solr/solrj/src/test/org/apache/solr/client/solrj/io/stream/expr/InjectionDefenseTest.java - lucene-solr - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package org.apache.solr.client.solrj.io.stream.expr;

 import org.junit.Test;

 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;

 public class InjectionDefenseTest {

   private static final String EXPLOITABLE = "let(a=search(foo,q=\"time_dt:[?$? TO ?$?]\",fl=\"id,time_dt\",sort=\"time_dt asc\"))";
   private static final String NUMBER = "let(a=search(foo,q=\"gallons_f:[?#? TO ?#?]\",fl=\"id,gallons_f,time_dt\",sort=\"time_dt asc\"))";
   private static final String NUMBER_OK = "let(a=search(foo,q=\"gallons_f:[2 TO 3.5]\",fl=\"id,gallons_f,time_dt\",sort=\"time_dt asc\"))";
   private static final String ALLOWED = "let(a=search(foo,q=\"time_dt:[?$? TO ?$?]\",fl=\"id,time_dt\",sort=\"time_dt asc\"), x=?(2)?)";
   private static final String INJECTED = "let(a=search(foo,q=\"time_dt:[2000-01-01T00:00:00Z TO 2020-01-01T00:00:00Z]\",fl=\"id,time_dt\",sort=\"time_dt asc\"), x=jdbc( connection=\"jdbc:postgresql://localhost:5432/ouchdb\",sql=\"select * from users\",sort=\"id asc\"),z=jdbc( connection=\"jdbc:postgresql://localhost:5432/ouchdb\",sql=\"select * from race_cars\",sort=\"id asc\"))";

   @Test(expected = InjectedExpressionException.class)
   public void testSafeExpression() {

     InjectionDefense defender = new InjectionDefense(EXPLOITABLE);

     defender.addParameter("2000-01-01T00:00:00Z");
     defender.addParameter("2020-01-01T00:00:00Z]\",fl=\"id\",sort=\"id asc\"), b=jdbc( connection=\"jdbc:postgresql://localhost:5432/ouchdb\",sql=\"select * from users\",sort=\"id asc\"),c=search(foo,q=\"time_dt:[* TO 2020-01-01T00:00:00Z");

     defender.safeExpression();
   }

   @Test(expected = InjectedExpressionException.class)
   public void testSafeString() {

     InjectionDefense defender = new InjectionDefense(EXPLOITABLE);

     defender.addParameter("2000-01-01T00:00:00Z");
     defender.addParameter("2020-01-01T00:00:00Z]\",fl=\"id\",sort=\"id asc\"), b=jdbc( connection=\"jdbc:postgresql://localhost:5432/ouchdb\",sql=\"select * from users\",sort=\"id asc\"),c=search(foo,q=\"time_dt:[* TO 2020-01-01T00:00:00Z");

     defender.safeExpressionString();
   }

   @Test
   public void testExpectedInjectionOfExpressions() {
     InjectionDefense defender = new InjectionDefense(ALLOWED);

     defender.addParameter("2000-01-01T00:00:00Z");
     defender.addParameter("2020-01-01T00:00:00Z");
     defender.addParameter("jdbc( connection=\"jdbc:postgresql://localhost:5432/ouchdb\",sql=\"select * from users\",sort=\"id asc\"),z=jdbc( connection=\"jdbc:postgresql://localhost:5432/ouchdb\",sql=\"select * from race_cars\",sort=\"id asc\")");

     // no exceptions
     assertNotNull(defender.safeExpression());
     assertEquals(INJECTED, defender.safeExpressionString());

   }

   @Test(expected = InjectedExpressionException.class)
   public void testWrongNumberInjected() {
     InjectionDefense defender = new InjectionDefense(ALLOWED);

     defender.addParameter("2000-01-01T00:00:00Z");
     defender.addParameter("2020-01-01T00:00:00Z");
     defender.addParameter("jdbc( connection=\"jdbc:postgresql://localhost:5432/ouchdb\",sql=\"select * from users\",sort=\"id asc\")");

     // no exceptions
     defender.safeExpression();
     assertEquals(INJECTED, defender.safeExpressionString());

   }

   @Test
   public void testBuildExpression() {
     InjectionDefense defender = new InjectionDefense(ALLOWED);

     defender.addParameter("2000-01-01T00:00:00Z");
     defender.addParameter("2020-01-01T00:00:00Z");
     defender.addParameter("jdbc( connection=\"jdbc:postgresql://localhost:5432/ouchdb\",sql=\"select * from users\",sort=\"id asc\"),z=jdbc( connection=\"jdbc:postgresql://localhost:5432/ouchdb\",sql=\"select * from race_cars\",sort=\"id asc\")");

     assertEquals(INJECTED, defender.buildExpression());
   }

   @Test
   public void testInjectNumber() {
     InjectionDefense defender = new InjectionDefense(NUMBER);

     defender.addParameter("2");
     defender.addParameter("3.5");

     assertEquals(NUMBER_OK, defender.buildExpression());
   }

   @Test(expected = NumberFormatException.class)
   public void testInjectAlphaFail() {
     InjectionDefense defender = new InjectionDefense(NUMBER);

     defender.addParameter("a");
     defender.addParameter("3.5");

     defender.buildExpression();

   }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package org.apache.solr.client.solrj.io.stream.expr;

	import org.junit.Test;

	import static org.junit.Assert.assertEquals;
	import static org.junit.Assert.assertNotNull;

	public class InjectionDefenseTest {

	private static final String EXPLOITABLE = "let(a=search(foo,q=\"time_dt:[?$? TO ?$?]\",fl=\"id,time_dt\",sort=\"time_dt asc\"))";
	private static final String NUMBER = "let(a=search(foo,q=\"gallons_f:[?#? TO ?#?]\",fl=\"id,gallons_f,time_dt\",sort=\"time_dt asc\"))";
	private static final String NUMBER_OK = "let(a=search(foo,q=\"gallons_f:[2 TO 3.5]\",fl=\"id,gallons_f,time_dt\",sort=\"time_dt asc\"))";
	private static final String ALLOWED = "let(a=search(foo,q=\"time_dt:[?$? TO ?$?]\",fl=\"id,time_dt\",sort=\"time_dt asc\"), x=?(2)?)";
	private static final String INJECTED = "let(a=search(foo,q=\"time_dt:[2000-01-01T00:00:00Z TO 2020-01-01T00:00:00Z]\",fl=\"id,time_dt\",sort=\"time_dt asc\"), x=jdbc( connection=\"jdbc:postgresql://localhost:5432/ouchdb\",sql=\"select * from users\",sort=\"id asc\"),z=jdbc( connection=\"jdbc:postgresql://localhost:5432/ouchdb\",sql=\"select * from race_cars\",sort=\"id asc\"))";

	@Test(expected = InjectedExpressionException.class)
	public void testSafeExpression() {

	InjectionDefense defender = new InjectionDefense(EXPLOITABLE);

	defender.addParameter("2000-01-01T00:00:00Z");
	defender.addParameter("2020-01-01T00:00:00Z]\",fl=\"id\",sort=\"id asc\"), b=jdbc( connection=\"jdbc:postgresql://localhost:5432/ouchdb\",sql=\"select * from users\",sort=\"id asc\"),c=search(foo,q=\"time_dt:[* TO 2020-01-01T00:00:00Z");

	defender.safeExpression();
	}

	@Test(expected = InjectedExpressionException.class)
	public void testSafeString() {

	InjectionDefense defender = new InjectionDefense(EXPLOITABLE);

	defender.addParameter("2000-01-01T00:00:00Z");
	defender.addParameter("2020-01-01T00:00:00Z]\",fl=\"id\",sort=\"id asc\"), b=jdbc( connection=\"jdbc:postgresql://localhost:5432/ouchdb\",sql=\"select * from users\",sort=\"id asc\"),c=search(foo,q=\"time_dt:[* TO 2020-01-01T00:00:00Z");

	defender.safeExpressionString();
	}

	@Test
	public void testExpectedInjectionOfExpressions() {
	InjectionDefense defender = new InjectionDefense(ALLOWED);

	defender.addParameter("2000-01-01T00:00:00Z");
	defender.addParameter("2020-01-01T00:00:00Z");
	defender.addParameter("jdbc( connection=\"jdbc:postgresql://localhost:5432/ouchdb\",sql=\"select * from users\",sort=\"id asc\"),z=jdbc( connection=\"jdbc:postgresql://localhost:5432/ouchdb\",sql=\"select * from race_cars\",sort=\"id asc\")");

	// no exceptions
	assertNotNull(defender.safeExpression());
	assertEquals(INJECTED, defender.safeExpressionString());

	}

	@Test(expected = InjectedExpressionException.class)
	public void testWrongNumberInjected() {
	InjectionDefense defender = new InjectionDefense(ALLOWED);

	defender.addParameter("2000-01-01T00:00:00Z");
	defender.addParameter("2020-01-01T00:00:00Z");
	defender.addParameter("jdbc( connection=\"jdbc:postgresql://localhost:5432/ouchdb\",sql=\"select * from users\",sort=\"id asc\")");

	// no exceptions
	defender.safeExpression();
	assertEquals(INJECTED, defender.safeExpressionString());

	}

	@Test
	public void testBuildExpression() {
	InjectionDefense defender = new InjectionDefense(ALLOWED);

	defender.addParameter("2000-01-01T00:00:00Z");
	defender.addParameter("2020-01-01T00:00:00Z");
	defender.addParameter("jdbc( connection=\"jdbc:postgresql://localhost:5432/ouchdb\",sql=\"select * from users\",sort=\"id asc\"),z=jdbc( connection=\"jdbc:postgresql://localhost:5432/ouchdb\",sql=\"select * from race_cars\",sort=\"id asc\")");

	assertEquals(INJECTED, defender.buildExpression());
	}

	@Test
	public void testInjectNumber() {
	InjectionDefense defender = new InjectionDefense(NUMBER);

	defender.addParameter("2");
	defender.addParameter("3.5");

	assertEquals(NUMBER_OK, defender.buildExpression());
	}

	@Test(expected = NumberFormatException.class)
	public void testInjectAlphaFail() {
	InjectionDefense defender = new InjectionDefense(NUMBER);

	defender.addParameter("a");
	defender.addParameter("3.5");

	defender.buildExpression();

	}
	}