Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[backend] Fix Regular expression injection #2137

Merged
merged 2 commits into from
Dec 31, 2024
Merged

[backend] Fix Regular expression injection #2137

merged 2 commits into from
Dec 31, 2024

Conversation

RomuDeuxfois
Copy link
Member

@github-actions github-actions bot added the filigran team use to identify PR from the Filigran team label Dec 30, 2024
@codecov Codecov
Copy link

codecov bot commented Dec 31, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 0% with 8 lines in your changes missing coverage. Please review.

Project coverage is 35.10%. Comparing base (24a7d24) to head (27351ec).
Report is 1 commits behind head on master.

Files with missing lines Patch % Lines
...main/java/io/openbas/rest/helper/RestBehavior.java 0.00% 5 Missing ⚠️
...n/java/io/openbas/rest/challenge/ChallengeApi.java 0.00% 3 Missing ⚠️
Additional details and impacted files 
@@             Coverage Diff              @@
##             master    #2137      +/-   ##
============================================
- Coverage     35.12%   35.10%   -0.02%     
  Complexity     1418     1418              
============================================
  Files           535      535              
  Lines         16189    16197       +8     
  Branches       1037     1037              
============================================
  Hits           5686     5686              
- Misses        10209    10217       +8     
  Partials        294      294

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

antoinemzs
antoinemzs reviewed Dec 31, 2024
View reviewed changes
openbas-api/src/main/java/io/openbas/rest/helper/RestBehavior.java Outdated
try {
UUID.fromString(id);
} catch (IllegalArgumentException e) {
throw new IllegalArgumentException("ID invalid : " + id, e);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will this cause HTTP 500, where it should be HTTP 400 IMO?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about throwing https://www.baeldung.com/spring-response-status-exception instead, wrapping the original exception?

Copy link
Member Author

@RomuDeuxfois RomuDeuxfois Dec 31, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are right
I can throw an ElementNotFoundException and it will be handled by the RestBehavior class

@ExceptionHandler(ElementNotFoundException.class)
public ResponseEntity handleElementNotFoundException(ElementNotFoundException ex) {
ErrorMessage message = new ErrorMessage("Element not found: " + ex.getMessage());
log.warning("ElementNotFoundException: " + ex.getMessage());
return new ResponseEntity<>(message, HttpStatus.NOT_FOUND);
}

Copy link
Contributor

@antoinemzs antoinemzs Dec 31, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's for HTTP 404, but perhaps there is a readymade handler for 400 as well?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can use InputValidationException

@ResponseStatus(HttpStatus.BAD_REQUEST)
@ExceptionHandler(InputValidationException.class)
public ValidationErrorBag handleInputValidationExceptions(InputValidationException ex) {
ValidationErrorBag bag = new ValidationErrorBag();
ValidationError errors = new ValidationError();
Map<String, ValidationContent> errorsBag = new HashMap<>();
errorsBag.put(ex.getField(), new ValidationContent(ex.getMessage()));
errors.setChildren(errorsBag);
bag.setErrors(errors);
return bag;
}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sounds like a plan

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I made the changes.

@RomuDeuxfois RomuDeuxfois merged commit 15c39f3 into master Dec 31, 2024
7 checks passed
@RomuDeuxfois RomuDeuxfois deleted the issue/1783 branch December 31, 2024 15:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@antoinemzs antoinemzs antoinemzs approved these changes

Assignees
No one assigned
Labels
filigran team use to identify PR from the Filigran team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[security] Regular expression injection
2 participants
@RomuDeuxfois @antoinemzs