Escape Java EL in validation message before interpolation (#117)

SAP · Nov 30, 2020 · 413b5d7 · 413b5d7
1 parent 8a09b8c
commit 413b5d7
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/scimono-server/src/main/java/com/sap/scimono/entity/schema/validation/ValidationUtil.java b/scimono-server/src/main/java/com/sap/scimono/entity/schema/validation/ValidationUtil.java
@@ -1,13 +1,20 @@
 
 package com.sap.scimono.entity.schema.validation;
 
+import java.util.regex.Pattern;
+
 import javax.validation.ConstraintValidatorContext;
 
 class ValidationUtil {
+  private static final Pattern EXPRESSION_LANGUAGE_CHARACTERS = Pattern.compile("([${}])");
 
   public static void interpolateErrorMessage(ConstraintValidatorContext context, String errorMessage) {
     context.disableDefaultConstraintViolation();
-    context.buildConstraintViolationWithTemplate(errorMessage).addConstraintViolation();
+    context.buildConstraintViolationWithTemplate(escapeExpressionLanguage(errorMessage)).addConstraintViolation();
+  }
+
+  private static String escapeExpressionLanguage(String text) {
+    return EXPRESSION_LANGUAGE_CHARACTERS.matcher(text).replaceAll( "\\\\$1" );
   }
 
 }