fineract-core/src/main/java/org/apache/fineract/infrastructure/security/utils/DefaultSqlValidator.java - fineract - Git at Google

 /**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements. See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership. The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License. You may obtain a copy of the License at
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied. See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */
 package org.apache.fineract.infrastructure.security.utils;

 import jakarta.annotation.PostConstruct;
 import java.util.Comparator;
 import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.fineract.infrastructure.core.config.FineractProperties;
 import org.apache.fineract.infrastructure.security.exception.SqlValidationException;
 import org.apache.fineract.infrastructure.security.service.SqlValidator;
 import org.springframework.stereotype.Component;

 @Slf4j
 @RequiredArgsConstructor
 @Component
 public class DefaultSqlValidator implements SqlValidator {

     private final FineractProperties properties;

     private Map<String, Pattern> patterns = new LinkedHashMap<>();
     private Map<String, FineractProperties.FineractSqlValidationProfileProperties> profiles = new LinkedHashMap<>();

     private static final String MAIN_PROFILE = "main";

     @PostConstruct
     public void init() {
         properties.getSqlValidation().getPatterns().forEach(pattern -> {
             log.info("Setup SQL validation pattern: {}", pattern.getName());

             patterns.put(pattern.getName(), Pattern.compile(pattern.getPattern(), Pattern.DOTALL));
         });
         properties.getSqlValidation().getProfiles().forEach(profile -> {
             log.info("Setup SQL validation profile: {}", profile.getName());

             profile.getPatternRefs()
                     .sort(Comparator.comparing(FineractProperties.FineractSqlValidationPatternReferenceProperties::getOrder));

             profiles.put(profile.getName(), profile);
         });

         // consistency checks

         if (!profiles.containsKey(MAIN_PROFILE)) {
             throw new IllegalStateException(
                     "SQL validation profile 'main' missing. This validation profile is the default fallback and has to be provided. NOTE: YOU CANNOT DISABLE SQL VALIDATION!!!");
         }

         // the default profile needs at least one pattern reference
         if (profiles.get(MAIN_PROFILE).getPatternRefs().isEmpty()) {
             throw new IllegalStateException(
                     "SQL Validation pattern references in profile 'main' are empty. Please make sure there is at least one reference available. NOTE: YOU CANNOT DISABLE SQL VALIDATION!!!");
         }

         // the default profile needs to be enabled
         profiles.get(MAIN_PROFILE).setEnabled(true);
     }

     @Override
     public void validate(final String statement) throws SqlValidationException {
         validate(MAIN_PROFILE, statement);
     }

     @Override
     public void validate(final String profile, final String statement) throws SqlValidationException {
         if (StringUtils.isBlank(statement)) {
             return;
         }

         for (var ref : profiles.getOrDefault(profile, profiles.get(MAIN_PROFILE)).getPatternRefs()) {
             Matcher matcher = patterns.get(ref.getName()).matcher(statement);

             if (matcher.matches()) {
                 log.warn("SQL validation error: >> {} <<", statement);
                 throw new SqlValidationException(String.format("invalid SQL statement (detected '%s' pattern)", ref.getName()));
             }
         }
     }
 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/
	package org.apache.fineract.infrastructure.security.utils;

	import jakarta.annotation.PostConstruct;
	import java.util.Comparator;
	import java.util.LinkedHashMap;
	import java.util.Map;
	import java.util.regex.Matcher;
	import java.util.regex.Pattern;
	import lombok.RequiredArgsConstructor;
	import lombok.extern.slf4j.Slf4j;
	import org.apache.commons.lang3.StringUtils;
	import org.apache.fineract.infrastructure.core.config.FineractProperties;
	import org.apache.fineract.infrastructure.security.exception.SqlValidationException;
	import org.apache.fineract.infrastructure.security.service.SqlValidator;
	import org.springframework.stereotype.Component;

	@Slf4j
	@RequiredArgsConstructor
	@Component
	public class DefaultSqlValidator implements SqlValidator {

	private final FineractProperties properties;

	private Map<String, Pattern> patterns = new LinkedHashMap<>();
	private Map<String, FineractProperties.FineractSqlValidationProfileProperties> profiles = new LinkedHashMap<>();

	private static final String MAIN_PROFILE = "main";

	@PostConstruct
	public void init() {
	properties.getSqlValidation().getPatterns().forEach(pattern -> {
	log.info("Setup SQL validation pattern: {}", pattern.getName());

	patterns.put(pattern.getName(), Pattern.compile(pattern.getPattern(), Pattern.DOTALL));
	});
	properties.getSqlValidation().getProfiles().forEach(profile -> {
	log.info("Setup SQL validation profile: {}", profile.getName());

	profile.getPatternRefs()
	.sort(Comparator.comparing(FineractProperties.FineractSqlValidationPatternReferenceProperties::getOrder));

	profiles.put(profile.getName(), profile);
	});

	// consistency checks

	if (!profiles.containsKey(MAIN_PROFILE)) {
	throw new IllegalStateException(
	"SQL validation profile 'main' missing. This validation profile is the default fallback and has to be provided. NOTE: YOU CANNOT DISABLE SQL VALIDATION!!!");
	}

	// the default profile needs at least one pattern reference
	if (profiles.get(MAIN_PROFILE).getPatternRefs().isEmpty()) {
	throw new IllegalStateException(
	"SQL Validation pattern references in profile 'main' are empty. Please make sure there is at least one reference available. NOTE: YOU CANNOT DISABLE SQL VALIDATION!!!");
	}

	// the default profile needs to be enabled
	profiles.get(MAIN_PROFILE).setEnabled(true);
	}

	@Override
	public void validate(final String statement) throws SqlValidationException {
	validate(MAIN_PROFILE, statement);
	}

	@Override
	public void validate(final String profile, final String statement) throws SqlValidationException {
	if (StringUtils.isBlank(statement)) {
	return;
	}

	for (var ref : profiles.getOrDefault(profile, profiles.get(MAIN_PROFILE)).getPatternRefs()) {
	Matcher matcher = patterns.get(ref.getName()).matcher(statement);

	if (matcher.matches()) {
	log.warn("SQL validation error: >> {} <<", statement);
	throw new SqlValidationException(String.format("invalid SQL statement (detected '%s' pattern)", ref.getName()));
	}
	}
	}
	}