This is an automated email from the ASF dual-hosted git repository.
vorburger pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/fineract.git
The following commit(s) were added to refs/heads/develop by this push:
new 37b8219 FINERACT-1006 Fixes: NullPointerException at
SQLInjectionValidator
37b8219 is described below
commit 37b8219a03827e45d24a890bf9fe8dd39b40e1f9
Author: Manthan Surkar <[email protected]>
AuthorDate: Tue Jul 14 03:52:09 2020 +0530
FINERACT-1006 Fixes: NullPointerException at SQLInjectionValidator
---
.../fineract/infrastructure/security/utils/ColumnValidator.java | 4 ++++
.../infrastructure/security/utils/SQLInjectionValidator.java | 7 +++++++
2 files changed, 11 insertions(+)
diff --git
a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/ColumnValidator.java
b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/ColumnValidator.java
index 18a563b..18d833a 100644
---
a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/ColumnValidator.java
+++
b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/ColumnValidator.java
@@ -29,6 +29,7 @@ import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
+import org.apache.commons.lang3.StringUtils;
import org.apache.fineract.infrastructure.core.service.RoutingDataSource;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -91,6 +92,9 @@ public class ColumnValidator {
public void validateSqlInjection(String schema, String... conditions) {
for (String condition : conditions) {
+ if (StringUtils.isBlank(condition)) {
+ continue;
+ }
SQLInjectionValidator.validateSQLInput(condition);
List<String> operator = new ArrayList<>(Arrays.asList("=", ">",
"<", "> =", "< =", "! =", "!=", ">=", "<="));
condition = condition.trim().replace("( ", "(").replace(" )",
")").toLowerCase();
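Review bot: The new `continue` skips not only the validateSQLInput call but also the operator parsing and whatever column checks follow it, so a null or whitespace-only element now passes validateSqlInjection silently where it previously raised a NullPointerException; that is a reasonable contract for a blank condition, but it should be stated at the guard, e.g. `// a blank condition carries nothing to validate or inject; skip it rather than fail`. The guard does not cover the `conditions` array itself being null, which would presumably still throw at the for loop if a caller passes `(String[]) null` — callers are not visible here, so this is hedged. validateSqlInjection continues past the hunk.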
diff --git
a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
index 60ff8e3..ce0c85d 100644
---
a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
+++
b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
@@ -21,6 +21,7 @@ package org.apache.fineract.infrastructure.security.utils;
import java.util.StringTokenizer;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
+import org.apache.commons.lang3.StringUtils;
public class SQLInjectionValidator {
@@ -33,6 +34,9 @@ public class SQLInjectionValidator {
private static final String SQL_PATTERN = "[a-zA-Z_=,\\-'!><.?\"`%
()0-9*\n\r]*";
public static final void validateSQLInput(final String sqlSearch) {
+ if (StringUtils.isBlank(sqlSearch)) {
+ return;
+ }
String lowerCaseSQL = sqlSearch.toLowerCase();
for (String ddl : DDL_COMMANDS) {
if (lowerCaseSQL.contains(ddl)) {
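Review bot: The early return turns null and whitespace-only input into an undocumented no-op for a validator whose remaining body, starting with the DDL_COMMANDS scan, exists to reject dangerous input, so a caller reading only the signature may assume blank input is rejected. A short Javadoc line on validateSQLInput would pin the contract, e.g. `/** Validates sqlSearch against the DDL/DML keyword lists and the allowed-character pattern; a null or blank sqlSearch is accepted without any checks. */`. Using StringUtils.isBlank here also means whitespace-only input is treated the same as null, which matches the trim() applied in validateAdhocQuery. The same guard and the same missing documentation apply to the validateAdhocQuery hunk below; both methods continue past their hunks.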
@@ -118,6 +122,9 @@ public class SQLInjectionValidator {
}
public static final void validateAdhocQuery(final String sqlSearch) {
+ if (StringUtils.isBlank(sqlSearch)) {
+ return;
+ }
String lowerCaseSQL = sqlSearch.toLowerCase().trim();
for (String ddl : DDL_COMMANDS) {
if (lowerCaseSQL.startsWith(ddl)) {