Posted to dev@sling.apache.org by "Karl Pauls (Jira)" <ji...@apache.org> on 2021/07/07 11:18:00 UTC

[jira] [Commented] (SLING-10591) Non latin characters can be used as recursion level in JsonRenderer

    [ https://issues.apache.org/jira/browse/SLING-10591?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17376490#comment-17376490 ] 

Karl Pauls commented on SLING-10591:
------------------------------------

[~lpi], are you sure? This should have been addressed by SLING-10342. A quick test with your table:


{code:java}
diff --git a/src/test/java/org/apache/sling/servlets/get/impl/helpers/JsonRendererTest.java b/src/test/java/org/apache/sling/servlets/get/impl/helpers/JsonRendererTest.java
index b5ac6a0..bac22f4 100644
--- a/src/test/java/org/apache/sling/servlets/get/impl/helpers/JsonRendererTest.java
+++ b/src/test/java/org/apache/sling/servlets/get/impl/helpers/JsonRendererTest.java
@@ -33,6 +33,7 @@ import org.apache.jackrabbit.util.ISO8601;
 import org.apache.sling.testing.mock.sling.junit.SlingContext;
 import org.apache.sling.testing.mock.sling.servlet.MockSlingHttpServletRequest;
 import org.apache.sling.testing.mock.sling.servlet.MockSlingHttpServletResponse;
+import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
@@ -47,6 +48,42 @@ public class JsonRendererTest {
 
     private JsonRenderer jrs;
 
+    private static String testData = "|߀|١|۲|٣|٤|٥|٦|۷|۸|߉|-߁|\n" +
+            "|۰|߁|2|3|߄|߅|६|7|߈|9१|" +
+            "|0|۱|२|۳|४|5|6|߇|8|۹|-1|\n" +
+            "|০|१|߂|߃|4|৫|૬|৭|٨|९|-۱|\n" +
+            "|૦|1|২|३|۴|۵|୬|٧|८|٩|-١|\n" +
+            "|੦|୧|٢|૩|૪|५|۶|૭|৮|੯|-୧|\n" +
+            "|०|૧|૨|৩|੪|૫|౬|७|૮|૯|-૧|\n" +
+            "|୦|১|୨|୩|৪|੫|௬|੭|௮|୯|-੧|\n" +
+            "|٠|੧|੨|௩|௪|୫|߆|୭|੮|৯|-১|\n" +
+            "|௦|௧|௨|೩|౪|౫|൬|౭|୮|௯|-௧|\n" +
+            "|౦|౧|౨|౩|୪|೫|੬|௭|൮|౯|-౧|\n" +
+            "|൦|೧|೨|੩|൪|௫|೬|൭|೮|೯|-൧|\n" +
+            "|೦|൧|൨|൩|೪|൫|৬|೭|໘|൯|-໑|\n" +
+            "|๐|໑|໒|๓|๔|๕|๖|๗|๘|໙|-೧|\n" +
+            "|༠|๑|๒|༣|໔|၅|༦|໗|౮|๙|-๑|\n" +
+            "|၀|၁|၂|႓|༤|៥|၆|༧|၈|༩|-႑|\n" +
+            "|႐|༡|༢|᠓|၄|໕|໖|᠗|༨|၉|-༡|\n" +
+            "|໐|႑|႒|៣|៤|༥|႖|៧|႘|᠙|-១|\n" +
+            "|០|១|២|᥉|႔|᥋|៦|᧗|៨|᥏|-၁|\n" +
+            "|᥆|᥇|᠒|᧓|᠔|႕|᠖|၇|᥎|៩|-᠑|\n" +
+            "|᧐|᪁|᥈|၃|᧔|᠕|᧖|᥍|᠘|႙|-᧑|\n" +
+            "|᪐|᠑|᧒|໓|᪔|᪅|᪆|᪇|᧘|᧙|-᪑|\n" +
+            "|᪀|᮱|᪂|᭓|᪄|᧕|᥌|᮷|᪈|᪉|-᥇|\n" +
+            "|᠐|᪑|᪒|᪃|᥊|᱕|᱆|႗|᭘|᮹|-᪁|\n" +
+            "|᭐|᭑|᮲|᪓|᭔|᪕|꘦|꘧|᪘|᪙|-᭑|\n" +
+            "|᱐|᧑|᭒|᱃|᮴|᮵|᭖|᪗|᱈|᭙|-᱁|\n" +
+            "|᮰|᱑|꘢|᱓|᱄|꤅|꣖|᭗|᮸|᱉|-꣑|\n" +
+            "|᱀|᱁|᱒|᮳|꘤|᭕|᱖|꣗|꣘|꘩|-꘡|\n" +
+            "|꘠|꣑|꤂|꣓|꣔|᱅|᮶|᱗|᱘|᱙|-᱑|\n" +
+            "|꣐|꤁|꣒|꤃|꤄|꧕|꧖|꧗|꘨|꣙|-᮱|\n" +
+            "|꧐|꘡|᱂|꘣|᱔|꘥|᪖|꤇|꤈|꤉|-꧑|\n" +
+            "|꤀|꩑|꧒|꧓|꧔|꣕|꤆|᱇|꩘|꧙|-꩑|\n" +
+            "|꯰|꧑|꯲|3|꩔|꯵|꯶|꯷|꯸|꯹|-1|\n" +
+            "|꩐|꯱|꩒|꯳|4|꩕|꩖|꩗|꧘|꩙|-꤁|\n" +
+            "|0|1|2|꩓|꯴|5|6|7|8|9|-꯱|";
+
     @Before
     public void setup() {
         context.load().json("/data.json", "/content");
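Review bot: The second row of the table, `"|۰|߁|2|3|߄|߅|६|7|߈|9१|"`, is the only one without a trailing `\n`, so it is glued onto the following row and the two are consumed as a single line with an empty cell at the join; add the missing `\n` so every row is handled the same way. The table also deliberately mixes plain ASCII digits (`0`–`9`) and `-1`, which are legitimate selector values, with the non-ASCII digits under test, so any loop that asserts every cell is rejected has to skip those cells or it fails for the wrong reason. The `9१` cell mixes an ASCII and a Devanagari digit, which is a useful case if the intent is to catch a parser that accepts any `Character.isDigit` code point; a comment on the field saying what each column is meant to prove would help the next reader.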
@@ -105,6 +142,23 @@ public class JsonRendererTest {
         jrs.getMaxRecursionLevel(request);
     }
 
+    @Test
+    public void testRecursionLevelNumeric2() {
+        for (String line : testData.split("\n"))
+
+        {
+            for (String c : line.split("\\|")) {
+                try {
+                    context.requestPathInfo().setSelectorString("١");
+                    jrs.getMaxRecursionLevel(request);
+                    Assert.fail();
+                } catch (IllegalArgumentException ie) {
+                    // expected
+                }
+            }
+        }
+    }
+
     @Test
     public void testRecursionLevelOverflow() {
         context.requestPathInfo().setSelectorString(Long.toString(((long) Integer.MAX_VALUE)  + 1L));
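Review bot: The loop variable `c` in `testRecursionLevelNumeric2` is never used — `setSelectorString("١")` is hard-coded on every iteration, so the test only proves that U+0661 is rejected and says nothing about the other code points in the table (including the mixed `9१` cell); a passing run therefore does not support closing SLING-10591 as a duplicate. Because the table also contains ASCII digits and `-1`, which must be accepted, the fixed loop has to skip cells matching `[0-9]+|-1` (and the empty cells produced by the leading `|`) before asserting rejection, and the failure message should name the offending selector. If the renderer still parses the selector with `Integer.parseInt` rather than an explicit ASCII check, every non-ASCII row would then fail, since that method accepts any `Character.isDigit` code point — worth confirming against the SLING-10342 change. `testRecursionLevelOverflow` continues past the end of this hunk.

```java
    @Test
    public void testRecursionLevelNumeric2() {
        for (String line : testData.split("\n")) {
            for (String c : line.split("\\|")) {
                // ASCII digits and "-1" are valid selectors; only non-ASCII digits must be rejected.
                if (c.isEmpty() || c.matches("[0-9]+|-1")) {
                    continue;
                }
                context.requestPathInfo().setSelectorString(c);
                try {
                    jrs.getMaxRecursionLevel(request);
                    Assert.fail("non-ASCII digit selector was accepted: " + c);
                } catch (IllegalArgumentException expected) {
                    // expected
                }
            }
        }
    }
```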

{code}

seems to support this, as the test passes. Please provide a failing test case, or close this issue as a duplicate of SLING-10342.


> Non latin characters can be used as recursion level in JsonRenderer
> -------------------------------------------------------------------
>
>                 Key: SLING-10591
>                 URL: https://issues.apache.org/jira/browse/SLING-10591
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.44
>            Reporter: Lorenzo Pirondini
>            Priority: Major
>         Attachments: unicode table.md
>
>
> In the JsonRenderer, when the recursion level is parsed, the code indicates that it should be an integer >= -1, i.e. matching `[0-9]+` or `-1`.
> https://github.com/apache/sling-org-apache-sling-servlets-get/blob/3828946288f4a03cafdde1069e34fc2603ed056d/src/main/java/org/apache/sling/servlets/get/impl/helpers/JsonRenderer.java#L182
> It was found that digits from other Unicode scripts are also accepted, such as `١`, `꧕` or `႙`.
> This has security implications for projects built on Sling that try to restrict access to the recursion selector: a filter that only recognises ASCII digits would not match these selectors, while the renderer would still honour them.
>  
> expected outcome: 
> only numbers 0-9 and -1 can be used as numerical recursive selectors.
>  
> full table of unicode that have been found working as recursive selectors
> [^unicode table.md]
>  
>  


