From 0021561fb11c70af019a6742fe662ae25da0b365 Mon Sep 17 00:00:00 2001
From: Jafer Khan
Date: Tue, 31 Mar 2020 02:20:05 +0500
Subject: [PATCH] Raise an error on including invalid query string parameter(s) in read operations

---
 .../java/ca/uhn/fhir/rest/api/Constants.java | 2 ++
 .../ca/uhn/fhir/i18n/hapi-messages.properties | 2 ++
 .../rest/server/method/ReadMethodBinding.java | 19 ++++++++++++++++++-
 3 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/api/Constants.java b/hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/api/Constants.java
index 09dfbae3d4f..9628034b3f9 100644
--- a/hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/api/Constants.java
+++ b/hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/api/Constants.java
@@ -149,6 +149,8 @@ public class Constants {
 */
 public static final String PARAM_BUNDLETYPE = "_bundletype";
 public static final String PARAM_FILTER = "_filter";
+ public static final String PARAM_CONTAINED = "_contained";
+ public static final String PARAM_CONTAINED_TYPE = "_containedType";
 public static final String PARAM_CONTENT = "_content";
 public static final String PARAM_COUNT = "_count";
 public static final String PARAM_DELETE = "_delete";
diff --git a/hapi-fhir-base/src/main/resources/ca/uhn/fhir/i18n/hapi-messages.properties b/hapi-fhir-base/src/main/resources/ca/uhn/fhir/i18n/hapi-messages.properties
index bc15d09dc64..a0dc8e9b51e 100644
--- a/hapi-fhir-base/src/main/resources/ca/uhn/fhir/i18n/hapi-messages.properties
+++ b/hapi-fhir-base/src/main/resources/ca/uhn/fhir/i18n/hapi-messages.properties
@@ -36,6 +36,8 @@ ca.uhn.fhir.rest.server.method.IncludeParameter.orIncludeInRequest='OR' query pa
 ca.uhn.fhir.rest.server.method.PageMethodBinding.unknownSearchId=Search ID "{0}" does not exist and may have expired
+ca.uhn.fhir.rest.server.method.ReadMethodBinding.invalidParamsInRequest=Invalid query parameter(s) for this request: "{0}"
+
 ca.uhn.fhir.rest.server.method.SearchMethodBinding.invalidSpecialParamName=Method [{0}] in provider [{1}] contains search parameter annotated to use name [{2}] - This name is reserved according to the FHIR specification and can not be used as a search parameter name.
 ca.uhn.fhir.rest.server.method.SearchMethodBinding.idWithoutCompartment=Method [{0}] in provider [{1}] has an @IdParam parameter. This is only allowable for compartment search (e.g. @Search(compartment="foo") )
 ca.uhn.fhir.rest.server.method.SearchMethodBinding.idNullForCompartmentSearch=ID parameter can not be null or empty for compartment search
diff --git a/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/method/ReadMethodBinding.java b/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/method/ReadMethodBinding.java
index facae61707d..538b8652c52 100644
--- a/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/method/ReadMethodBinding.java
+++ b/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/method/ReadMethodBinding.java
@@ -51,6 +51,7 @@ import java.lang.reflect.Method;
 import java.util.ArrayList;
 import java.util.Date;
 import java.util.List;
+import java.util.Set;
 import static org.apache.commons.lang3.StringUtils.isNotBlank;
@@ -153,6 +154,22 @@ public class ReadMethodBinding extends BaseResourceReturningMethodBinding {
 @Override
 public IBundleProvider invokeServer(IRestfulServer theServer, RequestDetails theRequest, Object[] theMethodParams) throws InvalidRequestException, InternalErrorException {
 IIdType requestId = theRequest.getId();
+ FhirContext ctx = theRequest.getServer().getFhirContext();
+
+ String[] invalidQueryStringParams = new String[]{Constants.PARAM_CONTAINED, Constants.PARAM_COUNT, Constants.PARAM_INCLUDE, Constants.PARAM_REVINCLUDE, Constants.PARAM_SORT, Constants.PARAM_SEARCH_TOTAL_MODE};
+ List invalidQueryStringParamsInRequest = new ArrayList<>();
+ Set queryStringParamsInRequest = theRequest.getParameters().keySet();
+
+ for (String queryStringParamName : queryStringParamsInRequest) {
+ String lowercaseQueryStringParamName = queryStringParamName.toLowerCase();
+ if (StringUtils.startsWithAny(lowercaseQueryStringParamName, invalidQueryStringParams)) {
+ invalidQueryStringParamsInRequest.add(queryStringParamName);
+ }
+ }
+
+ if (!invalidQueryStringParamsInRequest.isEmpty()) {
+ throw new InvalidRequestException(ctx.getLocalizer().getMessage(ReadMethodBinding.class, "invalidParamsInRequest", invalidQueryStringParamsInRequest));
+ }
 
 theMethodParams[myIdIndex] = ParameterUtil.convertIdToType(requestId, myIdParameterType);
@@ -201,7 +218,7 @@ public class ReadMethodBinding extends BaseResourceReturningMethodBinding {
 }
 }
 // if we have at least 1 result
-
+
 return retVal;
 }
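Review bot: The case fold in invokeServer's new parameter check uses the platform default locale (`queryStringParamName.toLowerCase()`), so what gets rejected depends on the JVM's locale — under Turkish-style casing an upper-case `_INCLUDE` folds to a dotless-ı form that no longer starts with `_include` and is waved through — and it should be `queryStringParamName.toLowerCase(Locale.ROOT)` (adding `import java.util.Locale;`), or dropped entirely, since the constants it is compared against are already lowercase and FHIR parameter names are, as far as I know, case-sensitive anyway. The denylist `invalidQueryStringParams` is also re-allocated on every read; hoist it to a `private static final String[]` on the class with a comment noting that `StringUtils.startsWithAny` is a prefix match, so `_contained` also catches the newly added `_containedType` (which is why `Constants.PARAM_CONTAINED_TYPE` is declared in this patch but never referenced) and `_sort` catches modifier forms such as `_sort:asc`. Because it is a prefix denylist of six names rather than the full set of search-only parameters, other search-only names (`_filter`, `_content`, `_has`, `_lastUpdated`, …) still reach the read handler despite the commit title, so either document that gap or extend the array. `List` and `Set` appear raw here — if that is not just the generic arguments being lost in rendering, they should be `List<String>` and `Set<String>`. invokeServer's body continues past the end of this hunk.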