Update deps. Update java-http:2.0 with logger changes.

prime-framework · Jul 27, 2023 · 422f979 · 422f979
1 parent bbd5ec5
commit 422f979
Show file tree

Hide file tree

Showing 5 changed files with 115 additions and 43 deletions.
diff --git a/prime-mvc.ipr b/prime-mvc.ipr
@@ -660,43 +660,6 @@
         <option name="EXPR_CASE_THEN_WRAP" value="true" />
         <option name="PRIMARY_KEY_NAME_TEMPLATE" value="{table}_{columns}_pk" />
       </H2CodeStyleSettings>
-      <H2CodeStyleSettings version="6">
-        <option name="USE_GENERAL_STYLE" value="false" />
-        <option name="TYPE_CASE" value="3" />
-        <option name="CUSTOM_TYPE_CASE" value="3" />
-        <option name="ALIAS_CASE" value="4" />
-        <option name="BUILT_IN_CASE" value="0" />
-        <option name="QUERY_TRUE_INDENT" value="false" />
-        <option name="QUERY_ALIGN_ELEMENTS" value="false" />
-        <option name="QUERY_ALIGN_LINE_COMMENTS" value="false" />
-        <option name="INSERT_EL_COMMA" value="2" />
-        <option name="SET_EL_WRAP" value="0" />
-        <option name="SET_EL_COMMA" value="0" />
-        <option name="WITH_EL_WRAP" value="0" />
-        <option name="WITH_EL_COMMA" value="0" />
-        <option name="SELECT_EL_WRAP" value="3" />
-        <option name="SELECT_EL_COMMA" value="2" />
-        <option name="FROM_EL_WRAP" value="2" />
-        <option name="FROM_EL_COMMA" value="2" />
-        <option name="FROM_PLACE_ON" value="10" />
-        <option name="WHERE_EL_WRAP" value="3" />
-        <option name="WHERE_EL_BOUND" value="2" />
-        <option name="ORDER_EL_COMMA" value="2" />
-        <option name="TABLE_OPENING" value="1" />
-        <option name="TABLE_CONTENT" value="2" />
-        <option name="TABLE_CLOSING" value="3" />
-        <option name="TABLE_ALTER_INSTRUCTION_ALIGN" value="false" />
-        <option name="POST_OPT_WRAP_1" value="true" />
-        <option name="POST_OPT_ALIGN" value="false" />
-        <option name="ROUTINE_ARG_COMMA" value="2" />
-        <option name="ROUTINE_ARG_ALIGN_TYPES" value="true" />
-        <option name="IMP_DECLARE_EL_WRAP" value="1" />
-        <option name="IMP_IF_THEN_WRAP_THEN" value="true" />
-        <option name="CORTEGE_SPACE_BEFORE_L_PAREN" value="false" />
-        <option name="EXPR_CASE_WHEN_WRAP" value="false" />
-        <option name="EXPR_CASE_THEN_WRAP" value="true" />
-        <option name="PRIMARY_KEY_NAME_TEMPLATE" value="{table}_{columns}_pk" />
-      </H2CodeStyleSettings>
       <HSQLCodeStyleSettings version="6">
         <option name="USE_GENERAL_STYLE" value="false" />
         <option name="TYPE_CASE" value="3" />

diff --git a/src/main/java/org/primeframework/mvc/parameter/el/Expression.java b/src/main/java/org/primeframework/mvc/parameter/el/Expression.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001-2017, Inversoft Inc., All Rights Reserved
+ * Copyright (c) 2001-2023, Inversoft Inc., All Rights Reserved
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -177,9 +177,8 @@ private void next() {
   }
 
   /**
-   * This breaks the expression name down into manageable pieces. These are the individual instances of the Atom inner
-   * class which store the name and the indices (which could be null or any object). This is broken on the '.'
-   * character.
+   * This breaks the expression name down into manageable pieces. These are the individual instances of the Atom inner class which store the name and
+   * the indices (which could be null or any object). This is broken on the '.' character.
    *
    * @param expression The expression string to break down.
    * @return A new ArrayList of PropertyInfo objects.
@@ -259,6 +258,16 @@ private List<String> parse(String expression) throws ExpressionException {
       list.add(new String(buf, 0, position));
     }
 
+    // atom may be null
+    // - The 'class' name is reserved. This will fail anyway, but failing earlier with a better message. This also
+    //   allows us to ignore this expression when allowUnknownParameters is true which will avoid un-necessary
+    //   logging.
+    for (String atom : list) {
+      if ("class".equals(atom)) {
+        throw new InvalidExpressionException("The expression string [" + expression + "] is invalid.");
+      }
+    }
+
     return list;
   }
 

diff --git a/src/test/java/org/example/action/Vanilla.java b/src/test/java/org/example/action/Vanilla.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2023, Inversoft Inc., All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific
+ * language governing permissions and limitations under the License.
+ */
+package org.example.action;
+
+import org.primeframework.mvc.action.annotation.Action;
+import org.primeframework.mvc.action.result.annotation.Status;
+
+/**
+ * Standard action, nothing special here.
+ *
+ * @author Daniel DeGroff
+ */
+@Action
+@Status.List({
+    @Status,
+    @Status(code = "error", status = 500)
+})
+public class Vanilla {
+
+  public String get() {
+    return "success";
+  }
+
+
+  public String post() {
+    return "success";
+  }
+}
diff --git a/src/test/java/org/primeframework/mvc/GlobalTest.java b/src/test/java/org/primeframework/mvc/GlobalTest.java
@@ -573,6 +573,25 @@ public void get_fullFormWithAllAttributes() throws Exception {
              .assertBodyFile(Path.of("src/test/resources/html/full-form.html"));
   }
 
+  @Test
+  public void get_fuzzing_invalid_expression() throws Exception {
+    // simulate a production runtime
+    configuration.allowUnknownParameters = true;
+    test.simulate(() -> simulator.test("/vanilla")
+                                 // This is an invalid expression, but unknown parameters are ignored.
+                                 .withParameter("class.method", "foo")
+                                 .get()
+                                 .assertStatusCode(200));
+
+    // simulate dev runtime
+    configuration.allowUnknownParameters = false;
+    test.simulate(() -> simulator.test("/vanilla")
+                                 // This is an invalid expression, an exception will be thrown and return a 500.
+                                 .withParameter("class.method", "foo")
+                                 .get()
+                                 .assertStatusCode(500));
+  }
+
   @Test
   public void get_index() throws Exception {
     test.simulate(() -> simulator.test("/user/")
@@ -1744,6 +1763,25 @@ public void post_freemarker_escape() throws Exception {
                                      .assertElementExists("input[name=listTest2][value=none][checked]"));
   }
 
+  @Test
+  public void post_fuzzing_invalid_expression() throws Exception {
+    // simulate a production runtime
+    configuration.allowUnknownParameters = true;
+    test.simulate(() -> simulator.test("/vanilla")
+                                 // This is an invalid expression, but unknown parameters are ignored.
+                                 .withParameter("class.method", "foo")
+                                 .post()
+                                 .assertStatusCode(200));
+
+    // simulate dev runtime
+    configuration.allowUnknownParameters = false;
+    test.simulate(() -> simulator.test("/vanilla")
+                                 // This is an invalid expression, an exception will be thrown and return a 500.
+                                 .withParameter("class.method", "foo")
+                                 .post()
+                                 .assertStatusCode(500));
+  }
+
   @Test
   public void post_generics() throws Exception {
     test.simulate(() -> simulator.test("/generics")

diff --git a/src/test/java/org/primeframework/mvc/parameter/el/DefaultExpressionEvaluatorTest.java b/src/test/java/org/primeframework/mvc/parameter/el/DefaultExpressionEvaluatorTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001-2019, Inversoft Inc., All Rights Reserved
+ * Copyright (c) 2001-2023, Inversoft Inc., All Rights Reserved
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -41,7 +41,6 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.testng.annotations.Test;
-import static java.util.Arrays.asList;
 import static org.testng.Assert.assertEquals;
 import static org.testng.Assert.assertFalse;
 import static org.testng.Assert.assertNull;
@@ -278,6 +277,28 @@ public void fieldSettingWithCollectionSingleValue() {
     assertEquals(action.user.name, "Brian");
   }
 
+  @Test
+  public void fuzzing() {
+    // Trying to recreate an exception found in a customer log that looks to be fuzzing.
+    GenericBean bean = new GenericBean();
+
+    // Cannot use class in a setValue expression
+    try {
+      evaluator.setValue("class.method", bean, "foo");
+      fail("Expected an [InvalidExpressionException] exception.");
+    } catch (InvalidExpressionException e) {
+      assertEquals(e.getMessage(), "The expression string [class.method] is invalid.");
+    }
+
+    // Cannot use class in a getValue expression
+    try {
+      evaluator.getValue("class.name", bean);
+      fail("Expected an [InvalidExpressionException] exception.");
+    } catch (InvalidExpressionException e) {
+      assertEquals(e.getMessage(), "The expression string [class.name] is invalid.");
+    }
+  }
+
   @Test
   public void genericInheritanceImplements() {
     GenericBean bean = new GenericBean();