fix: reject invalid order parameter values DHIS2-16935

Author: teleivo

dhis-2/dhis-api/src/main/java/org/hisp/dhis/webapi/controller/event/mapper/SortDirection.java

@@ -46,14 +46,17 @@ public enum SortDirection {
   private final boolean ignoreCase;
 
   public static SortDirection of(String value) {
-    return of(value, DEFAULT_SORTING_DIRECTION);
-  }
-
-  public static SortDirection of(String value, SortDirection defaultSortingDirection) {
     return Arrays.stream(values())
         .filter(sortDirection -> sortDirection.getValue().equalsIgnoreCase(value))
         .findFirst()
-        .orElse(defaultSortingDirection);
+        .orElseThrow(
+            () ->
+                new IllegalArgumentException(
+                    "'"
+                        + value
+                        + "' is not a valid sort direction. Valid values are: "
+                        + Arrays.toString(SortDirection.values())
+                        + "."));
   }
 
   public boolean isAscending() {

dhis-2/dhis-api/src/main/java/org/hisp/dhis/webapi/controller/event/webrequest/OrderCriteria.java

@@ -46,9 +46,9 @@
 @Value
 @AllArgsConstructor(staticName = "of")
 public class OrderCriteria {
-  private final String field;
+  String field;
 
-  private final SortDirection direction;
+  SortDirection direction;
 
   public OrderParam toOrderParam() {
     return new OrderParam(field, direction);
@@ -64,18 +64,36 @@ public static List<OrderCriteria> fromOrderString(String source) {
 
   private static List<OrderCriteria> toOrderCriterias(String s) {
     return Arrays.stream(s.split(","))
-        .map(OrderCriteria::toOrderCriteria)
+        .filter(StringUtils::isNotBlank)
+        .map(OrderCriteria::valueOf)
         .collect(Collectors.toList());
   }
 
-  private static OrderCriteria toOrderCriteria(String s1) {
-    String[] props = s1.split(":");
-    if (props.length == 2) {
-      return OrderCriteria.of(props[0], SortDirection.of(props[1]));
+  /**
+   * Create an {@link OrderCriteria} from a string in the format of "field:direction". Valid
+   * directions are defined by {@link SortDirection}.
+   *
+   * @throws IllegalArgumentException if the input is not in the correct format.
+   */
+  public static OrderCriteria valueOf(String input) {
+    String[] props = input.split(":");
+    if (props.length > 2) {
+      throw new IllegalArgumentException(
+          "Invalid order property: '"
+              + input
+              + "'. Valid formats are 'field:direction' or 'field'. Valid directions are 'asc' or 'desc'. Direction defaults to 'asc'.");
     }
-    if (props.length == 1) {
-      return OrderCriteria.of(props[0], SortDirection.ASC);
+
+    String field = props[0].trim();
+    if (StringUtils.isEmpty(field)) {
+      throw new IllegalArgumentException(
+          "Missing field name in order property: '"
+              + input
+              + "'. Valid formats are 'field:direction' or 'field'. Valid directions are 'asc' or 'desc'. Direction defaults to 'asc'.");
     }
-    return null;
+
+    SortDirection direction =
+        props.length == 1 ? SortDirection.ASC : SortDirection.of(props[1].trim());
+    return OrderCriteria.of(field, direction);
   }
 }

dhis-2/dhis-api/src/test/java/org/hisp/dhis/webapi/controller/event/webrequest/OrderCriteriaTest.java

@@ -0,0 +1,93 @@
+/*
+ * Copyright (c) 2004-2023, University of Oslo
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * Neither the name of the HISP project nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+package org.hisp.dhis.webapi.controller.event.webrequest;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+import java.util.List;
+import org.hisp.dhis.webapi.controller.event.mapper.SortDirection;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
+
+class OrderCriteriaTest {
+
+  @Test
+  void fromOrderString() {
+    List<OrderCriteria> order = OrderCriteria.fromOrderString("one:desc,, two:asc  ,three  ");
+
+    assertEquals(
+        List.of(
+            OrderCriteria.of("one", SortDirection.DESC),
+            OrderCriteria.of("two", SortDirection.ASC),
+            OrderCriteria.of("three", SortDirection.ASC)),
+        order);
+  }
+
+  @ValueSource(strings = {"one:desc", "one:Desc", "one:DESC"})
+  @ParameterizedTest
+  void fromOrderStringSortDirectionParsingIsCaseInsensitive(String source) {
+    List<OrderCriteria> order = OrderCriteria.fromOrderString(source);
+
+    assertEquals(List.of(OrderCriteria.of("one", SortDirection.DESC)), order);
+  }
+
+  @Test
+  void fromOrderStringDefaultsToAscGivenFieldAndColon() {
+    List<OrderCriteria> order = OrderCriteria.fromOrderString("one:");
+
+    assertEquals(List.of(OrderCriteria.of("one", SortDirection.ASC)), order);
+  }
+
+  @Test
+  void failGivenAnUnknownSortDirection() {
+    assertThrows(IllegalArgumentException.class, () -> OrderCriteria.fromOrderString("one:wrong"));
+  }
+
+  @Test
+  void fromOrderStringReturnsEmptyListGivenEmptyOrder() {
+    List<OrderCriteria> orderCriteria = OrderCriteria.fromOrderString(" ");
+
+    assertNotNull(orderCriteria);
+    assertEquals(
+        0, orderCriteria.size(), String.format("Expected 0 items, instead got %s", orderCriteria));
+  }
+
+  @Test
+  void failGivenMoreThanTwoColons() {
+    assertThrows(
+        IllegalArgumentException.class, () -> OrderCriteria.fromOrderString("one:desc:wrong"));
+  }
+
+  @Test
+  void failGivenEmptyField() {
+    assertThrows(IllegalArgumentException.class, () -> OrderCriteria.valueOf(" :desc"));
+  }
+}

dhis-2/dhis-test-e2e/src/test/resources/tracker/workinglists/trackedEntityFilters.json

@@ -1,75 +1,83 @@
 {
-    "id": "ctZIHTIIlYS",
-    "name": "TA Tracker program filter",
-    "program": {
-        "id": "f1AyMswryyQ"
+  "id": "ctZIHTIIlYS",
+  "name": "TA Tracker program filter",
+  "program": {
+    "id": "f1AyMswryyQ"
+  },
+  "sharing": {
+    "public": "rw------",
+    "userGroups": {
+      "OPVIvvXzNTw": {
+        "access": "rw------",
+        "id": "OPVIvvXzNTw"
+      }
+    }
+  },
+  "entityQueryCriteria": {
+    "enrollmentStatus": "COMPLETED",
+    "followUp": true,
+    "ouMode": "ACCESSIBLE",
+    "displayColumnOrder": [
+      "eventDate",
+      "dueDate",
+      "program",
+      "invalid"
+    ],
+    "assignedUserMode": "ANY",
+    "programStage": "a3kGcGDCuk6",
+    "trackedEntityType": "Q9GufDoplCL",
+    "lastUpdatedDate": {
+      "period": "TODAY",
+      "startBuffer": -5,
+      "endBuffer": 5,
+      "type": "RELATIVE"
     },
-    "sharing": {
-        "public": "rw------",
-        "userGroups": {
-            "OPVIvvXzNTw": {
-                "access": "rw------",
-                "id": "OPVIvvXzNTw"
-            }
-        }
+    "enrollmentCreatedDate": {
+      "period": "TODAY",
+      "startBuffer": -5,
+      "endBuffer": 5,
+      "type": "RELATIVE"
+    },
+    "enrollmentIncidentDate": {
+      "endDate": "2019-03-20T00:00:00.000",
+      "type": "ABSOLUTE",
+      "startDate": "2014-05-01T00:00:00.000"
     },
-    "entityQueryCriteria": {
-        "enrollmentStatus": "COMPLETED",
-        "followUp": true,
-        "ouMode": "ACCESSIBLE",
-        "displayColumnOrder": [ "eventDate", "dueDate", "program", "invalid"],
-        "assignedUserMode": "ANY",
-        "programStage":"a3kGcGDCuk6",
-        "trackedEntityType":"Q9GufDoplCL",
-        "lastUpdatedDate": {
-            "period": "TODAY",
-            "startBuffer": -5,
-            "endBuffer": 5,
-            "type": "RELATIVE"
-        },
-        "enrollmentCreatedDate": {
-            "period": "TODAY",
-            "startBuffer": -5,
-            "endBuffer": 5,
-            "type": "RELATIVE"
-        },
-        "enrollmentIncidentDate": {
-            "endDate": "2019-03-20T00:00:00.000",
-            "type": "ABSOLUTE",
-            "startDate": "2014-05-01T00:00:00.000"
-        },
-        "trackedEntityInstances": ["a3kGcGDCuk7", "a3kGcGDCuk8"],
-        "order": "createdAt:desc;orgUnit:asc",
-        "attributeValueFilters": [
-            {
-                "attribute": "dIVt4l5vIOa",
-                "sw": "a",
-                "ew": "e"
-            },
-            {
-                "attribute": "kZeSYCgaHTk",
-                "like": "abc"
-            },
-            {
-                "attribute": "x5yfLot5VCM",
-                "dateFilter": {
-                    "startDate": "2014-05-01T00:00:00.000",
-                    "endDate": "2019-03-20T00:00:00.000",
-                    "type": "ABSOLUTE"
-                }
-            },
-            {
-                "attribute": "ypGAwVRNtVY",
-                "le": "20",
-                "ge": "10"
-            },
-            {
-                "attribute": "aIga5mPOFOJ",
-                "in":  [
-                    "MALE",
-                    "FEMALE"
-                ]
-            }
+    "trackedEntityInstances": [
+      "a3kGcGDCuk7",
+      "a3kGcGDCuk8"
+    ],
+    "order": "createdAt:desc",
+    "attributeValueFilters": [
+      {
+        "attribute": "dIVt4l5vIOa",
+        "sw": "a",
+        "ew": "e"
+      },
+      {
+        "attribute": "kZeSYCgaHTk",
+        "like": "abc"
+      },
+      {
+        "attribute": "x5yfLot5VCM",
+        "dateFilter": {
+          "startDate": "2014-05-01T00:00:00.000",
+          "endDate": "2019-03-20T00:00:00.000",
+          "type": "ABSOLUTE"
+        }
+      },
+      {
+        "attribute": "ypGAwVRNtVY",
+        "le": "20",
+        "ge": "10"
+      },
+      {
+        "attribute": "aIga5mPOFOJ",
+        "in": [
+          "MALE",
+          "FEMALE"
         ]
-    }
-}
+      }
+    ]
+  }
+}

dhis-2/dhis-test-web-api/src/test/java/org/hisp/dhis/webapi/MvcTestConfig.java

@@ -60,7 +60,6 @@
 import org.hisp.dhis.webapi.mvc.messageconverter.StreamingJsonRootMessageConverter;
 import org.hisp.dhis.webapi.mvc.messageconverter.XmlMessageConverter;
 import org.hisp.dhis.webapi.mvc.messageconverter.XmlPathMappingJackson2XmlHttpMessageConverter;
-import org.hisp.dhis.webapi.security.config.StringToOrderCriteriaListConverter;
 import org.hisp.dhis.webapi.view.CustomPathExtensionContentNegotiationStrategy;
 import org.mockito.Mockito;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -273,7 +272,6 @@ public void configureMessageConverters(List<HttpMessageConverter<?>> converters)
 
   @Override
   public void addFormatters(FormatterRegistry registry) {
-    registry.addConverter(new StringToOrderCriteriaListConverter());
     registry.addConverter(new FieldPathConverter());
   }