Posted to commits@syncope.apache.org by il...@apache.org on 2013/12/20 09:33:43 UTC
svn commit: r1552532 - in
/syncope/trunk/core/src/main/java/org/apache/syncope/core/persistence/dao/impl:
AbstractDAOImpl.java ReportDAOImpl.java RoleDAOImpl.java TaskDAOImpl.java
Author: ilgrosso
Date: Fri Dec 20 08:33:42 2013
New Revision: 1552532
URL: http://svn.apache.org/r1552532
Log:
[SYNCOPE-349] More input sanitizing
Modified:
syncope/trunk/core/src/main/java/org/apache/syncope/core/persistence/dao/impl/AbstractDAOImpl.java
syncope/trunk/core/src/main/java/org/apache/syncope/core/persistence/dao/impl/ReportDAOImpl.java
syncope/trunk/core/src/main/java/org/apache/syncope/core/persistence/dao/impl/RoleDAOImpl.java
syncope/trunk/core/src/main/java/org/apache/syncope/core/persistence/dao/impl/TaskDAOImpl.java
Modified: syncope/trunk/core/src/main/java/org/apache/syncope/core/persistence/dao/impl/AbstractDAOImpl.java
URL: http://svn.apache.org/viewvc/syncope/trunk/core/src/main/java/org/apache/syncope/core/persistence/dao/impl/AbstractDAOImpl.java?rev=1552532&r1=1552531&r2=1552532&view=diff
==============================================================================
--- syncope/trunk/core/src/main/java/org/apache/syncope/core/persistence/dao/impl/AbstractDAOImpl.java (original)
+++ syncope/trunk/core/src/main/java/org/apache/syncope/core/persistence/dao/impl/AbstractDAOImpl.java Fri Dec 20 08:33:42 2013
@@ -33,6 +33,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Configurable;
import org.springframework.beans.factory.annotation.Value;
+import org.springframework.util.ReflectionUtils;
@Configurable
public abstract class AbstractDAOImpl implements DAO {
@@ -74,14 +75,19 @@ public abstract class AbstractDAOImpl im
}
}
- protected String toOrderByStatement(final String prefix, final List<OrderByClause> orderByClauses) {
+ protected String toOrderByStatement(final Class<? extends AbstractBaseBean> beanClass, final String prefix,
+ final List<OrderByClause> orderByClauses) {
+
StringBuilder statement = new StringBuilder();
for (OrderByClause clause : orderByClauses) {
- if (StringUtils.isNotBlank(prefix)) {
- statement.append(prefix).append('.');
+ String field = clause.getField().trim();
+ if (ReflectionUtils.findField(beanClass, field) != null) {
+ if (StringUtils.isNotBlank(prefix)) {
+ statement.append(prefix).append('.');
+ }
+ statement.append(field).append(' ').append(clause.getDirection().name());
}
- statement.append(clause.getField().trim()).append(' ').append(clause.getDirection().name());
}
if (statement.length() > 0) {
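Review bot: The new `ReflectionUtils.findField(beanClass, field) != null` guard accepts any declared field the helper locates, including static and `@Transient` members, so a sort on something like `serialVersionUID` still reaches the JPQL string and presumably fails inside `createQuery` instead of being dropped like other bad input; tightening it to `Field f = ReflectionUtils.findField(beanClass, field);` followed by `if (f != null && !Modifier.isStatic(f.getModifiers()) && !f.isAnnotationPresent(Transient.class)) {` (needs `java.lang.reflect.Modifier` and `javax.persistence.Transient`) would keep only persistent instance fields. The whitelist is sound because a Java field name cannot carry JPQL metacharacters, which is worth recording above the check: `// Only names of declared fields (searched up the class hierarchy) reach the ORDER BY; anything else is silently dropped.` Since rejected clauses vanish without any feedback, a caller that picks its default ordering from `orderByClauses.isEmpty()` (as TaskDAOImpl does) ends up with no ORDER BY at all when every clause is filtered, so checking the returned statement instead would be safer. toOrderByStatement continues past the end of the hunk.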
Modified: syncope/trunk/core/src/main/java/org/apache/syncope/core/persistence/dao/impl/ReportDAOImpl.java
URL: http://svn.apache.org/viewvc/syncope/trunk/core/src/main/java/org/apache/syncope/core/persistence/dao/impl/ReportDAOImpl.java?rev=1552532&r1=1552531&r2=1552532&view=diff
==============================================================================
--- syncope/trunk/core/src/main/java/org/apache/syncope/core/persistence/dao/impl/ReportDAOImpl.java (original)
+++ syncope/trunk/core/src/main/java/org/apache/syncope/core/persistence/dao/impl/ReportDAOImpl.java Fri Dec 20 08:33:42 2013
@@ -48,8 +48,8 @@ public class ReportDAOImpl extends Abstr
@Override
public List<Report> findAll(final int page, final int itemsPerPage, final List<OrderByClause> orderByClauses) {
final TypedQuery<Report> query = entityManager.createQuery(
- "SELECT e FROM " + Report.class.getSimpleName() + " e " + toOrderByStatement("e", orderByClauses),
- Report.class);
+ "SELECT e FROM " + Report.class.getSimpleName() + " e "
+ + toOrderByStatement(Report.class, "e", orderByClauses), Report.class);
query.setFirstResult(itemsPerPage * (page <= 0
? 0
Modified: syncope/trunk/core/src/main/java/org/apache/syncope/core/persistence/dao/impl/RoleDAOImpl.java
URL: http://svn.apache.org/viewvc/syncope/trunk/core/src/main/java/org/apache/syncope/core/persistence/dao/impl/RoleDAOImpl.java?rev=1552532&r1=1552531&r2=1552532&view=diff
==============================================================================
--- syncope/trunk/core/src/main/java/org/apache/syncope/core/persistence/dao/impl/RoleDAOImpl.java (original)
+++ syncope/trunk/core/src/main/java/org/apache/syncope/core/persistence/dao/impl/RoleDAOImpl.java Fri Dec 20 08:33:42 2013
@@ -284,8 +284,8 @@ public class RoleDAOImpl extends Abstrac
@Override
public List<SyncopeRole> findAll(final int page, final int itemsPerPage, final List<OrderByClause> orderBy) {
TypedQuery<SyncopeRole> query = entityManager.createQuery(
- "SELECT e FROM " + SyncopeRole.class.getSimpleName() + " e " + toOrderByStatement("e", orderBy),
- SyncopeRole.class);
+ "SELECT e FROM " + SyncopeRole.class.getSimpleName() + " e "
+ + toOrderByStatement(SyncopeRole.class, "e", orderBy), SyncopeRole.class);
query.setFirstResult(itemsPerPage * (page <= 0
? 0
Modified: syncope/trunk/core/src/main/java/org/apache/syncope/core/persistence/dao/impl/TaskDAOImpl.java
URL: http://svn.apache.org/viewvc/syncope/trunk/core/src/main/java/org/apache/syncope/core/persistence/dao/impl/TaskDAOImpl.java?rev=1552532&r1=1552531&r2=1552532&view=diff
==============================================================================
--- syncope/trunk/core/src/main/java/org/apache/syncope/core/persistence/dao/impl/TaskDAOImpl.java (original)
+++ syncope/trunk/core/src/main/java/org/apache/syncope/core/persistence/dao/impl/TaskDAOImpl.java Fri Dec 20 08:33:42 2013
@@ -105,7 +105,7 @@ public class TaskDAOImpl extends Abstrac
StringBuilder queryString = buildfindAllQuery(reference);
queryString.append(orderByClauses.isEmpty()
? "ORDER BY e.id DESC"
- : toOrderByStatement("e", orderByClauses));
+ : toOrderByStatement(reference, "e", orderByClauses));
final TypedQuery<T> query = entityManager.createQuery(queryString.toString(), reference);