denimgroup / threadfix

ThreadFix is a software vulnerability management platform. This GitHub site is far out of date. Please go to www.threadfix.it for up-to-date information.

WafRule using PATH_LENGTH instead of RULE_LENGTH #1724

Closed davesave closed 8 years ago

davesave commented 8 years ago

Hello,

From an export plugin I'm writing, I tried creating a WafRule that's bigger than 1024 and got an Exception.

Commit: 3bead86
Diagnostics: 548 megabytes memory available out of 4 gigabytes. 126 gigabytes disk space available.

javax.validation.ConstraintViolationException: Validation failed for classes [com.denimgroup.threadfix.data.entities.WafRule] during persist time for groups [javax.validation.groups.Default, ]
List of constraint violations:[
    ConstraintViolationImpl{interpolatedMessage='This field has a maximum length of  1024.', propertyPath=rule, rootBeanClass=class com.denimgroup.threadfix.data.entities.WafRule, messageTemplate='{errors.maxlength} 1024.'}
]
    at org.hibernate.cfg.beanvalidation.BeanValidationEventListener.validate(BeanValidationEventListener.java:161)
    at org.hibernate.cfg.beanvalidation.BeanValidationEventListener.onPreInsert(BeanValidationEventListener.java:94)
    at org.hibernate.action.EntityIdentityInsertAction.preInsert(EntityIdentityInsertAction.java:160)
    at org.hibernate.action.EntityIdentityInsertAction.execute(EntityIdentityInsertAction.java:65)
    at org.hibernate.engine.ActionQueue.execute(ActionQueue.java:273)
    at org.hibernate.event.def.AbstractSaveEventListener.performSaveOrReplicate(AbstractSaveEventListener.java:320)
    at org.hibernate.event.def.AbstractSaveEventListener.performSave(AbstractSaveEventListener.java:203)
    at org.hibernate.event.def.AbstractSaveEventListener.saveWithGeneratedId(AbstractSaveEventListener.java:129)
    at org.hibernate.event.def.DefaultSaveOrUpdateEventListener.saveWithGeneratedOrRequestedId(DefaultSaveOrUpdateEventListener.java:210)
    at org.hibernate.event.def.DefaultSaveOrUpdateEventListener.entityIsTransient(DefaultSaveOrUpdateEventListener.java:195)
    at org.hibernate.event.def.DefaultSaveOrUpdateEventListener.performSaveOrUpdate(DefaultSaveOrUpdateEventListener.java:117)
    at org.hibernate.event.def.DefaultSaveOrUpdateEventListener.onSaveOrUpdate(DefaultSaveOrUpdateEventListener.java:93)
    at org.hibernate.impl.SessionImpl.fireSaveOrUpdate(SessionImpl.java:685)
    at org.hibernate.impl.SessionImpl.saveOrUpdate(SessionImpl.java:677)
    at org.hibernate.impl.SessionImpl.saveOrUpdate(SessionImpl.java:673)
    at com.denimgroup.threadfix.data.dao.AbstractObjectDao.saveOrUpdate(AbstractObjectDao.java:81)
    at com.denimgroup.threadfix.data.dao.AbstractObjectDao.saveOrUpdate(AbstractObjectDao.java:35)
    at sun.reflect.GeneratedMethodAccessor86.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
    at org.springframework.dao.support.PersistenceExceptionTranslationInterceptor.invoke(PersistenceExceptionTranslationInterceptor.java:136)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
    at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:281)
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:207)
    at com.sun.proxy.$Proxy93.saveOrUpdate(Unknown Source)
    at com.denimgroup.threadfix.service.WafServiceImpl.saveOrUpdateRules(WafServiceImpl.java:199)
    at com.denimgroup.threadfix.service.WafServiceImpl.generateWafRules(WafServiceImpl.java:141)
    at com.denimgroup.threadfix.service.WafServiceImpl.generateWafRules(WafServiceImpl.java:185)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
    at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
    at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:281)
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
davesave commented 8 years ago

Found a problem with your hibernate @Size def above:

    @NotEmpty(message = "{errors.required}")
    @Size(max = PATH_LENGTH, message = "{errors.maxlength} " + PATH_LENGTH + ".")
    private String rule;

And it should be:

    @NotEmpty(message = "{errors.required}")
    @Size(max = RULE_LENGTH, message = "{errors.maxlength} " + RULE_LENGTH + ".")
    private String rule;
d-maldonado commented 8 years ago

Dave,

Thank you for pointing this out! A fix will be applied shortly.

Daniel Maldonado

davesave commented 8 years ago

Thanks!

davesave commented 8 years ago

Great! Thanks for the quick fix.

I noticed that when trying to delete a scan (and after creating WAF rules) the same problem occurs in the class DeletedWafRule, which has the same problem:

    @NotEmpty(message = "{errors.required}")
    @Size(max = WafRule.PATH_LENGTH, message = "{errors.maxlength} " + WafRule.PATH_LENGTH + ".")
    private String rule;
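The two comments above show the same copy-paste mistake in two entities (`WafRule` and `DeletedWafRule`): the `rule` field is validated against `PATH_LENGTH` instead of `RULE_LENGTH`, so any generated WAF rule longer than 1024 characters is rejected at persist time, and the rule never reaches the WAF export. The following is an added example, not code from the ThreadFix project: a small reflection-based check that walks a set of entity classes and reports every `rule` field whose `@Size(max = ...)` does not equal `RULE_LENGTH`. The entity stand-ins and the constant values are assumptions for the example (the page only shows that the limit hit was 1024); it compiles with the Bean Validation API (`javax.validation`) on the classpath.

```java
import javax.validation.constraints.Size;
import java.lang.reflect.Field;
import java.util.ArrayList;
import java.util.List;

public class RuleLengthConstraintCheck {

    // Stand-ins for the entity constants named in the issue. Values are assumed
    // for this example; the page only shows that PATH_LENGTH-based validation
    // rejected a rule longer than 1024 characters.
    static final int PATH_LENGTH = 1024;
    static final int RULE_LENGTH = 8192;

    // Minimal stand-ins for the entities discussed above (not the real classes).
    // The two "Buggy" versions reproduce the mix-up; "Fixed" shows the intended constraint.
    static class BuggyWafRule {
        @Size(max = PATH_LENGTH, message = "{errors.maxlength} " + PATH_LENGTH + ".")
        private String rule;
    }

    static class BuggyDeletedWafRule {
        @Size(max = PATH_LENGTH, message = "{errors.maxlength} " + PATH_LENGTH + ".")
        private String rule;
    }

    static class FixedWafRule {
        @Size(max = RULE_LENGTH, message = "{errors.maxlength} " + RULE_LENGTH + ".")
        private String rule;
    }

    /**
     * Returns one "Class#rule: ..." line per entity whose 'rule' field is either
     * missing @Size or carries a max different from RULE_LENGTH. An empty list
     * means every entity validates the rule text against the same limit.
     */
    static List<String> findMismatchedRuleFields(Class<?>... entities) {
        List<String> problems = new ArrayList<>();
        for (Class<?> entity : entities) {
            for (Field f : entity.getDeclaredFields()) {
                if (!"rule".equals(f.getName())) {
                    continue;
                }
                // @Size has RUNTIME retention, so it is visible through reflection.
                Size size = f.getAnnotation(Size.class);
                if (size == null) {
                    problems.add(entity.getSimpleName() + "#rule: no @Size constraint");
                } else if (size.max() != RULE_LENGTH) {
                    problems.add(entity.getSimpleName() + "#rule: @Size(max=" + size.max()
                            + ") but RULE_LENGTH is " + RULE_LENGTH);
                }
            }
        }
        return problems;
    }

    public static void main(String[] args) {
        List<String> problems = findMismatchedRuleFields(
                BuggyWafRule.class, BuggyDeletedWafRule.class, FixedWafRule.class);
        for (String p : problems) {
            System.out.println("MISMATCH " + p);
        }
        // Two mismatches are expected for the stand-ins above; in a real build this
        // check would run against every entity that stores rule text and fail the
        // build when the list is not empty.
        if (!problems.isEmpty()) {
            System.exit(1);
        }
    }
}
```

Running the check against the entity package (rather than the stand-ins) would have flagged both classes at once instead of relying on a second bug report after the first fix. The limit used in `@Size` should also match the column length in the database schema: a validator limit below the column length rejects legitimate rules before they are stored, while one above it only moves the failure into the database insert.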
d-maldonado commented 8 years ago

Dave,

Thank you for bringing this to our attention as well. We will provide a fix shortly.

Daniel Maldonado