From fe875666688395b34d2867b26f1efd9a3c6ddd93 Mon Sep 17 00:00:00 2001
From: Athou
Date: Sun, 24 Jul 2022 13:26:33 +0200
Subject: [PATCH] validate more inputs

---
 .../model/request/AddCategoryRequest.java | 6 ++++++
 .../request/CategoryModificationRequest.java | 6 ++++++
 .../model/request/FeedInfoRequest.java | 5 +++++
 .../model/request/FeedMergeRequest.java | 21 -------------------
 .../request/FeedModificationRequest.java | 5 +++++
 .../frontend/model/request/LoginRequest.java | 6 ++++++
 .../frontend/model/request/MarkRequest.java | 6 ++++++
 .../model/request/MultipleMarkRequest.java | 4 +++-
 .../model/request/PasswordResetRequest.java | 2 ++
 .../request/ProfileModificationRequest.java | 6 ++++++
 .../model/request/RegistrationRequest.java | 8 +++----
 .../frontend/model/request/StarRequest.java | 5 +++++
 .../model/request/SubscribeRequest.java | 8 +++++++
 .../frontend/resource/CategoryREST.java | 8 ++++---
 .../frontend/resource/EntryREST.java | 9 ++++----
 .../commafeed/frontend/resource/FeedREST.java | 9 ++++----
 .../commafeed/frontend/resource/UserREST.java | 3 ++-
 17 files changed, 79 insertions(+), 38 deletions(-)
 delete mode 100644 src/main/java/com/commafeed/frontend/model/request/FeedMergeRequest.java

diff --git a/src/main/java/com/commafeed/frontend/model/request/AddCategoryRequest.java b/src/main/java/com/commafeed/frontend/model/request/AddCategoryRequest.java
index c56d1bf1c..41441a90e 100644
--- a/src/main/java/com/commafeed/frontend/model/request/AddCategoryRequest.java
+++ b/src/main/java/com/commafeed/frontend/model/request/AddCategoryRequest.java
@@ -2,6 +2,9 @@
 import java.io.Serializable;
+import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.Size;
+
 import io.swagger.annotations.ApiModel;
 import io.swagger.annotations.ApiModelProperty;
 import lombok.Data;
@@ -12,9 +15,12 @@ public class AddCategoryRequest implements Serializable {
 @ApiModelProperty(value = "name", required = true)
+ @NotEmpty
+ @Size(max = 128)
 private String name;
 @ApiModelProperty(value = "parent category id, if any")
+ @Size(max = 128)
 private String parentId;
 }
diff --git a/src/main/java/com/commafeed/frontend/model/request/CategoryModificationRequest.java b/src/main/java/com/commafeed/frontend/model/request/CategoryModificationRequest.java
index 01a2420af..84abbce50 100644
--- a/src/main/java/com/commafeed/frontend/model/request/CategoryModificationRequest.java
+++ b/src/main/java/com/commafeed/frontend/model/request/CategoryModificationRequest.java
@@ -2,6 +2,9 @@
 import java.io.Serializable;
+import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.Size;
+
 import io.swagger.annotations.ApiModel;
 import io.swagger.annotations.ApiModelProperty;
 import lombok.Data;
@@ -12,12 +15,15 @@ public class CategoryModificationRequest implements Serializable {
 @ApiModelProperty(value = "id", required = true)
+ @NotEmpty
 private Long id;
 @ApiModelProperty(value = "new name, null if not changed")
+ @Size(max = 128)
 private String name;
 @ApiModelProperty(value = "new parent category id")
+ @Size(max = 128)
 private String parentId;
 @ApiModelProperty(value = "new display position, null if not changed")
diff --git a/src/main/java/com/commafeed/frontend/model/request/FeedInfoRequest.java b/src/main/java/com/commafeed/frontend/model/request/FeedInfoRequest.java
index 9db8a5a8b..3ab7f3db3 100644
--- a/src/main/java/com/commafeed/frontend/model/request/FeedInfoRequest.java
+++ b/src/main/java/com/commafeed/frontend/model/request/FeedInfoRequest.java
@@ -2,6 +2,9 @@
 import java.io.Serializable;
+import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.Size;
+
 import io.swagger.annotations.ApiModel;
 import io.swagger.annotations.ApiModelProperty;
 import lombok.Data;
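Review bot: `@NotEmpty` on `private Long id` in CategoryModificationRequest is not a supported placement — the constraint is defined for CharSequence, Collection, Map and array types — so once modifyCategory carries `@Valid` (CategoryREST hunk further down) validating this request throws `UnexpectedTypeException` (no validator for `Long`) instead of accepting or rejecting it. The check intended here is presence, i.e. `@NotNull`; replace the annotation on `id` with `@NotNull` and swap the new `import javax.validation.constraints.NotEmpty;` for `import javax.validation.constraints.NotNull;`, since nothing else in this file uses `@NotEmpty`.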
@@ -12,6 +15,8 @@ public class FeedInfoRequest implements Serializable {
 @ApiModelProperty(value = "feed url", required = true)
+ @NotEmpty
+ @Size(max = 4096)
 private String url;
 }
diff --git a/src/main/java/com/commafeed/frontend/model/request/FeedMergeRequest.java b/src/main/java/com/commafeed/frontend/model/request/FeedMergeRequest.java
deleted file mode 100644
index 601314412..000000000
--- a/src/main/java/com/commafeed/frontend/model/request/FeedMergeRequest.java
+++ /dev/null
@@ -1,21 +0,0 @@
-package com.commafeed.frontend.model.request;
-
-import java.io.Serializable;
-import java.util.List;
-
-import io.swagger.annotations.ApiModel;
-import io.swagger.annotations.ApiModelProperty;
-import lombok.Data;
-
-@SuppressWarnings("serial")
-@ApiModel(description = "Feed merge Request")
-@Data
-public class FeedMergeRequest implements Serializable {
-
-@ApiModelProperty(value = "merge into this feed", required = true)
-private Long intoFeedId;
-
-@ApiModelProperty(value = "id of the feeds to merge", required = true)
-private List feedIds;
-
-}
diff --git a/src/main/java/com/commafeed/frontend/model/request/FeedModificationRequest.java b/src/main/java/com/commafeed/frontend/model/request/FeedModificationRequest.java
index 9a219792c..ae27b9bcc 100644
--- a/src/main/java/com/commafeed/frontend/model/request/FeedModificationRequest.java
+++ b/src/main/java/com/commafeed/frontend/model/request/FeedModificationRequest.java
@@ -2,6 +2,8 @@
 import java.io.Serializable;
+import javax.validation.constraints.Size;
+
 import io.swagger.annotations.ApiModel;
 import io.swagger.annotations.ApiModelProperty;
 import lombok.Data;
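Review bot: `@NotEmpty @Size(max = 4096)` on `url` bounds the length of the value only; nothing in the model asserts it is an absolute http(s) URL, and the same holds for `url` in SubscribeRequest further down. FeedREST.fetchFeed forwards it after `Preconditions.checkNotNull(req.getUrl())`, so any scheme/host policy for the server-side fetch presumably lives in `fetchFeedInternal`, which is outside this patch — worth confirming that it rejects non-http schemes rather than relying on the length cap. If a model-level check is wanted, Hibernate Validator's `org.hibernate.validator.constraints.URL` is available, although this patch otherwise moves from `@Length` to the standard `@Size`.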
@@ -15,15 +17,18 @@ public class FeedModificationRequest implements Serializable {
 private Long id;
 @ApiModelProperty(value = "new name, null if not changed")
+ @Size(max = 128)
 private String name;
 @ApiModelProperty(value = "new parent category id")
+ @Size(max = 128)
 private String categoryId;
 @ApiModelProperty(value = "new display position, null if not changed")
 private Integer position;
 @ApiModelProperty(value = "JEXL string evaluated on new entries to mark them as read if they do not match")
+ @Size(max = 4096)
 private String filter;
 }
diff --git a/src/main/java/com/commafeed/frontend/model/request/LoginRequest.java b/src/main/java/com/commafeed/frontend/model/request/LoginRequest.java
index a6b016603..a773f80c5 100644
--- a/src/main/java/com/commafeed/frontend/model/request/LoginRequest.java
+++ b/src/main/java/com/commafeed/frontend/model/request/LoginRequest.java
@@ -2,6 +2,9 @@
 import java.io.Serializable;
+import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.Size;
+
 import io.swagger.annotations.ApiModel;
 import io.swagger.annotations.ApiModelProperty;
 import lombok.Data;
@@ -12,8 +15,11 @@ public class LoginRequest implements Serializable {
 @ApiModelProperty(value = "username", required = true)
+ @Size(min = 3, max = 32)
 private String name;
 @ApiModelProperty(value = "password", required = true)
+ @NotEmpty
+ @Size(max = 128)
 private String password;
 }
diff --git a/src/main/java/com/commafeed/frontend/model/request/MarkRequest.java b/src/main/java/com/commafeed/frontend/model/request/MarkRequest.java
index e0f27e673..3f8f7e2d4 100644
--- a/src/main/java/com/commafeed/frontend/model/request/MarkRequest.java
+++ b/src/main/java/com/commafeed/frontend/model/request/MarkRequest.java
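Review bot: `id` (the hunk's first context line, `private Long id;`) is the one field of FeedModificationRequest that the resource treats as required yet it receives no constraint, while the optional strings get `@Size`; its `@ApiModelProperty` sits above the hunk so I cannot see whether `required = true` is declared there. FeedREST.modifyFeed still relies on `Preconditions.checkNotNull(req.getId())` after `@Valid` has passed, so a missing id fails after validation rather than as a validation error; `@NotNull` on `id` (with `import javax.validation.constraints.NotNull;`) would report it through the same path as the other required fields in this patch. The `@Size(max = 4096)` on `filter` caps only the JEXL source length; whatever bounds evaluation of that expression lives in the evaluator, outside this patch.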
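Review bot: `@Size(min = 3, max = 32)` on `name` in LoginRequest does not reject an absent username — `@Size` treats `null` as valid — so a body without `name` passes `@Valid` in UserREST.login and reaches `userService.login(null, …)`. RegistrationRequest in this same patch pairs `@NotEmpty` with `@Size(min = 3, max = 32)` for the same field; add `@NotEmpty` above the `@Size(min = 3, max = 32)` line here too (the import is already added in the hunk above).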
@@ -3,6 +3,9 @@
 import java.io.Serializable;
 import java.util.List;
+import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.Size;
+
 import io.swagger.annotations.ApiModel;
 import io.swagger.annotations.ApiModelProperty;
 import lombok.Data;
@@ -13,6 +16,8 @@ public class MarkRequest implements Serializable {
 @ApiModelProperty(value = "entry id, category id, 'all' or 'starred'", required = true)
+ @NotEmpty
+ @Size(max = 128)
 private String id;
 @ApiModelProperty(value = "mark as read or unread", required = true)
@@ -24,6 +29,7 @@ public class MarkRequest implements Serializable {
 private Long olderThan;
 @ApiModelProperty(value = "only mark read if a feed has these keywords in the title or rss content", required = false)
+ @Size(max = 128)
 private String keywords;
 @ApiModelProperty(value = "if marking a category or 'all', exclude those subscriptions from the marking", required = false)
diff --git a/src/main/java/com/commafeed/frontend/model/request/MultipleMarkRequest.java b/src/main/java/com/commafeed/frontend/model/request/MultipleMarkRequest.java
index 51c9e928b..68b56889a 100644
--- a/src/main/java/com/commafeed/frontend/model/request/MultipleMarkRequest.java
+++ b/src/main/java/com/commafeed/frontend/model/request/MultipleMarkRequest.java
@@ -3,6 +3,8 @@
 import java.io.Serializable;
 import java.util.List;
+import javax.validation.Valid;
+
 import io.swagger.annotations.ApiModel;
 import io.swagger.annotations.ApiModelProperty;
 import lombok.Data;
@@ -13,6 +15,6 @@ public class MultipleMarkRequest implements Serializable {
 @ApiModelProperty(value = "list of mark requests", required = true)
- private List requests;
+ private List<@Valid MarkRequest> requests;
 }
diff --git a/src/main/java/com/commafeed/frontend/model/request/PasswordResetRequest.java b/src/main/java/com/commafeed/frontend/model/request/PasswordResetRequest.java
index 75c5d8413..f27ba6a8a 100644
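Review bot: `List<@Valid MarkRequest> requests` in MultipleMarkRequest validates each element but nothing bounds the list itself: a null or empty list still passes `@Valid`, and EntryREST.markEntries (hunk below) only guards null with `Preconditions.checkNotNull(req.getRequests())`. Each element is a full MarkRequest processed in turn, so `@NotEmpty` on the field plus a `@Size(max = …)` sized to what the client actually batches would keep the per-request work bounded the way the string fields now are; both need their `javax.validation.constraints` imports, which this file does not yet have.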
--- a/src/main/java/com/commafeed/frontend/model/request/PasswordResetRequest.java
+++ b/src/main/java/com/commafeed/frontend/model/request/PasswordResetRequest.java
@@ -4,6 +4,7 @@
 import javax.validation.constraints.Email;
 import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.Size;
 import io.swagger.annotations.ApiModel;
 import io.swagger.annotations.ApiModelProperty;
@@ -17,5 +18,6 @@ public class PasswordResetRequest implements Serializable {
 @ApiModelProperty(value = "email address for password recovery", required = true)
 @Email @NotEmpty
+ @Size(max = 255)
 private String email;
 }
diff --git a/src/main/java/com/commafeed/frontend/model/request/ProfileModificationRequest.java b/src/main/java/com/commafeed/frontend/model/request/ProfileModificationRequest.java
index bdf4ceea7..84322d940 100644
--- a/src/main/java/com/commafeed/frontend/model/request/ProfileModificationRequest.java
+++ b/src/main/java/com/commafeed/frontend/model/request/ProfileModificationRequest.java
@@ -2,6 +2,9 @@
 import java.io.Serializable;
+import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.Size;
+
 import com.commafeed.frontend.auth.ValidPassword;
 import io.swagger.annotations.ApiModel;
@@ -13,9 +16,12 @@
 @Data
 public class ProfileModificationRequest implements Serializable {
 @ApiModelProperty(value = "current user password, required to change profile data", required = true)
+ @NotEmpty
+ @Size(max = 128)
 private String currentPassword;
 @ApiModelProperty(value = "changes email of the user, if specified")
+ @Size(max = 255)
 private String email;
 @ApiModelProperty(value = "changes password of the user, if specified")
diff --git a/src/main/java/com/commafeed/frontend/model/request/RegistrationRequest.java b/src/main/java/com/commafeed/frontend/model/request/RegistrationRequest.java
index 0977d2cc5..3dce12d5a 100644
--- a/src/main/java/com/commafeed/frontend/model/request/RegistrationRequest.java
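Review bot: `email` in ProfileModificationRequest gets `@Size(max = 255)` but no `@Email`, while PasswordResetRequest and RegistrationRequest in this same patch validate the same value with `@Email`, `@NotEmpty` and `@Size(max = 255)`. `@Email` treats `null` as valid, so adding it keeps the field optional ("if specified") while rejecting a malformed address before it reaches the service; add `@Email` above the `@Size(max = 255)` line together with `import javax.validation.constraints.Email;`.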
+++ b/src/main/java/com/commafeed/frontend/model/request/RegistrationRequest.java
@@ -4,8 +4,7 @@
 import javax.validation.constraints.Email;
 import javax.validation.constraints.NotEmpty;
-
-import org.hibernate.validator.constraints.Length;
+import javax.validation.constraints.Size;
 import com.commafeed.frontend.auth.ValidPassword;
@@ -19,18 +18,19 @@ public class RegistrationRequest implements Serializable {
 @ApiModelProperty(value = "username, between 3 and 32 characters", required = true)
- @Length(min = 3, max = 32)
 @NotEmpty
+ @Size(min = 3, max = 32)
 private String name;
 @ApiModelProperty(value = "password, minimum 6 characters", required = true)
- @ValidPassword
 @NotEmpty
+ @ValidPassword
 private String password;
 @ApiModelProperty(value = "email address for password recovery", required = true)
 @Email @NotEmpty
+ @Size(max = 255)
 private String email;
 }
diff --git a/src/main/java/com/commafeed/frontend/model/request/StarRequest.java b/src/main/java/com/commafeed/frontend/model/request/StarRequest.java
index cc520635d..79099ad48 100644
--- a/src/main/java/com/commafeed/frontend/model/request/StarRequest.java
+++ b/src/main/java/com/commafeed/frontend/model/request/StarRequest.java
@@ -2,6 +2,9 @@
 import java.io.Serializable;
+import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.Size;
+
 import io.swagger.annotations.ApiModel;
 import io.swagger.annotations.ApiModelProperty;
 import lombok.Data;
@@ -12,6 +15,8 @@ public class StarRequest implements Serializable {
 @ApiModelProperty(value = "id", required = true)
+ @NotEmpty
+ @Size(max = 128)
 private String id;
 @ApiModelProperty(value = "feed id", required = true)
diff --git a/src/main/java/com/commafeed/frontend/model/request/SubscribeRequest.java b/src/main/java/com/commafeed/frontend/model/request/SubscribeRequest.java
index ae72c79e7..e095accb8 100644
--- a/src/main/java/com/commafeed/frontend/model/request/SubscribeRequest.java
+++ b/src/main/java/com/commafeed/frontend/model/request/SubscribeRequest.java
@@ -2,6 +2,9 @@
 import java.io.Serializable;
+import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.Size;
+
 import io.swagger.annotations.ApiModel;
 import io.swagger.annotations.ApiModelProperty;
 import lombok.Data;
@@ -12,12 +15,17 @@ public class SubscribeRequest implements Serializable {
 @ApiModelProperty(value = "url of the feed", required = true)
+ @NotEmpty
+ @Size(max = 4096)
 private String url;
 @ApiModelProperty(value = "name of the feed for the user", required = true)
+ @NotEmpty
+ @Size(max = 128)
 private String title;
 @ApiModelProperty(value = "id of the user category to place the feed in")
+ @Size(max = 128)
 private String categoryId;
 }
diff --git a/src/main/java/com/commafeed/frontend/resource/CategoryREST.java b/src/main/java/com/commafeed/frontend/resource/CategoryREST.java
index 88022055b..c7c83fba3 100644
--- a/src/main/java/com/commafeed/frontend/resource/CategoryREST.java
+++ b/src/main/java/com/commafeed/frontend/resource/CategoryREST.java
@@ -14,6 +14,7 @@
 import javax.inject.Inject;
 import javax.inject.Singleton;
+import javax.validation.Valid;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.DefaultValue;
 import javax.ws.rs.GET;
@@ -244,7 +245,7 @@ public Response getCategoryEntriesAsFeed(@ApiParam(hidden = true) @SecurityCheck
 @ApiOperation(value = "Mark category entries", notes = "Mark feed entries of this category as read")
 @Timed
 public Response markCategoryEntries(@ApiParam(hidden = true) @SecurityCheck User user,
- @ApiParam(value = "category id, or 'all'", required = true) MarkRequest req) {
+ @Valid @ApiParam(value = "category id, or 'all'", required = true) MarkRequest req) {
 Preconditions.checkNotNull(req);
 Preconditions.checkNotNull(req.getId());
@@ -285,7 +286,8 @@ private void removeExcludedSubscriptions(List subs, List
 @UnitOfWork
 @ApiOperation(value = "Add a category", notes = "Add a new feed category", response = Long.class)
 @Timed
- public Response addCategory(@ApiParam(hidden = true) @SecurityCheck User user, @ApiParam(required = true) AddCategoryRequest req) {
+ public Response addCategory(@ApiParam(hidden = true) @SecurityCheck User user,
+ @Valid @ApiParam(required = true) AddCategoryRequest req) {
 Preconditions.checkNotNull(req);
 Preconditions.checkNotNull(req.getName());
@@ -343,7 +345,7 @@ public Response deleteCategory(@ApiParam(hidden = true) @SecurityCheck User user
 @ApiOperation(value = "Rename a category", notes = "Rename an existing feed category")
 @Timed
 public Response modifyCategory(@ApiParam(hidden = true) @SecurityCheck User user,
- @ApiParam(required = true) CategoryModificationRequest req) {
+ @Valid @ApiParam(required = true) CategoryModificationRequest req) {
 Preconditions.checkNotNull(req);
 Preconditions.checkNotNull(req.getId());
diff --git a/src/main/java/com/commafeed/frontend/resource/EntryREST.java b/src/main/java/com/commafeed/frontend/resource/EntryREST.java
index a9a8a9afe..d0a6049f7 100644
--- a/src/main/java/com/commafeed/frontend/resource/EntryREST.java
+++ b/src/main/java/com/commafeed/frontend/resource/EntryREST.java
@@ -4,6 +4,7 @@
 import javax.inject.Inject;
 import javax.inject.Singleton;
+import javax.validation.Valid;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.GET;
 import javax.ws.rs.POST;
@@ -48,7 +49,7 @@ public class EntryREST {
 @ApiOperation(value = "Mark a feed entry", notes = "Mark a feed entry as read/unread")
 @Timed
 public Response markEntry(@ApiParam(hidden = true) @SecurityCheck User user,
- @ApiParam(value = "Mark Request", required = true) MarkRequest req) {
+ @Valid @ApiParam(value = "Mark Request", required = true) MarkRequest req) {
 Preconditions.checkNotNull(req);
 Preconditions.checkNotNull(req.getId());
@@ -62,7 +63,7 @@ public Response markEntry(@ApiParam(hidden = true) @SecurityCheck User user,
 @ApiOperation(value = "Mark multiple feed entries", notes = "Mark feed entries as read/unread")
 @Timed
 public Response markEntries(@ApiParam(hidden = true) @SecurityCheck User user,
- @ApiParam(value = "Multiple Mark Request", required = true) MultipleMarkRequest req) {
+ @Valid @ApiParam(value = "Multiple Mark Request", required = true) MultipleMarkRequest req) {
 Preconditions.checkNotNull(req);
 Preconditions.checkNotNull(req.getRequests());
@@ -79,7 +80,7 @@ public Response markEntries(@ApiParam(hidden = true) @SecurityCheck User user,
 @ApiOperation(value = "Mark a feed entry", notes = "Mark a feed entry as read/unread")
 @Timed
 public Response starEntry(@ApiParam(hidden = true) @SecurityCheck User user,
- @ApiParam(value = "Star Request", required = true) StarRequest req) {
+ @Valid @ApiParam(value = "Star Request", required = true) StarRequest req) {
 Preconditions.checkNotNull(req);
 Preconditions.checkNotNull(req.getId());
 Preconditions.checkNotNull(req.getFeedId());
@@ -105,7 +106,7 @@ public Response getTags(@ApiParam(hidden = true) @SecurityCheck User user) {
 @ApiOperation(value = "Mark a feed entry", notes = "Mark a feed entry as read/unread")
 @Timed
 public Response tagEntry(@ApiParam(hidden = true) @SecurityCheck User user,
- @ApiParam(value = "Tag Request", required = true) TagRequest req) {
+ @Valid @ApiParam(value = "Tag Request", required = true) TagRequest req) {
 Preconditions.checkNotNull(req);
 Preconditions.checkNotNull(req.getEntryId());
diff --git a/src/main/java/com/commafeed/frontend/resource/FeedREST.java b/src/main/java/com/commafeed/frontend/resource/FeedREST.java
index 6a62dff10..1ab771146 100644
--- a/src/main/java/com/commafeed/frontend/resource/FeedREST.java
+++ b/src/main/java/com/commafeed/frontend/resource/FeedREST.java
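Review bot: `@Valid` is added to tagEntry's `TagRequest req`, but TagRequest.java is not among the 17 files this patch touches, so unless that class already carries constraints the annotation validates nothing there; `entryId` and the tag names would want the same `@NotEmpty`/`@Size` treatment that StarRequest and MarkRequest receive in this patch. Separately, the `@ApiOperation` on both starEntry and tagEntry still reads `"Mark a feed entry"`, which documents the wrong operation in the generated API; it is context here, but with the signatures being touched it is cheap to correct alongside.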
@@ -14,6 +14,7 @@
 import javax.inject.Inject;
 import javax.inject.Singleton;
+import javax.validation.Valid;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.DefaultValue;
 import javax.ws.rs.GET;
@@ -263,7 +264,7 @@ private FeedInfo fetchFeedInternal(String url) {
 @ApiOperation(value = "Fetch a feed", notes = "Fetch a feed by its url", response = FeedInfo.class)
 @Timed
 public Response fetchFeed(@ApiParam(hidden = true) @SecurityCheck User user,
- @ApiParam(value = "feed url", required = true) FeedInfoRequest req) {
+ @Valid @ApiParam(value = "feed url", required = true) FeedInfoRequest req) {
 Preconditions.checkNotNull(req);
 Preconditions.checkNotNull(req.getUrl());
@@ -315,7 +316,7 @@ public Response queueForRefresh(@ApiParam(hidden = true) @SecurityCheck User use
 @ApiOperation(value = "Mark feed entries", notes = "Mark feed entries as read (unread is not supported)")
 @Timed
 public Response markFeedEntries(@ApiParam(hidden = true) @SecurityCheck User user,
- @ApiParam(value = "Mark request", required = true) MarkRequest req) {
+ @Valid @ApiParam(value = "Mark request", required = true) MarkRequest req) {
 Preconditions.checkNotNull(req);
 Preconditions.checkNotNull(req.getId());
@@ -384,7 +385,7 @@ public Response getFeedFavicon(@ApiParam(hidden = true) @SecurityCheck User user
 @ApiOperation(value = "Subscribe to a feed", notes = "Subscribe to a feed")
 @Timed
 public Response subscribe(@ApiParam(hidden = true) @SecurityCheck User user,
- @ApiParam(value = "subscription request", required = true) SubscribeRequest req) {
+ @Valid @ApiParam(value = "subscription request", required = true) SubscribeRequest req) {
 Preconditions.checkNotNull(req);
 Preconditions.checkNotNull(req.getTitle());
 Preconditions.checkNotNull(req.getUrl());
@@ -458,7 +459,7 @@ public Response unsubscribe(@ApiParam(hidden = true) @SecurityCheck User user, @
 @ApiOperation(value = "Modify a subscription", notes = "Modify a feed subscription")
 @Timed
 public Response modifyFeed(@ApiParam(hidden = true) @SecurityCheck User user,
- @ApiParam(value = "subscription id", required = true) FeedModificationRequest req) {
+ @Valid @ApiParam(value = "subscription id", required = true) FeedModificationRequest req) {
 Preconditions.checkNotNull(req);
 Preconditions.checkNotNull(req.getId());
diff --git a/src/main/java/com/commafeed/frontend/resource/UserREST.java b/src/main/java/com/commafeed/frontend/resource/UserREST.java
index fae102a90..5af5f1816 100644
--- a/src/main/java/com/commafeed/frontend/resource/UserREST.java
+++ b/src/main/java/com/commafeed/frontend/resource/UserREST.java
@@ -251,7 +251,8 @@ public Response registerUser(@Valid @ApiParam(required = true) RegistrationReque
 @UnitOfWork
 @ApiOperation(value = "Login and create a session")
 @Timed
- public Response login(@ApiParam(required = true) LoginRequest req, @ApiParam(hidden = true) @Context SessionHelper sessionHelper) {
+ public Response login(@Valid @ApiParam(required = true) LoginRequest req,
+ @ApiParam(hidden = true) @Context SessionHelper sessionHelper) {
 Optional user = userService.login(req.getName(), req.getPassword());
 if (user.isPresent()) {
 sessionHelper.setLoggedInUser(user.get());
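Review bot: the rewritten parameter line of modifyFeed keeps `@ApiParam(value = "subscription id", required = true)` on a `FeedModificationRequest`, which names just one field of the body; the other request bodies in this patch are labelled by kind ("subscription request", "Mark request"), so `@ApiParam(value = "subscription modification request", required = true)` would read consistently in the generated API documentation.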
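Review bot: `@Valid` on `LoginRequest req` does nothing when the body is absent — Bean Validation is not applied to a null root — and unlike the other resources in this patch `login` has no `Preconditions.checkNotNull(req)` before `req.getName()`, so a missing body still surfaces as a NullPointerException on the `userService.login(...)` line rather than as a validation failure. `public Response login(@NotNull @Valid @ApiParam(required = true) LoginRequest req,` (importing `javax.validation.constraints.NotNull`) reports it through the same path as the field constraints; the rest of login continues outside the hunk.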