From f215cd04e06f4ba09ca04b2a059dc6e813f1504b Mon Sep 17 00:00:00 2001
From: nscuro
Date: Fri, 29 Sep 2023 11:47:23 +0200
Subject: [PATCH] Use `escapeQuotes` over `escapeJson` for values passed to CEL policy script sources
Continuation of #337
Signed-off-by: nscuro
---
 .../compat/ComponentHashCelPolicyScriptSourceBuilder.java | 4 ++--
 .../cel/compat/CoordinatesCelPolicyScriptSourceBuilder.java | 6 +++---
 .../cel/compat/LicenseCelPolicyScriptSourceBuilder.java | 4 ++--
 .../compat/LicenseGroupCelPolicyScriptSourceBuilder.java | 4 ++--
 4 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/main/java/org/dependencytrack/policy/cel/compat/ComponentHashCelPolicyScriptSourceBuilder.java b/src/main/java/org/dependencytrack/policy/cel/compat/ComponentHashCelPolicyScriptSourceBuilder.java
index 34e9dde97..c75faf798 100644
--- a/src/main/java/org/dependencytrack/policy/cel/compat/ComponentHashCelPolicyScriptSourceBuilder.java
+++ b/src/main/java/org/dependencytrack/policy/cel/compat/ComponentHashCelPolicyScriptSourceBuilder.java
@@ -5,7 +5,7 @@
 import org.dependencytrack.model.PolicyCondition;
 import org.json.JSONObject;
-import static org.apache.commons.lang3.StringEscapeUtils.escapeJson;
+import static org.dependencytrack.policy.cel.compat.CelPolicyScriptSourceBuilder.escapeQuotes;
 public class ComponentHashCelPolicyScriptSourceBuilder implements CelPolicyScriptSourceBuilder {
@@ -26,7 +26,7 @@ public String apply(final PolicyCondition policyCondition) {
 if (policyCondition.getOperator().equals(PolicyCondition.Operator.IS)) {
 return """
 component.%s == "%s"
- """.formatted(fieldName, escapeJson(hash.getValue()));
+ """.formatted(fieldName, escapeQuotes(hash.getValue()));
 } else {
 LOGGER.warn("Policy operator %s is not allowed with this policy".formatted(policyCondition.getOperator().toString()));
 return null;
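Review bot: The hash value on the `+` line of the hunk at 26 is still placed inside a CEL string literal, and whether `escapeQuotes` (defined in CelPolicyScriptSourceBuilder, outside this diff) also escapes backslashes cannot be seen here; `escapeJson` did, so if the new helper only touches `"`, a backslash immediately preceding a quote in the value would cancel that quote's escape and the literal would no longer be well-formed. For this builder the value is presumably a hex digest (assuming `hash.getValue()` returns it as a String), so the stricter option is to reject anything else before interpolation instead of relying on escaping, e.g. `if (!hash.getValue().matches("[0-9A-Fa-f]+")) { LOGGER.warn("Policy condition hash value is not hexadecimal"); return null; }` ahead of the `return`. That reuses the warn-and-return-null handling the else branch already has. apply() starts before this hunk and ends after it.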
diff --git a/src/main/java/org/dependencytrack/policy/cel/compat/CoordinatesCelPolicyScriptSourceBuilder.java b/src/main/java/org/dependencytrack/policy/cel/compat/CoordinatesCelPolicyScriptSourceBuilder.java
index 721f1fe03..76fa18469 100644
--- a/src/main/java/org/dependencytrack/policy/cel/compat/CoordinatesCelPolicyScriptSourceBuilder.java
+++ b/src/main/java/org/dependencytrack/policy/cel/compat/CoordinatesCelPolicyScriptSourceBuilder.java
@@ -11,7 +11,7 @@
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
-import static org.apache.commons.lang3.StringEscapeUtils.escapeJson;
+import static org.dependencytrack.policy.cel.compat.CelPolicyScriptSourceBuilder.escapeQuotes;
 public class CoordinatesCelPolicyScriptSourceBuilder implements CelPolicyScriptSourceBuilder {
@@ -52,7 +52,7 @@ private static String evaluateScript(final String conditionGroupPart, final Stri
 .build();
 return """
 component.group.matches("%s") && component.name.matches("%s") && component.matches_range("%s")
- """.formatted(escapeJson(group), escapeJson(name), conditionVers.toString());
+ """.formatted(escapeQuotes(group), escapeQuotes(name), conditionVers.toString());
 }
 io.github.nscuro.versatile.Comparator versionComparator = switch (versionOperatorMatcher.group(1)) {
@@ -76,7 +76,7 @@ private static String evaluateScript(final String conditionGroupPart, final Stri
 return """
 component.group.matches("%s") && component.name.matches("%s") && component.matches_range("%s")
- """.formatted(escapeJson(group), escapeJson(name), conditionVers.toString());
+ """.formatted(escapeQuotes(group), escapeQuotes(name), conditionVers.toString());
 }
 private static String replace(String conditionString) {
diff --git a/src/main/java/org/dependencytrack/policy/cel/compat/LicenseCelPolicyScriptSourceBuilder.java b/src/main/java/org/dependencytrack/policy/cel/compat/LicenseCelPolicyScriptSourceBuilder.java
index 1927a7253..d66b36bf4 100644
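Review bot: On the `+` lines of both hunks (52 and 76) `conditionVers.toString()` is interpolated into `matches_range("%s")` without going through `escapeQuotes`, while `group` and `name` are escaped; either the vers string cannot contain quotes by construction, which deserves a comment on that line, or it should pass through the same helper (a no-op when there is nothing to escape). The two hunks also repeat the same text block and argument list, so the escaping decision is made twice and can drift; a private helper that renders the expression once would remove that. Note that `group` and `name` are regex patterns (they feed `matches`), which commonly contain backslash escapes such as `\.`; whether `escapeQuotes` re-escapes backslashes the way `escapeJson` did is not visible in this diff and is worth pinning with a test that uses a dotted group pattern. evaluateScript() starts before the first hunk; the second hunk's closing brace ends it, and the hunk at 52 would get the same one-line replacement as the one shown below.
```java
        // … unchanged: second Vers build …
        return coordinatesScript(group, name, conditionVers.toString());
    }

    /** Renders one coordinates condition as CEL; every value this builder interpolates is escaped here and only here. */
    private static String coordinatesScript(final String group, final String name, final String versRange) {
        return """
                component.group.matches("%s") && component.name.matches("%s") && component.matches_range("%s")
                """.formatted(escapeQuotes(group), escapeQuotes(name), escapeQuotes(versRange));
    }
```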
--- a/src/main/java/org/dependencytrack/policy/cel/compat/LicenseCelPolicyScriptSourceBuilder.java
+++ b/src/main/java/org/dependencytrack/policy/cel/compat/LicenseCelPolicyScriptSourceBuilder.java
@@ -20,7 +20,7 @@
 import org.dependencytrack.model.PolicyCondition;
-import static org.apache.commons.lang3.StringEscapeUtils.escapeJson;
+import static org.dependencytrack.policy.cel.compat.CelPolicyScriptSourceBuilder.escapeQuotes;
 public class LicenseCelPolicyScriptSourceBuilder implements CelPolicyScriptSourceBuilder {
@@ -37,7 +37,7 @@ public String apply(final PolicyCondition policyCondition) {
 """;
 }
 } else {
- final String escapedLicenseUuid = escapeJson(policyCondition.getValue());
+ final String escapedLicenseUuid = escapeQuotes(policyCondition.getValue());
 if (policyCondition.getOperator() == PolicyCondition.Operator.IS) {
 return """
 component.resolved_license.uuid == "%s"
diff --git a/src/main/java/org/dependencytrack/policy/cel/compat/LicenseGroupCelPolicyScriptSourceBuilder.java b/src/main/java/org/dependencytrack/policy/cel/compat/LicenseGroupCelPolicyScriptSourceBuilder.java
index 87b8bf540..617458658 100644
--- a/src/main/java/org/dependencytrack/policy/cel/compat/LicenseGroupCelPolicyScriptSourceBuilder.java
+++ b/src/main/java/org/dependencytrack/policy/cel/compat/LicenseGroupCelPolicyScriptSourceBuilder.java
@@ -2,7 +2,7 @@
 import org.dependencytrack.model.PolicyCondition;
-import static org.apache.commons.lang3.StringEscapeUtils.escapeJson;
+import static org.dependencytrack.policy.cel.compat.CelPolicyScriptSourceBuilder.escapeQuotes;
 public class LicenseGroupCelPolicyScriptSourceBuilder implements CelPolicyScriptSourceBuilder {
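Review bot: If, as the name `escapedLicenseUuid` on the `+` line of the hunk at 37 says, the value in this branch is always a license UUID, escaping is the weaker tool: `final String escapedLicenseUuid = UUID.fromString(policyCondition.getValue()).toString();` (java.util.UUID) rejects anything that is not a UUID before it reaches the script source and yields a canonical string that needs no escaping at all. The `IllegalArgumentException` thrown for a malformed value would be caught, logged and turned into `return null`, which is how ComponentHashCelPolicyScriptSourceBuilder already handles an unsupported operator. The same applies to the `+` line in LicenseGroupCelPolicyScriptSourceBuilder (hunk at 10), where `group.uuid == "%s"` is compared against the raw condition value. apply() starts before this hunk and continues after it.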
@@ -10,7 +10,7 @@ public class LicenseGroupCelPolicyScriptSourceBuilder implements CelPolicyScript
 public String apply(final PolicyCondition policyCondition) {
 final String scriptSrc = """
 component.resolved_license.groups.exists(group, group.uuid == "%s")
- """.formatted(escapeJson(policyCondition.getValue()));
+ """.formatted(escapeQuotes(policyCondition.getValue()));
 if (policyCondition.getOperator() == PolicyCondition.Operator.IS) {
 return scriptSrc;