From e9953fcbc13328ec092ffa2edfc39561c5219322 Mon Sep 17 00:00:00 2001
From: ArqamFarooqui110719
Date: Tue, 8 Oct 2024 12:20:16 +0530
Subject: [PATCH] fix invalid date in query parameter with GET entities API
---
 CHANGES_NEXT_RELEASE | 1 +
 src/lib/rest/StringFilter.cpp | 5 +
 ..._datetime_query_expression_in_GET_API.test | 319 ++++++++++++++++++
 3 files changed, 325 insertions(+)
 create mode 100644 test/functionalTest/cases/1995_invalid_datetime_query_expression/invalid_datetime_query_expression_in_GET_API.test
diff --git a/CHANGES_NEXT_RELEASE b/CHANGES_NEXT_RELEASE
index e69de29bb2..7f61bef9b8 100644
--- a/CHANGES_NEXT_RELEASE
+++ b/CHANGES_NEXT_RELEASE
@@ -0,0 +1 @@
+- Fix: invalid characters in date values with query parameter in GET API should not allowed (#1995)
diff --git a/src/lib/rest/StringFilter.cpp b/src/lib/rest/StringFilter.cpp
index 9ac0a26c76..a3372b4909 100644
--- a/src/lib/rest/StringFilter.cpp
+++ b/src/lib/rest/StringFilter.cpp
@@ -438,6 +438,11 @@ bool StringFilterItem::valueGet
 {
 *valueTypeP = SfvtDate;
 }
+ else if (*doubleP == -1)
+ {
+ *errorStringP = std::string("invalid characters in query parameter");
+ return false;
+ }
 else if (strcmp(s, "true") == 0)
 {
 *valueTypeP = SfvtBool;
diff --git a/test/functionalTest/cases/1995_invalid_datetime_query_expression/invalid_datetime_query_expression_in_GET_API.test b/test/functionalTest/cases/1995_invalid_datetime_query_expression/invalid_datetime_query_expression_in_GET_API.test
new file mode 100644
index 0000000000..dc4aac907a
--- /dev/null
+++ b/test/functionalTest/cases/1995_invalid_datetime_query_expression/invalid_datetime_query_expression_in_GET_API.test
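Review bot: In the `StringFilterItem::valueGet` hunk of src/lib/rest/StringFilter.cpp, the added `else if (*doubleP == -1)` cannot tell a malformed timestamp from a value that was never meant to be a date. The condition of the preceding branch lies outside the hunk; if it stores the date parser's result in `*doubleP` with -1 as the failure value, every non-date value reaching this chain is rejected here and the `strcmp(s, "true")` branch below becomes unreachable, so a filter such as `q=flag==true` would get a 400. Consider rejecting only when `s` has the shape of a date (for example, it starts with four digits and a `-`) and letting everything else fall through, with a comment such as `// -1 means s did not parse as ISO 8601; reject only date-shaped input`. If the parser returns epoch seconds, -1 is also a valid instant just before 1970, so comparing against it as a sentinel may misclassify a well-formed date.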
@@ -0,0 +1,319 @@
+# Copyright 2024 Telefonica Investigacion y Desarrollo, S.A.U
+#
+# This file is part of Orion Context Broker.
+#
+# Orion Context Broker is free software: you can redistribute it and/or
+# modify it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# Orion Context Broker is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero
+# General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with Orion Context Broker. If not, see http://www.gnu.org/licenses/.
+#
+# For those usages not covered by this license please contact with
+# iot_support at tid dot es
+
+# VALGRIND_READY - to mark the test ready for valgrindTestSuite.sh
+
+--NAME--
+Invalid DateTime expression in query parameter with GET entities API
+
+--SHELL-INIT--
+dbInit CB
+brokerStart CB
+
+--SHELL--
+
+#
+# 01. Create an entity E1 with attribute 'mytime' of type DateTime
+# 02. Create an entity E2 with attribute 'mytime' of type DateTime
+# 03. GET all entities (success case)
+# 04. GET entities with invalid character in DateTime query parameter i.e. q=mytime<=2016-04-05T14:10:4XX.00Z (see error)
+# 05. GET entities with invalid character in DateTime query parameter i.e. q=mytime<=2016-04-05T14:10:4X.00Z (see error)
+# 06. GET entities with invalid character in DateTime query parameter i.e. q=mytime<=2016-04-05T14:10:00**;**00Z (see error)
+# 07. GET entities with invalid character in DateTime query parameter i.e. q=mytime<=2016-04-05T14:10:00.j00Z (see error)
+# 08. GET entities with invalid character in DateTime query parameter i.e. q=mytime<=2016-04-05T14**;**10:00.00Z (see error)
+# 09. GET entities with invalid character in DateTime query parameter i.e. q=mytime<=2016-04-05T14:00:XX00.00Z (see error)
+# 10. GET entities with correct datetime value in query parameter i.e. q=mytime>=2016-08-08T17:09:24.238Z (success case)
+# 11. GET entities with correct datetime value in query parameter i.e. q=mytime<=2016-08-08T17:09:24.238Z (success case)
+#
+
+
+echo "01. Create an entity E1 with attribute 'mytime' of type DateTime"
+echo "================================================================"
+payload='{
+ "id": "E1",
+ "type": "E",
+ "mytime": {
+ "value": "2010-01-01T17:09:24.238Z",
+ "type": "DateTime"
+ }
+}'
+orionCurl --url /v2/entities --payload "$payload"
+echo
+echo
+
+
+echo "02. Create an entity E2 with attribute 'mytime' of type DateTime"
+echo "================================================================"
+payload='{
+ "id": "E2",
+ "type": "E",
+ "mytime": {
+ "value": "2024-07-16T11:08:22.127Z",
+ "type": "DateTime"
+ }
+}'
+orionCurl --url /v2/entities --payload "$payload"
+echo
+echo
+
+
+echo "03. GET all entities (success case)"
+echo "==================================="
+orionCurl --url /v2/entities
+echo
+echo
+
+
+echo "04. GET entities with invalid character in DateTime query parameter i.e. q=mytime<=2016-04-05T14:10:4XX.00Z (see error)"
+echo "======================================================================================================================="
+orionCurl --url '/v2/entities?q=mytime<=2016-04-05T14:10:4XX.00Z'
+echo
+echo
+
+
+echo "05. GET entities with invalid character in DateTime query parameter i.e. q=mytime<=2016-04-05T14:10:4X.00Z (see error)"
+echo "======================================================================================================================"
+orionCurl --url '/v2/entities?q=mytime<=2016-04-05T14:10:4X.00Z'
+echo
+echo
+
+
+echo "06. GET entities with invalid character in DateTime query parameter i.e. q=mytime<=2016-04-05T14:10:00**;**00Z (see error)"
+echo "=========================================================================================================================="
+orionCurl --url '/v2/entities?q=mytime<=2016-04-05T14:10:00**;**00Z'
+echo
+echo
+
+
+echo "07. GET entities with invalid character in DateTime query parameter i.e. q=mytime<=2016-04-05T14:10:00.j00Z (see error)"
+echo "======================================================================================================================="
+orionCurl --url '/v2/entities?q=mytime<=2016-04-05T14:10:00.j00Z'
+echo
+echo
+
+
+echo "08. GET entities with invalid character in DateTime query parameter i.e. q=mytime<=2016-04-05T14**;**10:00.00Z (see error)"
+echo "=========================================================================================================================="
+orionCurl --url '/v2/entities?q=mytime<=2016-04-05T14**;**10:00.00Z'
+echo
+echo
+
+
+echo "09. GET entities with invalid character in DateTime query parameter i.e. q=mytime<=2016-04-05T14:00:XX00.00Z (see error)"
+echo "========================================================================================================================"
+orionCurl --url '/v2/entities?q=mytime<=2016-04-05T14:00:XX00.00Z'
+echo
+echo
+
+
+echo "10. GET entities with correct datetime value in query parameter i.e. q=mytime>=2016-08-08T17:09:24.238Z (success case)"
+echo "======================================================================================================================"
+orionCurl --url '/v2/entities?q=mytime>=2016-08-08T17:09:24.238Z'
+echo
+echo
+
+
+echo "11. GET entities with correct datetime value in query parameter i.e. q=mytime<=2016-08-08T17:09:24.238Z (success case)"
+echo "======================================================================================================================"
+orionCurl --url '/v2/entities?q=mytime<=2016-08-08T17:09:24.238Z'
+echo
+echo
+
+
+--REGEXPECT--
+01. Create an entity E1 with attribute 'mytime' of type DateTime
+================================================================
+HTTP/1.1 201 Created
+Date: REGEX(.*)
+Fiware-Correlator: REGEX([0-9a-f\-]{36})
+Location: /v2/entities/E1?type=E
+Content-Length: 0
+
+
+
+02. Create an entity E2 with attribute 'mytime' of type DateTime
+================================================================
+HTTP/1.1 201 Created
+Date: REGEX(.*)
+Fiware-Correlator: REGEX([0-9a-f\-]{36})
+Location: /v2/entities/E2?type=E
+Content-Length: 0
+
+
+
+03. GET all entities (success case)
+===================================
+HTTP/1.1 200 OK
+Date: REGEX(.*)
+Fiware-Correlator: REGEX([0-9a-f\-]{36})
+Content-Type: application/json
+Content-Length: 203
+
+[
+ {
+ "id": "E1",
+ "mytime": {
+ "metadata": {},
+ "type": "DateTime",
+ "value": "2010-01-01T17:09:24.238Z"
+ },
+ "type": "E"
+ },
+ {
+ "id": "E2",
+ "mytime": {
+ "metadata": {},
+ "type": "DateTime",
+ "value": "2024-07-16T11:08:22.127Z"
+ },
+ "type": "E"
+ }
+]
+
+
+04. GET entities with invalid character in DateTime query parameter i.e. q=mytime<=2016-04-05T14:10:4XX.00Z (see error)
+=======================================================================================================================
+HTTP/1.1 400 Bad Request
+Date: REGEX(.*)
+Fiware-Correlator: REGEX([0-9a-f\-]{36})
+Content-Type: application/json
+Content-Length: 76
+
+{
+ "description": "invalid characters in query parameter",
+ "error": "BadRequest"
+}
+
+
+05. GET entities with invalid character in DateTime query parameter i.e. q=mytime<=2016-04-05T14:10:4X.00Z (see error)
+======================================================================================================================
+HTTP/1.1 400 Bad Request
+Date: REGEX(.*)
+Fiware-Correlator: REGEX([0-9a-f\-]{36})
+Content-Type: application/json
+Content-Length: 76
+
+{
+ "description": "invalid characters in query parameter",
+ "error": "BadRequest"
+}
+
+
+06. GET entities with invalid character in DateTime query parameter i.e. q=mytime<=2016-04-05T14:10:00**;**00Z (see error)
+==========================================================================================================================
+HTTP/1.1 400 Bad Request
+Date: REGEX(.*)
+Fiware-Correlator: REGEX([0-9a-f\-]{36})
+Content-Type: application/json
+Content-Length: 76
+
+{
+ "description": "invalid characters in query parameter",
+ "error": "BadRequest"
+}
+
+
+07. GET entities with invalid character in DateTime query parameter i.e. q=mytime<=2016-04-05T14:10:00.j00Z (see error)
+=======================================================================================================================
+HTTP/1.1 400 Bad Request
+Date: REGEX(.*)
+Fiware-Correlator: REGEX([0-9a-f\-]{36})
+Content-Type: application/json
+Content-Length: 76
+
+{
+ "description": "invalid characters in query parameter",
+ "error": "BadRequest"
+}
+
+
+08. GET entities with invalid character in DateTime query parameter i.e. q=mytime<=2016-04-05T14**;**10:00.00Z (see error)
+==========================================================================================================================
+HTTP/1.1 400 Bad Request
+Date: REGEX(.*)
+Fiware-Correlator: REGEX([0-9a-f\-]{36})
+Content-Type: application/json
+Content-Length: 76
+
+{
+ "description": "invalid characters in query parameter",
+ "error": "BadRequest"
+}
+
+
+09. GET entities with invalid character in DateTime query parameter i.e. q=mytime<=2016-04-05T14:00:XX00.00Z (see error)
+========================================================================================================================
+HTTP/1.1 400 Bad Request
+Date: REGEX(.*)
+Fiware-Correlator: REGEX([0-9a-f\-]{36})
+Content-Type: application/json
+Content-Length: 76
+
+{
+ "description": "invalid characters in query parameter",
+ "error": "BadRequest"
+}
+
+
+10. GET entities with correct datetime value in query parameter i.e. q=mytime>=2016-08-08T17:09:24.238Z (success case)
+======================================================================================================================
+HTTP/1.1 200 OK
+Date: REGEX(.*)
+Fiware-Correlator: REGEX([0-9a-f\-]{36})
+Content-Type: application/json
+Content-Length: 102
+
+[
+ {
+ "id": "E2",
+ "mytime": {
+ "metadata": {},
+ "type": "DateTime",
+ "value": "2024-07-16T11:08:22.127Z"
+ },
+ "type": "E"
+ }
+]
+
+
+11. GET entities with correct datetime value in query parameter i.e. q=mytime<=2016-08-08T17:09:24.238Z (success case)
+======================================================================================================================
+HTTP/1.1 200 OK
+Date: REGEX(.*)
+Fiware-Correlator: REGEX([0-9a-f\-]{36})
+Content-Type: application/json
+Content-Length: 102
+
+[
+ {
+ "id": "E1",
+ "mytime": {
+ "metadata": {},
+ "type": "DateTime",
+ "value": "2010-01-01T17:09:24.238Z"
+ },
+ "type": "E"
+ }
+]
+
+
+--TEARDOWN--
+brokerStop CB
+dbDrop CB
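Review bot: Every filter value in this test is DateTime-shaped, so the suite does not show that the new rejection leaves other value types alone. Steps 04–09 all send `mytime<=` with a corrupted timestamp, and steps 10–11 only send well-formed timestamps. Adding steps that filter on a boolean, an unquoted string and a number (for example `q=flag==true` against an entity that carries such an attribute) and expecting `200 OK` would pin that behaviour. A malformed date sent with `==` or in a range expression would also confirm the check is not tied to the `<=` operator.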