From ae8f44afc34081550110f6fe8867a295c2bbe3d2 Mon Sep 17 00:00:00 2001 From: Raitis Veinbahs Date: Tue, 20 Aug 2024 12:21:48 +0300 Subject: [PATCH] fix: Fix escaping issues in labels, add fuzz testing to make sure (DEV-3976) (#3339) --- .../src/test/resources/application.conf | 2 ++ .../webapi/e2e/v2/OntologyV2R2RSpec.scala | 16 ++++++++- .../org/knora/webapi/config/AppConfig.scala | 1 + .../resourcemessages/ResourceMessagesV2.scala | 2 +- .../resources/CreateResourceV2Handler.scala | 36 +++++++------------ .../impl/TriplestoreServiceLive.scala | 2 +- 6 files changed, 33 insertions(+), 26 deletions(-) diff --git a/integration/src/test/resources/application.conf b/integration/src/test/resources/application.conf index d91b6568bb..8f075c2713 100644 --- a/integration/src/test/resources/application.conf +++ b/integration/src/test/resources/application.conf @@ -12,6 +12,8 @@ app { } reload-on-start = false + + is-test-env = true } features { diff --git a/integration/src/test/scala/org/knora/webapi/e2e/v2/OntologyV2R2RSpec.scala b/integration/src/test/scala/org/knora/webapi/e2e/v2/OntologyV2R2RSpec.scala index e7e7abff83..a5c2d6ef46 100644 --- a/integration/src/test/scala/org/knora/webapi/e2e/v2/OntologyV2R2RSpec.scala +++ b/integration/src/test/scala/org/knora/webapi/e2e/v2/OntologyV2R2RSpec.scala @@ -6,10 +6,12 @@ package org.knora.webapi.e2e.v2 import org.apache.pekko +import spray.json.JsString import java.net.URLEncoder import java.time.Instant import scala.concurrent.ExecutionContextExecutor +import scala.util.Random import dsp.constants.SalsahGui import dsp.errors.BadRequestException @@ -2790,6 +2792,13 @@ class OntologyV2R2RSpec extends R2RSpec { // Create a resource of #BlueTestClass using only #hasBlueTestIntProp + val resourceLabel: String = { + val fuzz1 = Random.nextString(1000) + val fuzz2 = List.fill(1000)(()).map(_ => Random.nextInt(128).toChar).mkString + val fuzz3 = List.fill(1000)(()).map(_ => Random.nextPrintableChar()).mkString + fuzz1 ++ fuzz2 ++ fuzz3 + } + val createResourceWithValues: String = s"""{ | "@type" : "freetest:BlueFreeTestClass", @@ -2802,7 +2811,7 @@ class OntologyV2R2RSpec extends R2RSpec { | "knora-api:attachedToProject" : { | "@id" : "http://rdfh.ch/projects/0001" | }, - | "rdfs:label" : "my blue test class thing instance", + | "rdfs:label" : ${JsString(resourceLabel).toString}, | "@context" : { | "rdf" : "http://www.w3.org/1999/02/22-rdf-syntax-ns#", | "knora-api" : "http://api.knora.org/ontology/knora-api/v2#", @@ -2818,10 +2827,15 @@ class OntologyV2R2RSpec extends R2RSpec { ) ~> addCredentials(BasicHttpCredentials(anythingUsername, password)) ~> resourcesPath ~> check { val responseStr = responseAs[String] assert(status == StatusCodes.OK, responseStr) + val responseJsonDoc = JsonLDUtil.parseJsonLD(responseStr) val validationFun: (String, => Nothing) => String = (s, e) => Iri.validateAndEscapeIri(s).getOrElse(e) val resourceIri: IRI = responseJsonDoc.body.requireStringWithValidation(JsonLDKeywords.ID, validationFun) assert(resourceIri.toSmartIri.isKnoraDataIri) + + val responseJsonDoc2 = JsonLDUtil.parseJsonLD(responseStr) + val label = responseJsonDoc2.body.value.get(OntologyConstants.Rdfs.Label).get + assert(label == JsonLDString(resourceLabel)) } // payload to test cardinality can't be deleted diff --git a/webapi/src/main/scala/org/knora/webapi/config/AppConfig.scala b/webapi/src/main/scala/org/knora/webapi/config/AppConfig.scala index 6dd625afcd..3be474e899 100644 --- a/webapi/src/main/scala/org/knora/webapi/config/AppConfig.scala +++ b/webapi/src/main/scala/org/knora/webapi/config/AppConfig.scala @@ -157,6 +157,7 @@ final case class Triplestore( autoInit: Boolean, fuseki: Fuseki, profileQueries: Boolean, + isTestEnv: Boolean = false, ) final case class Fuseki( diff --git a/webapi/src/main/scala/org/knora/webapi/messages/v2/responder/resourcemessages/ResourceMessagesV2.scala b/webapi/src/main/scala/org/knora/webapi/messages/v2/responder/resourcemessages/ResourceMessagesV2.scala index dd5d5f79b0..bb4d9f4de0 100644 --- a/webapi/src/main/scala/org/knora/webapi/messages/v2/responder/resourcemessages/ResourceMessagesV2.scala +++ b/webapi/src/main/scala/org/knora/webapi/messages/v2/responder/resourcemessages/ResourceMessagesV2.scala @@ -685,7 +685,7 @@ object CreateResourceRequestV2 { // Get the resource's rdfs:label. label <- - ZIO.attempt(jsonLDDocument.body.requireStringWithValidation(Rdfs.Label, validationFun)) + ZIO.attempt(jsonLDDocument.body.requireStringWithValidation(Rdfs.Label, (s, _) => s)) // Get information about the project that the resource should be created in. projectIri <- ZIO.attempt( diff --git a/webapi/src/main/scala/org/knora/webapi/responders/v2/resources/CreateResourceV2Handler.scala b/webapi/src/main/scala/org/knora/webapi/responders/v2/resources/CreateResourceV2Handler.scala index 0b839cad53..4bcecee04a 100644 --- a/webapi/src/main/scala/org/knora/webapi/responders/v2/resources/CreateResourceV2Handler.scala +++ b/webapi/src/main/scala/org/knora/webapi/responders/v2/resources/CreateResourceV2Handler.scala @@ -164,7 +164,7 @@ final case class CreateResourceV2Handler( private def makeTask( createResourceRequestV2: CreateResourceRequestV2, resourceIri: IRI, - ): Task[ReadResourcesSequenceV2] = { + ): Task[ReadResourcesSequenceV2] = for { _ <- // check if resourceIri already exists holding a lock on the IRI ZIO @@ -219,17 +219,13 @@ final case class CreateResourceV2Handler( ) // Get the default permissions of the resource class. - defaultResourcePermissionsMap <- getResourceClassDefaultPermissions( projectIri = createResourceRequestV2.createResource.projectADM.id, resourceClassIris = Set(internalCreateResource.resourceClassIri), requestingUser = createResourceRequestV2.requestingUser, ) - defaultResourcePermissions: String = defaultResourcePermissionsMap(internalCreateResource.resourceClassIri) - // Get the default permissions of each property used. - defaultPropertyPermissionsMap <- getDefaultPropertyPermissions( projectIri = createResourceRequestV2.createResource.projectADM.id, resourceClassProperties = Map( @@ -237,26 +233,21 @@ final case class CreateResourceV2Handler( ), requestingUser = createResourceRequestV2.requestingUser, ) - defaultPropertyPermissions: Map[SmartIri, String] = defaultPropertyPermissionsMap( - internalCreateResource.resourceClassIri, - ) - - // Make a versionDate for the resource and its values. - creationDate: Instant = internalCreateResource.creationDate.getOrElse(Instant.now) // Do the remaining pre-update checks and make a ResourceReadyToCreate describing the SPARQL // for creating the resource. - resourceReadyToCreate <- generateResourceReadyToCreate( - resourceIri = resourceIri, - internalCreateResource = internalCreateResource, - linkTargetClasses = linkTargetClasses, - entityInfo = allEntityInfo, - clientResourceIDs = Map.empty[IRI, String], - defaultResourcePermissions = defaultResourcePermissions, - defaultPropertyPermissions = defaultPropertyPermissions, - creationDate = creationDate, - requestingUser = createResourceRequestV2.requestingUser, - ) + resourceReadyToCreate <- + generateResourceReadyToCreate( + resourceIri = resourceIri, + internalCreateResource = internalCreateResource, + linkTargetClasses = linkTargetClasses, + entityInfo = allEntityInfo, + clientResourceIDs = Map.empty[IRI, String], + defaultResourcePermissions = defaultResourcePermissionsMap(internalCreateResource.resourceClassIri), + defaultPropertyPermissions = defaultPropertyPermissionsMap(internalCreateResource.resourceClassIri), + creationDate = internalCreateResource.creationDate.getOrElse(Instant.now), + requestingUser = createResourceRequestV2.requestingUser, + ) dataNamedGraph = ProjectService.projectDataNamedGraphV2(createResourceRequestV2.createResource.projectADM) @@ -273,7 +264,6 @@ final case class CreateResourceV2Handler( requestingUser = createResourceRequestV2.requestingUser, ) } yield previewOfCreatedResource - } /** * Generates a [[ResourceReadyToCreate]] describing SPARQL for creating a resource and its values. diff --git a/webapi/src/main/scala/org/knora/webapi/store/triplestore/impl/TriplestoreServiceLive.scala b/webapi/src/main/scala/org/knora/webapi/store/triplestore/impl/TriplestoreServiceLive.scala index 0215a2c357..950120341c 100644 --- a/webapi/src/main/scala/org/knora/webapi/store/triplestore/impl/TriplestoreServiceLive.scala +++ b/webapi/src/main/scala/org/knora/webapi/store/triplestore/impl/TriplestoreServiceLive.scala @@ -409,7 +409,7 @@ case class TriplestoreServiceLive( _ <- { val endTime = java.lang.System.nanoTime() val duration = Duration.fromNanos(endTime - startTime) - ZIO.when(duration >= trackingThreshold) { + ZIO.when(!triplestoreConfig.isTestEnv && duration >= trackingThreshold) { ZIO.logInfo( s"Fuseki request took $duration, which is longer than $trackingThreshold, timeout=${query.timeout}\n ${query.sparql}", )