IDEMPIERE-1784 SQL injection via ModelADService is possible / committing this patch until a better approach is implemented as suggested in meetings
parent
b392cc090c
commit
ed0eee0faf
|
@ -1,28 +1,33 @@
|
||||||
<?xml version="1.0" encoding="UTF-8"?>
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
<projectDescription>
|
<projectDescription>
|
||||||
<name>org.idempiere.webservices</name>
|
<name>org.idempiere.webservices</name>
|
||||||
<comment></comment>
|
<comment></comment>
|
||||||
<projects>
|
<projects>
|
||||||
</projects>
|
</projects>
|
||||||
<buildSpec>
|
<buildSpec>
|
||||||
<buildCommand>
|
<buildCommand>
|
||||||
<name>org.eclipse.jdt.core.javabuilder</name>
|
<name>org.eclipse.jdt.core.javabuilder</name>
|
||||||
<arguments>
|
<arguments>
|
||||||
</arguments>
|
</arguments>
|
||||||
</buildCommand>
|
</buildCommand>
|
||||||
<buildCommand>
|
<buildCommand>
|
||||||
<name>org.eclipse.pde.ManifestBuilder</name>
|
<name>org.eclipse.pde.ManifestBuilder</name>
|
||||||
<arguments>
|
<arguments>
|
||||||
</arguments>
|
</arguments>
|
||||||
</buildCommand>
|
</buildCommand>
|
||||||
<buildCommand>
|
<buildCommand>
|
||||||
<name>org.eclipse.pde.SchemaBuilder</name>
|
<name>org.eclipse.pde.SchemaBuilder</name>
|
||||||
<arguments>
|
<arguments>
|
||||||
</arguments>
|
</arguments>
|
||||||
</buildCommand>
|
</buildCommand>
|
||||||
</buildSpec>
|
<buildCommand>
|
||||||
<natures>
|
<name>org.eclipse.pde.ds.core.builder</name>
|
||||||
<nature>org.eclipse.pde.PluginNature</nature>
|
<arguments>
|
||||||
<nature>org.eclipse.jdt.core.javanature</nature>
|
</arguments>
|
||||||
</natures>
|
</buildCommand>
|
||||||
</projectDescription>
|
</buildSpec>
|
||||||
|
<natures>
|
||||||
|
<nature>org.eclipse.pde.PluginNature</nature>
|
||||||
|
<nature>org.eclipse.jdt.core.javanature</nature>
|
||||||
|
</natures>
|
||||||
|
</projectDescription>
|
||||||
|
|
|
@ -5,6 +5,7 @@ Bundle-SymbolicName: org.idempiere.webservices;singleton:=true
|
||||||
Bundle-Version: 2.0.0.qualifier
|
Bundle-Version: 2.0.0.qualifier
|
||||||
Bundle-Activator: org.idempiere.webservices.Activator
|
Bundle-Activator: org.idempiere.webservices.Activator
|
||||||
Bundle-RequiredExecutionEnvironment: JavaSE-1.6
|
Bundle-RequiredExecutionEnvironment: JavaSE-1.6
|
||||||
|
Service-Component: OSGI-INF/ws_modelfactory.xml
|
||||||
Import-Package: javax.activation;version="1.1.1",
|
Import-Package: javax.activation;version="1.1.1",
|
||||||
javax.mail.internet;version="1.4.5",
|
javax.mail.internet;version="1.4.5",
|
||||||
javax.servlet;version="3.0.0",
|
javax.servlet;version="3.0.0",
|
||||||
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<scr:component xmlns:scr="http://www.osgi.org/xmlns/scr/v1.1.0" name="org.compiere.model.WS_ModelFactory">
|
||||||
|
<implementation class="org.compiere.model.WS_ModelFactory"/>
|
||||||
|
<property name="service.ranking" type="Integer" value="5"/>
|
||||||
|
<service>
|
||||||
|
<provide interface="org.adempiere.base.IModelFactory"/>
|
||||||
|
</service>
|
||||||
|
</scr:component>
|
|
@ -0,0 +1,85 @@
|
||||||
|
/***********************************************************************
|
||||||
|
* This file is part of iDempiere ERP Bazaar *
|
||||||
|
* http://www.idempiere.org *
|
||||||
|
* *
|
||||||
|
* Copyright (C) Carlos Ruiz - globalqss *
|
||||||
|
* Copyright (C) Contributors *
|
||||||
|
* *
|
||||||
|
* This program is free software; you can redistribute it and/or *
|
||||||
|
* modify it under the terms of the GNU General Public License *
|
||||||
|
* as published by the Free Software Foundation; either version 2 *
|
||||||
|
* of the License, or (at your option) any later version. *
|
||||||
|
* *
|
||||||
|
* This program is distributed in the hope that it will be useful, *
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of *
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
|
||||||
|
* GNU General Public License for more details. *
|
||||||
|
* *
|
||||||
|
* You should have received a copy of the GNU General Public License *
|
||||||
|
* along with this program; if not, write to the Free Software *
|
||||||
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, *
|
||||||
|
* MA 02110-1301, USA. *
|
||||||
|
* *
|
||||||
|
* Contributors: *
|
||||||
|
* - Carlos Ruiz (globalqss@users.sourceforge.net) *
|
||||||
|
* *
|
||||||
|
* Sponsors: *
|
||||||
|
* - GlobalQSS (http://www.globalqss.com) *
|
||||||
|
***********************************************************************/
|
||||||
|
|
||||||
|
package org.compiere.model;
|
||||||
|
|
||||||
|
import java.sql.ResultSet;
|
||||||
|
import java.util.Properties;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Web Services Parameters Model
|
||||||
|
*
|
||||||
|
* @author Carlos Ruiz
|
||||||
|
*/
|
||||||
|
public class MWebServicePara extends X_WS_WebService_Para
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
private static final long serialVersionUID = 3561409141850981248L;
|
||||||
|
|
||||||
|
/**************************************************************************
|
||||||
|
* Standard Constructor
|
||||||
|
* @param ctx context
|
||||||
|
* @param WS_WebService_Para_ID
|
||||||
|
* @param trxName transaction
|
||||||
|
*/
|
||||||
|
public MWebServicePara (Properties ctx, int WS_WebService_Para_ID, String trxName)
|
||||||
|
{
|
||||||
|
super (ctx, WS_WebService_Para_ID, trxName);
|
||||||
|
/** if (WS_WebService_Para_ID == 0)
|
||||||
|
{
|
||||||
|
setName (null);
|
||||||
|
setValue (null);
|
||||||
|
WS_WebService_Para_ID (0);
|
||||||
|
} */
|
||||||
|
} // MWebServicePara
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Load Constructor
|
||||||
|
* @param ctx context
|
||||||
|
* @param rs result set
|
||||||
|
* @param trxName transaction
|
||||||
|
*/
|
||||||
|
public MWebServicePara (Properties ctx, ResultSet rs, String trxName)
|
||||||
|
{
|
||||||
|
super(ctx, rs, trxName);
|
||||||
|
} // MWebServicePara
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected boolean beforeSave(boolean newRecord) {
|
||||||
|
if ( "Filter".equalsIgnoreCase(getParameterName())
|
||||||
|
&& PARAMETERTYPE_Free.equals(getParameterType())) {
|
||||||
|
log.saveError("Error", "Type Free not allowed for parameter Filter (security issue)"); // IDEMPIERE-1784
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
} // MWebServicePara
|
|
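Review bot: The guard in `beforeSave` at `if ( "Filter".equalsIgnoreCase(getParameterName()) && PARAMETERTYPE_Free.equals(getParameterType()))` only runs when a WS_WebService_Para row is written through the PO layer, so rows that already pair `Filter` with type Free, and rows inserted directly by SQL or a migration, still get past it; since the commit title calls this a stopgap, the consumer (ModelADService, not visible here) should also refuse a Free-typed `Filter` at request time, and a migration should report existing offending rows. The method has no Javadoc; add `/** Reject a Free-typed Filter parameter, which would let a caller supply unvalidated filter text; see IDEMPIERE-1784 (SQL injection via ModelADService). */` above the `@Override`. The commented-out block starting at `/** if (WS_WebService_Para_ID == 0)` in the standard constructor is dead code and should be deleted rather than shipped in a new file.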
@ -0,0 +1,69 @@
|
||||||
|
/**********************************************************************
|
||||||
|
* This file is part of iDempiere ERP Open Source *
|
||||||
|
* http://www.idempiere.org *
|
||||||
|
* *
|
||||||
|
* Copyright (C) Contributors *
|
||||||
|
* *
|
||||||
|
* This program is free software; you can redistribute it and/or *
|
||||||
|
* modify it under the terms of the GNU General Public License *
|
||||||
|
* as published by the Free Software Foundation; either version 2 *
|
||||||
|
* of the License, or (at your option) any later version. *
|
||||||
|
* *
|
||||||
|
* This program is distributed in the hope that it will be useful, *
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of *
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
|
||||||
|
* GNU General Public License for more details. *
|
||||||
|
* *
|
||||||
|
* You should have received a copy of the GNU General Public License *
|
||||||
|
* along with this program; if not, write to the Free Software *
|
||||||
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, *
|
||||||
|
* MA 02110-1301, USA. *
|
||||||
|
* *
|
||||||
|
* Contributors: *
|
||||||
|
* - Carlos Ruiz - globalqss *
|
||||||
|
**********************************************************************/
|
||||||
|
|
||||||
|
package org.compiere.model;
|
||||||
|
|
||||||
|
import java.sql.ResultSet;
|
||||||
|
|
||||||
|
import org.adempiere.base.IModelFactory;
|
||||||
|
import org.compiere.model.PO;
|
||||||
|
import org.compiere.util.Env;
|
||||||
|
|
||||||
|
public class WS_ModelFactory implements IModelFactory {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Class<?> getClass(String tableName) {
|
||||||
|
if (X_WS_WebService_Para.Table_Name.equals(tableName))
|
||||||
|
return MWebServicePara.class;
|
||||||
|
if (X_WS_WebServiceType.Table_Name.equals(tableName))
|
||||||
|
return MWebServiceType.class;
|
||||||
|
if (X_WS_WebService.Table_Name.equals(tableName))
|
||||||
|
return MWebService.class;
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public PO getPO(String tableName, int Record_ID, String trxName) {
|
||||||
|
if (X_WS_WebService_Para.Table_Name.equals(tableName))
|
||||||
|
return new MWebServicePara(Env.getCtx(), Record_ID, trxName);
|
||||||
|
if (X_WS_WebServiceType.Table_Name.equals(tableName))
|
||||||
|
return new MWebServiceType(Env.getCtx(), Record_ID, trxName);
|
||||||
|
if (X_WS_WebService.Table_Name.equals(tableName))
|
||||||
|
return new MWebService(Env.getCtx(), Record_ID, trxName);
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public PO getPO(String tableName, ResultSet rs, String trxName) {
|
||||||
|
if (X_WS_WebService_Para.Table_Name.equals(tableName))
|
||||||
|
return new MWebServicePara(Env.getCtx(), rs, trxName);
|
||||||
|
if (X_WS_WebServiceType.Table_Name.equals(tableName))
|
||||||
|
return new MWebServiceType(Env.getCtx(), rs, trxName);
|
||||||
|
if (X_WS_WebService.Table_Name.equals(tableName))
|
||||||
|
return new MWebService(Env.getCtx(), rs, trxName);
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
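Review bot: `import org.compiere.model.PO;` is redundant because the class is declared in package `org.compiere.model`, and the same three-way table-name dispatch is spelled out separately in `getClass` and in both `getPO` overloads, so a fourth table would have to be added in three places. The manifest pins `Bundle-RequiredExecutionEnvironment: JavaSE-1.6`, so a `switch` on the String is not available here; a single `private static final Map<String, Class<? extends PO>>` keyed by `Table_Name`, consulted by all three methods, would keep them in step. The class also lacks Javadoc; add `/** IModelFactory that maps the WS_WebService, WS_WebServiceType and WS_WebService_Para tables to their M* model classes (presumably so MWebServicePara.beforeSave is applied — confirm against the registered ranking). */`.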