IDEMPIERE-1784 SQL injection via ModelADService is possible / committing this interim patch until the better approach suggested in meetings is implemented
This commit is contained in:
parent
b392cc090c
commit
ed0eee0faf
@ -20,6 +20,11 @@
|
|||
<arguments>
|
||||
</arguments>
|
||||
</buildCommand>
|
||||
<buildCommand>
|
||||
<name>org.eclipse.pde.ds.core.builder</name>
|
||||
<arguments>
|
||||
</arguments>
|
||||
</buildCommand>
|
||||
</buildSpec>
|
||||
<natures>
|
||||
<nature>org.eclipse.pde.PluginNature</nature>
@ -5,6 +5,7 @@ Bundle-SymbolicName: org.idempiere.webservices;singleton:=true
|
|||
Bundle-Version: 2.0.0.qualifier
|
||||
Bundle-Activator: org.idempiere.webservices.Activator
|
||||
Bundle-RequiredExecutionEnvironment: JavaSE-1.6
|
||||
Service-Component: OSGI-INF/ws_modelfactory.xml
|
||||
Import-Package: javax.activation;version="1.1.1",
|
||||
javax.mail.internet;version="1.4.5",
|
||||
javax.servlet;version="3.0.0",
|
||||
@ -0,0 +1,8 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<scr:component xmlns:scr="http://www.osgi.org/xmlns/scr/v1.1.0" name="org.compiere.model.WS_ModelFactory">
|
||||
<implementation class="org.compiere.model.WS_ModelFactory"/>
|
||||
<property name="service.ranking" type="Integer" value="5"/>
|
||||
<service>
|
||||
<provide interface="org.adempiere.base.IModelFactory"/>
|
||||
</service>
|
||||
</scr:component>
@ -0,0 +1,85 @@
|
|||
/***********************************************************************
|
||||
* This file is part of iDempiere ERP Bazaar *
|
||||
* http://www.idempiere.org *
|
||||
* *
|
||||
* Copyright (C) Carlos Ruiz - globalqss *
|
||||
* Copyright (C) Contributors *
|
||||
* *
|
||||
* This program is free software; you can redistribute it and/or *
|
||||
* modify it under the terms of the GNU General Public License *
|
||||
* as published by the Free Software Foundation; either version 2 *
|
||||
* of the License, or (at your option) any later version. *
|
||||
* *
|
||||
* This program is distributed in the hope that it will be useful, *
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of *
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
|
||||
* GNU General Public License for more details. *
|
||||
* *
|
||||
* You should have received a copy of the GNU General Public License *
|
||||
* along with this program; if not, write to the Free Software *
|
||||
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, *
|
||||
* MA 02110-1301, USA. *
|
||||
* *
|
||||
* Contributors: *
|
||||
* - Carlos Ruiz (globalqss@users.sourceforge.net) *
|
||||
* *
|
||||
* Sponsors: *
|
||||
* - GlobalQSS (http://www.globalqss.com) *
|
||||
***********************************************************************/
|
||||
|
||||
package org.compiere.model;
|
||||
|
||||
import java.sql.ResultSet;
|
||||
import java.util.Properties;
|
||||
|
||||
/**
|
||||
* Web Services Parameters Model
|
||||
*
|
||||
* @author Carlos Ruiz
|
||||
*/
|
||||
public class MWebServicePara extends X_WS_WebService_Para
|
||||
{
|
||||
/**
|
||||
*
|
||||
*/
|
||||
private static final long serialVersionUID = 3561409141850981248L;
|
||||
|
||||
/**************************************************************************
|
||||
* Standard Constructor
|
||||
* @param ctx context
|
||||
* @param WS_WebService_Para_ID
|
||||
* @param trxName transaction
|
||||
*/
|
||||
public MWebServicePara (Properties ctx, int WS_WebService_Para_ID, String trxName)
|
||||
{
|
||||
super (ctx, WS_WebService_Para_ID, trxName);
|
||||
/** if (WS_WebService_Para_ID == 0)
|
||||
{
|
||||
setName (null);
|
||||
setValue (null);
|
||||
WS_WebService_Para_ID (0);
|
||||
} */
|
||||
} // MWebServicePara
|
||||
|
||||
/**
|
||||
* Load Constructor
|
||||
* @param ctx context
|
||||
* @param rs result set
|
||||
* @param trxName transaction
|
||||
*/
|
||||
public MWebServicePara (Properties ctx, ResultSet rs, String trxName)
|
||||
{
|
||||
super(ctx, rs, trxName);
|
||||
} // MWebServicePara
|
||||
|
||||
@Override
|
||||
protected boolean beforeSave(boolean newRecord) {
|
||||
if ( "Filter".equalsIgnoreCase(getParameterName())
|
||||
&& PARAMETERTYPE_Free.equals(getParameterType())) {
|
||||
log.saveError("Error", "Type Free not allowed for parameter Filter (security issue)"); // IDEMPIERE-1784
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
} // MWebServicePara
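Review bot: The new `beforeSave` guard rejects a "Filter" parameter of type Free only at save time, so WS_WebService_Para rows that already exist with that combination are not re-validated, and the consuming service still trusts whatever ParameterType is stored; the same condition should also be checked where the Filter value is used, and existing data reviewed, otherwise this model-level check alone does not close IDEMPIERE-1784. The override carries no documentation of why a Free Filter is dangerous; add `/** A "Filter" parameter must not be of type Free: its value ends up in the web service's SQL filter (IDEMPIERE-1784). */` above `beforeSave`. The `/** if (WS_WebService_Para_ID == 0) ... */` block in the standard constructor is commented-out code and should be deleted rather than kept as a Javadoc-style comment.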
@ -0,0 +1,69 @@
|
|||
/**********************************************************************
|
||||
* This file is part of iDempiere ERP Open Source *
|
||||
* http://www.idempiere.org *
|
||||
* *
|
||||
* Copyright (C) Contributors *
|
||||
* *
|
||||
* This program is free software; you can redistribute it and/or *
|
||||
* modify it under the terms of the GNU General Public License *
|
||||
* as published by the Free Software Foundation; either version 2 *
|
||||
* of the License, or (at your option) any later version. *
|
||||
* *
|
||||
* This program is distributed in the hope that it will be useful, *
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of *
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
|
||||
* GNU General Public License for more details. *
|
||||
* *
|
||||
* You should have received a copy of the GNU General Public License *
|
||||
* along with this program; if not, write to the Free Software *
|
||||
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, *
|
||||
* MA 02110-1301, USA. *
|
||||
* *
|
||||
* Contributors: *
|
||||
* - Carlos Ruiz - globalqss *
|
||||
**********************************************************************/
|
||||
|
||||
package org.compiere.model;
|
||||
|
||||
import java.sql.ResultSet;
|
||||
|
||||
import org.adempiere.base.IModelFactory;
|
||||
import org.compiere.model.PO;
|
||||
import org.compiere.util.Env;
|
||||
|
||||
public class WS_ModelFactory implements IModelFactory {
|
||||
|
||||
@Override
|
||||
public Class<?> getClass(String tableName) {
|
||||
if (X_WS_WebService_Para.Table_Name.equals(tableName))
|
||||
return MWebServicePara.class;
|
||||
if (X_WS_WebServiceType.Table_Name.equals(tableName))
|
||||
return MWebServiceType.class;
|
||||
if (X_WS_WebService.Table_Name.equals(tableName))
|
||||
return MWebService.class;
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public PO getPO(String tableName, int Record_ID, String trxName) {
|
||||
if (X_WS_WebService_Para.Table_Name.equals(tableName))
|
||||
return new MWebServicePara(Env.getCtx(), Record_ID, trxName);
|
||||
if (X_WS_WebServiceType.Table_Name.equals(tableName))
|
||||
return new MWebServiceType(Env.getCtx(), Record_ID, trxName);
|
||||
if (X_WS_WebService.Table_Name.equals(tableName))
|
||||
return new MWebService(Env.getCtx(), Record_ID, trxName);
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public PO getPO(String tableName, ResultSet rs, String trxName) {
|
||||
if (X_WS_WebService_Para.Table_Name.equals(tableName))
|
||||
return new MWebServicePara(Env.getCtx(), rs, trxName);
|
||||
if (X_WS_WebServiceType.Table_Name.equals(tableName))
|
||||
return new MWebServiceType(Env.getCtx(), rs, trxName);
|
||||
if (X_WS_WebService.Table_Name.equals(tableName))
|
||||
return new MWebService(Env.getCtx(), rs, trxName);
|
||||
return null;
|
||||
}
|
||||
|
||||
}
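Review bot: `import org.compiere.model.PO;` is redundant because WS_ModelFactory is itself in package `org.compiere.model`, and the three methods repeat the same Table_Name `if` chain, so adding a fourth web-service model means editing three places; a single lookup of table name to model class (or a small switch on `tableName`) would keep them in step. The class has no Javadoc explaining its role; add `/** IModelFactory for the web-service tables so that MWebServicePara, MWebServiceType and MWebService are used instead of the generated X_ classes — presumably what makes the MWebServicePara.beforeSave check reachable. */`. The `service.ranking` of 5 in the accompanying component XML is not explained anywhere in the commit and deserves a comment stating which factory it is meant to outrank.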