Merge pull request #360 from catenax-ng/main

chore: TRACEFOSS-2882 SQL injection issue

CHANGELOG.md

@@ -13,6 +13,7 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ### Changed
 - Fixed helm repository path for backend & frontend (wrong prefix)
+- Autocomplete endpoints changed owner String type param to Owner for input validation and sql injection prevention
 - Fixed several bugs in local filtering of the parts table
 
 ### Removed

tx-backend/src/main/java/org/eclipse/tractusx/traceability/assets/application/asbuilt/rest/AssetAsBuiltController.java

@@ -38,6 +38,7 @@
 import org.eclipse.tractusx.traceability.assets.application.base.request.SyncAssetsRequest;
 import org.eclipse.tractusx.traceability.assets.application.base.request.UpdateAssetRequest;
 import org.eclipse.tractusx.traceability.assets.application.base.service.AssetBaseService;
+import org.eclipse.tractusx.traceability.assets.domain.base.model.Owner;
 import org.eclipse.tractusx.traceability.common.model.BaseRequestFieldMapper;
 import org.eclipse.tractusx.traceability.common.model.PageResult;
 import org.eclipse.tractusx.traceability.common.request.OwnPageable;
@@ -252,7 +253,7 @@ public PageResult<AssetAsBuiltResponse> assets(OwnPageable pageable, SearchCrite
                             mediaType = "application/json",
                             schema = @Schema(implementation = ErrorResponse.class)))})
     @GetMapping("distinctFilterValues")
-    public List<String> distinctFilterValues(@QueryParam("fieldName") String fieldName, @QueryParam("size") Long size, @QueryParam("startWith") String startWith, @QueryParam("owner") String owner) {
+    public List<String> distinctFilterValues(@QueryParam("fieldName") String fieldName, @QueryParam("size") Long size, @QueryParam("startWith") String startWith, @QueryParam("owner") Owner owner) {
         return assetBaseService.getDistinctFilterValues(fieldMapper.mapRequestFieldName(fieldName), startWith, size, owner);
     }
 

tx-backend/src/main/java/org/eclipse/tractusx/traceability/assets/application/asplanned/rest/AssetAsPlannedController.java

@@ -36,6 +36,7 @@
 import org.eclipse.tractusx.traceability.assets.application.base.request.SyncAssetsRequest;
 import org.eclipse.tractusx.traceability.assets.application.base.request.UpdateAssetRequest;
 import org.eclipse.tractusx.traceability.assets.application.base.service.AssetBaseService;
+import org.eclipse.tractusx.traceability.assets.domain.base.model.Owner;
 import org.eclipse.tractusx.traceability.common.model.BaseRequestFieldMapper;
 import org.eclipse.tractusx.traceability.common.model.PageResult;
 import org.eclipse.tractusx.traceability.common.request.OwnPageable;
@@ -248,7 +249,7 @@ public PageResult<AssetAsPlannedResponse> assets(OwnPageable pageable, SearchCri
                             mediaType = "application/json",
                             schema = @Schema(implementation = ErrorResponse.class)))})
     @GetMapping("distinctFilterValues")
-    public List<String> distinctFilterValues(@QueryParam("fieldName") String fieldName, @QueryParam("size") Long size, @QueryParam("startWith") String startWith, @QueryParam("owner") String owner) {
+    public List<String> distinctFilterValues(@QueryParam("fieldName") String fieldName, @QueryParam("size") Long size, @QueryParam("startWith") String startWith, @QueryParam("owner") Owner owner) {
         return assetService.getDistinctFilterValues(fieldMapper.mapRequestFieldName(fieldName), startWith, size, owner);
     }
 

tx-backend/src/main/java/org/eclipse/tractusx/traceability/assets/application/base/service/AssetBaseService.java

@@ -19,6 +19,7 @@
 package org.eclipse.tractusx.traceability.assets.application.base.service;
 
 import org.eclipse.tractusx.traceability.assets.domain.base.model.AssetBase;
+import org.eclipse.tractusx.traceability.assets.domain.base.model.Owner;
 import org.eclipse.tractusx.traceability.assets.domain.base.model.QualityType;
 import org.eclipse.tractusx.traceability.common.model.PageResult;
 import org.eclipse.tractusx.traceability.common.model.SearchCriteria;
@@ -49,5 +50,5 @@ public interface AssetBaseService {
 
     AssetBase updateQualityType(String assetId, QualityType qualityType);
 
-    List<String> getDistinctFilterValues(String fieldName, String startWith, Long size, String owner);
+    List<String> getDistinctFilterValues(String fieldName, String startWith, Long size, Owner owner);
 }

tx-backend/src/main/java/org/eclipse/tractusx/traceability/assets/domain/base/AssetRepository.java

@@ -50,5 +50,5 @@ public interface AssetRepository {
 
     long countAssetsByOwner(Owner owner);
 
-    List<String> getFieldValues(String fieldName, String startWith, Long resultLimit, String owner);
+    List<String> getFieldValues(String fieldName, String startWith, Long resultLimit, Owner owner);
 }

tx-backend/src/main/java/org/eclipse/tractusx/traceability/assets/domain/base/service/AbstractAssetBaseService.java

@@ -154,7 +154,7 @@ public Map<String, Long> getAssetsCountryMap() {
     }
 
     @Override
-    public List<String> getDistinctFilterValues(String fieldName, String startWith, Long size, String owner) {
+    public List<String> getDistinctFilterValues(String fieldName, String startWith, Long size, Owner owner) {
         if (isSupportedEnumType(fieldName)) {
             return getAssetEnumFieldValues(fieldName);
         }

tx-backend/src/main/java/org/eclipse/tractusx/traceability/assets/infrastructure/asbuilt/repository/AssetAsBuiltRepositoryImpl.java

@@ -88,7 +88,7 @@ public PageResult<AssetBase> getAssets(Pageable pageable, SearchCriteria searchC
     }
 
     @Override
-    public List<String> getFieldValues(String fieldName, String startWith, Long resultLimit, String owner) {
+    public List<String> getFieldValues(String fieldName, String startWith, Long resultLimit, Owner owner) {
         String databaseFieldName = toDatabaseName(fieldName);
         String getFieldValuesQuery = "SELECT DISTINCT " + databaseFieldName + " FROM assets_as_built" + combineWhereClause(constructLikeWildcardQuery(databaseFieldName, startWith), constructAndOwnerWildcardQuery(owner)) + " ORDER BY " + databaseFieldName + " ASC LIMIT :resultLimit";
         return entityManager.createNativeQuery(getFieldValuesQuery, String.class)

tx-backend/src/main/java/org/eclipse/tractusx/traceability/assets/infrastructure/asplanned/repository/AssetAsPlannedRepositoryImpl.java

@@ -123,7 +123,7 @@ public long countAssetsByOwner(Owner owner) {
     }
 
     @Override
-    public List<String> getFieldValues(String fieldName, String startWith, Long resultLimit, String owner) {
+    public List<String> getFieldValues(String fieldName, String startWith, Long resultLimit, Owner owner) {
         String databaseFieldName = toDatabaseName(fieldName);
         String getFieldValuesQuery = "SELECT DISTINCT " + databaseFieldName + " FROM assets_as_planned" + combineWhereClause(constructLikeWildcardQuery(databaseFieldName, startWith), constructAndOwnerWildcardQuery(owner)) + " ORDER BY " + databaseFieldName + " ASC LIMIT :resultLimit";
 

tx-backend/src/main/java/org/eclipse/tractusx/traceability/common/config/ErrorHandlingConfig.java

@@ -57,6 +57,7 @@
 import org.springframework.web.bind.MethodArgumentNotValidException;
 import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.bind.annotation.RestControllerAdvice;
+import org.springframework.web.method.annotation.MethodArgumentTypeMismatchException;
 
 import java.io.IOException;
 import java.util.NoSuchElementException;
@@ -260,4 +261,12 @@ ResponseEntity<ErrorResponse> handleSubmodelNotFoundException(SubmodelNotFoundEx
         return ResponseEntity.status(HttpStatus.NOT_FOUND)
                 .body(new ErrorResponse(errorMessage));
     }
+
+    @ExceptionHandler(MethodArgumentTypeMismatchException.class)
+    public ResponseEntity<ErrorResponse> handleMethodArgumentTypeMismatchException(final MethodArgumentTypeMismatchException exception) {
+        log.error("MethodArgumentTypeMismatchException exception", exception);
+
+        return ResponseEntity.status(HttpStatus.BAD_REQUEST)
+                .body(new ErrorResponse(exception.getMessage()));
+    }
 }

tx-backend/src/main/java/org/eclipse/tractusx/traceability/common/repository/SqlUtil.java

@@ -21,6 +21,7 @@
 
 import lombok.experimental.UtilityClass;
 import org.apache.commons.lang3.StringUtils;
+import org.eclipse.tractusx.traceability.assets.domain.base.model.Owner;
 
 import java.util.Arrays;
 import java.util.List;
@@ -52,10 +53,10 @@ public static String constructLikeWildcardQuery(String databaseFieldName, String
         return " ( " + databaseFieldName + " LIKE '" + startsWith + "%')";
     }
 
-    public static String constructAndOwnerWildcardQuery(String owner) {
+    public static String constructAndOwnerWildcardQuery(Owner owner) {
         if (Objects.isNull(owner)) {
             return "";
         }
-        return " owner='" + owner + "' ";
+        return " owner='" + owner.name() + "' ";
     }
 }

tx-backend/src/test/java/org/eclipse/tractusx/traceability/integration/assets/AssetAsBuiltControllerFilterValuesIT.java

@@ -119,6 +119,31 @@ void givenNotEnumTypeFieldNameAndSizeAndOwnerOwn_whenCallDistinctFilterValues_th
                 .body("size()", is(1));
     }
 
+    @Test
+    void givenNotExistentOwnerEnumValue_whenCallDistinctFilterValues_thenProperResponse() throws JoseException {
+        // given
+        assetsSupport.defaultAssetsStored();
+        String fieldName = "id";
+        String resultLimit = "100";
+        String owner = "NON_EXISTENT_ENUM_VALUE";
+
+        // then
+        given()
+                .header(oAuth2Support.jwtAuthorization(ADMIN))
+                .contentType(ContentType.JSON)
+                .log().all()
+                .when()
+                .param("fieldName", fieldName)
+                .param("size", resultLimit)
+                .param("owner", owner)
+                .get("/api/assets/as-built/distinctFilterValues")
+                .then()
+                .log().all()
+                .statusCode(400)
+                .assertThat()
+                .body("size()", is(1));
+    }
+
     @Test
     void givenNotEnumTypeFieldNameAndSizeAndOwnerSupplier_whenCallDistinctFilterValues_thenProperResponse() throws JoseException {
         // given

tx-backend/src/test/java/org/eclipse/tractusx/traceability/integration/assets/AssetAsPlannedControllerFilterValuesIT.java

@@ -95,6 +95,31 @@ void givenNotEnumTypeFieldNameAndSizeAndOwnerOwn_whenCallDistinctFilterValues_th
                 .body("size()", is(1));
     }
 
+    @Test
+    void givenWrongOwnerEnum_whenCallDistinctFilterValues_thenProperResponse() throws JoseException {
+        // given
+        assetsSupport.defaultAssetsAsPlannedStored();
+        String fieldName = "id";
+        String resultLimit = "100";
+        String owner = "nonExistentEnumValue";
+
+        // then
+        given()
+                .header(oAuth2Support.jwtAuthorization(ADMIN))
+                .contentType(ContentType.JSON)
+                .log().all()
+                .when()
+                .param("fieldName", fieldName)
+                .param("size", resultLimit)
+                .param("owner", owner)
+                .get("/api/assets/as-planned/distinctFilterValues")
+                .then()
+                .log().all()
+                .statusCode(400)
+                .assertThat()
+                .body("size()", is(1));
+    }
+
     @Test
     void givenNotEnumTypeFieldNameAndSizeAndOwnerSupplier_whenCallDistinctFilterValues_thenProperResponse() throws JoseException {
         // given