You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jetspeed-dev@portals.apache.org by ta...@apache.org on 2016/01/16 01:22:27 UTC
svn commit: r1724898 - in
/portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest:
AbstractRestService.java UserManagerService.java
Author: taylor
Date: Sat Jan 16 00:22:27 2016
New Revision: 1724898
URL: http://svn.apache.org/viewvc?rev=1724898&view=rev
Log:
further tightening security around new user manager service for sql injections. Fixing bug in new user manager where the security behavior was getting overriden with an empty policy
Modified:
portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/AbstractRestService.java
portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/UserManagerService.java
Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/AbstractRestService.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/AbstractRestService.java?rev=1724898&r1=1724897&r2=1724898&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/AbstractRestService.java (original)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/AbstractRestService.java Sat Jan 16 00:22:27 2016
@@ -23,13 +23,15 @@ import org.apache.jetspeed.services.bean
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
+import java.util.ArrayList;
+import java.util.List;
/**
* Created by dtaylor on 5/2/15.
*/
public class AbstractRestService {
- private PortletActionSecurityBehavior securityBehavior;
+ protected PortletActionSecurityBehavior securityBehavior;
protected AbstractRestService(PortletActionSecurityBehavior securityBehavior) {
this.securityBehavior = securityBehavior;
@@ -47,4 +49,22 @@ public class AbstractRestService {
}
}
+ protected String stripSQLInjection(String in) {
+ if (in == null) {
+ return null;
+ }
+ return in.replaceAll("['\"]", "");
+ }
+
+ protected List<String> stripSQLInjection(List<String> in) {
+ if (in == null) {
+ return null;
+ }
+ ArrayList<String> out = new ArrayList<>();
+ for (String s : in) {
+ out.add(stripSQLInjection(s));
+ }
+ return out;
+ }
+
}
Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/UserManagerService.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/UserManagerService.java?rev=1724898&r1=1724897&r2=1724898&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/UserManagerService.java (original)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/UserManagerService.java Sat Jan 16 00:22:27 2016
@@ -82,7 +82,6 @@ public class UserManagerService extends
private GroupManager groupManager;
private Profiler profiler;
private PageManager pageManager;
- private PortletActionSecurityBehavior securityBehavior;
public UserManagerService(UserManager userManager, RoleManager roleManager, GroupManager groupManager, Profiler profiler, PageManager pageManager,
PortletActionSecurityBehavior securityBehavior)
@@ -118,7 +117,14 @@ public class UserManagerService extends
@QueryParam("attribute_key") List<String> attributeKeys, @QueryParam("attribute_value") List<String> attributeValues)
{
checkPrivilege(servletRequest, JetspeedActions.VIEW);
-
+
+ userName = stripSQLInjection(userName);
+ sortDirection = stripSQLInjection(sortDirection);
+ roles = stripSQLInjection(roles);
+ groups = stripSQLInjection(groups);
+ attributeKeys = stripSQLInjection(attributeKeys);
+ attributeValues = stripSQLInjection(attributeValues);
+
Map<String, String> attributeMap = null;
if (attributeKeys != null && attributeKeys.size() > 0 && attributeKeys.size() == attributeValues.size())
@@ -568,4 +574,5 @@ public class UserManagerService extends
throw new WebApplicationException(new JetspeedException("Insufficient privilege to access this REST service."));
}
}
+
}
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org