-
Notifications
You must be signed in to change notification settings - Fork 334
refactor(filters): add filter pkg and middleware for slice architecture BED-8594 #2943
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from 4 commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,76 @@ | ||
| // Copyright 2026 Specter Ops, Inc. | ||
| // | ||
| // Licensed under the Apache License, Version 2.0 | ||
| // you may not use this file except in compliance with the License. | ||
| // You may obtain a copy of the License at | ||
| // | ||
| // http://www.apache.org/licenses/LICENSE-2.0 | ||
| // | ||
| // Unless required by applicable law or agreed to in writing, software | ||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
| // | ||
| // SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| package middleware | ||
|
|
||
| import ( | ||
| "errors" | ||
| "fmt" | ||
| "net/http" | ||
|
|
||
| "github.com/gorilla/mux" | ||
|
|
||
| "github.com/specterops/bloodhound/cmd/api/src/api" | ||
| "github.com/specterops/bloodhound/cmd/api/src/bhctx" | ||
| "github.com/specterops/bloodhound/cmd/api/src/model" | ||
| "github.com/specterops/bloodhound/packages/go/filters" | ||
| ) | ||
|
|
||
| // FilterMiddleware parses query parameter filters from the request, validates them against the supplied | ||
| // filters.Filterable definition, and enriches the BloodHound context with the resulting filters.Filters map. | ||
| // | ||
| // When filterable is nil the middleware performs no parsing and passes the request through unchanged. If | ||
| // the filters are malformed, reference a column that cannot be filtered, or use an operator the column | ||
| // does not support, the middleware writes a 400 response and halts the chain. | ||
| func FilterMiddleware(filterable filters.Filterable) mux.MiddlewareFunc { | ||
| return func(next http.Handler) http.Handler { | ||
| return http.HandlerFunc(func(response http.ResponseWriter, request *http.Request) { | ||
| if filterable == nil { | ||
| next.ServeHTTP(response, request) | ||
| return | ||
| } | ||
|
|
||
| parser := filters.NewQueryParameterFilterParser(append(model.IgnoreFilters(), model.AllPaginationQueryParameters()...)...) | ||
| if parsedFilters, err := parser.ParseAndValidate(request.URL.Query(), filterable); err != nil { | ||
| api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusBadRequest, filterErrorMessage(err), request), response) | ||
| return | ||
| } else { | ||
| bhCtx := bhctx.Get(request.Context()) | ||
| bhCtx.Filters = parsedFilters | ||
| } | ||
|
|
||
| next.ServeHTTP(response, request) | ||
| }) | ||
| } | ||
| } | ||
|
|
||
| // filterErrorMessage maps a filter validation failure to the appropriate API error response detail, | ||
| // preserving the offending field and operator in the message where available. | ||
| func filterErrorMessage(err error) string { | ||
| var validationErr *filters.ValidationError | ||
| if !errors.As(err, &validationErr) { | ||
| return api.ErrorResponseDetailsBadQueryParameterFilters | ||
| } | ||
|
|
||
| switch { | ||
| case errors.Is(validationErr, filters.ErrFieldNotFilterable): | ||
| return fmt.Sprintf("%s: %s", api.ErrorResponseDetailsColumnNotFilterable, validationErr.Field) | ||
| case errors.Is(validationErr, filters.ErrOperatorNotSupported): | ||
| return fmt.Sprintf("%s: %s %s", api.ErrorResponseDetailsFilterPredicateNotSupported, validationErr.Field, validationErr.Operator) | ||
| default: | ||
| return api.ErrorResponseDetailsBadQueryParameterFilters | ||
| } | ||
| } | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,116 @@ | ||
| // Copyright 2026 Specter Ops, Inc. | ||
| // | ||
| // Licensed under the Apache License, Version 2.0 | ||
| // you may not use this file except in compliance with the License. | ||
| // You may obtain a copy of the License at | ||
| // | ||
| // http://www.apache.org/licenses/LICENSE-2.0 | ||
| // | ||
| // Unless required by applicable law or agreed to in writing, software | ||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
| // | ||
| // SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| // Package filters provides a storage-agnostic model for parsing and validating query parameter filters. | ||
| // It intentionally carries no knowledge of how filters are ultimately applied (SQL, graph, etc.) so that | ||
| // it can be reused across the API without coupling to any particular persistence layer. | ||
| package filters | ||
|
|
||
| import ( | ||
| "errors" | ||
| "fmt" | ||
| ) | ||
|
|
||
| // FilterOperator identifies the comparison predicate applied to a filtered column. | ||
| type FilterOperator string | ||
|
|
||
| const ( | ||
| GreaterThan FilterOperator = "gt" | ||
| GreaterThanOrEquals FilterOperator = "gte" | ||
| LessThan FilterOperator = "lt" | ||
| LessThanOrEquals FilterOperator = "lte" | ||
| Equals FilterOperator = "eq" | ||
| NotEquals FilterOperator = "neq" | ||
| ApproximatelyEquals FilterOperator = "~eq" | ||
| ) | ||
|
|
||
| // Validation sentinels classify why a set of query parameter filters failed validation. Callers should | ||
| // classify failures with errors.Is and may extract the offending field/operator via a *ValidationError | ||
| // using errors.As. These are intentionally free of any transport- or presentation-specific wording. | ||
| var ( | ||
| ErrMalformedFilter = errors.New("query parameter filter is malformed") | ||
| ErrFieldNotFilterable = errors.New("column cannot be filtered") | ||
| ErrOperatorNotSupported = errors.New("filter operator is not supported for column") | ||
| ) | ||
|
|
||
| // ValidationError describes a filter validation failure. It wraps one of the validation sentinels so it | ||
| // can be classified with errors.Is, while also carrying the offending field and operator so callers can | ||
| // build their own messaging without parsing strings. | ||
| type ValidationError struct { | ||
| Err error | ||
| Field string | ||
| Operator FilterOperator | ||
| } | ||
|
|
||
| func (s *ValidationError) Error() string { | ||
| switch { | ||
| case s.Field != "" && s.Operator != "": | ||
| return fmt.Sprintf("%s: %s %s", s.Err, s.Field, s.Operator) | ||
| case s.Field != "": | ||
| return fmt.Sprintf("%s: %s", s.Err, s.Field) | ||
| default: | ||
| return s.Err.Error() | ||
| } | ||
| } | ||
|
|
||
| func (s *ValidationError) Unwrap() error { | ||
| return s.Err | ||
| } | ||
|
|
||
| // ParseFilterOperator validates a raw operator string and returns the corresponding FilterOperator. | ||
| func ParseFilterOperator(raw string) (FilterOperator, error) { | ||
| switch operator := FilterOperator(raw); operator { | ||
| case GreaterThan, GreaterThanOrEquals, LessThan, LessThanOrEquals, Equals, NotEquals, ApproximatelyEquals: | ||
| return operator, nil | ||
| default: | ||
| return "", fmt.Errorf("%w: unknown predicate %q", ErrMalformedFilter, raw) | ||
| } | ||
| } | ||
|
|
||
| // FilterSetOperator describes how multiple filters on the same column are combined. | ||
| type FilterSetOperator string | ||
|
|
||
| const ( | ||
| FilterAnd FilterSetOperator = "AND" | ||
| FilterOr FilterSetOperator = "OR" | ||
| ) | ||
|
|
||
| // Filter is a single validated filter applied to a field. | ||
| type Filter struct { | ||
| Field string | ||
| Operator FilterOperator | ||
| Value string | ||
| SetOperator FilterSetOperator | ||
| IsStringData bool | ||
| } | ||
|
|
||
| // Filters maps a field name to the set of filters applied to it. | ||
| type Filters map[string][]Filter | ||
|
|
||
| // FilterableField describes a single field that may be filtered on. It carries the set of operators the | ||
| // field supports, IsStringData (whether the field holds string data), and SetOperator (how multiple | ||
| // filters applied to the field are combined). An empty SetOperator defaults to FilterAnd. | ||
| type FilterableField struct { | ||
| Operators []FilterOperator | ||
| IsStringData bool | ||
| SetOperator FilterSetOperator | ||
| } | ||
|
|
||
| // Filterable is implemented by types that expose the fields that may be filtered along with each | ||
| // field's supported operators and data typing. | ||
| type Filterable interface { | ||
| ValidFilters() map[string]FilterableField | ||
| } |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,83 @@ | ||
| // Copyright 2026 Specter Ops, Inc. | ||
| // | ||
| // Licensed under the Apache License, Version 2.0 | ||
| // you may not use this file except in compliance with the License. | ||
| // You may obtain a copy of the License at | ||
| // | ||
| // http://www.apache.org/licenses/LICENSE-2.0 | ||
| // | ||
| // Unless required by applicable law or agreed to in writing, software | ||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
| // | ||
| // SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| package filters | ||
|
|
||
| import ( | ||
| "net/url" | ||
| "regexp" | ||
| "slices" | ||
| ) | ||
|
|
||
| // QueryParameterFilterParser extracts filters from request query parameters. Parameters whose names are | ||
| // listed in ignoredParameters are skipped, allowing callers to exclude application-specific concerns such | ||
| // as pagination parameters without coupling this package to them. | ||
| type QueryParameterFilterParser struct { | ||
| valuePattern *regexp.Regexp | ||
| ignoredParameters []string | ||
| } | ||
|
|
||
| // NewQueryParameterFilterParser returns a parser that ignores the supplied query parameter names. | ||
| func NewQueryParameterFilterParser(ignoredParameters ...string) QueryParameterFilterParser { | ||
| return QueryParameterFilterParser{ | ||
| valuePattern: regexp.MustCompile(`([~\w]+):([\w\--_ ]+)`), | ||
| ignoredParameters: ignoredParameters, | ||
| } | ||
| } | ||
|
Comment on lines
+34
to
+39
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win 🧩 Analysis chain🌐 Web query:
💡 Result: In Go's regexp package (which is based on the RE2 engine), the behavior of the expression [\w--_ ] inside a character class is as follows: The backslash \ before the first hyphen acts as an escape, treating it as a literal hyphen character within the character class [1][2]. Consequently, it does not function as a range operator. When the RE2 parser encounters the sequence -, it consumes the hyphen as a literal character element [2][3]. The subsequent hyphen in your expression (--) is then interpreted as a range operator because it is placed between the literal hyphen (from -) and the underscore character [4][5]. Therefore, the expression [\w-- ] expands to include: 1. All characters matched by \w (the word characters: [0-9A-Za-z_]) [6][7]. 2. A literal hyphen (the result of the - escape) [2]. 3. The range of characters from hyphen to underscore (hyphen through underscore, inclusive) [5]. 4. The space character [6]. Because the range --_ spans characters in the ASCII table where the hyphen (ASCII 45) comes before the underscore (ASCII 95), this effectively adds all characters between those two points (including punctuation like slash, colon, etc.) to the character class [6][5]. Using an escape before a hyphen is a reliable way to include a literal hyphen in a character class without triggering range behavior [2]. Citations:
🏁 Script executed: #!/bin/bash
set -euo pipefail
# Inspect the parser and its tests around the regex/matching behavior.
git ls-files packages/go/filters/parser.go packages/go/filters/parser_test.go
echo '--- parser.go ---'
cat -n packages/go/filters/parser.go
echo '--- parser_test.go ---'
cat -n packages/go/filters/parser_test.go
# Programmatic probe for the regex semantics in Go.
python3 - <<'PY'
import re
pattern = r'([~\w]+):([\w\--_ ]+)'
samples = [
"eq:foo",
"eq:foo-bar",
"eq:foo/bar",
"junk eq:foo",
"eq:foo:bar",
]
print("Python-re module is not Go RE2, so this is only a placeholder for structure.")
print("Use the Go regexp docs / repo tests for the actual semantics.")
for s in samples:
m = re.search(pattern, s)
print(s, "=>", m.groups() if m else None)
PYRepository: SpecterOps/BloodHound Length of output: 12447 🏁 Script executed: #!/bin/bash
set -euo pipefail
# Search for documented/expected filter value syntax beyond parser_test.go.
rg -n "auth\.value|hello world|QueryParameterFilterParser|ParseAndValidate|operator:value|filter" packages/go -g '!**/*vendor*'
# Inspect any additional parser-related tests or docs in the repository.
fd -a -t f 'README.md' . packages/go
fd -a -t f '*filter*' packages/goRepository: SpecterOps/BloodHound Length of output: 50377 🏁 Script executed: #!/bin/bash
set -euo pipefail
echo '--- packages/go/openapi/src/schemas/api.params.predicate.filter.string.yaml ---'
cat -n packages/go/openapi/src/schemas/api.params.predicate.filter.string.yaml
echo '--- packages/go/openapi/src/paths/config.config.yaml ---'
cat -n packages/go/openapi/src/paths/config.config.yaml
echo '--- parser test excerpt ---'
sed -n '54,90p' packages/go/filters/parser_test.goRepository: SpecterOps/BloodHound Length of output: 6379 Reject partial filter matches in 🤖 Prompt for AI Agents |
||
|
|
||
| // ParseAndValidate parses the supplied query parameters and validates them against the Filterable schema | ||
| // in a single pass, returning a fully-enriched Filters value. Every returned Filter has its SetOperator | ||
| // and IsStringData populated from the column definition. On failure it returns a *ValidationError wrapping | ||
| // one of the validation sentinels. | ||
| func (s QueryParameterFilterParser) ParseAndValidate(values url.Values, filterable Filterable) (Filters, error) { | ||
| var ( | ||
| validFields = filterable.ValidFilters() | ||
| parsedFilters = Filters{} | ||
| ) | ||
|
|
||
| for name, fieldValues := range values { | ||
| if slices.Contains(s.ignoredParameters, name) { | ||
| continue | ||
| } | ||
|
|
||
| for _, value := range fieldValues { | ||
| if subgroups := s.valuePattern.FindStringSubmatch(value); len(subgroups) == 0 { | ||
| continue | ||
| } else if operator, err := ParseFilterOperator(subgroups[1]); err != nil { | ||
| return nil, &ValidationError{Err: err} | ||
| } else if field, isFilterable := validFields[name]; !isFilterable { | ||
| return nil, &ValidationError{Err: ErrFieldNotFilterable, Field: name} | ||
| } else if !slices.Contains(field.Operators, operator) { | ||
| return nil, &ValidationError{Err: ErrOperatorNotSupported, Field: name, Operator: operator} | ||
| } else { | ||
| setOperator := field.SetOperator | ||
| if setOperator == "" { | ||
| setOperator = FilterAnd | ||
| } | ||
|
|
||
| parsedFilters[name] = append(parsedFilters[name], Filter{ | ||
| Field: name, | ||
| Operator: operator, | ||
| Value: subgroups[2], | ||
| SetOperator: setOperator, | ||
| IsStringData: field.IsStringData, | ||
| }) | ||
| } | ||
| } | ||
| } | ||
|
|
||
| return parsedFilters, nil | ||
| } | ||
Uh oh!
There was an error while loading. Please reload this page.