midsuit
/
core-jgi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

IDEMPIERE-1784 SQL injection via ModelADService is possible / committing this patch until a better approach is implemented as suggested in meetings

This commit is contained in:
Carlos Ruiz 2014-03-26 10:52:24 -05:00
parent b392cc090c
commit ed0eee0faf
5 changed files with 196 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
org.idempiere.webservices/.project
View File

@ -20,6 +20,11 @@
<arguments> <arguments>
</arguments> </arguments>
</buildCommand> </buildCommand>
<buildCommand>
<name>org.eclipse.pde.ds.core.builder</name>
<arguments>
</arguments>
</buildCommand>
</buildSpec> </buildSpec>
<natures> <natures>
<nature>org.eclipse.pde.PluginNature</nature> <nature>org.eclipse.pde.PluginNature</nature>

1
org.idempiere.webservices/META-INF/MANIFEST.MF
View File

@ -5,6 +5,7 @@ Bundle-SymbolicName: org.idempiere.webservices;singleton:=true
Bundle-Version: 2.0.0.qualifier Bundle-Version: 2.0.0.qualifier
Bundle-Activator: org.idempiere.webservices.Activator Bundle-Activator: org.idempiere.webservices.Activator
Bundle-RequiredExecutionEnvironment: JavaSE-1.6 Bundle-RequiredExecutionEnvironment: JavaSE-1.6
Service-Component: OSGI-INF/ws_modelfactory.xml
Import-Package: javax.activation;version="1.1.1", Import-Package: javax.activation;version="1.1.1",
javax.mail.internet;version="1.4.5", javax.mail.internet;version="1.4.5",
javax.servlet;version="3.0.0", javax.servlet;version="3.0.0",

8
org.idempiere.webservices/OSGI-INF/ws_modelfactory.xml Normal file
View File

@ -0,0 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?>
<scr:component xmlns:scr="http://www.osgi.org/xmlns/scr/v1.1.0" name="org.compiere.model.WS_ModelFactory">
<implementation class="org.compiere.model.WS_ModelFactory"/>
<property name="service.ranking" type="Integer" value="5"/>
<service>
<provide interface="org.adempiere.base.IModelFactory"/>
</service>
</scr:component>

85
org.idempiere.webservices/WEB-INF/src/org/compiere/model/MWebServicePara.java Normal file
View File

@ -0,0 +1,85 @@
/***********************************************************************
* This file is part of iDempiere ERP Bazaar *
* http://www.idempiere.org *
* *
* Copyright (C) Carlos Ruiz - globalqss *
* Copyright (C) Contributors *
* *
* This program is free software; you can redistribute it and/or *
* modify it under the terms of the GNU General Public License *
* as published by the Free Software Foundation; either version 2 *
* of the License, or (at your option) any later version. *
* *
* This program is distributed in the hope that it will be useful, *
* but WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
* GNU General Public License for more details. *
* *
* You should have received a copy of the GNU General Public License *
* along with this program; if not, write to the Free Software *
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, *
* MA 02110-1301, USA. *
* *
* Contributors: *
* - Carlos Ruiz (globalqss@users.sourceforge.net) *
* *
* Sponsors: *
* - GlobalQSS (http://www.globalqss.com) *
***********************************************************************/
package org.compiere.model;
import java.sql.ResultSet;
import java.util.Properties;
/**
* Web Services Parameters Model
*
* @author Carlos Ruiz
*/
public class MWebServicePara extends X_WS_WebService_Para
{
/**
*
*/
private static final long serialVersionUID = 3561409141850981248L;
/**************************************************************************
* Standard Constructor
* @param ctx context
* @param WS_WebService_Para_ID
* @param trxName transaction
*/
public MWebServicePara (Properties ctx, int WS_WebService_Para_ID, String trxName)
{
super (ctx, WS_WebService_Para_ID, trxName);
/** if (WS_WebService_Para_ID == 0)
{
setName (null);
setValue (null);
WS_WebService_Para_ID (0);
} */
} // MWebServicePara
/**
* Load Constructor
* @param ctx context
* @param rs result set
* @param trxName transaction
*/
public MWebServicePara (Properties ctx, ResultSet rs, String trxName)
{
super(ctx, rs, trxName);
} // MWebServicePara
@Override
protected boolean beforeSave(boolean newRecord) {
if ( "Filter".equalsIgnoreCase(getParameterName())
&& PARAMETERTYPE_Free.equals(getParameterType())) {
log.saveError("Error", "Type Free not allowed for parameter Filter (security issue)"); // IDEMPIERE-1784
return false;
}
return true;
}
} // MWebServicePara

69
org.idempiere.webservices/WEB-INF/src/org/compiere/model/WS_ModelFactory.java Normal file
View File

@ -0,0 +1,69 @@
/**********************************************************************
* This file is part of iDempiere ERP Open Source *
* http://www.idempiere.org *
* *
* Copyright (C) Contributors *
* *
* This program is free software; you can redistribute it and/or *
* modify it under the terms of the GNU General Public License *
* as published by the Free Software Foundation; either version 2 *
* of the License, or (at your option) any later version. *
* *
* This program is distributed in the hope that it will be useful, *
* but WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
* GNU General Public License for more details. *
* *
* You should have received a copy of the GNU General Public License *
* along with this program; if not, write to the Free Software *
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, *
* MA 02110-1301, USA. *
* *
* Contributors: *
* - Carlos Ruiz - globalqss *
**********************************************************************/
package org.compiere.model;
import java.sql.ResultSet;
import org.adempiere.base.IModelFactory;
import org.compiere.model.PO;
import org.compiere.util.Env;
public class WS_ModelFactory implements IModelFactory {
@Override
public Class<?> getClass(String tableName) {
if (X_WS_WebService_Para.Table_Name.equals(tableName))
return MWebServicePara.class;
if (X_WS_WebServiceType.Table_Name.equals(tableName))
return MWebServiceType.class;
if (X_WS_WebService.Table_Name.equals(tableName))
return MWebService.class;
return null;
}
@Override
public PO getPO(String tableName, int Record_ID, String trxName) {
if (X_WS_WebService_Para.Table_Name.equals(tableName))
return new MWebServicePara(Env.getCtx(), Record_ID, trxName);
if (X_WS_WebServiceType.Table_Name.equals(tableName))
return new MWebServiceType(Env.getCtx(), Record_ID, trxName);
if (X_WS_WebService.Table_Name.equals(tableName))
return new MWebService(Env.getCtx(), Record_ID, trxName);
return null;
}
@Override
public PO getPO(String tableName, ResultSet rs, String trxName) {
if (X_WS_WebService_Para.Table_Name.equals(tableName))
return new MWebServicePara(Env.getCtx(), rs, trxName);
if (X_WS_WebServiceType.Table_Name.equals(tableName))
return new MWebServiceType(Env.getCtx(), rs, trxName);
if (X_WS_WebService.Table_Name.equals(tableName))
return new MWebService(Env.getCtx(), rs, trxName);
return null;
}
}