From thom...@apache.org
Subject svn commit: r1417488 - in /jackrabbit/oak/trunk: oak-core/src/main/java/org/apache/jackrabbit/oak/query/ oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/query/
Date Wed, 05 Dec 2012 15:40:05 GMT
Author: thomasm
Date: Wed Dec  5 15:40:04 2012
New Revision: 1417488

URL: http://svn.apache.org/viewvc?rev=1417488&view=rev
Log:
OAK-320 Query: ability to disable/enable literals in queries to protect against code injection

Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/QueryEngineImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/SQL2Parser.java
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/query/QueryTest.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/QueryEngineImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/QueryEngineImpl.java?rev=1417488&r1=1417487&r2=1417488&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/QueryEngineImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/QueryEngineImpl.java
Wed Dec  5 15:40:04 2012
@@ -42,6 +42,8 @@ public class QueryEngineImpl {
     static final String SQL = "sql";
     static final String XPATH = "xpath";
     static final String JQOM = "JCR-JQOM";
+    
+    static final String NO_LITERALS = "-noLiterals";
 
     private static final Logger LOG = LoggerFactory.getLogger(QueryEngineImpl.class);
 
@@ -54,7 +56,8 @@ public class QueryEngineImpl {
     }
 
     public List<String> getSupportedQueryLanguages() {
-        return Arrays.asList(SQL2, SQL, XPATH, JQOM);
+        return Arrays.asList(SQL2, SQL, XPATH, JQOM,
+                SQL2 + NO_LITERALS, SQL + NO_LITERALS, XPATH + NO_LITERALS);
     }
 
     /**
@@ -75,17 +78,20 @@ public class QueryEngineImpl {
         if (LOG.isDebugEnabled()) {
             LOG.debug(language + ": " + statement);
         }
+        SQL2Parser parser = new SQL2Parser();
+        if (language.endsWith(NO_LITERALS)) {
+            language = language.substring(0, language.length() - NO_LITERALS.length());
+            parser.setAllowNumberLiterals(false);
+            parser.setAllowTextLiterals(false);
+        }
         if (SQL2.equals(language) || JQOM.equals(language)) {
-            SQL2Parser parser = new SQL2Parser();
             q = parser.parse(statement);
         } else if (SQL.equals(language)) {
-            SQL2Parser parser = new SQL2Parser();
             parser.setSupportSQL1(true);
             q = parser.parse(statement);
         } else if (XPATH.equals(language)) {
             XPathToSQL2Converter converter = new XPathToSQL2Converter();
             String sql2 = converter.convert(statement);
-            SQL2Parser parser = new SQL2Parser();
             if (LOG.isDebugEnabled()) {
                 LOG.debug("XPath > SQL2: " + sql2);
             }
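Review bot: The `-noLiterals` decision is taken solely from the caller-supplied `language` string, and the hunk then overwrites the `language` parameter, so any later diagnostic in this method (which begins before and ends after the hunk) no longer sees the name the caller actually passed; a local such as `String baseLanguage = language.substring(0, language.length() - NO_LITERALS.length());` would keep both. For the XPath branch the converter output is parsed with literals disabled, and I cannot see here whether `XPathToSQL2Converter` itself emits string or number literals (for path constraints, say) — if it does, every `xpath-noLiterals` query would be rejected, and the new QueryTest only exercises `Query.JCR_SQL2 + "-noLiterals"`, so an XPath and a SQL case are worth adding. The suffix match is case-sensitive, so `"-noliterals"` presumably falls through to the existing unknown-language handling rather than enabling the protection; a short comment stating that the suffix is exact would save a reader the question.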

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/SQL2Parser.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/SQL2Parser.java?rev=1417488&r1=1417487&r2=1417488&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/SQL2Parser.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/SQL2Parser.java
Wed Dec  5 15:40:04 2012
@@ -35,6 +35,8 @@ import org.apache.jackrabbit.oak.query.a
 import org.apache.jackrabbit.oak.query.ast.SourceImpl;
 import org.apache.jackrabbit.oak.query.ast.StaticOperandImpl;
 import org.apache.jackrabbit.oak.spi.query.PropertyValues;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import javax.jcr.PropertyType;
 import java.math.BigDecimal;
@@ -47,6 +49,8 @@ import java.util.HashMap;
  * language (here named SQL-1) is also supported.
  */
 public class SQL2Parser {
+    
+    private static final Logger LOG = LoggerFactory.getLogger(SQL2Parser.class);
 
     // Character types, used during the tokenizer phase
     private static final int CHAR_END = -1, CHAR_VALUE = 2, CHAR_QUOTED = 3;
@@ -1031,13 +1035,18 @@ public class SQL2Parser {
             i++;
         }
         currentToken = "'";
-        checkLiterals(false);
+        if (end != ']') {
+            checkLiterals(false);
+        }
         currentValue = PropertyValues.newString(result);
         parseIndex = i;
         currentTokenType = VALUE;
     }
 
     private void checkLiterals(boolean text) throws ParseException {
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("Literal used in query: " + statement);
+        }
         if (text && !allowTextLiterals || !text && !allowNumberLiterals)
{
             throw getSyntaxError("bind variable (literals of this type not allowed)");
         }
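Review bot: The new debug line in `checkLiterals` logs the complete `statement`, which is exactly the text this mode is meant to keep free of sensitive values — the accompanying test uses `password = 'x'`, and with debug logging enabled the literal would be written to the log before the query is rejected; log the literal kind instead, e.g. `LOG.debug("Literal used in query (text={})", text);` using the SLF4J placeholder form now that the logger is available. The `if (end != ']')` skip deserves a why-comment, since a reader will otherwise wonder why one quoting style escapes the check; presumably a bracketed name is an identifier rather than a string value, so `// names quoted with [...] are identifiers, not literals` would do once that is confirmed. Both the quoted-string tokenizer and `checkLiterals` continue outside the hunk.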

Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/query/QueryTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/query/QueryTest.java?rev=1417488&r1=1417487&r2=1417488&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/query/QueryTest.java
(original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/query/QueryTest.java
Wed Dec  5 15:40:04 2012
@@ -21,6 +21,7 @@ package org.apache.jackrabbit.oak.jcr.qu
 import static junit.framework.Assert.assertEquals;
 import static junit.framework.Assert.assertTrue;
 import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.fail;
 
 import java.io.ByteArrayInputStream;
 import java.util.Arrays;
@@ -33,6 +34,7 @@ import javax.jcr.NodeIterator;
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
 import javax.jcr.ValueFactory;
+import javax.jcr.query.InvalidQueryException;
 import javax.jcr.query.Query;
 import javax.jcr.query.QueryManager;
 import javax.jcr.query.QueryResult;
@@ -205,6 +207,7 @@ public class QueryTest extends AbstractR
         }
     }
 
+    @SuppressWarnings("deprecation")
     @Test
     public void nodeTypeConstraint() throws Exception {
         Session session = getAdminSession();
@@ -225,4 +228,31 @@ public class QueryTest extends AbstractR
         assertEquals(new HashSet<String>(Arrays.asList("/folder1", "/folder2", "/folder2/folder3")),
                 paths);
     }
+    
+    @Test
+    public void noLiterals() throws RepositoryException {
+        Session session = getAdminSession();
+        ValueFactory vf = session.getValueFactory();
+        QueryManager qm = session.getWorkspace().getQueryManager();
+        
+        // insecure
+        try {
+            Query q = qm.createQuery(
+                    "select text from [nt:base] where password = 'x'", 
+                    Query.JCR_SQL2 + "-noLiterals");
+            q.execute();
+            fail();
+        } catch (InvalidQueryException e) {
+            assertTrue(e.toString(), e.toString().indexOf(
+                    "literals of this type not allowed") > 0);
+        }
+
+        // secure
+        Query q = qm.createQuery(
+                "select text from [nt:base] where password = $p", 
+                Query.JCR_SQL2 + "-noLiterals");
+        q.bindValue("p", vf.createValue("x"));
+        q.execute();
+    }
+
 }
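Review bot: `fail()` on the insecure path carries no message, and the assertion in the catch uses `indexOf(...) > 0`, which would miss a match at index 0 and reads less clearly than `contains`; I would write `fail("inline literal must be rejected in -noLiterals mode");` and `assertTrue(e.toString(), e.toString().contains("literals of this type not allowed"));`. The secure path discards the `QueryResult` and only checks that `execute()` does not throw, so nothing verifies that the bound value actually reached the query. Only a text literal and only `Query.JCR_SQL2` are covered, although the change also disables number literals and accepts the suffix for the SQL and XPath languages.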


