Fix Java regex backtracking issues java:S5852
cbosdo committed Oct 11, 2023
1 parent 3979e98 commit 32465f6
Showing 9 changed files with 40 additions and 38 deletions.
4 changes: 2 additions & 2 deletions java/code/src/com/redhat/rhn/common/security/acl/Acl.java
Expand Up @@ -163,7 +163,7 @@ public class Acl {
private static final String ACL_SPLIT_REGEX = "\\s*;\\s*";

/** RegEx to split expressions into multiple statements */
private static final String EXPR_SPLIT_REGEX = "\\s++or\\s++";
private static final String EXPR_SPLIT_REGEX = "\\sor\\s";

/** RegEx to parse statement to grab negation, function call, params */
private static final String STMT_PARSE_REGEX = "^(not +)?(.*)\\((.*)\\)$";
Expand Down Expand Up @@ -393,7 +393,7 @@ public boolean evalAcl(Map<String, Object> context, String acl) {
int statementLen = statements.length;

for (int stmtIdx = 0; stmtIdx < statementLen; ++stmtIdx) {
String statement = statements[stmtIdx];
String statement = statements[stmtIdx].trim();
log.debug("statement[{}]: {}", stmtIdx, statement);

result = evalAclStatement(statement, context);
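Review bot: The `.trim()` added to `statements[stmtIdx]` exists only because EXPR_SPLIT_REGEX, apparently now `\\sor\\s`, consumes a single whitespace character on each side of `or`, so `a  or  b` splits into `a ` and ` b`; nothing in either hunk records that dependency, and a later reader could drop one half without noticing. A comment above the trim such as `// EXPR_SPLIT_REGEX consumes only one whitespace char around "or"; trim the rest` would tie the two hunks together. evalAcl starts outside the hunk and the split that produces `statements` is not visible here, so where the constant is applied is inferred.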
Expand Up @@ -185,8 +185,7 @@ protected StreamInfo getStreamInfo(ActionMapping mapping, ActionForm form,
// Read the CSV separator from user preferences
User user = new RequestContext(request).getCurrentUser();
CSVWriter csvWriter = new CSVWriter(new StringWriter(), user.getCsvSeparator());
String[] columns = exportColumns.split("\\s*+,\\s*+");
csvWriter.setColumns(Arrays.asList(columns));
csvWriter.setColumns(Arrays.stream(exportColumns.split(",")).map(c -> c.trim()).collect(Collectors.toList()));

String header = getHeaderText(request, session);
if (header != null) {
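Review bot: The plain `split(",")` drops trailing empty strings before the per-element `trim()` runs, so an input ending in a comma followed by whitespace (`"a, "`) now yields a trailing `""` column that the old `\\s*+,\\s*+` split discarded; the same applies to the power-types split at `typeString.split(",")` and the ovalfiles split at `getOvalfiles().split(",")`. Trimming the whole string before splitting restores the old outcome, e.g. `Arrays.stream(exportColumns.trim().split(","))`, in all three places. As a point of style, `.map(String::trim)` reads better than `.map(c -> c.trim())`. getStreamInfo starts and ends outside the hunk.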
Expand Up @@ -220,7 +220,7 @@ private Map<String, Map<String, Object>> parseSyncLog(

String lastLine = lines[lines.length - 1];
// Downloading packages
if (lastLine.matches(".*\\d+/\\d+ : .+")) {
if (lastLine.matches("\\D*\\d+/\\d+ : .+")) {
// Example:
// 2016/09/07 14:41:14 +02:00 22/22 : spacewalk-oscap-2.5.3-1.fc24.noarch
String[] lineParts = lastLine.split(" ");
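Review bot: The new pattern `\\D*\\d+/\\d+ : .+` cannot match the example line quoted in the comment right below it (`2016/09/07 14:41:14 +02:00 22/22 : …`): `\\D*` matches nothing in front of the leading `2016`, and `matches()` then demands ` : ` immediately after `2016/09`, so the "Downloading packages" branch is skipped for lines of that shape. The old `.*` prefix skipped the timestamp; a backtracking-safe equivalent is to search rather than full-match, e.g. `private static final Pattern DOWNLOAD_LINE = Pattern.compile("\\d+/\\d+ : .+");` and `if (DOWNLOAD_LINE.matcher(lastLine).find()) {`. This assumes `lines` still carries the timestamp prefix the comment shows; parseSyncLog starts and ends outside the hunk, and `java.util.regex.Pattern` needs importing if the file does not already do so.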
Expand Up @@ -45,6 +45,7 @@
import java.util.List;
import java.util.SortedMap;
import java.util.TreeMap;
import java.util.stream.Collectors;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
Expand Down Expand Up @@ -240,7 +241,8 @@ public static SortedMap<String, String> setUpPowerTypes(HttpServletRequest reque
SortedMap<String, String> types = new TreeMap<>();
String typeString = ConfigDefaults.get().getCobblerPowerTypes();
if (typeString != null) {
List<String> typeNames = Arrays.asList(typeString.split(" *+, *+"));
List<String> typeNames = Arrays.stream(typeString.split(","))
.map(c -> c.trim()).collect(Collectors.toList());
for (String typeName : typeNames) {
types.put(
LocalizationService.getInstance().getPlainText(
Expand Up @@ -33,6 +33,7 @@
import java.io.Writer;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
Expand Down Expand Up @@ -348,14 +349,14 @@ private static Map<String, String> parseEvr(String evr) {
*/
private void addEssentialPackageFiles(long pkgId,
SimpleContentHandler hndlr) throws SAXException {
String regex = ".*bin/.*|^/etc/.*|^/usr/lib.sendmail$|^/lib/cpp$";
List<String> fullPaths = List.of("/usr/lib.sendmail", "/lib/cpp");
Collection<PackageCapabilityDto> files = TaskManager
.getPackageCapabilityDtos(
pkgId,
TaskConstants.TASK_QUERY_REPOMD_GENERATOR_CAPABILITY_FILES);
for (PackageCapabilityDto file : files) {
String path = sanitize(pkgId, file.getName());
if (path.matches(regex)) {
if (path.contains("bin/") || path.startsWith("/etc/") || fullPaths.contains(path)) {
hndlr.addElementWithCharacters("file", path);
}
}
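Review bot: `fullPaths` is rebuilt with `List.of` on every call although it is a constant; a `private static final Set<String> ESSENTIAL_FULL_PATHS = Set.of("/usr/lib.sendmail", "/lib/cpp");` used as `ESSENTIAL_FULL_PATHS.contains(path)` states the intent and leaves the method body to the comparison. A short comment on the condition is also worth adding: the old regex treated the `.` in `lib.sendmail` as a wildcard whereas the list compares the exact path, and `contains("bin/")` deliberately matches `sbin/` just as the old `.*bin/.*` did. addEssentialPackageFiles closes outside the hunk.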
44 changes: 23 additions & 21 deletions java/code/src/com/suse/manager/reactor/utils/RhelUtils.java
Expand Up @@ -37,11 +37,11 @@ public class RhelUtils {
private RhelUtils() { }

private static final Pattern RHEL_RELEASE_MATCHER =
Pattern.compile("(.+)\\srelease\\s([\\d.]+)\\s*+\\(([^)]++)\\).*+", Pattern.DOTALL);
Pattern.compile("([\\d.]+)\\s*+\\(([^)]++)\\).*+", Pattern.DOTALL);
private static final Pattern ORACLE_RELEASE_MATCHER =
Pattern.compile("(.+)\\srelease\\s([\\d.]+).*", Pattern.DOTALL);
Pattern.compile("([\\d.]+).*", Pattern.DOTALL);
private static final Pattern ALIBABA_RELEASE_MATCHER =
Pattern.compile("(.+)\\srelease\\s([\\d.]+)\\s*+LTS\\s*+\\(([^)]++)\\).*+", Pattern.DOTALL);
Pattern.compile("([\\d.]+)\\s*+LTS\\s*+\\(([^)]++)\\).*+", Pattern.DOTALL);

/**
* Information about RHEL based OSes.
Expand Down Expand Up @@ -170,40 +170,42 @@ public String getRelease() {
* @return the parsed content of the release file
*/
public static Optional<ReleaseFile> parseReleaseFile(String releaseFile) {
String[] parts = releaseFile.split("\\srelease\\s", 2);
if (parts.length != 2) {
return Optional.empty();
}

// We match here data from the system and try to find the product
// how it is named in SCC or sumatoolbox. This requires sometimes
// some changes on the string we parse.
//
// AlmaLinux and AmazonLinux are also matched by the RHEL matcher
Matcher matcher = RHEL_RELEASE_MATCHER.matcher(releaseFile);
Matcher matcher = RHEL_RELEASE_MATCHER.matcher(parts[1]);
if (matcher.matches()) {
String name =
matcher.group(1).replaceAll("(?i)linux", "").replace(" ", "");
String name = parts[0].replaceAll("(?i)linux", "").replace(" ", "");
if (name.startsWith("Alma") || name.startsWith("Amazon") || name.startsWith("Rocky")) {
name = matcher.group(1).replace(" ", "");
name = parts[0].replace(" ", "");
}
String majorVersion = StringUtils.substringBefore(matcher.group(2), ".");
String minorVersion = StringUtils.substringAfter(matcher.group(2), ".");
String release = matcher.group(3);
String majorVersion = StringUtils.substringBefore(matcher.group(1), ".");
String minorVersion = StringUtils.substringAfter(matcher.group(1), ".");
String release = matcher.group(2);
return Optional.of(new ReleaseFile(name, majorVersion, minorVersion, release));
}
else {
Matcher amatcher = ALIBABA_RELEASE_MATCHER.matcher(releaseFile);
Matcher amatcher = ALIBABA_RELEASE_MATCHER.matcher(parts[1]);
if (amatcher.matches()) {
String name =
amatcher.group(1).replaceAll("(?i)linux", "").replace(" ", "");
String majorVersion = StringUtils.substringBefore(amatcher.group(2), ".");
String minorVersion = StringUtils.substringAfter(amatcher.group(2), ".");
String release = amatcher.group(3);
String name = parts[0].replaceAll("(?i)linux", "").replace(" ", "");
String majorVersion = StringUtils.substringBefore(amatcher.group(1), ".");
String minorVersion = StringUtils.substringAfter(amatcher.group(1), ".");
String release = amatcher.group(2);
return Optional.of(new ReleaseFile(name, majorVersion, minorVersion, release));
}
else {
Matcher omatcher = ORACLE_RELEASE_MATCHER.matcher(releaseFile);
Matcher omatcher = ORACLE_RELEASE_MATCHER.matcher(parts[1]);
if (omatcher.matches()) {
String name =
omatcher.group(1).replaceAll("(?i)server", "").replace(" ", "");
String majorVersion = StringUtils.substringBefore(omatcher.group(2), ".");
String minorVersion = StringUtils.substringAfter(omatcher.group(2), ".");
String name = parts[0].replaceAll("(?i)server", "").replace(" ", "");
String majorVersion = StringUtils.substringBefore(omatcher.group(1), ".");
String minorVersion = StringUtils.substringAfter(omatcher.group(1), ".");
return Optional.of(new ReleaseFile(name, majorVersion, minorVersion, ""));
}
}
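Review bot: The reason for the new `split("\\srelease\\s", 2)` ahead of the matchers is not recorded; a comment above it such as `// Cut the product name off first so the matchers start at the version and never backtrack over the name` would explain why the three patterns lost their `(.+)\\srelease\\s` prefix. Two edges appear to differ from the old greedy `(.+)`: the split takes the first ` release ` occurrence rather than the last, and an input beginning with whitespace and `release` gives an empty `parts[0]` and a ReleaseFile with an empty name where `matches()` previously failed, so `if (parts.length != 2 || parts[0].isEmpty())` would keep the old outcome. The comment block starting `// We match here data from the system` still reads as if the whole release file were matched; parseReleaseFile closes outside the hunk.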
Expand Up @@ -43,10 +43,10 @@
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

import java.security.SecureRandom;
import java.util.Collections;
import java.util.Map;
import java.util.Optional;
import java.util.Random;
import java.util.UUID;
import java.util.function.Consumer;

Expand Down Expand Up @@ -442,7 +442,7 @@ public static Channel createExpandedSupportChannel(
suseProd.setRelease(null);
suseProd.setReleaseStage(ReleaseStage.released);
suseProd.setFriendlyName(friendlyName + " " + version);
suseProd.setProductId(new Random().nextInt(999999));
suseProd.setProductId(new SecureRandom().nextInt(999999));
suseProd.setArch(null); // RES products can contain channels with different archs
SUSEProductFactory.save(suseProd);
SUSEProductFactory.getSession().flush();
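Review bot: Swapping `Random` for `SecureRandom` in a test factory does not change what the call provides: `nextInt(999999)` still yields an arbitrary product id that can collide with one created earlier in the same run, and cryptographic quality is irrelevant for a fixture value. If the swap is only there to satisfy a static-analysis rule, as seems likely, a comment such as `// SecureRandom only to satisfy static analysis; the id is a fixture value, not a secret` keeps the next reader from inferring a security requirement, and a sequential or seeded id would make the test reproducible. createExpandedSupportChannel starts and ends outside the hunk.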
Expand Up @@ -1698,7 +1698,8 @@ private Map<LocalCall<?>, List<MinionSummary>> scapXccdfEvalAction(

pillar.put("xccdffile", scapActionDetails.getPath());
if (scapActionDetails.getOvalfiles() != null) {
pillar.put("ovalfiles", Arrays.asList(scapActionDetails.getOvalfiles().split("\\s*,\\s*")));
pillar.put("ovalfiles", Arrays.stream(scapActionDetails.getOvalfiles().split(","))
.map(c -> c.trim()).collect(toList()));
}
if (profileMatcher.find()) {
pillar.put("profile", profileMatcher.group(1));
9 changes: 3 additions & 6 deletions java/code/src/com/suse/scc/client/SCCClientUtils.java
Expand Up @@ -38,8 +38,6 @@
import java.nio.file.attribute.UserPrincipal;
import java.nio.file.attribute.UserPrincipalLookupService;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.zip.GZIPInputStream;

/**
Expand Down Expand Up @@ -147,10 +145,9 @@ public static BufferedReader getLoggingReader(URI requestUri, HttpResponse respo
* @return the filename
*/
public static String getLogFilename(URI uri, String user) {
Pattern pattern = Pattern.compile(".*/(connect|suma)/(.*)");
Matcher matcher = pattern.matcher(uri.toString());
matcher.matches();
String urlFragment = matcher.group(2);
String[] parts = uri.toString().split("/(connect|suma)/");

String urlFragment = parts[1];
String name = user + "_" + urlFragment + (urlFragment.endsWith(".json") ? "" : ".json");

return name.replaceAll("[^a-zA-Z0-9\\._]+", "_");
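Review bot: `parts[1]` throws ArrayIndexOutOfBoundsException when the URI contains no `/connect/` or `/suma/` segment, and because the `split` has no limit it holds only the text between the first such segment and the next one, whereas the old greedy `.*` took everything after the last one. A guard such as `if (parts.length < 2) { throw new IllegalArgumentException("Unexpected SCC URI path: " + uri.getPath()); }` makes the failure explicit without echoing any query string, and `split("/(connect|suma)/", 2)` keeps the whole remainder if a URI can carry both markers; whether such URIs occur is not visible here. The Javadoc ending at `@return the filename` should then document the `@throws`. getLogFilename closes outside the hunk.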
