fix: remove exploitable matcher

Signed-off-by: jonathan zollinger <[email protected]>
Graqr · Aug 18, 2024 · 6dbe2bd · 6dbe2bd
1 parent ce7994b
commit 6dbe2bd
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 3 deletions.
diff --git a/src/main/java/com/graqr/threshr/model/queryparam/Page.java b/src/main/java/com/graqr/threshr/model/queryparam/Page.java
@@ -21,7 +21,8 @@ public Page(String page) throws ThreshrException {
     }
 
     /**
-     * Sets string value as "/c/" + provided value.
+     * Sets string value as "/c/" + provided value. As a means of security, value is permitted to be 26 alphanumeric
+     * words delimited with either - or _
      *
      * @param name Query parameter in redsky api to specify from where an api call is made in the browser
      * @throws ThreshrException if string contains anything other than letters or is empty
@@ -31,9 +32,9 @@ public void setName(String name) throws ThreshrException {
         if (tempPage.startsWith("/c/")) {
             tempPage = tempPage.substring(3);
         }
-        if (tempPage.matches(".+([^(a-z|\\-)]).+") || tempPage.isEmpty()) {
+        if (!tempPage.matches("^([a-z\\d]+[-_]?){1,31}$")) {
             throw new ThreshrException(String.format(
-                    "Expected only letters for the page value, but received \"%s\".", tempPage));
+                    "Expected non-space-character delimited string of up to 30 words, but got \"%s\".", tempPage));
         }
         this.name = "/c/" + tempPage;
     }

diff --git a/src/test/groovy/com/graqr/threshr/model/queryparam/PageSpec.groovy b/src/test/groovy/com/graqr/threshr/model/queryparam/PageSpec.groovy
@@ -5,6 +5,7 @@ import io.micronaut.context.annotation.Value
 import io.micronaut.core.io.ResourceLoader
 import io.micronaut.test.extensions.spock.annotation.MicronautTest
 import jakarta.inject.Inject
+import net.datafaker.Faker
 import spock.lang.Shared
 import spock.lang.Specification
 
@@ -69,6 +70,40 @@ class PageSpec extends Specification {
         expectedPages = getLinesFromFile("classpath:" + pagesFilepath)
     }
 
+    def "validate page title word count limit"() {
+        when: "create page title of #size word count"
+        String delimiter = new Random().nextBoolean() ? "_" : "-"
+        String pageValue = new Faker().lorem().sentence(size as int)
+                .replace(" ", delimiter)
+                .replace(".","") // remove ending punctuation
+
+        and: "create page object whose title is '#pageValue'"
+        //noinspection GroovyResultOfObjectAllocationIgnored
+        new Page(pageValue)
+
+        then:
+        noExceptionThrown()
+
+        where:
+        size << (1..30)
+    }
+
+    def "Creating Page with title word count under or over limit fails"() {
+        when: "creating page with '#pageValue' title"
+        //noinspection GroovyResultOfObjectAllocationIgnored
+        new Page(pageValue)
+
+        then:
+        def exception = thrown(ThreshrException)
+        exception.message.contains("Expected non-space-character delimited string of up to 30 words, but got")
+
+
+        where:
+        pageValue                        | _
+        ""                               | _
+        new Faker().lorem().sentence(31) | _
+    }
+
 
     def "test create new Page from #pageValue seed data creates object with expected value"() {
         given: