Posted to dev@olingo.apache.org by "Bernd Fuhrmann (JIRA)" <ji...@apache.org> on 2019/01/19 20:32:00 UTC
[jira] [Created] (OLINGO-1331) Should org.apache.olingo.server.api.uri.UriHelper.parseEntityId accept EntitySets without keys?
Bernd Fuhrmann created OLINGO-1331:
--------------------------------------
Summary: Should org.apache.olingo.server.api.uri.UriHelper.parseEntityId accept EntitySets without keys?
Key: OLINGO-1331
URL: https://issues.apache.org/jira/browse/OLINGO-1331
Project: Olingo
Issue Type: Bug
Components: odata4-server
Affects Versions: (Java) V4 4.5.0, (Java) V4 4.6.0
Reporter: Bernd Fuhrmann
According to the JavaDoc of {{org.apache.olingo.server.api.uri.UriHelper.parseEntityId}}, this method parses Entity IDs. It is noted that there must be a key present in the parameter {{entityId}}. However, in the implementation in {{UriHelperImpl}} that key is not required. That seems to be wrong and this might be bad for the user of the Olingo library:
The parameter {{entityId}} is probably coming via HTTP and can thus be anything. It might even be carefully selected by some attacker.
The current implementation just delegates parsing to the class {{Parser}}. Then it is checked how many resource parts are returned and of what type the first part is, but not whether there are any keys.
So you could do this, e.g. in an {{odata.bind}}:
{{entitysetname}} instead of {{entitysetname(23)}}.
Maybe that is intentionally permitted, but I don't know OData enough to be absolutely sure.
If desirable, I could write a patch and a unit test for that.
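A caller-side guard for the behaviour described in this report, as an added example that is not part of the original message or of the Olingo code base: it rejects an entity id such as {{entitysetname}} that parses successfully but carries no key predicates. The class name `KeyedEntityId` and the error messages are hypothetical; the sketch assumes the 4.x server API, where `parseEntityId(Edm, String, String)` returns a `UriResourceEntitySet`.

```java
import java.util.List;
import java.util.Locale;

import org.apache.olingo.commons.api.edm.Edm;
import org.apache.olingo.commons.api.http.HttpStatusCode;
import org.apache.olingo.server.api.ODataApplicationException;
import org.apache.olingo.server.api.deserializer.DeserializerException;
import org.apache.olingo.server.api.uri.UriHelper;
import org.apache.olingo.server.api.uri.UriParameter;
import org.apache.olingo.server.api.uri.UriResourceEntitySet;

/** Hypothetical helper (not part of Olingo): parse an entity id and insist on a key. */
public final class KeyedEntityId {

  private KeyedEntityId() {
  }

  /**
   * Parses a client-supplied entity id (for example the value of an odata.bind
   * annotation) and fails with 400 Bad Request unless it addresses exactly one
   * entity, i.e. the entity set segment is followed by key predicates.
   */
  public static UriResourceEntitySet parse(UriHelper uriHelper, Edm edm,
      String entityId, String rawServiceRoot) throws ODataApplicationException {
    final UriResourceEntitySet entitySet;
    try {
      // Delegates to the library; per the report this also accepts "entitysetname".
      entitySet = uriHelper.parseEntityId(edm, entityId, rawServiceRoot);
    } catch (DeserializerException e) {
      throw new ODataApplicationException("Malformed entity id",
          HttpStatusCode.BAD_REQUEST.getStatusCode(), Locale.ENGLISH, e);
    }

    // The check the report says is missing: "entitysetname(23)" yields one
    // key predicate, a bare "entitysetname" yields none.
    final List<UriParameter> keys = entitySet.getKeyPredicates();
    if (keys == null || keys.isEmpty()) {
      // The untrusted input is deliberately not echoed back in the message.
      throw new ODataApplicationException("Entity id must contain a key",
          HttpStatusCode.BAD_REQUEST.getStatusCode(), Locale.ENGLISH);
    }
    return entitySet;
  }
}
```

Callers that resolve bind links would use `KeyedEntityId.parse(...)` in place of a direct `parseEntityId` call, so a reference to a whole collection never reaches the code that looks up a single entity.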