Verify sortBy parameter before application

scm-webapp/src/main/java/sonia/scm/api/rest/resources/AbstractManagerResource.java

@@ -55,6 +55,11 @@ import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.Response.Status;
 import javax.ws.rs.core.UriInfo;
+import java.beans.BeanInfo;
+import java.beans.IntrospectionException;
+import java.beans.Introspector;
+import java.beans.PropertyDescriptor;
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.Comparator;
 import java.util.Date;
@@ -76,17 +81,15 @@ public abstract class AbstractManagerResource<T extends ModelObject,
   private static final Logger logger =
     LoggerFactory.getLogger(AbstractManagerResource.class);
 
-  //~--- constructors ---------------------------------------------------------
+  protected final Manager<T, E> manager;
+  private final Class<T> type;
 
-  /**
-   * Constructs ...
-   *
-   *
-   * @param manager
-   */
-  public AbstractManagerResource(Manager<T, E> manager)
-  {
+  protected int cacheMaxAge = 0;
+  protected boolean disableCache = false;
+
+  public AbstractManagerResource(Manager<T, E> manager, Class<T> type) {
     this.manager = manager;
+    this.type = type;
   }
 
   //~--- methods --------------------------------------------------------------
@@ -526,45 +529,25 @@ public abstract class AbstractManagerResource<T extends ModelObject,
     return builder.build();
   }
 
-  /**
-   * Method description
-   *
-   *
-   * @param sortby
-   * @param desc
-   *
-   * @return
-   */
   @SuppressWarnings("unchecked")
-  private Comparator<T> createComparator(String sortby, boolean desc)
+  private Comparator<T> createComparator(String sortBy, boolean desc)
   {
+    checkSortByField(sortBy);
     Comparator comparator;
 
     if (desc)
     {
-      comparator = new BeanReverseComparator(sortby);
+      comparator = new BeanReverseComparator(sortBy);
     }
     else
     {
-      comparator = new BeanComparator(sortby);
+      comparator = new BeanComparator(sortBy);
     }
 
     return comparator;
   }
 
-  /**
-   * Method description
-   *
-   *
-   *
-   * @param sortby
-   * @param desc
-   * @param start
-   * @param limit
-   *
-   * @return
-   */
-  private Collection<T> fetchItems(String sortby, boolean desc, int start,
+  private Collection<T> fetchItems(String sortBy, boolean desc, int start,
     int limit)
   {
     AssertUtil.assertPositive(start);
@@ -573,18 +556,18 @@ public abstract class AbstractManagerResource<T extends ModelObject,
 
     if (limit > 0)
     {
-      if (Util.isEmpty(sortby))
+      if (Util.isEmpty(sortBy))
       {
 
         // replace with something useful
-        sortby = "id";
+        sortBy = "id";
       }
 
-      items = manager.getAll(createComparator(sortby, desc), start, limit);
+      items = manager.getAll(createComparator(sortBy, desc), start, limit);
     }
-    else if (Util.isNotEmpty(sortby))
+    else if (Util.isNotEmpty(sortBy))
     {
-      items = manager.getAll(createComparator(sortby, desc));
+      items = manager.getAll(createComparator(sortBy, desc));
     }
     else
     {
@@ -594,6 +577,18 @@ public abstract class AbstractManagerResource<T extends ModelObject,
     return items;
   }
 
+  private void checkSortByField(String sortBy) {
+    try {
+      BeanInfo info = Introspector.getBeanInfo(type);
+      PropertyDescriptor[] pds = info.getPropertyDescriptors();
+      if (Arrays.stream(pds).noneMatch(p -> p.getName().equals(sortBy))) {
+        throw new IllegalArgumentException("sortBy");
+      }
+    } catch (IntrospectionException e) {
+      throw new RuntimeException("error introspecting model type " + type.getName(), e);
+    }
+  }
+
   protected PageResult<T> fetchPage(String sortby, boolean desc, int pageNumber,
     int pageSize) {
     AssertUtil.assertPositive(pageNumber);
@@ -676,16 +671,4 @@ public abstract class AbstractManagerResource<T extends ModelObject,
       return super.compare(o1, o2) * -1;
     }
   }
-
-
-  //~--- fields ---------------------------------------------------------------
-
-  /** Field description */
-  protected int cacheMaxAge = 0;
-
-  /** Field description */
-  protected boolean disableCache = false;
-
-  /** Field description */
-  protected Manager<T, E> manager;
 }

scm-webapp/src/main/java/sonia/scm/api/rest/resources/GroupResource.java

@@ -41,18 +41,12 @@ import com.webcohesion.enunciate.metadata.rs.ResponseCode;
 import com.webcohesion.enunciate.metadata.rs.ResponseHeader;
 import com.webcohesion.enunciate.metadata.rs.StatusCodes;
 import com.webcohesion.enunciate.metadata.rs.TypeHint;
-
 import org.apache.shiro.SecurityUtils;
-
 import sonia.scm.group.Group;
 import sonia.scm.group.GroupException;
 import sonia.scm.group.GroupManager;
 import sonia.scm.security.Role;
 
-//~--- JDK imports ------------------------------------------------------------
-
-import java.util.Collection;
-
 import javax.ws.rs.Consumes;
 import javax.ws.rs.DELETE;
 import javax.ws.rs.DefaultValue;
@@ -69,6 +63,9 @@ import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriInfo;
+import java.util.Collection;
+
+//~--- JDK imports ------------------------------------------------------------
 
 /**
  * RESTful Web Service Resource to manage groups and their members.
@@ -97,7 +94,7 @@ public class GroupResource
   @Inject
   public GroupResource(GroupManager groupManager)
   {
-    super(groupManager);
+    super(groupManager, Group.class);
   }
 
   //~--- methods --------------------------------------------------------------

scm-webapp/src/main/java/sonia/scm/api/rest/resources/RepositoryResource.java

@@ -131,7 +131,7 @@ public class RepositoryResource extends AbstractManagerResource<Repository, Repo
     RepositoryManager repositoryManager,
     RepositoryServiceFactory servicefactory, HealthChecker healthChecker)
   {
-    super(repositoryManager);
+    super(repositoryManager, Repository.class);
     this.configuration = configuration;
     this.repositoryManager = repositoryManager;
     this.servicefactory = servicefactory;

scm-webapp/src/main/java/sonia/scm/api/rest/resources/UserResource.java

@@ -41,10 +41,8 @@ import com.webcohesion.enunciate.metadata.rs.ResponseCode;
 import com.webcohesion.enunciate.metadata.rs.ResponseHeader;
 import com.webcohesion.enunciate.metadata.rs.StatusCodes;
 import com.webcohesion.enunciate.metadata.rs.TypeHint;
-
 import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.authc.credential.PasswordService;
-
 import sonia.scm.security.Role;
 import sonia.scm.user.User;
 import sonia.scm.user.UserException;
@@ -52,11 +50,6 @@ import sonia.scm.user.UserManager;
 import sonia.scm.util.AssertUtil;
 import sonia.scm.util.Util;
 
-//~--- JDK imports ------------------------------------------------------------
-
-import java.util.Collection;
-
-import javax.ws.rs.Consumes;
 import javax.ws.rs.DELETE;
 import javax.ws.rs.DefaultValue;
 import javax.ws.rs.GET;
@@ -72,6 +65,9 @@ import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriInfo;
+import java.util.Collection;
+
+//~--- JDK imports ------------------------------------------------------------
 
 /**
  * RESTful Web Service Resource to manage users.
@@ -101,7 +97,7 @@ public class UserResource extends AbstractManagerResource<User, UserException>
   @Inject
   public UserResource(UserManager userManager, PasswordService passwordService)
   {
-    super(userManager);
+    super(userManager, User.class);
     this.passwordService = passwordService;
   }