Posted to commits@fineract.apache.org by vi...@apache.org on 2018/02/02 23:41:42 UTC
[1/2] fineract git commit: Injection fix
Repository: fineract
Updated Branches:
refs/heads/develop 17fd243ae -> 1d38bd25d
Injection fix
Project: http://git-wip-us.apache.org/repos/asf/fineract/repo
Commit: http://git-wip-us.apache.org/repos/asf/fineract/commit/e7035d1f
Tree: http://git-wip-us.apache.org/repos/asf/fineract/tree/e7035d1f
Diff: http://git-wip-us.apache.org/repos/asf/fineract/diff/e7035d1f
Branch: refs/heads/develop
Commit: e7035d1f394bd4f65603cc9a31d79d44f1dc73ef
Parents: 17fd243
Author: Avik Ganguly <av...@gmail.com>
Authored: Sat Jan 20 10:00:51 2018 +0530
Committer: Avik Ganguly <av...@gmail.com>
Committed: Sat Jan 20 10:00:51 2018 +0530
----------------------------------------------------------------------
.../JournalEntryReadPlatformServiceImpl.java | 11 +++++--
.../service/AuditReadPlatformServiceImpl.java | 2 ++
.../SchedulerJobRunnerReadServiceImpl.java | 9 ++++--
...ReportMailingJobReadPlatformServiceImpl.java | 9 ++++--
...ingJobRunHistoryReadPlatformServiceImpl.java | 9 ++++--
.../security/utils/ColumnValidator.java | 30 +++++++++++---------
.../security/utils/SQLInjectionValidator.java | 2 +-
.../sms/service/SmsReadPlatformServiceImpl.java | 9 ++++--
.../NotificationReadPlatformServiceImpl.java | 26 +++++++++++------
.../service/OfficeReadPlatformServiceImpl.java | 10 +++++--
...AccountTransfersReadPlatformServiceImpl.java | 12 ++++++--
...structionHistoryReadPlatformServiceImpl.java | 9 ++++--
...ndingInstructionReadPlatformServiceImpl.java | 9 ++++--
.../service/ClientReadPlatformServiceImpl.java | 3 +-
.../service/CenterReadPlatformServiceImpl.java | 5 ++++
.../service/GroupReadPlatformServiceImpl.java | 4 +++
.../service/LoanReadPlatformServiceImpl.java | 2 ++
...nHoldTransactionReadPlatformServiceImpl.java | 8 +++++-
.../SavingsAccountReadPlatformServiceImpl.java | 4 ++-
...eAccountDividendReadPlatformServiceImpl.java | 11 +++++--
...eProductDividendReadPlatformServiceImpl.java | 12 ++++++--
21 files changed, 146 insertions(+), 50 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/accounting/journalentry/service/JournalEntryReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/accounting/journalentry/service/JournalEntryReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/accounting/journalentry/service/JournalEntryReadPlatformServiceImpl.java
index 49efaa0..928ed40 100755
--- a/fineract-provider/src/main/java/org/apache/fineract/accounting/journalentry/service/JournalEntryReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/accounting/journalentry/service/JournalEntryReadPlatformServiceImpl.java
@@ -49,6 +49,7 @@ import org.apache.fineract.infrastructure.core.service.Page;
import org.apache.fineract.infrastructure.core.service.PaginationHelper;
import org.apache.fineract.infrastructure.core.service.RoutingDataSource;
import org.apache.fineract.infrastructure.core.service.SearchParameters;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.apache.fineract.organisation.monetary.data.CurrencyData;
import org.apache.fineract.organisation.office.data.OfficeData;
import org.apache.fineract.organisation.office.service.OfficeReadPlatformService;
@@ -74,18 +75,22 @@ public class JournalEntryReadPlatformServiceImpl implements JournalEntryReadPlat
private final JdbcTemplate jdbcTemplate;
private final GLAccountReadPlatformService glAccountReadPlatformService;
private final OfficeReadPlatformService officeReadPlatformService;
+ private final ColumnValidator columnValidator;
private final FinancialActivityAccountRepositoryWrapper financialActivityAccountRepositoryWrapper;
private final PaginationHelper<JournalEntryData> paginationHelper = new PaginationHelper<>();
@Autowired
public JournalEntryReadPlatformServiceImpl(final RoutingDataSource dataSource,
- final GLAccountReadPlatformService glAccountReadPlatformService, final OfficeReadPlatformService officeReadPlatformService,
+ final GLAccountReadPlatformService glAccountReadPlatformService,
+ final ColumnValidator columnValidator,
+ final OfficeReadPlatformService officeReadPlatformService,
final FinancialActivityAccountRepositoryWrapper financialActivityAccountRepositoryWrapper) {
this.jdbcTemplate = new JdbcTemplate(dataSource);
this.glAccountReadPlatformService = glAccountReadPlatformService;
this.officeReadPlatformService = officeReadPlatformService;
this.financialActivityAccountRepositoryWrapper = financialActivityAccountRepositoryWrapper;
+ this.columnValidator = columnValidator;
}
private static final class GLJournalEntryMapper implements RowMapper<JournalEntryData> {
@@ -356,9 +361,11 @@ public class JournalEntryReadPlatformServiceImpl implements JournalEntryReadPlat
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy());
-
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
+
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
}
} else {
sqlBuilder.append(" order by journalEntry.entry_date, journalEntry.id");
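Review bot: The second validation call, inside the `isSortOrderProvided()` branch, passes `searchParameters.getOrderBy()` a second time, so the `getSortOrder()` value that was just appended to `sqlBuilder` is never run through `validateSqlInjection`; every other service in this commit passes `getSortOrder()` at that point. The line should read `this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());`. The same append-then-validate block for order-by and sort-order is now copied into SchedulerJobRunnerReadServiceImpl, ReportMailingJobReadPlatformServiceImpl, ReportMailingJobRunHistoryReadPlatformServiceImpl, SmsReadPlatformServiceImpl, NotificationReadPlatformServiceImpl, OfficeReadPlatformServiceImpl, AccountTransfersReadPlatformServiceImpl (twice) and StandingInstructionHistoryReadPlatformServiceImpl; one shared helper that appends and validates both fragments would stop the per-service copies from drifting in exactly this way. The enclosing method starts and ends outside the hunk.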
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/commands/service/AuditReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/commands/service/AuditReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/commands/service/AuditReadPlatformServiceImpl.java
index 1315055..447fbb5 100755
--- a/fineract-provider/src/main/java/org/apache/fineract/commands/service/AuditReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/commands/service/AuditReadPlatformServiceImpl.java
@@ -218,12 +218,14 @@ public class AuditReadPlatformServiceImpl implements AuditReadPlatformService {
this.columnValidator.validateSqlInjection(sqlBuilder.toString(), extraCriteria);
if (parameters.isOrderByRequested()) {
sqlBuilder.append(' ').append(parameters.orderBySql());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), parameters.orderBySql());
} else {
sqlBuilder.append(' ').append(' ').append(" order by aud.id DESC");
}
if (parameters.isLimited()) {
sqlBuilder.append(' ').append(parameters.limitSql());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), parameters.limitSql());
}
logger.info("sql: " + sqlBuilder.toString());
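Review bot: `parameters.limitSql()` is handed to `validateSqlInjection` as a column condition, but a limit clause carries no column reference, so what the column-resolution step in ColumnValidator makes of it is not visible here and should be confirmed before that call is relied on as the check for the limit fragment. Separately, the `logger.info("sql: " + sqlBuilder.toString())` line just below the new checks writes the fully built statement, including the caller-supplied order-by and limit text, to the log at INFO on every request; `logger.debug` is the usual level for query text, using the logger's parameterized form if it offers one. The enclosing method starts and ends outside the hunk.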
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/infrastructure/jobs/service/SchedulerJobRunnerReadServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/jobs/service/SchedulerJobRunnerReadServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/jobs/service/SchedulerJobRunnerReadServiceImpl.java
index b61b8da..f692fe6 100755
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/jobs/service/SchedulerJobRunnerReadServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/jobs/service/SchedulerJobRunnerReadServiceImpl.java
@@ -31,6 +31,7 @@ import org.apache.fineract.infrastructure.jobs.data.JobDetailData;
import org.apache.fineract.infrastructure.jobs.data.JobDetailHistoryData;
import org.apache.fineract.infrastructure.jobs.exception.JobNotFoundException;
import org.apache.fineract.infrastructure.jobs.exception.OperationNotAllowedException;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.jdbc.core.JdbcTemplate;
@@ -41,12 +42,15 @@ import org.springframework.stereotype.Service;
public class SchedulerJobRunnerReadServiceImpl implements SchedulerJobRunnerReadService {
private final JdbcTemplate jdbcTemplate;
+ private final ColumnValidator columnValidator;
private final PaginationHelper<JobDetailHistoryData> paginationHelper = new PaginationHelper<>();
@Autowired
- public SchedulerJobRunnerReadServiceImpl(final RoutingDataSource dataSource) {
+ public SchedulerJobRunnerReadServiceImpl(final RoutingDataSource dataSource,
+ final ColumnValidator columnValidator) {
this.jdbcTemplate = new JdbcTemplate(dataSource);
+ this.columnValidator = columnValidator;
}
@Override
@@ -79,9 +83,10 @@ public class SchedulerJobRunnerReadServiceImpl implements SchedulerJobRunnerRead
sqlBuilder.append(" where job.id=?");
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy());
-
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());
}
}
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobReadPlatformServiceImpl.java
index afec180..4e20d4a 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobReadPlatformServiceImpl.java
@@ -36,6 +36,7 @@ import org.apache.fineract.infrastructure.reportmailingjob.data.ReportMailingJob
import org.apache.fineract.infrastructure.reportmailingjob.data.ReportMailingJobStretchyReportParamDateOption;
import org.apache.fineract.infrastructure.reportmailingjob.data.ReportMailingJobTimelineData;
import org.apache.fineract.infrastructure.reportmailingjob.exception.ReportMailingJobNotFoundException;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.joda.time.DateTime;
import org.joda.time.LocalDate;
import org.springframework.beans.factory.annotation.Autowired;
@@ -47,10 +48,13 @@ import org.springframework.stereotype.Service;
@Service
public class ReportMailingJobReadPlatformServiceImpl implements ReportMailingJobReadPlatformService {
private final JdbcTemplate jdbcTemplate;
+ private final ColumnValidator columnValidator;
@Autowired
- public ReportMailingJobReadPlatformServiceImpl(final RoutingDataSource dataSource) {
+ public ReportMailingJobReadPlatformServiceImpl(final RoutingDataSource dataSource,
+ final ColumnValidator columnValidator) {
this.jdbcTemplate = new JdbcTemplate(dataSource);
+ this.columnValidator = columnValidator;
}
@Override
@@ -66,9 +70,10 @@ public class ReportMailingJobReadPlatformServiceImpl implements ReportMailingJob
if (searchParameters.isOrderByRequested()) {
sqlStringBuilder.append(" order by ").append(searchParameters.getOrderBy());
-
+ this.columnValidator.validateSqlInjection(sqlStringBuilder.toString(), searchParameters.getOrderBy());
if (searchParameters.isSortOrderProvided()) {
sqlStringBuilder.append(" ").append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlStringBuilder.toString(), searchParameters.getSortOrder());
}
} else {
sqlStringBuilder.append(" order by rmj.name ");
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobRunHistoryReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobRunHistoryReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobRunHistoryReadPlatformServiceImpl.java
index 4aeb68f..01002d6 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobRunHistoryReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobRunHistoryReadPlatformServiceImpl.java
@@ -29,6 +29,7 @@ import org.apache.fineract.infrastructure.core.service.PaginationHelper;
import org.apache.fineract.infrastructure.core.service.RoutingDataSource;
import org.apache.fineract.infrastructure.core.service.SearchParameters;
import org.apache.fineract.infrastructure.reportmailingjob.data.ReportMailingJobRunHistoryData;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.joda.time.DateTime;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.jdbc.core.JdbcTemplate;
@@ -39,12 +40,15 @@ import org.springframework.stereotype.Service;
public class ReportMailingJobRunHistoryReadPlatformServiceImpl implements ReportMailingJobRunHistoryReadPlatformService {
private final JdbcTemplate jdbcTemplate;
private final ReportMailingJobRunHistoryMapper reportMailingJobRunHistoryMapper;
+ private final ColumnValidator columnValidator;
private final PaginationHelper<ReportMailingJobRunHistoryData> paginationHelper = new PaginationHelper<>();
@Autowired
- public ReportMailingJobRunHistoryReadPlatformServiceImpl(final RoutingDataSource dataSource) {
+ public ReportMailingJobRunHistoryReadPlatformServiceImpl(final RoutingDataSource dataSource,
+ final ColumnValidator columnValidator) {
this.jdbcTemplate = new JdbcTemplate(dataSource);
this.reportMailingJobRunHistoryMapper = new ReportMailingJobRunHistoryMapper();
+ this.columnValidator = columnValidator;
}
@Override
@@ -63,9 +67,10 @@ public class ReportMailingJobRunHistoryReadPlatformServiceImpl implements Report
if (searchParameters.isOrderByRequested()) {
sqlStringBuilder.append(" order by ").append(searchParameters.getOrderBy());
-
+ this.columnValidator.validateSqlInjection(sqlStringBuilder.toString(), searchParameters.getOrderBy());
if (searchParameters.isSortOrderProvided()) {
sqlStringBuilder.append(" ").append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlStringBuilder.toString(), searchParameters.getSortOrder());
}
}
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/ColumnValidator.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/ColumnValidator.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/ColumnValidator.java
index c2a261a..e109687 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/ColumnValidator.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/ColumnValidator.java
@@ -90,21 +90,23 @@ public class ColumnValidator {
return columns;
}
- public void validateSqlInjection(String schema, String condition) {
- SQLInjectionValidator.validateSQLInput(condition);
- List<String> operator = new ArrayList<>(Arrays.asList("=", ">", "<",
- "> =", "< =", "! =", "!=", ">=", "<="));
- condition = condition.trim().replace("( ", "(").replace(" )", ")")
- .toLowerCase();
- for (String op : operator) {
- condition = replaceAll(condition, op).replaceAll(" +", " ");
+ public void validateSqlInjection(String schema, String... conditions) {
+ for(String condition: conditions) {
+ SQLInjectionValidator.validateSQLInput(condition);
+ List<String> operator = new ArrayList<>(Arrays.asList("=", ">", "<",
+ "> =", "< =", "! =", "!=", ">=", "<="));
+ condition = condition.trim().replace("( ", "(").replace(" )", ")")
+ .toLowerCase();
+ for (String op : operator) {
+ condition = replaceAll(condition, op).replaceAll(" +", " ");
+ }
+ Set<String> operands = getOperand(condition);
+ schema = schema.trim().replaceAll(" +", " ").toLowerCase();
+ Map<String, Set<String>> tableColumnAliasMap = getTableColumnAliasMap(operands);
+ Map<String, Set<String>> tableColumnMap = getTableColumnMap(schema,
+ tableColumnAliasMap);
+ validateColumn(tableColumnMap);
}
- Set<String> operands = getOperand(condition);
- schema = schema.trim().replaceAll(" +", " ").toLowerCase();
- Map<String, Set<String>> tableColumnAliasMap = getTableColumnAliasMap(operands);
- Map<String, Set<String>> tableColumnMap = getTableColumnMap(schema,
- tableColumnAliasMap);
- validateColumn(tableColumnMap);
}
private static Map<String, Set<String>> getTableColumnMap(String schema,
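Review bot: `schema` is re-normalized and the `operator` list rebuilt on every iteration of the new `for` loop, although neither depends on `condition`; move `schema = schema.trim().replaceAll(" +", " ").toLowerCase();` above the loop and make the operator list a `private static final List<String>` so the per-condition body does only per-condition work. The varargs signature also accepts a call with no conditions, which silently validates nothing; if that is not intended, `public void validateSqlInjection(String schema, String condition, String... more)` keeps one condition mandatory while staying source-compatible with the existing two-argument callers. Minor: `for(String condition: conditions)` does not match the `for (String op : operator)` spacing used a few lines below.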
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
index d03b2f4..2fd6746 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
@@ -24,7 +24,7 @@ import java.util.regex.Pattern;
public class SQLInjectionValidator {
- private final static String[] DDL_COMMANDS = { "create", "drop", "alter", "truncate", "comment" };
+ private final static String[] DDL_COMMANDS = { "create", "drop", "alter", "truncate", "comment", "sleep" };
private final static String[] DML_COMMANDS = { "select", "insert", "update", "delete", "merge", "upsert", "call" };
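Review bot: `"sleep"` is a function name, not a DDL statement, so `DDL_COMMANDS` no longer describes its contents; either add a comment such as `// "sleep" is not DDL, but it is rejected by the same keyword check` or give it its own array, e.g. `private final static String[] BLOCKED_FUNCTIONS = { "sleep" };`, checked alongside the others. How these tokens are matched is outside the hunk, so whether a legitimate identifier containing that substring would now be rejected cannot be judged here and deserves a unit test. The class body continues outside the hunk.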
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/infrastructure/sms/service/SmsReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/sms/service/SmsReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/sms/service/SmsReadPlatformServiceImpl.java
index 5ad0eac..dfd82c8 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/sms/service/SmsReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/sms/service/SmsReadPlatformServiceImpl.java
@@ -33,6 +33,7 @@ import org.apache.fineract.infrastructure.core.service.Page;
import org.apache.fineract.infrastructure.core.service.PaginationHelper;
import org.apache.fineract.infrastructure.core.service.RoutingDataSource;
import org.apache.fineract.infrastructure.core.service.SearchParameters;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.apache.fineract.infrastructure.sms.data.SmsData;
import org.apache.fineract.infrastructure.sms.domain.SmsMessageEnumerations;
import org.apache.fineract.infrastructure.sms.domain.SmsMessageStatusType;
@@ -49,11 +50,14 @@ public class SmsReadPlatformServiceImpl implements SmsReadPlatformService {
private final JdbcTemplate jdbcTemplate;
private final SmsMapper smsRowMapper;
private final PaginationHelper<SmsData> paginationHelper = new PaginationHelper<>();
+ private final ColumnValidator columnValidator;
@Autowired
- public SmsReadPlatformServiceImpl(final RoutingDataSource dataSource) {
+ public SmsReadPlatformServiceImpl(final RoutingDataSource dataSource,
+ final ColumnValidator columnValidator) {
this.jdbcTemplate = new JdbcTemplate(dataSource);
this.smsRowMapper = new SmsMapper();
+ this.columnValidator = columnValidator;
}
private static final class SmsMapper implements RowMapper<SmsData> {
@@ -224,9 +228,10 @@ public class SmsReadPlatformServiceImpl implements SmsReadPlatformService {
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy());
-
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());
}
} else {
sqlBuilder.append(" order by smo.submittedon_date, smo.id");
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/notification/service/NotificationReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/notification/service/NotificationReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/notification/service/NotificationReadPlatformServiceImpl.java
index 799fddf..4d3dc6a 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/notification/service/NotificationReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/notification/service/NotificationReadPlatformServiceImpl.java
@@ -18,8 +18,18 @@
*/
package org.apache.fineract.notification.service;
-import org.apache.fineract.infrastructure.core.service.*;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.util.HashMap;
+import java.util.List;
+
+import org.apache.fineract.infrastructure.core.service.Page;
+import org.apache.fineract.infrastructure.core.service.PaginationHelper;
+import org.apache.fineract.infrastructure.core.service.RoutingDataSource;
+import org.apache.fineract.infrastructure.core.service.SearchParameters;
+import org.apache.fineract.infrastructure.core.service.ThreadLocalContextUtil;
import org.apache.fineract.infrastructure.security.service.PlatformSecurityContext;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.apache.fineract.notification.cache.CacheNotificationResponseHeader;
import org.apache.fineract.notification.data.NotificationData;
import org.apache.fineract.notification.data.NotificationMapperData;
@@ -28,16 +38,12 @@ import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.stereotype.Service;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.util.HashMap;
-import java.util.List;
-
@Service
public class NotificationReadPlatformServiceImpl implements NotificationReadPlatformService {
private final JdbcTemplate jdbcTemplate;
private final PlatformSecurityContext context;
+ private final ColumnValidator columnValidator;
private final PaginationHelper<NotificationData> paginationHelper = new PaginationHelper<>();
private final NotificationDataRow notificationDataRow = new NotificationDataRow();
private final NotificationMapperRow notificationMapperRow = new NotificationMapperRow();
@@ -45,9 +51,12 @@ public class NotificationReadPlatformServiceImpl implements NotificationReadPlat
tenantNotificationResponseHeaderCache = new HashMap<>();
@Autowired
- public NotificationReadPlatformServiceImpl(final RoutingDataSource dataSource, final PlatformSecurityContext context) {
+ public NotificationReadPlatformServiceImpl(final RoutingDataSource dataSource,
+ final PlatformSecurityContext context,
+ final ColumnValidator columnValidator) {
this.jdbcTemplate = new JdbcTemplate(dataSource);
this.context = context;
+ this.columnValidator = columnValidator;
}
@Override
@@ -139,9 +148,10 @@ public class NotificationReadPlatformServiceImpl implements NotificationReadPlat
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy());
-
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());
}
}
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/organisation/office/service/OfficeReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/organisation/office/service/OfficeReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/organisation/office/service/OfficeReadPlatformServiceImpl.java
index 769b2a1..ffc9f57 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/organisation/office/service/OfficeReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/organisation/office/service/OfficeReadPlatformServiceImpl.java
@@ -28,6 +28,7 @@ import org.apache.fineract.infrastructure.core.domain.JdbcSupport;
import org.apache.fineract.infrastructure.core.service.RoutingDataSource;
import org.apache.fineract.infrastructure.core.service.SearchParameters;
import org.apache.fineract.infrastructure.security.service.PlatformSecurityContext;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.apache.fineract.organisation.monetary.data.CurrencyData;
import org.apache.fineract.organisation.monetary.service.CurrencyReadPlatformService;
import org.apache.fineract.organisation.office.data.OfficeData;
@@ -48,13 +49,17 @@ public class OfficeReadPlatformServiceImpl implements OfficeReadPlatformService
private final JdbcTemplate jdbcTemplate;
private final PlatformSecurityContext context;
private final CurrencyReadPlatformService currencyReadPlatformService;
+ private final ColumnValidator columnValidator;
private final static String nameDecoratedBaseOnHierarchy = "concat(substring('........................................', 1, ((LENGTH(o.hierarchy) - LENGTH(REPLACE(o.hierarchy, '.', '')) - 1) * 4)), o.name)";
@Autowired
public OfficeReadPlatformServiceImpl(final PlatformSecurityContext context,
- final CurrencyReadPlatformService currencyReadPlatformService, final RoutingDataSource dataSource) {
+ final CurrencyReadPlatformService currencyReadPlatformService,
+ final RoutingDataSource dataSource,
+ final ColumnValidator columnValidator) {
this.context = context;
this.currencyReadPlatformService = currencyReadPlatformService;
+ this.columnValidator = columnValidator;
this.jdbcTemplate = new JdbcTemplate(dataSource);
}
@@ -159,9 +164,10 @@ public class OfficeReadPlatformServiceImpl implements OfficeReadPlatformService
if(searchParameters!=null) {
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append("order by ").append(searchParameters.getOrderBy());
-
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());
}
} else {
sqlBuilder.append("order by o.hierarchy");
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/AccountTransfersReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/AccountTransfersReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/AccountTransfersReadPlatformServiceImpl.java
index 08af091..ebe5eb7 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/AccountTransfersReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/AccountTransfersReadPlatformServiceImpl.java
@@ -33,6 +33,7 @@ import org.apache.fineract.infrastructure.core.service.Page;
import org.apache.fineract.infrastructure.core.service.PaginationHelper;
import org.apache.fineract.infrastructure.core.service.RoutingDataSource;
import org.apache.fineract.infrastructure.core.service.SearchParameters;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.apache.fineract.organisation.monetary.data.CurrencyData;
import org.apache.fineract.organisation.office.data.OfficeData;
import org.apache.fineract.organisation.office.service.OfficeReadPlatformService;
@@ -62,6 +63,7 @@ public class AccountTransfersReadPlatformServiceImpl implements
private final ClientReadPlatformService clientReadPlatformService;
private final OfficeReadPlatformService officeReadPlatformService;
private final PortfolioAccountReadPlatformService portfolioAccountReadPlatformService;
+ private final ColumnValidator columnValidator;
// mapper
private final AccountTransfersMapper accountTransfersMapper;
@@ -76,11 +78,13 @@ public class AccountTransfersReadPlatformServiceImpl implements
final RoutingDataSource dataSource,
final ClientReadPlatformService clientReadPlatformService,
final OfficeReadPlatformService officeReadPlatformService,
- final PortfolioAccountReadPlatformService portfolioAccountReadPlatformService) {
+ final PortfolioAccountReadPlatformService portfolioAccountReadPlatformService,
+ final ColumnValidator columnValidator) {
this.jdbcTemplate = new JdbcTemplate(dataSource);
this.clientReadPlatformService = clientReadPlatformService;
this.officeReadPlatformService = officeReadPlatformService;
this.portfolioAccountReadPlatformService = portfolioAccountReadPlatformService;
+ this.columnValidator = columnValidator;
this.accountTransfersMapper = new AccountTransfersMapper();
}
@@ -259,9 +263,10 @@ public class AccountTransfersReadPlatformServiceImpl implements
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(
searchParameters.getOrderBy());
-
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());
}
}
@@ -514,10 +519,11 @@ public class AccountTransfersReadPlatformServiceImpl implements
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(
searchParameters.getOrderBy());
-
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(
searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());
}
}
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionHistoryReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionHistoryReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionHistoryReadPlatformServiceImpl.java
index d0df176..0307b47 100755
--- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionHistoryReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionHistoryReadPlatformServiceImpl.java
@@ -34,6 +34,7 @@ import org.apache.fineract.infrastructure.core.service.Page;
import org.apache.fineract.infrastructure.core.service.PaginationHelper;
import org.apache.fineract.infrastructure.core.service.RoutingDataSource;
import org.apache.fineract.infrastructure.core.service.SearchParameters;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.apache.fineract.organisation.office.data.OfficeData;
import org.apache.fineract.portfolio.account.PortfolioAccountType;
import org.apache.fineract.portfolio.account.data.PortfolioAccountData;
@@ -50,6 +51,7 @@ import org.springframework.stereotype.Service;
public class StandingInstructionHistoryReadPlatformServiceImpl implements StandingInstructionHistoryReadPlatformService {
private final JdbcTemplate jdbcTemplate;
+ private final ColumnValidator columnValidator;
// mapper
private final StandingInstructionHistoryMapper standingInstructionHistoryMapper;
@@ -58,9 +60,11 @@ public class StandingInstructionHistoryReadPlatformServiceImpl implements Standi
private final PaginationHelper<StandingInstructionHistoryData> paginationHelper = new PaginationHelper<>();
@Autowired
- public StandingInstructionHistoryReadPlatformServiceImpl(final RoutingDataSource dataSource) {
+ public StandingInstructionHistoryReadPlatformServiceImpl(final RoutingDataSource dataSource,
+ final ColumnValidator columnValidator) {
this.jdbcTemplate = new JdbcTemplate(dataSource);
this.standingInstructionHistoryMapper = new StandingInstructionHistoryMapper();
+ this.columnValidator = columnValidator;
}
@Override
@@ -139,9 +143,10 @@ public class StandingInstructionHistoryReadPlatformServiceImpl implements Standi
final SearchParameters searchParameters = standingInstructionDTO.searchParameters();
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy());
-
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());
}
}
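Review bot: The validator call is placed after the untrusted `getOrderBy()` has already been concatenated into `sqlBuilder`, so correctness depends on `validateSqlInjection` throwing rather than returning a status; nothing in this hunk checks a return value. A short comment would make the contract explicit for the next maintainer: `// validateSqlInjection throws if orderBy is not a known column; nothing is executed past this point on failure`. If the validator returns a boolean instead, the appended clause reaches `jdbcTemplate` unchecked. The enclosing method starts and ends outside this hunk.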
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionReadPlatformServiceImpl.java
index 9c35c4f..b5b9f22 100755
--- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionReadPlatformServiceImpl.java
@@ -40,6 +40,7 @@ import org.apache.fineract.infrastructure.core.service.Page;
import org.apache.fineract.infrastructure.core.service.PaginationHelper;
import org.apache.fineract.infrastructure.core.service.RoutingDataSource;
import org.apache.fineract.infrastructure.core.service.SearchParameters;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.apache.fineract.organisation.office.data.OfficeData;
import org.apache.fineract.organisation.office.service.OfficeReadPlatformService;
import org.apache.fineract.portfolio.account.PortfolioAccountType;
@@ -71,6 +72,7 @@ import org.springframework.util.CollectionUtils;
public class StandingInstructionReadPlatformServiceImpl implements StandingInstructionReadPlatformService {
private final JdbcTemplate jdbcTemplate;
+ private final ColumnValidator columnValidator;
private final ClientReadPlatformService clientReadPlatformService;
private final OfficeReadPlatformService officeReadPlatformService;
private final PortfolioAccountReadPlatformService portfolioAccountReadPlatformService;
@@ -86,13 +88,15 @@ public class StandingInstructionReadPlatformServiceImpl implements StandingInstr
public StandingInstructionReadPlatformServiceImpl(final RoutingDataSource dataSource,
final ClientReadPlatformService clientReadPlatformService, final OfficeReadPlatformService officeReadPlatformService,
final PortfolioAccountReadPlatformService portfolioAccountReadPlatformService,
- final DropdownReadPlatformService dropdownReadPlatformService) {
+ final DropdownReadPlatformService dropdownReadPlatformService,
+ final ColumnValidator columnValidator) {
this.jdbcTemplate = new JdbcTemplate(dataSource);
this.clientReadPlatformService = clientReadPlatformService;
this.officeReadPlatformService = officeReadPlatformService;
this.portfolioAccountReadPlatformService = portfolioAccountReadPlatformService;
this.dropdownReadPlatformService = dropdownReadPlatformService;
this.standingInstructionMapper = new StandingInstructionMapper();
+ this.columnValidator = columnValidator;
}
@Override
@@ -309,9 +313,10 @@ public class StandingInstructionReadPlatformServiceImpl implements StandingInstr
final SearchParameters searchParameters = standingInstructionDTO.searchParameters();
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy());
-
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());
}
}
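Review bot: Passing `getSortOrder()` to a column validator is an indirect way to constrain a value that should only ever be `ASC` or `DESC`; an explicit allowlist is easier to reason about and does not depend on how `ColumnValidator` treats non-identifier tokens, e.g. `if (!"ASC".equalsIgnoreCase(sortOrder) && !"DESC".equalsIgnoreCase(sortOrder))` then reject. The same pattern is repeated in every read service in this commit, so it may be worth centralising the direction check in `SearchParameters` rather than at each call site. The enclosing method starts and ends outside this hunk.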
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/client/service/ClientReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/client/service/ClientReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/client/service/ClientReadPlatformServiceImpl.java
index ede17f6..4b1313b 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/client/service/ClientReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/client/service/ClientReadPlatformServiceImpl.java
@@ -204,9 +204,10 @@ public class ClientReadPlatformServiceImpl implements ClientReadPlatformService
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy());
-
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());
}
}
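Review bot: The new validation lines check the value only after `sqlBuilder` already contains it, so the builder holds attacker-controlled text at the moment of the check; this is safe only if `validateSqlInjection` aborts the request by throwing. I would invert the order so the builder never holds unvalidated input: validate `searchParameters.getOrderBy()` first, then `sqlBuilder.append(" order by ").append(searchParameters.getOrderBy());`. The enclosing method starts and ends outside this hunk.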
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/CenterReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/CenterReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/CenterReadPlatformServiceImpl.java
index 38823fb..0b75d75 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/CenterReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/CenterReadPlatformServiceImpl.java
@@ -393,6 +393,9 @@ public class CenterReadPlatformServiceImpl implements CenterReadPlatformService
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy()).append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy(),
+ searchParameters.getSortOrder());
+
}
if (searchParameters.isLimited()) {
@@ -431,6 +434,8 @@ public class CenterReadPlatformServiceImpl implements CenterReadPlatformService
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy()).append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy(),
+ searchParameters.getSortOrder());
}
if (searchParameters.isLimited()) {
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/GroupReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/GroupReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/GroupReadPlatformServiceImpl.java
index 2caf668..72f044c 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/GroupReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/GroupReadPlatformServiceImpl.java
@@ -162,6 +162,8 @@ public class GroupReadPlatformServiceImpl implements GroupReadPlatformService {
if (parameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy()).append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy(),
+ searchParameters.getSortOrder());
}
if (parameters.isLimited()) {
@@ -198,10 +200,12 @@ public class GroupReadPlatformServiceImpl implements GroupReadPlatformService {
if (parameters!=null) {
if (parameters.isOrderByRequested()) {
sqlBuilder.append(parameters.orderBySql());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), parameters.orderBySql());
}
if (parameters.isLimited()) {
sqlBuilder.append(parameters.limitSql());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), parameters.limitSql());
}
}
return this.jdbcTemplate.query(sqlBuilder.toString(), this.allGroupTypesDataMapper, paramList.toArray());
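Review bot: `parameters.limitSql()` is passed to a column validator on the new line, but a `limit`/`offset` clause is not a column; if `limitSql()` is built from integer limit and offset fields the check is redundant, and if it is built from raw strings a column lookup is not the right control, an integer parse is. The same applies to `orderBySql()`, which presumably already contains the `order by` keyword and direction, so it is unclear what the validator extracts from it. Its implementation is outside this view, so this may be fine, but a comment on what `validateSqlInjection` does with a whole clause would help. The enclosing method starts outside this hunk.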
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/loanaccount/service/LoanReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/loanaccount/service/LoanReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/loanaccount/service/LoanReadPlatformServiceImpl.java
index 4fc15ad..0fcacf6 100755
--- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/loanaccount/service/LoanReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/loanaccount/service/LoanReadPlatformServiceImpl.java
@@ -330,9 +330,11 @@ public class LoanReadPlatformServiceImpl implements LoanReadPlatformService {
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());
}
}
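Review bot: The sort direction is validated as if it were a column identifier at the second new line; since it can only legitimately be `ASC` or `DESC`, an explicit allowlist is the clearer and stricter check, e.g. `if (!"ASC".equalsIgnoreCase(sortOrder) && !"DESC".equalsIgnoreCase(sortOrder))` then reject. Both new validation calls also run after the value has been concatenated, so the fix relies on `validateSqlInjection` throwing, which is not visible here. The enclosing method starts and ends outside this hunk.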
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/DepositAccountOnHoldTransactionReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/DepositAccountOnHoldTransactionReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/DepositAccountOnHoldTransactionReadPlatformServiceImpl.java
index 9be2258..2677bd2 100755
--- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/DepositAccountOnHoldTransactionReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/DepositAccountOnHoldTransactionReadPlatformServiceImpl.java
@@ -30,6 +30,7 @@ import org.apache.fineract.infrastructure.core.service.Page;
import org.apache.fineract.infrastructure.core.service.PaginationHelper;
import org.apache.fineract.infrastructure.core.service.RoutingDataSource;
import org.apache.fineract.infrastructure.core.service.SearchParameters;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.apache.fineract.portfolio.savings.data.DepositAccountOnHoldTransactionData;
import org.joda.time.LocalDate;
import org.springframework.beans.factory.annotation.Autowired;
@@ -41,13 +42,16 @@ import org.springframework.stereotype.Service;
public class DepositAccountOnHoldTransactionReadPlatformServiceImpl implements DepositAccountOnHoldTransactionReadPlatformService {
private final JdbcTemplate jdbcTemplate;
+ private final ColumnValidator columnValidator;
private final PaginationHelper<DepositAccountOnHoldTransactionData> paginationHelper = new PaginationHelper<>();
private final DepositAccountOnHoldTransactionsMapper mapper;
@Autowired
- public DepositAccountOnHoldTransactionReadPlatformServiceImpl(final RoutingDataSource dataSource) {
+ public DepositAccountOnHoldTransactionReadPlatformServiceImpl(final RoutingDataSource dataSource,
+ final ColumnValidator columnValidator) {
this.jdbcTemplate = new JdbcTemplate(dataSource);
mapper = new DepositAccountOnHoldTransactionsMapper();
+ this.columnValidator = columnValidator;
}
@Override
@@ -66,9 +70,11 @@ public class DepositAccountOnHoldTransactionReadPlatformServiceImpl implements D
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());
}
}
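Review bot: The check on `getOrderBy()` happens only after the value is already in `sqlBuilder`, so the builder briefly holds unvalidated input and the protection hinges entirely on `validateSqlInjection` throwing; `ColumnValidator` is changed in this commit but not visible in this hunk. Validating before the `append` would make the code fail-closed regardless of the validator's return convention. The enclosing method starts and ends outside this hunk.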
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/SavingsAccountReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/SavingsAccountReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/SavingsAccountReadPlatformServiceImpl.java
index c728ca3..6bb4fd1 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/SavingsAccountReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/SavingsAccountReadPlatformServiceImpl.java
@@ -198,9 +198,11 @@ public class SavingsAccountReadPlatformServiceImpl implements SavingsAccountRead
}
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy());
-
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
+
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());
}
}
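Review bot: `getSortOrder()` is treated as a column by the validator on the last new line, whereas it is a direction keyword with exactly two legal values; an allowlist, `"ASC".equalsIgnoreCase(dir) || "DESC".equalsIgnoreCase(dir)`, states the intent directly and does not depend on how `ColumnValidator` handles non-identifier tokens. As a style point, the added empty `+` line between the validator call and the `if` is inconsistent with the other services patched in this commit. The enclosing method starts and ends outside this hunk.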
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareaccounts/service/ShareAccountDividendReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareaccounts/service/ShareAccountDividendReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareaccounts/service/ShareAccountDividendReadPlatformServiceImpl.java
index 1be1eac..440d2f0 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareaccounts/service/ShareAccountDividendReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareaccounts/service/ShareAccountDividendReadPlatformServiceImpl.java
@@ -31,8 +31,9 @@ import org.apache.fineract.infrastructure.core.service.Page;
import org.apache.fineract.infrastructure.core.service.PaginationHelper;
import org.apache.fineract.infrastructure.core.service.RoutingDataSource;
import org.apache.fineract.infrastructure.core.service.SearchParameters;
-import org.apache.fineract.portfolio.shareaccounts.data.ShareAccountDividendData;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.apache.fineract.portfolio.shareaccounts.data.ShareAccountData;
+import org.apache.fineract.portfolio.shareaccounts.data.ShareAccountDividendData;
import org.apache.fineract.portfolio.shareaccounts.domain.ShareAccountDividendStatusType;
import org.apache.fineract.portfolio.shareproducts.domain.ShareProductDividendStatusType;
import org.springframework.beans.factory.annotation.Autowired;
@@ -44,11 +45,14 @@ import org.springframework.stereotype.Service;
public class ShareAccountDividendReadPlatformServiceImpl implements ShareAccountDividendReadPlatformService {
private final JdbcTemplate jdbcTemplate;
+ private final ColumnValidator columnValidator;
private final PaginationHelper<ShareAccountDividendData> paginationHelper = new PaginationHelper<>();
@Autowired
- public ShareAccountDividendReadPlatformServiceImpl(final RoutingDataSource dataSource) {
+ public ShareAccountDividendReadPlatformServiceImpl(final RoutingDataSource dataSource,
+ final ColumnValidator columnValidator) {
this.jdbcTemplate = new JdbcTemplate(dataSource);
+ this.columnValidator = columnValidator;
}
@Override
@@ -80,9 +84,12 @@ public class ShareAccountDividendReadPlatformServiceImpl implements ShareAccount
}
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());
+
}
}
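Review bot: Both new validator calls run after the untrusted value has been appended to `sqlBuilder`, so the hunk is only safe if `validateSqlInjection` throws on failure; a one-line comment such as `// throws if orderBy/sortOrder is not a recognised column, so nothing reaches jdbcTemplate on failure` would document the dependency. Restricting `getSortOrder()` to `ASC`/`DESC` explicitly would also be tighter than a column lookup. The trailing empty `+` line inside the inner `if` is stray whitespace. The enclosing method starts and ends outside this hunk.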
http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareproducts/service/ShareProductDividendReadPlatformServiceImpl.java
----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareproducts/service/ShareProductDividendReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareproducts/service/ShareProductDividendReadPlatformServiceImpl.java
index 6760ef9..afb9b9b 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareproducts/service/ShareProductDividendReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareproducts/service/ShareProductDividendReadPlatformServiceImpl.java
@@ -31,10 +31,11 @@ import org.apache.fineract.infrastructure.core.service.Page;
import org.apache.fineract.infrastructure.core.service.PaginationHelper;
import org.apache.fineract.infrastructure.core.service.RoutingDataSource;
import org.apache.fineract.infrastructure.core.service.SearchParameters;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
import org.apache.fineract.portfolio.shareaccounts.data.ShareAccountDividendData;
import org.apache.fineract.portfolio.shareaccounts.service.SharesEnumerations;
-import org.apache.fineract.portfolio.shareproducts.data.ShareProductDividendPayOutData;
import org.apache.fineract.portfolio.shareproducts.data.ShareProductData;
+import org.apache.fineract.portfolio.shareproducts.data.ShareProductDividendPayOutData;
import org.joda.time.LocalDate;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.jdbc.core.JdbcTemplate;
@@ -45,11 +46,14 @@ import org.springframework.stereotype.Service;
public class ShareProductDividendReadPlatformServiceImpl implements ShareProductDividendReadPlatformService {
private final JdbcTemplate jdbcTemplate;
+ private final ColumnValidator columnValidator;
private final PaginationHelper<ShareProductDividendPayOutData> paginationHelper = new PaginationHelper<>();
@Autowired
- public ShareProductDividendReadPlatformServiceImpl(final RoutingDataSource dataSource) {
+ public ShareProductDividendReadPlatformServiceImpl(final RoutingDataSource dataSource,
+ final ColumnValidator columnValidator) {
this.jdbcTemplate = new JdbcTemplate(dataSource);
+ this.columnValidator = columnValidator;
}
@Override
@@ -68,9 +72,11 @@ public class ShareProductDividendReadPlatformServiceImpl implements ShareProduct
}
if (searchParameters.isOrderByRequested()) {
sqlBuilder.append(" order by ").append(searchParameters.getOrderBy());
-
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy());
+
if (searchParameters.isSortOrderProvided()) {
sqlBuilder.append(' ').append(searchParameters.getSortOrder());
+ this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder());
}
}
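Review bot: The validation is appended after the concatenation rather than gating it, so `sqlBuilder` contains attacker-controlled text when `validateSqlInjection` is called and the request is only stopped if the validator throws; I would validate `searchParameters.getOrderBy()` first and append on success, and check the direction against an `ASC`/`DESC` allowlist rather than a column lookup. Like the savings hunk, the extra blank `+` line after the first validator call is inconsistent with the other files in this commit. The enclosing method starts and ends outside this hunk.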
[2/2] fineract git commit: fixes for CVE-2018-1289
Posted by vi...@apache.org.
fixes for CVE-2018-1289
Project: http://git-wip-us.apache.org/repos/asf/fineract/repo
Commit: http://git-wip-us.apache.org/repos/asf/fineract/commit/1d38bd25
Tree: http://git-wip-us.apache.org/repos/asf/fineract/tree/1d38bd25
Diff: http://git-wip-us.apache.org/repos/asf/fineract/diff/1d38bd25
Branch: refs/heads/develop
Commit: 1d38bd25d0b90e6260b9d24d37d77bc50055b8bb
Parents: 17fd243 e7035d1
Author: Vishwas Babu A J <vi...@confluxtechnologies.com>
Authored: Fri Feb 2 15:36:07 2018 -0800
Committer: Vishwas Babu A J <vi...@confluxtechnologies.com>
Committed: Fri Feb 2 15:36:07 2018 -0800
----------------------------------------------------------------------
.../JournalEntryReadPlatformServiceImpl.java | 11 +++++--
.../service/AuditReadPlatformServiceImpl.java | 2 ++
.../SchedulerJobRunnerReadServiceImpl.java | 9 ++++--
...ReportMailingJobReadPlatformServiceImpl.java | 9 ++++--
...ingJobRunHistoryReadPlatformServiceImpl.java | 9 ++++--
.../security/utils/ColumnValidator.java | 30 +++++++++++---------
.../security/utils/SQLInjectionValidator.java | 2 +-
.../sms/service/SmsReadPlatformServiceImpl.java | 9 ++++--
.../NotificationReadPlatformServiceImpl.java | 26 +++++++++++------
.../service/OfficeReadPlatformServiceImpl.java | 10 +++++--
...AccountTransfersReadPlatformServiceImpl.java | 12 ++++++--
...structionHistoryReadPlatformServiceImpl.java | 9 ++++--
...ndingInstructionReadPlatformServiceImpl.java | 9 ++++--
.../service/ClientReadPlatformServiceImpl.java | 3 +-
.../service/CenterReadPlatformServiceImpl.java | 5 ++++
.../service/GroupReadPlatformServiceImpl.java | 4 +++
.../service/LoanReadPlatformServiceImpl.java | 2 ++
...nHoldTransactionReadPlatformServiceImpl.java | 8 +++++-
.../SavingsAccountReadPlatformServiceImpl.java | 4 ++-
...eAccountDividendReadPlatformServiceImpl.java | 11 +++++--
...eProductDividendReadPlatformServiceImpl.java | 12 ++++++--
21 files changed, 146 insertions(+), 50 deletions(-)
----------------------------------------------------------------------