From 78f429a2fc310677f8b01fce80a80d050afeb17c Mon Sep 17 00:00:00 2001
From: guoshoujing
Date: Mon, 22 Mar 2021 17:24:39 +0800
Subject: [PATCH 1/2] auth: check username/password is empty string
---
 .../baidu/hugegraph/api/filter/AuthenticationFilter.java | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/hugegraph-api/src/main/java/com/baidu/hugegraph/api/filter/AuthenticationFilter.java b/hugegraph-api/src/main/java/com/baidu/hugegraph/api/filter/AuthenticationFilter.java
index 20146695bc..e98e47a341 100644
--- a/hugegraph-api/src/main/java/com/baidu/hugegraph/api/filter/AuthenticationFilter.java
+++ b/hugegraph-api/src/main/java/com/baidu/hugegraph/api/filter/AuthenticationFilter.java
@@ -37,6 +37,7 @@ import javax.ws.rs.ext.Provider;
 import javax.xml.bind.DatatypeConverter;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.tinkerpop.gremlin.server.auth.AuthenticationException;
 import org.glassfish.grizzly.http.server.Request;
 import org.glassfish.grizzly.utils.Charsets;
@@ -113,7 +114,11 @@ protected User authenticate(ContainerRequestContext context) {
         final String username = values[0];
         final String password = values[1];
-        assert username != null && password != null;
+
+        if (StringUtils.isEmpty(username) || StringUtils.isEmpty(password)) {
+            throw new BadRequestException(
+                      "Invalid syntax for username and password");
+        }
         // Validate the extracted credentials
         try {
From 250e0b8725a3d494f17499544c4f4e8d2651d49f Mon Sep 17 00:00:00 2001
From: guoshoujing
Date: Mon, 22 Mar 2021 19:04:18 +0800
Subject: [PATCH 2/2] auth: modifiy userinfo verification on create/update
---
 .../java/com/baidu/hugegraph/api/auth/UserAPI.java | 11 ++++++-----
 .../hugegraph/api/filter/AuthenticationFilter.java |  2 +-
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/hugegraph-api/src/main/java/com/baidu/hugegraph/api/auth/UserAPI.java b/hugegraph-api/src/main/java/com/baidu/hugegraph/api/auth/UserAPI.java
index eca1ba9b9d..6b947b6ead 100644
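Review bot: The added guard uses `StringUtils.isEmpty`, so a username or password made only of whitespace still passes through to the credential lookup below; for the username at least, `StringUtils.isBlank(username)` is the tighter test and matches what the commit message intends. Refusing with `BadRequestException` (400) also takes a different route than the authentication failure handled further down in authenticate: if that path maps `AuthenticationException` to a 401 with a challenge, an absent credential is arguably the same case and should be refused the same way, but that handling is outside the hunk and I cannot confirm it. The enclosing method authenticate starts before the hunk.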
--- a/hugegraph-api/src/main/java/com/baidu/hugegraph/api/auth/UserAPI.java
+++ b/hugegraph-api/src/main/java/com/baidu/hugegraph/api/auth/UserAPI.java
@@ -34,6 +34,7 @@ import javax.ws.rs.QueryParam;
 import javax.ws.rs.core.Context;
+import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import com.baidu.hugegraph.HugeGraph;
@@ -208,15 +209,15 @@ public HugeUser build() {
         @Override
         public void checkCreate(boolean isBatch) {
-            E.checkArgumentNotNull(this.name,
-                                   "The name of user can't be null");
-            E.checkArgumentNotNull(this.password,
-                                   "The password of user can't be null");
+            E.checkArgument(!StringUtils.isEmpty(this.name),
+                            "The name of user can't be null");
+            E.checkArgument(!StringUtils.isEmpty(this.password),
+                            "The password of user can't be null");
         }
         @Override
         public void checkUpdate() {
-            E.checkArgument(this.password != null ||
+            E.checkArgument(!StringUtils.isEmpty(this.password) ||
                             this.phone != null ||
                             this.email != null ||
                             this.avatar != null,
diff --git a/hugegraph-api/src/main/java/com/baidu/hugegraph/api/filter/AuthenticationFilter.java b/hugegraph-api/src/main/java/com/baidu/hugegraph/api/filter/AuthenticationFilter.java
index e98e47a341..d63b5ca2b5 100644
--- a/hugegraph-api/src/main/java/com/baidu/hugegraph/api/filter/AuthenticationFilter.java
+++ b/hugegraph-api/src/main/java/com/baidu/hugegraph/api/filter/AuthenticationFilter.java
@@ -117,7 +117,7 @@ protected User authenticate(ContainerRequestContext context) {
         if (StringUtils.isEmpty(username) || StringUtils.isEmpty(password)) {
             throw new BadRequestException(
-                      "Invalid syntax for username and password");
+                  "Invalid syntax for username and password");
         }
         // Validate the extracted credentials
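Review bot: The messages on the four rewritten lines in checkCreate still say `can't be null`, but the check now also rejects the empty string; they should read `"The name of user can't be null or empty"` and `"The password of user can't be null or empty"` so the 400 tells the caller what was actually refused. In checkUpdate the new condition only decides whether the request carries at least one updatable field: a request with `password = ""` alongside a non-null phone still passes, and whether that empty password is then written depends on update code outside this hunk, so a dedicated guard such as `E.checkArgument(this.password == null || !this.password.isEmpty(), "The password of user can't be empty");` ahead of the existing check would close that gap regardless. checkUpdate continues past the end of the hunk, and the enclosing class starts before it. The import hunk above and the whitespace-only AuthenticationFilter hunk below need nothing.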