fix #2582 check usercode

2021-07-10 06:20:21 +09:00 · 2021-07-10 06:20:21 +09:00 · 3ac1ab99f7
commit 3ac1ab99f7
parent e13f0a220d
4 changed files with 62 additions and 9 deletions
--- a/src/main/java/org/codelibs/fess/helper/UserInfoHelper.java
+++ b/src/main/java/org/codelibs/fess/helper/UserInfoHelper.java
@ -91,13 +91,22 @@ public class UserInfoHelper {
            return null;
        }

-        final PrimaryCipher cipher = ComponentUtil.getPrimaryCipher();
-        userCode = cipher.encrypt(userCode);
+        userCode = createUserCodeFromUserId(userCode);
        request.setAttribute(Constants.USER_CODE, userCode);
        deleteUserCodeFromCookie(request);
        return userCode;
    }

+    protected String createUserCodeFromUserId(String userCode) {
+        final FessConfig fessConfig = ComponentUtil.getFessConfig();
+        final PrimaryCipher cipher = ComponentUtil.getPrimaryCipher();
+        userCode = cipher.encrypt(userCode);
+        if (fessConfig.isValidUserCode(userCode)) {
+            return userCode;
+        }
+        return null;
+    }
+
    public void deleteUserCodeFromCookie(final HttpServletRequest request) {
        final String cookieValue = getUserCodeFromCookie(request);
        if (cookieValue != null) {
@ -112,12 +121,6 @@ public class UserInfoHelper {
            return null;
        }

-        final int length = userCode.length();
-        if (fessConfig.getUserCodeMinLengthAsInteger().intValue() > length
-                || fessConfig.getUserCodeMaxLengthAsInteger().intValue() < length) {
-            return null;
-        }
-
        if (fessConfig.isValidUserCode(userCode)) {
            request.setAttribute(Constants.USER_CODE, userCode);
            return userCode;
@ -155,10 +158,11 @@ public class UserInfoHelper {
    }

    protected String getUserCodeFromCookie(final HttpServletRequest request) {
+        final FessConfig fessConfig = ComponentUtil.getFessConfig();
        final Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (final Cookie cookie : cookies) {
-                if (cookieName.equals(cookie.getName())) {
+                if (cookieName.equals(cookie.getName()) && fessConfig.isValidUserCode(cookie.getValue())) {
                    return cookie.getValue();
                }
            }
--- a/src/main/java/org/codelibs/fess/mylasta/direction/FessProp.java
+++ b/src/main/java/org/codelibs/fess/mylasta/direction/FessProp.java
@ -1675,10 +1675,20 @@ public interface FessProp {

    String getUserCodePattern();

+    Integer getUserCodeMinLengthAsInteger();
+
+    Integer getUserCodeMaxLengthAsInteger();
+
    default boolean isValidUserCode(final String userCode) {
        if (userCode == null) {
            return false;
        }
+
+        final int length = userCode.length();
+        if (getUserCodeMinLengthAsInteger().intValue() > length || getUserCodeMaxLengthAsInteger().intValue() < length) {
+            return false;
+        }
+
        Pattern pattern = (Pattern) propMap.get(USER_CODE_PATTERN);
        if (pattern == null) {
            pattern = Pattern.compile(getUserCodePattern());
--- a/src/test/java/org/codelibs/fess/helper/UserInfoHelperTest.java
+++ b/src/test/java/org/codelibs/fess/helper/UserInfoHelperTest.java
@ -70,4 +70,15 @@ public class UserInfoHelperTest extends UnitFessTestCase {
        request.setParameter("userCode", buf.toString() + "x");
        assertNull(userInfoHelper.getUserCodeFromRequest(request));
    }
+
+    public void test_createUserCodeFromUserId() {
+        UserInfoHelper userInfoHelper = new UserInfoHelper();
+        assertEquals("009ab986effa1a9664ada54eb81d7fce", userInfoHelper.createUserCodeFromUserId("a"));
+        assertEquals("b17816944bb30c19cb3265480470288caaa93e36666527a57ca94d8a8b8d7b80",
+                userInfoHelper.createUserCodeFromUserId("test@example.com"));
+        assertEquals("41ebbef035e6cebb9d0cf6b98266d9335abd454718a3b172efa30635ef19f1cc",
+                userInfoHelper.createUserCodeFromUserId("!\"#$%&'()'\\^-=,./_?><+*}{`P@[]"));
+        assertNull(userInfoHelper
+                .createUserCodeFromUserId("123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890"));
+    }
 }
--- a/src/test/java/org/codelibs/fess/mylasta/direction/FessPropTest.java
+++ b/src/test/java/org/codelibs/fess/mylasta/direction/FessPropTest.java
@ -234,6 +234,34 @@ public class FessPropTest extends UnitFessTestCase {
        assertEquals(Locale.TRADITIONAL_CHINESE, fessConfig.getQueryLocaleFromName("test_zh_TW"));
    }

+    public void test_isValidUserCode() {
+        FessProp.propMap.clear();
+        FessConfig fessConfig = new FessConfig.SimpleImpl() {
+            @Override
+            public Integer getUserCodeMinLengthAsInteger() {
+                return 10;
+            }
+
+            @Override
+            public Integer getUserCodeMaxLengthAsInteger() {
+                return 20;
+            }
+
+            @Override
+            public String getUserCodePattern() {
+                return "[a-zA-Z0-9_]+";
+            }
+        };
+
+        assertTrue(fessConfig.isValidUserCode("1234567890"));
+        assertTrue(fessConfig.isValidUserCode("12345678901234567890"));
+        assertTrue(fessConfig.isValidUserCode("1234567890abcdeABCD_"));
+
+        assertFalse(fessConfig.isValidUserCode("123456789"));
+        assertFalse(fessConfig.isValidUserCode("123456789012345678901"));
+        assertFalse(fessConfig.isValidUserCode("123456789?"));
+    }
+
    private void assertArrays(final String[] expected, final String[] actual) {
        Arrays.sort(expected);
        Arrays.sort(actual);