From 3c8f96e18dc55b18b011db232fb7b2c751833d37 Mon Sep 17 00:00:00 2001
From: egernug
Date: Wed, 30 Apr 2025 10:16:40 +0100
Subject: [PATCH] Extend CpsPathQuerySpec for dangerous SQLi characters

Issue-ID: CPS-2781
Change-Id: Ic658028d0ed48c3345db218ab913732d7665e2c6
Signed-off-by: egernug
---
 .../cps/cpspath/parser/CpsPathQuerySpec.groovy | 36 ++++++++++++++--------
 1 file changed, 24 insertions(+), 12 deletions(-)

diff --git a/cps-path-parser/src/test/groovy/org/onap/cps/cpspath/parser/CpsPathQuerySpec.groovy b/cps-path-parser/src/test/groovy/org/onap/cps/cpspath/parser/CpsPathQuerySpec.groovy
index b551080b40..5cf3fa2950 100644
--- a/cps-path-parser/src/test/groovy/org/onap/cps/cpspath/parser/CpsPathQuerySpec.groovy
+++ b/cps-path-parser/src/test/groovy/org/onap/cps/cpspath/parser/CpsPathQuerySpec.groovy
@@ -1,6 +1,6 @@
 /*
  * ============LICENSE_START=======================================================
- * Copyright (C) 2021-2024 Nordix Foundation
+ * Copyright (C) 2021-2025 OpenInfra Foundation Europe. All rights reserved.
  * Modifications Copyright (C) 2023 TechMahindra Ltd
  * ================================================================================
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -180,17 +180,29 @@ class CpsPathQuerySpec extends Specification {
 then: 'a CpsPathException is thrown'
 thrown(PathParsingException)
 where: 'the following data is used'
- scenario | cpsPath
- 'no / at the start' | 'invalid-cps-path/child'
- 'additional / after descendant option' | '///cps-path'
- 'float value' | '/parent/child[@someFloat=5.0]'
- 'unmatched quotes, double quote first ' | '/parent/child[@someString="value with unmatched quotes\']'
- 'unmatched quotes, single quote first' | '/parent/child[@someString=\'value with unmatched quotes"]'
- 'missing attribute value' | '//child[@int-leaf=5 and @name]'
- 'incomplete ancestor value' | '//books/ancestor::'
- 'invalid list element with missing [' | '/parent-206/child-206/grand-child-206@key="A"]'
- 'invalid list element with incorrect ]' | '/parent-206/child-206/grand-child-206]@key="A"]'
- 'invalid list element with incorrect ::' | '/parent-206/child-206/grand-child-206::@key"A"]'
+ group | scenario | cpsPath
+ 'axis' | 'incomplete ancestor value' | '//books/ancestor::'
+ 'list element' | 'invalid list element with missing [' | '/parent-206/child-206/grand-child-206@key="A"]'
+ 'list element' | 'invalid list element with incorrect ]' | '/parent-206/child-206/grand-child-206]@key="A"]'
+ 'list element' | 'invalid list element with incorrect ::' | '/parent-206/child-206/grand-child-206::@key"A"]'
+ 'operators' | 'hash preceding string ' | '/parent/child[@someString=#"value with preceding hash"]'
+ 'operators' | 'semi-colon preceding string ' | '/parent/child[@someString=;"value with preceding hash"]'
+ 'operators' | 'double dash comment ' | '/parent/child[--dangerous sql]'
+ 'operators' | 'dangling operator' | '/parent/child[@a=5 AND]'
+ 'predicate_logic' | 'included OR expression' | '/parent/child[@a=5 OR 1=1]'
+ 'predicate_logic' | 'float value' | '/parent/child[@someFloat=5.0]'
+ 'predicate_logic' | 'missing attribute value' | '//child[@int-leaf=5 and @name]'
+ 'predicate_syntax' | 'missing value' | '/parent/child[]'
+ 'predicate_syntax' | 'unclosed value' | '/parent/child[@attr=\'val\''
+ 'predicate_syntax' | 'missing closing bracket' | '/parent/child[@attr="val"'
+ 'quotes' | 'unmatched quotes, double quote first ' | '/parent/child[@someString="value with unmatched quotes\']'
+ 'quotes' | 'unmatched quotes, single quote first' | '/parent/child[@someString=\'value with unmatched quotes"]'
+ 'quotes' | 'quotes in leaf name' | '/parent/child[@leaf\'name=\'123\']'
+ 'structure' | 'no / at the start' | 'invalid-cps-path/child'
+ 'structure' | 'additional / after descendant option' | '///cps-path'
+ 'structure' | 'wildcard misuse' | '/parent/*/'
+ 'structure' | 'empty path' | ''
+ 'structure' | 'single slash only' | '/'
 }
 
 def 'Parse cps path using ancestor by schema node identifier with a #scenario.'() {
-- 
2.16.6
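Review bot: The new 'operators' and 'predicate_logic' rows only show that `#`, `;`, `--` and `OR 1=1` are rejected when they sit outside a quoted value, which is a plain syntax failure rather than evidence of an injection defence; the same characters inside quotes (e.g. `/parent/child[@someString='x; DROP TABLE y --']`) are presumably valid CPS path syntax and are exactly the input that reaches the SQL layer. Consider a companion positive scenario that parses such a path and asserts the leaf value comes back verbatim, so the spec documents that the parser passes these through and neutralisation is the responsibility of the parameterised query layer, not of this grammar. The `OR`/`AND` rows are upper case while the retained 'missing attribute value' row uses `and`; if the grammar's boolean operators are case-sensitive, `'/parent/child[@a=5 OR 1=1]'` and `'/parent/child[@a=5 AND]'` may throw only because of an unknown keyword, so lowercase `or 1=1` / `and]` would pin the intended failure. The 'semi-colon preceding string ' row's value still reads "value with preceding hash" (copy-paste), and several scenario names carry a trailing space.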