This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
commit 83978aa0dbf6a1caab5288d36f11e352b9e09115 Author: Eckman, Barbara <barbara_eck...@cable.comcast.com> AuthorDate: Mon Sep 25 15:31:51 2023 -0400 RANGER-4234: updated RangerRequestScriptEvaluator to handle double-brackets in expressions Signed-off-by: Madhan Neethiraj <mad...@apache.org>
---
 agents-common/dev-support/spotbugsIncludeFile.xml | 64 ++++++++++++++++++++++
 .../policyengine/RangerRequestScriptEvaluator.java | 25 +++++----
 2 files changed, 79 insertions(+), 10 deletions(-)
diff --git a/agents-common/dev-support/spotbugsIncludeFile.xml b/agents-common/dev-support/spotbugsIncludeFile.xml
new file mode 100644
index 000000000..9a0a9261a
--- /dev/null
+++ b/agents-common/dev-support/spotbugsIncludeFile.xml
@@ -0,0 +1,64 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<FindBugsFilter>
+ <!--
+ For now, lets find only critical bugs from static code analyzer
+ -->
+ <Match>
+ <Priority value="1"/>
+ <Not>
+ <Or>
+ <Bug pattern="DM_DEFAULT_ENCODING" />
+ <Bug pattern="ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD" />
+ <Bug pattern="MS_SHOULD_BE_FINAL" />
+ <Bug pattern="RU_INVOKE_RUN" />
+ <Bug pattern="DM_BOXED_PRIMITIVE_FOR_PARSING" />
+ <Bug pattern="NP_BOOLEAN_RETURN_NULL" />
+ <Bug pattern="SE_BAD_FIELD" />
+ <Bug pattern="NP_NULL_ON_SOME_PATH" />
+ <Bug pattern="RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE" />
+ <Bug pattern="HE_EQUALS_USE_HASHCODE" />
+ <Bug pattern="RC_REF_COMPARISON" />
+ <Bug pattern="MS_SHOULD_BE_REFACTORED_TO_BE_FINAL" />
+ <Bug pattern="RV_EXCEPTION_NOT_THROWN" />
+ <Bug pattern="DMI_INVOKING_TOSTRING_ON_ARRAY" />
+ <Bug pattern="RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT" />
+ <Bug pattern="UC_USELESS_CONDITION" />
+ <Bug pattern="RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE" />
+ <Bug pattern="MS_MUTABLE_COLLECTION" />
+ <Bug pattern="DM_BOXED_PRIMITIVE_TOSTRING" />
+ <Bug pattern="NP_NULL_PARAM_DEREF" />
+ <Bug pattern="NM_SAME_SIMPLE_NAME_AS_SUPERCLASS" />
+ <Bug pattern="IL_INFINITE_RECURSIVE_LOOP" />
+ <Bug pattern="DMI_RANDOM_USED_ONLY_ONCE" />
+ <Bug pattern="UI_INHERITANCE_UNSAFE_GETRESOURCE" />
+ </Or>
+ </Not>
+ </Match>
+ <!-- TODO: enable each priority one by one
+ <Match>
+ <Priority value="2"/>
+ </Match>
+ <Match>
+ <Priority value="3"/>
+ </Match>
+ <Match>
+ <Priority value="4"/>
+ </Match>
+ -->
+
+</FindBugsFilter>
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
index 7ac20764f..0df8686e3 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
@@ -29,6 +29,7 @@ import org.apache.ranger.plugin.util.MacroProcessor;
 import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
 import org.apache.ranger.plugin.util.RangerPerfTracer;
 import org.apache.ranger.plugin.util.RangerUserStore;
+import org.apache.ranger.plugin.util.JavaScriptEdits;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
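Review bot: The `<Or>` exclusion list in the new spotbugsIncludeFile.xml switches off two dozen priority-1 patterns for the whole module without stating why. It includes `NP_NULL_ON_SOME_PATH`, `NP_NULL_PARAM_DEREF`, `IL_INFINITE_RECURSIVE_LOOP` and `DMI_RANDOM_USED_ONLY_ONCE`, which usually point at real defects rather than style. I would add a comment above the list such as `<!-- excluded only until existing findings are fixed; remove entries as they are cleaned up -->`. Where an exclusion exists for one known finding, narrow it with a `<Class name="..."/>` element inside the match instead of excluding the pattern everywhere. The file also looks unrelated to the RANGER-4234 change named in the commit title, so it would be easier to audit as its own commit.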
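Review bot: `org.apache.ranger.plugin.util.JavaScriptEdits` is imported in this hunk, but the diffstat lists only spotbugsIncludeFile.xml and RangerRequestScriptEvaluator.java, so the class is not part of this commit. If it is not already on master, agents-common will not compile, and this review cannot see how the script text is rewritten before it reaches the engine. Please confirm the class and its unit tests were committed. The new import is also placed after `RangerUserStore` rather than in alphabetical order with the other `org.apache.ranger.plugin.util` imports.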
@@ -57,16 +58,16 @@ public final class RangerRequestScriptEvaluator { private static final String DEFAULT_ATLAS_TAG_ATTRIBUTE_DATE_FORMAT = "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"; private static final String SCRIPT_SAFE_PREEXEC = "exit=null;quit=null;"; private static final String SCRIPT_PREEXEC = SCRIPT_VAR__CTX + "=JSON.parse(" + SCRIPT_VAR__CTX_JSON + "); J=JSON.stringify;" + - SCRIPT_VAR_REQ + "=" + SCRIPT_VAR__CTX + "." + SCRIPT_FIELD_REQUEST + ";" + - SCRIPT_VAR_RES + "=" + SCRIPT_VAR_REQ + "." + SCRIPT_FIELD_RESOURCE + ";" + - SCRIPT_VAR_USER + "=" + SCRIPT_VAR_REQ + "." + SCRIPT_FIELD_USER_ATTRIBUTES + ";" + - SCRIPT_VAR_UGNAMES + "=" + SCRIPT_VAR_REQ + "." + SCRIPT_FIELD_USER_GROUPS + ";" + - SCRIPT_VAR_UG + "=" + SCRIPT_VAR_REQ + "." + SCRIPT_FIELD_USER_GROUP_ATTRIBUTES + ";" + - SCRIPT_VAR_UGA + "=" + SCRIPT_VAR_REQ + "." + SCRIPT_FIELD_UGA + ";" + - SCRIPT_VAR_URNAMES + "=" + SCRIPT_VAR_REQ + "." + SCRIPT_FIELD_USER_ROLES + ";" + - SCRIPT_VAR_TAG + "=" + SCRIPT_VAR__CTX + "." + SCRIPT_FIELD_TAG + ";" + - SCRIPT_VAR_TAGS + "=" + SCRIPT_VAR__CTX + "." + SCRIPT_FIELD_TAGS + ";" + - SCRIPT_VAR_TAGNAMES + "=" + SCRIPT_VAR__CTX + "." + SCRIPT_FIELD_TAG_NAMES + ";"; + SCRIPT_VAR_REQ + "=" + SCRIPT_VAR__CTX + "." + SCRIPT_FIELD_REQUEST + ";" + + SCRIPT_VAR_RES + "=" + SCRIPT_VAR_REQ + "." + SCRIPT_FIELD_RESOURCE + ";" + + SCRIPT_VAR_USER + "=" + SCRIPT_VAR_REQ + "." + SCRIPT_FIELD_USER_ATTRIBUTES + ";" + + SCRIPT_VAR_UGNAMES + "=" + SCRIPT_VAR_REQ + "." + SCRIPT_FIELD_USER_GROUPS + ";" + + SCRIPT_VAR_UG + "=" + SCRIPT_VAR_REQ + "." + SCRIPT_FIELD_USER_GROUP_ATTRIBUTES + ";" + + SCRIPT_VAR_UGA + "=" + SCRIPT_VAR_REQ + "." + SCRIPT_FIELD_UGA + ";" + + SCRIPT_VAR_URNAMES + "=" + SCRIPT_VAR_REQ + "." + SCRIPT_FIELD_USER_ROLES + ";" + + SCRIPT_VAR_TAG + "=" + SCRIPT_VAR__CTX + "." + SCRIPT_FIELD_TAG + ";" + + SCRIPT_VAR_TAGS + "=" + SCRIPT_VAR__CTX + "." + SCRIPT_FIELD_TAGS + ";" + + SCRIPT_VAR_TAGNAMES + "=" + SCRIPT_VAR__CTX + "." 
+ SCRIPT_FIELD_TAG_NAMES + ";"; private static final Pattern JSON_VAR_NAMES_PATTERN = Pattern.compile(getJsonVarNamesPattern()); private static final Pattern USER_ATTRIBUTES_PATTERN = Pattern.compile(getUserAttributesPattern()); private static final Pattern GROUP_ATTRIBUTES_PATTERN = Pattern.compile(getGroupAttributesPattern()); @@ -231,6 +232,10 @@ public final class RangerRequestScriptEvaluator { script = SCRIPT_POLYFILL_INTERSECTS + script; } + if (JavaScriptEdits.hasDoubleBrackets(script)) { + script = JavaScriptEdits.replaceDoubleBrackets(script); + } + if (LOG.isDebugEnabled()) { LOG.debug("RangerRequestScriptEvaluator.evaluateScript(): script={" + script + "}"); }
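Review bot: In the last hunk (`@@ -231,6 +232,10 @@`), the double-bracket rewrite is applied to the fully assembled `script`, after `SCRIPT_POLYFILL_INTERSECTS` may have been prepended on the lines just above. `JavaScriptEdits.replaceDoubleBrackets` therefore also sees the evaluator's own prefix code, not just the policy author's expression. That helper is not shown in this commit, so whether it skips string literals is unknown. If it does not, a condition containing a quoted `[[` would be altered silently, and the authorization result would change with it. I would apply the rewrite to the condition text before any prefix is added, and add a comment saying what is rewritten, for example `// RANGER-4234: rewrite double-bracket syntax in the condition expression only; see JavaScriptEdits`. The enclosing method (apparently `evaluateScript()`, per the debug message) starts and ends outside the hunk, so the polyfill placement should be confirmed against the full body.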