From 2636e049d6cf1454fb10ebd178d20fd1c2622936 Mon Sep 17 00:00:00 2001
From: Manuel Spuhler <manuel.spuhler@chuv.ch>
Date: Mon, 30 Apr 2018 16:11:28 +0200
Subject: [PATCH] Simple Regex against SQL injection

---
 src/main/java/eu/hbp/mip/controllers/RequestsApi.java | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/main/java/eu/hbp/mip/controllers/RequestsApi.java b/src/main/java/eu/hbp/mip/controllers/RequestsApi.java
index b50514e91..9d5d2ecee 100644
--- a/src/main/java/eu/hbp/mip/controllers/RequestsApi.java
+++ b/src/main/java/eu/hbp/mip/controllers/RequestsApi.java
@@ -83,9 +83,13 @@ public class RequestsApi {
     private List<String> extractVarCodes(JsonObject q, String field) {
         List<String> codes = new LinkedList<>();
         JsonArray elements = q.getAsJsonArray(field) != null ? q.getAsJsonArray(field) : new JsonArray();
+        Pattern p = Pattern.compile("\\w+");
         for (JsonElement var : elements) {
             String varCode = var.getAsJsonObject().get("code").getAsString();
-            codes.add(varCode);
+            Boolean isValidString = p.matcher(varCode).matches();
+            if (isValidString) {
+                codes.add(varCode);
+            }
         }
         return codes;
     }
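Review bot: The added allowlist silently drops any code that fails `\\w+` instead of rejecting the request, so a caller sending a malformed value gets a successful response computed on a different variable set than it asked for; logging the discarded value or throwing `IllegalArgumentException` (mapped to a 400 upstream) makes the failure visible and auditable. The pattern is also recompiled on every call and the match result boxed into `Boolean`; hoist it to `private static final Pattern VAR_CODE = Pattern.compile("\\w+");` and write the check as `if (VAR_CODE.matcher(varCode).matches()) { codes.add(varCode); }`. `\\w` in Java is ASCII-only by default, which is fine for an allowlist but worth stating in a comment so the next reader does not widen it with `UNICODE_CHARACTER_CLASS`. The diffstat shows no import change, so this compiles only if `java.util.regex.Pattern` is already imported in the file. If the codes are interpolated into SQL downstream (not visible here), parameterizing that query remains the primary fix and this filter is defence in depth.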
-- 
GitLab