Fixes #117. Sql injection filter for ${} expressions

Author: emacarron

src/main/java/org/apache/ibatis/builder/BaseBuilder.java

@@ -18,6 +18,7 @@
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.Set;
+import java.util.regex.Pattern;
 
 import org.apache.ibatis.mapping.ParameterMode;
 import org.apache.ibatis.mapping.ResultSetType;
@@ -45,6 +46,10 @@ public Configuration getConfiguration() {
     return configuration;
   }
 
+  protected Pattern parseExpression(String regex, String defaultValue) {
+    return Pattern.compile(regex == null ? defaultValue : regex);
+  }
+
   protected Boolean booleanValueOf(String value, Boolean defaultValue) {
     return value == null ? defaultValue : Boolean.valueOf(value);
   }

src/main/java/org/apache/ibatis/builder/xml/XMLConfigBuilder.java

@@ -217,9 +217,11 @@ private void settingsElement(XNode context) throws Exception {
       configuration.setLogPrefix(props.getProperty("logPrefix"));
       configuration.setLogImpl(resolveClass(props.getProperty("logImpl")));
       configuration.setConfigurationFactory(resolveClass(props.getProperty("configurationFactory")));
+      configuration.setInjectionFilterEnabled(booleanValueOf(props.getProperty("injectionFilterEnabled"), false));
+      configuration.setInjectionFilter(parseExpression(props.getProperty("injectionFilter"), "^[a-zA-Z0-9._]*$"));
     }
   }
-
+  
   private void environmentsElement(XNode context) throws Exception {
     if (context != null) {
       if (environment == null) {

src/main/java/org/apache/ibatis/scripting/xmltags/TextSqlNode.java

@@ -15,18 +15,27 @@
  */
 package org.apache.ibatis.scripting.xmltags;
 
+import java.util.regex.Pattern;
+
 import org.apache.ibatis.parsing.GenericTokenParser;
 import org.apache.ibatis.parsing.TokenHandler;
+import org.apache.ibatis.scripting.ScriptingException;
 import org.apache.ibatis.type.SimpleTypeRegistry;
 
 /**
  * @author Clinton Begin
  */
 public class TextSqlNode implements SqlNode {
   private String text;
+  private Pattern injectionFilter;
 
   public TextSqlNode(String text) {
+    this(text, null);
+  }
+  
+  public TextSqlNode(String text, Pattern injectionFilter) {
     this.text = text;
+    this.injectionFilter = injectionFilter;
   }
 
   public boolean isDynamic() {
@@ -37,7 +46,7 @@ public boolean isDynamic() {
   }
 
   public boolean apply(DynamicContext context) {
-    GenericTokenParser parser = createParser(new BindingTokenParser(context));
+    GenericTokenParser parser = createParser(new BindingTokenParser(context, injectionFilter));
     context.appendSql(parser.parse(text));
     return true;
   }
@@ -49,9 +58,11 @@ private GenericTokenParser createParser(TokenHandler handler) {
   private static class BindingTokenParser implements TokenHandler {
 
     private DynamicContext context;
+    private Pattern injectionFilter;
 
-    public BindingTokenParser(DynamicContext context) {
+    public BindingTokenParser(DynamicContext context, Pattern injectionFilter) {
       this.context = context;
+      this.injectionFilter = injectionFilter;
     }
 
     public String handleToken(String content) {
@@ -62,10 +73,18 @@ public String handleToken(String content) {
         context.getBindings().put("value", parameter);
       }
       Object value = OgnlCache.getValue(content, context.getBindings());
-      return (value == null ? "" : String.valueOf(value)); // issue #274 return "" instead of "null"
+      String srtValue = (value == null ? "" : String.valueOf(value)); // issue #274 return "" instead of "null"
+      checkInjection(srtValue);
+      return srtValue;
     }
-  }
 
+    private void checkInjection(String value) {
+      if (injectionFilter != null && !injectionFilter.matcher(value).matches()) {
+        throw new ScriptingException("Invalid input. Please conform to regex" + injectionFilter.pattern());
+      }
+    }
+  }
+  
   private static class DynamicCheckerTokenParser implements TokenHandler {
 
     private boolean isDynamic;

src/main/java/org/apache/ibatis/scripting/xmltags/XMLLanguageDriver.java

@@ -15,6 +15,8 @@
  */
 package org.apache.ibatis.scripting.xmltags;
 
+import java.util.regex.Pattern;
+
 import org.apache.ibatis.builder.xml.XMLMapperEntityResolver;
 import org.apache.ibatis.executor.parameter.ParameterHandler;
 import org.apache.ibatis.mapping.BoundSql;
@@ -48,13 +50,17 @@ public SqlSource createSqlSource(Configuration configuration, String script, Cla
       return createSqlSource(configuration, parser.evalNode("/script"), parameterType);
     } else {
       script = PropertyParser.parse(script, configuration.getVariables()); // issue #127
-      TextSqlNode textSqlNode = new TextSqlNode(script);
+      TextSqlNode textSqlNode = new TextSqlNode(script, getInjectionFilter(configuration));
       if (textSqlNode.isDynamic()) {
         return new DynamicSqlSource(configuration, textSqlNode);
       } else {
         return new RawSqlSource(configuration, script, parameterType);
       }
     }
   }
+  
+  private Pattern getInjectionFilter(Configuration configuration) {
+    return configuration.isInjectionFilterEnabled() ? configuration.getInjectionFilter() : null; 
+  }
 
 }

src/main/java/org/apache/ibatis/scripting/xmltags/XMLScriptBuilder.java

@@ -19,6 +19,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.regex.Pattern;
 
 import org.apache.ibatis.builder.BaseBuilder;
 import org.apache.ibatis.builder.BuilderException;
@@ -67,7 +68,7 @@ private List<SqlNode> parseDynamicTags(XNode node) {
       XNode child = node.newXNode(children.item(i));
       if (child.getNode().getNodeType() == Node.CDATA_SECTION_NODE || child.getNode().getNodeType() == Node.TEXT_NODE) {
         String data = child.getStringBody("");
-        TextSqlNode textSqlNode = new TextSqlNode(data);
+        TextSqlNode textSqlNode = new TextSqlNode(data, getInjectionFilter(configuration));
         if (textSqlNode.isDynamic()) {
           contents.add(textSqlNode);
           isDynamic = true;
@@ -86,6 +87,10 @@ private List<SqlNode> parseDynamicTags(XNode node) {
     }
     return contents;
   }
+  
+  private Pattern getInjectionFilter(Configuration configuration) {
+    return configuration.isInjectionFilterEnabled() ? configuration.getInjectionFilter() : null; 
+  }
 
   private Map<String, NodeHandler> nodeHandlers = new HashMap<String, NodeHandler>() {
     private static final long serialVersionUID = 7123056019193266281L;

src/main/java/org/apache/ibatis/session/Configuration.java

@@ -24,6 +24,7 @@
 import java.util.Map;
 import java.util.Properties;
 import java.util.Set;
+import java.util.regex.Pattern;
 
 import org.apache.ibatis.binding.MapperRegistry;
 import org.apache.ibatis.builder.CacheRefResolver;
@@ -103,6 +104,9 @@ public class Configuration {
   protected boolean useColumnLabel = true;
   protected boolean cacheEnabled = true;
   protected boolean callSettersOnNulls = false;
+  protected boolean injectionFilterEnabled = false; 
+  protected Pattern injectionFilter = Pattern.compile("^[a-zA-Z0-9._]*$");
+  
   protected String logPrefix;
   protected Class <? extends Log> logImpl;
   protected LocalCacheScope localCacheScope = LocalCacheScope.SESSION;
@@ -673,6 +677,22 @@ public void addCacheRef(String namespace, String referencedNamespace) {
     cacheRefMap.put(namespace, referencedNamespace);
   }
 
+  public boolean isInjectionFilterEnabled() {
+    return injectionFilterEnabled;
+  }
+
+  public void setInjectionFilterEnabled(boolean injectionFilterEnabled) {
+    this.injectionFilterEnabled = injectionFilterEnabled;
+  }
+
+  public Pattern getInjectionFilter() {
+    return injectionFilter;
+  }
+
+  public void setInjectionFilter(Pattern injectionFilter) {
+    this.injectionFilter = injectionFilter;
+  }
+  
   /*
    * Parses all the unprocessed statement nodes in the cache. It is recommended
    * to call this method once all the mappers are added as it provides fail-fast

src/test/java/org/apache/ibatis/submitted/injection/CreateDB.sql

@@ -0,0 +1,25 @@
+--
+--    Copyright 2009-2012 the original author or authors.
+--
+--    Licensed under the Apache License, Version 2.0 (the "License");
+--    you may not use this file except in compliance with the License.
+--    You may obtain a copy of the License at
+--
+--       http://www.apache.org/licenses/LICENSE-2.0
+--
+--    Unless required by applicable law or agreed to in writing, software
+--    distributed under the License is distributed on an "AS IS" BASIS,
+--    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+--    See the License for the specific language governing permissions and
+--    limitations under the License.
+--
+
+drop table users if exists;
+
+create table users (
+  id int,
+  name varchar(20)
+);
+
+insert into users (id, name) values(1, 'User1');
+insert into users (id, name) values(2, 'User2');

src/test/java/org/apache/ibatis/submitted/injection/InjectionTest.java

@@ -0,0 +1,86 @@
+/*
+ *    Copyright 2009-2013 the original author or authors.
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+package org.apache.ibatis.submitted.injection;
+
+import java.io.Reader;
+import java.sql.Connection;
+import java.util.List;
+import java.util.regex.Pattern;
+
+import org.apache.ibatis.exceptions.PersistenceException;
+import org.apache.ibatis.io.Resources;
+import org.apache.ibatis.jdbc.ScriptRunner;
+import org.apache.ibatis.session.SqlSession;
+import org.apache.ibatis.session.SqlSessionFactory;
+import org.apache.ibatis.session.SqlSessionFactoryBuilder;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+public class InjectionTest {
+
+  private static SqlSessionFactory sqlSessionFactory;
+
+  @BeforeClass
+  public static void setUp() throws Exception {
+    // create an SqlSessionFactory
+    Reader reader = Resources.getResourceAsReader("org/apache/ibatis/submitted/injection/mybatis-config.xml");
+    sqlSessionFactory = new SqlSessionFactoryBuilder().build(reader);
+    reader.close();
+
+    // populate in-memory database
+    SqlSession session = sqlSessionFactory.openSession();
+    Connection conn = session.getConnection();
+    reader = Resources.getResourceAsReader("org/apache/ibatis/submitted/injection/CreateDB.sql");
+    ScriptRunner runner = new ScriptRunner(conn);
+    runner.setLogWriter(null);
+    runner.runScript(reader);
+    reader.close();
+    session.close();
+  }
+
+  @Test
+  public void shouldGetAUser() {
+    SqlSession sqlSession = sqlSessionFactory.openSession();
+    try {
+      Mapper mapper = sqlSession.getMapper(Mapper.class);
+      List<User> users = mapper.getUsers("users");
+      Assert.assertEquals(1, users.size());
+    } finally {
+      sqlSession.close();
+    }
+  }
+
+  @Test(expected=PersistenceException.class)
+  public void shouldDetectAnSqlInjectionAttack() {
+    SqlSession sqlSession = sqlSessionFactory.openSession();
+    try {
+      Mapper mapper = sqlSession.getMapper(Mapper.class);
+      List<User> users = mapper.getUsers("users where 1=1 union select * from users");
+      Assert.assertEquals(1, users.size());
+    } finally {
+      sqlSession.close();
+    }
+  }
+  
+  @Test
+  public void check() {
+    Pattern p = Pattern.compile("^[a-zA-Z0-9.]*$");
+    Assert.assertTrue(p.matcher("a9.").matches());
+  }
+  
+
+}

src/test/java/org/apache/ibatis/submitted/injection/Mapper.java

@@ -0,0 +1,24 @@
+/*
+ *    Copyright 2009-2012 the original author or authors.
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+package org.apache.ibatis.submitted.injection;
+
+import java.util.List;
+
+public interface Mapper {
+
+  List<User> getUsers(String name);
+
+}

src/test/java/org/apache/ibatis/submitted/injection/Mapper.xml

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+       Copyright 2009-2013 the original author or authors.
+
+       Licensed under the Apache License, Version 2.0 (the "License");
+       you may not use this file except in compliance with the License.
+       You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+       Unless required by applicable law or agreed to in writing, software
+       distributed under the License is distributed on an "AS IS" BASIS,
+       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+       See the License for the specific language governing permissions and
+       limitations under the License.
+-->
+<!DOCTYPE mapper
+    PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+    "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
+
+<mapper namespace="org.apache.ibatis.submitted.injection.Mapper">
+
+	<select id="getUsers" resultType="org.apache.ibatis.submitted.injection.User">
+		select * from ${value} where id = 1
+	</select>
+
+</mapper>