Bernd Fuhrmann created OLINGO-1331:
--------------------------------------

             Summary: Should org.apache.olingo.server.api.uri.UriHelper.parseEntityId accept EntitySets without keys?
                 Key: OLINGO-1331
                 URL: https://issues.apache.org/jira/browse/OLINGO-1331
             Project: Olingo
          Issue Type: Bug
          Components: odata4-server
    Affects Versions: (Java) V4 4.5.0, (Java) V4 4.6.0
            Reporter: Bernd Fuhrmann


According to the JavaDoc of 
{{org.apache.olingo.server.api.uri.UriHelper.parseEntityId}}, this method 
parses Entity IDs. It is noted that there must be a key present in the 
parameter {{entityId}}. However, in the implementation in {{UriHelperImpl}} 
that key is not required. That seems to be wrong, and this might be bad for the 
user of the Olingo library:
The parameter {{entityId}} is probably coming via HTTP and can thus be 
anything. It might even be carefully selected by some attacker.
The current implementation just delegates parsing to the class {{Parser}}. 
Then it is checked how many resource parts are returned and of what type the 
first part is, but not whether there are any keys.

So you could do this, e.g. in an {{odata.bind}}:
{{entitysetname}} instead of {{entitysetname(23)}}.

Maybe that is intentionally permitted, but I don't know OData well enough to be 
absolutely sure.
If desirable, I could write a patch and a unit test for that.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
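The report above says that {{parseEntityId}} checks the number and kind of the parsed resource parts but not whether a key is present. Until that is settled in Olingo itself, a caller can enforce the JavaDoc contract on its own side. The following class is an added example written for this page, not code from the Olingo project or from the reporter: it wraps {{UriHelper.parseEntityId}} and rejects any result whose first resource part carries no key predicates. It also goes one step beyond the report by checking that every key property declared on the entity type was supplied, so that a partial key such as {{Orders(OrderId=1)}} on a compound-key type is rejected as well. The class name {{KeyedEntityIdParser}}, the package name and the error message are assumptions; the Olingo types and methods used ({{UriHelper#parseEntityId}}, {{UriResourceEntitySet#getKeyPredicates}}, {{EdmEntityType#getKeyPredicateNames}}, {{ODataApplicationException}}) are the public API of the odata4-server and commons modules.

```java
package example.olingo; // hypothetical package, not part of Olingo

import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

import org.apache.olingo.commons.api.edm.Edm;
import org.apache.olingo.commons.api.edm.EdmEntityType;
import org.apache.olingo.commons.api.http.HttpStatusCode;
import org.apache.olingo.server.api.ODataApplicationException;
import org.apache.olingo.server.api.deserializer.DeserializerException;
import org.apache.olingo.server.api.uri.UriHelper;
import org.apache.olingo.server.api.uri.UriParameter;
import org.apache.olingo.server.api.uri.UriResourceEntitySet;

/**
 * Defensive wrapper around UriHelper.parseEntityId (example code, not Olingo's own).
 * parseEntityId is documented to require a key in the entity id; this wrapper
 * makes that requirement explicit for input that arrives over HTTP, for example
 * the target of an odata.bind annotation.
 */
public final class KeyedEntityIdParser {

    private final UriHelper uriHelper;

    public KeyedEntityIdParser(UriHelper uriHelper) {
        this.uriHelper = uriHelper;
    }

    /**
     * Parses an entity id such as "Orders(23)" and returns the entity-set resource
     * only if a complete key is present. "Orders" alone, or a partial compound key,
     * is rejected with HTTP 400 instead of being accepted as a bare entity set.
     */
    public UriResourceEntitySet parseKeyed(Edm edm, String entityId, String rawServiceRoot)
            throws DeserializerException, ODataApplicationException {

        // Delegate the actual parsing to Olingo; this may already throw for malformed input.
        UriResourceEntitySet resource = uriHelper.parseEntityId(edm, entityId, rawServiceRoot);

        // The check the report says is missing: is there any key predicate at all?
        List<UriParameter> keys = resource.getKeyPredicates();
        if (keys == null || keys.isEmpty()) {
            throw badRequest("Entity id '" + entityId + "' does not contain a key");
        }

        // Going one step further: every key property of the entity type must be supplied.
        EdmEntityType type = resource.getEntitySet().getEntityType();
        Set<String> supplied = new HashSet<>();
        for (UriParameter key : keys) {
            supplied.add(key.getName());
        }
        for (String required : type.getKeyPredicateNames()) {
            if (!supplied.contains(required)) {
                throw badRequest("Entity id '" + entityId + "' is missing key property " + required);
            }
        }
        return resource;
    }

    private static ODataApplicationException badRequest(String message) {
        // Error text is an assumption of this example; adapt it to the service's conventions.
        return new ODataApplicationException(message,
                HttpStatusCode.BAD_REQUEST.getStatusCode(), Locale.ROOT);
    }
}
```

In a processor that resolves {{odata.bind}} links, calling {{parseKeyed}} in place of {{parseEntityId}} means an attacker-supplied value like {{Orders}} (no key) fails with 400 before any lookup is attempted, rather than being silently treated as a reference to a whole entity set. The completeness check relies on {{getKeyPredicateNames}}, which for single-valued keys in Olingo is the key property name, so a key written positionally, e.g. {{Orders(23)}}, is still parsed into a named predicate by the parser and passes the check.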