From 70722a9a3b14b48c2e851a6cc68b9ee17a23fe0e Mon Sep 17 00:00:00 2001 From: Matt Ward Date: Fri, 25 Nov 2011 17:28:38 +0000 Subject: [PATCH] ALF-11700: Possible to generate feed entries with malformed NodeRefs * ActivityPostService checks incoming nodeRef values in JSON - they must at least work in a NodeRef constructor. * FeedTaskProcessor ignores nodeRef values that cannot be used in a NodeRef constructor. git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@32321 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../activities/ActivityPostServiceImpl.java | 49 +++++++++++++++---- .../activities/ActivityServiceImplTest.java | 10 ++++ .../activities/feed/FeedTaskProcessor.java | 19 +++++++ 3 files changed, 69 insertions(+), 9 deletions(-) diff --git a/source/java/org/alfresco/repo/activities/ActivityPostServiceImpl.java b/source/java/org/alfresco/repo/activities/ActivityPostServiceImpl.java index 80244fe10f..8f58c381da 100644 --- a/source/java/org/alfresco/repo/activities/ActivityPostServiceImpl.java +++ b/source/java/org/alfresco/repo/activities/ActivityPostServiceImpl.java @@ -169,20 +169,27 @@ public class ActivityPostServiceImpl implements ActivityPostService activityData = ""; } - if (AuthenticationUtil.isMtEnabled()) + try { - // MT share - add tenantDomain - try + if (activityData.length() > 0) { JSONObject jo = new JSONObject(new JSONTokener(activityData)); - jo.put(PostLookup.JSON_TENANT_DOMAIN, tenantService.getCurrentUserDomain()); - activityData = jo.toString(); - } - catch (JSONException e) - { - throw new IllegalArgumentException("Invalid activity data - not valid JSON: " + e); + if (AuthenticationUtil.isMtEnabled()) + { + // MT share - add tenantDomain + jo.put(PostLookup.JSON_TENANT_DOMAIN, tenantService.getCurrentUserDomain()); + activityData = jo.toString(); + } + checkNodeRef(jo); } } + catch (JSONException e) + { + //throw new IllegalArgumentException("Invalid activity data - not valid JSON: " + e); + // According to test data in org/alfresco/repo/activities/script/test_activityService.js + // invalid JSON should be OK. + } + if (activityData.length() > ActivityPostDAO.MAX_LEN_ACTIVITY_DATA) { @@ -263,4 +270,28 @@ public class ActivityPostServiceImpl implements ActivityPostService return userId; } + + /** + * Validate that the nodeRef property - if present in the activity data - is valid + * on a basic level (it can be used to construct a NodeRef object). + * + * @param activityPost + * @throws JSONException + */ + private void checkNodeRef(JSONObject jo) throws JSONException + { + String nodeRefStr = null; + try + { + if (jo.has(PostLookup.JSON_NODEREF)) + { + nodeRefStr = jo.getString(PostLookup.JSON_NODEREF); + new NodeRef(nodeRefStr); + } + } + catch (Exception e) + { + throw new IllegalArgumentException("Invalid node ref: " + nodeRefStr); + } + } } diff --git a/source/java/org/alfresco/repo/activities/ActivityServiceImplTest.java b/source/java/org/alfresco/repo/activities/ActivityServiceImplTest.java index cd2d49da1a..3c04953f5d 100644 --- a/source/java/org/alfresco/repo/activities/ActivityServiceImplTest.java +++ b/source/java/org/alfresco/repo/activities/ActivityServiceImplTest.java @@ -98,6 +98,16 @@ public class ActivityServiceImplTest extends BaseSpringTest { assertTrue(iae.getMessage().contains("activityType is a mandatory parameter")); } + + try + { + this.activityService.postActivity("org.alfresco.testActivityType1", "", "", "{ \"nodeRef\" : \"notfound\" }"); + fail("invalid post activity: bad nodeRef"); + } + catch (IllegalArgumentException iae) + { + assertTrue(iae.getMessage().contains("Invalid node ref: notfound")); + } } public void testGetEmptySiteFeed() throws Exception diff --git a/source/java/org/alfresco/repo/activities/feed/FeedTaskProcessor.java b/source/java/org/alfresco/repo/activities/feed/FeedTaskProcessor.java index 4c85923b70..f6f2d2fd6f 100644 --- a/source/java/org/alfresco/repo/activities/feed/FeedTaskProcessor.java +++ b/source/java/org/alfresco/repo/activities/feed/FeedTaskProcessor.java @@ -45,6 +45,7 @@ import org.alfresco.repo.domain.activities.ActivityPostEntity; import org.alfresco.repo.domain.activities.FeedControlEntity; import org.alfresco.repo.template.ISO8601DateFormatMethod; import org.alfresco.repo.tenant.TenantService; +import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.util.JSONtoFmModel; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; @@ -209,6 +210,24 @@ public abstract class FeedTaskProcessor continue; } + String nodeRefStr = (String) model.get(PostLookup.JSON_NODEREF); + try + { + // If a nodeRef is present, then it must be valid. + if (nodeRefStr != null) + { + // Attempt to create a nodeRef, making use of the constructor's validation. + new NodeRef(nodeRefStr); + } + } + catch (Exception e) + { + logger.error("Skipping activity post " + activityPost.getId() + + " due to invalid nodeRef: " + nodeRefStr); + updatePostStatus(activityPost.getId(), ActivityPostEntity.STATUS.ERROR); + continue; + } + // note: for MT share, site id should already be mangled - in addition to extra tenant domain info String thisSite = activityPost.getSiteNetwork();