Posted to commits@fineract.apache.org by av...@apache.org on 2018/03/09 19:44:25 UTC
[01/10] fineract git commit: Injection fix
Repository: fineract
Updated Branches:
refs/heads/1.1.0 17fd243ae -> d2b341159
Injection fix
Project: http://git-wip-us.apache.org/repos/asf/fineract/repo
Commit: http://git-wip-us.apache.org/repos/asf/fineract/commit/e7035d1f
Tree: http://git-wip-us.apache.org/repos/asf/fineract/tree/e7035d1f
Diff: http://git-wip-us.apache.org/repos/asf/fineract/diff/e7035d1f
Branch: refs/heads/1.1.0
Commit: e7035d1f394bd4f65603cc9a31d79d44f1dc73ef
Parents: 17fd243
Author: Avik Ganguly <av...@gmail.com>
Authored: Sat Jan 20 10:00:51 2018 +0530
Committer: Avik Ganguly <av...@gmail.com>
Committed: Sat Jan 20 10:00:51 2018 +0530
----------------------------------------------------------------------
.../JournalEntryReadPlatformServiceImpl.java | 11 +++++--
.../service/AuditReadPlatformServiceImpl.java | 2 ++
.../SchedulerJobRunnerReadServiceImpl.java | 9 ++++--
...ReportMailingJobReadPlatformServiceImpl.java | 9 ++++--
...ingJobRunHistoryReadPlatformServiceImpl.java | 9 ++++--
.../security/utils/ColumnValidator.java | 30 +++++++++++---------
.../security/utils/SQLInjectionValidator.java | 2 +-
.../sms/service/SmsReadPlatformServiceImpl.java | 9 ++++--
.../NotificationReadPlatformServiceImpl.java | 26 +++++++++++------
.../service/OfficeReadPlatformServiceImpl.java | 10 +++++--
...AccountTransfersReadPlatformServiceImpl.java | 12 ++++++--
...structionHistoryReadPlatformServiceImpl.java | 9 ++++--
...ndingInstructionReadPlatformServiceImpl.java | 9 ++++--
.../service/ClientReadPlatformServiceImpl.java | 3 +-
.../service/CenterReadPlatformServiceImpl.java | 5 ++++
.../service/GroupReadPlatformServiceImpl.java | 4 +++
.../service/LoanReadPlatformServiceImpl.java | 2 ++
...nHoldTransactionReadPlatformServiceImpl.java | 8 +++++-
.../SavingsAccountReadPlatformServiceImpl.java | 4 ++-
...eAccountDividendReadPlatformServiceImpl.java | 11 +++++--
...eProductDividendReadPlatformServiceImpl.java | 12 ++++++--
21 files changed, 146 insertions(+), 50 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/accounting/journalentry/service/JournalEntryReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/accounting/journalentry/service/JournalEntryReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/accounting/journalentry/service/JournalEntryReadPlatformServiceImpl.java
index 49efaa0..928ed40 100755
--- a/fineract-provider/src/main/java/org/apache/fineract/accounting/journalentry/service/JournalEntryReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/accounting/journalentry/service/JournalEntryReadPlatformServiceImpl.java
@@ -49,6 +49,7 @@ import org.apache.fineract.infrastructure.core.service.Page;
import org.apache.fineract.infrastructure.core.service.PaginationHelper;
import org.apache.fineract.infrastructure.core.service.RoutingDataSource;
import org.apache.fineract.infrastructure.core.service.SearchParameters;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.apache.fineract.organisation.monetary.data.CurrencyData;
import org.apache.fineract.organisation.office.data.OfficeData;
import org.apache.fineract.organisation.office.service.OfficeReadPlatformService;
@@ -74,18 +75,22 @@ public class JournalEntryReadPlatformServiceImpl implements JournalEntryReadPlat
private final JdbcTemplate jdbcTemplate;
private final GLAccountReadPlatformService glAccountReadPlatformService;
private final OfficeReadPlatformService officeReadPlatformService;
+ private final ColumnValidator columnValidator;
private final FinancialActivityAccountRepositoryWrapper financialActivityAccountRepositoryWrapper;
private final PaginationHelper<JournalEntryData> paginationHelper = new PaginationHelper<>();
@Autowired
public JournalEntryReadPlatformServiceImpl(final RoutingDataSource dataSource,
- final GLAccountReadPlatformService glAccountReadPlatformService, final OfficeReadPlatformService officeReadPlatformService,
+ final GLAccountReadPlatformService glAccountReadPlatformService,
+ final ColumnValidator columnValidator,
+ final OfficeReadPlatformService officeReadPlatformService,
final FinancialActivityAccountRepositoryWrapper financialActivityAccountRepositoryWrapper) {
this.jdbcTemplate = new JdbcTemplate(dataSource);
this.glAccountReadPlatformService = glAccountReadPlatformService;
this.officeReadPlatformService = officeReadPlatformService;
this.financialActivityAccountRepositoryWrapper = financialActivityAccountRepositoryWrapper;
+ this.columnValidator = columnValidator;
}
private static final class GLJournalEntryMapper implements RowMapper<JournalEntryData> {
@@ -356,9 +361,11 @@ public class JournalEntryReadPlatformServiceImpl implements JournalEntryReadPlat
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy());
-
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
+
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
}
} else {
sqlBuilder.append(" order by journalEntry.entry_date, journalEntry.id");
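Review bot: The second check on the sort-order line re-validates `searchParameters.getOrderBy()` rather than the value that was just appended, so `getSortOrder()` reaches the query without the check that every other service in this commit applies to it. Change the second call to `this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());`. Since a sort direction can only legitimately be `ASC` or `DESC`, a strict equalsIgnoreCase allow-list on that value would be a tighter control than a column-name validator, but that applies to all the services touched here. The enclosing method starts before this hunk.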
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/commands/service/AuditReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/commands/service/AuditReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/commands/service/AuditReadPlatformServiceImpl.java
index 1315055..447fbb5 100755
--- a/fineract-provider/src/main/java/org/apache/fineract/commands/service/AuditReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/commands/service/AuditReadPlatformServiceImpl.java
@@ -218,12 +218,14 @@ public class AuditReadPlatformServiceImpl implements AuditReadPlatformService {
this.columnValidator.validateSqlInjection(sqlBuilder.toString(), extraCriteria);
if (parameters.isOrderByRequested()) {
sqlBuilder.append(' ').append(parameters.orderBySql());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), parameters.orderBySql());
} else {
sqlBuilder.append(' ').append(' ').append(" order by aud.id DESC");
}
if (parameters.isLimited()) {
sqlBuilder.append(' ').append(parameters.limitSql());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), parameters.limitSql());
}
logger.info("sql: " + sqlBuilder.toString());
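Review bot: Routing `parameters.limitSql()` through `validateSqlInjection` checks the clause as if it named columns, which is not what a LIMIT/OFFSET fragment contains, and whether it adds anything depends on how `limitSql()` is built, which is not visible here. If limit and offset are already held as integers the call is redundant; if they are strings, a numeric range check on the raw values before the clause is built is the appropriate control. The untouched `logger.info("sql: " + sqlBuilder.toString())` line below writes the fully assembled, caller-influenced query at INFO level on every request; DEBUG is the usual level for a query log. The enclosing method starts before this hunk.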
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/infrastructure/jobs/service/SchedulerJobRunnerReadServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/jobs/service/SchedulerJobRunnerReadServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/jobs/service/SchedulerJobRunnerReadServiceImpl.java
index b61b8da..f692fe6 100755
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/jobs/service/SchedulerJobRunnerReadServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/jobs/service/SchedulerJobRunnerReadServiceImpl.java
@@ -31,6 +31,7 @@ import org.apache.fineract.infrastructure.jobs.data.JobDetailData;
import org.apache.fineract.infrastructure.jobs.data.JobDetailHistoryData;
import org.apache.fineract.infrastructure.jobs.exception.JobNotFoundException;
import org.apache.fineract.infrastructure.jobs.exception.OperationNotAllowedException;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.jdbc.core.JdbcTemplate;
@@ -41,12 +42,15 @@ import org.springframework.stereotype.Service;
public class SchedulerJobRunnerReadServiceImpl implements SchedulerJobRunnerReadService {
private final JdbcTemplate jdbcTemplate;
+ private final ColumnValidator columnValidator;
private final PaginationHelper<JobDetailHistoryData> paginationHelper = new PaginationHelper<>();
@Autowired
- public SchedulerJobRunnerReadServiceImpl(final RoutingDataSource dataSource) {
+ public SchedulerJobRunnerReadServiceImpl(final RoutingDataSource dataSource,
+ final ColumnValidator columnValidator) {
this.jdbcTemplate = new JdbcTemplate(dataSource);
+ this.columnValidator = columnValidator;
}
@Override
@@ -79,9 +83,10 @@ public class SchedulerJobRunnerReadServiceImpl implements SchedulerJobRunnerRead
sqlBuilder.append(" where job.id=?");
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy());
-
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());
}
}
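Review bot: `searchParameters.getSortOrder()` can only legitimately be `ASC` or `DESC`, yet it is passed through a column-name validator whose verdict for those two tokens depends on `ColumnValidator` internals not shown in this hunk. A direct allow-list is both stricter and easier to reason about, e.g. `if (!"ASC".equalsIgnoreCase(sortOrder) && !"DESC".equalsIgnoreCase(sortOrder)) { /* reject */ }`, ideally applied once where `SearchParameters` is built so every read service benefits. The same append-then-validate pattern is repeated in the other services in this commit. The enclosing method continues outside this hunk.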
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobReadPlatformServiceImpl.java
index afec180..4e20d4a 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobReadPlatformServiceImpl.java
@@ -36,6 +36,7 @@ import org.apache.fineract.infrastructure.reportmailingjob.data.ReportMailingJob
import org.apache.fineract.infrastructure.reportmailingjob.data.ReportMailingJobStretchyReportParamDateOption;
import org.apache.fineract.infrastructure.reportmailingjob.data.ReportMailingJobTimelineData;
import org.apache.fineract.infrastructure.reportmailingjob.exception.ReportMailingJobNotFoundException;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.joda.time.DateTime;
import org.joda.time.LocalDate;
import org.springframework.beans.factory.annotation.Autowired;
@@ -47,10 +48,13 @@ import org.springframework.stereotype.Service;
@Service
public class ReportMailingJobReadPlatformServiceImpl implements ReportMailingJobReadPlatformService {
private final JdbcTemplate jdbcTemplate;
+ private final ColumnValidator columnValidator;
@Autowired
- public ReportMailingJobReadPlatformServiceImpl(final RoutingDataSource dataSource) {
+ public ReportMailingJobReadPlatformServiceImpl(final RoutingDataSource dataSource,
+ final ColumnValidator columnValidator) {
this.jdbcTemplate = new JdbcTemplate(dataSource);
+ this.columnValidator = columnValidator;
}
@Override
@@ -66,9 +70,10 @@ public class ReportMailingJobReadPlatformServiceImpl implements ReportMailingJob
if (searchParameters.isOrderByRequested()) {
sqlStringBuilder.append(" order by ").append(searchParameters.getOrderBy());
-
+ this.columnValidator.validateSqlInjection(sqlStringBuilder.toString(), searchParameters.getOrderBy());
if (searchParameters.isSortOrderProvided()) {
sqlStringBuilder.append(" ").append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlStringBuilder.toString(), searchParameters.getSortOrder());
}
} else {
sqlStringBuilder.append(" order by rmj.name ");
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobRunHistoryReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobRunHistoryReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobRunHistoryReadPlatformServiceImpl.java
index 4aeb68f..01002d6 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobRunHistoryReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobRunHistoryReadPlatformServiceImpl.java
@@ -29,6 +29,7 @@ import org.apache.fineract.infrastructure.core.service.PaginationHelper;
import org.apache.fineract.infrastructure.core.service.RoutingDataSource;
import org.apache.fineract.infrastructure.core.service.SearchParameters;
import org.apache.fineract.infrastructure.reportmailingjob.data.ReportMailingJobRunHistoryData;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.joda.time.DateTime;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.jdbc.core.JdbcTemplate;
@@ -39,12 +40,15 @@ import org.springframework.stereotype.Service;
public class ReportMailingJobRunHistoryReadPlatformServiceImpl implements ReportMailingJobRunHistoryReadPlatformService {
private final JdbcTemplate jdbcTemplate;
private final ReportMailingJobRunHistoryMapper reportMailingJobRunHistoryMapper;
+ private final ColumnValidator columnValidator;
private final PaginationHelper<ReportMailingJobRunHistoryData> paginationHelper = new PaginationHelper<>();
@Autowired
- public ReportMailingJobRunHistoryReadPlatformServiceImpl(final RoutingDataSource dataSource) {
+ public ReportMailingJobRunHistoryReadPlatformServiceImpl(final RoutingDataSource dataSource,
+ final ColumnValidator columnValidator) {
this.jdbcTemplate = new JdbcTemplate(dataSource);
this.reportMailingJobRunHistoryMapper = new ReportMailingJobRunHistoryMapper();
+ this.columnValidator = columnValidator;
}
@Override
@@ -63,9 +67,10 @@ public class ReportMailingJobRunHistoryReadPlatformServiceImpl implements Report
if (searchParameters.isOrderByRequested()) {
sqlStringBuilder.append(" order by ").append(searchParameters.getOrderBy());
-
+ this.columnValidator.validateSqlInjection(sqlStringBuilder.toString(), searchParameters.getOrderBy());
if (searchParameters.isSortOrderProvided()) {
sqlStringBuilder.append(" ").append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlStringBuilder.toString(), searchParameters.getSortOrder());
}
}
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/ColumnValidator.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/ColumnValidator.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/ColumnValidator.java
index c2a261a..e109687 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/ColumnValidator.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/ColumnValidator.java
@@ -90,21 +90,23 @@ public class ColumnValidator {
return columns;
}
- public void validateSqlInjection(String schema, String condition) {
- SQLInjectionValidator.validateSQLInput(condition);
- List<String> operator = new ArrayList<>(Arrays.asList("=", ">", "<",
- "> =", "< =", "! =", "!=", ">=", "<="));
- condition = condition.trim().replace("( ", "(").replace(" )", ")")
- .toLowerCase();
- for (String op : operator) {
- condition = replaceAll(condition, op).replaceAll(" +", " ");
+ public void validateSqlInjection(String schema, String... conditions) {
+ for(String condition: conditions) {
+ SQLInjectionValidator.validateSQLInput(condition);
+ List<String> operator = new ArrayList<>(Arrays.asList("=", ">", "<",
+ "> =", "< =", "! =", "!=", ">=", "<="));
+ condition = condition.trim().replace("( ", "(").replace(" )", ")")
+ .toLowerCase();
+ for (String op : operator) {
+ condition = replaceAll(condition, op).replaceAll(" +", " ");
+ }
+ Set<String> operands = getOperand(condition);
+ schema = schema.trim().replaceAll(" +", " ").toLowerCase();
+ Map<String, Set<String>> tableColumnAliasMap = getTableColumnAliasMap(operands);
+ Map<String, Set<String>> tableColumnMap = getTableColumnMap(schema,
+ tableColumnAliasMap);
+ validateColumn(tableColumnMap);
}
- Set<String> operands = getOperand(condition);
- schema = schema.trim().replaceAll(" +", " ").toLowerCase();
- Map<String, Set<String>> tableColumnAliasMap = getTableColumnAliasMap(operands);
- Map<String, Set<String>> tableColumnMap = getTableColumnMap(schema,
- tableColumnAliasMap);
- validateColumn(tableColumnMap);
}
private static Map<String, Set<String>> getTableColumnMap(String schema,
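Review bot: Inside the new loop, `schema` is re-normalized and the operator list is rebuilt on every iteration although neither depends on `condition`; hoist both out of the loop (the operators to a `static final` list) so the per-condition body only does per-condition work. The `toLowerCase()` calls on both `condition` and `schema` are locale-sensitive; for a check that compares identifiers against a schema, use `toLowerCase(Locale.ROOT)` so the result cannot change with the JVM default locale (needs `java.util.Locale`). Whether a null element of `conditions` is rejected before `condition.trim()` depends on `SQLInjectionValidator.validateSQLInput`, which is not visible here. The class continues outside this hunk.
```java
    private static final List<String> OPERATORS = Arrays.asList("=", ">", "<",
            "> =", "< =", "! =", "!=", ">=", "<=");

    public void validateSqlInjection(String schema, String... conditions) {
        final String normalizedSchema = schema.trim().replaceAll(" +", " ").toLowerCase(Locale.ROOT);
        for (String condition : conditions) {
            SQLInjectionValidator.validateSQLInput(condition);
            condition = condition.trim().replace("( ", "(").replace(" )", ")").toLowerCase(Locale.ROOT);
            for (String op : OPERATORS) {
                condition = replaceAll(condition, op).replaceAll(" +", " ");
            }
            Set<String> operands = getOperand(condition);
            Map<String, Set<String>> tableColumnAliasMap = getTableColumnAliasMap(operands);
            Map<String, Set<String>> tableColumnMap = getTableColumnMap(normalizedSchema, tableColumnAliasMap);
            validateColumn(tableColumnMap);
        }
    }
```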
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
index d03b2f4..2fd6746 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
@@ -24,7 +24,7 @@ import java.util.regex.Pattern;
public class SQLInjectionValidator {
- private final static String[] DDL_COMMANDS = { "create", "drop", "alter", "truncate", "comment" };
+ private final static String[] DDL_COMMANDS = { "create", "drop", "alter", "truncate", "comment", "sleep" };
private final static String[] DML_COMMANDS = { "select", "insert", "update", "delete", "merge", "upsert", "call" };
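Review bot: `sleep` is not a DDL command, and adding it to `DDL_COMMANDS` without a comment hides why it is there; if the intent is to catch time-based blind-injection probes, `benchmark` is the other MySQL primitive commonly used for that and is missing. Consider `private final static String[] DDL_COMMANDS = { "create", "drop", "alter", "truncate", "comment", "sleep", "benchmark" };` with a comment such as `// "sleep"/"benchmark" are not DDL: rejected because they are time-based blind-injection probes`. How these tokens are matched (substring versus whole word) is not visible in this hunk, so the false-positive impact on legitimate identifiers containing these substrings cannot be judged here; a keyword blocklist remains a secondary control behind the column allow-listing in `ColumnValidator`.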
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/infrastructure/sms/service/SmsReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/sms/service/SmsReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/sms/service/SmsReadPlatformServiceImpl.java
index 5ad0eac..dfd82c8 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/sms/service/SmsReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/sms/service/SmsReadPlatformServiceImpl.java
@@ -33,6 +33,7 @@ import org.apache.fineract.infrastructure.core.service.Page;
import org.apache.fineract.infrastructure.core.service.PaginationHelper;
import org.apache.fineract.infrastructure.core.service.RoutingDataSource;
import org.apache.fineract.infrastructure.core.service.SearchParameters;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.apache.fineract.infrastructure.sms.data.SmsData;
import org.apache.fineract.infrastructure.sms.domain.SmsMessageEnumerations;
import org.apache.fineract.infrastructure.sms.domain.SmsMessageStatusType;
@@ -49,11 +50,14 @@ public class SmsReadPlatformServiceImpl implements SmsReadPlatformService {
private final JdbcTemplate jdbcTemplate;
private final SmsMapper smsRowMapper;
private final PaginationHelper<SmsData> paginationHelper = new PaginationHelper<>();
+ private final ColumnValidator columnValidator;
@Autowired
- public SmsReadPlatformServiceImpl(final RoutingDataSource dataSource) {
+ public SmsReadPlatformServiceImpl(final RoutingDataSource dataSource,
+ final ColumnValidator columnValidator) {
this.jdbcTemplate = new JdbcTemplate(dataSource);
this.smsRowMapper = new SmsMapper();
+ this.columnValidator = columnValidator;
}
private static final class SmsMapper implements RowMapper<SmsData> {
@@ -224,9 +228,10 @@ public class SmsReadPlatformServiceImpl implements SmsReadPlatformService {
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy());
-
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());
}
} else {
sqlBuilder.append(" order by smo.submittedon_date, smo.id");
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/notification/service/NotificationReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/notification/service/NotificationReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/notification/service/NotificationReadPlatformServiceImpl.java
index 799fddf..4d3dc6a 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/notification/service/NotificationReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/notification/service/NotificationReadPlatformServiceImpl.java
@@ -18,8 +18,18 @@
*/
package org.apache.fineract.notification.service;
-import org.apache.fineract.infrastructure.core.service.*;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.util.HashMap;
+import java.util.List;
+
+import org.apache.fineract.infrastructure.core.service.Page;
+import org.apache.fineract.infrastructure.core.service.PaginationHelper;
+import org.apache.fineract.infrastructure.core.service.RoutingDataSource;
+import org.apache.fineract.infrastructure.core.service.SearchParameters;
+import org.apache.fineract.infrastructure.core.service.ThreadLocalContextUtil;
import org.apache.fineract.infrastructure.security.service.PlatformSecurityContext;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.apache.fineract.notification.cache.CacheNotificationResponseHeader;
import org.apache.fineract.notification.data.NotificationData;
import org.apache.fineract.notification.data.NotificationMapperData;
@@ -28,16 +38,12 @@ import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.stereotype.Service;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.util.HashMap;
-import java.util.List;
-
@Service
public class NotificationReadPlatformServiceImpl implements NotificationReadPlatformService {
private final JdbcTemplate jdbcTemplate;
private final PlatformSecurityContext context;
+ private final ColumnValidator columnValidator;
private final PaginationHelper<NotificationData> paginationHelper = new PaginationHelper<>();
private final NotificationDataRow notificationDataRow = new NotificationDataRow();
private final NotificationMapperRow notificationMapperRow = new NotificationMapperRow();
@@ -45,9 +51,12 @@ public class NotificationReadPlatformServiceImpl implements NotificationReadPlat
tenantNotificationResponseHeaderCache = new HashMap<>();
@Autowired
- public NotificationReadPlatformServiceImpl(final RoutingDataSource dataSource, final PlatformSecurityContext context) {
+ public NotificationReadPlatformServiceImpl(final RoutingDataSource dataSource,
+ final PlatformSecurityContext context,
+ final ColumnValidator columnValidator) {
this.jdbcTemplate = new JdbcTemplate(dataSource);
this.context = context;
+ this.columnValidator = columnValidator;
}
@Override
@@ -139,9 +148,10 @@ public class NotificationReadPlatformServiceImpl implements NotificationReadPlat
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy());
-
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());
}
}
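Review bot: The order-by and sort-order fragments are appended to `sqlBuilder` before they are validated, so the safety of this path rests entirely on `validateSqlInjection` throwing rather than returning a result; should it ever be changed to return a boolean, the tainted builder would still be executed. Validating the raw fragment first and appending only afterwards removes that coupling, e.g. `this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy()); sqlBuilder.append(" order by ").append(searchParameters.getOrderBy());`, provided the validator only needs the FROM/JOIN portion of the query to resolve aliases, which is not visible here. The enclosing method continues outside this hunk.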
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/organisation/office/service/OfficeReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/organisation/office/service/OfficeReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/organisation/office/service/OfficeReadPlatformServiceImpl.java
index 769b2a1..ffc9f57 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/organisation/office/service/OfficeReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/organisation/office/service/OfficeReadPlatformServiceImpl.java
@@ -28,6 +28,7 @@ import org.apache.fineract.infrastructure.core.domain.JdbcSupport;
import org.apache.fineract.infrastructure.core.service.RoutingDataSource;
import org.apache.fineract.infrastructure.core.service.SearchParameters;
import org.apache.fineract.infrastructure.security.service.PlatformSecurityContext;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.apache.fineract.organisation.monetary.data.CurrencyData;
import org.apache.fineract.organisation.monetary.service.CurrencyReadPlatformService;
import org.apache.fineract.organisation.office.data.OfficeData;
@@ -48,13 +49,17 @@ public class OfficeReadPlatformServiceImpl implements OfficeReadPlatformService
private final JdbcTemplate jdbcTemplate;
private final PlatformSecurityContext context;
private final CurrencyReadPlatformService currencyReadPlatformService;
+ private final ColumnValidator columnValidator;
private final static String nameDecoratedBaseOnHierarchy = "concat(substring('........................................', 1, ((LENGTH(o.hierarchy) - LENGTH(REPLACE(o.hierarchy, '.', '')) - 1) * 4)), o.name)";
@Autowired
public OfficeReadPlatformServiceImpl(final PlatformSecurityContext context,
- final CurrencyReadPlatformService currencyReadPlatformService, final RoutingDataSource dataSource) {
+ final CurrencyReadPlatformService currencyReadPlatformService,
+ final RoutingDataSource dataSource,
+ final ColumnValidator columnValidator) {
this.context = context;
this.currencyReadPlatformService = currencyReadPlatformService;
+ this.columnValidator = columnValidator;
this.jdbcTemplate = new JdbcTemplate(dataSource);
}
@@ -159,9 +164,10 @@ public class OfficeReadPlatformServiceImpl implements OfficeReadPlatformService
if(searchParameters!=null) {
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append("order by ").append(searchParameters.getOrderBy());
-
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());
}
} else {
sqlBuilder.append("order by o.hierarchy");
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/AccountTransfersReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/AccountTransfersReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/AccountTransfersReadPlatformServiceImpl.java
index 08af091..ebe5eb7 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/AccountTransfersReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/AccountTransfersReadPlatformServiceImpl.java
@@ -33,6 +33,7 @@ import org.apache.fineract.infrastructure.core.service.Page;
import org.apache.fineract.infrastructure.core.service.PaginationHelper;
import org.apache.fineract.infrastructure.core.service.RoutingDataSource;
import org.apache.fineract.infrastructure.core.service.SearchParameters;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.apache.fineract.organisation.monetary.data.CurrencyData;
import org.apache.fineract.organisation.office.data.OfficeData;
import org.apache.fineract.organisation.office.service.OfficeReadPlatformService;
@@ -62,6 +63,7 @@ public class AccountTransfersReadPlatformServiceImpl implements
private final ClientReadPlatformService clientReadPlatformService;
private final OfficeReadPlatformService officeReadPlatformService;
private final PortfolioAccountReadPlatformService portfolioAccountReadPlatformService;
+ private final ColumnValidator columnValidator;
// mapper
private final AccountTransfersMapper accountTransfersMapper;
@@ -76,11 +78,13 @@ public class AccountTransfersReadPlatformServiceImpl implements
final RoutingDataSource dataSource,
final ClientReadPlatformService clientReadPlatformService,
final OfficeReadPlatformService officeReadPlatformService,
- final PortfolioAccountReadPlatformService portfolioAccountReadPlatformService) {
+ final PortfolioAccountReadPlatformService portfolioAccountReadPlatformService,
+ final ColumnValidator columnValidator) {
this.jdbcTemplate = new JdbcTemplate(dataSource);
this.clientReadPlatformService = clientReadPlatformService;
this.officeReadPlatformService = officeReadPlatformService;
this.portfolioAccountReadPlatformService = portfolioAccountReadPlatformService;
+ this.columnValidator = columnValidator;
this.accountTransfersMapper = new AccountTransfersMapper();
}
@@ -259,9 +263,10 @@ public class AccountTransfersReadPlatformServiceImpl implements
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(
searchParameters.getOrderBy());
-
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());
}
}
@@ -514,10 +519,11 @@ public class AccountTransfersReadPlatformServiceImpl implements
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(
searchParameters.getOrderBy());
-
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(
searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());
}
}
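Review bot: This block is a line-for-line repeat of the order-by handling in the earlier hunk of the same class, and the commit had to patch both copies; a private helper such as `appendValidatedOrderBy(final StringBuilder sqlBuilder, final SearchParameters searchParameters)` that appends and validates both the order-by column and the sort direction would leave one place to fix the next time the check changes. That helper would also be the natural home for a strict `ASC`/`DESC` allow-list on `getSortOrder()`, which is a tighter check than the column validator for a two-valued token. The enclosing method continues outside this hunk.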
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionHistoryReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionHistoryReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionHistoryReadPlatformServiceImpl.java
index d0df176..0307b47 100755
--- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionHistoryReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionHistoryReadPlatformServiceImpl.java
@@ -34,6 +34,7 @@ import org.apache.fineract.infrastructure.core.service.Page;
import org.apache.fineract.infrastructure.core.service.PaginationHelper;
import org.apache.fineract.infrastructure.core.service.RoutingDataSource;
import org.apache.fineract.infrastructure.core.service.SearchParameters;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.apache.fineract.organisation.office.data.OfficeData;
import org.apache.fineract.portfolio.account.PortfolioAccountType;
import org.apache.fineract.portfolio.account.data.PortfolioAccountData;
@@ -50,6 +51,7 @@ import org.springframework.stereotype.Service;
public class StandingInstructionHistoryReadPlatformServiceImpl implements StandingInstructionHistoryReadPlatformService {
private final JdbcTemplate jdbcTemplate;
+ private final ColumnValidator columnValidator;
// mapper
private final StandingInstructionHistoryMapper standingInstructionHistoryMapper;
@@ -58,9 +60,11 @@ public class StandingInstructionHistoryReadPlatformServiceImpl implements Standi
private final PaginationHelper<StandingInstructionHistoryData> paginationHelper = new PaginationHelper<>();
@Autowired
- public StandingInstructionHistoryReadPlatformServiceImpl(final RoutingDataSource dataSource) {
+ public StandingInstructionHistoryReadPlatformServiceImpl(final RoutingDataSource dataSource,
+ final ColumnValidator columnValidator) {
this.jdbcTemplate = new JdbcTemplate(dataSource);
this.standingInstructionHistoryMapper = new StandingInstructionHistoryMapper();
+ this.columnValidator = columnValidator;
}
@Override
@@ -139,9 +143,10 @@ public class StandingInstructionHistoryReadPlatformServiceImpl implements Standi
final SearchParameters searchParameters = standingInstructionDTO.searchParameters();
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy());
-
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());
}
}
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionReadPlatformServiceImpl.java
index 9c35c4f..b5b9f22 100755
--- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionReadPlatformServiceImpl.java
@@ -40,6 +40,7 @@ import org.apache.fineract.infrastructure.core.service.Page;
import org.apache.fineract.infrastructure.core.service.PaginationHelper;
import org.apache.fineract.infrastructure.core.service.RoutingDataSource;
import org.apache.fineract.infrastructure.core.service.SearchParameters;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.apache.fineract.organisation.office.data.OfficeData;
import org.apache.fineract.organisation.office.service.OfficeReadPlatformService;
import org.apache.fineract.portfolio.account.PortfolioAccountType;
@@ -71,6 +72,7 @@ import org.springframework.util.CollectionUtils;
public class StandingInstructionReadPlatformServiceImpl implements StandingInstructionReadPlatformService {
private final JdbcTemplate jdbcTemplate;
+ private final ColumnValidator columnValidator;
private final ClientReadPlatformService clientReadPlatformService;
private final OfficeReadPlatformService officeReadPlatformService;
private final PortfolioAccountReadPlatformService portfolioAccountReadPlatformService;
@@ -86,13 +88,15 @@ public class StandingInstructionReadPlatformServiceImpl implements StandingInstr
public StandingInstructionReadPlatformServiceImpl(final RoutingDataSource dataSource,
final ClientReadPlatformService clientReadPlatformService, final OfficeReadPlatformService officeReadPlatformService,
final PortfolioAccountReadPlatformService portfolioAccountReadPlatformService,
- final DropdownReadPlatformService dropdownReadPlatformService) {
+ final DropdownReadPlatformService dropdownReadPlatformService,
+ final ColumnValidator columnValidator) {
this.jdbcTemplate = new JdbcTemplate(dataSource);
this.clientReadPlatformService = clientReadPlatformService;
this.officeReadPlatformService = officeReadPlatformService;
this.portfolioAccountReadPlatformService = portfolioAccountReadPlatformService;
this.dropdownReadPlatformService = dropdownReadPlatformService;
this.standingInstructionMapper = new StandingInstructionMapper();
+ this.columnValidator = columnValidator;
}
@Override
@@ -309,9 +313,10 @@ public class StandingInstructionReadPlatformServiceImpl implements StandingInstr
final SearchParameters searchParameters = standingInstructionDTO.searchParameters();
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy());
-
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());
}
}
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/client/service/ClientReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/client/service/ClientReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/client/service/ClientReadPlatformServiceImpl.java
index ede17f6..4b1313b 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/client/service/ClientReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/client/service/ClientReadPlatformServiceImpl.java
@@ -204,9 +204,10 @@ public class ClientReadPlatformServiceImpl implements ClientReadPlatformService
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy());
-
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());
}
}
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/CenterReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/CenterReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/CenterReadPlatformServiceImpl.java
index 38823fb..0b75d75 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/CenterReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/CenterReadPlatformServiceImpl.java
@@ -393,6 +393,9 @@ public class CenterReadPlatformServiceImpl implements CenterReadPlatformService
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy()).append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy(),
+ searchParameters.getSortOrder());
+
}
if (searchParameters.isLimited()) {
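Review bot: getSortOrder() is passed to validateSqlInjection without the isSortOrderProvided() guard the other files in this commit use, so when no sort order was supplied the validator receives whatever getSortOrder() returns here, possibly null; whether ColumnValidator tolerates a null element among its varargs is not visible in this hunk and is worth confirming. The same unguarded call appears in the second CenterReadPlatformServiceImpl hunk and in the first GroupReadPlatformServiceImpl hunk. The pre-existing unconditional append of the sort order is outside the scope of this commit, but a comment such as `// sort order is appended unconditionally here; validator must accept a missing value` would make the assumption explicit. The enclosing method starts and ends outside this hunk.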
@@ -431,6 +434,8 @@ public class CenterReadPlatformServiceImpl implements CenterReadPlatformService
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy()).append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy(),
+ searchParameters.getSortOrder());
}
if (searchParameters.isLimited()) {
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/GroupReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/GroupReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/GroupReadPlatformServiceImpl.java
index 2caf668..72f044c 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/GroupReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/GroupReadPlatformServiceImpl.java
@@ -162,6 +162,8 @@ public class GroupReadPlatformServiceImpl implements GroupReadPlatformService {
if (parameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy()).append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy(),
+ searchParameters.getSortOrder());
}
if (parameters.isLimited()) {
@@ -198,10 +200,12 @@ public class GroupReadPlatformServiceImpl implements GroupReadPlatformService {
if (parameters!=null) {
if (parameters.isOrderByRequested()) {
sqlBuilder.append(parameters.orderBySql());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), parameters.orderBySql());
}
if (parameters.isLimited()) {
sqlBuilder.append(parameters.limitSql());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), parameters.limitSql());
}
}
return this.jdbcTemplate.query(sqlBuilder.toString(), this.allGroupTypesDataMapper, paramList.toArray());
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/loanaccount/service/LoanReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/loanaccount/service/LoanReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/loanaccount/service/LoanReadPlatformServiceImpl.java
index 4fc15ad..0fcacf6 100755
--- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/loanaccount/service/LoanReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/loanaccount/service/LoanReadPlatformServiceImpl.java
@@ -330,9 +330,11 @@ public class LoanReadPlatformServiceImpl implements LoanReadPlatformService {
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());
}
}
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/DepositAccountOnHoldTransactionReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/DepositAccountOnHoldTransactionReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/DepositAccountOnHoldTransactionReadPlatformServiceImpl.java
index 9be2258..2677bd2 100755
--- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/DepositAccountOnHoldTransactionReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/DepositAccountOnHoldTransactionReadPlatformServiceImpl.java
@@ -30,6 +30,7 @@ import org.apache.fineract.infrastructure.core.service.Page;
import org.apache.fineract.infrastructure.core.service.PaginationHelper;
import org.apache.fineract.infrastructure.core.service.RoutingDataSource;
import org.apache.fineract.infrastructure.core.service.SearchParameters;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.apache.fineract.portfolio.savings.data.DepositAccountOnHoldTransactionData;
import org.joda.time.LocalDate;
import org.springframework.beans.factory.annotation.Autowired;
@@ -41,13 +42,16 @@ import org.springframework.stereotype.Service;
public class DepositAccountOnHoldTransactionReadPlatformServiceImpl implements DepositAccountOnHoldTransactionReadPlatformService {
private final JdbcTemplate jdbcTemplate;
+ private final ColumnValidator columnValidator;
private final PaginationHelper<DepositAccountOnHoldTransactionData> paginationHelper = new PaginationHelper<>();
private final DepositAccountOnHoldTransactionsMapper mapper;
@Autowired
- public DepositAccountOnHoldTransactionReadPlatformServiceImpl(final RoutingDataSource dataSource) {
+ public DepositAccountOnHoldTransactionReadPlatformServiceImpl(final RoutingDataSource dataSource,
+ final ColumnValidator columnValidator) {
this.jdbcTemplate = new JdbcTemplate(dataSource);
mapper = new DepositAccountOnHoldTransactionsMapper();
+ this.columnValidator = columnValidator;
}
@Override
@@ -66,9 +70,11 @@ public class DepositAccountOnHoldTransactionReadPlatformServiceImpl implements D
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());
}
}
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/SavingsAccountReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/SavingsAccountReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/SavingsAccountReadPlatformServiceImpl.java
index c728ca3..6bb4fd1 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/SavingsAccountReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/SavingsAccountReadPlatformServiceImpl.java
@@ -198,9 +198,11 @@ public class SavingsAccountReadPlatformServiceImpl implements SavingsAccountRead
}
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy());
-
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
+
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());
}
}
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareaccounts/service/ShareAccountDividendReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareaccounts/service/ShareAccountDividendReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareaccounts/service/ShareAccountDividendReadPlatformServiceImpl.java
index 1be1eac..440d2f0 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareaccounts/service/ShareAccountDividendReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareaccounts/service/ShareAccountDividendReadPlatformServiceImpl.java
@@ -31,8 +31,9 @@ import org.apache.fineract.infrastructure.core.service.Page;
import org.apache.fineract.infrastructure.core.service.PaginationHelper;
import org.apache.fineract.infrastructure.core.service.RoutingDataSource;
import org.apache.fineract.infrastructure.core.service.SearchParameters;
-import org.apache.fineract.portfolio.shareaccounts.data.ShareAccountDividendData;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.apache.fineract.portfolio.shareaccounts.data.ShareAccountData;
+import org.apache.fineract.portfolio.shareaccounts.data.ShareAccountDividendData;
import org.apache.fineract.portfolio.shareaccounts.domain.ShareAccountDividendStatusType;
import org.apache.fineract.portfolio.shareproducts.domain.ShareProductDividendStatusType;
import org.springframework.beans.factory.annotation.Autowired;
@@ -44,11 +45,14 @@ import org.springframework.stereotype.Service;
public class ShareAccountDividendReadPlatformServiceImpl implements ShareAccountDividendReadPlatformService {
private final JdbcTemplate jdbcTemplate;
+ private final ColumnValidator columnValidator;
private final PaginationHelper<ShareAccountDividendData> paginationHelper = new PaginationHelper<>();
@Autowired
- public ShareAccountDividendReadPlatformServiceImpl(final RoutingDataSource dataSource) {
+ public ShareAccountDividendReadPlatformServiceImpl(final RoutingDataSource dataSource,
+ final ColumnValidator columnValidator) {
this.jdbcTemplate = new JdbcTemplate(dataSource);
+ this.columnValidator = columnValidator;
}
@Override
@@ -80,9 +84,12 @@ public class ShareAccountDividendReadPlatformServiceImpl implements ShareAccount
}
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());
+
}
}
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareproducts/service/ShareProductDividendReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareproducts/service/ShareProductDividendReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareproducts/service/ShareProductDividendReadPlatformServiceImpl.java
index 6760ef9..afb9b9b 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareproducts/service/ShareProductDividendReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareproducts/service/ShareProductDividendReadPlatformServiceImpl.java
@@ -31,10 +31,11 @@ import org.apache.fineract.infrastructure.core.service.Page;
import org.apache.fineract.infrastructure.core.service.PaginationHelper;
import org.apache.fineract.infrastructure.core.service.RoutingDataSource;
import org.apache.fineract.infrastructure.core.service.SearchParameters;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.apache.fineract.portfolio.shareaccounts.data.ShareAccountDividendData;
import org.apache.fineract.portfolio.shareaccounts.service.SharesEnumerations;
-import org.apache.fineract.portfolio.shareproducts.data.ShareProductDividendPayOutData;
import org.apache.fineract.portfolio.shareproducts.data.ShareProductData;
+import org.apache.fineract.portfolio.shareproducts.data.ShareProductDividendPayOutData;
import org.joda.time.LocalDate;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.jdbc.core.JdbcTemplate;
@@ -45,11 +46,14 @@ import org.springframework.stereotype.Service;
public class ShareProductDividendReadPlatformServiceImpl implements ShareProductDividendReadPlatformService {
private final JdbcTemplate jdbcTemplate;
+ private final ColumnValidator columnValidator;
private final PaginationHelper<ShareProductDividendPayOutData> paginationHelper = new PaginationHelper<>();
@Autowired
- public ShareProductDividendReadPlatformServiceImpl(final RoutingDataSource dataSource) {
+ public ShareProductDividendReadPlatformServiceImpl(final RoutingDataSource dataSource,
+ final ColumnValidator columnValidator) {
this.jdbcTemplate = new JdbcTemplate(dataSource);
+ this.columnValidator = columnValidator;
}
@Override
@@ -68,9 +72,11 @@ public class ShareProductDividendReadPlatformServiceImpl implements ShareProduct
}
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy());
-
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
+
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());
}
}
[03/10] fineract git commit: FINERACT-590
Posted by av...@apache.org.
FINERACT-590
Project: http://git-wip-us.apache.org/repos/asf/fineract/repo
Commit: http://git-wip-us.apache.org/repos/asf/fineract/commit/8e7bd01e
Tree: http://git-wip-us.apache.org/repos/asf/fineract/tree/8e7bd01e
Diff: http://git-wip-us.apache.org/repos/asf/fineract/diff/8e7bd01e
Branch: refs/heads/1.1.0
Commit: 8e7bd01ed46021d09a80b1a427cf7e65564d26d1
Parents: 1d38bd2
Author: conradsp <sc...@gmail.com>
Authored: Sat Feb 3 14:29:02 2018 -0600
Committer: conradsp <sc...@gmail.com>
Committed: Sat Feb 3 14:29:02 2018 -0600
----------------------------------------------------------------------
.../portfolio/client/domain/AccountNumberGenerator.java | 5 +++++
1 file changed, 5 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/fineract/blob/8e7bd01e/fineract-provider/src/main/java/org/apache/fineract/portfolio/client/domain/AccountNumberGenerator.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/client/domain/AccountNumberGenerator.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/client/domain/AccountNumberGenerator.java
index e977114..3d2deb1 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/client/domain/AccountNumberGenerator.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/client/domain/AccountNumberGenerator.java
@@ -108,6 +108,11 @@ public class AccountNumberGenerator {
break;
}
+
+ // FINERACT-590
+ // Because account_no is limited to 20 chars, we can only use the first 10 chars of prefix - trim if necessary
+ prefix = prefix.substring(0, Math.min(prefix.length(), 10));
+
accountNumber = StringUtils.overlay(accountNumber, prefix, 0, 0);
}
return accountNumber;
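Review bot: The new substring line dereferences prefix unconditionally, so a null prefix throws NullPointerException at this point; commit e3ce5f3a later in this series adds the null guard, so what remains to raise is the magic number. The limit 10, and the 20-char account_no limit the comment ties it to, are both hard-coded; a named constant such as `private static final int MAX_PREFIX_LENGTH = 10; // account_no column is limited to 20 chars` with `prefix = prefix.substring(0, Math.min(prefix.length(), MAX_PREFIX_LENGTH));` documents why the truncation exists and gives the integration test one value to reuse. The enclosing method starts before this hunk.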
[05/10] fineract git commit: Merge branch
'i601-create-cashier-teller-end-date' into develop
Posted by av...@apache.org.
Merge branch 'i601-create-cashier-teller-end-date' into develop
Project: http://git-wip-us.apache.org/repos/asf/fineract/repo
Commit: http://git-wip-us.apache.org/repos/asf/fineract/commit/8ac54855
Tree: http://git-wip-us.apache.org/repos/asf/fineract/tree/8ac54855
Diff: http://git-wip-us.apache.org/repos/asf/fineract/diff/8ac54855
Branch: refs/heads/1.1.0
Commit: 8ac5485544833f5ca31ce1d72466451f6b098735
Parents: 8e7bd01 e13616b
Author: Terence Denzil Monteiro <te...@sanjosesolutions.in>
Authored: Tue Feb 6 21:45:03 2018 +0530
Committer: Terence Denzil Monteiro <te...@sanjosesolutions.in>
Committed: Tue Feb 6 21:45:03 2018 +0530
----------------------------------------------------------------------
.../teller/data/CashierTransactionDataValidator.java | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
[06/10] fineract git commit: handling null pointer exception and
updating integration tests for changes made as a part of FINERACT-590
Posted by av...@apache.org.
handling null pointer exception and updating integration tests for changes made as a part of FINERACT-590
Project: http://git-wip-us.apache.org/repos/asf/fineract/repo
Commit: http://git-wip-us.apache.org/repos/asf/fineract/commit/e3ce5f3a
Tree: http://git-wip-us.apache.org/repos/asf/fineract/tree/e3ce5f3a
Diff: http://git-wip-us.apache.org/repos/asf/fineract/diff/e3ce5f3a
Branch: refs/heads/1.1.0
Commit: e3ce5f3ae054ae2a4194184d6438622bb865a7f7
Parents: 8ac5485
Author: Vishwas Babu A J <vi...@confluxtechnologies.com>
Authored: Fri Feb 9 18:02:56 2018 -0800
Committer: Vishwas Babu A J <vi...@confluxtechnologies.com>
Committed: Fri Feb 9 18:02:56 2018 -0800
----------------------------------------------------------------------
.../fineract/integrationtests/AccountNumberPreferencesTest.java | 3 ++-
.../fineract/portfolio/client/domain/AccountNumberGenerator.java | 4 +++-
2 files changed, 5 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/fineract/blob/e3ce5f3a/fineract-provider/src/integrationTest/java/org/apache/fineract/integrationtests/AccountNumberPreferencesTest.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/integrationTest/java/org/apache/fineract/integrationtests/AccountNumberPreferencesTest.java b/fineract-provider/src/integrationTest/java/org/apache/fineract/integrationtests/AccountNumberPreferencesTest.java
index 97c3fac..12830cd 100644
--- a/fineract-provider/src/integrationTest/java/org/apache/fineract/integrationtests/AccountNumberPreferencesTest.java
+++ b/fineract-provider/src/integrationTest/java/org/apache/fineract/integrationtests/AccountNumberPreferencesTest.java
@@ -373,8 +373,9 @@ public class AccountNumberPreferencesTest {
}
}
- private void validateAccountNumberLengthAndStartsWithPrefix(final String accountNumber, final String prefix) {
+ private void validateAccountNumberLengthAndStartsWithPrefix(final String accountNumber, String prefix) {
if (prefix != null) {
+ prefix = prefix.substring(0, Math.min(prefix.length(), 10));
Assert.assertEquals(accountNumber.length(), prefix.length() + 9);
Assert.assertTrue(accountNumber.startsWith(prefix));
} else {
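Review bot: Dropping final from the prefix parameter so it can be reassigned obscures what the helper is checking; a local such as `final String expectedPrefix = prefix.substring(0, Math.min(prefix.length(), 10));` used in both assertions keeps the parameter immutable and names the truncation. The literal 10 duplicates the limit in AccountNumberGenerator and will drift silently if either side changes, so a shared constant or a comment pointing at the generator would help. The enclosing method ends outside this hunk.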
http://git-wip-us.apache.org/repos/asf/fineract/blob/e3ce5f3a/fineract-provider/src/main/java/org/apache/fineract/portfolio/client/domain/AccountNumberGenerator.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/client/domain/AccountNumberGenerator.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/client/domain/AccountNumberGenerator.java
index 3d2deb1..8feff41 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/client/domain/AccountNumberGenerator.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/client/domain/AccountNumberGenerator.java
@@ -111,7 +111,9 @@ public class AccountNumberGenerator {
// FINERACT-590
// Because account_no is limited to 20 chars, we can only use the first 10 chars of prefix - trim if necessary
- prefix = prefix.substring(0, Math.min(prefix.length(), 10));
+ if (prefix != null) {
+ prefix = prefix.substring(0, Math.min(prefix.length(), 10));
+ }
accountNumber = StringUtils.overlay(accountNumber, prefix, 0, 0);
}
[07/10] fineract git commit: For a triggered SMS message,
check if notification flag is set. If so, send to GCM service.
Posted by av...@apache.org.
For a triggered SMS message, check if notification flag is set. If so, send to GCM service.
Project: http://git-wip-us.apache.org/repos/asf/fineract/repo
Commit: http://git-wip-us.apache.org/repos/asf/fineract/commit/e2ae145a
Tree: http://git-wip-us.apache.org/repos/asf/fineract/tree/e2ae145a
Diff: http://git-wip-us.apache.org/repos/asf/fineract/diff/e2ae145a
Branch: refs/heads/1.1.0
Commit: e2ae145a11a7a5232c2750b9479e8e855fbd2202
Parents: e3ce5f3
Author: conradsp <sc...@gmail.com>
Authored: Thu Feb 15 20:55:31 2018 -0600
Committer: conradsp <sc...@gmail.com>
Committed: Fri Feb 16 08:26:25 2018 -0600
----------------------------------------------------------------------
.../SmsMessageScheduledJobServiceImpl.java | 33 +++++++++++++++-----
1 file changed, 25 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/fineract/blob/e2ae145a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/sms/scheduler/SmsMessageScheduledJobServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/sms/scheduler/SmsMessageScheduledJobServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/sms/scheduler/SmsMessageScheduledJobServiceImpl.java
index e2e998a..092a243 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/sms/scheduler/SmsMessageScheduledJobServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/sms/scheduler/SmsMessageScheduledJobServiceImpl.java
@@ -194,21 +194,38 @@ public class SmsMessageScheduledJobServiceImpl implements SmsMessageScheduledJob
public void sendTriggeredMessages(Map<SmsCampaign, Collection<SmsMessage>> smsDataMap) {
try {
if (!smsDataMap.isEmpty()) {
+ List<SmsMessage> toSaveMessages = new ArrayList<>() ;
+ List<SmsMessage> toSendNotificationMessages = new ArrayList<>() ;
for (Entry<SmsCampaign, Collection<SmsMessage>> entry : smsDataMap.entrySet()) {
Iterator<SmsMessage> smsMessageIterator = entry.getValue().iterator();
Collection<SmsMessageApiQueueResourceData> apiQueueResourceDatas = new ArrayList<>();
StringBuilder request = new StringBuilder();
while (smsMessageIterator.hasNext()) {
SmsMessage smsMessage = smsMessageIterator.next();
- SmsMessageApiQueueResourceData apiQueueResourceData = SmsMessageApiQueueResourceData.instance(smsMessage.getId(),
- null, null, null, smsMessage.getMobileNo(), smsMessage.getMessage(), entry.getKey().getProviderId());
- apiQueueResourceDatas.add(apiQueueResourceData);
- smsMessage.setStatusType(SmsMessageStatusType.WAITING_FOR_DELIVERY_REPORT.getValue());
+ if(smsMessage.isNotification()){
+ smsMessage.setStatusType(SmsMessageStatusType.WAITING_FOR_DELIVERY_REPORT.getValue());
+ toSendNotificationMessages.add(smsMessage);
+ }else {
+ SmsMessageApiQueueResourceData apiQueueResourceData = SmsMessageApiQueueResourceData.instance(smsMessage.getId(),
+ null, null, null, smsMessage.getMobileNo(), smsMessage.getMessage(), entry.getKey().getProviderId());
+ apiQueueResourceDatas.add(apiQueueResourceData);
+ smsMessage.setStatusType(SmsMessageStatusType.WAITING_FOR_DELIVERY_REPORT.getValue());
+ toSaveMessages.add(smsMessage) ;
+ }
+ }
+ if(toSaveMessages.size()>0){
+ this.smsMessageRepository.save(toSaveMessages);
+ this.smsMessageRepository.flush();
+ //this.smsMessageRepository.save(entry.getValue());
+ //request.append(SmsMessageApiQueueResourceData.toJsonString(apiQueueResourceDatas));
+ //logger.info("Sending triggered SMS with request - " + request.toString());
+ this.triggeredExecutorService.execute(new SmsTask(ThreadLocalContextUtil.getTenant(), apiQueueResourceDatas));
}
- this.smsMessageRepository.save(entry.getValue()) ;
- request.append(SmsMessageApiQueueResourceData.toJsonString(apiQueueResourceDatas));
- logger.info("Sending triggered SMS with request - " + request.toString());
- this.triggeredExecutorService.execute(new SmsTask(ThreadLocalContextUtil.getTenant(), apiQueueResourceDatas));
+ if(!toSendNotificationMessages.isEmpty()){
+ this.notificationSenderService.sendNotification(toSendNotificationMessages);
+ }
+
+
}
}
} catch (Exception e) {
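Review bot: `toSaveMessages` and `toSendNotificationMessages` are declared before the `for` over `smsDataMap.entrySet()` but are saved, dispatched and sent inside it, so with more than one campaign the accumulated messages of earlier entries are saved again, run through a fresh `SmsTask` (possibly with an empty `apiQueueResourceDatas`) and passed to `sendNotification` once more for every later entry, i.e. duplicate pushes. Moving the two `new ArrayList<>()` declarations inside the loop next to `apiQueueResourceDatas` (or moving the save/send block after the loop) keeps each batch per campaign. Notification messages are set to `WAITING_FOR_DELIVERY_REPORT` but are not added to `toSaveMessages`, so that status change is only persisted if `sendNotification` saves them, which is not visible here and worth confirming. `StringBuilder request` is now unused and can be dropped together with the commented-out lines. `sendTriggeredMessages` continues outside the hunk.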
[02/10] fineract git commit: fixes for CVE-2018-1289
Posted by av...@apache.org.
fixes for CVE-2018-1289
Project: http://git-wip-us.apache.org/repos/asf/fineract/repo
Commit: http://git-wip-us.apache.org/repos/asf/fineract/commit/1d38bd25
Tree: http://git-wip-us.apache.org/repos/asf/fineract/tree/1d38bd25
Diff: http://git-wip-us.apache.org/repos/asf/fineract/diff/1d38bd25
Branch: refs/heads/1.1.0
Commit: 1d38bd25d0b90e6260b9d24d37d77bc50055b8bb
Parents: 17fd243 e7035d1
Author: Vishwas Babu A J <vi...@confluxtechnologies.com>
Authored: Fri Feb 2 15:36:07 2018 -0800
Committer: Vishwas Babu A J <vi...@confluxtechnologies.com>
Committed: Fri Feb 2 15:36:07 2018 -0800
----------------------------------------------------------------------
.../JournalEntryReadPlatformServiceImpl.java | 11 +++++--
.../service/AuditReadPlatformServiceImpl.java | 2 ++
.../SchedulerJobRunnerReadServiceImpl.java | 9 ++++--
...ReportMailingJobReadPlatformServiceImpl.java | 9 ++++--
...ingJobRunHistoryReadPlatformServiceImpl.java | 9 ++++--
.../security/utils/ColumnValidator.java | 30 +++++++++++---------
.../security/utils/SQLInjectionValidator.java | 2 +-
.../sms/service/SmsReadPlatformServiceImpl.java | 9 ++++--
.../NotificationReadPlatformServiceImpl.java | 26 +++++++++++------
.../service/OfficeReadPlatformServiceImpl.java | 10 +++++--
...AccountTransfersReadPlatformServiceImpl.java | 12 ++++++--
...structionHistoryReadPlatformServiceImpl.java | 9 ++++--
...ndingInstructionReadPlatformServiceImpl.java | 9 ++++--
.../service/ClientReadPlatformServiceImpl.java | 3 +-
.../service/CenterReadPlatformServiceImpl.java | 5 ++++
.../service/GroupReadPlatformServiceImpl.java | 4 +++
.../service/LoanReadPlatformServiceImpl.java | 2 ++
...nHoldTransactionReadPlatformServiceImpl.java | 8 +++++-
.../SavingsAccountReadPlatformServiceImpl.java | 4 ++-
...eAccountDividendReadPlatformServiceImpl.java | 11 +++++--
...eProductDividendReadPlatformServiceImpl.java | 12 ++++++--
21 files changed, 146 insertions(+), 50 deletions(-)
----------------------------------------------------------------------
[10/10] fineract git commit: Merge branch 'injection' into develop
Posted by av...@apache.org.
Merge branch 'injection' into develop
Project: http://git-wip-us.apache.org/repos/asf/fineract/repo
Commit: http://git-wip-us.apache.org/repos/asf/fineract/commit/d2b34115
Tree: http://git-wip-us.apache.org/repos/asf/fineract/tree/d2b34115
Diff: http://git-wip-us.apache.org/repos/asf/fineract/diff/d2b34115
Branch: refs/heads/1.1.0
Commit: d2b341159c2b8bc27a16212ebe326dd7bdc4566f
Parents: f28aadf 8c60476
Author: Avik Ganguly <av...@gmail.com>
Authored: Mon Mar 5 06:38:31 2018 +0530
Committer: Avik Ganguly <av...@gmail.com>
Committed: Mon Mar 5 06:38:31 2018 +0530
----------------------------------------------------------------------
.../infrastructure/core/api/ApiParameterHelper.java | 4 ++++
.../dataqueries/service/ReadReportingServiceImpl.java | 9 +++++++--
.../service/ReadWriteNonCoreDataServiceImpl.java | 7 ++++++-
3 files changed, 17 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
[09/10] fineract git commit: CVE-2018-1290-1291-1292
Posted by av...@apache.org.
CVE-2018-1290-1291-1292
Project: http://git-wip-us.apache.org/repos/asf/fineract/repo
Commit: http://git-wip-us.apache.org/repos/asf/fineract/commit/8c60476b
Tree: http://git-wip-us.apache.org/repos/asf/fineract/tree/8c60476b
Diff: http://git-wip-us.apache.org/repos/asf/fineract/diff/8c60476b
Branch: refs/heads/1.1.0
Commit: 8c60476bd1445674072b54cef9c4c1e91c3feaa1
Parents: f28aadf
Author: Avik Ganguly <av...@gmail.com>
Authored: Mon Mar 5 06:14:10 2018 +0530
Committer: Avik Ganguly <av...@gmail.com>
Committed: Mon Mar 5 06:14:10 2018 +0530
----------------------------------------------------------------------
.../infrastructure/core/api/ApiParameterHelper.java | 4 ++++
.../dataqueries/service/ReadReportingServiceImpl.java | 9 +++++++--
.../service/ReadWriteNonCoreDataServiceImpl.java | 7 ++++++-
3 files changed, 17 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/fineract/blob/8c60476b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/api/ApiParameterHelper.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/api/ApiParameterHelper.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/api/ApiParameterHelper.java
index 2828f5b..62ac666 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/api/ApiParameterHelper.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/api/ApiParameterHelper.java
@@ -18,6 +18,7 @@
*/
package org.apache.fineract.infrastructure.core.api;
+import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
@@ -30,6 +31,7 @@ import javax.ws.rs.core.MultivaluedMap;
import org.apache.commons.lang.StringUtils;
import org.apache.fineract.infrastructure.core.serialization.JsonParserHelper;
+import org.apache.fineract.infrastructure.security.utils.SQLInjectionValidator;
public class ApiParameterHelper {
@@ -166,8 +168,10 @@ public class ApiParameterHelper {
public static String sqlEncodeString(final String str) {
final String singleQuote = "'";
final String twoSingleQuotes = "''";
+ SQLInjectionValidator.validateSQLInput(str);
return singleQuote + StringUtils.replace(str, singleQuote, twoSingleQuotes, -1) + singleQuote;
}
+
public static Map<String, String> asMap(final MultivaluedMap<String, String> queryParameters) {
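Review bot: `sqlEncodeString` now rejects input via `SQLInjectionValidator.validateSQLInput(str)` but still returns a quoted literal for string-built SQL; a blocklist validator is a secondary control, so the method deserves a Javadoc line making the preferred path explicit, e.g. `/** Quotes {@code str} as a SQL string literal after rejecting suspicious input; prefer bound parameters ({@code ?}) wherever the query allows them. */`. It is not visible here whether `validateSQLInput` accepts `null`; `StringUtils.replace` returns `null` for a `null` input (yielding `'null'`), so callers that relied on that may now get an exception — confirm, or short-circuit on `null` before the call. The rest of the class is outside this hunk.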
http://git-wip-us.apache.org/repos/asf/fineract/blob/8c60476b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadReportingServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadReportingServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadReportingServiceImpl.java
index b7cd352..c732f0d 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadReportingServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadReportingServiceImpl.java
@@ -49,6 +49,7 @@ import org.apache.fineract.infrastructure.dataqueries.exception.ReportNotFoundEx
import org.apache.fineract.infrastructure.documentmanagement.contentrepository.FileSystemContentRepository;
import org.apache.fineract.infrastructure.report.provider.ReportingProcessServiceProvider;
import org.apache.fineract.infrastructure.security.service.PlatformSecurityContext;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.apache.fineract.useradministration.domain.AppUser;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -73,16 +74,19 @@ public class ReadReportingServiceImpl implements ReadReportingService {
private final PlatformSecurityContext context;
private final GenericDataService genericDataService;
private final ReportingProcessServiceProvider reportingProcessServiceProvider;
+ private final ColumnValidator columnValidator;
@Autowired
public ReadReportingServiceImpl(final PlatformSecurityContext context, final RoutingDataSource dataSource,
- final GenericDataService genericDataService, final ReportingProcessServiceProvider reportingProcessServiceProvider) {
+ final GenericDataService genericDataService, final ReportingProcessServiceProvider reportingProcessServiceProvider,
+ final ColumnValidator columnValidator) {
this.context = context;
this.dataSource = dataSource;
this.jdbcTemplate = new JdbcTemplate(this.dataSource);
this.genericDataService = genericDataService;
this.reportingProcessServiceProvider = reportingProcessServiceProvider;
+ this.columnValidator = columnValidator;
}
@Override
@@ -221,7 +225,8 @@ public class ReadReportingServiceImpl implements ReadReportingService {
public String getReportType(final String reportName) {
final String sql = "SELECT ifnull(report_type,'') as report_type FROM `stretchy_report` where report_name = '" + reportName + "'";
-
+ this.columnValidator.validateSqlInjection(sql, reportName);
+
final String sqlWrapped = this.genericDataService.wrapSQL(sql);
final SqlRowSet rs = this.jdbcTemplate.queryForRowSet(sqlWrapped);
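Review bot: `getReportType` still concatenates `reportName` into the `report_name = '...'` predicate and relies on `columnValidator.validateSqlInjection(sql, reportName)` to reject bad values; for a plain equality predicate a bound parameter removes the injection surface instead of filtering it. Change the literal to `where report_name = ?` and pass the value as `this.jdbcTemplate.queryForRowSet(sqlWrapped, reportName)`, keeping the validator call if other paths depend on it; whether `wrapSQL` preserves the `?` placeholder is not visible here and should be checked. The remainder of `getReportType` is outside the hunk.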
http://git-wip-us.apache.org/repos/asf/fineract/blob/8c60476b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadWriteNonCoreDataServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadWriteNonCoreDataServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadWriteNonCoreDataServiceImpl.java
index e5b7055..31fdfca 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadWriteNonCoreDataServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadWriteNonCoreDataServiceImpl.java
@@ -49,6 +49,7 @@ import org.apache.fineract.infrastructure.dataqueries.exception.DatatableEntryRe
import org.apache.fineract.infrastructure.dataqueries.exception.DatatableNotFoundException;
import org.apache.fineract.infrastructure.dataqueries.exception.DatatableSystemErrorException;
import org.apache.fineract.infrastructure.security.service.PlatformSecurityContext;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.apache.fineract.infrastructure.security.utils.SQLInjectionValidator;
import org.apache.fineract.useradministration.domain.AppUser;
import org.joda.time.LocalDate;
@@ -106,6 +107,7 @@ public class ReadWriteNonCoreDataServiceImpl implements ReadWriteNonCoreDataServ
private final ConfigurationDomainService configurationDomainService;
private final CodeReadPlatformService codeReadPlatformService;
private final DataTableValidator dataTableValidator;
+ private final ColumnValidator columnValidator;
// private final GlobalConfigurationWritePlatformServiceJpaRepositoryImpl
// configurationWriteService;
@@ -114,7 +116,8 @@ public class ReadWriteNonCoreDataServiceImpl implements ReadWriteNonCoreDataServ
public ReadWriteNonCoreDataServiceImpl(final RoutingDataSource dataSource, final PlatformSecurityContext context,
final FromJsonHelper fromJsonHelper, final GenericDataService genericDataService,
final DatatableCommandFromApiJsonDeserializer fromApiJsonDeserializer, final CodeReadPlatformService codeReadPlatformService,
- final ConfigurationDomainService configurationDomainService, final DataTableValidator dataTableValidator) {
+ final ConfigurationDomainService configurationDomainService, final DataTableValidator dataTableValidator,
+ final ColumnValidator columnValidator) {
this.dataSource = dataSource;
this.jdbcTemplate = new JdbcTemplate(this.dataSource);
this.context = context;
@@ -125,6 +128,7 @@ public class ReadWriteNonCoreDataServiceImpl implements ReadWriteNonCoreDataServ
this.codeReadPlatformService = codeReadPlatformService;
this.configurationDomainService = configurationDomainService;
this.dataTableValidator = dataTableValidator;
+ this.columnValidator = columnValidator;
// this.configurationWriteService = configurationWriteService;
}
@@ -1183,6 +1187,7 @@ public class ReadWriteNonCoreDataServiceImpl implements ReadWriteNonCoreDataServ
sql = sql + "select * from `" + dataTableName + "` where id = " + id;
}
+ this.columnValidator.validateSqlInjection(sql, order);
if (order != null) {
sql = sql + " order by " + order;
}
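Review bot: `this.columnValidator.validateSqlInjection(sql, order)` runs before the `if (order != null)` guard, so a request without an `order` parameter hands `null` to the validator; unless `validateSqlInjection` is documented to accept `null`, move the call inside the `if` block directly before `sql = sql + " order by " + order;`. An `ORDER BY` fragment cannot be bound as a parameter, so the effective control is an allow-list of the datatable's column names (plus sort direction); a one-line comment stating that this is what `validateSqlInjection` checks would make the intent clear, since the hunk does not show what the method verifies. `id` is also concatenated two lines above; if it is not already a numeric type it needs the same treatment. The enclosing method starts and ends outside the hunk.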
[08/10] fineract git commit: For a triggered SMS message,
check if notification flag is set. If so, send to GCM service.
Posted by av...@apache.org.
For a triggered SMS message, check if notification flag is set. If so, send to GCM service.
Project: http://git-wip-us.apache.org/repos/asf/fineract/repo
Commit: http://git-wip-us.apache.org/repos/asf/fineract/commit/f28aadf3
Tree: http://git-wip-us.apache.org/repos/asf/fineract/tree/f28aadf3
Diff: http://git-wip-us.apache.org/repos/asf/fineract/diff/f28aadf3
Branch: refs/heads/1.1.0
Commit: f28aadf3128f00f32d640a4bc194ed6f57558975
Parents: e2ae145
Author: conradsp <sc...@gmail.com>
Authored: Thu Feb 15 20:56:22 2018 -0600
Committer: conradsp <sc...@gmail.com>
Committed: Fri Feb 16 08:27:05 2018 -0600
----------------------------------------------------------------------
.../sms/scheduler/SmsMessageScheduledJobServiceImpl.java | 3 ---
1 file changed, 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/fineract/blob/f28aadf3/fineract-provider/src/main/java/org/apache/fineract/infrastructure/sms/scheduler/SmsMessageScheduledJobServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/sms/scheduler/SmsMessageScheduledJobServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/sms/scheduler/SmsMessageScheduledJobServiceImpl.java
index 092a243..4bb4d8f 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/sms/scheduler/SmsMessageScheduledJobServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/sms/scheduler/SmsMessageScheduledJobServiceImpl.java
@@ -216,9 +216,6 @@ public class SmsMessageScheduledJobServiceImpl implements SmsMessageScheduledJob
if(toSaveMessages.size()>0){
this.smsMessageRepository.save(toSaveMessages);
this.smsMessageRepository.flush();
- //this.smsMessageRepository.save(entry.getValue());
- //request.append(SmsMessageApiQueueResourceData.toJsonString(apiQueueResourceDatas));
- //logger.info("Sending triggered SMS with request - " + request.toString());
this.triggeredExecutorService.execute(new SmsTask(ThreadLocalContextUtil.getTenant(), apiQueueResourceDatas));
}
if(!toSendNotificationMessages.isEmpty()){
[04/10] fineract git commit: Only compare Teller and Cashier endDate
if its not null
Posted by av...@apache.org.
Only compare Teller and Cashier endDate if it's not null
Project: http://git-wip-us.apache.org/repos/asf/fineract/repo
Commit: http://git-wip-us.apache.org/repos/asf/fineract/commit/e13616b0
Tree: http://git-wip-us.apache.org/repos/asf/fineract/tree/e13616b0
Diff: http://git-wip-us.apache.org/repos/asf/fineract/diff/e13616b0
Branch: refs/heads/1.1.0
Commit: e13616b0e9c9232cd044bdf12bf41f225c76cbb3
Parents: 8e7bd01
Author: Terence Denzil Monteiro <te...@sanjosesolutions.in>
Authored: Tue Feb 6 20:42:32 2018 +0530
Committer: Terence Denzil Monteiro <te...@sanjosesolutions.in>
Committed: Tue Feb 6 20:42:32 2018 +0530
----------------------------------------------------------------------
.../teller/data/CashierTransactionDataValidator.java | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/fineract/blob/e13616b0/fineract-provider/src/main/java/org/apache/fineract/organisation/teller/data/CashierTransactionDataValidator.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/organisation/teller/data/CashierTransactionDataValidator.java b/fineract-provider/src/main/java/org/apache/fineract/organisation/teller/data/CashierTransactionDataValidator.java
index a0b897e..f36bd15 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/organisation/teller/data/CashierTransactionDataValidator.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/organisation/teller/data/CashierTransactionDataValidator.java
@@ -95,8 +95,9 @@ public class CashierTransactionDataValidator {
*/
if (fromDate.isBefore(tellerFromDate)
|| endDate.isBefore(tellerFromDate)
- || (tellerEndDate != null && fromDate.isAfter(tellerEndDate) || endDate
- .isAfter(tellerEndDate))) {
+ || (tellerEndDate != null &&
+ (fromDate.isAfter(tellerEndDate)
+ || endDate.isAfter(tellerEndDate)))) {
throw new CashierDateRangeOutOfTellerDateRangeException();
}
/**
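Review bot: Only `tellerEndDate` is null-guarded in the new condition; the cashier `endDate` is still dereferenced unguarded at `endDate.isBefore(tellerFromDate)` and `endDate.isAfter(tellerEndDate)`, so if the cashier end date can be absent, as the commit message suggests, the method throws `NullPointerException` instead of `CashierDateRangeOutOfTellerDateRangeException`. Either guard it the same way, `|| (endDate != null && endDate.isBefore(tellerFromDate))` and likewise in the inner disjunction, or add a comment above the `if` stating that `endDate` is required and validated earlier. The enclosing method starts and ends outside the hunk.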