Merged HEAD-BUG-FIX (5.0/Cloud) to HEAD (5.0/Cloud)

84937: Merged PLATFORM1 (5.0/Cloud) to HEAD-BUG-FIX (5.0/Cloud) 83533: ACE-2640: Added filterId validation to the remote-api's faceted search configuration. git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@85254 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-14 17:58:59 +00:00 · 2014-09-20 09:18:27 +00:00
parent 05c1bb9d58
commit b605e62834
2 changed files with 17 additions and 0 deletions
--- a/source/java/org/alfresco/repo/web/scripts/facet/AbstractSolrFacetConfigAdminWebScript.java
+++ b/source/java/org/alfresco/repo/web/scripts/facet/AbstractSolrFacetConfigAdminWebScript.java
@@ -25,6 +25,8 @@ import java.util.Collections;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;

 import javax.servlet.http.HttpServletResponse;

@@ -70,6 +72,9 @@ public abstract class AbstractSolrFacetConfigAdminWebScript extends DeclarativeW
    protected static final String CUSTOM_PARAM_NAME = "name";
    protected static final String CUSTOM_PARAM_VALUE = "value";

+    // The pattern is equivalent to the pattern defined in the forms-runtime.js
+    protected static final Pattern FILTER_ID_PATTERN = Pattern.compile("([\"\\*\\\\\\>\\<\\?\\/\\:\\|]+)|([\\.]?[\\.]+$)");
+
    protected SolrFacetService facetService;

    /**
@@ -190,6 +195,16 @@ public abstract class AbstractSolrFacetConfigAdminWebScript extends DeclarativeW

    }

+    protected void validateFilterID(String filterID)
+    {
+        Matcher matcher = FILTER_ID_PATTERN.matcher(filterID);
+        if (matcher.find())
+        {
+            throw new WebScriptException(HttpServletResponse.SC_BAD_REQUEST,
+                        "Invalid Filter Id. The characters \" * \\ < > ? / : | are not allowed. The Filter Id cannot end with a dot.");
+        }
+    }
+
    private Serializable getSerializableValue(Object object) throws JSONException
    {
        if (!(object instanceof Serializable))
--- a/source/java/org/alfresco/repo/web/scripts/facet/SolrFacetConfigAdminPost.java
+++ b/source/java/org/alfresco/repo/web/scripts/facet/SolrFacetConfigAdminPost.java
@@ -77,6 +77,8 @@ public class SolrFacetConfigAdminPost extends AbstractSolrFacetConfigAdminWebScr
            json = new JSONObject(new JSONTokener(req.getContent().getContent()));

            final String filterID = json.getString(PARAM_FILTER_ID);
+            validateFilterID(filterID);
+
            final String facetQNameStr = json.getString(PARAM_FACET_QNAME);
            final QName facetQName = QName.createQName(facetQNameStr);
            final String displayName = json.getString(PARAM_DISPLAY_NAME);