guacamole-commits mailing list archives

From jmuehl...@apache.org
Subject [1/2] incubator-guacamole-client git commit: GUACAMOLE-5: Properly validate identifiers before attempting to query.
Date Thu, 28 Jul 2016 04:40:46 GMT
Repository: incubator-guacamole-client
Updated Branches:
  refs/heads/master 0ec42d2b1 -> b1a8a4d85


GUACAMOLE-5: Properly validate identifiers before attempting to query.

Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/f2cd109e
Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/f2cd109e
Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/f2cd109e

Branch: refs/heads/master
Commit: f2cd109e3f5082fee747e8c3e81c14cc7d4edde3
Parents: 0ec42d2
Author: Michael Jumper <mjumper@apache.org>
Authored: Wed Jul 27 21:30:49 2016 -0700
Committer: Michael Jumper <mjumper@apache.org>
Committed: Wed Jul 27 21:30:49 2016 -0700

----------------------------------------------------------------------
 .../base/ModeledDirectoryObjectService.java     |  4 ++
 .../guacamole/auth/jdbc/base/ObjectModel.java   | 59 ++++++++++++++++++++
 2 files changed, 63 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/f2cd109e/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledDirectoryObjectService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledDirectoryObjectService.java
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledDirectoryObjectService.java
index 6eb615e..4e1c1f5 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledDirectoryObjectService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledDirectoryObjectService.java
@@ -23,6 +23,7 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Set;
+import javax.xml.stream.events.Characters;
 import org.apache.guacamole.auth.jdbc.user.AuthenticatedUser;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.GuacamoleSecurityException;
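Review bot: The added `import javax.xml.stream.events.Characters;` looks accidental, since nothing in this commit's hunks for ModeledDirectoryObjectService.java references `Characters`. The only related use is `Character.isDigit` in ObjectModel.java, which is `java.lang.Character` and needs no import. Unless code outside the hunks uses it, drop the line so the JDBC auth module does not carry a stray reference to the StAX API.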
@@ -312,6 +313,9 @@ public abstract class ModeledDirectoryObjectService<InternalType extends
Modeled
     public Collection<InternalType> retrieveObjects(AuthenticatedUser user,
             Collection<String> identifiers) throws GuacamoleException {
 
+        // Ignore invalid identifiers
+        identifiers = ObjectModel.filterIdentifiers(identifiers);
+
         // Do not query if no identifiers given
         if (identifiers.isEmpty())
             return Collections.<InternalType>emptyList();
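Review bot: The new filter guards only this bulk lookup in `retrieveObjects`, whose body continues outside the hunk. The class's other methods are not shown, so it is worth confirming that every path handing a caller-supplied identifier to the mapper also goes through `ObjectModel.isValidIdentifier`. The comment would also be more useful if it said why the identifiers are dropped, for example `// Ignore invalid (non-numeric) identifiers, which may cause SQL errors when queried`. Because rejected values disappear silently, a caller that sends a malformed identifier just gets a shorter result, which should be stated in the method's Javadoc.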

http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/f2cd109e/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ObjectModel.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ObjectModel.java
b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ObjectModel.java
index 06698ac..f77abad 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ObjectModel.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ObjectModel.java
@@ -19,6 +19,9 @@
 
 package org.apache.guacamole.auth.jdbc.base;
 
+import java.util.ArrayList;
+import java.util.Collection;
+
 /**
  * Object representation of a Guacamole object, such as a user or connection,
  * as represented in the database.
@@ -84,4 +87,60 @@ public abstract class ObjectModel {
         this.objectID = objectID;
     }
 
+    /**
+     * Returns whether the given string is a valid identifier within the JDBC
+     * authentication extension. Invalid identifiers may result in SQL errors
+     * from the underlying database when used in queries.
+     *
+     * @param identifier
+     *     The string to check for validity.
+     *
+     * @return
+     *     true if the given string is a valid identifier, false otherwise.
+     */
+    public static boolean isValidIdentifier(String identifier) {
+
+        // Empty identifiers are invalid
+        if (identifier.isEmpty())
+            return false;
+
+        // Identifier is invalid if any non-numeric characters are present
+        for (int i = 0; i < identifier.length(); i++) {
+            if (!Character.isDigit(identifier.charAt(i)))
+                return false;
+        }
+
+        // Identifier is valid - contains only numeric characters
+        return true;
+
+    }
+
+    /**
+     * Filters the given collection of strings, returning a new collection
+     * containing only those strings which are valid identifiers. If no strings
+     * within the collection are valid identifiers, the returned collection will
+     * simply be empty.
+     *
+     * @param identifiers
+     *     The collection of strings to filter.
+     *
+     * @return
+     *     A new collection containing only the strings within the provided
+     *     collection which are valid identifiers.
+     */
+    public static Collection<String> filterIdentifiers(Collection<String> identifiers)
{
+
+        // Obtain enough space for a full copy of the given identifiers
+        Collection<String> validIdentifiers = new ArrayList<String>(identifiers.size());
+
+        // Add only valid identifiers to the copy
+        for (String identifier : identifiers) {
+            if (ObjectModel.isValidIdentifier(identifier))
+                validIdentifiers.add(identifier);
+        }
+
+        return validIdentifiers;
+
+    }
+
 }
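Review bot: `isValidIdentifier` still accepts strings that can produce the SQL errors its Javadoc warns about. `Character.isDigit` is true for any Unicode decimal digit, not only `0`-`9`, and there is no length limit, so an arbitrarily long run of digits passes. Restricting the loop to ASCII with `char c = identifier.charAt(i); if (c < '0' || c > '9') return false;` and rejecting strings longer than the ID column's type can hold would close both gaps. How the identifier is bound to the query is not visible here, so the exact bound needs checking against the schema. A null element in the collection also throws at `identifier.isEmpty()`; `if (identifier == null || identifier.isEmpty())` would treat it as invalid instead.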

