Merge pull request #338 from DependencyTrack/fix-cel-value-encoding

Use `escapeQuotes` over `escapeJson` for values passed to CEL policy script sources
DependencyTrack · Sep 29, 2023 · ba48f63 · ba48f63
2 parents 4524636 + f215cd0
commit ba48f63
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 9 deletions.
diff --git a/...java/org/dependencytrack/policy/cel/compat/ComponentHashCelPolicyScriptSourceBuilder.java b/...java/org/dependencytrack/policy/cel/compat/ComponentHashCelPolicyScriptSourceBuilder.java
@@ -5,7 +5,7 @@
 import org.dependencytrack.model.PolicyCondition;
 import org.json.JSONObject;
 
-import static org.apache.commons.lang3.StringEscapeUtils.escapeJson;
+import static org.dependencytrack.policy.cel.compat.CelPolicyScriptSourceBuilder.escapeQuotes;
 
 public class ComponentHashCelPolicyScriptSourceBuilder implements CelPolicyScriptSourceBuilder {
 
@@ -26,7 +26,7 @@ public String apply(final PolicyCondition policyCondition) {
         if (policyCondition.getOperator().equals(PolicyCondition.Operator.IS)) {
             return """
                     component.%s == "%s"
-                    """.formatted(fieldName, escapeJson(hash.getValue()));
+                    """.formatted(fieldName, escapeQuotes(hash.getValue()));
         } else {
             LOGGER.warn("Policy operator %s is not allowed with this policy".formatted(policyCondition.getOperator().toString()));
             return null;

diff --git a/...n/java/org/dependencytrack/policy/cel/compat/CoordinatesCelPolicyScriptSourceBuilder.java b/...n/java/org/dependencytrack/policy/cel/compat/CoordinatesCelPolicyScriptSourceBuilder.java
@@ -11,7 +11,7 @@
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
-import static org.apache.commons.lang3.StringEscapeUtils.escapeJson;
+import static org.dependencytrack.policy.cel.compat.CelPolicyScriptSourceBuilder.escapeQuotes;
 
 public class CoordinatesCelPolicyScriptSourceBuilder implements CelPolicyScriptSourceBuilder {
 
@@ -52,7 +52,7 @@ private static String evaluateScript(final String conditionGroupPart, final Stri
                     .build();
             return """
                 component.group.matches("%s") && component.name.matches("%s") && component.matches_range("%s")
-                """.formatted(escapeJson(group), escapeJson(name), conditionVers.toString());
+                """.formatted(escapeQuotes(group), escapeQuotes(name), conditionVers.toString());
         }
 
         io.github.nscuro.versatile.Comparator versionComparator = switch (versionOperatorMatcher.group(1)) {
@@ -76,7 +76,7 @@ private static String evaluateScript(final String conditionGroupPart, final Stri
 
         return """
                 component.group.matches("%s") && component.name.matches("%s") && component.matches_range("%s")
-                """.formatted(escapeJson(group), escapeJson(name), conditionVers.toString());
+                """.formatted(escapeQuotes(group), escapeQuotes(name), conditionVers.toString());
     }
 
     private static String replace(String conditionString) {

diff --git a/src/main/java/org/dependencytrack/policy/cel/compat/LicenseCelPolicyScriptSourceBuilder.java b/src/main/java/org/dependencytrack/policy/cel/compat/LicenseCelPolicyScriptSourceBuilder.java
@@ -20,7 +20,7 @@
 
 import org.dependencytrack.model.PolicyCondition;
 
-import static org.apache.commons.lang3.StringEscapeUtils.escapeJson;
+import static org.dependencytrack.policy.cel.compat.CelPolicyScriptSourceBuilder.escapeQuotes;
 
 public class LicenseCelPolicyScriptSourceBuilder implements CelPolicyScriptSourceBuilder {
 
@@ -37,7 +37,7 @@ public String apply(final PolicyCondition policyCondition) {
                         """;
             }
         } else {
-            final String escapedLicenseUuid = escapeJson(policyCondition.getValue());
+            final String escapedLicenseUuid = escapeQuotes(policyCondition.getValue());
             if (policyCondition.getOperator() == PolicyCondition.Operator.IS) {
                 return """
                         component.resolved_license.uuid == "%s"

diff --git a/.../java/org/dependencytrack/policy/cel/compat/LicenseGroupCelPolicyScriptSourceBuilder.java b/.../java/org/dependencytrack/policy/cel/compat/LicenseGroupCelPolicyScriptSourceBuilder.java
@@ -2,15 +2,15 @@
 
 import org.dependencytrack.model.PolicyCondition;
 
-import static org.apache.commons.lang3.StringEscapeUtils.escapeJson;
+import static org.dependencytrack.policy.cel.compat.CelPolicyScriptSourceBuilder.escapeQuotes;
 
 public class LicenseGroupCelPolicyScriptSourceBuilder implements CelPolicyScriptSourceBuilder {
 
     @Override
     public String apply(final PolicyCondition policyCondition) {
         final String scriptSrc = """
                 component.resolved_license.groups.exists(group, group.uuid == "%s")
-                """.formatted(escapeJson(policyCondition.getValue()));
+                """.formatted(escapeQuotes(policyCondition.getValue()));
 
         if (policyCondition.getOperator() == PolicyCondition.Operator.IS) {
             return scriptSrc;