IDEMPIERE-5450 Form SQL Process has security issues (#1528)
* IDEMPIERE-5450 Form SQL Process has security issues * - fix javadoc * - remove unnecessary code * - minor improvement * - improve discovery of single word commands - avoids the need of space in the SysConfig key
This commit is contained in:
parent
d421dba94e
commit
7ffb18b8e2
|
@ -0,0 +1,10 @@
|
|||
-- IDEMPIERE-5450 Form SQL Process has security issues
|
||||
SELECT register_migration_script('202210131724_IDEMPIERE-5450.sql') FROM dual;
|
||||
|
||||
SET SQLBLANKLINES ON
|
||||
SET DEFINE OFF
|
||||
|
||||
-- Oct 13, 2022, 5:24:11 PM CEST
|
||||
INSERT INTO AD_SysConfig (AD_SysConfig_ID,AD_Client_ID,AD_Org_ID,Created,Updated,CreatedBy,UpdatedBy,IsActive,Name,Value,Description,EntityType,ConfigurationLevel,AD_SysConfig_UU) VALUES (200209,0,0,TO_TIMESTAMP('2022-10-13 17:24:11','YYYY-MM-DD HH24:MI:SS'),TO_TIMESTAMP('2022-10-13 17:24:11','YYYY-MM-DD HH24:MI:SS'),100,100,'Y','ALLOWED_KEYWORDS_IN_SQL_FORM','ALTER,ANALYZE,COMMENT,CREATE,DELETE,DROP,GRANT,INSERT,REINDEX,REVOKE,SET,UPDATE,TRUNCATE,VACUUM','Comma separated list of commands allowed in the SQL Process form','D','S','52f9e30d-4a15-4a63-890c-c338e9f20f61')
|
||||
;
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
-- IDEMPIERE-5450 Form SQL Process has security issues
|
||||
SELECT register_migration_script('202210131724_IDEMPIERE-5450.sql') FROM dual;
|
||||
|
||||
-- Oct 13, 2022, 5:24:11 PM CEST
|
||||
INSERT INTO AD_SysConfig (AD_SysConfig_ID,AD_Client_ID,AD_Org_ID,Created,Updated,CreatedBy,UpdatedBy,IsActive,Name,Value,Description,EntityType,ConfigurationLevel,AD_SysConfig_UU) VALUES (200209,0,0,TO_TIMESTAMP('2022-10-13 17:24:11','YYYY-MM-DD HH24:MI:SS'),TO_TIMESTAMP('2022-10-13 17:24:11','YYYY-MM-DD HH24:MI:SS'),100,100,'Y','ALLOWED_KEYWORDS_IN_SQL_FORM','ALTER,ANALYZE,COMMENT,CREATE,DELETE,DROP,GRANT,INSERT,REINDEX,REVOKE,SET,UPDATE,TRUNCATE,VACUUM','Comma separated list of commands allowed in the SQL Process form','D','S','52f9e30d-4a15-4a63-890c-c338e9f20f61')
|
||||
;
|
||||
|
|
@ -44,12 +44,13 @@ public class MSysConfig extends X_AD_SysConfig
|
|||
/**
|
||||
*
|
||||
*/
|
||||
private static final long serialVersionUID = -5704354666566021353L;
|
||||
private static final long serialVersionUID = -5465323173669763683L;
|
||||
|
||||
public static final String ADDRESS_VALIDATION = "ADDRESS_VALIDATION";
|
||||
public static final String ALERT_SEND_ATTACHMENT_AS_XLS = "ALERT_SEND_ATTACHMENT_AS_XLS";
|
||||
public static final String ALLOCATION_DESCRIPTION = "ALLOCATION_DESCRIPTION";
|
||||
public static final String ALLOW_APPLY_PAYMENT_TO_CREDITMEMO = "ALLOW_APPLY_PAYMENT_TO_CREDITMEMO";
|
||||
public static final String ALLOWED_KEYWORDS_IN_SQL_FORM = "ALLOWED_KEYWORDS_IN_SQL_FORM";
|
||||
public static final String ALLOW_OVER_APPLIED_PAYMENT = "ALLOW_OVER_APPLIED_PAYMENT";
|
||||
public static final String ALLOW_REVERSAL_OF_RECONCILED_PAYMENT = "ALLOW_REVERSAL_OF_RECONCILED_PAYMENT";
|
||||
public static final String ALogin_ShowDate = "ALogin_ShowDate";
|
||||
|
|
|
@ -66,6 +66,7 @@ public class SystemIDs
|
|||
public final static int FORM_SETUP_WIZARD = 200000;
|
||||
public final static int FORM_ADD_AUTHORIZATION = 200016;
|
||||
public final static int FORM_MFA_REGISTER = 200017;
|
||||
public final static int FORM_SQL_PROCESS = 111;
|
||||
|
||||
public final static int MENU_NOTICE = 233;
|
||||
|
||||
|
|
|
@ -21,6 +21,7 @@
|
|||
|
||||
package org.adempiere.webui.apps.form;
|
||||
|
||||
import java.math.BigDecimal;
|
||||
import java.sql.Connection;
|
||||
import java.sql.SQLException;
|
||||
import java.sql.Statement;
|
||||
|
@ -36,6 +37,9 @@ import org.adempiere.webui.component.Textbox;
|
|||
import org.adempiere.webui.panel.ADForm;
|
||||
import org.adempiere.webui.theme.ThemeManager;
|
||||
import org.adempiere.webui.util.ZKUpdateUtil;
|
||||
import org.compiere.model.MIssue;
|
||||
import org.compiere.model.MSysConfig;
|
||||
import org.compiere.model.SystemIDs;
|
||||
import org.compiere.util.CLogger;
|
||||
import org.compiere.util.DB;
|
||||
import org.compiere.util.Env;
|
||||
|
@ -61,16 +65,11 @@ public class WSQLProcess extends ADForm implements EventListener<Event>
|
|||
/**
|
||||
*
|
||||
*/
|
||||
private static final long serialVersionUID = -2038792517003449189L;
|
||||
private static final long serialVersionUID = -4661224754061326223L;
|
||||
|
||||
/** Log. */
|
||||
private static final CLogger log = CLogger.getCLogger(WSQLProcess.class);
|
||||
|
||||
/** DML Statement */
|
||||
private static final String[] DML_KEYWORDS = new String[]{
|
||||
"SELECT", "UPDATE", "DELETE", "TRUNCATE"
|
||||
};
|
||||
|
||||
/** Grid used to layout components. */
|
||||
private Grid m_grdMain = new Grid();
|
||||
/** SQL label. */
|
||||
|
@ -82,17 +81,30 @@ public class WSQLProcess extends ADForm implements EventListener<Event>
|
|||
/** Field to hold result of SQL statement execution. */
|
||||
private Textbox m_txbResultField = new Textbox();
|
||||
|
||||
/**
|
||||
* REGEX_REMOVE_COMMENTS
|
||||
*/
|
||||
private static final String REGEX_REMOVE_COMMENTS = "/\\*(?:.|[\\n\\r])*?\\*/";
|
||||
|
||||
/**
|
||||
* REGEX_REMOVE_QUOTED_STRINGS
|
||||
*/
|
||||
private static final String REGEX_REMOVE_QUOTED_STRINGS = "'(?:.|[\\n\\r])*?'";
|
||||
|
||||
/**
|
||||
* REGEX_REMOVE_LEADING_SPACES
|
||||
*/
|
||||
private static final String REGEX_REMOVE_LEADING_SPACES = "^\\s+";
|
||||
|
||||
/**
|
||||
* Default constructor.
|
||||
*/
|
||||
public WSQLProcess()
|
||||
{
|
||||
public WSQLProcess() {
|
||||
super();
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void initForm()
|
||||
{
|
||||
protected void initForm() {
|
||||
Row rwTop = new Row();
|
||||
Row rwBottom = new Row();
|
||||
Rows rows = new Rows();
|
||||
|
@ -151,8 +163,7 @@ public class WSQLProcess extends ADForm implements EventListener<Event>
|
|||
* Create Process Button.
|
||||
* @return button
|
||||
*/
|
||||
public static final Button createProcessButton()
|
||||
{
|
||||
public static final Button createProcessButton() {
|
||||
Button btnProcess = new Button();
|
||||
if(ThemeManager.isUseFontIconForImage())
|
||||
btnProcess.setIconSclass("z-icon-Process");
|
||||
|
@ -164,22 +175,20 @@ public class WSQLProcess extends ADForm implements EventListener<Event>
|
|||
} // createProcessButton
|
||||
|
||||
/**
|
||||
* Process a semicolon delimitted list of SQL Statements.
|
||||
* Process a semicolon delimited list of SQL Statements.
|
||||
*
|
||||
* @param sqlStatements one or more statements separated by a semicolon (';')
|
||||
* @param allowDML whether to allow DML statements
|
||||
* @return a string summarising the results
|
||||
* @return a string summarizing the results
|
||||
*/
|
||||
public static String processStatements (String sqlStatements, boolean allowDML)
|
||||
{
|
||||
public static String processStatements (String sqlStatements) {
|
||||
if (sqlStatements == null || sqlStatements.length() == 0)
|
||||
return "";
|
||||
StringBuilder result = new StringBuilder();
|
||||
//
|
||||
// TODO: known issue - the command cannot contain semicolon within quotes
|
||||
StringTokenizer st = new StringTokenizer(sqlStatements, ";", false);
|
||||
while (st.hasMoreTokens())
|
||||
{
|
||||
result.append(processStatement(st.nextToken(), allowDML));
|
||||
while (st.hasMoreTokens()) {
|
||||
result.append(processStatement(st.nextToken()));
|
||||
result.append(Env.NL);
|
||||
}
|
||||
//
|
||||
|
@ -190,82 +199,84 @@ public class WSQLProcess extends ADForm implements EventListener<Event>
|
|||
* Process SQL Statements.
|
||||
*
|
||||
* @param sqlStatement a single SQL statement
|
||||
* @param allowDML whether to allow DML statements
|
||||
* @return a string summarising the results
|
||||
* @return a string summarizing the results
|
||||
*/
|
||||
public static String processStatement (String sqlStatement, boolean allowDML)
|
||||
{
|
||||
public static String processStatement (String sqlStatement) {
|
||||
if (sqlStatement == null)
|
||||
return "";
|
||||
StringBuilder sb = new StringBuilder();
|
||||
char[] chars = sqlStatement.toCharArray();
|
||||
for (int i = 0; i < chars.length; i++)
|
||||
{
|
||||
for (int i = 0; i < chars.length; i++) {
|
||||
char c = chars[i];
|
||||
if (Character.isWhitespace(c))
|
||||
sb.append(' ');
|
||||
else
|
||||
sb.append(c);
|
||||
}
|
||||
String sql = sb.toString().trim();
|
||||
if (sql.length() == 0)
|
||||
String sql = sb.toString();
|
||||
if (sql.trim().length() == 0)
|
||||
return "";
|
||||
//
|
||||
StringBuffer result = new StringBuffer("SQL> ")
|
||||
.append(sql)
|
||||
.append(Env.NL);
|
||||
if (!allowDML)
|
||||
{
|
||||
boolean error = false;
|
||||
String SQL = sql.toUpperCase();
|
||||
for (int i = 0; i < DML_KEYWORDS.length; i++)
|
||||
{
|
||||
if (SQL.startsWith(DML_KEYWORDS[i] + " ")
|
||||
|| SQL.indexOf(" " + DML_KEYWORDS[i] + " ") != -1
|
||||
|| SQL.indexOf("(" + DML_KEYWORDS[i] + " ") != -1)
|
||||
{
|
||||
result.append("===> ERROR: Not Allowed Keyword ")
|
||||
.append(DML_KEYWORDS[i])
|
||||
.append(Env.NL);
|
||||
error = true;
|
||||
}
|
||||
if (!sql.contains(" ")) // command is a single word (f.e. ANALYZE), add space at the end
|
||||
sql += " ";
|
||||
StringBuilder result = new StringBuilder("SQL> ")
|
||||
.append(sql)
|
||||
.append(Env.NL);
|
||||
String SQL = sql.toUpperCase();
|
||||
String cleanSQL = SQL
|
||||
.replaceAll(REGEX_REMOVE_COMMENTS, "")
|
||||
.replaceAll(REGEX_REMOVE_QUOTED_STRINGS, "")
|
||||
.replaceFirst(REGEX_REMOVE_LEADING_SPACES, "");
|
||||
|
||||
String[] allowedKeywords = MSysConfig.getValue(MSysConfig.ALLOWED_KEYWORDS_IN_SQL_FORM, "ALTER,ANALYZE,COMMENT,CREATE,DELETE,DROP,GRANT,INSERT,REINDEX,REVOKE,SET,UPDATE,TRUNCATE,VACUUM").split(",");
|
||||
boolean error = true;
|
||||
for (int i = 0; i < allowedKeywords.length; i++) {
|
||||
if (cleanSQL.startsWith(allowedKeywords[i] + " ")) {
|
||||
error = false;
|
||||
break;
|
||||
}
|
||||
if (error)
|
||||
return result.toString();
|
||||
} // !allowDML
|
||||
}
|
||||
if (error) {
|
||||
result.append("===> ERROR: Not Allowed Command")
|
||||
.append(Env.NL);
|
||||
return result.toString();
|
||||
}
|
||||
|
||||
// Process
|
||||
Connection conn = DB.createConnection(true, Connection.TRANSACTION_READ_COMMITTED);
|
||||
Statement stmt = null;
|
||||
try
|
||||
{
|
||||
try {
|
||||
stmt = conn.createStatement();
|
||||
@SuppressWarnings("unused")
|
||||
boolean OK = stmt.execute(sql);
|
||||
long start = System.currentTimeMillis();
|
||||
stmt.execute(sql);
|
||||
long end = System.currentTimeMillis();
|
||||
BigDecimal durationSeconds = BigDecimal.valueOf(end).subtract(BigDecimal.valueOf(start)).divide(BigDecimal.valueOf(1000.0));
|
||||
int count = stmt.getUpdateCount();
|
||||
if (count == -1)
|
||||
{
|
||||
if (count == -1) {
|
||||
result.append("---> ResultSet");
|
||||
}
|
||||
else
|
||||
result.append("---> Result=").append(count);
|
||||
}
|
||||
catch (SQLException e)
|
||||
{
|
||||
MIssue issue = new MIssue(Env.getCtx(), 0, null);
|
||||
issue.setIssueSummary("SQL executed on SQL Process form");
|
||||
issue.setStackTrace(sql);
|
||||
issue.setResponseText(result.toString().replace("SQL> " + sql + Env.NL, ""));
|
||||
issue.setIssueSource(MIssue.ISSUESOURCE_Form);
|
||||
issue.setUserName(Env.getContext(Env.getCtx(), Env.AD_USER_NAME));
|
||||
issue.setAD_Form_ID(SystemIDs.FORM_SQL_PROCESS);
|
||||
issue.setProcessed(true);
|
||||
issue.setComments("Duration : " + durationSeconds + " seconds");
|
||||
issue.saveEx();
|
||||
} catch (SQLException e) {
|
||||
String exception = e.toString();
|
||||
log.log(Level.SEVERE, "process statement: " + sql + " - " + exception);
|
||||
result.append("===> ").append(exception);
|
||||
}
|
||||
finally
|
||||
{
|
||||
} finally {
|
||||
DB.close(stmt);
|
||||
stmt = null;
|
||||
try
|
||||
{
|
||||
try {
|
||||
conn.close();
|
||||
}
|
||||
catch (SQLException e2)
|
||||
{
|
||||
} catch (SQLException e2) {
|
||||
log.log(Level.SEVERE, "processStatement - close connection", e2);
|
||||
}
|
||||
conn = null;
|
||||
|
@ -275,14 +286,14 @@ public class WSQLProcess extends ADForm implements EventListener<Event>
|
|||
return result.toString();
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* (non-Javadoc)
|
||||
* @see org.adempiere.webui.panel.ADForm#onEvent(org.zkoss.zk.ui.event.Event)
|
||||
/**
|
||||
* Process the events for this form
|
||||
* @param event
|
||||
*/
|
||||
public void onEvent(Event event) throws Exception
|
||||
{
|
||||
m_txbResultField.setText(processStatements (m_txbSqlField.getText(), false));
|
||||
public void onEvent(Event event) throws Exception {
|
||||
if (event.getTarget() == m_btnSql)
|
||||
m_txbResultField.setText(processStatements (m_txbSqlField.getText()));
|
||||
super.onEvent(event);
|
||||
}
|
||||
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue