[NAE-1944] Server-side JavaScript Code Injection (SSJI) #240

Merged
merged 4 commits into from
Feb 13, 2024
Expand Up @@ -8,6 +8,7 @@
import com.netgrif.application.engine.elastic.service.interfaces.IElasticCasePrioritySearch;
import com.netgrif.application.engine.elastic.service.interfaces.IElasticCaseService;
import com.netgrif.application.engine.elastic.web.requestbodies.CaseSearchRequest;
import com.netgrif.application.engine.petrinet.domain.PetriNetSearch;
import com.netgrif.application.engine.petrinet.service.interfaces.IPetriNetService;
import com.netgrif.application.engine.petrinet.web.responsebodies.PetriNetReference;
import com.netgrif.application.engine.utils.FullPageRequest;
Expand Down Expand Up @@ -465,8 +466,8 @@ private boolean buildGroupQuery(CaseSearchRequest request, LoggedUser user, Loca
return false;
}

Map<String, Object> processQuery = new HashMap<>();
processQuery.put("group", request.group);
PetriNetSearch processQuery = new PetriNetSearch();
processQuery.setGroup(request.group);
List<PetriNetReference> groupProcesses = this.petriNetService.search(processQuery, user, new FullPageRequest(), locale).getContent();
if (groupProcesses.size() == 0)
return true;
Expand Up @@ -6,6 +6,7 @@
import com.netgrif.application.engine.elastic.service.interfaces.IElasticTaskService;
import com.netgrif.application.engine.elastic.web.requestbodies.CaseSearchRequest;
import com.netgrif.application.engine.elastic.web.requestbodies.ElasticTaskSearchRequest;
import com.netgrif.application.engine.petrinet.domain.PetriNetSearch;
import com.netgrif.application.engine.petrinet.service.interfaces.IPetriNetService;
import com.netgrif.application.engine.petrinet.web.responsebodies.PetriNetReference;
import com.netgrif.application.engine.utils.FullPageRequest;
Expand Down Expand Up @@ -423,8 +424,8 @@ public boolean buildGroupQuery(TaskSearchRequest request, LoggedUser user, Local
if (request.group == null || request.group.isEmpty())
return false;

Map<String, Object> processQuery = new HashMap<>();
processQuery.put("group", request.group);
PetriNetSearch processQuery = new PetriNetSearch();
processQuery.setGroup(request.group);
List<PetriNetReference> groupProcesses = this.petriNetService.search(processQuery, user, new FullPageRequest(), locale).getContent();
if (groupProcesses.size() == 0)
return true;
@@ -0,0 +1,33 @@
package com.netgrif.application.engine.petrinet.domain;

import com.netgrif.application.engine.auth.domain.Author;
import com.netgrif.application.engine.petrinet.domain.version.Version;
import lombok.Getter;
import lombok.Setter;
import java.util.List;
import java.util.Map;

@Getter
@Setter
public class PetriNetSearch {

private String importId;

private String identifier;

private String title;

private String defaultCaseName;

private String initials;

private List<String> group;

private Version version;

private Author author;

private List<String> negativeViewRoles;

private Map<String, String> tags;
}
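Review bot: `importId` is declared as a search field, but the rewritten `search(PetriNetSearch criteriaClass, ...)` shown later on this page has no branch that reads it, so a request filtering on `importId` is accepted and then silently ignored; either add the matching criterion or drop the field. The class also has no Javadoc, and since it is now the allowlist of fields a client may search on, I would add a class comment such as `/** Allowlisted search criteria for processes; only fields declared here reach the MongoDB query. */`. Binding the domain types `Author` and `Version` straight from the request body exposes whatever settable properties those classes have to the client, so a small request-specific type may be safer; their definitions are not visible from here.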
Expand Up @@ -36,6 +36,7 @@
import com.netgrif.application.engine.workflow.service.interfaces.IFieldActionsCacheService;
import com.netgrif.application.engine.workflow.service.interfaces.IWorkflowService;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang.StringEscapeUtils;
import org.apache.tomcat.util.http.fileupload.IOUtils;
import org.bson.Document;
import org.bson.types.ObjectId;
Expand Down Expand Up @@ -457,35 +458,61 @@ public Optional<PetriNet> findByImportId(String id) {
}

@Override
public Page<PetriNetReference> search(Map<String, Object> criteria, LoggedUser user, Pageable pageable, Locale locale) {
public Page<PetriNetReference> search(PetriNetSearch criteriaClass, LoggedUser user, Pageable pageable, Locale locale) {
Query query = new Query();
Query query_total = new Query();
Query queryTotal = new Query();

if (!user.getSelfOrImpersonated().isAdmin())
query.addCriteria(getProcessRolesCriteria(user.getSelfOrImpersonated()));

criteria.forEach((key, value) -> {
Criteria valueCriteria;
if (key.equalsIgnoreCase("group")) {
if (value instanceof List) {
Collection<String> authors = this.groupService.getGroupsOwnerEmails((List<String>) value);
valueCriteria = Criteria.where("author.email").in(authors);
} else {
valueCriteria = Criteria.where("author.email").is(this.groupService.getGroupOwnerEmail((String) value));
}
} else if (value instanceof List)
valueCriteria = Criteria.where(key).in(value);
else if (key.equalsIgnoreCase("title") || key.equalsIgnoreCase("initials") || key.equalsIgnoreCase("identifier"))
valueCriteria = Criteria.where(key).regex((String) value, "i");
else
valueCriteria = Criteria.where(key).is(value);
query.addCriteria(valueCriteria);
query_total.addCriteria(valueCriteria);
});
if (criteriaClass.getIdentifier() != null) {
this.addValueCriteria(query, queryTotal, Criteria.where("identifier").regex(criteriaClass.getIdentifier(), "i"));
}
if (criteriaClass.getTitle() != null) {
this.addValueCriteria(query, queryTotal, Criteria.where("title.defaultValue").regex(criteriaClass.getTitle(), "i"));
}
if (criteriaClass.getInitials() != null) {
this.addValueCriteria(query, queryTotal, Criteria.where("initials").regex(criteriaClass.getInitials(), "i"));
}
if (criteriaClass.getDefaultCaseName() != null) {
this.addValueCriteria(query, queryTotal, Criteria.where("defaultCaseName.defaultValue").regex(criteriaClass.getDefaultCaseName(), "i"));
}
if (criteriaClass.getGroup() != null) {
if (criteriaClass.getGroup().size() == 1) {
this.addValueCriteria(query, queryTotal, Criteria.where("author.email").is(this.groupService.getGroupOwnerEmail(criteriaClass.getGroup().get(0))));
} else {
this.addValueCriteria(query, queryTotal,Criteria.where("author.email").in(this.groupService.getGroupsOwnerEmails(criteriaClass.getGroup())));
}
}
if (criteriaClass.getVersion() != null) {
this.addValueCriteria(query, queryTotal, Criteria.where("version").is(criteriaClass.getVersion()));
}
if (criteriaClass.getAuthor() != null) {
if (criteriaClass.getAuthor().getEmail() != null) {
this.addValueCriteria(query, queryTotal, Criteria.where("author.email").is(criteriaClass.getAuthor().getEmail()));
}
if (criteriaClass.getAuthor().getId() != null) {
this.addValueCriteria(query, queryTotal, Criteria.where("author.id").is(criteriaClass.getAuthor().getId()));
}
if (criteriaClass.getAuthor().getFullName() != null) {
this.addValueCriteria(query, queryTotal, Criteria.where("author.fullName").is(criteriaClass.getAuthor().getFullName()));
}
}
if (criteriaClass.getNegativeViewRoles() != null) {
this.addValueCriteria(query, queryTotal, Criteria.where("negativeViewRoles").in(criteriaClass.getNegativeViewRoles()));
}
if (criteriaClass.getTags() != null) {
criteriaClass.getTags().entrySet().forEach(stringStringEntry -> this.addValueCriteria(query, queryTotal, Criteria.where("tags." + stringStringEntry.getKey()).is(stringStringEntry.getValue())));
}

query.with(pageable);
List<PetriNet> nets = mongoTemplate.find(query, PetriNet.class);
return new PageImpl<>(nets.stream().map(net -> new PetriNetReference(net, locale)).collect(Collectors.toList()), pageable, mongoTemplate.count(query_total, PetriNet.class));
return new PageImpl<>(nets.stream().map(net -> new PetriNetReference(net, locale)).collect(Collectors.toList()), pageable, mongoTemplate.count(queryTotal, PetriNet.class));
}

private void addValueCriteria(Query query, Query queryTotal, Criteria criteria) {
query.addCriteria(criteria);
queryTotal.addCriteria(criteria);
}

@Override
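Review bot: The `identifier`, `title`, `initials` and `defaultCaseName` branches still hand request text to `.regex(..., "i")` as a pattern, so a client controls the expression the database evaluates and a malformed one will likely surface as a server error; if a case-insensitive substring match is what is wanted, quote the value, e.g. `Criteria.where("identifier").regex(Pattern.quote(criteriaClass.getIdentifier()), "i")`. In the tags branch, `"tags." + stringStringEntry.getKey()` builds a field path from a client-chosen key, which should be checked against a fixed character set (no `.` or `$`) before use. The `group` branch and the `author.email` branch both add a criterion on `author.email`, and Spring Data's `Query.addCriteria` rejects a second criterion for the same key, so a request carrying both would presumably fail rather than be combined. Separately, the role restriction from `getProcessRolesCriteria` goes into `query` only, so for non-admin users the total given to `PageImpl` counts processes they cannot view; adding it to `queryTotal` as well would align the two.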
Expand Up @@ -3,6 +3,7 @@
import com.netgrif.application.engine.auth.domain.LoggedUser;
import com.netgrif.application.engine.importer.service.throwable.MissingIconKeyException;
import com.netgrif.application.engine.petrinet.domain.PetriNet;
import com.netgrif.application.engine.petrinet.domain.PetriNetSearch;
import com.netgrif.application.engine.petrinet.domain.Transition;
import com.netgrif.application.engine.petrinet.domain.VersionType;
import com.netgrif.application.engine.petrinet.domain.dataset.Field;
Expand Down Expand Up @@ -69,7 +70,7 @@ public interface IPetriNetService {

List<DataFieldReference> getDataFieldReferences(List<TransitionReference> transitions, Locale locale);

Page<PetriNetReference> search(Map<String, Object> criteria, LoggedUser user, Pageable pageable, Locale locale);
Page<PetriNetReference> search(PetriNetSearch criteria, LoggedUser user, Pageable pageable, Locale locale);

Optional<PetriNet> findByImportId(String id);
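Review bot: The parameter is called `criteria` here but `criteriaClass` in the implementing `search` method on this page; using one name in both places keeps documentation and IDE hints consistent. The method has no Javadoc, and since the accepted filters are now fixed by `PetriNetSearch`, a short comment would help callers: `/** Searches processes visible to {@code user}; only the non-null fields of {@code criteria} are applied as filters. */`. The interface body continues outside the hunk.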

Expand Up @@ -6,6 +6,7 @@
import com.netgrif.application.engine.importer.service.Importer;
import com.netgrif.application.engine.importer.service.throwable.MissingIconKeyException;
import com.netgrif.application.engine.petrinet.domain.PetriNet;
import com.netgrif.application.engine.petrinet.domain.PetriNetSearch;
import com.netgrif.application.engine.petrinet.domain.VersionType;
import com.netgrif.application.engine.petrinet.domain.throwable.MissingPetriNetMetaDataException;
import com.netgrif.application.engine.petrinet.domain.version.StringToVersionConverter;
Expand Down Expand Up @@ -171,7 +172,7 @@ public FileSystemResource getNetFile(@PathVariable("netId") String netId, @Reque
@Operation(summary = "Search processes", security = {@SecurityRequirement(name = "BasicAuth")})
@PostMapping(value = "/search", produces = MediaTypes.HAL_JSON_VALUE)
public @ResponseBody
PagedModel<PetriNetReferenceResource> searchPetriNets(@RequestBody Map<String, Object> criteria, Authentication auth, Pageable pageable, PagedResourcesAssembler<PetriNetReference> assembler, Locale locale) {
PagedModel<PetriNetReferenceResource> searchPetriNets(@RequestBody PetriNetSearch criteria, Authentication auth, Pageable pageable, PagedResourcesAssembler<PetriNetReference> assembler, Locale locale) {
LoggedUser user = (LoggedUser) auth.getPrincipal();
Page<PetriNetReference> nets = service.search(criteria, user, pageable, locale);
Link selfLink = WebMvcLinkBuilder.linkTo(WebMvcLinkBuilder.methodOn(PetriNetController.class)
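Review bot: With `@RequestBody PetriNetSearch criteria`, keys that the old `Map<String, Object>` body accepted but the new class does not declare (for example the flat `author.email` key that `getNetsByAuthorAsMapOptions` used before this change) are, under Jackson's usual Spring Boot defaults, dropped without error, so an older client would get an unfiltered result instead of a rejection; the mapper configuration is not visible here, so please confirm. If that is not intended, configure deserialization to fail on unknown properties for this type, and consider `@Valid` with size limits on the string and list fields. The same applies to `searchPetriNets` in the public controller section below, which runs the search as the anonymous user. The method body continues outside the hunk.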
Expand Up @@ -2,6 +2,7 @@

import com.netgrif.application.engine.auth.service.interfaces.IUserService;
import com.netgrif.application.engine.petrinet.domain.PetriNet;
import com.netgrif.application.engine.petrinet.domain.PetriNetSearch;
import com.netgrif.application.engine.petrinet.domain.version.StringToVersionConverter;
import com.netgrif.application.engine.petrinet.service.interfaces.IPetriNetService;
import com.netgrif.application.engine.petrinet.service.interfaces.IProcessRoleService;
Expand Down Expand Up @@ -69,7 +70,7 @@ public PetriNetReferenceResource getOne(@PathVariable("identifier") String ident

@Operation(summary = "Search processes")
@PostMapping(value = "/search", consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaTypes.HAL_JSON_VALUE)
public PagedModel<PetriNetReferenceResource> searchPetriNets(@RequestBody Map<String, Object> criteria, Pageable pageable, PagedResourcesAssembler<PetriNetReference> assembler, Locale locale) {
public PagedModel<PetriNetReferenceResource> searchPetriNets(@RequestBody PetriNetSearch criteria, Pageable pageable, PagedResourcesAssembler<PetriNetReference> assembler, Locale locale) {
Page<PetriNetReference> nets = petriNetService.search(criteria, userService.getAnonymousLogged(), pageable, locale);
Link selfLink = WebMvcLinkBuilder.linkTo(WebMvcLinkBuilder.methodOn(PublicPetriNetController.class)
.searchPetriNets(criteria, pageable, assembler, locale)).withRel("search");
Expand Up @@ -4,6 +4,7 @@
import com.netgrif.application.engine.importer.service.FieldFactory;
import com.netgrif.application.engine.petrinet.domain.I18nString;
import com.netgrif.application.engine.petrinet.domain.PetriNet;
import com.netgrif.application.engine.petrinet.domain.PetriNetSearch;
import com.netgrif.application.engine.petrinet.domain.dataset.FieldType;
import com.netgrif.application.engine.petrinet.domain.dataset.UserFieldValue;
import com.netgrif.application.engine.petrinet.service.interfaces.IPetriNetService;
Expand Down Expand Up @@ -347,8 +348,12 @@ private static BooleanExpression caseIdString(String caseId) {
}

public Predicate group(Object query, LoggedUser user, Locale locale) {
Map<String, Object> processQuery = new HashMap<>();
processQuery.put(GROUP, query);
PetriNetSearch processQuery = new PetriNetSearch();
if (query instanceof List) {
processQuery.setGroup((List<String>) query);
} else if (query instanceof String) {
processQuery.setGroup(new ArrayList<String>( Arrays.asList((String) query)) );
}
List<PetriNetReference> groupProcesses = this.petriNetService.search(processQuery, user, new FullPageRequest(), locale).getContent();
if (groupProcesses.size() == 0)
return null;
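Review bot: When `query` is neither a `List` nor a `String`, neither branch runs, `processQuery` keeps a null group, and `search` then applies no group filter at all, so the predicate is built from every process the user can see instead of from none; the old map-based code would presumably have failed on the cast. An explicit final branch such as `else { throw new IllegalArgumentException("group must be a String or a List of Strings"); }` makes that case fail closed. The `(List<String>) query` cast is unchecked, so non-string elements pass through until they reach the group service, and `new ArrayList<String>( Arrays.asList((String) query))` can be written as `Collections.singletonList((String) query)` if the list need not be mutable. The method body continues outside the hunk.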
@@ -1,9 +1,11 @@
package com.netgrif.application.engine.workflow.service;

import com.netgrif.application.engine.auth.domain.Author;
import com.netgrif.application.engine.auth.domain.LoggedUser;
import com.netgrif.application.engine.auth.domain.User;
import com.netgrif.application.engine.petrinet.domain.I18nString;
import com.netgrif.application.engine.petrinet.domain.PetriNet;
import com.netgrif.application.engine.petrinet.domain.PetriNetSearch;
import com.netgrif.application.engine.petrinet.domain.dataset.EnumerationMapField;
import com.netgrif.application.engine.petrinet.domain.dataset.MultichoiceMapField;
import com.netgrif.application.engine.petrinet.domain.version.StringToVersionConverter;
Expand Down Expand Up @@ -43,8 +45,10 @@ public class ConfigurableMenuService implements IConfigurableMenuService {
@Override
public Map<String, I18nString> getNetsByAuthorAsMapOptions(User author, Locale locale){
LoggedUser loggedAuthor = author.transformToLoggedUser();
Map<String, Object> requestQuery = new HashMap<>();
requestQuery.put("author.email", author.getEmail());
PetriNetSearch requestQuery = new PetriNetSearch();
Author authorQuery = new Author();
Contributor


authorQuery is not used, should it be set to requestQuery?

Contributor Author


done

authorQuery.setEmail(author.getEmail());
requestQuery.setAuthor(authorQuery);
List<PetriNetReference> nets = this.petriNetService.search(requestQuery, loggedAuthor, new FullPageRequest(), locale).getContent();

Map<String, I18nString> options = new HashMap<>();
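Review bot: If `author.getEmail()` returns null, `search` skips the `author.email` criterion (it is only added when the email is non-null) and no other field of `requestQuery` is set, so this method would list every process `loggedAuthor` can view rather than only that author's; the previous map-based query would have matched on a null email instead. A guard before the search, e.g. `if (author.getEmail() == null) return new HashMap<>();`, keeps the result scoped. Whether `User.getEmail()` can be null is not visible from this hunk. The method body continues outside the hunk.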
@@ -1,6 +1,7 @@
package com.netgrif.application.engine.workflow.service;

import com.netgrif.application.engine.auth.domain.LoggedUser;
import com.netgrif.application.engine.petrinet.domain.PetriNetSearch;
import com.netgrif.application.engine.petrinet.service.interfaces.IPetriNetService;
import com.netgrif.application.engine.petrinet.web.responsebodies.PetriNetReference;
import com.netgrif.application.engine.utils.FullPageRequest;
Expand Down Expand Up @@ -271,8 +272,8 @@ public boolean buildGroupQuery(TaskSearchRequest request, LoggedUser user, Local
if (request.group == null || request.group.isEmpty())
return false;

Map<String, Object> processQuery = new HashMap<>();
processQuery.put("group", request.group);
PetriNetSearch processQuery = new PetriNetSearch();
processQuery.setGroup(request.group);
List<PetriNetReference> groupProcesses = this.petriNetService.search(processQuery, user, new FullPageRequest(), locale).getContent();
if (groupProcesses.size() == 0)
return true;