Issue 54218: Escape special characters in form field names

Author: labkey-nicka

api/src/org/labkey/api/assay/AssayFileWriter.java

@@ -24,6 +24,7 @@
 import org.labkey.api.audit.provider.FileSystemAuditProvider;
 import org.labkey.api.collections.CollectionUtils;
 import org.labkey.api.data.Container;
+import org.labkey.api.data.TableViewForm;
 import org.labkey.api.exp.ExperimentException;
 import org.labkey.api.exp.api.ExpProtocol;
 import org.labkey.api.pipeline.PipeRoot;
@@ -40,9 +41,11 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.ArrayDeque;
+import java.util.ArrayList;
+import java.util.Collections;
 import java.util.Deque;
+import java.util.HashMap;
 import java.util.HashSet;
-import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -229,72 +232,84 @@ public String getFileName(MultipartFile file)
 
     public Map<String, FileLike> savePostedFiles(ContextType context, @NotNull Set<String> parameterNames, boolean allowMultiple, boolean ensureExpData) throws ExperimentException, IOException
     {
+        if (!(context.getRequest() instanceof MultipartHttpServletRequest multipartRequest))
+            return Collections.emptyMap();
+
         Map<String, FileLike> files = CollectionUtils.enforceValueClass(new TreeMap<>(), FileLike.class);
         Set<String> originalFileNames = new HashSet<>();
-        if (context.getRequest() instanceof MultipartHttpServletRequest multipartRequest)
+        Map<String, String> encodedParameterNames = new HashMap<>();
+        for (String parameterName : parameterNames)
+            encodedParameterNames.put(TableViewForm.getMultiPartFormFieldNameForColumn(parameterName), parameterName);
+
+        Deque<FileLike> overflowFiles = new ArrayDeque<>();  // using a deque for easy removal of single elements
+        Set<String> unusedParameterNames = new HashSet<>(parameterNames);
+        List<FileSystemAuditProvider.FileSystemAuditEvent> auditEvents = new ArrayList<>();
+
+        for (Map.Entry<String, List<MultipartFile>> entry : multipartRequest.getMultiFileMap().entrySet())
         {
-            Iterator<Map.Entry<String, List<MultipartFile>>> iter = multipartRequest.getMultiFileMap().entrySet().iterator();
-            Deque<FileLike> overflowFiles = new ArrayDeque<>();  // using a deque for easy removal of single elements
-            Set<String> unusedParameterNames = new HashSet<>(parameterNames);
-            while (iter.hasNext())
+            if (!(encodedParameterNames.containsKey(entry.getKey()) || parameterNames.contains(entry.getKey())))
+                continue;
+
+            boolean isAfterFirstFile = false;
+            for (MultipartFile multipartFile : entry.getValue())
             {
-                Map.Entry<String, List<MultipartFile>> entry = iter.next();
-                if (parameterNames.contains(entry.getKey()))
+                String fileName = getFileName(multipartFile);
+                if (!fileName.isEmpty() && !originalFileNames.add(fileName))
+                    throw new ExperimentException("The file '" + fileName + " ' was uploaded twice - all files must be unique");
+
+                if (multipartFile.isEmpty())
+                    continue;
+
+                FileLike dir = getFileTargetDir(context);
+                FileLike file = FileUtil.findUniqueFileName(fileName, dir);
+                multipartFile.transferTo(toFileForWrite(file));
+                if (!dir.toURI().getPath().contains(TEMP_DIR_NAME))
                 {
-                    List<MultipartFile> multipartFiles = entry.getValue();
-                    boolean isAfterFirstFile = false;
-                    for (MultipartFile multipartFile : multipartFiles)
-                    {
-                        String fileName = getFileName(multipartFile);
-                        if (!fileName.isEmpty() && !originalFileNames.add(fileName))
-                        {
-                            throw new ExperimentException("The file '" + fileName + " ' was uploaded twice - all files must be unique");
-                        }
-                        if (!multipartFile.isEmpty())
-                        {
-                            FileLike dir = getFileTargetDir(context);
-                            FileLike file = FileUtil.findUniqueFileName(fileName, dir);
-                            multipartFile.transferTo(toFileForWrite(file));
-                            if (!dir.toURI().getPath().contains(TEMP_DIR_NAME))
-                            {
-                                FileSystemAuditProvider.FileSystemAuditEvent event = new FileSystemAuditProvider.FileSystemAuditEvent(context.getContainer(), allowMultiple ? "File field provided for assay import" : "Primary file provided for assay import");
-                                event.setProvidedFileName(fileName);
-                                event.setFile(file.getName());
-                                event.setDirectory(dir.toURI().getPath());
-                                AuditLogService.get().addEvent(context.getUser(), event);
-                            }
-                            if (!isAfterFirstFile)  // first file gets stored with multipartFile's name
-                            {
-                                files.put(multipartFile.getName(), file);
-                                isAfterFirstFile = true;
-                                unusedParameterNames.remove(multipartFile.getName());
-                            }
-                            else  // other files get stored in leftover keys later to store only one file per key (bit of a hack)
-                            {
-                                overflowFiles.add(file);
-                            }
-
-                            if (ensureExpData)
-                                AbstractQueryUpdateService.ensureExpData(context.getUser(), context.getContainer(), toFileForWrite(file));
-                        }
-                    }
+                    FileSystemAuditProvider.FileSystemAuditEvent event = new FileSystemAuditProvider.FileSystemAuditEvent(context.getContainer(), allowMultiple ? "File field provided for assay import" : "Primary file provided for assay import");
+                    event.setProvidedFileName(fileName);
+                    event.setFile(file.getName());
+                    event.setDirectory(dir.toURI().getPath());
+                    auditEvents.add(event);
                 }
-            }
-            // now process overflow files, if any
-            for (String unusedParameterName : unusedParameterNames)
-            {
-                if (overflowFiles.isEmpty())
-                    break;  // we're done
-                else
+                if (!isAfterFirstFile)  // first file gets stored with multipartFile's name
                 {
-                    files.put(unusedParameterName, overflowFiles.remove());
+                    String name = multipartFile.getName();
+                    String param = encodedParameterNames.get(name);
+                    if (param == null && parameterNames.contains(name))
+                        param = name;
+                    if (param == null)
+                        throw new ExperimentException("No parameter name found for multipart file '" + name + "'");
+
+                    files.put(param, file);
+                    isAfterFirstFile = true;
+                    unusedParameterNames.remove(param);
                 }
+                else  // other files get stored in leftover keys later to store only one file per key (bit of a hack)
+                {
+                    overflowFiles.add(file);
+                }
+
+                if (ensureExpData)
+                    AbstractQueryUpdateService.ensureExpData(context.getUser(), context.getContainer(), toFileForWrite(file));
             }
+        }
+
+        if (!auditEvents.isEmpty())
+            AuditLogService.get().addEvents(context.getUser(), auditEvents);
 
-            if (!overflowFiles.isEmpty() && !allowMultiple)  // too many files; shouldn't happen, but if it does, throw an error
-                throw new ExperimentException("Tried to save too many files: number of keys is " + parameterNames.size() +
-                        ", but " + overflowFiles.size() + " extra file(s) were found.");
+        // now process overflow files, if any
+        for (String unusedParameterName : unusedParameterNames)
+        {
+            if (overflowFiles.isEmpty())
+                break;  // we're done
+
+            files.put(unusedParameterName, overflowFiles.remove());
         }
+
+        if (!overflowFiles.isEmpty() && !allowMultiple)  // too many files; shouldn't happen, but if it does, throw an error
+            throw new ExperimentException("Tried to save too many files: number of keys is " + parameterNames.size() +
+                    ", but " + overflowFiles.size() + " extra file(s) were found.");
+
         return files;
     }
 

api/src/org/labkey/api/data/TableViewForm.java

@@ -31,6 +31,7 @@
 import org.labkey.api.action.NullSafeBindException;
 import org.labkey.api.action.SpringActionController;
 import org.labkey.api.collections.CaseInsensitiveHashMap;
+import org.labkey.api.dataiterator.DataIteratorUtil;
 import org.labkey.api.ontology.Quantity;
 import org.labkey.api.security.permissions.DeletePermission;
 import org.labkey.api.security.permissions.InsertPermission;
@@ -759,20 +760,64 @@ private String getPropertyCaption(String propName)
         return null==column ? propName : column.getLabel();
     }
 
+    // RFC 2616 / RFC 7230: Escape characters inside the field name
+    private static final char BACKSLASH = '\\';
+    private static final String SPECIAL_CHARS = BACKSLASH + "\";=,";
+
+    public static String getFormFieldNameForColumn(@NotNull String columnName)
+    {
+        StringBuilder sb = new StringBuilder();
+        for (char c : columnName.toCharArray())
+        {
+            if (SPECIAL_CHARS.indexOf(c) >= 0)
+                sb.append(BACKSLASH);
+            sb.append(c);
+        }
+
+        return sb.toString();
+    }
+
     public String getFormFieldName(@NotNull ColumnInfo column)
     {
-        return column.getName();
+        return getFormFieldNameForColumn(column.getName());
+    }
+
+    public static String getMultiPartFormFieldNameForColumn(@NotNull String columnName)
+    {
+        return DataIteratorUtil.MatchType.multiPartFormData.getMatchedName(getFormFieldNameForColumn(columnName));
     }
 
     public String getMultiPartFormFieldName(@NotNull ColumnInfo column)
     {
-        return getFormFieldName(column);
+        return getMultiPartFormFieldNameForColumn(column.getName());
     }
 
     @Nullable
-    public ColumnInfo getColumnByFormFieldName(@NotNull String name)
+    public ColumnInfo getColumnByFormFieldName(@NotNull String fieldName)
     {
-        return null == getTable() ? null : getTable().getColumn(name);
+        if (null == getTable())
+            return null;
+
+        StringBuilder sb = new StringBuilder(fieldName.length());
+        boolean escaping = false;
+        for (char c : fieldName.toCharArray())
+        {
+            if (escaping)
+            {
+                sb.append(c);
+                escaping = false;
+            }
+            else if (c == BACKSLASH)
+                escaping = true;
+            else
+                sb.append(c);
+        }
+
+        // Issue 54094: Ensure it works when backslash is the last character
+        if (escaping)
+            sb.append(BACKSLASH);
+
+        return getTable().getColumn(sb.toString());
     }
 
     @Override

api/src/org/labkey/api/query/QueryUpdateForm.java

@@ -21,7 +21,6 @@
 import org.labkey.api.data.ColumnInfo;
 import org.labkey.api.data.TableInfo;
 import org.labkey.api.data.TableViewForm;
-import org.labkey.api.dataiterator.DataIteratorUtil;
 import org.labkey.api.view.ViewContext;
 import org.springframework.validation.BindException;
 
@@ -68,10 +67,6 @@ public QueryUpdateForm(@NotNull TableInfo table, @NotNull ViewContext ctx, @Null
         }
     }
 
-    // RFC 2616 / RFC 7230: Escape characters inside the field name
-    private static final char BACKSLASH = '\\';
-    private static final String SPECIAL_CHARS = BACKSLASH + "\";=,";
-
     @Override
     @Nullable
     public ColumnInfo getColumnByFormFieldName(@NotNull String fieldName)
@@ -81,47 +76,13 @@ public ColumnInfo getColumnByFormFieldName(@NotNull String fieldName)
 
         var columnName = _ignorePrefix ? fieldName : fieldName.substring(PREFIX.length());
 
-        StringBuilder sb = new StringBuilder(columnName.length());
-        boolean escaping = false;
-        for (char c : columnName.toCharArray())
-        {
-            if (escaping)
-            {
-                sb.append(c);
-                escaping = false;
-            }
-            else if (c == BACKSLASH)
-                escaping = true;
-            else
-                sb.append(c);
-        }
-
-        // Issue 54094: Ensure it works when backslash is the last character
-        if (escaping)
-            sb.append(BACKSLASH);
-
-        return getTable().getColumn(sb.toString());
+        return super.getColumnByFormFieldName(columnName);
     }
 
     @Override
     public String getFormFieldName(@NotNull ColumnInfo column)
     {
-        String columnName = column.getName();
-        StringBuilder sb = new StringBuilder();
-        for (char c : columnName.toCharArray())
-        {
-            if (SPECIAL_CHARS.indexOf(c) >= 0)
-                sb.append(BACKSLASH);
-            sb.append(c);
-        }
-
-        String fieldName = sb.toString();
+        String fieldName = super.getFormFieldName(column);
         return _ignorePrefix ? fieldName : PREFIX + fieldName;
     }
-
-    @Override
-    public String getMultiPartFormFieldName(@NotNull ColumnInfo column)
-    {
-        return DataIteratorUtil.MatchType.multiPartFormData.getMatchedName(getFormFieldName(column));
-    }
 }