This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 40434deb0 Fixed: Execution of queries without authentication 
(OFBIZ-12857)
40434deb0 is described below

commit 40434deb0e3e8dce16707bc43e2f33cbd8d3fc6a
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Fri Sep 22 18:02:48 2023 +0200

    Fixed: Execution of queries without authentication (OFBIZ-12857)
    
    The problem lies with the Solr Plugin for OFBiz.
    It allows the execution of queries without authentication.
    
    This fixes it and, because it's more general, also fixes the CVE-2022-47501
    ("Arbitrary file reading vulnerability in Solr") that has been handled by
    OFBIZ-12792.
---
 .../ofbiz/solr/webapp/OFBizSolrContextFilter.java  | 25 ++++++++++++++++------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git 
a/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java 
b/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java
index dfca386ce..d0af39ab8 100644
--- 
a/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java
+++ 
b/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java
@@ -23,6 +23,7 @@ import java.io.OutputStream;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Properties;
@@ -98,6 +99,13 @@ public class OFBizSolrContextFilter extends 
SolrDispatchFilter {
         config.getServletContext().setAttribute(SOLRHOME_ATTRIBUTE, ofbizHome 
+ props.getProperty("solr/home"));
         super.init(config);
     }
+
+    private boolean userIsUnauthorized(HttpServletRequest httpRequest) {
+        HttpSession session = httpRequest.getSession();
+        GenericValue userLogin = (GenericValue) 
session.getAttribute("userLogin");
+        return UtilValidate.isEmpty(userLogin) || 
!LoginWorker.hasBasePermission(userLogin, httpRequest);
+    }
+
     /** Do filter */
     @Override
     public void doFilter(ServletRequest request, ServletResponse response, 
FilterChain chain) throws IOException, ServletException {
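Review bot: `userIsUnauthorized` calls `httpRequest.getSession()`, which creates a session for every anonymous request that reaches the check, and with the new per-core matching that is every unauthenticated query hitting a core path; `HttpSession session = httpRequest.getSession(false); if (session == null) { return true; }` rejects such requests without allocating state for them. The helper's name is a negative, so a Javadoc line such as `/** Returns true when the session holds no userLogin or that login lacks the base permission for this request. */` would make the intended polarity at each call site unambiguous. doFilter's body continues past the end of this hunk.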
@@ -107,18 +115,21 @@ public class OFBizSolrContextFilter extends 
SolrDispatchFilter {
 
         String servletPath = httpRequest.getServletPath();
 
-        if (servletPath.equals("/solrdefault/debug/dump")) {
+        List<String> solrCoreNames = getCores().getAllCoreNames();
+        boolean userTriesToAccessAnySolrCore = solrCoreNames.stream().anyMatch(
+                coreName -> servletPath.matches(String.format("/%s/.*", 
coreName)));
+
+        // check if the request is from an authorized user
+        if (userTriesToAccessAnySolrCore && userIsUnauthorized(httpRequest)) {
             sendJsonHeaderMessage(httpRequest, httpResponse, null, 
"SolrErrorUnauthorisedRequestForSecurityReason", null, locale);
             return;
         }
-
-        // check if the request is from an authorized user
         if (UtilValidate.isNotEmpty(servletPath) && 
(servletPath.startsWith("/admin/") || servletPath.endsWith("/update")
                 || servletPath.endsWith("/update/json") || 
servletPath.endsWith("/update/csv") || servletPath.endsWith("/update/extract")
                 || servletPath.endsWith("/replication") || 
servletPath.endsWith("/file") || servletPath.endsWith("/file/"))) {
             HttpSession session = httpRequest.getSession();
             GenericValue userLogin = (GenericValue) 
session.getAttribute("userLogin");
-            if (servletPath.startsWith("/admin/") && 
(UtilValidate.isEmpty(userLogin) || !LoginWorker.hasBasePermission(userLogin, 
httpRequest))) {
+            if (servletPath.startsWith("/admin/") && 
!userIsUnauthorized(httpRequest)) {
                 response.setContentType("application/json");
                 MapToJSON mapToJson = new MapToJSON();
                 JSON json;
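Review bot: The admin check `if (servletPath.startsWith("/admin/") && !userIsUnauthorized(httpRequest))` inverts the condition it replaces: the removed expression `UtilValidate.isEmpty(userLogin) || !LoginWorker.hasBasePermission(userLogin, httpRequest)` is exactly what `userIsUnauthorized` returns, so the added negation sends authorized admins to the error branch and lets unauthorized callers through; it should read `if (servletPath.startsWith("/admin/") && userIsUnauthorized(httpRequest)) {`. The same inversion appears in the next hunk's three conditions for the `/update*`, `/replication` and `/file` paths, where the `UtilValidate.isEmpty(userLogin) ||` prefix is also redundant because the helper already performs that check. The core check builds a regex from each core name via `String.format("/%s/.*", coreName)`, so a core name containing regex metacharacters would match more paths than intended; `servletPath.startsWith("/" + coreName + "/")` states the intent without a regex. The removed `/solrdefault/debug/dump` case is now covered only if `solrdefault` is among the names returned by `getCores().getAllCoreNames()`, which cannot be confirmed from this hunk. doFilter continues past the end of the hunk.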
@@ -148,20 +159,20 @@ public class OFBizSolrContextFilter extends 
SolrDispatchFilter {
                     || servletPath.endsWith("/update/extract")) {
                 // NOTE: the update requests are defined in an index's 
solrconfig.xml
                 // get the Solr index name from the request
-                if (UtilValidate.isEmpty(userLogin) || 
!LoginWorker.hasBasePermission(userLogin, httpRequest)) {
+                if (UtilValidate.isEmpty(userLogin) || 
!userIsUnauthorized(httpRequest)) {
                     sendJsonHeaderMessage(httpRequest, httpResponse, 
userLogin, "SolrErrorUpdateLoginFirst", "SolrErrorNoUpdatePermission", locale);
                     return;
                 }
             } else if (servletPath.endsWith("/replication")) {
                 // get the Solr index name from the request
-                if (UtilValidate.isEmpty(userLogin) || 
!LoginWorker.hasBasePermission(userLogin, httpRequest)) {
+                if (UtilValidate.isEmpty(userLogin) || 
!userIsUnauthorized(httpRequest)) {
                     sendJsonHeaderMessage(httpRequest, httpResponse, 
userLogin, "SolrErrorReplicateLoginFirst", "SolrErrorNoReplicatePermission",
                             locale);
                     return;
                 }
             } else if (servletPath.endsWith("/file") || 
servletPath.endsWith("/file/")) {
                 // get the Solr index name from the request
-                if (UtilValidate.isEmpty(userLogin) || 
!LoginWorker.hasBasePermission(userLogin, httpRequest)) {
+                if (UtilValidate.isEmpty(userLogin) || 
!userIsUnauthorized(httpRequest)) {
                     sendJsonHeaderMessage(httpRequest, httpResponse, 
userLogin, "SolrErrorViewFileLoginFirst", "SolrErrorNoViewFilePermission",
                             locale);
                     return;
