Posted to commits@fineract.apache.org by al...@apache.org on 2023/02/19 21:02:54 UTC

[fineract] branch 1.8.4 updated: FINERACT-1870: Run reports fix for 1.8.x

This is an automated email from the ASF dual-hosted git repository.

aleks pushed a commit to branch 1.8.4
in repository https://gitbox.apache.org/repos/asf/fineract.git


The following commit(s) were added to refs/heads/1.8.4 by this push:
     new 7a37a47b3 FINERACT-1870: Run reports fix for 1.8.x
7a37a47b3 is described below

commit 7a37a47b39cc892d7ad6f56e2c46756cf0c7549c
Author: Aleks <al...@apache.org>
AuthorDate: Thu Jan 26 15:02:52 2023 +0100

    FINERACT-1870: Run reports fix for 1.8.x
---
 .../security/utils/SQLInjectionValidator.java      | 50 ++++++++++++++--------
 1 file changed, 32 insertions(+), 18 deletions(-)

diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
index a8128a485..5cd4bb386 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
@@ -18,6 +18,7 @@
  */
 package org.apache.fineract.infrastructure.security.utils;
 
+import java.util.List;
 import java.util.StringTokenizer;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -37,10 +38,17 @@ public final class SQLInjectionValidator {
 
     private static final String SQL_PATTERN = "[a-zA-Z_=,\\-'!><.?\"`% ()0-9*\n\r]*";
 
+    // TODO: see here https://rails-sqli.org for and
+    // https://larrysteinle.com/2011/02/20/use-regular-expressions-to-detect-sql-code-injection more examples
+    private static final List<String> INJECTION_PATTERNS = List.of("(?i).*[or|and]\s*[\"']?-1[\"']?\\s*(-*).*",
+            "(?i).*\\s+[\"']?(\\d+)[\"']?\\s*=\\s*[\"']?(\\1)[\"']?\\s*(-*).*");
+
     public static void validateSQLInput(final String sqlSearch) {
         if (StringUtils.isBlank(sqlSearch)) {
             return;
         }
+
+        // TODO: this should be replaced by INJECTION_PATTERNS
         String lowerCaseSQL = sqlSearch.toLowerCase();
         for (String ddl : DDL_COMMANDS) {
             if (lowerCaseSQL.contains(ddl)) {
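Review bot: The first entry of `INJECTION_PATTERNS` in the `List.of(...)` line uses `[or|and]`, which is a character class matching any single one of the characters o, r, |, a, n, d, not the alternation `(or|and)`; the keyword is therefore never actually required, so a benign value such as `bar-1` or `no -1` is rejected while the check only catches `or -1` by accident. The same literal also writes `\s` with one backslash: inside a Java string that is the `\s` string escape (a literal space, legal only on JDK 15+, a compile error before), not the regex whitespace class, and it is inconsistent with the `\\s*` used in the second pattern. I would change it to `"(?i).*\\b(or|and)\\b\\s*[\"']?-1[\"']?\\s*(-*).*"`. Since both patterns are only ever used via `matches()`, holding them as `static final Pattern` objects compiled once would also remove the per-call `Pattern.compile` that the later hunks introduce.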
@@ -48,12 +56,14 @@ public final class SQLInjectionValidator {
             }
         }
 
+        // TODO: this should be replaced by INJECTION_PATTERNS
         for (String dml : DML_COMMANDS) {
             if (lowerCaseSQL.contains(dml)) {
                 throw new SQLInjectionException();
             }
         }
 
+        // TODO: this should be replaced by INJECTION_PATTERNS
         for (String comments : COMMENTS) {
             if (lowerCaseSQL.contains(comments)) {
                 throw new SQLInjectionException();
@@ -63,17 +73,10 @@ public final class SQLInjectionValidator {
         // Removing the space before and after '=' operator
         // String s = " \" OR 1 = 1"; For the cases like this
         boolean injectionFound = false;
-        String inputSqlString = lowerCaseSQL;
-        while (inputSqlString.indexOf(" =") > 0) { // Don't remove space before
-                                                   // = operator
-            inputSqlString = inputSqlString.replaceAll(" =", "=");
-        }
 
-        while (inputSqlString.indexOf("= ") > 0) { // Don't remove space after =
-                                                   // operator
-            inputSqlString = inputSqlString.replaceAll("= ", "=");
-        }
+        String inputSqlString = lowerCaseSQL.replaceAll("\\s*=\\s*", "=");
 
+        // TODO: this should be replaced by INJECTION_PATTERNS
         StringTokenizer tokenizer = new StringTokenizer(inputSqlString, " ");
         while (tokenizer.hasMoreTokens()) {
             String token = tokenizer.nextToken().trim();
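Review bot: The new `replaceAll("\\s*=\\s*", "=")` collapses tabs and newlines around `=` where the old loops handled only single spaces, which is broader, but `new StringTokenizer(inputSqlString, " ")` on the following line still splits on the space character alone, so tokens separated by `\n`/`\r` (both admitted by `SQL_PATTERN`) or by tabs stay glued together and whatever per-token check follows outside this hunk sees e.g. `or\n1=1` as one token. Consider `StringTokenizer tokenizer = new StringTokenizer(inputSqlString);`, whose default delimiter set is ` \t\n\r\f`, provided the token checks do not depend on the exact delimiter. The body of validateSQLInput continues past the end of this hunk.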
@@ -118,6 +121,14 @@ public final class SQLInjectionValidator {
             throw new SQLInjectionException();
         }
 
+        for (String injectionPattern : INJECTION_PATTERNS) {
+            Pattern pattern = Pattern.compile(injectionPattern);
+            Matcher matcher = pattern.matcher(sqlSearch);
+            if (matcher.matches()) {
+                throw new SQLInjectionException();
+            }
+        }
+
         Pattern pattern = Pattern.compile(SQL_PATTERN);
         Matcher matcher = pattern.matcher(sqlSearch);
         if (!matcher.matches()) {
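Review bot: The added loop recompiles every entry of `INJECTION_PATTERNS` on each call to validateSQLInput, and the identical loop is pasted again into the second validator later in this diff; compile the regexes once at class initialisation and share the check. With `private static final List<Pattern> INJECTION_PATTERNS = List.of(Pattern.compile("..."), Pattern.compile("..."));` the loop becomes `if (INJECTION_PATTERNS.stream().anyMatch(p -> p.matcher(sqlSearch).matches())) { throw new SQLInjectionException(); }`, which both methods can call via a private helper. The `Pattern.compile(SQL_PATTERN)` just below has the same per-call cost, though that is pre-existing. validateSQLInput starts before this hunk.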
@@ -129,6 +140,8 @@ public final class SQLInjectionValidator {
         if (StringUtils.isBlank(sqlSearch)) {
             return;
         }
+
+        // TODO: this should be replaced by INJECTION_PATTERNS
         String lowerCaseSQL = sqlSearch.toLowerCase().trim();
         for (String ddl : DDL_COMMANDS) {
             if (lowerCaseSQL.startsWith(ddl)) {
@@ -136,6 +149,7 @@ public final class SQLInjectionValidator {
             }
         }
 
+        // TODO: this should be replaced by INJECTION_PATTERNS
         for (String comments : COMMENTS) {
             if (lowerCaseSQL.contains(comments)) {
                 throw new SQLInjectionException();
@@ -145,16 +159,8 @@ public final class SQLInjectionValidator {
         // Removing the space before and after '=' operator
         // String s = " \" OR 1 = 1"; For the cases like this
         boolean injectionFound = false;
-        String inputSqlString = lowerCaseSQL;
-        while (inputSqlString.indexOf(" =") > 0) { // Don't remove space before
-                                                   // = operator
-            inputSqlString = inputSqlString.replaceAll(" =", "=");
-        }
 
-        while (inputSqlString.indexOf("= ") > 0) { // Don't remove space after =
-                                                   // operator
-            inputSqlString = inputSqlString.replaceAll("= ", "=");
-        }
+        String inputSqlString = lowerCaseSQL.replaceAll("\\s*=\\s*", "=");
 
         StringTokenizer tokenizer = new StringTokenizer(inputSqlString, " ");
         while (tokenizer.hasMoreTokens()) {
@@ -200,6 +206,14 @@ public final class SQLInjectionValidator {
             throw new SQLInjectionException();
         }
 
+        for (String injectionPattern : INJECTION_PATTERNS) {
+            Pattern pattern = Pattern.compile(injectionPattern);
+            Matcher matcher = pattern.matcher(sqlSearch);
+            if (matcher.matches()) {
+                throw new SQLInjectionException();
+            }
+        }
+
         Pattern pattern = Pattern.compile(SQL_PATTERN);
         Matcher matcher = pattern.matcher(sqlSearch);
         if (!matcher.matches()) {