You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jetspeed-dev@portals.apache.org by ta...@apache.org on 2016/01/16 01:22:27 UTC

svn commit: r1724898 - in /portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest: AbstractRestService.java UserManagerService.java

Author: taylor
Date: Sat Jan 16 00:22:27 2016
New Revision: 1724898

URL: http://svn.apache.org/viewvc?rev=1724898&view=rev
Log:
further tightening security around new user manager service for sql injections. Fixing bug in new user manager where the security behavior was getting overriden with an empty policy

Modified:
    portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/AbstractRestService.java
    portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/UserManagerService.java

Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/AbstractRestService.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/AbstractRestService.java?rev=1724898&r1=1724897&r2=1724898&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/AbstractRestService.java (original)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/AbstractRestService.java Sat Jan 16 00:22:27 2016
@@ -23,13 +23,15 @@ import org.apache.jetspeed.services.bean
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.Response;
+import java.util.ArrayList;
+import java.util.List;
 
 /**
  * Created by dtaylor on 5/2/15.
  */
 public class AbstractRestService {
 
-    private PortletActionSecurityBehavior securityBehavior;
+    protected PortletActionSecurityBehavior securityBehavior;
 
     protected AbstractRestService(PortletActionSecurityBehavior securityBehavior) {
         this.securityBehavior = securityBehavior;
@@ -47,4 +49,22 @@ public class AbstractRestService {
         }
     }
 
+    protected String stripSQLInjection(String in) {
+        if (in == null) {
+            return null;
+        }
+        return in.replaceAll("['\"]", "");
+    }
+
+    protected List<String> stripSQLInjection(List<String> in) {
+        if (in == null) {
+            return null;
+        }
+        ArrayList<String> out = new ArrayList<>();
+        for (String s : in) {
+            out.add(stripSQLInjection(s));
+        }
+        return out;
+    }
+
 }

Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/UserManagerService.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/UserManagerService.java?rev=1724898&r1=1724897&r2=1724898&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/UserManagerService.java (original)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/UserManagerService.java Sat Jan 16 00:22:27 2016
@@ -82,7 +82,6 @@ public class UserManagerService extends
     private GroupManager groupManager;
     private Profiler profiler;
     private PageManager pageManager;
-    private PortletActionSecurityBehavior securityBehavior;
 
     public UserManagerService(UserManager userManager, RoleManager roleManager, GroupManager groupManager, Profiler profiler, PageManager pageManager,
                               PortletActionSecurityBehavior securityBehavior)
@@ -118,7 +117,14 @@ public class UserManagerService extends
                                        @QueryParam("attribute_key") List<String> attributeKeys, @QueryParam("attribute_value") List<String> attributeValues)
     {
         checkPrivilege(servletRequest, JetspeedActions.VIEW);
-        
+
+        userName = stripSQLInjection(userName);
+        sortDirection = stripSQLInjection(sortDirection);
+        roles = stripSQLInjection(roles);
+        groups = stripSQLInjection(groups);
+        attributeKeys = stripSQLInjection(attributeKeys);
+        attributeValues = stripSQLInjection(attributeValues);
+
         Map<String, String> attributeMap = null;
         
         if (attributeKeys != null && attributeKeys.size() > 0 && attributeKeys.size() == attributeValues.size())
@@ -568,4 +574,5 @@ public class UserManagerService extends
             throw new WebApplicationException(new JetspeedException("Insufficient privilege to access this REST service."));
         }
     }
+
 }



---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org