RANGER-5513:Enhance Ranger lookup API input validation (#880)

* RANGER-5513:Enhance Ranger lookup API input validation

* RANGER-5513:Enhance Ranger lookup API input validation - fixed copilot comments

* RANGER-5513:Enhance Ranger lookup API input validation - fixed copilot comments #2 set

* RANGER-5513:Enhance Ranger lookup API input validation - fixed copilot comments #3 set

* RANGER-5513:Enhance Ranger lookup API input validation - fixed copilot comments #4 set

* RANGER-5513:Enhance Ranger lookup API input validation - exception propagation issue fix

* RANGER-5513:Enhance Ranger lookup API input validation - hiveclient hms api call validation fix

* RANGER-5513:Enhance Ranger lookup API input validation - remove hadoopexception dependency on schemaregistry client

* RANGER-5513:Enhance Ranger lookup API input validation - HBase lookup issue fix

* RANGER-5513:Enhance Ranger lookup API input validation - Fix Baseclient compilation issue

---------

Co-authored-by: Ramesh Mani <rmani@apache.org>

Author: rameeshm

agents-common/src/main/java/org/apache/ranger/plugin/client/BaseClient.java

@@ -31,6 +31,7 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+import java.util.regex.PatternSyntaxException;
 
 public abstract class BaseClient {
     private static final Logger LOG = LoggerFactory.getLogger(BaseClient.class);
@@ -184,6 +185,168 @@ private void init() {
         }
     }
 
+    protected void validateSqlIdentifier(String identifier, String identifierType) throws HadoopException {
+        if (StringUtils.isBlank(identifier)) {
+            return;
+        }
+        if (identifier.contains("..") || identifier.contains("//") || identifier.contains("\\")) {
+            String msgDesc = "Invalid " + identifierType + ": [" + identifier + "]. Path traversal patterns are not allowed.";
+            HadoopException hdpException = new HadoopException(msgDesc);
+            hdpException.generateResponseDataMap(false, msgDesc, msgDesc + DEFAULT_ERROR_MESSAGE, null, null);
+            LOG.error(msgDesc);
+            throw hdpException;
+        }
+        if (!identifier.matches("^[a-zA-Z0-9*?\\[\\]\\-\\$%\\{\\}\\=\\/\\._]+$")) {
+            String msgDesc = "Invalid " + identifierType + ": [" + identifier + "]. Only alphanumeric characters along with ( ., _, -, *, ?, [], {}, %, $, = / ) are allowed.";
+            HadoopException hdpException = new HadoopException(msgDesc);
+            hdpException.generateResponseDataMap(false, msgDesc, msgDesc + DEFAULT_ERROR_MESSAGE, null, null);
+            LOG.error(msgDesc);
+            throw hdpException;
+        }
+    }
+
+    protected String convertToSqlPattern(String pattern) throws HadoopException {
+        if (pattern == null || pattern.isEmpty()) {
+            return "%";
+        }
+        // Convert custom wildcards to SQL LIKE pattern:
+        // '*' -> '%' (multi-character wildcard)
+        // '?' -> '_' (single-character wildcard)
+        String sqlPattern = pattern.replace("*", "%").replace("?", "_");
+        return sqlPattern;
+    }
+
+    protected boolean matchesSqlPattern(String value, String pattern) throws HadoopException {
+        if (pattern == null || pattern.equals("%")) {
+            return true;
+        }
+
+        String regex = convertSqlPatternToRegex(pattern);
+        try {
+            return value.matches(regex);
+        } catch (PatternSyntaxException pe) {
+            String msgDesc = "Invalid value: [" + value + "]. Only alphanumeric characters along with ( ., _, -, *, ?, [], {}, %, $, = / ) are allowed.";
+            HadoopException hdpException = new HadoopException(msgDesc);
+            hdpException.generateResponseDataMap(false, msgDesc, msgDesc + DEFAULT_ERROR_MESSAGE, null, null);
+            LOG.error(msgDesc);
+            throw hdpException;
+        }
+    }
+
+    protected void validateUrlResourceName(String resourceName, String resourceType) throws HadoopException {
+        if (resourceName == null) {
+            return;
+        }
+        if (resourceName.contains("..") || resourceName.contains("//") || resourceName.contains("\\")) {
+            String msgDesc = "Invalid " + resourceType + ": [" + resourceName + "]. Path traversal patterns are not allowed.";
+            HadoopException hdpException = new HadoopException(msgDesc);
+            hdpException.generateResponseDataMap(false, msgDesc, msgDesc + DEFAULT_ERROR_MESSAGE, null, null);
+            LOG.error(msgDesc);
+            throw hdpException;
+        }
+        if (!resourceName.matches("^[a-zA-Z0-9_.*\\-]+$")) {
+            String msgDesc = "Invalid " + resourceType + ": [" + resourceName + "]. Only alphanumeric characters with ( ., _, *, -) are allowed.";
+            HadoopException hdpException = new HadoopException(msgDesc);
+            hdpException.generateResponseDataMap(false, msgDesc, msgDesc + DEFAULT_ERROR_MESSAGE, null, null);
+            LOG.error(msgDesc);
+            throw hdpException;
+        }
+    }
+
+    public void validateWildcardPattern(String pattern, String patternType) throws HadoopException {
+        if (pattern == null || pattern.isEmpty()) {
+            return;
+        }
+        if (pattern.contains("..") || pattern.contains("//") || pattern.contains("\\")) {
+            String msgDesc = "Invalid " + patternType + ": [" + pattern + "]. Path traversal patterns are not allowed.";
+            HadoopException hdpException = new HadoopException(msgDesc);
+            hdpException.generateResponseDataMap(false, msgDesc, msgDesc + DEFAULT_ERROR_MESSAGE, null, null);
+            LOG.error(msgDesc);
+            throw hdpException;
+        }
+        if (!pattern.matches("^[a-zA-Z0-9_.*?\\[\\]\\-\\$%\\{\\}\\=\\/]+$")) {
+            String msgDesc = "Invalid " + patternType + ": [" + pattern + "]. Only alphanumeric characters along with ( ., _, -, *, ?, [], {}, %, $, = / ) are allowed.";
+            HadoopException hdpException = new HadoopException(msgDesc);
+            hdpException.generateResponseDataMap(false, msgDesc, msgDesc + DEFAULT_ERROR_MESSAGE, null, null);
+            LOG.error(msgDesc);
+            throw hdpException;
+        }
+    }
+
+    protected String convertSqlPatternToRegex(String pattern) {
+        StringBuilder regexBuilder = new StringBuilder("^");
+
+        for (int i = 0; i < pattern.length(); i++) {
+            char c = pattern.charAt(i);
+            switch (c) {
+                case '%':
+                    // SQL LIKE wildcard: zero or more characters
+                    regexBuilder.append(".*");
+                    break;
+                case '_':
+                    // SQL LIKE wildcard: exactly one character
+                    regexBuilder.append('.');
+                    break;
+                case '.':
+                case '^':
+                case '$':
+                case '+':
+                case '?':
+                case '{':
+                case '}':
+                case '[':
+                case ']':
+                case '(':
+                case ')':
+                case '|':
+                case '\\':
+                    // Escape regex metacharacters so they are treated literally
+                    regexBuilder.append('\\').append(c);
+                    break;
+                default:
+                    regexBuilder.append(c);
+                    break;
+            }
+        }
+
+        return regexBuilder.toString();
+    }
+
+    public String convertWildcardToRegex(String wildcard) {
+        if (wildcard == null || wildcard.isEmpty()) {
+            return ".*";
+        }
+        StringBuilder regex = new StringBuilder("^");
+        for (int i = 0; i < wildcard.length(); i++) {
+            char c = wildcard.charAt(i);
+            switch (c) {
+                case '*':
+                    regex.append(".*");
+                    break;
+                case '?':
+                    regex.append(".");
+                    break;
+                case '.':
+                case '\\':
+                case '^':
+                case '$':
+                case '|':
+                    regex.append('\\').append(c);
+                    break;
+                case '{':
+                case '}':
+                case '[':
+                case ']':
+                    regex.append('\\').append(c);
+                    break;
+                default:
+                    regex.append(c);
+            }
+        }
+        regex.append('$');
+        return regex.toString();
+    }
+
     private HadoopException createException(Exception exp) {
         return createException("Unable to login to Hadoop environment [" + serviceName + "]", exp);
     }

agents-common/src/test/java/org/apache/ranger/plugin/client/TestBaseClient.java

@@ -326,4 +326,114 @@ class TestClient extends BaseClient {
             assertEquals(IllegalArgumentException.class, ex.getClass());
         }
     }
+
+    @Test
+    public void test15_convertWildcardToRegex() {
+        class TestClient extends BaseClient {
+            TestClient() {
+                super("test", new HashMap<>());
+            }
+
+            @Override
+            protected void login() {
+            }
+
+            public String convert(String s) {
+                return convertWildcardToRegex(s);
+            }
+        }
+
+        TestClient client = new TestClient();
+        assertEquals(".*", client.convert(null));
+        assertEquals(".*", client.convert(""));
+        assertEquals("^atlas.*$", client.convert("atlas*"));
+        assertEquals("^atlas\\..*$", client.convert("atlas.*"));
+        assertEquals("^.*atlas.*$", client.convert("*atlas*"));
+        assertEquals("^at.as$", client.convert("at?as"));
+        assertEquals("^atlas\\.$", client.convert("atlas."));
+        assertEquals("^atlas\\$$", client.convert("atlas$"));
+        assertEquals("^atlas\\^$", client.convert("atlas^"));
+        assertEquals("^atlas\\[\\]$", client.convert("atlas[]"));
+    }
+
+    @Test
+    public void test16_convertToSqlPattern() throws Exception {
+        class TestClient extends BaseClient {
+            TestClient() {
+                super("test", new HashMap<>());
+            }
+
+            @Override
+            protected void login() {
+            }
+
+            public String convert(String s) throws Exception {
+                return convertToSqlPattern(s);
+            }
+        }
+
+        TestClient client = new TestClient();
+        assertEquals("%", client.convert(null));
+        assertEquals("%", client.convert(""));
+        assertEquals("atlas%", client.convert("atlas*"));
+        assertEquals("at_as", client.convert("at?as"));
+    }
+
+    @Test
+    public void test17_matchesSqlPattern() throws Exception {
+        class TestClient extends BaseClient {
+            TestClient() {
+                super("test", new HashMap<>());
+            }
+
+            @Override
+            protected void login() {
+            }
+
+            public boolean match(String v, String p) throws Exception {
+                return matchesSqlPattern(v, p);
+            }
+        }
+
+        TestClient client = new TestClient();
+        assertEquals(true, client.match("atlas", null));
+        assertEquals(true, client.match("atlas", "%"));
+        assertEquals(true, client.match("atlas", "atlas%"));
+        assertEquals(true, client.match("atlas_test", "atlas%"));
+        assertEquals(true, client.match("atlas", "at_as"));
+        assertEquals(false, client.match("atlas", "at_a"));
+    }
+
+    @Test
+    public void test18_validateWildcardPattern() {
+        class TestClient extends BaseClient {
+            TestClient() {
+                super("test", new HashMap<>());
+            }
+
+            @Override
+            protected void login() {
+            }
+
+            public void validate(String s) throws Exception {
+                validateWildcardPattern(s, "test");
+            }
+        }
+
+        TestClient client = new TestClient();
+        try {
+            client.validate("atlas*");
+            client.validate("atlas.*");
+            client.validate("atlas?");
+        } catch (Exception e) {
+            org.junit.jupiter.api.Assertions.fail("Should not throw exception for valid patterns");
+        }
+
+        try {
+            client.validate("atlas../test");
+            org.junit.jupiter.api.Assertions.fail("Should throw exception for path traversal");
+        } catch (Exception e) {
+            // Expected
+        }
+    }
 }

hbase-agent/src/main/java/org/apache/ranger/services/hbase/client/HBaseClient.java

@@ -191,6 +191,12 @@ public List<String> getTableList(final String tableNameMatching, final List<Stri
             ret = Subject.doAs(subj, new PrivilegedAction<List<String>>() {
                 @Override
                 public List<String> run() {
+                    String wildcard = tableNameMatching;
+                    if (wildcard != null) {
+                        wildcard = wildcard.replace(".*", "*");
+                    }
+                    validateWildcardPattern(wildcard, "table pattern");
+                    String safeTablePattern = convertWildcardToRegex(wildcard);
                     List<String> tableList = new ArrayList<>();
                     Admin        admin     = null;
 
@@ -205,8 +211,7 @@ public List<String> run() {
                             LOG.info("getTableList: no exception: HbaseAvailability true");
 
                             admin = conn.getAdmin();
-
-                            List<TableDescriptor> htds = admin.listTableDescriptors(Pattern.compile(tableNameMatching));
+                            List<TableDescriptor> htds = admin.listTableDescriptors(Pattern.compile(safeTablePattern));
 
                             if (htds != null) {
                                 for (TableDescriptor htd : htds) {
@@ -240,6 +245,8 @@ public List<String> run() {
                         LOG.error(msgDesc + mnre);
 
                         throw hdpException;
+                    } catch (HadoopException he) {
+                        throw he;
                     } catch (IOException io) {
                         String          msgDesc      = "getTableList: Unable to get HBase table List for [repository:" + getConfigHolder().getDatasourceName() + ",table-match:" + tableNameMatching + "].";
                         HadoopException hdpException = new HadoopException(msgDesc, io);
@@ -291,14 +298,18 @@ public List<String> getColumnFamilyList(final String columnFamilyMatching, final
 
                     @Override
                     public List<String> run() {
+                        String wildcard = columnFamilyMatching;
+                        if (wildcard != null) {
+                            wildcard = wildcard.replace(".*", "*");
+                        }
+                        validateWildcardPattern(wildcard, "column family pattern");
+                        String safeColumnPattern = convertWildcardToRegex(wildcard);
                         List<String> colfList = new ArrayList<>();
                         Admin        admin    = null;
 
                         try {
                             LOG.info("getColumnFamilyList: setting config values from client");
-
                             setClientConfigValues(conf);
-
                             LOG.info("getColumnFamilyList: checking HbaseAvailability with the new config");
 
                             try (Connection conn = ConnectionFactory.createConnection(conf)) {
@@ -314,8 +325,7 @@ public List<String> run() {
                                         if (htd != null) {
                                             for (ColumnFamilyDescriptor hcd : htd.getColumnFamilies()) {
                                                 String colf = hcd.getNameAsString();
-
-                                                if (colf.matches(columnFamilyMatching)) {
+                                                if (colf.matches(safeColumnPattern)) {
                                                     if (existingColumnFamilies != null && existingColumnFamilies.contains(colf)) {
                                                         continue;
                                                     } else {
@@ -345,6 +355,8 @@ public List<String> run() {
                             LOG.error(msgDesc + mnre);
 
                             throw hdpException;
+                        } catch (HadoopException he) {
+                            throw he;
                         } catch (IOException io) {
                             String          msgDesc      = "getColumnFamilyList: Unable to get HBase ColumnFamilyList for [repository:" + getConfigHolder().getDatasourceName() + ",table:" + tblName + ", table-match:" + columnFamilyMatching + "] ";
                             HadoopException hdpException = new HadoopException(msgDesc, io);