This is an automated email from the ASF dual-hosted git repository.

madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git

commit 83978aa0dbf6a1caab5288d36f11e352b9e09115
Author: Eckman, Barbara <barbara_eck...@cable.comcast.com>
AuthorDate: Mon Sep 25 15:31:51 2023 -0400

    RANGER-4234: updated RangerRequestScriptEvaluator to handle double-brackets 
in expressions
    
    Signed-off-by: Madhan Neethiraj <mad...@apache.org>
---
 agents-common/dev-support/spotbugsIncludeFile.xml  | 64 ++++++++++++++++++++++
 .../policyengine/RangerRequestScriptEvaluator.java | 25 +++++----
 2 files changed, 79 insertions(+), 10 deletions(-)

diff --git a/agents-common/dev-support/spotbugsIncludeFile.xml 
b/agents-common/dev-support/spotbugsIncludeFile.xml
new file mode 100644
index 000000000..9a0a9261a
--- /dev/null
+++ b/agents-common/dev-support/spotbugsIncludeFile.xml
@@ -0,0 +1,64 @@
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+-->
+<FindBugsFilter>
+  <!--
+        For now, lets find only critical bugs from static code analyzer
+  -->
+  <Match>
+    <Priority value="1"/>
+    <Not>
+      <Or>
+        <Bug pattern="DM_DEFAULT_ENCODING" />
+        <Bug pattern="ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD" />
+        <Bug pattern="MS_SHOULD_BE_FINAL" />
+        <Bug pattern="RU_INVOKE_RUN" />
+        <Bug pattern="DM_BOXED_PRIMITIVE_FOR_PARSING" />
+        <Bug pattern="NP_BOOLEAN_RETURN_NULL" />
+        <Bug pattern="SE_BAD_FIELD" />
+        <Bug pattern="NP_NULL_ON_SOME_PATH" />
+        <Bug pattern="RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE" />
+        <Bug pattern="HE_EQUALS_USE_HASHCODE" />
+        <Bug pattern="RC_REF_COMPARISON" />
+        <Bug pattern="MS_SHOULD_BE_REFACTORED_TO_BE_FINAL" />
+        <Bug pattern="RV_EXCEPTION_NOT_THROWN" />
+        <Bug pattern="DMI_INVOKING_TOSTRING_ON_ARRAY" />
+        <Bug pattern="RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT" />
+        <Bug pattern="UC_USELESS_CONDITION" />
+        <Bug pattern="RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE" />
+        <Bug pattern="MS_MUTABLE_COLLECTION" />
+        <Bug pattern="DM_BOXED_PRIMITIVE_TOSTRING" />
+        <Bug pattern="NP_NULL_PARAM_DEREF" />
+        <Bug pattern="NM_SAME_SIMPLE_NAME_AS_SUPERCLASS" />
+        <Bug pattern="IL_INFINITE_RECURSIVE_LOOP" />
+        <Bug pattern="DMI_RANDOM_USED_ONLY_ONCE" />
+        <Bug pattern="UI_INHERITANCE_UNSAFE_GETRESOURCE" />
+      </Or>
+    </Not>
+  </Match>
+  <!-- TODO: enable each priority one by one
+  <Match>
+      <Priority value="2"/>
+  </Match>
+  <Match>
+      <Priority value="3"/>
+  </Match>
+  <Match>
+      <Priority value="4"/>
+  </Match>
+  -->
+
+</FindBugsFilter>
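Review bot: The `<Not><Or>` list inside the priority-1 `<Match>` switches off correctness detectors such as `NP_NULL_PARAM_DEREF`, `NP_NULL_ON_SOME_PATH`, `IL_INFINITE_RECURSIVE_LOOP` and `HE_EQUALS_USE_HASHCODE` for everything this filter covers, and nothing in the file says which existing findings motivated each exclusion. Because agents-common holds the policy engine, a blanket exclusion also hides any new finding of the same kind. Consider narrowing each exclusion with a `<Class name="..."/>` element to the classes that currently trip it, or at least add a per-pattern comment such as `<!-- excluded: existing findings, tracked in ISSUE-ID-PLACEHOLDER -->`. The commit message does not mention this file, so a sentence there on why it was added would help later readers.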
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
index 7ac20764f..0df8686e3 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
@@ -29,6 +29,7 @@ import org.apache.ranger.plugin.util.MacroProcessor;
 import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
 import org.apache.ranger.plugin.util.RangerPerfTracer;
 import org.apache.ranger.plugin.util.RangerUserStore;
+import org.apache.ranger.plugin.util.JavaScriptEdits;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -57,16 +58,16 @@ public final class RangerRequestScriptEvaluator {
        private static final String DEFAULT_ATLAS_TAG_ATTRIBUTE_DATE_FORMAT     
= "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'";
        private static final String SCRIPT_SAFE_PREEXEC                         
= "exit=null;quit=null;";
        private static final String SCRIPT_PREEXEC                              
= SCRIPT_VAR__CTX + "=JSON.parse(" + SCRIPT_VAR__CTX_JSON + "); 
J=JSON.stringify;" +
-                                                                               
  SCRIPT_VAR_REQ + "=" + SCRIPT_VAR__CTX + "." + SCRIPT_FIELD_REQUEST + ";" +
-                                                                               
  SCRIPT_VAR_RES + "=" + SCRIPT_VAR_REQ + "." + SCRIPT_FIELD_RESOURCE + ";" +
-                                                                               
  SCRIPT_VAR_USER + "=" + SCRIPT_VAR_REQ + "." + SCRIPT_FIELD_USER_ATTRIBUTES + 
";" +
-                                                                               
  SCRIPT_VAR_UGNAMES + "=" + SCRIPT_VAR_REQ + "." + SCRIPT_FIELD_USER_GROUPS + 
";" +
-                                                                               
  SCRIPT_VAR_UG + "=" + SCRIPT_VAR_REQ + "." + 
SCRIPT_FIELD_USER_GROUP_ATTRIBUTES + ";" +
-                                                                               
  SCRIPT_VAR_UGA + "=" + SCRIPT_VAR_REQ + "." + SCRIPT_FIELD_UGA + ";" +
-                                                                               
  SCRIPT_VAR_URNAMES + "=" + SCRIPT_VAR_REQ + "." + SCRIPT_FIELD_USER_ROLES + 
";" +
-                                                                               
  SCRIPT_VAR_TAG + "=" + SCRIPT_VAR__CTX + "." + SCRIPT_FIELD_TAG + ";" +
-                                                                               
  SCRIPT_VAR_TAGS + "=" + SCRIPT_VAR__CTX + "." + SCRIPT_FIELD_TAGS + ";" +
-                                                                               
  SCRIPT_VAR_TAGNAMES + "=" + SCRIPT_VAR__CTX + "." + SCRIPT_FIELD_TAG_NAMES + 
";";
+                       SCRIPT_VAR_REQ + "=" + SCRIPT_VAR__CTX + "." + 
SCRIPT_FIELD_REQUEST + ";" +
+                       SCRIPT_VAR_RES + "=" + SCRIPT_VAR_REQ + "." + 
SCRIPT_FIELD_RESOURCE + ";" +
+                       SCRIPT_VAR_USER + "=" + SCRIPT_VAR_REQ + "." + 
SCRIPT_FIELD_USER_ATTRIBUTES + ";" +
+                       SCRIPT_VAR_UGNAMES + "=" + SCRIPT_VAR_REQ + "." + 
SCRIPT_FIELD_USER_GROUPS + ";" +
+                       SCRIPT_VAR_UG + "=" + SCRIPT_VAR_REQ + "." + 
SCRIPT_FIELD_USER_GROUP_ATTRIBUTES + ";" +
+                       SCRIPT_VAR_UGA + "=" + SCRIPT_VAR_REQ + "." + 
SCRIPT_FIELD_UGA + ";" +
+                       SCRIPT_VAR_URNAMES + "=" + SCRIPT_VAR_REQ + "." + 
SCRIPT_FIELD_USER_ROLES + ";" +
+                       SCRIPT_VAR_TAG + "=" + SCRIPT_VAR__CTX + "." + 
SCRIPT_FIELD_TAG + ";" +
+                       SCRIPT_VAR_TAGS + "=" + SCRIPT_VAR__CTX + "." + 
SCRIPT_FIELD_TAGS + ";" +
+                       SCRIPT_VAR_TAGNAMES + "=" + SCRIPT_VAR__CTX + "." + 
SCRIPT_FIELD_TAG_NAMES + ";";
        private static final Pattern JSON_VAR_NAMES_PATTERN   = 
Pattern.compile(getJsonVarNamesPattern());
        private static final Pattern USER_ATTRIBUTES_PATTERN  = 
Pattern.compile(getUserAttributesPattern());
        private static final Pattern GROUP_ATTRIBUTES_PATTERN = 
Pattern.compile(getGroupAttributesPattern());
@@ -231,6 +232,10 @@ public final class RangerRequestScriptEvaluator {
                        script = SCRIPT_POLYFILL_INTERSECTS + script;
                }
 
+               if (JavaScriptEdits.hasDoubleBrackets(script)) {
+                       script = JavaScriptEdits.replaceDoubleBrackets(script);
+               }
+
                if (LOG.isDebugEnabled()) {
                        
LOG.debug("RangerRequestScriptEvaluator.evaluateScript(): script={" + script + 
"}");
                }
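Review bot: The added `JavaScriptEdits.replaceDoubleBrackets(script)` call runs on the whole script text after `SCRIPT_POLYFILL_INTERSECTS` may already have been prepended. The rewrite is therefore applied to Ranger's own polyfill source and to any string or nested-array literal (for example `[[1,2],[3]]`) in the policy condition, not only to the double-bracket syntax it targets. JavaScriptEdits is not part of this diff, so whether it skips quoted text cannot be confirmed from here. Since the rewritten text decides an access-policy condition, unit tests for those inputs and a comment such as `// rewrites double-bracket syntax only; must leave string literals and nested array literals unchanged` would pin the contract. The `LOG.debug` line prints only the rewritten script, so logging the original expression beside it would show what the policy author actually entered. The enclosing method starts and ends outside the hunk.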
