XWIKI-22718, XWIKI-22691: Improve query validation

tmortagne · tmortagne · commit 5c11a874bd24 · 2024-12-06T18:29:39.000+01:00
diff --git a/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/store/hibernate/query/HqlQueryExecutor.java b/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/store/hibernate/query/HqlQueryExecutor.java
@@ -131,12 +131,23 @@ private Set<String> getAllowedNamedQueries()
      */
     protected static boolean isSafeSelect(String statementString)
     {
-        return HqlQueryUtils.isShortFormStatement(statementString) || HqlQueryUtils.isSafe(statementString);
+        // An empty statement is safe
+        if (statementString.isEmpty()) {
+            return true;
+        }
+
+        // HqlQueryUtils#isSafe only works with complete statements
+        String completeStatement = toCompleteShortForm(statementString);
+
+        // Parse and validate the statement
+        return HqlQueryUtils.isSafe(completeStatement);
     }
 
     protected void checkAllowed(final Query query) throws QueryException
     {
-        if (query instanceof SecureQuery && ((SecureQuery) query).isCurrentAuthorChecked()) {
+        // Check if the query needs to be validated according to the current author
+        if (query instanceof SecureQuery secureQuery && secureQuery.isCurrentAuthorChecked()) {
+            // Not need to check the details if current author has programming right
             if (!this.authorization.hasAccess(Right.PROGRAM)) {
                 if (query.isNamed() && !getAllowedNamedQueries().contains(query.getStatement())) {
                     throw new QueryException("Named queries requires programming right", query, null);
@@ -152,15 +163,15 @@ protected void checkAllowed(final Query query) throws QueryException
     @Override
     public <T> List<T> execute(final Query query) throws QueryException
     {
-        // Make sure the query is allowed in the current context
-        checkAllowed(query);
-
         String oldDatabase = getContext().getWikiId();
         try {
             if (query.getWiki() != null) {
                 getContext().setWikiId(query.getWiki());
             }
 
+            // Make sure the query is allowed. Make sure to do it in the target context.
+            checkAllowed(query);
+
             // Filter the query
             Query filteredQuery = filterQuery(query);
 
@@ -333,13 +344,18 @@ private boolean hasQueryParametersType(Query query)
      */
     protected String completeShortFormStatement(String statement)
     {
-        String lcStatement = statement.toLowerCase().trim();
-        if (lcStatement.isEmpty() || lcStatement.startsWith(",") || lcStatement.startsWith("where ")
-            || lcStatement.startsWith("order by ")) {
-            return "select doc.fullName from XWikiDocument doc " + statement.trim();
+        return toCompleteShortForm(statement);
+    }
+
+    private static String toCompleteShortForm(String statement)
+    {
+        String filteredStatement = statement;
+
+        if (statement.isEmpty() || HqlQueryUtils.isShortFormStatement(statement)) {
+            filteredStatement = "select doc.fullName from XWikiDocument doc " + statement.trim();
         }
 
-        return statement;
+        return filteredStatement;
     }
 
     private <T> org.hibernate.query.Query<T> createNamedHibernateQuery(Session session, Query query)
diff --git a/xwiki-platform-core/xwiki-platform-oldcore/src/test/java/com/xpn/xwiki/internal/store/hibernate/query/HqlQueryUtilsTest.java b/xwiki-platform-core/xwiki-platform-oldcore/src/test/java/com/xpn/xwiki/internal/store/hibernate/query/HqlQueryUtilsTest.java
@@ -63,6 +63,8 @@ public void isSafe()
             .isSafe("select doc.name, ot.field from XWikiDocument doc, XWikiSpace space, OtherTable as ot"));
         assertFalse(HqlQueryUtils.isSafe("select count(*) from OtherTable"));
         assertFalse(HqlQueryUtils.isSafe("select count(other.*) from OtherTable other"));
+        assertFalse(HqlQueryUtils.isSafe("select doc.fullName from XWikiDocument doc union all select name from OtherTable"));
+        assertFalse(HqlQueryUtils.isSafe("select doc.fullName from XWikiDocument doc where 1<>'1\\'' union select name from OtherTable #'"));
     }
 
     @Test
diff --git a/xwiki-platform-core/xwiki-platform-oldcore/src/test/java/com/xpn/xwiki/store/hibernate/query/HqlQueryExecutorTest.java b/xwiki-platform-core/xwiki-platform-oldcore/src/test/java/com/xpn/xwiki/store/hibernate/query/HqlQueryExecutorTest.java
@@ -220,7 +220,7 @@ public void setNamedParameterArray()
     {
         org.hibernate.query.Query query = mock(org.hibernate.query.Query.class);
         String name = "bar";
-        Integer[] value = new Integer[] { 1, 2, 3 };
+        Integer[] value = new Integer[] {1, 2, 3};
         this.executor.setNamedParameter(query, name, value);
 
         verify(query).setParameterList(name, value);
@@ -403,7 +403,7 @@ public void executeWhenNotAllowedSelect() throws Exception
             assertEquals(
                 "The query requires programming right."
                     + " Query statement = [select notallowed.name from NotAllowedTable notallowed]",
-                expected.getMessage());
+                expected.getCause().getMessage());
         }
     }
 
@@ -415,7 +415,7 @@ public void executeDeleteWithoutProgrammingRight() throws Exception
             fail("Should have thrown an exception here");
         } catch (QueryException expected) {
             assertEquals("The query requires programming right. Query statement = [delete from XWikiDocument as doc]",
-                expected.getMessage());
+                expected.getCause().getMessage());
         }
     }
 
@@ -426,7 +426,8 @@ public void executeNamedQueryWithoutProgrammingRight() throws Exception
             executeNamed("somename", false);
             fail("Should have thrown an exception here");
         } catch (QueryException expected) {
-            assertEquals("Named queries requires programming right. Named query = [somename]", expected.getMessage());
+            assertEquals("Named queries requires programming right. Named query = [somename]",
+                expected.getCause().getMessage());
         }
     }
 
@@ -439,7 +440,7 @@ public void executeUpdateWithoutProgrammingRight() throws Exception
         } catch (QueryException expected) {
             assertEquals(
                 "The query requires programming right. Query statement = [update XWikiDocument set name='name']",
-                expected.getMessage());
+                expected.getCause().getMessage());
         }
     }
 }
diff --git a/xwiki-platform-core/xwiki-platform-rest/xwiki-platform-rest-server/src/main/java/org/xwiki/rest/internal/resources/search/AbstractDatabaseSearchSource.java b/xwiki-platform-core/xwiki-platform-rest/xwiki-platform-rest-server/src/main/java/org/xwiki/rest/internal/resources/search/AbstractDatabaseSearchSource.java
@@ -63,6 +63,7 @@ public abstract class AbstractDatabaseSearchSource extends AbstractSearchSource
     protected Provider<XWikiContext> xcontextProvider;
 
     @Inject
+    @Named("secure")
     protected QueryManager queryManager;
 
     @Inject

Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,8 @@ public void isSafe()`
`63`	`63`	`.isSafe("select doc.name, ot.field from XWikiDocument doc, XWikiSpace space, OtherTable as ot"));`
`64`	`64`	`assertFalse(HqlQueryUtils.isSafe("select count(*) from OtherTable"));`
`65`	`65`	`assertFalse(HqlQueryUtils.isSafe("select count(other.*) from OtherTable other"));`
	`66`	`+ assertFalse(HqlQueryUtils.isSafe("select doc.fullName from XWikiDocument doc union all select name from OtherTable"));`
	`67`	`+ assertFalse(HqlQueryUtils.isSafe("select doc.fullName from XWikiDocument doc where 1<>'1\\'' union select name from OtherTable #'"));`
`66`	`68`	`}`
`67`	`69`
`68`	`70`	`@Test`
Original file line number	Diff line number	Diff line change
`@@ -220,7 +220,7 @@ public void setNamedParameterArray()`
`220`	`220`	`{`
`221`	`221`	`org.hibernate.query.Query query = mock(org.hibernate.query.Query.class);`
`222`	`222`	`String name = "bar";`
`223`		`- Integer[] value = new Integer[] { 1, 2, 3 };`
	`223`	`+ Integer[] value = new Integer[] {1, 2, 3};`
`224`	`224`	`this.executor.setNamedParameter(query, name, value);`
`225`	`225`
`226`	`226`	`verify(query).setParameterList(name, value);`
`@@ -403,7 +403,7 @@ public void executeWhenNotAllowedSelect() throws Exception`
`403`	`403`	`assertEquals(`
`404`	`404`	`"The query requires programming right."`
`405`	`405`	`+ " Query statement = [select notallowed.name from NotAllowedTable notallowed]",`
`406`		`- expected.getMessage());`
	`406`	`+ expected.getCause().getMessage());`
`407`	`407`	`}`
`408`	`408`	`}`
`409`	`409`
`@@ -415,7 +415,7 @@ public void executeDeleteWithoutProgrammingRight() throws Exception`
`415`	`415`	`fail("Should have thrown an exception here");`
`416`	`416`	`} catch (QueryException expected) {`
`417`	`417`	`assertEquals("The query requires programming right. Query statement = [delete from XWikiDocument as doc]",`
`418`		`- expected.getMessage());`
	`418`	`+ expected.getCause().getMessage());`
`419`	`419`	`}`
`420`	`420`	`}`
`421`	`421`
`@@ -426,7 +426,8 @@ public void executeNamedQueryWithoutProgrammingRight() throws Exception`
`426`	`426`	`executeNamed("somename", false);`
`427`	`427`	`fail("Should have thrown an exception here");`
`428`	`428`	`} catch (QueryException expected) {`
`429`		`- assertEquals("Named queries requires programming right. Named query = [somename]", expected.getMessage());`
	`429`	`+ assertEquals("Named queries requires programming right. Named query = [somename]",`
	`430`	`+ expected.getCause().getMessage());`
`430`	`431`	`}`
`431`	`432`	`}`
`432`	`433`
`@@ -439,7 +440,7 @@ public void executeUpdateWithoutProgrammingRight() throws Exception`
`439`	`440`	`} catch (QueryException expected) {`
`440`	`441`	`assertEquals(`
`441`	`442`	`"The query requires programming right. Query statement = [update XWikiDocument set name='name']",`
`442`		`- expected.getMessage());`
	`443`	`+ expected.getCause().getMessage());`
`443`	`444`	`}`
`444`	`445`	`}`
`445`	`446`	`}`