feat(validation): Add new @Cron validation expression based on jakarta.validation #618

Author: yyvess

README.md

@@ -20,12 +20,10 @@ cron-utils is available on [Maven central](http://search.maven.org/#search%7Cga%
     </dependency>
 
 For Android developers, cron-utils 7.0.0 assumes Android 26+. For earlier Android versions consider using cron-utils 6.0.6.
-If using ScheduleExpression from Java EE, this should be provided as a runtime dependency.
+If using ScheduleExpression from Java EE or Jakarta, this should be provided as a runtime dependency.
 
 **Current development**
 
-*We are currently working to update the codebase towards JDK 16, to ensure will be fully compatible with JDK 17 when released.* 
-
 Now we are developing a new generation of cron-descriptors using neural-translation! Any kind of contributions are welcome: from help with dataset generation to machine learning models training and utilities to load them! If interested, please follow issue [#3](https://github.com/jmrozanec/cron-utils/issues/3)
 
 **Features**

pom.xml

@@ -81,6 +81,12 @@
             <version>2.0.1.Final</version>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <groupId>jakarta.validation</groupId>
+            <artifactId>jakarta.validation-api</artifactId>
+            <version>3.0.2</version>
+            <scope>provided</scope>
+        </dependency>
 
         <!--test dependencies-->
         <dependency>
@@ -123,6 +129,13 @@
             <scope>test</scope>
         </dependency>
 
+        <dependency>
+            <groupId>org.hibernate.validator</groupId>
+            <artifactId>hibernate-validator</artifactId>
+            <version>7.0.5.Final</version>
+            <scope>test</scope>
+        </dependency>
+
 
         <dependency>
             <groupId>javax.el</groupId>

src/main/java/com/cronutils/validation/AbstractCronValidator.java

@@ -0,0 +1,25 @@
+package com.cronutils.validation;
+
+import com.cronutils.model.CronType;
+import com.cronutils.model.definition.CronDefinition;
+import com.cronutils.model.definition.CronDefinitionBuilder;
+import com.cronutils.parser.CronParser;
+
+public abstract class AbstractCronValidator {
+
+    private CronType type;
+
+    protected void initialize(CronType constraintAnnotation) {
+        this.type = constraintAnnotation;
+    }
+
+    protected boolean isValid(String value) throws IllegalArgumentException {
+        if (value == null) {
+            return true;
+        }
+        CronDefinition cronDefinition = CronDefinitionBuilder.instanceDefinitionFor(type);
+        CronParser cronParser = new CronParser(cronDefinition);
+        cronParser.parse(value).validate();
+        return true;
+    }
+}

src/main/java/com/cronutils/validation/Cron.java

@@ -21,4 +21,4 @@
 
     CronType type();
 
-}
+}

src/main/java/com/cronutils/validation/CronValidator.java

@@ -1,33 +1,20 @@
 package com.cronutils.validation;
 
-import com.cronutils.model.CronType;
-import com.cronutils.model.definition.CronDefinition;
-import com.cronutils.model.definition.CronDefinitionBuilder;
-import com.cronutils.parser.CronParser;
-
 import javax.validation.ConstraintValidator;
 import javax.validation.ConstraintValidatorContext;
 
-public class CronValidator implements ConstraintValidator<Cron, String> {
+public class CronValidator extends AbstractCronValidator implements ConstraintValidator<Cron, String> {
 
-    private CronType type;
 
     @Override
     public void initialize(Cron constraintAnnotation) {
-        this.type = constraintAnnotation.type();
+        super.initialize(constraintAnnotation.type());
     }
 
     @Override
     public boolean isValid(String value, ConstraintValidatorContext context) {
-        if (value == null) {
-            return true;
-        }
-
-        CronDefinition cronDefinition = CronDefinitionBuilder.instanceDefinitionFor(type);
-        CronParser cronParser = new CronParser(cronDefinition);
         try {
-            cronParser.parse(value).validate();
-            return true;
+            return super.isValid(value);
         } catch (IllegalArgumentException e) {
             context.disableDefaultConstraintViolation();
             context.buildConstraintViolationWithTemplate(e.getMessage()).addConstraintViolation();

src/main/java/com/cronutils/validation/jakarta/Cron.java

@@ -0,0 +1,24 @@
+package com.cronutils.validation.jakarta;
+
+import com.cronutils.model.CronType;
+import jakarta.validation.Constraint;
+import jakarta.validation.Payload;
+
+import java.lang.annotation.*;
+
+@Target({ElementType.FIELD, ElementType.ANNOTATION_TYPE})
+@Retention(RetentionPolicy.RUNTIME)
+@Constraint(validatedBy = CronJakartaValidator.class)
+@Inherited
+@Documented
+public @interface Cron {
+
+    String message() default "UNUSED";
+
+    Class<?>[] groups() default {};
+
+    Class<? extends Payload>[] payload() default {};
+
+    CronType type();
+
+}

src/main/java/com/cronutils/validation/jakarta/CronJakartaValidator.java

@@ -0,0 +1,24 @@
+package com.cronutils.validation.jakarta;
+
+import com.cronutils.validation.AbstractCronValidator;
+import jakarta.validation.ConstraintValidator;
+import jakarta.validation.ConstraintValidatorContext;
+
+public class CronJakartaValidator extends AbstractCronValidator implements ConstraintValidator<Cron, String> {
+
+    @Override
+    public void initialize(Cron constraintAnnotation) {
+        super.initialize(constraintAnnotation.type());
+    }
+
+    @Override
+    public boolean isValid(String value, ConstraintValidatorContext context) {
+        try {
+            return super.isValid(value);
+        } catch (IllegalArgumentException e) {
+            context.disableDefaultConstraintViolation();
+            context.buildConstraintViolationWithTemplate(e.getMessage()).addConstraintViolation();
+            return false;
+        }
+    }
+}

src/test/java/com/cronutils/validation/jakarta/CronJakartaTestValidatorTest.java

@@ -0,0 +1,69 @@
+package com.cronutils.validation.jakarta;
+
+import com.cronutils.model.CronType;
+import jakarta.validation.ConstraintViolation;
+import jakarta.validation.Validation;
+import jakarta.validation.Validator;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.Set;
+import java.util.stream.Stream;
+
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+public class CronJakartaTestValidatorTest {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(CronJakartaTestValidatorTest.class);
+
+    private final Validator validator = Validation.buildDefaultValidatorFactory().getValidator();
+
+    public static Stream<Arguments> expressions() {
+        return Stream.of(
+                Arguments.of("0 0 * * * *", true),
+                Arguments.of("*/10 * * * * *", true),
+                Arguments.of("0 0 8-10 * * *", true),
+                Arguments.of("0 0 6,19 * * *", true),
+                Arguments.of("0 0/30 8-10 * * *", true),
+                Arguments.of("0 0 9-17 * * MON-FRI", true),
+                Arguments.of("0 0 0 25 12 ?", true),
+                Arguments.of("0 0 0 L 12 ?", false),
+                Arguments.of("1,2, * * * * *", false),
+                Arguments.of("1- * * * * *", false),
+                // Verification for RCE security vulnerability fix: https://github.com/jmrozanec/cron-utils/issues/461
+                Arguments.of("java.lang.Runtime.getRuntime().exec('touch /tmp/pwned'); // 4 5 [${''.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('js').eval(validatedValue)}]", false)
+        );
+    }
+
+    @ParameterizedTest(name = "{0} ")
+    @MethodSource("expressions")
+    public void validateExamples(String expression, boolean valid) {
+        TestPojo testPojo = new TestPojo(expression);
+        Set<ConstraintViolation<TestPojo>> violations = validator.validate(testPojo);
+        violations.stream().map(ConstraintViolation::getMessage).forEach(LOGGER::info);
+
+        if (valid) {
+            assertTrue(violations.isEmpty());
+        } else {
+            assertFalse(violations.isEmpty());
+        }
+    }
+
+    public static class TestPojo {
+        @Cron(type = CronType.SPRING)
+        private final String cron;
+
+        public TestPojo(String cron) {
+            this.cron = cron;
+        }
+
+        public String getCron() {
+            return cron;
+        }
+
+    }
+}