ALF-11700: Possible to generate feed entries with malformed NodeRefs

* ActivityPostService checks incoming nodeRef values in JSON - they must at least work in a NodeRef constructor. * FeedTaskProcessor ignores nodeRef values that cannot be used in a NodeRef constructor. git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@32321 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-07 17:49:17 +00:00 · 2011-11-25 17:28:38 +00:00
parent 44c5efe514
commit 70722a9a3b
3 changed files with 69 additions and 9 deletions
--- a/source/java/org/alfresco/repo/activities/ActivityPostServiceImpl.java
+++ b/source/java/org/alfresco/repo/activities/ActivityPostServiceImpl.java
@@ -169,20 +169,27 @@ public class ActivityPostServiceImpl implements ActivityPostService
                activityData = "";
            }
            
-            if (AuthenticationUtil.isMtEnabled())
+            try
            {
-                // MT share - add tenantDomain
-                try
+                if (activityData.length() > 0)
                {
                    JSONObject jo = new JSONObject(new JSONTokener(activityData));
-                    jo.put(PostLookup.JSON_TENANT_DOMAIN, tenantService.getCurrentUserDomain());
-                    activityData = jo.toString();
-                }
-                catch (JSONException e)
-                {
-                    throw new IllegalArgumentException("Invalid activity data - not valid JSON: " + e);
+                    if (AuthenticationUtil.isMtEnabled())
+                    {
+                        // MT share - add tenantDomain
+                        jo.put(PostLookup.JSON_TENANT_DOMAIN, tenantService.getCurrentUserDomain());
+                        activityData = jo.toString();
+                    }
+                    checkNodeRef(jo);
                }
            }
+            catch (JSONException e)
+            {
+                //throw new IllegalArgumentException("Invalid activity data - not valid JSON: " + e);
+                // According to test data in org/alfresco/repo/activities/script/test_activityService.js
+                // invalid JSON should be OK.
+            }
+
            
            if (activityData.length() > ActivityPostDAO.MAX_LEN_ACTIVITY_DATA)
            {
@@ -263,4 +270,28 @@ public class ActivityPostServiceImpl implements ActivityPostService
        
        return userId;
    }
+    
+    /**
+     * Validate that the nodeRef property - if present in the activity data - is valid
+     * on a basic level (it can be used to construct a NodeRef object).
+     * 
+     * @param activityPost
+     * @throws JSONException 
+     */
+    private void checkNodeRef(JSONObject jo) throws JSONException
+    {
+        String nodeRefStr = null;
+        try
+        {
+            if (jo.has(PostLookup.JSON_NODEREF))
+            {
+                nodeRefStr = jo.getString(PostLookup.JSON_NODEREF);
+                new NodeRef(nodeRefStr);
+            }
+        }
+        catch (Exception e)
+        {
+            throw new IllegalArgumentException("Invalid node ref: " + nodeRefStr);
+        }
+    }
 }
--- a/source/java/org/alfresco/repo/activities/ActivityServiceImplTest.java
+++ b/source/java/org/alfresco/repo/activities/ActivityServiceImplTest.java
@@ -98,6 +98,16 @@ public class ActivityServiceImplTest extends BaseSpringTest
        {
            assertTrue(iae.getMessage().contains("activityType is a mandatory parameter"));
        }
+        
+        try
+        {
+            this.activityService.postActivity("org.alfresco.testActivityType1", "", "", "{ \"nodeRef\" : \"notfound\" }");
+            fail("invalid post activity: bad nodeRef");
+        }
+        catch (IllegalArgumentException iae)
+        {
+            assertTrue(iae.getMessage().contains("Invalid node ref: notfound"));
+        }
    }   
        
    public void testGetEmptySiteFeed() throws Exception
--- a/source/java/org/alfresco/repo/activities/feed/FeedTaskProcessor.java
+++ b/source/java/org/alfresco/repo/activities/feed/FeedTaskProcessor.java
@@ -45,6 +45,7 @@ import org.alfresco.repo.domain.activities.ActivityPostEntity;
 import org.alfresco.repo.domain.activities.FeedControlEntity;
 import org.alfresco.repo.template.ISO8601DateFormatMethod;
 import org.alfresco.repo.tenant.TenantService;
+import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.util.JSONtoFmModel;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -209,6 +210,24 @@ public abstract class FeedTaskProcessor
                    continue;
                }
                
+                String nodeRefStr = (String) model.get(PostLookup.JSON_NODEREF);
+                try
+                {
+                    // If a nodeRef is present, then it must be valid.
+                    if (nodeRefStr != null)
+                    {
+                        // Attempt to create a nodeRef, making use of the constructor's validation.
+                        new NodeRef(nodeRefStr);
+                    }
+                }
+                catch (Exception e)
+                {
+                    logger.error("Skipping activity post " + activityPost.getId() +
+                                " due to invalid nodeRef: " + nodeRefStr);
+                    updatePostStatus(activityPost.getId(), ActivityPostEntity.STATUS.ERROR);
+                    continue;
+                }
+                
                // note: for MT share, site id should already be mangled - in addition to extra tenant domain info
                
                String thisSite = activityPost.getSiteNetwork();