Changes to query security and validate inputs

kaiko-ai · Oct 2, 2024 · 92fed32 · 92fed32
1 parent 6489b51
commit 92fed32
Show file tree

Hide file tree

Showing 25 changed files with 375 additions and 275 deletions.
diff --git a/src/main/java/be/cytomine/domain/image/AbstractImage.java b/src/main/java/be/cytomine/domain/image/AbstractImage.java
@@ -26,6 +26,8 @@
 
 import javax.persistence.*;
 import javax.validation.constraints.Min;
+import javax.validation.constraints.Pattern;
+
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
@@ -38,6 +40,7 @@ public class AbstractImage extends CytomineDomain {
     @ManyToOne(fetch = FetchType.EAGER)
     private UploadedFile uploadedFile;
 
+    @Pattern(regexp = "^[^\\/:*?'<>|\r\n]+$")
     private String originalFilename;
 
     @Min(1)

diff --git a/src/main/java/be/cytomine/domain/image/ImageInstance.java b/src/main/java/be/cytomine/domain/image/ImageInstance.java
@@ -1,5 +1,19 @@
 package be.cytomine.domain.image;
 
+import java.util.Date;
+import java.util.Optional;
+
+import javax.persistence.Column;
+import javax.persistence.DiscriminatorColumn;
+import javax.persistence.DiscriminatorValue;
+import javax.persistence.Entity;
+import javax.persistence.EntityManager;
+import javax.persistence.FetchType;
+import javax.persistence.ManyToOne;
+import javax.persistence.Table;
+import javax.persistence.UniqueConstraint;
+import javax.validation.constraints.Pattern;
+
 /*
 * Copyright (c) 2009-2022. Authors: see NOTICE file.
 *
@@ -25,10 +39,6 @@
 import lombok.Getter;
 import lombok.Setter;
 
-import javax.persistence.*;
-import java.util.Date;
-import java.util.Optional;
-
 @Entity
 @Getter
 @Setter
@@ -46,6 +56,7 @@ public class ImageInstance extends CytomineDomain {
     @ManyToOne(fetch = FetchType.LAZY)
     private SecUser user; //owner
 
+    @Pattern(regexp = "^[^\\/:*?'<>|\r\n]+$")
     private String instanceFilename;
 
     private Long countImageAnnotations = 0L;

diff --git a/src/main/java/be/cytomine/domain/meta/Tag.java b/src/main/java/be/cytomine/domain/meta/Tag.java
@@ -27,6 +27,7 @@
 import javax.persistence.*;
 import javax.validation.constraints.NotBlank;
 import javax.validation.constraints.NotNull;
+import javax.validation.constraints.Pattern;
 
 @Entity
 @Getter
@@ -35,6 +36,7 @@ public class Tag extends CytomineDomain {
 
     @NotNull
     @NotBlank
+    @Pattern(regexp = "^[\\p{L}0-9]+([\\s-][\\p{L}0-9]+)*$")
     private String name;
 
     @ManyToOne(fetch = FetchType.LAZY)

diff --git a/src/main/java/be/cytomine/domain/ontology/Ontology.java b/src/main/java/be/cytomine/domain/ontology/Ontology.java
@@ -26,6 +26,8 @@
 import javax.persistence.*;
 import javax.validation.constraints.NotBlank;
 import javax.validation.constraints.NotNull;
+import javax.validation.constraints.Pattern;
+
 import java.util.*;
 import java.util.stream.Collectors;
 
@@ -36,6 +38,7 @@ public class Ontology extends CytomineDomain {
 
     @NotNull
     @NotBlank
+    @Pattern(regexp = "^[\\p{L}0-9]+([\\s-][\\p{L}0-9]+)*$")
     @Column(nullable = false, unique = true)
     protected String name;
 

diff --git a/src/main/java/be/cytomine/domain/ontology/Term.java b/src/main/java/be/cytomine/domain/ontology/Term.java
@@ -24,6 +24,8 @@
 import javax.persistence.*;
 import javax.validation.constraints.NotBlank;
 import javax.validation.constraints.NotNull;
+import javax.validation.constraints.Pattern;
+
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Optional;
@@ -39,6 +41,7 @@ public class Term extends CytomineDomain {
 
     @NotNull
     @NotBlank
+    @Pattern(regexp = "^[\\p{L}0-9]+([\\s-][\\p{L}0-9]+)*$")
     @Column(nullable = false)
     private String name;
 

diff --git a/src/main/java/be/cytomine/domain/project/Project.java b/src/main/java/be/cytomine/domain/project/Project.java
@@ -27,13 +27,16 @@
 import org.hibernate.annotations.LazyCollectionOption;
 
 import javax.persistence.*;
+import javax.validation.constraints.Pattern;
+
 import java.util.Set;
 
 @Entity
 @Getter
 @Setter
 public class Project extends CytomineDomain {
 
+    @Pattern(regexp = "^[\\p{L}0-9]+([\\s-][\\p{L}0-9]+)*$")
     private String name;
 
     @ManyToOne(fetch = FetchType.EAGER)

diff --git a/src/main/java/be/cytomine/domain/security/SecRole.java b/src/main/java/be/cytomine/domain/security/SecRole.java
@@ -25,6 +25,8 @@
 import javax.persistence.Entity;
 import javax.validation.constraints.NotBlank;
 import javax.validation.constraints.NotNull;
+import javax.validation.constraints.Pattern;
+
 import java.io.Serializable;
 
 @Entity
@@ -35,6 +37,7 @@ public class SecRole extends CytomineDomain implements Serializable {
     @NotNull
     @NotBlank
     @Column(unique = true)
+    @Pattern(regexp = "^[a-zA-Z0-9\\s]+$")
     private String authority;
 
     public static JsonObject getDataFromDomain(CytomineDomain domain) {

diff --git a/src/main/java/be/cytomine/domain/security/SecUser.java b/src/main/java/be/cytomine/domain/security/SecUser.java
@@ -28,6 +28,8 @@
 import javax.persistence.*;
 import javax.validation.constraints.NotBlank;
 import javax.validation.constraints.NotNull;
+import javax.validation.constraints.Pattern;
+
 import java.util.*;
 
 @Entity
@@ -48,7 +50,7 @@ public class SecUser extends CytomineDomain {
     @NotNull
     @NotBlank
     @Column(nullable = false)
-//    @Pattern(regexp = "^[^\\ ].*[^\\ ]\\$") TODO
+    @Pattern(regexp = "^[a-zA-Z0-9\\s]+$")
     protected String username;
 
     @NotNull

diff --git a/src/main/java/be/cytomine/domain/security/User.java b/src/main/java/be/cytomine/domain/security/User.java
@@ -27,6 +27,7 @@
 import javax.validation.constraints.Email;
 import javax.validation.constraints.NotBlank;
 import javax.validation.constraints.NotNull;
+import javax.validation.constraints.Pattern;
 import javax.validation.constraints.Size;
 
 @Entity
@@ -43,11 +44,13 @@ public class User extends SecUser {
     @NotNull
     @NotBlank
     @Column(nullable = false)
+    @Pattern(regexp = "^[\\p{L}0-9]+([\\s-][\\p{L}0-9]+)*$")
     protected String firstname;
 
     @NotNull
     @NotBlank
     @Column(nullable = false)
+    @Pattern(regexp = "^[\\p{L}0-9]+([\\s-][\\p{L}0-9]+)*$")
     protected String lastname;
 
     @NotNull

diff --git a/src/main/java/be/cytomine/repository/AlgoAnnotationListing.java b/src/main/java/be/cytomine/repository/AlgoAnnotationListing.java
@@ -18,6 +18,7 @@
 
 import javax.persistence.EntityManager;
 import java.util.LinkedHashMap;
+import java.util.Map;
 import java.util.stream.Collectors;
 
 public class AlgoAnnotationListing extends AnnotationListing {
@@ -111,7 +112,7 @@ LinkedHashMap<String, AvailableColumns> getAvailableColumn() {
      * Generate SQL string for FROM
      * FROM depends on data to print (if image name is aksed, need to join with imageinstance+abstractimage,...)
      */
-    String getFrom() {
+    String getFrom(Map<String, Object> parameters) {
         String from = "FROM algo_annotation a ";
         String where = "WHERE true\n";
 
@@ -163,7 +164,7 @@ String getFrom() {
         return from + "\n" + where;
     }
 
-    String buildExtraRequest() {
+    String buildExtraRequest(Map<String, Object> parameters) {
         return "";
     }