solr/solrj/src/java/org/apache/solr/client/solrj/io/stream/expr/InjectionDefense.java - lucene-solr - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package org.apache.solr.client.solrj.io.stream.expr;

 import java.util.ArrayList;
 import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;

 /**
  * A class with which to safely build a streaming expression. Three types of parameters
  * (String, Numeric, Expression) are accepted and minimally type checked. All parameters
  * are positional (unnamed) so the order in which parameters are added must correspond to
  * the order of the parameters in the supplied expression string.<br><br>
  *
  * <p>Specifically, this class verifies that the parameter substitutions do not inject
  * additional expressions, and that the parameters are strings, valid numbers or valid
  * expressions producing the expected number of sub-expressions. The idea is not to provide
  * full type safety but rather to heuristically prevent the injection of malicious
  * expressions. The template expression and the parameters supplied must not contain
  * comments since injection of  comments could be used to hide one or more of the expected
  * expressions. Use {@link #stripComments(String)} to remove comments.<br><br>
  *
  * <p>Valid patterns for parameters are:
  * <ul>
  * <li>?$? for strings</li>
  * <li>?#? for numeric parameters in integer or decimal format (no exponents)</li>
  * <li>?(n)? for expressions producing n sub-expressions (minimum n=1)</li>
  * </ul>
  *
  * @since 8.0.0
  */

 public class InjectionDefense {

   private static final Pattern STRING_PARAM = Pattern.compile("\\?\\$\\?");
   private static final Pattern NUMBER_PARAM = Pattern.compile("\\?#\\?");
   private static final Pattern EXPRESSION_PARAM = Pattern.compile("\\?\\(\\d+\\)\\?");
   private static final Pattern EXPRESSION_COUNT = Pattern.compile("\\d+");
   private static final Pattern ANY_PARAM = Pattern.compile("\\?(?:[$#]|(?:\\(\\d+\\)))\\?");
   private static final Pattern INT_OR_FLOAT = Pattern.compile("-?\\d+(?:\\.\\d+)?");

   private String exprString;
   private int expressionCount;
   private List<String> params = new ArrayList<>();

   @SuppressWarnings("WeakerAccess")
   public InjectionDefense(String exprString) {
     this.exprString = exprString;
     checkExpression(exprString);
   }

   @SuppressWarnings("WeakerAccess")
   public static String stripComments(String exprString) {
     return StreamExpressionParser.stripComments(exprString);
   }

   public void addParameter(String param) {
     params.add(param);
   }

   /**
    * Provides an expression that is guaranteed to have the expected number of sub-expressions
    *
    * @return An expression object that should be safe from injection of additional expressions
    */
   @SuppressWarnings("WeakerAccess")
   public StreamExpression safeExpression() {
     String exprStr = buildExpression();
     StreamExpression parsed = StreamExpressionParser.parse(exprStr);
     int actual = countExpressions(parsed);
     if (actual != expressionCount) {
       throw new InjectedExpressionException("Expected Expression count ("+expressionCount+") does not match actual final " +
           "expression count ("+actual+")! (possible injection attack?)");
     } else {
       return parsed;
     }
   }

   /**
    * Provides a string that is guaranteed to parse to a legal expression and to have the expected
    * number of sub-expressions.
    *
    * @return A string that should be safe from injection of additional expressions.
    */
   @SuppressWarnings("WeakerAccess")
   public String safeExpressionString() {
     String exprStr = buildExpression();
     StreamExpression parsed = StreamExpressionParser.parse(exprStr);
     if (countExpressions(parsed) != expressionCount) {
       throw new InjectedExpressionException("Expected Expression count does not match Actual final " +
           "expression count! (possible injection attack?)");
     } else {
       return exprStr;
     }

   }

   String buildExpression() {
     Matcher anyParam = ANY_PARAM.matcher(exprString);
     StringBuffer buff = new StringBuffer();
     int pIdx = 0;
     while (anyParam.find()) {
       String found = anyParam.group();
       String p = params.get(pIdx++);
       if (found.contains("#")) {
         if (!INT_OR_FLOAT.matcher(p).matches()) {
           throw new NumberFormatException("Argument " + pIdx + " (" + p + ") is not numeric!");
         }
       }
       anyParam.appendReplacement(buff, p);
     }
     anyParam.appendTail(buff);

     // strip comments may add '\n' at the end so trim()
     String result = buff.toString().trim();
     String noComments = stripComments(result).trim();
     if (!result.equals(noComments)) {
       throw new IllegalStateException("Comments are not allowed in prepared expressions for security reasons " +
           "please pre-process stripComments() first. If there were no comments, then they have been injected by " +
           "a parameter value.");
     }
     return buff.toString().trim();
   }

   /**
    * Perform some initial checks and establish the expected number of expressions
    *
    * @param exprString the expression to check.
    */
   private void checkExpression(String exprString) {
     exprString = STRING_PARAM.matcher(exprString).replaceAll("foo");
     exprString = NUMBER_PARAM.matcher(exprString).replaceAll("0");
     Matcher eMatcher = EXPRESSION_PARAM.matcher(exprString);
     StringBuffer temp = new StringBuffer();
     while (eMatcher.find()) {
       Matcher counter = EXPRESSION_COUNT.matcher(eMatcher.group());
       eMatcher.appendReplacement(temp, "noop()");
       if (counter.find()) {
         Integer subExprCount = Integer.valueOf(counter.group());
         if (subExprCount < 1) {
           throw new IllegalStateException("Expression Param must contribute at least 1 expression!" +
               " ?(1)? is the minimum allowed ");
         }
         expressionCount += (subExprCount - 1); // the noop() we insert will get counted later.
       }
     }
     eMatcher.appendTail(temp);
     exprString = temp.toString();

     StreamExpression parsed = StreamExpressionParser.parse(exprString);
     if (parsed != null) {
       expressionCount += countExpressions(parsed);
     } else {
       throw new IllegalStateException("Invalid expression (parse returned null):" + exprString);
     }
   }

   private int countExpressions(StreamExpression expression) {
     int result = 0;
     List<StreamExpressionParameter> exprToCheck = new ArrayList<>();
     exprToCheck.add(expression);
     while (exprToCheck.size() > 0) {
       StreamExpressionParameter remove = exprToCheck.remove(0);
       if (remove instanceof StreamExpressionNamedParameter) {
         remove = ((StreamExpressionNamedParameter) remove).getParameter();
       }
       if (remove instanceof StreamExpression) {
         result++;
         for (StreamExpressionParameter parameter : ((StreamExpression) remove).getParameters()) {
           if (parameter instanceof StreamExpressionNamedParameter) {
             parameter = ((StreamExpressionNamedParameter) parameter).getParameter();
           }
           if (parameter instanceof StreamExpression) {
             exprToCheck.add(parameter);
           }
         }
       }
     }
     return result;
   }

 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package org.apache.solr.client.solrj.io.stream.expr;

	import java.util.ArrayList;
	import java.util.List;
	import java.util.regex.Matcher;
	import java.util.regex.Pattern;

	/**
	* A class with which to safely build a streaming expression. Three types of parameters
	* (String, Numeric, Expression) are accepted and minimally type checked. All parameters
	* are positional (unnamed) so the order in which parameters are added must correspond to
	* the order of the parameters in the supplied expression string.<br><br>
	*
	* <p>Specifically, this class verifies that the parameter substitutions do not inject
	* additional expressions, and that the parameters are strings, valid numbers or valid
	* expressions producing the expected number of sub-expressions. The idea is not to provide
	* full type safety but rather to heuristically prevent the injection of malicious
	* expressions. The template expression and the parameters supplied must not contain
	* comments since injection of comments could be used to hide one or more of the expected
	* expressions. Use {@link #stripComments(String)} to remove comments.<br><br>
	*
	* <p>Valid patterns for parameters are:
	* <ul>
	* <li>?$? for strings</li>
	* <li>?#? for numeric parameters in integer or decimal format (no exponents)</li>
	* <li>?(n)? for expressions producing n sub-expressions (minimum n=1)</li>
	* </ul>
	*
	* @since 8.0.0
	*/

	public class InjectionDefense {

	private static final Pattern STRING_PARAM = Pattern.compile("\\?\\$\\?");
	private static final Pattern NUMBER_PARAM = Pattern.compile("\\?#\\?");
	private static final Pattern EXPRESSION_PARAM = Pattern.compile("\\?\\(\\d+\\)\\?");
	private static final Pattern EXPRESSION_COUNT = Pattern.compile("\\d+");
	private static final Pattern ANY_PARAM = Pattern.compile("\\?(?:[$#]\|(?:\\(\\d+\\)))\\?");
	private static final Pattern INT_OR_FLOAT = Pattern.compile("-?\\d+(?:\\.\\d+)?");

	private String exprString;
	private int expressionCount;
	private List<String> params = new ArrayList<>();

	@SuppressWarnings("WeakerAccess")
	public InjectionDefense(String exprString) {
	this.exprString = exprString;
	checkExpression(exprString);
	}

	@SuppressWarnings("WeakerAccess")
	public static String stripComments(String exprString) {
	return StreamExpressionParser.stripComments(exprString);
	}

	public void addParameter(String param) {
	params.add(param);
	}

	/**
	* Provides an expression that is guaranteed to have the expected number of sub-expressions
	*
	* @return An expression object that should be safe from injection of additional expressions
	*/
	@SuppressWarnings("WeakerAccess")
	public StreamExpression safeExpression() {
	String exprStr = buildExpression();
	StreamExpression parsed = StreamExpressionParser.parse(exprStr);
	int actual = countExpressions(parsed);
	if (actual != expressionCount) {
	throw new InjectedExpressionException("Expected Expression count ("+expressionCount+") does not match actual final " +
	"expression count ("+actual+")! (possible injection attack?)");
	} else {
	return parsed;
	}
	}

	/**
	* Provides a string that is guaranteed to parse to a legal expression and to have the expected
	* number of sub-expressions.
	*
	* @return A string that should be safe from injection of additional expressions.
	*/
	@SuppressWarnings("WeakerAccess")
	public String safeExpressionString() {
	String exprStr = buildExpression();
	StreamExpression parsed = StreamExpressionParser.parse(exprStr);
	if (countExpressions(parsed) != expressionCount) {
	throw new InjectedExpressionException("Expected Expression count does not match Actual final " +
	"expression count! (possible injection attack?)");
	} else {
	return exprStr;
	}

	}

	String buildExpression() {
	Matcher anyParam = ANY_PARAM.matcher(exprString);
	StringBuffer buff = new StringBuffer();
	int pIdx = 0;
	while (anyParam.find()) {
	String found = anyParam.group();
	String p = params.get(pIdx++);
	if (found.contains("#")) {
	if (!INT_OR_FLOAT.matcher(p).matches()) {
	throw new NumberFormatException("Argument " + pIdx + " (" + p + ") is not numeric!");
	}
	}
	anyParam.appendReplacement(buff, p);
	}
	anyParam.appendTail(buff);

	// strip comments may add '\n' at the end so trim()
	String result = buff.toString().trim();
	String noComments = stripComments(result).trim();
	if (!result.equals(noComments)) {
	throw new IllegalStateException("Comments are not allowed in prepared expressions for security reasons " +
	"please pre-process stripComments() first. If there were no comments, then they have been injected by " +
	"a parameter value.");
	}
	return buff.toString().trim();
	}

	/**
	* Perform some initial checks and establish the expected number of expressions
	*
	* @param exprString the expression to check.
	*/
	private void checkExpression(String exprString) {
	exprString = STRING_PARAM.matcher(exprString).replaceAll("foo");
	exprString = NUMBER_PARAM.matcher(exprString).replaceAll("0");
	Matcher eMatcher = EXPRESSION_PARAM.matcher(exprString);
	StringBuffer temp = new StringBuffer();
	while (eMatcher.find()) {
	Matcher counter = EXPRESSION_COUNT.matcher(eMatcher.group());
	eMatcher.appendReplacement(temp, "noop()");
	if (counter.find()) {
	Integer subExprCount = Integer.valueOf(counter.group());
	if (subExprCount < 1) {
	throw new IllegalStateException("Expression Param must contribute at least 1 expression!" +
	" ?(1)? is the minimum allowed ");
	}
	expressionCount += (subExprCount - 1); // the noop() we insert will get counted later.
	}
	}
	eMatcher.appendTail(temp);
	exprString = temp.toString();

	StreamExpression parsed = StreamExpressionParser.parse(exprString);
	if (parsed != null) {
	expressionCount += countExpressions(parsed);
	} else {
	throw new IllegalStateException("Invalid expression (parse returned null):" + exprString);
	}
	}

	private int countExpressions(StreamExpression expression) {
	int result = 0;
	List<StreamExpressionParameter> exprToCheck = new ArrayList<>();
	exprToCheck.add(expression);
	while (exprToCheck.size() > 0) {
	StreamExpressionParameter remove = exprToCheck.remove(0);
	if (remove instanceof StreamExpressionNamedParameter) {
	remove = ((StreamExpressionNamedParameter) remove).getParameter();
	}
	if (remove instanceof StreamExpression) {
	result++;
	for (StreamExpressionParameter parameter : ((StreamExpression) remove).getParameters()) {
	if (parameter instanceof StreamExpressionNamedParameter) {
	parameter = ((StreamExpressionNamedParameter) parameter).getParameter();
	}
	if (parameter instanceof StreamExpression) {
	exprToCheck.add(parameter);
	}
	}
	}
	}
	return result;
	}

	}