Posted to commits@fineract.apache.org by al...@apache.org on 2023/02/21 06:24:35 UTC
[fineract] branch 1.7.3 updated: FINERACT-1871: Run reports fix for 1.7.x
This is an automated email from the ASF dual-hosted git repository.
aleks pushed a commit to branch 1.7.3
in repository https://gitbox.apache.org/repos/asf/fineract.git
The following commit(s) were added to refs/heads/1.7.3 by this push:
new 71b73db55 FINERACT-1871: Run reports fix for 1.7.x
71b73db55 is described below
commit 71b73db55007d01589e0fc9e30241486957f10ac
Author: Aleks <al...@apache.org>
AuthorDate: Sun Feb 19 22:59:59 2023 +0100
FINERACT-1871: Run reports fix for 1.7.x
---
.../security/utils/SQLInjectionValidator.java | 42 ++++++++++++----------
1 file changed, 24 insertions(+), 18 deletions(-)
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
index a8128a485..4a5d3b28a 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
@@ -18,6 +18,7 @@
*/
package org.apache.fineract.infrastructure.security.utils;
+import java.util.List;
import java.util.StringTokenizer;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@@ -37,10 +38,15 @@ public final class SQLInjectionValidator {
private static final String SQL_PATTERN = "[a-zA-Z_=,\\-'!><.?\"`% ()0-9*\n\r]*";
+ // https://larrysteinle.com/2011/02/20/use-regular-expressions-to-detect-sql-code-injection more examples
+ private static final List<String> INJECTION_PATTERNS = List.of("(?i).*[or|and]\s*[\"']?-1[\"']?\\s*(-*).*",
+ "(?i).*\\s+[\"']?(\\d+)[\"']?\\s*=\\s*[\"']?(\\1)[\"']?\\s*(-*).*");
+
public static void validateSQLInput(final String sqlSearch) {
if (StringUtils.isBlank(sqlSearch)) {
return;
}
+
String lowerCaseSQL = sqlSearch.toLowerCase();
for (String ddl : DDL_COMMANDS) {
if (lowerCaseSQL.contains(ddl)) {
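Review bot: The first entry in INJECTION_PATTERNS uses `[or|and]`, which is a character class matching a single one of the characters o, r, |, a, n, d, not the alternation `(or|and)` the comment link implies, so the rule fires on any stray `r -1` but does not actually key on the keywords it names. In the same literal `\s` is written with a single backslash; on Java 15+ that is the space escape (so a tab before `-1` is not tolerated), and on older compilers it is a compile error, so it should be `\\s` like the rest of the line. Because both expressions are constants they should be compiled once, e.g. `private static final List<Pattern> INJECTION_PATTERNS = List.of(Pattern.compile("(?i).*(or|and)\\s*[\"']?-1[\"']?\\s*(-*).*"), Pattern.compile("(?i).*\\s+[\"']?(\\d+)[\"']?\\s*=\\s*[\"']?(\\1)[\"']?\\s*(-*).*"));`, rather than recompiled on every call as the later hunks do. Separately, the unchanged `sqlSearch.toLowerCase()` uses the default locale; under a Turkish locale `I` lowercases to dotless `ı`, so keyword matching against DDL_COMMANDS could miss — `toLowerCase(Locale.ROOT)` (needs `java.util.Locale`) is the safe form for a denylist.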
@@ -63,16 +69,8 @@ public final class SQLInjectionValidator {
// Removing the space before and after '=' operator
// String s = " \" OR 1 = 1"; For the cases like this
boolean injectionFound = false;
- String inputSqlString = lowerCaseSQL;
- while (inputSqlString.indexOf(" =") > 0) { // Don't remove space before
- // = operator
- inputSqlString = inputSqlString.replaceAll(" =", "=");
- }
- while (inputSqlString.indexOf("= ") > 0) { // Don't remove space after =
- // operator
- inputSqlString = inputSqlString.replaceAll("= ", "=");
- }
+ String inputSqlString = lowerCaseSQL.replaceAll("\\s*=\\s*", "=");
StringTokenizer tokenizer = new StringTokenizer(inputSqlString, " ");
while (tokenizer.hasMoreTokens()) {
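Review bot: `lowerCaseSQL.replaceAll("\\s*=\\s*", "=")` recompiles its regex on every validation call; since the pattern is constant, hoist it to `private static final Pattern SPACED_EQUALS = Pattern.compile("\\s*=\\s*");` and write `String inputSqlString = SPACED_EQUALS.matcher(lowerCaseSQL).replaceAll("=");`. The new form also normalizes tabs and newlines around `=`, which the old loops did not, but the following `new StringTokenizer(inputSqlString, " ")` still splits on spaces only, so an input whose words are separated by tabs or newlines reaches the per-token checks as a single token; `new StringTokenizer(inputSqlString)` (default delimiters include `\t`, `\n`, `\r`, `\f`) would close that gap, assuming the token checks below this hunk are meant to see each word separately. The enclosing validateSQLInput begins before this hunk and continues after it.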
@@ -118,6 +116,14 @@ public final class SQLInjectionValidator {
throw new SQLInjectionException();
}
+ for (String injectionPattern : INJECTION_PATTERNS) {
+ Pattern pattern = Pattern.compile(injectionPattern);
+ Matcher matcher = pattern.matcher(sqlSearch);
+ if (matcher.matches()) {
+ throw new SQLInjectionException();
+ }
+ }
+
Pattern pattern = Pattern.compile(SQL_PATTERN);
Matcher matcher = pattern.matcher(sqlSearch);
if (!matcher.matches()) {
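Review bot: `Pattern.compile(injectionPattern)` inside the loop compiles both regexes on every call to validateSQLInput; with INJECTION_PATTERNS held as compiled `Pattern`s the loop body reduces to `if (pattern.matcher(sqlSearch).matches()) { throw new SQLInjectionException(); }`. Each pattern is also wrapped in leading and trailing `.*` and checked with `matches()`; without DOTALL `.` does not cross a line terminator, and SQL_PATTERN on the next lines explicitly admits `\n` and `\r`, so a payload on a line after a newline is not seen by these rules — using `find()` with the `.*` wrappers removed is equivalent for single-line input and stricter otherwise, and avoids the backtracking the wildcard-plus-backreference combination induces on long inputs. This remains a denylist that recognizes only the `-1` and `N=N` shapes it spells out, so parameterized queries must stay the primary control and this check is defense in depth. validateSQLInput continues past the end of this hunk.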
@@ -145,16 +151,8 @@ public final class SQLInjectionValidator {
// Removing the space before and after '=' operator
// String s = " \" OR 1 = 1"; For the cases like this
boolean injectionFound = false;
- String inputSqlString = lowerCaseSQL;
- while (inputSqlString.indexOf(" =") > 0) { // Don't remove space before
- // = operator
- inputSqlString = inputSqlString.replaceAll(" =", "=");
- }
- while (inputSqlString.indexOf("= ") > 0) { // Don't remove space after =
- // operator
- inputSqlString = inputSqlString.replaceAll("= ", "=");
- }
+ String inputSqlString = lowerCaseSQL.replaceAll("\\s*=\\s*", "=");
StringTokenizer tokenizer = new StringTokenizer(inputSqlString, " ");
while (tokenizer.hasMoreTokens()) {
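Review bot: This normalization block is now identical to the one in validateSQLInput earlier in the file, and the commit had to apply the same replacement in both places; a private helper such as `private static String collapseSpacedEquals(String sql) { return sql.replaceAll("\\s*=\\s*", "="); }` called from both methods keeps the next fix in one place and is also where a pre-compiled `Pattern` would live. As in the other method, the `new StringTokenizer(inputSqlString, " ")` on the last line still splits on spaces only, so whitespace other than a space is not a token boundary even though the new `replaceAll` now treats it as such around `=`. The enclosing method begins before this hunk.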
@@ -200,6 +198,14 @@ public final class SQLInjectionValidator {
throw new SQLInjectionException();
}
+ for (String injectionPattern : INJECTION_PATTERNS) {
+ Pattern pattern = Pattern.compile(injectionPattern);
+ Matcher matcher = pattern.matcher(sqlSearch);
+ if (matcher.matches()) {
+ throw new SQLInjectionException();
+ }
+ }
+
Pattern pattern = Pattern.compile(SQL_PATTERN);
Matcher matcher = pattern.matcher(sqlSearch);
if (!matcher.matches()) {
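Review bot: The pattern loop duplicates the one added to validateSQLInput and repeats its per-call `Pattern.compile`; a shared `private static boolean matchesInjectionPattern(String input) { return INJECTION_PATTERNS.stream().anyMatch(p -> p.matcher(input).matches()); }` (with the list holding compiled `Pattern`s) removes the copy and lets both methods throw from a single `if`. Note also that the second regex only recognizes numeric tautologies of the form `N=N`; quoted-string forms such as `'a'='a'` or comparisons using other operators are not covered by it, so, as far as this hunk shows, the token-based checks earlier in the method remain the only guard for those — worth a comment on the constant so nobody treats the list as complete. The enclosing method continues past this hunk.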