From 9d7c1a61572a7f8b1df3eea8c5e17e3c8c94f47a Mon Sep 17 00:00:00 2001
From: Corina Olariu
Date: Tue, 18 Jun 2024 12:42:59 +0200
Subject: [PATCH] RED-9350- Prohibit access to tenant context in rule execution
---
 .../src/main/resources/drools/blacklist.txt | 1 +
 .../management/services/DroolsValidationServiceTest.java | 8 ++++++++
 2 files changed, 9 insertions(+)
diff --git a/redaction-service-v1/redaction-service-server-v1/src/main/resources/drools/blacklist.txt b/redaction-service-v1/redaction-service-server-v1/src/main/resources/drools/blacklist.txt
index b52283ab..f74a3bec 100644
--- a/redaction-service-v1/redaction-service-server-v1/src/main/resources/drools/blacklist.txt
+++ b/redaction-service-v1/redaction-service-server-v1/src/main/resources/drools/blacklist.txt
@@ -3,6 +3,7 @@
 Runtime.
 Thread.
 Class.
+TenantContext
 ProcessBuilder
 SecurityManager
 ClassLoader
diff --git a/redaction-service-v1/redaction-service-server-v1/src/test/java/com/iqser/red/service/redaction/v1/server/drools/files/management/services/DroolsValidationServiceTest.java b/redaction-service-v1/redaction-service-server-v1/src/test/java/com/iqser/red/service/redaction/v1/server/drools/files/management/services/DroolsValidationServiceTest.java
index 09a04a6d..1ccdf4af 100644
--- a/redaction-service-v1/redaction-service-server-v1/src/test/java/com/iqser/red/service/redaction/v1/server/drools/files/management/services/DroolsValidationServiceTest.java
+++ b/redaction-service-v1/redaction-service-server-v1/src/test/java/com/iqser/red/service/redaction/v1/server/drools/files/management/services/DroolsValidationServiceTest.java
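Review bot: In blacklist.txt the new `TenantContext` entry rejects only rules that spell that class name, so it guards one literal rather than access to tenant state in general. How entries are matched is not visible in this patch; if it is a plain text match, tenant data exposed through any other class available to rules is not covered, and a harmless identifier or comment containing the word would be rejected. Treat the entry as defence in depth and enforce the restriction where rules run as well, for example by accepting only an approved set of imports or by keeping the tenant context out of the rule session. The neighbouring entries mix a trailing dot (`Runtime.`, `Thread.`, `Class.`) with bare names (`ProcessBuilder`), and the convention behind the two forms should be documented for whoever adds the next entry.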
@@ -373,6 +373,11 @@ class DroolsValidationServiceTest { String rulesString = new String(rulesFile.getInputStream().readAllBytes()); + String globalStart = "\nglobal Document document"; + String importTenantContext = "import com.knecon.fforesight.tenantcommons.TenantContext;\n"; + int indexGlobalStart = rulesString.indexOf(globalStart); + rulesString = rulesString.substring(0, indexGlobalStart) + importTenantContext + rulesString.substring(indexGlobalStart); + String evilRule = """ //------------------------------------ All the evil rules ------------------------------------ @@ -383,6 +388,7 @@ class DroolsValidationServiceTest { when $fileAttribute: FileAttribute($label: label, $value: value) $duplicate: FileAttribute(this != $fileAttribute, label == $label, value == $value) + $tenantId: TenantContext.getTenantId(); then retract($duplicate); System.exit(0); @@ -395,6 +401,8 @@ class DroolsValidationServiceTest { .forEach(System.out::println); assertFalse(droolsValidation.isCompiled()); assertEquals(droolsValidation.getBlacklistErrorMessages().size(), 1); + assertEquals(droolsValidation.getBlacklistErrorMessages().get(0).getBlacklistedKeywords().size(), 2); + assertTrue(droolsValidation.getBlacklistErrorMessages().get(0).getBlacklistedKeywords().contains("TenantContext")); } } \ No newline at end of file
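Review bot: In the first test hunk, `rulesString.indexOf(globalStart)` returns -1 when the rules file has no `\nglobal Document document` line, and `rulesString.substring(0, indexGlobalStart)` then throws a StringIndexOutOfBoundsException that says nothing about the cause. Add `assertTrue(indexGlobalStart >= 0);` before the splice, so that a changed fixture or a file checked out with CRLF line endings is reported as a fixture problem. The test method starts and ends outside this hunk.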
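Review bot: In the second test hunk, `$tenantId: TenantContext.getTenantId();` is added to the rule that already calls `System.exit(0)`, so the test cannot show that a rule is rejected for tenant-context access alone. A separate rule or test whose only forbidden reference is `TenantContext` would pin the new blacklist entry on its own. The name now also appears in the import injected by the first hunk, and the assertions do not show which occurrence the validator reported. It is also worth confirming that the line is meant to sit in the `when` section with a trailing semicolon, since the result should not depend on the rule failing to parse. The rule text starts and ends outside this hunk.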
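Review bot: In the third test hunk, the added `assertEquals(...getBlacklistedKeywords().size(), 2)` passes the actual value first and the expected value second. Assuming these are JUnit assertions, that is the reverse of `assertEquals(expected, actual)` and makes a failure message read backwards; it copies the order of the existing assertion above it. Pull `droolsValidation.getBlacklistErrorMessages().get(0).getBlacklistedKeywords()` into a local `keywords` and write `assertEquals(2, keywords.size());`. Asserting the second expected keyword by name next to `"TenantContext"` would explain the count of 2.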