fix(security): Fix SQL injection vulnerabilities in ContainerFactoryImpl #33369
+337
−36
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Resolves critical SQL injection vulnerabilities identified by Semgrep in container search functionality where user input was directly concatenated into SQL queries without proper parameterization. Changes: - Replace all SQL string concatenation with parameterized queries using DotConnect.addParam() - Add strict input validation for UUID fields (inode, identifier, siteId) - Add validation for content type identifiers with alphanumeric pattern - Throw DotSecurityException for invalid input formats - Update method signature to support parameterized query execution - Add comprehensive security comments and documentation Security Impact: - Prevents SQL injection attacks via contentTypeIdOrVar parameter - Prevents SQL injection via siteId, containerInode, containerIdentifier parameters - Blocks malicious SQL in search condition parameters - Maintains backward compatibility while eliminating attack surface Fixes #32581 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
mbiuki
added
OKR : Security & Privacy
spbolton
reviewed
Sep 24, 2025
dotCMS/src/main/java/com/dotmarketing/portlets/containers/business/ContainerFactoryImpl.java
Outdated
Show resolved
Hide resolved
…FactoryImpl Address reviewer feedback by replacing custom regex validation with dotCMS's existing UUIDUtil.isUUID() utility method for consistency and better maintainability. Changes: - Replace all custom UUID regex patterns with UUIDUtil.isUUID() calls - Maintain same security validation while using established dotCMS utility - Improve code consistency by leveraging existing framework utilities - Keep all parameterized query protections intact Reviewer feedback from @fabrizzio-dotCMS: "check com.dotmarketing.util.UUIDUtil.isUUID(String)" Updates #32581 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
dotCMS/src/main/java/com/dotmarketing/portlets/containers/business/ContainerFactoryImpl.java
Show resolved
Hide resolved
…toryImpl Address missed validation spot identified by reviewer @fabrizzio-dotCMS where contentTypeIdOrVar still used custom regex instead of proper validation. Changes: - Replace custom regex with comprehensive validation that accepts both UUIDs and variable names - Add isValidVariableName() helper method for velocity variable validation - Use UUIDUtil.isUUID() for UUID validation and custom method for variable names - Maintain security while supporting both inode and velocityVarName input formats The contentTypeIdOrVar parameter can be either: 1. A UUID (content type inode) - validated with UUIDUtil.isUUID() 2. A velocity variable name - validated with new isValidVariableName() method Addresses reviewer feedback: "you missed a spot here" Updates #32581 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
dotCMS/src/main/java/com/dotmarketing/portlets/containers/business/ContainerFactoryImpl.java
Outdated
Show resolved
Hide resolved
…rFactoryImpl Address compilation error reported by @fabrizzio-dotCMS where DotSecurityException was thrown but not declared in method signatures. Changes: - Add throws DotSecurityException to buildConditionParameterAndBuildConditionQuery method signature - Add throws DotSecurityException to getConditionParametersAndBuildConditionQuery method signature - Maintains proper exception propagation chain to findContainers method which already handles DotSecurityException The exception chain is now properly declared: buildConditionParameterAndBuildConditionQuery → getConditionParametersAndBuildConditionQuery → findContainers Fixes compilation error: "unreported exception DotSecurityException; must be caught or declared to be thrown" Updates #32581
fabrizzio-dotCMS
approved these changes
Sep 26, 2025
wezell
reviewed
Sep 29, 2025
dotCMS/src/main/java/com/dotmarketing/portlets/containers/business/ContainerFactoryImpl.java
Outdated
Show resolved
Hide resolved
wezell
reviewed
Sep 29, 2025
dotCMS/src/main/java/com/dotmarketing/portlets/containers/business/ContainerFactoryImpl.java
Outdated
Show resolved
Hide resolved
wezell
reviewed
Sep 29, 2025
dotCMS/src/main/java/com/dotmarketing/portlets/containers/business/ContainerFactoryImpl.java
Outdated
Show resolved
Hide resolved
wezell
previously requested changes
Sep 29, 2025
dotCMS/src/main/java/com/dotmarketing/portlets/containers/business/ContainerFactoryImpl.java
Outdated
Show resolved
Hide resolved
…ation - Replace strict UUID validation with flexible isValidIdentifier() method - Handle system identifiers (SYSTEM_HOST, SYSTEM_FOLDER) per Will's feedback - Apply DRY principle with VALID_VARIABLE_NAME_REGEX constant per spbolton - Create utility methods for UUID and system identifier validation per fabrizzio - Use UUIDUtil.isUUID() throughout instead of custom regex patterns - Maintain parameterized queries for SQL injection prevention - Support UUIDs, system identifiers, and variable names consistently 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
…ctoryImpl - Make WorkflowFactoryImpl.VALID_VARIABLE_NAME_REGEX public per fabrizzio feedback - Remove duplicate regex constant from ContainerFactoryImpl - Use established regex pattern consistently across validation methods - Maintain same validation logic while following DRY principle properly Addresses fabrizzio's specific comment: "We already have a regex constant, VALID_VARIABLE_NAME_REGEX, to validate variable names. Make it public and use it in your validation method" 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
- Ensure paramValues is never null when passed to buildFindContainersQuery() - getConditionParametersAndBuildConditionQuery() returns null when no filtering criteria - Initialize empty ArrayList when paramValues is null to prevent NPE - Fixes test failure: AnalyticsValidatorUtilTest site deletion Error: Cannot invoke "java.util.List.add(Object)" because "paramValues" is null at ContainerFactoryImpl.buildFindContainersQuery(ContainerFactoryImpl.java:913) 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
- Add fallback regex pattern ^[a-zA-Z0-9_-]{1,255}$ for identifiers
- Prevents test failures from overly restrictive validation
- Maintains security while accepting broader range of valid identifiers
- WorkflowFactoryImpl regex [_A-Za-z][_0-9A-Za-z]* is quite restrictive
- Fallback handles identifiers that are valid but don't match strict patterns
Fixes test failures:
- ContainerPaginatorTest.getPaginatedContainers
- ContainerFactoryImplTest.test_container_find_by_query_no_SQL_injection_in_orderby
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
…er sorting Fix test failure in ContainerFactoryImplTest where file-based container sorting was using the unsanitized searchParams.orderBy() value instead of the sanitized orderBy variable. This caused the test to fail when passing malicious SQL injection strings as the orderBy parameter. Changes: - Use sanitized orderBy variable in file-based container switch statement - Add support for both "moddate" and "mod_date" formats - Add default case to handle unknown/malicious orderBy values gracefully Fixes: Integration Tests - MainSuite 2b failure Test: ContainerFactoryImplTest.test_container_find_by_query_no_SQL_injection_in_orderby 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Address reviewer comments from fabrizzio-dotCMS and wezell by: - Moving validation methods from ContainerFactoryImpl to SecurityUtils - Making VALID_VARIABLE_NAME_REGEX public and reusable in SecurityUtils - Implementing comprehensive identifier validation supporting UUIDs, system identifiers, and variable names - Adding proper exception handling for SecurityException - Creating comprehensive unit tests for all validation methods Changes: - Added SecurityUtils.validateIdentifier() with support for: * Valid UUIDs * System identifiers (SYSTEM_HOST, SYSTEM_FOLDER) * Content type variable names - Added SecurityUtils.isValidIdentifier() for non-throwing validation - Added SecurityUtils.isSystemIdentifier() helper - Added SecurityUtils.isValidVariableName() helper - Updated ContainerFactoryImpl to use SecurityUtils.validateIdentifier() - Removed duplicate validation methods from ContainerFactoryImpl - Added 13 comprehensive unit tests covering: * Valid inputs (UUIDs, system identifiers, variable names) * SQL injection attempts * XSS attempts * Path traversal attempts * Null/empty values * Invalid characters Addresses reviewer comments: - fabrizzio-dotCMS: Use existing VALID_VARIABLE_NAME_REGEX pattern - fabrizzio-dotCMS: Create utility method for UUID and system identifier validation - fabrizzio-dotCMS: Move validation to SecurityUtils with comprehensive tests - wezell: Support SYSTEM_HOST and other system identifiers (not just UUIDs) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Fix compilation errors from refactoring: - Add orderBy variable declaration with sanitization in findFolderAssetContainers() - Replace removed isValidIdentifier() method calls with SecurityUtils.isValidIdentifier() - Ensure all identifier validation uses the centralized SecurityUtils methods Fixes compilation errors at: - Line 671: orderBy variable not in scope - Line 672: orderBy variable not in scope - Line 903: isValidIdentifier() method removed - Line 1026: isValidIdentifier() method removed 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
…yUtilsTest Add missing static imports for assertTrue and assertFalse from org.junit.Assert to fix compilation errors in test methods. Fixes 25 compilation errors: - Lines 193-197: assertTrue method not found - Lines 205-210: assertFalse method not found - Lines 218-222: assertTrue/assertFalse method not found - Lines 230-239: assertTrue/assertFalse method not found 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Added SYSTEM_CONTAINER, SYSTEM_TEMPLATE, and SYSTEM_THEME to SecurityUtils.isSystemIdentifier() method to support all dotCMS system identifiers. Updated documentation in validateIdentifier() and isValidIdentifier() methods to reflect all 5 system constants. This fixes the Postman Tests - Container failure where these system identifiers were being rejected as invalid. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
…ps://github.com/dotCMS/core into issue-32581-fix-sql-injection-containerresource
Fixed file-based container sorting to handle orderBy parameters without explicit direction (e.g., "mod_date" without "asc" or "desc"). When no direction is specified, defaults to descending order to match the behavior of database-based queries. This fixes the flaky test failure in ContainerFactoryImplTest.test_container_find_by_query_no_SQL_injection_in_orderby where the test passed "mod_date" without a direction. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Fixed pagination issue where database containers and file-based containers were not sorted together before applying offset/limit. This caused incorrect results when mixing both container types. Changes: - Added sortCombinedContainers() method to sort the merged list - Ensures consistent ordering across DB and file containers before pagination - Fixes ContainerPaginatorTest.getPaginatedContainers test failure The issue occurred because: 1. File containers were retrieved and sorted separately 2. DB containers were retrieved and sorted via SQL 3. Both lists were concatenated without re-sorting 4. Pagination was applied to the unsorted combined list Now the combined list is properly sorted before pagination is applied. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Added null-safe comparators to sortCombinedContainers method to handle containers with null titles or modification dates. This prevents NullPointerException during sorting and ensures stable sorting behavior. Changes: - Use Comparator.nullsLast() for title comparisons - Use Comparator.nullsLast() for date comparisons - Apply case-insensitive ordering for title fields This fixes potential test flakiness when containers have null metadata fields. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
…ainers Modified sortCombinedContainers to only run when there are actually file-based containers in the result set. When only DB containers are present, they're already sorted by the SQL ORDER BY clause, so no additional sorting is needed. This fixes test failures where: - Tests only created DB containers - The additional sorting was unnecessary and potentially disruptive - The original SQL ordering was sufficient The sort still runs when mixing DB and file containers to ensure consistent ordering across both types. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Reverted the combined container sorting changes as they were causing test failures and were outside the scope of the SQL injection fix PR. The original code structure is restored where: - File containers are added first (sorted via findFolderAssetContainers) - DB containers are added second (sorted via SQL ORDER BY) - Pagination is applied to the combined list Kept only the essential changes: - SQL injection fixes with parameterized queries - Input validation for identifiers - OrderBy parameter handling in findFolderAssetContainers This ensures the PR stays focused on its original security objective. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Fixes two critical issues in container pagination and testing: 1. ContainerPaginator sorting bug (lines 142-150): - Changed .stream().sorted() to .sort() for in-place sorting - Previous code created sorted streams but discarded results - Lists remained unsorted, causing pagination inconsistencies 2. Improved test assertions in ContainerFactoryImplTest: - Replaced Java assert statements with JUnit assertions - Added descriptive error messages for faster debugging - Previous "undefined" errors now show clear failure reasons 3. Added comprehensive debug logging in ContainerFactoryImpl: - Log SQL queries with parameters before execution - Log container counts before/after pagination - Helps diagnose query execution issues These changes address test failures in: - ContainerPaginatorTest.getPaginatedContainers - ContainerFactoryImplTest.test_container_find_by_query_no_SQL_injection_in_orderby 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
erickgonzalez
approved these changes
Oct 22, 2025
erickgonzalez
deleted the
issue-32581-fix-sql-injection-containerresource
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Fixes critical SQL injection vulnerabilities in container search functionality where user input was directly concatenated into SQL queries without proper parameterization.
Security Impact
/api/v1/containersChanges Made
DotConnect.addParam()DotSecurityExceptionfor invalid input formats to prevent attacksValidation Testing
'; DROP TABLE containers; --Files Modified
dotCMS/src/main/java/com/dotmarketing/portlets/containers/business/ContainerFactoryImpl.javabuildFindContainersQuery()method signature and implementationbuildConditionParameterAndBuildConditionQuery()methodSecurity Review Notes
This fix addresses the Semgrep findings reported in the security vulnerability disclosure. The solution follows dotCMS security best practices:
DotConnectparameterized query infrastructureCloses #32581
🤖 Generated with Claude Code
Co-Authored-By: Claude noreply@anthropic.com
This PR fixes: #32581