This is an automated email from the ASF dual-hosted git repository.
adamsaghy pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/fineract.git
The following commit(s) were added to refs/heads/develop by this push:
new 24cee73dc0 FINERACT-2181: modified inject-comment sql validation
pattern to not match single dashes
24cee73dc0 is described below
commit 24cee73dc06dba85392a7637fa15bb8e9282069e
Author: mark.vituska <[email protected]>
AuthorDate: Tue Mar 4 16:19:39 2025 +0100
FINERACT-2181: modified inject-comment sql validation pattern to not match
single dashes
---
.../src/main/resources/application.properties | 2 +-
.../dataqueries/service/SqlValidatorTest.java | 48 ++++++++++++++++++++++
.../src/test/resources/application-test.properties | 2 +-
3 files changed, 50 insertions(+), 2 deletions(-)
diff --git a/fineract-provider/src/main/resources/application.properties
b/fineract-provider/src/main/resources/application.properties
index 93934d9ab4..9f264f1ae5 100644
--- a/fineract-provider/src/main/resources/application.properties
+++ b/fineract-provider/src/main/resources/application.properties
@@ -220,7 +220,7 @@
fineract.sql-validation.patterns[6].pattern=(?i).*[;]+\\s*(create|drop|alter|tru
# inject-comment
fineract.sql-validation.patterns[7].name=inject-comment
-fineract.sql-validation.patterns[7].pattern=(?i).*\\s+(-|/\\*|#|\\(\\{)++.*
+fineract.sql-validation.patterns[7].pattern=(?i).*\\s+(--|/\\*|#|\\(\\{)++.*
# main
fineract.sql-validation.profiles[0].name=main
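Review bot: The new inject-comment pattern on the `+` line still requires at least one whitespace character before the comment token (`\\s+`), so a `--` glued to the preceding token (`Active--`, `1--`) is not matched by this rule, and the only test added for it (`"Loan Report -- Active"`) exercises the spaced form alone. Both PostgreSQL and MySQL treat `--` as a comment start regardless of what precedes it (MySQL only requires whitespace after the second dash), so the leading-whitespace requirement is a gap rather than a dialect constraint; it predates this commit but is worth closing while the rule is being touched. The narrower change would be `fineract.sql-validation.patterns[7].pattern=(?i).*(--|/\\*|#|\\(\\{)++.*`, which keeps `"Loan Report - Active"` accepted while rejecting the unspaced variants. That is stricter than today for `#`, `/*` and `({` embedded without a space (e.g. `Report#12`), so confirm no legitimate stored values rely on that before changing it, and add a test for the unspaced `--` case alongside the existing one.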
diff --git
a/fineract-provider/src/test/java/org/apache/fineract/infrastructure/dataqueries/service/SqlValidatorTest.java
b/fineract-provider/src/test/java/org/apache/fineract/infrastructure/dataqueries/service/SqlValidatorTest.java
new file mode 100644
index 0000000000..de52837b2f
--- /dev/null
+++
b/fineract-provider/src/test/java/org/apache/fineract/infrastructure/dataqueries/service/SqlValidatorTest.java
@@ -0,0 +1,48 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.fineract.infrastructure.dataqueries.service;
+
+import org.apache.fineract.TestConfiguration;
+import
org.apache.fineract.infrastructure.security.exception.SqlValidationException;
+import org.apache.fineract.infrastructure.security.service.SqlValidator;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.test.context.ContextConfiguration;
+
+@SpringBootTest
+@ContextConfiguration(classes = TestConfiguration.class)
+public class SqlValidatorTest {
+
+ @Autowired
+ private SqlValidator sqlValidator;
+
+ @Test
+ public void testSingleDashInParameterName() {
+ final String paramToValidate = "Loan Report - Active";
+ Assertions.assertDoesNotThrow(() ->
sqlValidator.validate(paramToValidate));
+ }
+
+ @Test
+ public void testCommentInjectionAttempt() {
+ final String paramToValidate = "Loan Report -- Active";
+ Assertions.assertThrows(SqlValidationException.class, () ->
sqlValidator.validate(paramToValidate));
+ }
+}
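Review bot: The two tests cover only the `--` alternative of the inject-comment rule, and only with whitespace on both sides; the `/*`, `#` and `({` alternatives, a `--` with no preceding whitespace, and the single-dash edge cases the commit is really about (leading `-Active`, trailing `Report -`) are not exercised, so a later edit to the regex could drop one of them without any test going red. Since the validator is wired up through a full `@SpringBootTest` context, adding cases is cheap relative to the fixture cost already paid. I would add the methods below (the unspaced `--` case will likely fail against the current pattern because of its leading `\s+`, which is useful to know). If the project already has JUnit params on the test classpath, a `@ParameterizedTest` with `@ValueSource` would be tidier than one method per input.
```java
    // … unchanged: existing testSingleDashInParameterName / testCommentInjectionAttempt …

    @Test
    public void testLeadingAndTrailingSingleDashAreAccepted() {
        Assertions.assertDoesNotThrow(() -> sqlValidator.validate("-Active"));
        Assertions.assertDoesNotThrow(() -> sqlValidator.validate("Loan Report -"));
    }

    @Test
    public void testOtherCommentMarkersAreRejected() {
        Assertions.assertThrows(SqlValidationException.class, () -> sqlValidator.validate("Loan Report /* Active"));
        Assertions.assertThrows(SqlValidationException.class, () -> sqlValidator.validate("Loan Report # Active"));
        Assertions.assertThrows(SqlValidationException.class, () -> sqlValidator.validate("Loan Report ({ Active"));
    }

    @Test
    public void testDoubleDashWithoutLeadingWhitespaceIsRejected() {
        // No space before "--": still a comment start in PostgreSQL and MySQL.
        Assertions.assertThrows(SqlValidationException.class, () -> sqlValidator.validate("Loan Report-- Active"));
    }
```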
diff --git a/fineract-provider/src/test/resources/application-test.properties
b/fineract-provider/src/test/resources/application-test.properties
index 3f9cba12b9..6a6435058a 100644
--- a/fineract-provider/src/test/resources/application-test.properties
+++ b/fineract-provider/src/test/resources/application-test.properties
@@ -137,7 +137,7 @@
fineract.sql-validation.patterns[6].pattern=(?i).*[;]+\\s*(create|drop|alter|tru
# inject-comment
fineract.sql-validation.patterns[7].name=inject-comment
-fineract.sql-validation.patterns[7].pattern=(?i).*\\s+(-|/\\*|#|\\(\\{)++.*
+fineract.sql-validation.patterns[7].pattern=(?i).*\\s+(--|/\\*|#|\\(\\{)++.*
# main
fineract.sql-validation.profiles[0].name=main
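Review bot: The inject-comment regex is now maintained byte-for-byte in two places, this test resource and `fineract-provider/src/main/resources/application.properties`, and the diffstat shows both had to be edited together for this fix. If `SqlValidatorTest` picks up this file through `TestConfiguration` (not visible here, so treat as an assumption), the new tests only ever validate the test copy, and a future edit to the production pattern alone would leave the tests green. A one-line comment above the pattern here, `# Keep in sync with fineract-provider/src/main/resources/application.properties (patterns[7]); SqlValidatorTest validates this copy only.`, makes the coupling explicit; better still would be a test that reads the main properties file and asserts the two `patterns[7].pattern` values are equal.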