From d431d31a66ce9b1975a42ed464dc06b127aeef8e Mon Sep 17 00:00:00 2001
From: Maverick Studer
Date: Wed, 22 May 2024 10:58:16 +0200
Subject: [PATCH] RED-9016: Leaks regarding the blacklist: Keyword protection insufficient
---
 .../v1/server/service/drools/DroolsValidationService.java | 6 ++++--
 .../src/main/resources/drools/blacklist.txt | 7 ++++---
 2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/redaction-service-v1/redaction-service-server-v1/src/main/java/com/iqser/red/service/redaction/v1/server/service/drools/DroolsValidationService.java b/redaction-service-v1/redaction-service-server-v1/src/main/java/com/iqser/red/service/redaction/v1/server/service/drools/DroolsValidationService.java
index 392dfab9..751c0fcb 100644
--- a/redaction-service-v1/redaction-service-server-v1/src/main/java/com/iqser/red/service/redaction/v1/server/service/drools/DroolsValidationService.java
+++ b/redaction-service-v1/redaction-service-server-v1/src/main/java/com/iqser/red/service/redaction/v1/server/service/drools/DroolsValidationService.java
@@ -9,6 +9,7 @@ import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
+import org.apache.commons.lang3.StringUtils;
 import org.drools.drl.parser.DroolsParserException;
 import org.kie.api.builder.KieBuilder;
 import org.kie.api.builder.Message;
@@ -232,11 +233,12 @@ public class DroolsValidationService {
 for (RuleClass ruleClass : ruleFileBluePrint.getRuleClasses()) {
 for (RuleUnit ruleUnit : ruleClass.ruleUnits()) {
 for (BasicRule basicRule : ruleUnit.rules()) {
-List matches = blacklistedKeywordSearchImplementation.getMatches(basicRule.getCode());
+String sanitizedRuleText = StringUtils.deleteWhitespace(basicRule.getCode());
+List matches = blacklistedKeywordSearchImplementation.getMatches(sanitizedRuleText);
 if (!matches.isEmpty()) {
 List foundBlacklistedKeywords = matches.stream()
-.map(m -> basicRule.getCode().substring(m.startIndex(), m.endIndex()))
+.map(m -> sanitizedRuleText.substring(m.startIndex(), m.endIndex()))
 .distinct()
 .toList();
 blacklistErrorMessages.add(DroolsBlacklistErrorMessage.builder()
diff --git a/redaction-service-v1/redaction-service-server-v1/src/main/resources/drools/blacklist.txt b/redaction-service-v1/redaction-service-server-v1/src/main/resources/drools/blacklist.txt
index 62d61d1f..b52283ab 100644
--- a/redaction-service-v1/redaction-service-server-v1/src/main/resources/drools/blacklist.txt
+++ b/redaction-service-v1/redaction-service-server-v1/src/main/resources/drools/blacklist.txt
@@ -1,11 +1,12 @@
 System.
 Runtime.
 Thread.
-ProcessBuilder.
-SecurityManager.
-ClassLoader.
 Class.
+ProcessBuilder
+SecurityManager
+ClassLoader
+
 java.io.File
 java.nio.file
 java.io.Object
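Review bot: Passing `StringUtils.deleteWhitespace(basicRule.getCode())` to `getMatches` closes the spaced-token gap, but the check remains a substring denylist over rule source text, and the Java/DRL lexer accepts separators other than whitespace (comments, escape sequences) that this hunk does not normalise, so the keyword list in the blacklist.txt hunk should be treated as defence in depth rather than the control that prevents rule code from reaching `Runtime`/`ProcessBuilder`; a comment at the `sanitizedRuleText` line such as `// best-effort lexical denylist; execution isolation of compiled rules is the primary control` would make that explicit to the next maintainer. A second, concrete consequence is that `m.startIndex()`/`m.endIndex()` now index into `sanitizedRuleText`, not `basicRule.getCode()`, so if `DroolsBlacklistErrorMessage.builder()` (its argument list continues outside the hunk) reports match offsets or an excerpt from the original rule text, those positions will be shifted by every removed whitespace character; either document that `// match indices are relative to the whitespace-stripped text` or map them back before reporting. The enclosing loops and method begin and end outside the hunk.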