Merge pull request #179 from markgcera/Add-JsonInjectionParser

Add JsonInjectionParser class and its test classes.
AY2324S1-CS2103T-F10-1 · Oct 30, 2023 · 3836985 · 3836985
2 parents ba9bc2f + 5a5b1e9
commit 3836985
Show file tree

Hide file tree

Showing 5 changed files with 85 additions and 1 deletion.
diff --git a/src/main/java/seedu/address/logic/parser/BookingBookParser.java b/src/main/java/seedu/address/logic/parser/BookingBookParser.java
@@ -31,6 +31,7 @@ public class BookingBookParser {
      */
     private static final Pattern BASIC_COMMAND_FORMAT = Pattern.compile("(?<commandWord>\\S+)(?<arguments>.*)");
     private static final Logger logger = LogsCenter.getLogger(BookingBookParser.class);
+    private static final JsonInjectionParser inputSanitiser = new JsonInjectionParser();
 
     /**
      * Parses user input into command for execution.
@@ -40,6 +41,7 @@ public class BookingBookParser {
      * @throws ParseException if the user input does not conform the expected format
      */
     public Command parseCommand(String userInput) throws ParseException {
+        inputSanitiser.parse(userInput);
         final Matcher matcher = BASIC_COMMAND_FORMAT.matcher(userInput.trim());
         if (!matcher.matches()) {
             throw new ParseException(String.format(MESSAGE_INVALID_COMMAND_FORMAT, HelpCommand.MESSAGE_USAGE));

diff --git a/src/main/java/seedu/address/logic/parser/JsonInjectionParser.java b/src/main/java/seedu/address/logic/parser/JsonInjectionParser.java
@@ -0,0 +1,35 @@
+package seedu.address.logic.parser;
+
+import java.util.Arrays;
+
+import seedu.address.logic.parser.exceptions.ParseException;
+
+/**
+ * This class handles the sanitisation of user input to prevent any possible JSON injections.
+ */
+public class JsonInjectionParser {
+    // List of possible JSON commands.
+    private final String quote = "\'";
+    private final String hexEscape = "\\x";
+    private final String octalEscape = "\\0";
+    private final String comma = ",";
+    private final String openParentheses = "(";
+    private final String closedParentheses = ")";
+    private final String openCurlyBrackets = "{";
+    private final String closedCurlyBrackets = "}";
+    private String[] wordsToSanitise =
+            new String[]{quote, hexEscape, octalEscape, comma, openParentheses, closedParentheses,
+                openCurlyBrackets, closedCurlyBrackets};
+
+    /**
+     * This method parses the user input.
+     * @param args The String input from the user.
+     * @throws ParseException The exception with the message ot the user to not include characters that could
+     *     form a JSON command.
+     */
+    public void parse(String args) throws ParseException {
+        if (Arrays.stream(wordsToSanitise).anyMatch(args::contains)) {
+            throw new ParseException("Please do not input JSON like content");
+        }
+    }
+}
diff --git a/src/main/java/seedu/address/logic/parser/UnflagCommandParser.java b/src/main/java/seedu/address/logic/parser/UnflagCommandParser.java
@@ -8,7 +8,7 @@
 /**
  * Parses input arguments and creates a new UnflagCommand object
  */
-public class UnflagCommandParser {
+public class UnflagCommandParser implements Parser<UnflagCommand> {
     /**
      * Parses the given {@code String} of arguments in the context of the UnflagCommand
      * and returns a UnflagCommand object for execution.

diff --git a/src/test/java/seedu/address/logic/parser/JsonInjectionParserTest.java b/src/test/java/seedu/address/logic/parser/JsonInjectionParserTest.java
@@ -0,0 +1,34 @@
+package seedu.address.logic.parser;
+
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import org.junit.jupiter.api.Test;
+
+import seedu.address.logic.parser.exceptions.ParseException;
+
+public class JsonInjectionParserTest {
+    private static final JsonInjectionParser parser = new JsonInjectionParser();
+
+    @Test
+    public void parse_singleInvalidInput_throwsException() {
+        String testString = "This is a te'st input";
+        Exception exception = assertThrows(ParseException.class, () -> {
+            parser.parse(testString);
+        });
+        String expectedMessage = "Please do not input JSON like content";
+        String actualMessage = exception.getMessage();
+        assertTrue(actualMessage.contains(expectedMessage));
+    }
+
+    @Test
+    public void parse_multipleInvalidInputs_throwsException() {
+        String testString = "This \\x0 is a te'st inp:ut()";
+        Exception exception = assertThrows(ParseException.class, () -> {
+            parser.parse(testString);
+        });
+        String expectedMessage = "Please do not input JSON like content";
+        String actualMessage = exception.getMessage();
+        assertTrue(actualMessage.contains(expectedMessage));
+    }
+}
diff --git a/src/test/java/seedu/address/logic/parser/UnflagCommandParserTest.java b/src/test/java/seedu/address/logic/parser/UnflagCommandParserTest.java
@@ -1,4 +1,17 @@
 package seedu.address.logic.parser;
 
+import static seedu.address.logic.Messages.MESSAGE_INVALID_COMMAND_FORMAT;
+import static seedu.address.logic.parser.CommandParserTestUtil.assertParseFailure;
+
+import org.junit.jupiter.api.Test;
+
+import seedu.address.logic.commands.UnflagCommand;
+
 public class UnflagCommandParserTest {
+    private UnflagCommandParser parser = new UnflagCommandParser();
+    @Test
+    public void parse_emptyArg_throwsParseException() {
+        assertParseFailure(parser, "     ", String.format(MESSAGE_INVALID_COMMAND_FORMAT,
+                UnflagCommand.MESSAGE_USAGE));
+    }
 }