Validate sort keys for task executions

jvalkeal · jvalkeal · commit 60c5bcf26958 · 2021-01-07T09:54:05.000Z
- Now simply does a check for sort field that it is what can possibly work and alignes i.e. what we can request from UI. - Fixes #4319 Use correct assert as andReturn()... doesn't work Support both cases
diff --git a/spring-cloud-dataflow-server-core/src/main/java/org/springframework/cloud/dataflow/server/controller/TaskExecutionController.java b/spring-cloud-dataflow-server-core/src/main/java/org/springframework/cloud/dataflow/server/controller/TaskExecutionController.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2019 the original author or authors.
+ * Copyright 2016-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -43,6 +43,7 @@
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.PageImpl;
 import org.springframework.data.domain.Pageable;
+import org.springframework.data.domain.Sort;
 import org.springframework.data.web.PagedResourcesAssembler;
 import org.springframework.hateoas.PagedModel;
 import org.springframework.hateoas.server.ExposesResourceFor;
@@ -87,6 +88,9 @@ public class TaskExecutionController {
 
 	private final TaskSanitizer taskSanitizer = new TaskSanitizer();
 
+	private static final List<String> allowedSorts = Arrays.asList("task_execution_id", "task_name", "start_time",
+			"end_time", "exit_code");
+
 	/**
 	 * Creates a {@code TaskExecutionController} that retrieves Task Execution information
 	 * from a the {@link TaskExplorer}
@@ -124,6 +128,7 @@ public TaskExecutionController(TaskExplorer explorer, TaskExecutionService taskE
 	@ResponseStatus(HttpStatus.OK)
 	public PagedModel<TaskExecutionResource> list(Pageable pageable,
 			PagedResourcesAssembler<TaskJobExecutionRel> assembler) {
+		validatePageable(pageable);
 		Page<TaskExecution> taskExecutions = this.explorer.findAll(pageable);
 		Page<TaskJobExecutionRel> result = getPageableRelationships(taskExecutions, pageable);
 		return assembler.toModel(result, this.taskAssembler);
@@ -141,6 +146,7 @@ public PagedModel<TaskExecutionResource> list(Pageable pageable,
 	@ResponseStatus(HttpStatus.OK)
 	public PagedModel<TaskExecutionResource> retrieveTasksByName(@RequestParam("name") String taskName,
 			Pageable pageable, PagedResourcesAssembler<TaskJobExecutionRel> assembler) {
+		validatePageable(pageable);
 		this.taskDefinitionRepository.findById(taskName)
 				.orElseThrow(() -> new NoSuchTaskDefinitionException(taskName));
 		Page<TaskExecution> taskExecutions = this.explorer.findTaskExecutionsByName(taskName, pageable);
@@ -257,6 +263,20 @@ private Page<TaskJobExecutionRel> getPageableRelationships(Page<TaskExecution> t
 		return new PageImpl<>(taskJobExecutionRels, pageable, taskExecutions.getTotalElements());
 	}
 
+	private static void validatePageable(Pageable pageable) {
+		if (pageable != null) {
+			Sort sort = pageable.getSort();
+			if (sort != null) {
+				for (Sort.Order order : sort) {
+					String property = order.getProperty();
+					if (property != null && !allowedSorts.contains(property.toLowerCase())) {
+						throw new IllegalArgumentException("Sorting column " + order.getProperty() + " not allowed");
+					}
+				}
+			}
+		}
+	}
+
 	/**
 	 * {@link org.springframework.hateoas.server.RepresentationModelAssembler} implementation that converts
 	 * {@link TaskJobExecutionRel}s to {@link TaskExecutionResource}s.
diff --git a/spring-cloud-dataflow-server-core/src/test/java/org/springframework/cloud/dataflow/server/controller/TaskExecutionControllerTests.java b/spring-cloud-dataflow-server-core/src/test/java/org/springframework/cloud/dataflow/server/controller/TaskExecutionControllerTests.java
@@ -62,6 +62,7 @@
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 import org.springframework.web.context.WebApplicationContext;
 
+import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.Matchers.containsInAnyOrder;
 import static org.hamcrest.Matchers.hasSize;
 import static org.hamcrest.Matchers.is;
@@ -365,4 +366,19 @@ private ResultActions verifyTaskArgs(List<String> expectedArgs, String prefix, R
 		}
 		return ra;
 	}
+
+	@Test
+	public void testSorting() throws Exception {
+		mockMvc.perform(get("/tasks/executions").param("sort", "TASK_EXECUTION_ID").accept(MediaType.APPLICATION_JSON))
+			.andExpect(status().isOk());
+		mockMvc.perform(get("/tasks/executions").param("sort", "task_execution_id").accept(MediaType.APPLICATION_JSON))
+			.andExpect(status().isOk());
+
+		mockMvc.perform(get("/tasks/executions").param("sort", "WRONG_FIELD").accept(MediaType.APPLICATION_JSON))
+			.andExpect(status().is5xxServerError())
+			.andExpect(content().string(containsString("Sorting column WRONG_FIELD not allowed")));
+		mockMvc.perform(get("/tasks/executions").param("sort", "wrong_field").accept(MediaType.APPLICATION_JSON))
+			.andExpect(status().is5xxServerError())
+			.andExpect(content().string(containsString("Sorting column wrong_field not allowed")));
+	}
 }
