Posted to commits@usergrid.apache.org by sn...@apache.org on 2015/07/30 20:44:48 UTC

[25/35] incubator-usergrid git commit: Not using PathParam regexp because Jersey applies the regexp on the URI encoded param rather than the decoded param

Not using PathParam regexp because Jersey applies the regexp on the URI encoded param rather than the decoded param


Project: http://git-wip-us.apache.org/repos/asf/incubator-usergrid/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-usergrid/commit/59b15d2e
Tree: http://git-wip-us.apache.org/repos/asf/incubator-usergrid/tree/59b15d2e
Diff: http://git-wip-us.apache.org/repos/asf/incubator-usergrid/diff/59b15d2e

Branch: refs/heads/ug2-doc-update
Commit: 59b15d2e165669781453f63f2b020e819c4c4fd2
Parents: e4c4dbd
Author: arun.ram <ar...@spartasystems.com>
Authored: Thu Jul 9 17:40:29 2015 -0400
Committer: arun.ram <ar...@spartasystems.com>
Committed: Thu Jul 9 17:40:29 2015 -0400

----------------------------------------------------------------------
 .../usergrid/rest/AbstractContextResource.java  | 67 ++++++++++----------
 .../organizations/OrganizationResource.java     | 13 ++--
 2 files changed, 42 insertions(+), 38 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-usergrid/blob/59b15d2e/stack/rest/src/main/java/org/apache/usergrid/rest/AbstractContextResource.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/AbstractContextResource.java b/stack/rest/src/main/java/org/apache/usergrid/rest/AbstractContextResource.java
index c415a2c..233b17a 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/AbstractContextResource.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/AbstractContextResource.java
@@ -18,6 +18,7 @@ package org.apache.usergrid.rest;
 
 
 import java.util.List;
+import java.util.regex.Pattern;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.core.Context;
@@ -48,6 +49,7 @@ import static org.apache.commons.lang.StringUtils.removeEnd;
 
 public abstract class AbstractContextResource {
 
+    private static final Pattern SECURE_PARAMETER_PATTERN = Pattern.compile("[A-Za-z0-9\\-\\._~]+");
     protected AbstractContextResource parent;
 
     @Context
@@ -89,77 +91,78 @@ public abstract class AbstractContextResource {
     @Autowired
     protected TokenService tokens;
 
-
     public AbstractContextResource() {
     }
 
-
     public AbstractContextResource getParent() {
         return parent;
     }
 
-
-    public void setParent( AbstractContextResource parent ) {
+    public void setParent(AbstractContextResource parent) {
         this.parent = parent;
     }
 
-
-    public <T extends AbstractContextResource> T getSubResource( Class<T> t ) {
-        T subResource = resourceContext.getResource( t );
-        subResource.setParent( this );
+    public <T extends AbstractContextResource> T getSubResource(Class<T> t) {
+        T subResource = resourceContext.getResource(t);
+        subResource.setParent(this);
         return subResource;
     }
 
-
-    public PathSegment getFirstPathSegment( String name ) {
-        if ( name == null ) {
+    public PathSegment getFirstPathSegment(String name) {
+        if (name == null) {
             return null;
         }
         List<PathSegment> segments = uriInfo.getPathSegments();
-        for ( PathSegment segment : segments ) {
-            if ( name.equals( segment.getPath() ) ) {
+        for (PathSegment segment : segments) {
+            if (name.equals(segment.getPath())) {
                 return segment;
             }
         }
         return null;
     }
 
-
     public boolean useReCaptcha() {
-        return isNotBlank( properties.getRecaptchaPublic() ) && isNotBlank( properties.getRecaptchaPrivate() );
+        return isNotBlank(properties.getRecaptchaPublic()) && isNotBlank(properties.getRecaptchaPrivate());
     }
 
-
     public String getReCaptchaHtml() {
-        if ( !useReCaptcha() ) {
+        if (!useReCaptcha()) {
             return "";
         }
         ReCaptcha c = ReCaptchaFactory
-                .newSecureReCaptcha( properties.getRecaptchaPublic(), properties.getRecaptchaPrivate(), false );
-        return c.createRecaptchaHtml( null, null );
+                .newSecureReCaptcha(properties.getRecaptchaPublic(), properties.getRecaptchaPrivate(), false);
+        return c.createRecaptchaHtml(null, null);
     }
 
-
-    public void sendRedirect( String location ) {
-        if ( isNotBlank( location ) ) {
-            throw new RedirectionException( location );
+    public void sendRedirect(String location) {
+        if (isNotBlank(location)) {
+            throw new RedirectionException(location);
         }
     }
 
-
-    public Viewable handleViewable( String template, Object model ) {
-        String template_property = "usergrid.view" + removeEnd( this.getClass().getName().toLowerCase(), "resource" )
-                .substring( AbstractContextResource.class.getPackage().getName().length() ) + "." + template
+    public Viewable handleViewable(String template, Object model) {
+        String template_property = "usergrid.view" + removeEnd(this.getClass().getName().toLowerCase(), "resource")
+                .substring(AbstractContextResource.class.getPackage().getName().length()) + "." + template
                 .toLowerCase();
-        String redirect_url = properties.getProperty( template_property );
-        if ( isNotBlank( redirect_url ) ) {
-            sendRedirect( redirect_url );
+        String redirect_url = properties.getProperty(template_property);
+        if (isNotBlank(redirect_url)) {
+            sendRedirect(redirect_url);
         }
-        return new Viewable( template, model, this.getClass() );
+        return new Viewable(template, model, this.getClass());
     }
 
-
     protected ApiResponse createApiResponse() {
         return new ApiResponse( properties );
     }
+
+    /**
+     * Checks if the given parameter contains only unreserved characters (as per RFC3986)
+     * This ensures that characters like < > which could be used by malicious scripts
+     * are not included.
+     * @param parameter the parameter to be tested
+     * @return true if safe to use, false otherwise
+     */
+    protected boolean isSafe(String parameter) {
+        return SECURE_PARAMETER_PATTERN.matcher(parameter).matches();
+    }
 }
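Review bot: isSafe(), added at the end of this hunk, dereferences `parameter` unconditionally, so a null argument throws NullPointerException from `matcher()` rather than returning the false that the Javadoc ("true if safe to use, false otherwise") leads callers to expect. A null-safe form is `return parameter != null && SECURE_PARAMETER_PATTERN.matcher(parameter).matches();`. The Javadoc could also state the two properties callers will rely on: `matches()` requires the whole value to match (no partial match), and the `+` quantifier means the empty string is rejected. The new `SECURE_PARAMETER_PATTERN` constant in the earlier hunk sits directly above the `parent` field with no separating blank line, which reads as if it belonged to that field group.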

http://git-wip-us.apache.org/repos/asf/incubator-usergrid/blob/59b15d2e/stack/rest/src/main/java/org/apache/usergrid/rest/organizations/OrganizationResource.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/organizations/OrganizationResource.java b/stack/rest/src/main/java/org/apache/usergrid/rest/organizations/OrganizationResource.java
index b7acf16..b07306c 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/organizations/OrganizationResource.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/organizations/OrganizationResource.java
@@ -125,14 +125,15 @@ public class OrganizationResource extends AbstractContextResource {
     }
 
 
-    @Path("{applicationName: [^<>/]+}")
+    @Path("{applicationName}")
     public ApplicationResource getApplicationByName( @PathParam("applicationName") String applicationName )
             throws Exception {
-
         if ( "options".equalsIgnoreCase( request.getMethod() ) ) {
             throw new NoOpException();
         }
-
+        if (!isSafe(applicationName)) {
+            throw new IllegalArgumentException("Invalid application name");
+        }
         String orgAppName = PathingUtils.assembleAppName( organizationName, applicationName );
         UUID applicationId = emf.lookupApplication( orgAppName );
         if ( applicationId == null ) {
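Review bot: The whitelist check added to getApplicationByName is materially stricter than the `[^<>/]+` path guard it replaces: the old regexp refused only `<`, `>` and `/`, while `isSafe` now rejects any decoded name containing a space, `+`, `@`, or a non-ASCII letter, so if application creation ever accepted such names they become unreachable through this path and through getApplicationByName2–4, which delegate here. If that narrowing is intended it deserves a sentence in the commit message; otherwise the pattern should be aligned with whatever the creation path allows. The failure is also raised as `IllegalArgumentException`, which Jersey is likely to surface as a 500 unless an ExceptionMapper for it is registered elsewhere in the project; a client error is the accurate response, e.g. `throw new WebApplicationException(Response.Status.BAD_REQUEST);` (or a usergrid exception type that is already mapped to 400, if one exists). getApplicationByName's body continues outside the hunk.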
@@ -143,21 +144,21 @@ public class OrganizationResource extends AbstractContextResource {
     }
 
 
-    @Path("applications/{applicationName: [^<>/]+}")
+    @Path("applications/{applicationName}")
     public ApplicationResource getApplicationByName2( @PathParam("applicationName") String applicationName )
             throws Exception {
         return getApplicationByName( applicationName );
     }
 
 
-    @Path("apps/{applicationName: [^<>/]+}")
+    @Path("apps/{applicationName}")
     public ApplicationResource getApplicationByName3( @PathParam("applicationName") String applicationName )
             throws Exception {
         return getApplicationByName( applicationName );
     }
 
 
-    @Path("a/{applicationName: [^<>/]+}")
+    @Path("a/{applicationName}")
     public ApplicationResource getApplicationByName4( @PathParam("applicationName") String applicationName )
             throws Exception {
         return getApplicationByName( applicationName );