ALF-11700: Possible to generate feed entries with malformed NodeRefs
* ActivityPostService checks incoming nodeRef values in JSON - they must at least work in a NodeRef constructor. * FeedTaskProcessor ignores nodeRef values that cannot be used in a NodeRef constructor. git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@32321 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
@@ -169,20 +169,27 @@ public class ActivityPostServiceImpl implements ActivityPostService
|
|||||||
activityData = "";
|
activityData = "";
|
||||||
}
|
}
|
||||||
|
|
||||||
if (AuthenticationUtil.isMtEnabled())
|
try
|
||||||
{
|
{
|
||||||
// MT share - add tenantDomain
|
if (activityData.length() > 0)
|
||||||
try
|
|
||||||
{
|
{
|
||||||
JSONObject jo = new JSONObject(new JSONTokener(activityData));
|
JSONObject jo = new JSONObject(new JSONTokener(activityData));
|
||||||
jo.put(PostLookup.JSON_TENANT_DOMAIN, tenantService.getCurrentUserDomain());
|
if (AuthenticationUtil.isMtEnabled())
|
||||||
activityData = jo.toString();
|
{
|
||||||
}
|
// MT share - add tenantDomain
|
||||||
catch (JSONException e)
|
jo.put(PostLookup.JSON_TENANT_DOMAIN, tenantService.getCurrentUserDomain());
|
||||||
{
|
activityData = jo.toString();
|
||||||
throw new IllegalArgumentException("Invalid activity data - not valid JSON: " + e);
|
}
|
||||||
|
checkNodeRef(jo);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
catch (JSONException e)
|
||||||
|
{
|
||||||
|
//throw new IllegalArgumentException("Invalid activity data - not valid JSON: " + e);
|
||||||
|
// According to test data in org/alfresco/repo/activities/script/test_activityService.js
|
||||||
|
// invalid JSON should be OK.
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
if (activityData.length() > ActivityPostDAO.MAX_LEN_ACTIVITY_DATA)
|
if (activityData.length() > ActivityPostDAO.MAX_LEN_ACTIVITY_DATA)
|
||||||
{
|
{
|
||||||
@@ -263,4 +270,28 @@ public class ActivityPostServiceImpl implements ActivityPostService
|
|||||||
|
|
||||||
return userId;
|
return userId;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Validate that the nodeRef property - if present in the activity data - is valid
|
||||||
|
* on a basic level (it can be used to construct a NodeRef object).
|
||||||
|
*
|
||||||
|
* @param activityPost
|
||||||
|
* @throws JSONException
|
||||||
|
*/
|
||||||
|
private void checkNodeRef(JSONObject jo) throws JSONException
|
||||||
|
{
|
||||||
|
String nodeRefStr = null;
|
||||||
|
try
|
||||||
|
{
|
||||||
|
if (jo.has(PostLookup.JSON_NODEREF))
|
||||||
|
{
|
||||||
|
nodeRefStr = jo.getString(PostLookup.JSON_NODEREF);
|
||||||
|
new NodeRef(nodeRefStr);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
catch (Exception e)
|
||||||
|
{
|
||||||
|
throw new IllegalArgumentException("Invalid node ref: " + nodeRefStr);
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
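Review bot: The now-empty `catch (JSONException e)` in the first hunk lets activity data that fails to parse through without either step inside the `try` having run: `checkNodeRef(jo)` is skipped and, when `AuthenticationUtil.isMtEnabled()` is true, no `PostLookup.JSON_TENANT_DOMAIN` entry is added. Before this change a multi-tenant post with unparseable data was rejected; whether a post without a tenant domain is safe downstream is not visible here, so I would keep the rejection for that case with `if (AuthenticationUtil.isMtEnabled()) { throw new IllegalArgumentException("Invalid activity data - not valid JSON", e); }` and replace the commented-out `throw` with a sentence explaining why non-MT posts tolerate invalid JSON. In `checkNodeRef` (second hunk) the Javadoc says `@param activityPost` while the parameter is `jo`, and `catch (Exception e)` drops the cause. If `jo.getString` throws for a non-string value, `nodeRefStr` is still null and the caller sees "Invalid node ref: null". The method containing the first hunk starts and ends outside it.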
@@ -98,6 +98,16 @@ public class ActivityServiceImplTest extends BaseSpringTest
|
|||||||
{
|
{
|
||||||
assertTrue(iae.getMessage().contains("activityType is a mandatory parameter"));
|
assertTrue(iae.getMessage().contains("activityType is a mandatory parameter"));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
try
|
||||||
|
{
|
||||||
|
this.activityService.postActivity("org.alfresco.testActivityType1", "", "", "{ \"nodeRef\" : \"notfound\" }");
|
||||||
|
fail("invalid post activity: bad nodeRef");
|
||||||
|
}
|
||||||
|
catch (IllegalArgumentException iae)
|
||||||
|
{
|
||||||
|
assertTrue(iae.getMessage().contains("Invalid node ref: notfound"));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testGetEmptySiteFeed() throws Exception
|
public void testGetEmptySiteFeed() throws Exception
|
||||||
|
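Review bot: The added case covers only a `nodeRef` that the `NodeRef` constructor rejects; the other behaviour this commit changes, `postActivity` no longer throwing for activity data that is not valid JSON, has no Java assertion in this hunk. If acceptance is the intended contract, a companion case that posts a non-JSON string and expects no exception would pin it alongside the JS test data the service comment refers to. A one-line comment above the new `try`, such as `// ALF-11700: nodeRef must be usable in the NodeRef constructor`, would also say why this input is expected to fail. The test method starts outside the hunk.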
@@ -45,6 +45,7 @@ import org.alfresco.repo.domain.activities.ActivityPostEntity;
|
|||||||
import org.alfresco.repo.domain.activities.FeedControlEntity;
|
import org.alfresco.repo.domain.activities.FeedControlEntity;
|
||||||
import org.alfresco.repo.template.ISO8601DateFormatMethod;
|
import org.alfresco.repo.template.ISO8601DateFormatMethod;
|
||||||
import org.alfresco.repo.tenant.TenantService;
|
import org.alfresco.repo.tenant.TenantService;
|
||||||
|
import org.alfresco.service.cmr.repository.NodeRef;
|
||||||
import org.alfresco.util.JSONtoFmModel;
|
import org.alfresco.util.JSONtoFmModel;
|
||||||
import org.apache.commons.logging.Log;
|
import org.apache.commons.logging.Log;
|
||||||
import org.apache.commons.logging.LogFactory;
|
import org.apache.commons.logging.LogFactory;
|
||||||
@@ -209,6 +210,24 @@ public abstract class FeedTaskProcessor
|
|||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
String nodeRefStr = (String) model.get(PostLookup.JSON_NODEREF);
|
||||||
|
try
|
||||||
|
{
|
||||||
|
// If a nodeRef is present, then it must be valid.
|
||||||
|
if (nodeRefStr != null)
|
||||||
|
{
|
||||||
|
// Attempt to create a nodeRef, making use of the constructor's validation.
|
||||||
|
new NodeRef(nodeRefStr);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
catch (Exception e)
|
||||||
|
{
|
||||||
|
logger.error("Skipping activity post " + activityPost.getId() +
|
||||||
|
" due to invalid nodeRef: " + nodeRefStr);
|
||||||
|
updatePostStatus(activityPost.getId(), ActivityPostEntity.STATUS.ERROR);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
// note: for MT share, site id should already be mangled - in addition to extra tenant domain info
|
// note: for MT share, site id should already be mangled - in addition to extra tenant domain info
|
||||||
|
|
||||||
String thisSite = activityPost.getSiteNetwork();
|
String thisSite = activityPost.getSiteNetwork();
|
||||||
|
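Review bot: The cast in `String nodeRefStr = (String) model.get(PostLookup.JSON_NODEREF);` sits before the `try`, so a stored post whose `nodeRef` is not a string would raise `ClassCastException` outside the handler that sets `STATUS.ERROR` and continues. Assuming `model` can hold arbitrary parsed JSON values (for example from rows written before the service-side check existed), I would declare `String nodeRefStr = null;` ahead of the `try` and make `nodeRefStr = (String) model.get(PostLookup.JSON_NODEREF);` its first statement, so that one bad row is skipped like any other malformed value. The `logger.error` call concatenates the raw, caller-supplied `nodeRefStr` and drops `e`. Stripping CR/LF from the value and passing `e` as the second argument would keep the cause and stop the value from injecting extra log lines. The loop this hunk belongs to starts and ends outside it.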