You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@olingo.apache.org by "Bernd Fuhrmann (JIRA)" <ji...@apache.org> on 2019/01/19 20:32:00 UTC

[jira] [Created] (OLINGO-1331) Should org.apache.olingo.server.api.uri.UriHelper.parseEntityId accept EntitySets without keys?

Bernd Fuhrmann created OLINGO-1331:
--------------------------------------

             Summary: Should org.apache.olingo.server.api.uri.UriHelper.parseEntityId accept EntitySets without keys?
                 Key: OLINGO-1331
                 URL: https://issues.apache.org/jira/browse/OLINGO-1331
             Project: Olingo
          Issue Type: Bug
          Components: odata4-server
    Affects Versions: (Java) V4 4.5.0, (Java) V4 4.6.0
            Reporter: Bernd Fuhrmann


According to the JavaDoc of {{org.apache.olingo.server.api.uri.UriHelper.parseEntityId}}, this method parses Entity IDs. It is noted, that there must be a key present in the parameter {{entityid}}. However, in the implementation in {{UriHelperImpl}} that key is not required. That seems to be wrong and this might be bad for the user of the Olingo library:
 The parameter {{entityId}} is probably coming via HTTP and can thus be anything. It might even be carefully selected by some attacker.
 The current implementation just delegates parsing to the class {{Parser}}. Then it is checked how many resource parts are returned and of what type the first part is, but not whether there are any keys.

So you could do this, e.g. in an {{odata.bind}}:
 {{entitysetname}} instead of {{entitysetname(23)}}.

Maybe that is intentionally permitted, but I don't know OData enough to be absolutely sure.
 If desirable, I could write a patch and a unit test for that.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)