
     Base64.Encoder encoder = Base64.getEncoder();
@@ -68,4 +98,33 @@ public class UuidGeneratorImplTest {
       assertThat(iterator.next()).startsWith(base);
     }
   }
+
+  @Test
+  public void generate_from_FixedBase_concurrent_test() throws InterruptedException {
+    UuidGenerator.WithFixedBase withFixedBase = underTest.withFixedBase();
+    int rounds = 500;
+    List<byte[]> uuids1 = new ArrayList<>(rounds);
+    List<byte[]> uuids2 = new ArrayList<>(rounds);
+    AtomicInteger cnt = new AtomicInteger();
+    Thread t1 = new Thread(() -> {
+      for (int i = 0; i < rounds; i++) {
+        uuids1.add(withFixedBase.generate(cnt.getAndIncrement()));
+      }
+    });
+    Thread t2 = new Thread(() -> {
+      for (int i = 0; i < rounds; i++) {
+        uuids2.add(withFixedBase.generate(cnt.getAndIncrement()));
+      }
+    });
+    t1.start();
+    t2.start();
+    t1.join();
+    t2.join();
+
+    Base64.Encoder encoder = Base64.getEncoder();
+    Set<String> uuids = new HashSet<>(rounds * 2);
+    uuids1.forEach(bytes -> uuids.add(encoder.encodeToString(bytes)));
+    uuids2.forEach(bytes -> uuids.add(encoder.encodeToString(bytes)));
+    assertThat(uuids).hasSize(rounds * 2);
+  }
 }
-- 
cgit v1.2.3