Potential Error in the SCIM Filter Validation of the /ids/Users Endpoint #2703

Closed
adrianhoelzl-sap opened this issue Feb 1, 2024 · 1 comment · Fixed by #2702

@adrianhoelzl-sap
Contributor

The /ids/Users endpoint allows passing a SCIM filter as a URL parameter. For validating this filter string, the value is parsed and subsequently traversed recursively, checking each clause for validity.

When handling clauses joined by the operator `or` or `and`, we saw that an OR-operator is used for combining the validation result of the left-hand side and the right-hand side of the expression (see `return checkFilter(filter.getFilterComponents().get(1)) || resultLeftOperand;`).

If the RHS of the expression is valid (i.e., checkFilter returned true for it) while the LHS is invalid (i.e., checkFilter returned false for it), the method will return true for the joined expression.

Instead, the two clauses should be combined by using an AND operator, so that both clauses are required to be valid.

If the current state of the code is however correct, this shall be made clear in the comments of the code.
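
The behaviour reported above next to the proposed fix, as an added example that is not part of the original issue and not the project's code. The `Filter` record, the `ALLOWED` attribute set and both method names are hypothetical stand-ins; only the `||` return line mirrors the one quoted in the issue.

```java
import java.util.List;
import java.util.Set;

public class ScimFilterCheckDemo {
    enum Type { AND, OR, EQ }

    // Hypothetical minimal filter tree standing in for the endpoint's parsed filter type.
    record Filter(Type type, String attribute, List<Filter> components) {
        static Filter eq(String attribute) { return new Filter(Type.EQ, attribute, List.of()); }
        static Filter join(Type type, Filter lhs, Filter rhs) { return new Filter(type, null, List.of(lhs, rhs)); }
    }

    // Constructed allow-list for the demo, not the endpoint's actual one.
    static final Set<String> ALLOWED = Set.of("userName", "origin");

    // Behaviour described in the issue: validation results of both sides combined with ||.
    static boolean checkFilterAsReported(Filter f) {
        if (f.type() == Type.EQ) return ALLOWED.contains(f.attribute());
        boolean resultLeftOperand = checkFilterAsReported(f.components().get(0));
        return checkFilterAsReported(f.components().get(1)) || resultLeftOperand;
    }

    // Proposed behaviour: both clauses must be valid, whichever SCIM operator joins them.
    static boolean checkFilterProposed(Filter f) {
        if (f.type() == Type.EQ) return ALLOWED.contains(f.attribute());
        boolean resultLeftOperand = checkFilterProposed(f.components().get(0));
        return checkFilterProposed(f.components().get(1)) && resultLeftOperand;
    }

    public static void main(String[] args) {
        Filter valid = Filter.eq("userName");
        Filter invalid = Filter.eq("notAllowed"); // constructed attribute outside the allow-list
        List<Filter> cases = List.of(
            Filter.join(Type.AND, valid, Filter.eq("origin")),   // both sides valid
            Filter.join(Type.OR, invalid, valid),                // invalid LHS, valid RHS
            Filter.join(Type.AND, valid, invalid),               // valid LHS, invalid RHS
            Filter.join(Type.OR, Filter.join(Type.AND, invalid, valid), valid)); // nested invalid clause
        for (Filter c : cases) {
            System.out.printf("%-5s reported=%b proposed=%b%n",
                c.type(), checkFilterAsReported(c), checkFilterProposed(c));
        }
    }
}
```

With the `||` combination every case is accepted, including the nested one where the invalid clause sits two levels down; with `&&` only the filter whose clauses are all valid is accepted.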

@cf-gitbot

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/186965053

The labels on this github issue will be updated when the story is started.
