SonarQube / SONAR-8436

Web service "api/rules/tags" fails if parameter "q" contains invalid characters

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.6.4, 6.2
    • Component/s: Rules

      Description

      curl "http://localhost:9000/api/rules/tags?q=owas%5Bp.*" returns a 500 internal error and logs:

      java.lang.IllegalStateException: Fail to execute ES search request '{"query":{"match_all":{}},"aggregations":{"_ref":{"terms":{"field":"allTags","size":10000,"min_doc_count":1,"include":".*owas[p.*"}}}}' on indices '[rules]'
      	at org.sonar.server.es.request.ProxySearchRequestBuilder.get(ProxySearchRequestBuilder.java:48) ~[sonar-server-6.1.jar:na]
      	at org.sonar.server.es.request.ProxySearchRequestBuilder.get(ProxySearchRequestBuilder.java:36) ~[sonar-server-6.1.jar:na]
      	at org.sonar.server.rule.index.RuleIndex.terms(RuleIndex.java:487) ~[sonar-server-6.1.jar:na]
      	at org.sonar.server.rule.RuleService.listTags(RuleService.java:67) ~[sonar-server-6.1.jar:na]
      	at org.sonar.server.rule.ws.TagsAction.handle(TagsAction.java:63) ~[sonar-server-6.1.jar:na]
      	at org.sonar.server.ws.WebServiceEngine.execute(WebServiceEngine.java:109) ~[sonar-server-6.1.jar:na]
      	at org.sonar.server.ws.WebServiceFilter.doFilter(WebServiceFilter.java:74) [sonar-server-6.1.jar:na]
      	at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:126) [sonar-server-6.1.jar:na]
      	at org.sonar.server.platform.web.MasterServletFilter.doFilter(MasterServletFilter.java:95) [sonar-server-6.1.jar:na]
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.sonar.server.user.UserSessionFilter.doFilter(UserSessionFilter.java:60) [sonar-server-6.1.jar:na]
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.sonar.server.platform.web.RoutesFilter.doFilter(RoutesFilter.java:55) [sonar-server-6.1.jar:na]
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.sonar.server.platform.web.RootFilter.doFilter(RootFilter.java:113) [sonar-server-6.1.jar:na]
      	at org.sonar.server.platform.web.RootFilter.doFilter(RootFilter.java:81) [sonar-server-6.1.jar:na]
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at ch.qos.logback.access.tomcat.LogbackValve.invoke(LogbackValve.java:191) [logback-access-1.1.3.jar:na]
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:522) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1095) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_111]
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_111]
      	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at java.lang.Thread.run(Thread.java:745) [na:1.8.0_111]
      Caused by: org.elasticsearch.action.search.SearchPhaseExecutionException: all shards failed
      	at org.elasticsearch.action.search.AbstractSearchAsyncAction.onFirstPhaseResult(AbstractSearchAsyncAction.java:206) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.action.search.AbstractSearchAsyncAction$1.onFailure(AbstractSearchAsyncAction.java:152) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.action.ActionListenerResponseHandler.handleException(ActionListenerResponseHandler.java:46) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.transport.TransportService$DirectResponseChannel.processException(TransportService.java:855) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.transport.TransportService$DirectResponseChannel.sendResponse(TransportService.java:833) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.transport.TransportService$4.onFailure(TransportService.java:387) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:39) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_111]
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_111]
      	... 1 common frames omitted
      Caused by: org.elasticsearch.common.io.stream.NotSerializableExceptionWrapper: : expected ']' at position 10
      	at org.elasticsearch.ElasticsearchException.guessRootCauses(ElasticsearchException.java:386) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.action.search.SearchPhaseExecutionException.guessRootCauses(SearchPhaseExecutionException.java:152) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.action.search.SearchPhaseExecutionException.getCause(SearchPhaseExecutionException.java:99) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.ElasticsearchException.writeTo(ElasticsearchException.java:226) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.action.search.SearchPhaseExecutionException.writeTo(SearchPhaseExecutionException.java:64) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.common.io.stream.StreamOutput.writeThrowable(StreamOutput.java:564) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.ElasticsearchException.writeTo(ElasticsearchException.java:226) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.transport.ActionTransportException.writeTo(ActionTransportException.java:64) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.common.io.stream.StreamOutput.writeThrowable(StreamOutput.java:564) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.transport.netty.NettyTransportChannel.sendResponse(NettyTransportChannel.java:120) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.transport.DelegatingTransportChannel.sendResponse(DelegatingTransportChannel.java:68) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.transport.RequestHandlerRegistry$TransportChannelWrapper.sendResponse(RequestHandlerRegistry.java:146) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.action.support.HandledTransportAction$TransportHandler$1.onFailure(HandledTransportAction.java:74) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.action.search.AbstractSearchAsyncAction.raiseEarlyFailure(AbstractSearchAsyncAction.java:294) ~[elasticsearch-2.3.3.jar:2.3.3]
      	... 10 common frames omitted
      Caused by: java.lang.IllegalArgumentException: expected ']' at position 10
      	at org.apache.lucene.util.automaton.RegExp.parseCharClassExp(RegExp.java:1087) ~[lucene-core-5.5.0.jar:5.5.0 2a228b3920a07f930f7afb6a42d0d20e184a943c - mike - 2016-02-16 15:18:34]
      	at org.apache.lucene.util.automaton.RegExp.parseComplExp(RegExp.java:1078) ~[lucene-core-5.5.0.jar:5.5.0 2a228b3920a07f930f7afb6a42d0d20e184a943c - mike - 2016-02-16 15:18:34]
      	at org.apache.lucene.util.automaton.RegExp.parseRepeatExp(RegExp.java:1047) ~[lucene-core-5.5.0.jar:5.5.0 2a228b3920a07f930f7afb6a42d0d20e184a943c - mike - 2016-02-16 15:18:34]
      	at org.apache.lucene.util.automaton.RegExp.parseConcatExp(RegExp.java:1040) ~[lucene-core-5.5.0.jar:5.5.0 2a228b3920a07f930f7afb6a42d0d20e184a943c - mike - 2016-02-16 15:18:34]
      	at org.apache.lucene.util.automaton.RegExp.parseConcatExp(RegExp.java:1041) ~[lucene-core-5.5.0.jar:5.5.0 2a228b3920a07f930f7afb6a42d0d20e184a943c - mike - 2016-02-16 15:18:34]
      	at org.apache.lucene.util.automaton.RegExp.parseConcatExp(RegExp.java:1041) ~[lucene-core-5.5.0.jar:5.5.0 2a228b3920a07f930f7afb6a42d0d20e184a943c - mike - 2016-02-16 15:18:34]
      	at org.apache.lucene.util.automaton.RegExp.parseConcatExp(RegExp.java:1041) ~[lucene-core-5.5.0.jar:5.5.0 2a228b3920a07f930f7afb6a42d0d20e184a943c - mike - 2016-02-16 15:18:34]
      	at org.apache.lucene.util.automaton.RegExp.parseConcatExp(RegExp.java:1041) ~[lucene-core-5.5.0.jar:5.5.0 2a228b3920a07f930f7afb6a42d0d20e184a943c - mike - 2016-02-16 15:18:34]
      	at org.apache.lucene.util.automaton.RegExp.parseConcatExp(RegExp.java:1041) ~[lucene-core-5.5.0.jar:5.5.0 2a228b3920a07f930f7afb6a42d0d20e184a943c - mike - 2016-02-16 15:18:34]
      	at org.apache.lucene.util.automaton.RegExp.parseInterExp(RegExp.java:1033) ~[lucene-core-5.5.0.jar:5.5.0 2a228b3920a07f930f7afb6a42d0d20e184a943c - mike - 2016-02-16 15:18:34]
      	at org.apache.lucene.util.automaton.RegExp.parseUnionExp(RegExp.java:1027) ~[lucene-core-5.5.0.jar:5.5.0 2a228b3920a07f930f7afb6a42d0d20e184a943c - mike - 2016-02-16 15:18:34]
      	at org.apache.lucene.util.automaton.RegExp.<init>(RegExp.java:405) ~[lucene-core-5.5.0.jar:5.5.0 2a228b3920a07f930f7afb6a42d0d20e184a943c - mike - 2016-02-16 15:18:34]
      

      The parameter value is valid and should be handled correctly, whatever characters it contains. Moreover, this introduces a log flooding vulnerability.

      This bug exists in 6.2-RC1.
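
One way to keep the value of `q` literal when it is embedded in the `include` regular expression of the terms aggregation, as an added example (not SonarQube's code or its actual fix; the class and method names are hypothetical). The logged request shows the input prefixed with `.*`; wrapping it with `.*` on both sides for a "contains" match is an assumption.

```java
// Added example, not SonarQube code: class and method names are hypothetical.
public class TagQueryEscaper {

  // Characters with special meaning in Lucene's RegExp syntax (the syntax parsed
  // by org.apache.lucene.util.automaton.RegExp in the stack trace), including
  // the optional operators # @ & < > ~ and the string-literal quote.
  private static final String RESERVED = ".?+*|{}[]()\"\\#@&<>~";

  /** Backslash-escapes every reserved character so the input matches literally. */
  static String escapeLuceneRegexp(String input) {
    StringBuilder sb = new StringBuilder(input.length() * 2);
    for (int i = 0; i < input.length(); i++) {
      char c = input.charAt(i);
      if (RESERVED.indexOf(c) >= 0) {
        sb.append('\\');
      }
      sb.append(c);
    }
    return sb.toString();
  }

  /** Builds a "contains" pattern: only the surrounding .* act as operators. */
  static String containsPattern(String userQuery) {
    return ".*" + escapeLuceneRegexp(userQuery) + ".*";
  }

  public static void main(String[] args) {
    // Constructed inputs; the first is the URL-decoded value of q from the report.
    String[] samples = {"owas[p.*", "cwe", "a\\b", "x{1,"};
    for (String q : samples) {
      System.out.println(q + " -> " + containsPattern(q));
    }
  }
}
```

With the report's input, the unclosed `[` reaches the regexp parser as `\[`, so it is matched as a literal character instead of opening a character class.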

            People

            • Assignee: Simon Brandhof (simon.brandhof)
            • Reporter: Simon Brandhof (simon.brandhof)