Merge branch 'RED-9350-2' into 'master'

RED-9350- Prohibit access to tenant context in rule execution

Closes RED-9350

See merge request redactmanager/redaction-service!444
Corina Olariu 2024-06-24 12:37:18 +02:00
commit ea88ea339d
3 changed files with 73 additions and 24 deletions


@ -251,22 +251,23 @@ public class DroolsValidationService {
if (!blacklistedKeywords.isEmpty()) {
SearchImplementation blacklistedKeywordSearchImplementation = new SearchImplementation(blacklistedKeywords, false);
// check also the imports
DroolsBlacklistErrorMessage blacklistErrorMessage = checkAndGetBlackListedMessages(blacklistedKeywordSearchImplementation,
ruleFileBluePrint.getImports(),
ruleFileBluePrint.getImportLine());
if (blacklistErrorMessage != null) {
blacklistErrorMessages.add(blacklistErrorMessage);
}
// check the rules
for (RuleClass ruleClass : ruleFileBluePrint.getRuleClasses()) {
for (RuleUnit ruleUnit : ruleClass.ruleUnits()) {
for (BasicRule basicRule : ruleUnit.rules()) {
String sanitizedRuleText = StringUtils.deleteWhitespace(basicRule.getCode());
List<SearchImplementation.MatchPosition> matches = blacklistedKeywordSearchImplementation.getMatches(sanitizedRuleText);
if (!matches.isEmpty()) {
List<String> foundBlacklistedKeywords = matches.stream()
.map(m -> sanitizedRuleText.substring(m.startIndex(), m.endIndex()))
.distinct()
.toList();
blacklistErrorMessages.add(DroolsBlacklistErrorMessage.builder()
.line(basicRule.getLine())
.column(0)
.blacklistedKeywords(foundBlacklistedKeywords)
.build());
DroolsBlacklistErrorMessage ruleBlacklistErrorMessage = checkAndGetBlackListedMessages(blacklistedKeywordSearchImplementation,
basicRule.getCode(),
basicRule.getLine());
if (ruleBlacklistErrorMessage != null) {
blacklistErrorMessages.add(ruleBlacklistErrorMessage);
}
}
}
@ -280,6 +281,22 @@ public class DroolsValidationService {
}
private DroolsBlacklistErrorMessage checkAndGetBlackListedMessages(SearchImplementation blacklistedKeywordSearchImplementation, String stringToCheck, int lineIndexStart) {
String sanitizedRuleText = StringUtils.deleteWhitespace(stringToCheck);
List<SearchImplementation.MatchPosition> matches = blacklistedKeywordSearchImplementation.getMatches(sanitizedRuleText);
if (!matches.isEmpty()) {
List<String> foundBlacklistedKeywords = matches.stream()
.map(m -> sanitizedRuleText.substring(m.startIndex(), m.endIndex()))
.distinct()
.toList();
return DroolsBlacklistErrorMessage.builder().line(lineIndexStart).column(0).blacklistedKeywords(foundBlacklistedKeywords).build();
}
return null;
}
private List<String> parseBlacklistFile(String blacklistFileString) {
return Stream.of(blacklistFileString.split(LINEBREAK_MATCHER))
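Review bot: The new helper `checkAndGetBlackListedMessages` reports every hit at `lineIndexStart` with `column(0)`, but `StringUtils.deleteWhitespace` has already removed the newlines from `stringToCheck`, so for a multi-line rule the reported position is the start of the rule rather than the line holding the offending token, and the match offsets cannot be mapped back to the original text. Either document this on the helper — e.g. `/** Returns the blacklist violation for {@code stringToCheck}, or {@code null} when none; the reported line is the start of the checked block because whitespace (including newlines) is stripped before matching. */` — or search the text line by line so `lineIndexStart + i` can be reported. The helper also returns `null` on the no-match path, which both call sites must remember to test; for a private method an `Optional<DroolsBlacklistErrorMessage>` return would make that explicit, and the plural "Messages" in the name is misleading since at most one message is produced. `parseBlacklistFile` continues past the end of the hunk.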


@ -14,6 +14,4 @@ java.io.Object
java.net
java.lang
java.util.zip
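Review bot: The hunk header (`-14,6 +14,4`) shows two entries being dropped from the blacklist, but the removed lines are not visible in this view and neither the diff nor the commit message explains the removal; narrowing a denylist that is the control standing between rule authors and calls like `System.exit` deserves an explicit rationale in the merge request description. If the removed entries were made redundant by a broader prefix such as `java.lang`, saying so next to the change would let the next reader verify it; if they were removed because of false positives, the test suite should cover the input that was previously flagged. Whether the remaining visible entries (`java.net`, `java.lang`, `java.util.zip`) are matched as prefixes or as whole tokens depends on `SearchImplementation`, which is not shown here, so that semantics is worth a line of documentation alongside the file.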


@ -376,10 +376,10 @@ class DroolsValidationServiceTest {
String globalStart = "\nglobal Document document";
String importTenantContext = "import com.knecon.fforesight.tenantcommons.TenantContext;\n";
int indexGlobalStart = rulesString.indexOf(globalStart);
rulesString = rulesString.substring(0, indexGlobalStart) + importTenantContext + rulesString.substring(indexGlobalStart);
String rulesString1 = rulesString.substring(0, indexGlobalStart) + importTenantContext + rulesString.substring(indexGlobalStart);
String evilRule = """
String evilRulePart1 = """
//------------------------------------ All the evil rules ------------------------------------
// Rule unit: EV.1
@ -388,21 +388,55 @@ class DroolsValidationServiceTest {
when
$fileAttribute: FileAttribute($label: label, $value: value)
$duplicate: FileAttribute(this != $fileAttribute, label == $label, value == $value)
$tenantId: TenantContext.getTenantId();
""";
String evilRulePart2 = """
then
retract($duplicate);
System.exit(0);
end
""";
rulesString = rulesString + evilRule;
String usingTenantContext = """
$tenantId: TenantContext.getTenantId()
""";
String usingStaticTenantContext = """
$tenantId: getTenantId()
""";
rulesString1 = rulesString1 + evilRulePart1 + usingTenantContext + evilRulePart2;
DroolsValidation droolsValidation = droolsValidationService.testRules(new RuleValidationModel(RuleFileType.ENTITY.name(), rulesString));
DroolsValidation droolsValidation = droolsValidationService.testRules(new RuleValidationModel(RuleFileType.ENTITY.name(), rulesString1));
droolsValidation.getBlacklistErrorMessages()
.forEach(System.out::println);
assertFalse(droolsValidation.isCompiled());
assertEquals(droolsValidation.getBlacklistErrorMessages().size(), 1);
assertEquals(droolsValidation.getBlacklistErrorMessages().get(0).getBlacklistedKeywords().size(), 2);
assertTrue(droolsValidation.getBlacklistErrorMessages().get(0).getBlacklistedKeywords().contains("TenantContext"));
assertEquals(2, droolsValidation.getBlacklistErrorMessages().size());
assertEquals(1, droolsValidation.getBlacklistErrorMessages()
.get(0).getBlacklistedKeywords().size());
assertTrue(droolsValidation.getBlacklistErrorMessages()
.get(0).getBlacklistedKeywords().contains("TenantContext"));
assertEquals(2, droolsValidation.getBlacklistErrorMessages()
.get(1).getBlacklistedKeywords().size());
assertTrue(droolsValidation.getBlacklistErrorMessages()
.get(1).getBlacklistedKeywords().contains("TenantContext"));
String importStaticTenantContext = "\nimport static com.knecon.fforesight.tenantcommons.TenantContext.getTenantId;";
String importStaticStart = "\nimport static java.lang.String.format;";
int indexStaticImportStart = rulesString.indexOf(importStaticStart);
String rulesStringWithStaticImport = rulesString.substring(0, indexStaticImportStart) + importStaticTenantContext + rulesString.substring(indexStaticImportStart);
rulesStringWithStaticImport = rulesStringWithStaticImport + evilRulePart1 + usingStaticTenantContext + evilRulePart2;
DroolsValidation droolsValidation2 = droolsValidationService.testRules(new RuleValidationModel(RuleFileType.ENTITY.name(), rulesStringWithStaticImport));
droolsValidation2.getBlacklistErrorMessages()
.forEach(System.out::println);
assertFalse(droolsValidation2.isCompiled());
assertEquals(2, droolsValidation2.getBlacklistErrorMessages().size());
assertEquals(1, droolsValidation2.getBlacklistErrorMessages()
.get(0).getBlacklistedKeywords().size());
assertTrue(droolsValidation2.getBlacklistErrorMessages()
.get(0).getBlacklistedKeywords().contains("TenantContext"));
assertEquals(1, droolsValidation2.getBlacklistErrorMessages()
.get(1).getBlacklistedKeywords().size());
assertTrue(droolsValidation2.getBlacklistErrorMessages()
.get(1).getBlacklistedKeywords().contains("System."));
}
}
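Review bot: The second scenario's assertions (`get(1)` having one keyword, `"System."`) show that with the static import the rule body `$tenantId: getTenantId()` is not flagged on its own — only the import line produces the `TenantContext` violation — so the protection for that form rests entirely on the import check, and the test should state that in a comment, e.g. `// the bare getTenantId() call is not itself a blacklisted keyword; the static import line is what triggers the TenantContext violation`. The `getBlacklistErrorMessages().forEach(System.out::println)` calls in both scenarios are debugging output and should be removed before merge. Relying on index 0 being the import violation and index 1 the rule violation assumes the service checks imports before rules; that holds in this commit but is an implicit ordering worth a comment next to the assertions. The test method begins before the hunk.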