From 1384ab27cdfea39bfca9ae2d90d415843b6b77fa Mon Sep 17 00:00:00 2001
From: Evgeny
Date: Sat, 4 Jan 2025 10:49:47 +0300
Subject: [PATCH 1/3] fix: probably fix cwe-1333
---
 .../SearchCriteriaParserImpl.java | 23 ++++++++++++++-----
 1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/subscriptions_holder/src/main/java/ru/dankoy/subscriptionsholder/subscriptions_holder/core/service/searchparser/SearchCriteriaParserImpl.java b/subscriptions_holder/src/main/java/ru/dankoy/subscriptionsholder/subscriptions_holder/core/service/searchparser/SearchCriteriaParserImpl.java
index 88171f96..ee1604b8 100644
--- a/subscriptions_holder/src/main/java/ru/dankoy/subscriptionsholder/subscriptions_holder/core/service/searchparser/SearchCriteriaParserImpl.java
+++ b/subscriptions_holder/src/main/java/ru/dankoy/subscriptionsholder/subscriptions_holder/core/service/searchparser/SearchCriteriaParserImpl.java
@@ -13,13 +13,24 @@ public class SearchCriteriaParserImpl implements SearchCriteriaParser {
 @Override
 public List parse(String search) {
 List params = new ArrayList<>();
- if (search != null) {
- Pattern pattern = Pattern.compile("(\\w+?)(:|<|>)(\\w+?),");
- Matcher matcher = pattern.matcher(search + ",");
- while (matcher.find()) {
- params.add(new SearchCriteria(matcher.group(1), matcher.group(2), matcher.group(3)));
- }
+
+ if (search == null || !isValidString(search)) {
+ throw new IllegalArgumentException("Invalid search criteria");
+ }
+
+ search = search + ",";
+
+ Pattern pattern = Pattern.compile("(\\w+?)([:<>])(\\w+?),");
+ Matcher matcher = pattern.matcher(search);
+
+ while (matcher.find()) {
+ params.add(new SearchCriteria(matcher.group(1), matcher.group(2), matcher.group(3)));
 }
+
 return params;
 }
+
+ private boolean isValidString(String str) {
+ return str != null && !str.isEmpty() && str.matches("[a-zA-Z0-9][:<>],");
+ }
 }
From c933c0c943bbea3d8d4acf97fac1809b5c67dab4 Mon Sep 17 00:00:00 2001
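Review bot: `isValidString` rejects every realistic criteria list, because `String.matches` requires the whole input to match and `"[a-zA-Z0-9][:<>],"` accepts only a single alphanumeric, one operator and a trailing comma (e.g. `a:,`), so `parse("name:foo,age>3")` now throws `IllegalArgumentException` before the parsing regex ever runs. An allow-list that mirrors the parsing pattern would be `str.matches("[a-zA-Z0-9]+[:<>][a-zA-Z0-9]+(,[a-zA-Z0-9]+[:<>][a-zA-Z0-9]+)*")` — each `+` run is delimited by a character outside its class, so it cannot backtrack catastrophically — and note that it excludes `_`, which the parser's `\\w` accepts, so one of the two character sets should change to match the other. Both patterns are compiled on every call; hoisting them into `private static final Pattern` fields avoids the repeated compile and keeps the accepted grammar in one place. Null and empty input previously returned an empty list and now throw, which is a caller-visible contract change that should be documented with `@throws IllegalArgumentException` on `parse` if it is intended.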
From: Evgeny
Date: Sat, 4 Jan 2025 10:57:45 +0300
Subject: [PATCH 2/3] ci: fix check changes
---
 .github/workflows/check-changes.yml | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/check-changes.yml b/.github/workflows/check-changes.yml
index aeb4e383..cf686a3d 100644
--- a/.github/workflows/check-changes.yml
+++ b/.github/workflows/check-changes.yml
@@ -23,10 +23,17 @@ jobs:
 id: filter
 with:
 filters: |
- subscriptions_holder: subscriptions_holder/src
- t_coubs_initiator: t_coubs_initiator/src
- coub_smart_searcher: coub_smart_searcher/src
- kafka_message_producer: kafka_message_producer/src
- kafka_message_consumer: kafka_message_consumer/src
- telegram_bot: telegram_bot/src
- subscriptions_scheduler: subscriptions_scheduler/src
+ subscriptions_holder:
+ - 'subscriptions_holder/src/**'
+ t_coubs_initiator:
+ - 't_coubs_initiator/src/**'
+ coub_smart_searcher:
+ - 'coub_smart_searcher/src/**'
+ kafka_message_producer:
+ - 'kafka_message_producer/src/**'
+ kafka_message_consumer:
+ - 'kafka_message_consumer/src/**'
+ telegram_bot:
+ - 'telegram_bot/src/**'
+ subscriptions_scheduler:
+ - 'subscriptions_scheduler/src/**'
From 2fb1bb6a3574091a379d71481951bd98bd8c1ec4 Mon Sep 17 00:00:00 2001
From: Evgeny
Date: Sat, 4 Jan 2025 11:23:43 +0300
Subject: [PATCH 3/3] refactor: added limit
---
 .../core/service/searchparser/SearchCriteriaParserImpl.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/subscriptions_holder/src/main/java/ru/dankoy/subscriptionsholder/subscriptions_holder/core/service/searchparser/SearchCriteriaParserImpl.java b/subscriptions_holder/src/main/java/ru/dankoy/subscriptionsholder/subscriptions_holder/core/service/searchparser/SearchCriteriaParserImpl.java
index ee1604b8..e8d69b22 100644
--- a/subscriptions_holder/src/main/java/ru/dankoy/subscriptionsholder/subscriptions_holder/core/service/searchparser/SearchCriteriaParserImpl.java
+++ b/subscriptions_holder/src/main/java/ru/dankoy/subscriptionsholder/subscriptions_holder/core/service/searchparser/SearchCriteriaParserImpl.java
@@ -14,7 +14,7 @@ public class SearchCriteriaParserImpl implements SearchCriteriaParser {
 public List parse(String search) {
 List params = new ArrayList<>();
- if (search == null || !isValidString(search)) {
+ if (search == null || !isValidString(search) || search.length() > 1000) {
 throw new IllegalArgumentException("Invalid search criteria");
 }
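Review bot: The new length bound is evaluated after `isValidString`, so `search.matches(...)` still runs over an unbounded string before the 1000-character limit applies; reorder to `if (search == null || search.length() > 1000 || !isValidString(search)) {` so the cheap check rejects oversized input first. The literal `1000` would be clearer as a named constant, e.g. `private static final int MAX_SEARCH_LENGTH = 1000;`, with the limit mentioned in the exception message or Javadoc so callers can size their input. The body of `parse` continues past the end of this hunk.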