Posted to commits@fineract.apache.org by av...@apache.org on 2018/03/05 01:09:18 UTC
[1/2] fineract git commit: CVE-2018-1290-1291-1292
Repository: fineract
Updated Branches:
refs/heads/develop f28aadf31 -> d2b341159
CVE-2018-1290-1291-1292
Project: http://git-wip-us.apache.org/repos/asf/fineract/repo
Commit: http://git-wip-us.apache.org/repos/asf/fineract/commit/8c60476b
Tree: http://git-wip-us.apache.org/repos/asf/fineract/tree/8c60476b
Diff: http://git-wip-us.apache.org/repos/asf/fineract/diff/8c60476b
Branch: refs/heads/develop
Commit: 8c60476bd1445674072b54cef9c4c1e91c3feaa1
Parents: f28aadf
Author: Avik Ganguly <av...@gmail.com>
Authored: Mon Mar 5 06:14:10 2018 +0530
Committer: Avik Ganguly <av...@gmail.com>
Committed: Mon Mar 5 06:14:10 2018 +0530
----------------------------------------------------------------------
.../infrastructure/core/api/ApiParameterHelper.java | 4 ++++
.../dataqueries/service/ReadReportingServiceImpl.java | 9 +++++++--
.../service/ReadWriteNonCoreDataServiceImpl.java | 7 ++++++-
3 files changed, 17 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/fineract/blob/8c60476b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/api/ApiParameterHelper.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/api/ApiParameterHelper.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/api/ApiParameterHelper.java
index 2828f5b..62ac666 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/api/ApiParameterHelper.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/api/ApiParameterHelper.java
@@ -18,6 +18,7 @@
*/
package org.apache.fineract.infrastructure.core.api;
+import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
@@ -30,6 +31,7 @@ import javax.ws.rs.core.MultivaluedMap;
import org.apache.commons.lang.StringUtils;
import org.apache.fineract.infrastructure.core.serialization.JsonParserHelper;
+import org.apache.fineract.infrastructure.security.utils.SQLInjectionValidator;
public class ApiParameterHelper {
@@ -166,8 +168,10 @@ public class ApiParameterHelper {
public static String sqlEncodeString(final String str) {
final String singleQuote = "'";
final String twoSingleQuotes = "''";
+ SQLInjectionValidator.validateSQLInput(str);
return singleQuote + StringUtils.replace(str, singleQuote, twoSingleQuotes, -1) + singleQuote;
}
+
public static Map<String, String> asMap(final MultivaluedMap<String, String> queryParameters) {
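Review bot: The added `SQLInjectionValidator.validateSQLInput(str);` runs a pattern check on the raw value, but `sqlEncodeString` still returns a quoted literal intended for string concatenation into SQL, so the validator sits in front of the unsafe construction rather than replacing it; callers should move to `?` placeholders on `JdbcTemplate`/`PreparedStatement` and treat this check as defence in depth. `StringUtils.replace` tolerates a null `str` (the original returned the literal `'null'`), whereas the behaviour of `validateSQLInput` on null is not visible here — worth confirming that the null path is either unchanged or deliberately rejected. A Javadoc line such as `/** Quotes {@code str} as a SQL string literal after rejecting values that fail {@link SQLInjectionValidator#validateSQLInput}; prefer bound parameters where possible. */` would make the intended contract explicit. The `java.util.ArrayList` import added in the first hunk appears to have no use in this commit and could be dropped.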
http://git-wip-us.apache.org/repos/asf/fineract/blob/8c60476b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadReportingServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadReportingServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadReportingServiceImpl.java
index b7cd352..c732f0d 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadReportingServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadReportingServiceImpl.java
@@ -49,6 +49,7 @@ import org.apache.fineract.infrastructure.dataqueries.exception.ReportNotFoundEx
import org.apache.fineract.infrastructure.documentmanagement.contentrepository.FileSystemContentRepository;
import org.apache.fineract.infrastructure.report.provider.ReportingProcessServiceProvider;
import org.apache.fineract.infrastructure.security.service.PlatformSecurityContext;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.apache.fineract.useradministration.domain.AppUser;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -73,16 +74,19 @@ public class ReadReportingServiceImpl implements ReadReportingService {
private final PlatformSecurityContext context;
private final GenericDataService genericDataService;
private final ReportingProcessServiceProvider reportingProcessServiceProvider;
+ private final ColumnValidator columnValidator;
@Autowired
public ReadReportingServiceImpl(final PlatformSecurityContext context, final RoutingDataSource dataSource,
- final GenericDataService genericDataService, final ReportingProcessServiceProvider reportingProcessServiceProvider) {
+ final GenericDataService genericDataService, final ReportingProcessServiceProvider reportingProcessServiceProvider,
+ final ColumnValidator columnValidator) {
this.context = context;
this.dataSource = dataSource;
this.jdbcTemplate = new JdbcTemplate(this.dataSource);
this.genericDataService = genericDataService;
this.reportingProcessServiceProvider = reportingProcessServiceProvider;
+ this.columnValidator = columnValidator;
}
@Override
@@ -221,7 +225,8 @@ public class ReadReportingServiceImpl implements ReadReportingService {
public String getReportType(final String reportName) {
final String sql = "SELECT ifnull(report_type,'') as report_type FROM `stretchy_report` where report_name = '" + reportName + "'";
-
+ this.columnValidator.validateSqlInjection(sql, reportName);
+
final String sqlWrapped = this.genericDataService.wrapSQL(sql);
final SqlRowSet rs = this.jdbcTemplate.queryForRowSet(sqlWrapped);
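Review bot: `this.columnValidator.validateSqlInjection(sql, reportName);` is invoked after `reportName` has already been concatenated into `sql` on the line above, so the query is still built by string interpolation and the protection rests entirely on the validator's pattern matching. Binding the value instead — replacing the `'" + reportName + "'` suffix with a `?` placeholder and passing `reportName` as an argument to `queryForRowSet` — would remove the injection surface rather than filter it; whether `genericDataService.wrapSQL` preserves `?` placeholders is not visible here and would need checking. getReportType's body continues past the end of the hunk.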
http://git-wip-us.apache.org/repos/asf/fineract/blob/8c60476b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadWriteNonCoreDataServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadWriteNonCoreDataServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadWriteNonCoreDataServiceImpl.java
index e5b7055..31fdfca 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadWriteNonCoreDataServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadWriteNonCoreDataServiceImpl.java
@@ -49,6 +49,7 @@ import org.apache.fineract.infrastructure.dataqueries.exception.DatatableEntryRe
import org.apache.fineract.infrastructure.dataqueries.exception.DatatableNotFoundException;
import org.apache.fineract.infrastructure.dataqueries.exception.DatatableSystemErrorException;
import org.apache.fineract.infrastructure.security.service.PlatformSecurityContext;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.apache.fineract.infrastructure.security.utils.SQLInjectionValidator;
import org.apache.fineract.useradministration.domain.AppUser;
import org.joda.time.LocalDate;
@@ -106,6 +107,7 @@ public class ReadWriteNonCoreDataServiceImpl implements ReadWriteNonCoreDataServ
private final ConfigurationDomainService configurationDomainService;
private final CodeReadPlatformService codeReadPlatformService;
private final DataTableValidator dataTableValidator;
+ private final ColumnValidator columnValidator;
// private final GlobalConfigurationWritePlatformServiceJpaRepositoryImpl
// configurationWriteService;
@@ -114,7 +116,8 @@ public class ReadWriteNonCoreDataServiceImpl implements ReadWriteNonCoreDataServ
public ReadWriteNonCoreDataServiceImpl(final RoutingDataSource dataSource, final PlatformSecurityContext context,
final FromJsonHelper fromJsonHelper, final GenericDataService genericDataService,
final DatatableCommandFromApiJsonDeserializer fromApiJsonDeserializer, final CodeReadPlatformService codeReadPlatformService,
- final ConfigurationDomainService configurationDomainService, final DataTableValidator dataTableValidator) {
+ final ConfigurationDomainService configurationDomainService, final DataTableValidator dataTableValidator,
+ final ColumnValidator columnValidator) {
this.dataSource = dataSource;
this.jdbcTemplate = new JdbcTemplate(this.dataSource);
this.context = context;
@@ -125,6 +128,7 @@ public class ReadWriteNonCoreDataServiceImpl implements ReadWriteNonCoreDataServ
this.codeReadPlatformService = codeReadPlatformService;
this.configurationDomainService = configurationDomainService;
this.dataTableValidator = dataTableValidator;
+ this.columnValidator = columnValidator;
// this.configurationWriteService = configurationWriteService;
}
@@ -1183,6 +1187,7 @@ public class ReadWriteNonCoreDataServiceImpl implements ReadWriteNonCoreDataServ
sql = sql + "select * from `" + dataTableName + "` where id = " + id;
}
+ this.columnValidator.validateSqlInjection(sql, order);
if (order != null) {
sql = sql + " order by " + order;
}
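Review bot: `this.columnValidator.validateSqlInjection(sql, order);` is called before the `if (order != null)` guard on the next line, so the validator receives a null `order` on the common no-ordering path; unless it tolerates null, requests without an order parameter now fail where they previously succeeded. Moving the call inside the guard, `if (order != null) { this.columnValidator.validateSqlInjection(sql, order); sql = sql + " order by " + order; }`, keeps the check on exactly the value that reaches the query. The `dataTableName` and `id` fragments concatenated above are not covered by this call; whether they are validated earlier in the method is outside the hunk. The enclosing method starts and ends outside the hunk.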
[2/2] fineract git commit: Merge branch 'injection' into develop
Posted by av...@apache.org.
Merge branch 'injection' into develop
Project: http://git-wip-us.apache.org/repos/asf/fineract/repo
Commit: http://git-wip-us.apache.org/repos/asf/fineract/commit/d2b34115
Tree: http://git-wip-us.apache.org/repos/asf/fineract/tree/d2b34115
Diff: http://git-wip-us.apache.org/repos/asf/fineract/diff/d2b34115
Branch: refs/heads/develop
Commit: d2b341159c2b8bc27a16212ebe326dd7bdc4566f
Parents: f28aadf 8c60476
Author: Avik Ganguly <av...@gmail.com>
Authored: Mon Mar 5 06:38:31 2018 +0530
Committer: Avik Ganguly <av...@gmail.com>
Committed: Mon Mar 5 06:38:31 2018 +0530
----------------------------------------------------------------------
.../infrastructure/core/api/ApiParameterHelper.java | 4 ++++
.../dataqueries/service/ReadReportingServiceImpl.java | 9 +++++++--
.../service/ReadWriteNonCoreDataServiceImpl.java | 7 ++++++-
3 files changed, 17 insertions(+), 3 deletions(-)
----------------------------------------------------------------------