  1. SonarQube
  2. SONAR-8437

The facets involved in web services do not correctly unescape characters of selected value

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.6.4, 6.2
    • Component/s: Rules
    • Labels:

      Description

      Fail to process request http://172.30.2.252:12475/api/rules/search?p=1&ps=200&facets=types%2Clanguages%2Ctags&f=name%2Clang%2ClangName%2CsysTags%2Ctags%2Cstatus%2Cseverity&s=name&asc=true&tags=misra%2B%2B%5C&languages=c%2Ccpp
      java.lang.IllegalStateException: Fail to execute ES search request '{"from":0,"size":200,"query":{"bool":{"must":{"match_all":{}},"filter":{"bool":{"must":[{"terms":{"allTags":["misra++\"]}},{"terms":{"lang":["c","cpp"]}},{"bool":{"must_not":{"term":{"status":"REMOVED"}}}}]}}}},"sort":[{"name.sort":{"order":"asc"}}],"aggregations":{"types":{"global":{},"aggregations":{"types_filter":{"filter":{"bool":{"must":[{"match_all":{}},{"terms":{"allTags":["misra++\"]}},{"terms":{"lang":["c","cpp"]}},{"bool":{"must_not":{"term":{"status":"REMOVED"}}}}]}},"aggregations":{"types":{"terms":{"field":"type","size":10,"min_doc_count":1,"order":{"_count":"desc"}}}}}}},"languages":{"global":{},"aggregations":{"languages_filter":{"filter":{"bool":{"must":[{"match_all":{}},{"terms":{"allTags":["misra++\"]}},{"bool":{"must_not":{"term":{"status":"REMOVED"}}}}]}},"aggregations":{"languages":{"terms":{"field":"lang","size":10,"min_doc_count":1,"order":{"_count":"desc"}}},"languages_selected":{"terms":{"field":"lang","include":"c|cpp"}}}}}},"tags":{"global":{},"aggregations":{"tags_filter":{"filter":{"bool":{"must":[{"match_all":{}},{"terms":{"lang":["c","cpp"]}},{"bool":{"must_not":{"term":{"status":"REMOVED"}}}}]}},"aggregations":{"tags":{"terms":{"field":"allTags","size":10,"min_doc_count":1,"order":{"_count":"desc"}}},"tags_selected":{"terms":{"field":"allTags","include":"misra++\"}}}}}}}}' on indices '[rules]' on types '[rule]'
      	at org.sonar.server.es.request.ProxySearchRequestBuilder.get(ProxySearchRequestBuilder.java:48) ~[sonar-server-6.1.jar:na]
      	at org.sonar.server.es.request.ProxySearchRequestBuilder.get(ProxySearchRequestBuilder.java:36) ~[sonar-server-6.1.jar:na]
      	at org.sonar.server.rule.index.RuleIndex.search(RuleIndex.java:138) ~[sonar-server-6.1.jar:na]
      	at org.sonar.server.rule.ws.SearchAction.doSearch(SearchAction.java:353) ~[sonar-server-6.1.jar:na]
      	at org.sonar.server.rule.ws.SearchAction.handle(SearchAction.java:159) ~[sonar-server-6.1.jar:na]
      	at org.sonar.server.ws.WebServiceEngine.execute(WebServiceEngine.java:109) ~[sonar-server-6.1.jar:na]
      	at org.sonar.server.ws.WebServiceFilter.doFilter(WebServiceFilter.java:74) [sonar-server-6.1.jar:na]
      	at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:126) [sonar-server-6.1.jar:na]
      	at org.sonar.server.platform.web.MasterServletFilter.doFilter(MasterServletFilter.java:95) [sonar-server-6.1.jar:na]
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.sonar.server.user.UserSessionFilter.doFilter(UserSessionFilter.java:60) [sonar-server-6.1.jar:na]
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.sonar.server.platform.web.RoutesFilter.doFilter(RoutesFilter.java:55) [sonar-server-6.1.jar:na]
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.sonar.server.platform.web.RootFilter.doFilter(RootFilter.java:113) [sonar-server-6.1.jar:na]
      	at org.sonar.server.platform.web.RootFilter.doFilter(RootFilter.java:81) [sonar-server-6.1.jar:na]
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at ch.qos.logback.access.tomcat.LogbackValve.invoke(LogbackValve.java:191) [logback-access-1.1.3.jar:na]
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:522) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1095) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_111]
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_111]
      	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.0.32.jar:8.0.32]
      	at java.lang.Thread.run(Thread.java:745) [na:1.8.0_111]
      Caused by: org.elasticsearch.action.search.SearchPhaseExecutionException: all shards failed
      	at org.elasticsearch.action.search.AbstractSearchAsyncAction.onFirstPhaseResult(AbstractSearchAsyncAction.java:206) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.action.search.AbstractSearchAsyncAction$1.onFailure(AbstractSearchAsyncAction.java:152) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.action.ActionListenerResponseHandler.handleException(ActionListenerResponseHandler.java:46) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.transport.TransportService$DirectResponseChannel.processException(TransportService.java:855) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.transport.TransportService$DirectResponseChannel.sendResponse(TransportService.java:833) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.transport.TransportService$4.onFailure(TransportService.java:387) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:39) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_111]
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_111]
      	... 1 common frames omitted
      Caused by: org.elasticsearch.common.io.stream.NotSerializableExceptionWrapper: : unexpected end-of-string
      	at org.elasticsearch.ElasticsearchException.guessRootCauses(ElasticsearchException.java:386) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.action.search.SearchPhaseExecutionException.guessRootCauses(SearchPhaseExecutionException.java:152) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.action.search.SearchPhaseExecutionException.getCause(SearchPhaseExecutionException.java:99) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.ElasticsearchException.writeTo(ElasticsearchException.java:226) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.action.search.SearchPhaseExecutionException.writeTo(SearchPhaseExecutionException.java:64) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.common.io.stream.StreamOutput.writeThrowable(StreamOutput.java:564) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.ElasticsearchException.writeTo(ElasticsearchException.java:226) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.transport.ActionTransportException.writeTo(ActionTransportException.java:64) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.common.io.stream.StreamOutput.writeThrowable(StreamOutput.java:564) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.transport.netty.NettyTransportChannel.sendResponse(NettyTransportChannel.java:120) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.transport.DelegatingTransportChannel.sendResponse(DelegatingTransportChannel.java:68) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.transport.RequestHandlerRegistry$TransportChannelWrapper.sendResponse(RequestHandlerRegistry.java:146) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.action.support.HandledTransportAction$TransportHandler$1.onFailure(HandledTransportAction.java:74) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.action.search.AbstractSearchAsyncAction.raiseEarlyFailure(AbstractSearchAsyncAction.java:294) ~[elasticsearch-2.3.3.jar:2.3.3]
      	... 10 common frames omitted
      Caused by: java.lang.IllegalArgumentException: unexpected end-of-string
      	at org.apache.lucene.util.automaton.RegExp.next(RegExp.java:1016) ~[lucene-core-5.5.0.jar:5.5.0 2a228b3920a07f930f7afb6a42d0d20e184a943c - mike - 2016-02-16 15:18:34]
      	at org.apache.lucene.util.automaton.RegExp.parseCharExp(RegExp.java:1163) ~[lucene-core-5.5.0.jar:5.5.0 2a228b3920a07f930f7afb6a42d0d20e184a943c - mike - 2016-02-16 15:18:34]
      	at org.apache.lucene.util.automaton.RegExp.parseSimpleExp(RegExp.java:1158) ~[lucene-core-5.5.0.jar:5.5.0 2a228b3920a07f930f7afb6a42d0d20e184a943c - mike - 2016-02-16 15:18:34]
      	at org.apache.lucene.util.automaton.RegExp.parseCharClassExp(RegExp.java:1090) ~[lucene-core-5.5.0.jar:5.5.0 2a228b3920a07f930f7afb6a42d0d20e184a943c - mike - 2016-02-16 15:18:34]
      	at org.apache.lucene.util.automaton.RegExp.parseComplExp(RegExp.java:1078) ~[lucene-core-5.5.0.jar:5.5.0 2a228b3920a07f930f7afb6a42d0d20e184a943c - mike - 2016-02-16 15:18:34]
      	at org.apache.lucene.util.automaton.RegExp.parseRepeatExp(RegExp.java:1047) ~[lucene-core-5.5.0.jar:5.5.0 2a228b3920a07f930f7afb6a42d0d20e184a943c - mike - 2016-02-16 15:18:34]
      	at org.apache.lucene.util.automaton.RegExp.parseConcatExp(RegExp.java:1040) ~[lucene-core-5.5.0.jar:5.5.0 2a228b3920a07f930f7afb6a42d0d20e184a943c - mike - 2016-02-16 15:18:34]
      	at org.apache.lucene.util.automaton.RegExp.parseConcatExp(RegExp.java:1041) ~[lucene-core-5.5.0.jar:5.5.0 2a228b3920a07f930f7afb6a42d0d20e184a943c - mike - 2016-02-16 15:18:34]
      	at org.apache.lucene.util.automaton.RegExp.parseConcatExp(RegExp.java:1041) ~[lucene-core-5.5.0.jar:5.5.0 2a228b3920a07f930f7afb6a42d0d20e184a943c - mike - 2016-02-16 15:18:34]
      	at org.apache.lucene.util.automaton.RegExp.parseConcatExp(RegExp.java:1041) ~[lucene-core-5.5.0.jar:5.5.0 2a228b3920a07f930f7afb6a42d0d20e184a943c - mike - 2016-02-16 15:18:34]
      	at org.apache.lucene.util.automaton.RegExp.parseConcatExp(RegExp.java:1041) ~[lucene-core-5.5.0.jar:5.5.0 2a228b3920a07f930f7afb6a42d0d20e184a943c - mike - 2016-02-16 15:18:34]
      	at org.apache.lucene.util.automaton.RegExp.parseConcatExp(RegExp.java:1041) ~[lucene-core-5.5.0.jar:5.5.0 2a228b3920a07f930f7afb6a42d0d20e184a943c - mike - 2016-02-16 15:18:34]
      	at org.apache.lucene.util.automaton.RegExp.parseInterExp(RegExp.java:1033) ~[lucene-core-5.5.0.jar:5.5.0 2a228b3920a07f930f7afb6a42d0d20e184a943c - mike - 2016-02-16 15:18:34]
      	at org.apache.lucene.util.automaton.RegExp.parseUnionExp(RegExp.java:1027) ~[lucene-core-5.5.0.jar:5.5.0 2a228b3920a07f930f7afb6a42d0d20e184a943c - mike - 2016-02-16 15:18:34]
      	at org.apache.lucene.util.automaton.RegExp.<init>(RegExp.java:405) ~[lucene-core-5.5.0.jar:5.5.0 2a228b3920a07f930f7afb6a42d0d20e184a943c - mike - 2016-02-16 15:18:34]
      	at org.apache.lucene.util.automaton.RegExp.<init>(RegExp.java:387) ~[lucene-core-5.5.0.jar:5.5.0 2a228b3920a07f930f7afb6a42d0d20e184a943c - mike - 2016-02-16 15:18:34]
      	at org.elasticsearch.search.aggregations.bucket.terms.support.IncludeExclude$Parser.includeExclude(IncludeExclude.java:361) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.search.aggregations.bucket.terms.AbstractTermsParametersParser.parse(AbstractTermsParametersParser.java:105) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.search.aggregations.bucket.terms.TermsParser.parse(TermsParser.java:50) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.search.aggregations.AggregatorParsers.parseAggregators(AggregatorParsers.java:198) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.search.aggregations.AggregatorParsers.parseAggregators(AggregatorParsers.java:176) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.search.aggregations.AggregatorParsers.parseAggregators(AggregatorParsers.java:176) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.search.aggregations.AggregatorParsers.parseAggregators(AggregatorParsers.java:103) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.search.aggregations.AggregationParseElement.parse(AggregationParseElement.java:60) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.search.SearchService.parseSource(SearchService.java:838) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.search.SearchService.createContext(SearchService.java:654) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.search.SearchService.createAndPutContext(SearchService.java:620) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.search.SearchService.executeFetchPhase(SearchService.java:463) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.search.action.SearchServiceTransportAction$SearchQueryFetchTransportHandler.messageReceived(SearchServiceTransportAction.java:392) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.search.action.SearchServiceTransportAction$SearchQueryFetchTransportHandler.messageReceived(SearchServiceTransportAction.java:389) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.transport.TransportRequestHandler.messageReceived(TransportRequestHandler.java:33) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:75) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.transport.TransportService$4.doRun(TransportService.java:376) ~[elasticsearch-2.3.3.jar:2.3.3]
      	at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) ~[elasticsearch-2.3.3.jar:2.3.3]
      	... 3 common frames omitted
      

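      There are two vulnerabilities:

      • The selected value is not escaped, so user input is interpreted as a regular expression and executed as-is. In the request above, the tags value misra++\ is copied unchanged into the "include" pattern of the tags_selected terms aggregation (just as the selected languages become "c|cpp"), and Lucene's RegExp parser rejects the trailing backslash with "unexpected end-of-string".
      • Log flooding when user input is not a valid regexp, for example foo[. Each such request fails in Elasticsearch and produces a log entry with a stack trace like the one above.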

      This bug exists in 6.2-RC1.

            People

            • Assignee:
              simon.brandhof Simon Brandhof
              Reporter:
              simon.brandhof Simon Brandhof