fix: avoid regex injection in filter parameters

Signed-off-by: Michael Edgar <medgar@redhat.com>
streamshub · Feb 16, 2024 · a2cc92d · a2cc92d
1 parent 43e2702
commit a2cc92d
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 5 deletions.
diff --git a/api/src/main/java/com/github/eyefloaters/console/api/support/FetchFilterPredicate.java b/api/src/main/java/com/github/eyefloaters/console/api/support/FetchFilterPredicate.java
@@ -24,10 +24,37 @@ public FetchFilterPredicate(String name, FetchFilter filter, Function<String, F>
         if (operator.equals("like")) {
             // throws ClassCastException if this class is constructed with an incorrect operandParser (API bug)
             String firstOperand = (String) firstOperand();
-            likePattern = Pattern.compile(firstOperand
-                .replace(".", "\\.")
-                .replace("*", ".*")
-                .replace("?", "."));
+            StringBuilder pattern = new StringBuilder();
+            StringBuilder quoted = new StringBuilder();
+            Runnable appendQuoted = () -> {
+                if (quoted.length() > 0) {
+                    pattern.append(Pattern.quote(quoted.toString()));
+                    quoted.setLength(0);
+                }
+            };
+
+            firstOperand.chars().forEach(c -> {
+                switch (c) {
+                case '.':
+                    appendQuoted.run();
+                    pattern.append("\\.");
+                    break;
+                case '*':
+                    appendQuoted.run();
+                    pattern.append(".*");
+                    break;
+                case '?':
+                    appendQuoted.run();
+                    pattern.append(".");
+                    break;
+                default:
+                    quoted.append(c);
+                    break;
+                }
+            });
+
+            appendQuoted.run();
+            likePattern = Pattern.compile(pattern.toString());
         } else {
             likePattern = null;
         }

diff --git a/api/src/main/java/com/github/eyefloaters/console/api/support/TrustAllCertificateManager.java b/api/src/main/java/com/github/eyefloaters/console/api/support/TrustAllCertificateManager.java
@@ -36,7 +36,7 @@ public void trustClusterCertificate(Map<String, Object> cfg) {
         TrustManager[] trustAllCerts = {this};
 
         try {
-            SSLContext sc = SSLContext.getInstance("TLS");
+            SSLContext sc = SSLContext.getInstance("TLSv1.2");
             sc.init(null, trustAllCerts, new SecureRandom());
             SSLSocketFactory factory = sc.getSocketFactory();
             String bootstrap = (String) cfg.get(CommonClientConfigs.BOOTSTRAP_SERVERS_CONFIG);