fix(id-filter): allow JSON 'id' key on particular endpoints only (#337)

cryostatio · Mar 22, 2024 · d730054 · d730054
1 parent b25a178
commit d730054
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 3 deletions.
diff --git a/src/main/java/io/cryostat/JsonRequestFilter.java b/src/main/java/io/cryostat/JsonRequestFilter.java
@@ -19,6 +19,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
+import java.util.Set;
 
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
@@ -31,12 +32,17 @@
 @Provider
 public class JsonRequestFilter implements ContainerRequestFilter {
 
+ static final Set<String> disallowedFields = Set.of("id");
+ static final Set<String> allowedPaths = Set.of("/api/v2.2/discovery");
+
  private final ObjectMapper objectMapper = new ObjectMapper();
 
  @Override
  public void filter(ContainerRequestContext requestContext) throws IOException {
  if (requestContext.getMediaType() != null
- && requestContext.getMediaType().isCompatible(MediaType.APPLICATION_JSON_TYPE)) {
+ && requestContext.getMediaType().isCompatible(MediaType.APPLICATION_JSON_TYPE)
+ && (requestContext.getUriInfo() != null
+ && !allowedPaths.contains(requestContext.getUriInfo().getPath()))) {
  try (InputStream stream = requestContext.getEntityStream()) {
  JsonNode rootNode = objectMapper.readTree(stream);
 
@@ -56,8 +62,10 @@ public void filter(ContainerRequestContext requestContext) throws IOException {
  }
 
  private boolean containsIdField(JsonNode node) {
- if (node.has("id")) {
- return true;
+ for (String field : disallowedFields) {
+ if (node.has(field)) {
+ return true;
+ }
  }
  if (node.isContainerNode()) {
  for (JsonNode child : node) {

diff --git a/src/test/java/io/cryostat/JsonRequestFilterTest.java b/src/test/java/io/cryostat/JsonRequestFilterTest.java
@@ -25,9 +25,11 @@
 import jakarta.ws.rs.container.ContainerRequestContext;
 import jakarta.ws.rs.core.MediaType;
 import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.core.UriInfo;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.MethodSource;
+import org.mockito.Mockito;
 
 public class JsonRequestFilterTest {
  private JsonRequestFilter filter;
@@ -76,6 +78,9 @@ private void simulateRequest(String jsonPayload) throws Exception {
  new ByteArrayInputStream(jsonPayload.getBytes(StandardCharsets.UTF_8));
  when(requestContext.getEntityStream()).thenReturn(payloadStream);
  when(requestContext.getMediaType()).thenReturn(MediaType.APPLICATION_JSON_TYPE);
+ UriInfo uriInfo = Mockito.mock(UriInfo.class);
+ Mockito.when(uriInfo.getPath()).thenReturn("/some/path");
+ when(requestContext.getUriInfo()).thenReturn(uriInfo);
  filter.filter(requestContext);
  }
 }