[ISSUE #10734] Implement http request param check filter and http param extractors

config/src/main/java/com/alibaba/nacos/config/server/configuration/NacosConfigConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2018 Alibaba Group Holding Ltd.
+ * Copyright 1999-2023 Alibaba Group Holding Ltd.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,8 +16,9 @@
 
 package com.alibaba.nacos.config.server.configuration;
 
-import com.alibaba.nacos.config.server.filter.NacosWebFilter;
 import com.alibaba.nacos.config.server.filter.CircuitFilter;
+import com.alibaba.nacos.config.server.filter.ConfigParamCheckFilter;
+import com.alibaba.nacos.config.server.filter.NacosWebFilter;
 import com.alibaba.nacos.persistence.configuration.condition.ConditionDistributedEmbedStorage;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
@@ -65,4 +66,19 @@ public CircuitFilter transferToLeader() {
         return new CircuitFilter();
     }
 
+    @Bean
+    public FilterRegistrationBean<ConfigParamCheckFilter> configParamCheckFilterRegistration() {
+        FilterRegistrationBean<ConfigParamCheckFilter> registration = new FilterRegistrationBean<>();
+        registration.setFilter(configParamCheckFilter());
+        registration.addUrlPatterns("/v1/cs/*");
+        registration.addUrlPatterns("/v2/cs/*");
+        registration.setName("configparamcheckfilter");
+        registration.setOrder(8);
+        return registration;
+    }
+
+    @Bean
+    public ConfigParamCheckFilter configParamCheckFilter() {
+        return new ConfigParamCheckFilter();
+    }
 }

config/src/main/java/com/alibaba/nacos/config/server/filter/ConfigParamCheckFilter.java

@@ -0,0 +1,66 @@
+/*
+ * Copyright 1999-2023 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.config.server.filter;
+
+import com.alibaba.nacos.core.paramcheck.AbstractHttpParamExtractor;
+import com.alibaba.nacos.core.paramcheck.HttpParamExtractorManager;
+import com.alibaba.nacos.sys.env.EnvUtil;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.io.PrintWriter;
+
+/**
+ * Config param check filter.
+ *
+ * @author zhuoguang
+ */
+public class ConfigParamCheckFilter implements Filter {
+
+    private static final String MODULE = "config";
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+            throws IOException, ServletException {
+        boolean ifParamCheck = EnvUtil.getProperty("nacos.paramcheck", Boolean.class, true);
+        if (!ifParamCheck) {
+            chain.doFilter(request, response);
+            return;
+        }
+        HttpServletRequest req = (HttpServletRequest) request;
+        HttpServletResponse resp = (HttpServletResponse) response;
+        try {
+            String uri = req.getRequestURI();
+            String method = req.getMethod();
+            HttpParamExtractorManager extractorManager = HttpParamExtractorManager.getInstance();
+            AbstractHttpParamExtractor paramExtractor = extractorManager.getExtractor(uri, method, MODULE);
+            paramExtractor.extractParamAndCheck(req);
+            chain.doFilter(req, resp);
+        } catch (Exception e) {
+            resp.setStatus(400);
+            PrintWriter writer = resp.getWriter();
+            writer.print(e.getMessage());
+            writer.flush();
+        }
+    }
+}

config/src/main/java/com/alibaba/nacos/config/server/paramcheck/ConfigDefaultHttpParamExtractor.java

@@ -0,0 +1,73 @@
+/*
+ * Copyright 1999-2023 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.config.server.paramcheck;
+
+import com.alibaba.nacos.common.paramcheck.ParamCheckUtils;
+import com.alibaba.nacos.common.paramcheck.ParamInfo;
+import com.alibaba.nacos.common.utils.StringUtils;
+import com.alibaba.nacos.core.paramcheck.AbstractHttpParamExtractor;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * Config default http param extractor.
+ *
+ * @author zhuoguang
+ */
+public class ConfigDefaultHttpParamExtractor extends AbstractHttpParamExtractor {
+
+    @Override
+    public void init() {
+        addDefaultTargetRequest("config");
+    }
+
+    @Override
+    public void extractParamAndCheck(HttpServletRequest request) {
+        ParamInfo paramInfo = new ParamInfo();
+        paramInfo.setNamespaceId(getAliasNamespaceId(request));
+        paramInfo.setDataId(getAliasDataId(request));
+        paramInfo.setGroup(getAliasGroup(request));
+        paramInfo.setIp(getAliasIp(request));
+        ParamCheckUtils.checkParamInfoFormat(paramInfo);
+    }
+
+    private String getAliasNamespaceId(HttpServletRequest request) {
+        String namespaceid = request.getParameter("namespaceId");
+        if (StringUtils.isBlank(namespaceid)) {
+            namespaceid = request.getParameter("tenant");
+        }
+        if (StringUtils.isBlank(namespaceid)) {
+            namespaceid = request.getParameter("namespace");
+        }
+        return namespaceid;
+    }
+
+    private String getAliasDataId(HttpServletRequest request) {
+        String dataid = request.getParameter("dataId");
+        return dataid;
+    }
+
+    private String getAliasGroup(HttpServletRequest request) {
+        String group = request.getParameter("group");
+        return group;
+    }
+
+    private String getAliasIp(HttpServletRequest request) {
+        String ip = request.getParameter("ip");
+        return ip;
+    }
+}

config/src/main/java/com/alibaba/nacos/config/server/paramcheck/ConfigListenerHttpParamExtractor.java

@@ -0,0 +1,70 @@
+/*
+ * Copyright 1999-2023 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.config.server.paramcheck;
+
+import com.alibaba.nacos.common.paramcheck.ParamCheckUtils;
+import com.alibaba.nacos.common.paramcheck.ParamInfo;
+import com.alibaba.nacos.common.utils.HttpMethod;
+import com.alibaba.nacos.common.utils.StringUtils;
+import com.alibaba.nacos.config.server.constant.Constants;
+import com.alibaba.nacos.core.paramcheck.AbstractHttpParamExtractor;
+
+import javax.servlet.http.HttpServletRequest;
+import java.net.URLDecoder;
+
+/**
+ * ConfigListener http param extractor.
+ *
+ * @author zhuoguang
+ */
+public class ConfigListenerHttpParamExtractor extends AbstractHttpParamExtractor {
+
+    static final char WORD_SEPARATOR_CHAR = (char) 2;
+
+    static final char LINE_SEPARATOR_CHAR = (char) 1;
+
+    @Override
+    public void init() {
+        addTargetRequest(Constants.CONFIG_CONTROLLER_PATH + "/listener", HttpMethod.POST);
+    }
+
+    @Override
+    public void extractParamAndCheck(HttpServletRequest request) throws Exception {
+        String listenConfigs = request.getParameter("Listening-Configs");
+        if (StringUtils.isBlank(listenConfigs)) {
+            return;
+        }
+        listenConfigs = URLDecoder.decode(listenConfigs, Constants.ENCODE);
+        if (StringUtils.isBlank(listenConfigs)) {
+            return;
+        }
+        String[] lines = listenConfigs.split(Character.toString(LINE_SEPARATOR_CHAR));
+        for (String line : lines) {
+            ParamInfo paramInfo = new ParamInfo();
+            String[] words = line.split(Character.toString(WORD_SEPARATOR_CHAR));
+            if (words.length < 3 || words.length > 4) {
+                throw new IllegalArgumentException("invalid probeModify");
+            }
+            paramInfo.setDataId(words[0]);
+            paramInfo.setGroup(words[1]);
+            if (words.length == 4) {
+                paramInfo.setNamespaceId(words[3]);
+            }
+            ParamCheckUtils.checkParamInfoFormat(paramInfo);
+        }
+    }
+}

config/src/main/resources/META-INF/services/com.alibaba.nacos.core.paramcheck.AbstractHttpParamExtractor

@@ -0,0 +1,18 @@
+#
+# Copyright 1999-2023 Alibaba Group Holding Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+com.alibaba.nacos.config.server.paramcheck.ConfigDefaultHttpParamExtractor
+com.alibaba.nacos.config.server.paramcheck.ConfigListenerHttpParamExtractor

config/src/test/java/com/alibaba/nacos/config/server/paramcheck/ConfigDefaultHttpParamExtractorTest.java

@@ -0,0 +1,46 @@
+/*
+ * Copyright 1999-2023 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.config.server.paramcheck;
+
+import com.alibaba.nacos.common.utils.HttpMethod;
+import com.alibaba.nacos.core.paramcheck.AbstractHttpParamExtractor;
+import com.alibaba.nacos.core.paramcheck.HttpParamExtractorManager;
+import org.junit.Test;
+import org.springframework.mock.web.MockHttpServletRequest;
+
+import static org.junit.Assert.assertEquals;
+
+/**
+ * The type Config default http param extractor test.
+ *
+ * @author zhuoguang
+ */
+public class ConfigDefaultHttpParamExtractorTest {
+
+    /**
+     * Extract param and check.
+     */
+    @Test
+    public void extractParamAndCheck() {
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.setRequestURI("/nacos/v1/cs/testst");
+        request.setMethod(HttpMethod.PUT);
+        HttpParamExtractorManager manager = HttpParamExtractorManager.getInstance();
+        AbstractHttpParamExtractor extractor = manager.getExtractor(request.getRequestURI(), request.getMethod(), "config");
+        assertEquals(ConfigDefaultHttpParamExtractor.class.getSimpleName(), extractor.getClass().getSimpleName());
+    }
+}

config/src/test/java/com/alibaba/nacos/config/server/paramcheck/ConfigListenerHttpParamExtractorTest.java

@@ -0,0 +1,44 @@
+/*
+ * Copyright 1999-2023 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.config.server.paramcheck;
+
+import com.alibaba.nacos.common.utils.HttpMethod;
+import com.alibaba.nacos.config.server.constant.Constants;
+import com.alibaba.nacos.core.paramcheck.AbstractHttpParamExtractor;
+import com.alibaba.nacos.core.paramcheck.HttpParamExtractorManager;
+import org.junit.Test;
+import org.springframework.mock.web.MockHttpServletRequest;
+
+import static org.junit.Assert.assertEquals;
+
+/**
+ * The type Config listener http param extractor test.
+ *
+ * @author zhuoguang
+ */
+public class ConfigListenerHttpParamExtractorTest {
+
+    @Test
+    public void extractParamAndCheck() {
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.setRequestURI("/nacos" + Constants.CONFIG_CONTROLLER_PATH + "/listener");
+        request.setMethod(HttpMethod.POST);
+        HttpParamExtractorManager manager = HttpParamExtractorManager.getInstance();
+        AbstractHttpParamExtractor extractor = manager.getExtractor(request.getRequestURI(), request.getMethod(), "config");
+        assertEquals(ConfigListenerHttpParamExtractor.class.getSimpleName(), extractor.getClass().getSimpleName());
+    }
+}