From 49d065af20325be2760693ba59bf4c0942c76e68 Mon Sep 17 00:00:00 2001
From: hongwei
Date: Wed, 13 Sep 2023 16:21:02 +0200
Subject: [PATCH] refactor/moved uriAndQueryString to ObpS

---
 .../src/main/scala/code/api/OBPRestHelper.scala | 4 ++--
 .../ResourceDocsAPIMethods.scala | 6 +++---
 .../src/main/scala/code/api/util/APIUtil.scala | 16 ++++++++++++++--
 .../scala/code/model/dataAccess/AuthUser.scala | 10 +++++-----
 .../scala/code/snippet/OAuthAuthorisation.scala | 2 +-
 obp-api/src/main/scala/code/util/Helper.scala | 11 ++++++++++-
 6 files changed, 35 insertions(+), 14 deletions(-)

diff --git a/obp-api/src/main/scala/code/api/OBPRestHelper.scala b/obp-api/src/main/scala/code/api/OBPRestHelper.scala
index 42a18cd21..1a5853f75 100644
--- a/obp-api/src/main/scala/code/api/OBPRestHelper.scala
+++ b/obp-api/src/main/scala/code/api/OBPRestHelper.scala
@@ -41,7 +41,7 @@ import code.api.v5_0_0.OBPAPI5_0_0
 import code.api.v5_1_0.OBPAPI5_1_0
 import code.loginattempts.LoginAttempt
 import code.model.dataAccess.AuthUser
-import code.util.Helper.MdcLoggable
+import code.util.Helper.{MdcLoggable, ObpS}
 import com.alibaba.ttl.TransmittableThreadLocal
 import com.openbankproject.commons.model.ErrorMessage
 import com.openbankproject.commons.util.{ApiVersion, ReflectUtils, ScannedApiVersion}
@@ -376,7 +376,7 @@ trait OBPRestHelper extends RestHelper with MdcLoggable {
 val body: Box[String] = getRequestBody(S.request)
 val implementedInVersion = S.request.openOrThrowException(attemptedToOpenAnEmptyBox).view
 val verb = S.request.openOrThrowException(attemptedToOpenAnEmptyBox).requestType.method
- val url = URLDecoder.decode(S.uriAndQueryString.getOrElse(""),"UTF-8")
+ val url = URLDecoder.decode(ObpS.uriAndQueryString.getOrElse(""),"UTF-8")
 val correlationId = getCorrelationId()
 val reqHeaders = S.request.openOrThrowException(attemptedToOpenAnEmptyBox).request.headers
 val remoteIpAddress = getRemoteIpAddress()
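Review bot: With `ObpS.uriAndQueryString` now returning Empty when the value fails `basicUriAndQueryStringValidation`, the `getOrElse("")` on the changed line records an empty `url` in the metric for precisely the requests a defender most wants to see; the same pattern appears in the two APIUtil hunks at lines 422 and 3016. Only a debug-level message inside ObpS keeps the rejected value, so at ordinary log levels the event leaves no trace in the metrics record. If rejected values must not reach the metrics store, a distinct fallback (a constant such as `"<uri rejected by ObpS>"`, a constructed example) instead of `""` would at least keep a rejected request distinguishable from an absent one. The enclosing method starts and ends outside the hunk.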
diff --git a/obp-api/src/main/scala/code/api/ResourceDocs1_4_0/ResourceDocsAPIMethods.scala b/obp-api/src/main/scala/code/api/ResourceDocs1_4_0/ResourceDocsAPIMethods.scala
index 75087a8b0..5764e4432 100644
--- a/obp-api/src/main/scala/code/api/ResourceDocs1_4_0/ResourceDocsAPIMethods.scala
+++ b/obp-api/src/main/scala/code/api/ResourceDocs1_4_0/ResourceDocsAPIMethods.scala
@@ -250,7 +250,7 @@ trait ResourceDocsAPIMethods extends MdcLoggable with APIMethods220 with APIMeth
 var cacheKey = (randomUUID().toString, randomUUID().toString, randomUUID().toString)
 CacheKeyFromArguments.buildCacheKey {
 Caching.memoizeSyncWithProvider (Some(cacheKey.toString())) (getStaticResourceDocsTTL second) {
- logger.debug(s"Generating OBP Resource Docs requestedApiVersion is $requestedApiVersionString")
+ logger.debug(s"Generating OBP-getStaticResourceDocsObpCached requestedApiVersion is $requestedApiVersionString")
 val requestedApiVersion = ApiVersionUtils.valueOf(requestedApiVersionString)
 val resourceDocJson = resourceDocsToResourceDocJson(getResourceDocsList(requestedApiVersion), resourceDocTags, partialFunctionNames, isVersion4OrHigher, locale)
@@ -284,7 +284,7 @@ trait ResourceDocsAPIMethods extends MdcLoggable with APIMethods220 with APIMeth
 var cacheKey = (randomUUID().toString, randomUUID().toString, randomUUID().toString)
 CacheKeyFromArguments.buildCacheKey {
 Caching.memoizeSyncWithProvider (Some(cacheKey.toString())) (getStaticResourceDocsTTL second) {
- logger.debug(s"Generating OBP Resource Docs requestedApiVersion is $requestedApiVersionString")
+ logger.debug(s"Generating getAllResourceDocsObpCached-Docs requestedApiVersion is $requestedApiVersionString")
 val requestedApiVersion = ApiVersionUtils.valueOf(requestedApiVersionString)
 val dynamicDocs = allDynamicResourceDocs
@@ -723,7 +723,7 @@ trait ResourceDocsAPIMethods extends MdcLoggable with APIMethods220 with APIMeth
 var cacheKey = (randomUUID().toString, randomUUID().toString, randomUUID().toString)
 CacheKeyFromArguments.buildCacheKey {
 Caching.memoizeSyncWithProvider (Some(cacheKey.toString())) (getStaticResourceDocsTTL second) {
- logger.debug(s"Generating Swagger requestedApiVersion is $requestedApiVersionString")
+ logger.debug(s"Generating Swagger-getResourceDocsSwaggerCached requestedApiVersion is $requestedApiVersionString")
 Box.tryo(ApiVersionUtils.valueOf(requestedApiVersionString)) match {
 case Full(requestedApiVersion) =>
diff --git a/obp-api/src/main/scala/code/api/util/APIUtil.scala b/obp-api/src/main/scala/code/api/util/APIUtil.scala
index d871793e2..2268edfe7 100644
--- a/obp-api/src/main/scala/code/api/util/APIUtil.scala
+++ b/obp-api/src/main/scala/code/api/util/APIUtil.scala
@@ -419,7 +419,7 @@ object APIUtil extends MdcLoggable with CustomJsonFormats{
 val implementedInVersion = S.request.openOrThrowException(attemptedToOpenAnEmptyBox).view
 //(GET, POST etc.) --S.request.get.requestType.method
 val verb = S.request.openOrThrowException(attemptedToOpenAnEmptyBox).requestType.method
- val url = S.uriAndQueryString.getOrElse("")
+ val url = ObpS.uriAndQueryString.getOrElse("")
 val correlationId = getCorrelationId()
 //execute saveMetric in future, as we do not need to know result of operation
@@ -899,6 +899,18 @@ object APIUtil extends MdcLoggable with CustomJsonFormats{
 case _ => false
 }
 }
+
+
+ /** only A-Z, a-z, 0-9,-,_,. =, & and max length <= 2048 */
+ def basicUriAndQueryStringValidation(urlString: String): Boolean = {
+ val regex =
+ """^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?""".r
+ val decodeUrlValue = URLDecoder.decode(urlString, "UTF-8").trim()
+ decodeUrlValue match {
+ case regex(_*) if (decodeUrlValue.length <= 2048) => true
+ case _ => false
+ }
+ }
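Review bot: The doc comment on `basicUriAndQueryStringValidation` promises a character whitelist (`A-Z, a-z, 0-9, -, _, ., =, &`) that the regex does not implement: every group in `^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?` is optional and its character classes are negated, so the full-match accepts essentially any string (the only rejection I can see is a line terminator after a `#`), leaving `decodeUrlValue.length <= 2048` as the effective check. Either tighten the pattern to the intended set (plus the `/`, `?`, `:`, `%` and `+` a real path and query string need) or reword the comment to what is actually enforced, so later readers do not rely on a filter that is not there. Separately, `URLDecoder.decode` throws `IllegalArgumentException` on malformed percent-encoding, so such a request raises out of the validator — and therefore out of every `ObpS` call in the metrics and login paths — instead of returning false; wrapping the decode makes the predicate total, as below.
```scala
/** Accepts a value that decodes cleanly and, once decoded and trimmed, is at most
 *  2048 characters long. Returns false rather than throwing on malformed
 *  percent-encoding. The regex only decomposes a generic URI; it does not
 *  restrict the character set. */
def basicUriAndQueryStringValidation(urlString: String): Boolean = {
  val regex =
    """^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?""".r
  scala.util.Try(URLDecoder.decode(urlString, "UTF-8").trim()).toOption.exists { decoded =>
    decoded.length <= 2048 && regex.unapplySeq(decoded).isDefined
  }
}
```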
@@ -3001,7 +3013,7 @@ object APIUtil extends MdcLoggable with CustomJsonFormats{
 val body: Box[String] = getRequestBody(S.request)
 val implementedInVersion = S.request.openOrThrowException(attemptedToOpenAnEmptyBox).view
 val verb = S.request.openOrThrowException(attemptedToOpenAnEmptyBox).requestType.method
- val url = URLDecoder.decode(S.uriAndQueryString.getOrElse(""),"UTF-8")
+ val url = URLDecoder.decode(ObpS.uriAndQueryString.getOrElse(""),"UTF-8")
 val correlationId = getCorrelationId()
 val reqHeaders = S.request.openOrThrowException(attemptedToOpenAnEmptyBox).request.headers
 val remoteIpAddress = getRemoteIpAddress()
diff --git a/obp-api/src/main/scala/code/model/dataAccess/AuthUser.scala b/obp-api/src/main/scala/code/model/dataAccess/AuthUser.scala
index f7d5a387f..de919c28c 100644
--- a/obp-api/src/main/scala/code/model/dataAccess/AuthUser.scala
+++ b/obp-api/src/main/scala/code/model/dataAccess/AuthUser.scala
@@ -744,7 +744,7 @@ import net.liftweb.util.Helpers._
 override def signupXhtml (user:AuthUser) = {
-
+

{signupFormTitle}

{legalNoticeDiv}
@@ -786,13 +786,13 @@ import net.liftweb.util.Helpers._
 def userLoginFailed = {
 logger.info("failed: " + failedLoginRedirect.get)
 // variable redir is from failedLoginRedirect, it is set-up in OAuthAuthorisation.scala as following code:
- // val currentUrl = S.uriAndQueryString.getOrElse("/")
+ // val currentUrl = ObpS.uriAndQueryString.getOrElse("/")
 // AuthUser.failedLoginRedirect.set(Full(Helpers.appendParams(currentUrl, List((FailedLoginParam, "true")))))
 val redir = failedLoginRedirect.get
 //Check the internal redirect, in case for open redirect issue.
 // variable redir is from loginRedirect, it is set-up in OAuthAuthorisation.scala as following code:
- // val currentUrl = S.uriAndQueryString.getOrElse("/")
+ // val currentUrl = ObpS.uriAndQueryString.getOrElse("/")
 // AuthUser.loginRedirect.set(Full(Helpers.appendParams(currentUrl, List((LogUserOutParam, "false")))))
 if (Helper.isValidInternalRedirectUrl(redir.toString)) {
 S.redirectTo(redir.toString)
@@ -1016,7 +1016,7 @@ def restoreSomeSessions(): Unit = {
 }
 //Check the internal redirect, in case for open redirect issue.
 // variable redirect is from loginRedirect, it is set-up in OAuthAuthorisation.scala as following code:
- // val currentUrl = S.uriAndQueryString.getOrElse("/")
+ // val currentUrl = ObpS.uriAndQueryString.getOrElse("/")
 // AuthUser.loginRedirect.set(Full(Helpers.appendParams(currentUrl, List((LogUserOutParam, "false")))))
 def checkInternalRedirectAndLogUserIn(preLoginState: () => Unit, redirect: String, user: AuthUser) = {
 if (Helper.isValidInternalRedirectUrl(redirect)) {
@@ -1573,7 +1573,7 @@ def restoreSomeSessions(): Unit = {
 //Check the internal redirect, in case for open redirect issue.
 // variable redir is from loginRedirect, it is set-up in OAuthAuthorisation.scala as following code:
- // val currentUrl = S.uriAndQueryString.getOrElse("/")
+ // val currentUrl = ObpS.uriAndQueryString.getOrElse("/")
 // AuthUser.loginRedirect.set(Full(Helpers.appendParams(currentUrl, List((LogUserOutParam, "false")))))
 val loginRedirectSave = loginRedirect.is
diff --git a/obp-api/src/main/scala/code/snippet/OAuthAuthorisation.scala b/obp-api/src/main/scala/code/snippet/OAuthAuthorisation.scala
index 17e54c6f7..a5cfe1e08 100644
--- a/obp-api/src/main/scala/code/snippet/OAuthAuthorisation.scala
+++ b/obp-api/src/main/scala/code/snippet/OAuthAuthorisation.scala
@@ -122,7 +122,7 @@ object OAuthAuthorisation {
 S.redirectTo(appendParams(redirectionUrl, redirectionParam))
 }
 } else {
- val currentUrl = S.uriAndQueryString.getOrElse("/")
+ val currentUrl = ObpS.uriAndQueryString.getOrElse("/")
 /*if (AuthUser.loggedIn_?) {
 AuthUser.logUserOut()
 //Bit of a hack here, but for reasons I haven't had time to discover, if this page doesn't get
diff --git a/obp-api/src/main/scala/code/util/Helper.scala b/obp-api/src/main/scala/code/util/Helper.scala
index 1ccd0230f..fdbc0d57a 100644
--- a/obp-api/src/main/scala/code/util/Helper.scala
+++ b/obp-api/src/main/scala/code/util/Helper.scala
@@ -464,6 +464,7 @@ object Helper extends Loggable {
 lazy val result = method.invoke(net.liftweb.http.S, args: _*)
 val methodName = method.getName
+
 if (methodName.equals("param")&&result.isInstanceOf[Box[String]]&&result.asInstanceOf[Box[String]].isDefined) {
 //we provide the basic check for all the parameters
 val resultAfterChecked =
@@ -479,7 +480,15 @@ object Helper extends Loggable {
 result.asInstanceOf[Box[String]].filter(APIUtil.checkMediumString(_)==SILENCE_IS_GOLDEN)
 }
 if(resultAfterChecked.isEmpty) {
- logger.debug(s"ObpS.param validation failed. The input key is: ${if (args.length>0)args.apply(0) else ""}, value is:$result")
+ logger.debug(s"ObpS.${methodName} validation failed. The input key is: ${if (args.length>0)args.apply(0) else ""}, value is:$result")
+ }
+ resultAfterChecked
+ } else if (methodName.equals("uri") && result.isInstanceOf[String] ||
+ methodName.equals("uriAndQueryString") && result.isInstanceOf[Box[String]] && result.asInstanceOf[Box[String]].isDefined ||
+ methodName.equals("queryString") && result.isInstanceOf[Box[String]]&&result.asInstanceOf[Box[String]].isDefined){
+ val resultAfterChecked = result.asInstanceOf[Box[String]].filter(APIUtil.basicUriAndQueryStringValidation(_))
+ if(resultAfterChecked.isEmpty) {
+ logger.debug(s"ObpS.${methodName} validation failed. The value is:$result")
 }
 resultAfterChecked
 } else {
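Review bot: The new branch casts `result.asInstanceOf[Box[String]]` on the `val resultAfterChecked` line, but its first disjunct admits `methodName == "uri"` only when `result.isInstanceOf[String]`, so a call to `ObpS.uri` enters the branch with a plain String and fails with a ClassCastException at that cast rather than being validated. The String case needs its own branch, and since there is no Box to filter, what a rejected uri should become has to be decided explicitly. Two smaller points: `a && b || c && d && e || f && g && h` parses as intended but reads more safely with explicit parentheses, and `isInstanceOf[Box[String]]` is an erased, unchecked test — `Box[_]` says what is actually checked. The enclosing method (apparently a reflective dispatcher onto `S`) starts and ends outside the hunk.
```scala
} else if (methodName.equals("uri") && result.isInstanceOf[String]) {
  // S.uri is a plain String, so it cannot share the Box-based filter below
  val uri = result.asInstanceOf[String]
  if (!APIUtil.basicUriAndQueryStringValidation(uri)) {
    logger.debug(s"ObpS.${methodName} validation failed. The value is:$result")
  }
  // NOTE(review): decide what a rejected uri should map to; there is no Empty for a String
  uri
} else if ((methodName.equals("uriAndQueryString") || methodName.equals("queryString")) &&
           result.isInstanceOf[Box[_]] && result.asInstanceOf[Box[String]].isDefined) {
  val resultAfterChecked = result.asInstanceOf[Box[String]].filter(APIUtil.basicUriAndQueryStringValidation(_))
  // … unchanged: debug log when resultAfterChecked is empty, then return it …
```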