From cd45223ccd9ac0e49ebf94efc44b7ced0c50b165 Mon Sep 17 00:00:00 2001
From: Manuel Soulier
Date: Mon, 27 Nov 2023 08:45:29 +0100
Subject: [PATCH] fix: security inputFilter
---
.../arc/utils/security/GuiInputSecurity.java | 42 +++++++++++++++++++
.../utils/security/GuiInputSecurityTest.java | 36 ++++++++++++++++
.../insee/arc/web/gui/all/util/VObject.java | 11 ++---
.../WEB-INF/jsp/tiles/templateVObject.jsp | 2 -
4 files changed, 84 insertions(+), 7 deletions(-)
create mode 100644 arc-utils/src/main/java/fr/insee/arc/utils/security/GuiInputSecurity.java
create mode 100644 arc-utils/src/test/java/fr/insee/arc/utils/security/GuiInputSecurityTest.java
diff --git a/arc-utils/src/main/java/fr/insee/arc/utils/security/GuiInputSecurity.java b/arc-utils/src/main/java/fr/insee/arc/utils/security/GuiInputSecurity.java
new file mode 100644
index 000000000..df5f6b7aa
--- /dev/null
+++ b/arc-utils/src/main/java/fr/insee/arc/utils/security/GuiInputSecurity.java
@@ -0,0 +1,42 @@
+package fr.insee.arc.utils.security;
+
+import java.util.List;
+import java.util.stream.Collectors;
+
+public class GuiInputSecurity {
+
+ private GuiInputSecurity() {
+ throw new IllegalStateException("Utility class");
+ }
+
+ /**
+ * format an input field as a database identifier
+ * @param guiInput
+ * @return
+ */
+ public static String formatAsDatabaseIdentifier(String guiInput) {
+
+ if (guiInput==null)
+ {
+ return null;
+ }
+
+ return guiInput.replaceAll("[^\\w$]", "") // remove all but world and $ symbol. worlds are 0-9a-zA-Z and _
+ .replaceFirst("^[_$]*", "") // remove begin trailings $ and _
+ .replaceFirst("[_$]*$", "") // remove end trailings $ and _
+ ;
+ }
+
+ public static List formatAsDatabaseIdentifier(List guiInputs) {
+ if (guiInputs==null)
+ {
+ return null;
+ }
+
+ return guiInputs.stream().map(t->formatAsDatabaseIdentifier(t)).collect(Collectors.toList());
+ }
+
+
+
+
+}
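Review bot: `formatAsDatabaseIdentifier(String)` cannot signal rejection: an input made only of stripped characters (e.g. `"***"` or `"$$__"`) comes back as the empty string, and two inputs that differ only in stripped characters collapse to the same identifier, so the caller still has to check the result against the column names it actually exposes. A fail-closed variant with the same signature would compare the cleaned value to the input and throw `IllegalArgumentException` (or return null) when they differ, leaving the allowlist check to the `VObject` side. Without `Pattern.UNICODE_CHARACTER_CLASS`, `\\w` in a Java regex is ASCII-only, so accented column names would be mangled rather than preserved; if identifiers are guaranteed ASCII that is fine, but the Javadoc should say so and fill in its empty `@param`/`@return` tags. The comment typo `world` should read `word`, e.g. `// keep only word characters [0-9a-zA-Z_] and $`.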
diff --git a/arc-utils/src/test/java/fr/insee/arc/utils/security/GuiInputSecurityTest.java b/arc-utils/src/test/java/fr/insee/arc/utils/security/GuiInputSecurityTest.java
new file mode 100644
index 000000000..06e30ad3a
--- /dev/null
+++ b/arc-utils/src/test/java/fr/insee/arc/utils/security/GuiInputSecurityTest.java
@@ -0,0 +1,36 @@
+package fr.insee.arc.utils.security;
+
+import static org.junit.Assert.*;
+
+import java.util.Arrays;
+import java.util.List;
+
+import org.junit.Test;
+
+public class GuiInputSecurityTest {
+
+ @Test
+ public void testFormatAsDatabaseIdentifier() {
+
+ assertEquals("var_table_metier",GuiInputSecurity.formatAsDatabaseIdentifier("var_table_metier"));
+
+ // remove space and ; and other chars
+ assertEquals("var_tablemetier",GuiInputSecurity.formatAsDatabaseIdentifier("var_table metier"));
+ assertEquals("dropdatabasetoto",GuiInputSecurity.formatAsDatabaseIdentifier("drop database toto;"));
+ assertEquals("var_table_metier$10",GuiInputSecurity.formatAsDatabaseIdentifier("var_table_metier$10"));
+ assertEquals("var_tableMETIER",GuiInputSecurity.formatAsDatabaseIdentifier("var_table METIER"));
+
+ // remove trailing $ and _
+ assertEquals("var_table_metier",GuiInputSecurity.formatAsDatabaseIdentifier("__var_table_metier$$"));
+ assertEquals("var_table_metier",GuiInputSecurity.formatAsDatabaseIdentifier("$var_table_metier_$"));
+ assertEquals("var_table_metier",GuiInputSecurity.formatAsDatabaseIdentifier("$_$var_table_metier$__;"));
+
+
+ List guiInputs = Arrays.asList("__var_table_metier$$", "drop database toto;");
+ List guiInputsReformat = GuiInputSecurity.formatAsDatabaseIdentifier(guiInputs);
+ assertEquals("var_table_metier", guiInputsReformat.get(0));
+ assertEquals("dropdatabasetoto", guiInputsReformat.get(1));
+
+ }
+
+}
diff --git a/arc-web/src/main/java/fr/insee/arc/web/gui/all/util/VObject.java b/arc-web/src/main/java/fr/insee/arc/web/gui/all/util/VObject.java
index f3f65be11..cda6c341d 100644
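Review bot: The test never covers the two results a caller most needs to know about: the empty identifier produced when every character is stripped, and the null passthrough. Adding `assertEquals("", GuiInputSecurity.formatAsDatabaseIdentifier("$$__"));` and `assertNull(GuiInputSecurity.formatAsDatabaseIdentifier((String) null));` pins both; the cast is needed because a bare `null` is ambiguous between the String and List overloads. A case with an accented letter such as `"métier"` would also document whether the ASCII-only stripping is intended.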
--- a/arc-web/src/main/java/fr/insee/arc/web/gui/all/util/VObject.java
+++ b/arc-web/src/main/java/fr/insee/arc/web/gui/all/util/VObject.java
@@ -8,6 +8,7 @@ import org.springframework.web.multipart.MultipartFile;
 import fr.insee.arc.core.dataobjects.ArcPreparedStatementBuilder;
+import fr.insee.arc.utils.security.GuiInputSecurity;
 import fr.insee.arc.utils.structure.GenericBean;
 import fr.insee.arc.utils.utils.ManipString;
@@ -791,9 +792,13 @@ public List getHeaderSortDLabels() {
 }
 public void setHeaderSortDLabels(List headerSortDLabels) {
- this.headerSortDLabels = headerSortDLabels;
+ this.headerSortDLabels = GuiInputSecurity.formatAsDatabaseIdentifier(headerSortDLabels);
 }
+ public String getHeaderSortDLabel() {
+ return headerSortDLabel;
+ }
+
 public List getHeaderSortDOrders() {
 return headerSortDOrders;
 }
@@ -802,10 +807,6 @@ public void setHeaderSortDOrders(List headerSortDOrders) {
 this.headerSortDOrders = headerSortDOrders;
 }
- public String getHeaderSortDLabel() {
- return headerSortDLabel;
- }
-
 public void setHeaderSortDLabel(String headerSortDLabel) {
 this.headerSortDLabel = headerSortDLabel;
 }
diff --git a/arc-web/src/main/webapp/WEB-INF/jsp/tiles/templateVObject.jsp b/arc-web/src/main/webapp/WEB-INF/jsp/tiles/templateVObject.jsp
index 322805c35..ce319db25 100644
--- a/arc-web/src/main/webapp/WEB-INF/jsp/tiles/templateVObject.jsp
+++ b/arc-web/src/main/webapp/WEB-INF/jsp/tiles/templateVObject.jsp
@@ -56,13 +56,11 @@ class='bg-body ${taille}' >
-<%-- --%>
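Review bot: Only the plural setter is now sanitized; `setHeaderSortDLabel(String)` in the third hunk still stores the request value unchanged, so if `headerSortDLabel` also reaches an ORDER BY clause (not visible here) the fix has a gap — `this.headerSortDLabel = GuiInputSecurity.formatAsDatabaseIdentifier(headerSortDLabel);` would make the two consistent. Normalizing inside the setter also means `getHeaderSortDLabels()` can return values that differ from what was bound, including empty strings; a short Javadoc on `setHeaderSortDLabels` stating that labels are normalized to database identifiers and may become empty would help the next maintainer. If `VObject` already holds its own column headers, rejecting labels not in that set would be a stronger control than normalization alone.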
-