fix: add validation for cron in page source during import to prevent malformed cron expressions

Author: vikrantgravitee

gravitee-apim-rest-api/gravitee-apim-rest-api-service/src/main/java/io/gravitee/rest/api/service/impl/ApiDuplicatorServiceImpl.java

@@ -25,6 +25,7 @@
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.DeserializationFeature;
+import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import io.gravitee.common.http.HttpMethod;
 import io.gravitee.common.utils.IdGenerator;
@@ -102,6 +103,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.context.annotation.Lazy;
+import org.springframework.scheduling.support.CronExpression;
 import org.springframework.stereotype.Component;
 
 /**
@@ -1092,6 +1094,23 @@ private void checkPagesConsistency(ImportApiJsonNode apiJsonNode) {
             if (systemFoldersCount > 1) {
                 throw new ApiImportException("Only one system folder is allowed in the API pages definition");
             }
+            for (JsonNode pageNode : apiJsonNode.getPagesArray()) {
+                JsonNode sourceNode = pageNode.path("source");
+                JsonNode configNode = sourceNode.path("configuration");
+
+                if (!configNode.isMissingNode() && configNode.has("fetchCron")) {
+                    String cron = configNode.path("fetchCron").asText(null);
+
+                    if (cron != null && !cron.isEmpty()) {
+                        try {
+                            CronExpression.parse(cron); // Validate cron
+                        } catch (IllegalArgumentException e) {
+                            String pageName = pageNode.path("name").asText("Unnamed Page");
+                            throw new ApiImportException("Invalid fetchCron expression in page '" + pageName + "': " + e.getMessage());
+                        }
+                    }
+                }
+            }
         }
     }
 

gravitee-apim-rest-api/gravitee-apim-rest-api-service/src/main/java/io/gravitee/rest/api/service/impl/PageServiceImpl.java

@@ -330,6 +330,27 @@ private static PageSource convert(PageSourceEntity pageSourceEntity) {
         return source;
     }
 
+    public static void validateFetchConfig(String jsonConfig) throws TechnicalException {
+        ObjectMapper mapper = new ObjectMapper();
+        try {
+            JsonNode root = mapper.readTree(jsonConfig);
+            boolean autoFetch = root.path("autoFetch").asBoolean(false);
+            String fetchCron = root.path("fetchCron").asText();
+            if (autoFetch) {
+                if (fetchCron == null || fetchCron.isEmpty()) {
+                    throw new TechnicalException("fetchCron is required when autoFetch is true.");
+                }
+            }
+            if (fetchCron != null && !fetchCron.isEmpty() && !"null".equals(fetchCron)) {
+                CronExpression.parse(fetchCron);
+            }
+        } catch (IllegalArgumentException e) {
+            throw new TechnicalException("Invalid cron expression: " + e.getMessage(), e);
+        } catch (Exception e) {
+            throw new TechnicalException("Failed to parse configuration JSON: " + e.getMessage(), e);
+        }
+    }
+
     @SuppressWarnings("squid:S1166")
     private static boolean isJson(String content) {
         try {
@@ -895,7 +916,9 @@ public PageEntity createPage(final ExecutionContext executionContext, String api
             if (newPageEntity.getContent() == null && newPageEntity.getSource() != null && newPageType != ROOT) {
                 fetchPage(newPageEntity);
             }
-
+            if (newPageEntity.getSource() != null && newPageEntity.getSource().getConfiguration() != null) {
+                validateFetchConfig(newPageEntity.getSource().getConfiguration());
+            }
             Page page = convert(newPageEntity);
 
             page.setId(id);
@@ -1226,6 +1249,9 @@ public PageEntity update(final ExecutionContext executionContext, String pageId,
             if (partial) {
                 page = merge(updatePageEntity, pageToUpdate);
             } else {
+                if (updatePageEntity.getSource() != null && updatePageEntity.getSource().getConfiguration() != null) {
+                    validateFetchConfig(updatePageEntity.getSource().getConfiguration());
+                }
                 page = convert(updatePageEntity);
             }
 

gravitee-apim-rest-api/gravitee-apim-rest-api-service/src/test/java/io/gravitee/rest/api/service/impl/ApiDuplicatorServiceImplTest.java

@@ -19,6 +19,7 @@
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertThrows;
 import static org.junit.Assert.assertTrue;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.*;
@@ -58,6 +59,7 @@
 import io.gravitee.rest.api.service.UserService;
 import io.gravitee.rest.api.service.common.GraviteeContext;
 import io.gravitee.rest.api.service.converter.CategoryMapper;
+import io.gravitee.rest.api.service.exceptions.ApiImportException;
 import io.gravitee.rest.api.service.exceptions.TechnicalManagementException;
 import io.gravitee.rest.api.service.imports.ImportApiJsonNode;
 import io.gravitee.rest.api.service.spring.ServiceConfiguration;
@@ -532,4 +534,16 @@ public void shouldPreserveValidAccessControlGroups() throws IOException {
                 eq(API_ID)
             );
     }
+
+    @Test
+    public void shouldThrowExceptionForInvalidFetchCronExpression() throws IOException {
+        ImportApiJsonNode node = loadTestNode(IMPORT_FILES_FOLDER + "import-api.invalid.cron.json");
+        ApiImportException exception = assertThrows(
+            ApiImportException.class,
+            () -> ReflectionTestUtils.invokeMethod(apiDuplicatorService, "checkPagesConsistency", node)
+        );
+
+        assertTrue(exception.getMessage().startsWith("Invalid fetchCron expression in page"));
+        assertTrue(exception.getMessage().contains("Cron expression must consist of 6 fields"));
+    }
 }

gravitee-apim-rest-api/gravitee-apim-rest-api-service/src/test/java/io/gravitee/rest/api/service/impl/PageService_CreateTest.java

@@ -23,6 +23,7 @@
 import static org.springframework.test.util.ReflectionTestUtils.setField;
 
 import com.fasterxml.jackson.databind.node.JsonNodeFactory;
+import com.fasterxml.jackson.databind.node.ObjectNode;
 import com.google.common.base.Charsets;
 import com.google.common.io.Resources;
 import freemarker.template.TemplateException;
@@ -587,4 +588,14 @@ public void shouldNotCreateBecausePageContentTemplatingException() throws Techni
 
         verify(pageRepository).create(any());
     }
+
+    @Test(expected = TechnicalManagementException.class)
+    public void shouldFailToCreatePageWithInvalidFetchCron() {
+        PageSourceEntity source = new PageSourceEntity();
+        source.setType("github-fetcher");
+        source.setConfiguration(JsonNodeFactory.instance.objectNode().put("autoFetch", true).put("fetchCron", "15 8,13 * * MON-FRI")); // Invalid cron
+        when(newPage.getSource()).thenReturn(source);
+        when(newPage.getVisibility()).thenReturn(Visibility.PUBLIC);
+        pageService.createPage(GraviteeContext.getExecutionContext(), API_ID, newPage);
+    }
 }

gravitee-apim-rest-api/gravitee-apim-rest-api-service/src/test/resources/io/gravitee/rest/api/management/service/import/import-api.invalid.cron.json

@@ -0,0 +1,165 @@
+{
+  "name" : "Test",
+  "crossId" : "3bb7f9b3-a75b-47cd-b7f9-b3a75bd7cd66",
+  "version" : "1",
+  "execution_mode" : "v4-emulation-engine",
+  "description" : "Test",
+  "visibility" : "PRIVATE",
+  "flows" : [ ],
+  "gravitee" : "2.0.0",
+  "flow_mode" : "DEFAULT",
+  "resources" : [ ],
+  "properties" : [ ],
+  "members" : [ {
+    "source" : "memory",
+    "sourceId" : "admin",
+    "roles" : [ "0716e6d1-dccb-4c16-96e6-d1dccbac1674" ]
+  } ],
+  "pages" : [ {
+    "id" : "8812c075-92ce-41a6-92c0-7592cea1a684",
+    "crossId" : "21c3673a-e29c-4470-8367-3ae29c147099",
+    "name" : "Aside",
+    "type" : "SYSTEM_FOLDER",
+    "order" : 0,
+    "published" : true,
+    "visibility" : "PUBLIC",
+    "lastModificationDate" : 1745480801827,
+    "contentType" : "application/json",
+    "homepage" : false,
+    "parentPath" : "",
+    "excludedAccessControls" : false,
+    "accessControls" : [ ],
+    "api" : "c57c319b-62b6-427c-bc31-9b62b6527c37",
+    "attached_media" : [ ]
+  }, {
+    "id" : "0efebe71-6cb1-43e5-bebe-716cb163e539",
+    "crossId" : "fc3d8a92-b18c-4ba4-bd8a-92b18cfba4ce",
+    "name" : "Test",
+    "type" : "SWAGGER",
+    "content" : "{}",
+    "order" : 1,
+    "lastContributor" : "4407b94b-a747-41d6-87b9-4ba747f1d67c",
+    "published" : false,
+    "visibility" : "PUBLIC",
+    "lastModificationDate" : 1745480801842,
+    "contentType" : "application/json",
+    "source" : {
+      "type" : "gitlab-fetcher",
+      "configuration" : {"gitlabUrl":"https://gitlab.com/api/v4","useSystemProxy":false,"namespace":"t3551","project":"test","branchOrTag":"main","filepath":"/PetStore.json","privateToken":"********","apiVersion":"V4","editLink":null,"fetchCron":"15 8,13 * * MON-FRI","autoFetch":false}
+    },
+    "configuration" : {
+      "viewer" : "Swagger"
+    },
+    "homepage" : false,
+    "parentPath" : "",
+    "excludedAccessControls" : false,
+    "accessControls" : [ ],
+    "api" : "c57c319b-62b6-427c-bc31-9b62b6527c37",
+    "attached_media" : [ ]
+  } ],
+  "plans" : [ {
+    "id" : "ad8e4d1d-7c2c-4036-8e4d-1d7c2c203637",
+    "definitionVersion" : "2.0.0",
+    "crossId" : "5514b581-1083-4ca4-94b5-8110839ca4b1",
+    "name" : "KeylessPlan",
+    "description" : "KeylessPlan",
+    "validation" : "AUTO",
+    "security" : "KEY_LESS",
+    "type" : "API",
+    "status" : "PUBLISHED",
+    "api" : "c57c319b-62b6-427c-bc31-9b62b6527c37",
+    "order" : 0,
+    "characteristics" : [ ],
+    "tags" : [ ],
+    "created_at" : 1742314598986,
+    "updated_at" : 1745480801740,
+    "published_at" : 1742314598996,
+    "paths" : { },
+    "comment_required" : false,
+    "flows" : [ {
+      "id" : "29fef3df-5a55-4e45-bef3-df5a559e4526",
+      "path-operator" : {
+        "path" : "/",
+        "operator" : "STARTS_WITH"
+      },
+      "condition" : "",
+      "consumers" : [ ],
+      "methods" : [ ],
+      "pre" : [ ],
+      "post" : [ ],
+      "enabled" : true
+    } ]
+  } ],
+  "metadata" : [ {
+    "key" : "email-support",
+    "name" : "email-support",
+    "format" : "MAIL",
+    "value" : "${(api.primaryOwner.email)!''}",
+    "defaultValue" : "[email protected]",
+    "apiId" : "c57c319b-62b6-427c-bc31-9b62b6527c37"
+  } ],
+  "id" : "c57c319b-62b6-427c-bc31-9b62b6527c37",
+  "path_mappings" : [ ],
+  "proxy" : {
+    "virtual_hosts" : [ {
+      "path" : "/test/"
+    } ],
+    "strip_context_path" : false,
+    "preserve_host" : false,
+    "logging" : {
+      "mode" : "CLIENT_PROXY",
+      "content" : "HEADERS_PAYLOADS",
+      "scope" : "REQUEST_RESPONSE",
+      "condition" : "{#request.timestamp <= 1688987810835l}"
+    },
+    "groups" : [ {
+      "name" : "default-group",
+      "endpoints" : [ {
+        "name" : "default",
+        "target" : "https://webhook.site/356688cd-27d5-4365-ab40-963a7e945e35",
+        "weight" : 1,
+        "backup" : false,
+        "status" : "UP",
+        "type" : "http",
+        "inherit" : true,
+        "proxy" : null,
+        "http" : null,
+        "ssl" : null,
+        "healthcheck" : {
+          "enabled" : true,
+          "inherit" : true
+        }
+      } ],
+      "load_balancing" : {
+        "type" : "ROUND_ROBIN"
+      },
+      "services" : {
+        "discovery" : {
+          "enabled" : false
+        }
+      },
+      "http" : {
+        "connectTimeout" : 5000,
+        "idleTimeout" : 60000,
+        "keepAliveTimeout" : 300000,
+        "keepAlive" : false,
+        "readTimeout" : 300000,
+        "pipelining" : false,
+        "maxConcurrentConnections" : 100,
+        "useCompression" : true,
+        "followRedirects" : false
+      },
+      "ssl" : {
+        "trustAll" : false,
+        "hostnameVerifier" : false
+      }
+    } ]
+  },
+  "response_templates" : { },
+  "primaryOwner" : {
+    "id" : "4407b94b-a747-41d6-87b9-4ba747f1d67c",
+    "displayName" : "admin",
+    "type" : "USER"
+  },
+  "disable_membership_notifications" : false
+}