Re: [PR] [SYNCOPE-1874] Realm attributes [syncope]

Wed, 30 Apr 2025 08:10:01 -0700 


github-advanced-security[bot] commented on code in PR #1064:
URL: https://github.com/apache/syncope/pull/1064#discussion_r2068874732


##########
core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/repo/MariaDBPlainSchemaRepoExtImpl.java:
##########
@@ -55,6 +56,25 @@
         return ((Number) query.getSingleResult()).intValue() > 0;
     }
 
+    @Override
+    public boolean existsPlainAttrUniqueValue(
+            final String realmKey,
+            final PlainSchema schema,
+            final PlainAttrValue attrValue) {
+
+        PlainAttr attr = new PlainAttr();
+        attr.setSchema(schema.getKey());
+        attr.setUniqueValue(attrValue);
+
+        Query query = entityManager.createNativeQuery(
+                "SELECT COUNT(id) FROM " + JPARealm.TABLE
+                + " WHERE JSON_CONTAINS(plainAttrs, '" + 
POJOHelper.serialize(List.of(attr)).replace("'", "''") + "')"
+                + " AND id <> ?1");

Review Comment:
   ## Query built by concatenation with a possibly-untrusted string
   
   Query built by concatenation with [this expression](1), which may be 
untrusted.
   
   [Show more 
details](https://github.com/apache/syncope/security/code-scanning/2232)



##########
core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/repo/MySQLPlainSchemaRepoExtImpl.java:
##########
@@ -55,6 +56,25 @@
         return ((Number) query.getSingleResult()).intValue() > 0;
     }
 
+    @Override
+    public boolean existsPlainAttrUniqueValue(
+            final String realmKey,
+            final PlainSchema schema,
+            final PlainAttrValue attrValue) {
+
+        PlainAttr attr = new PlainAttr();
+        attr.setSchema(schema.getKey());
+        attr.setUniqueValue(attrValue);
+
+        Query query = entityManager.createNativeQuery(
+                "SELECT COUNT(id) FROM " + JPARealm.TABLE
+                + " WHERE JSON_CONTAINS(plainAttrs, '" + 
POJOHelper.serialize(List.of(attr)).replace("'", "''") + "')"
+                + " AND id <> ?1");

Review Comment:
   ## Query built by concatenation with a possibly-untrusted string
   
   Query built by concatenation with [this expression](1), which may be 
untrusted.
   
   [Show more 
details](https://github.com/apache/syncope/security/code-scanning/2233)



##########
core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/JPARealmDAO.java:
##########
@@ -203,6 +210,24 @@
 
     @Override
     public <S extends Realm> S save(final S realm) {
+        // check UNIQUE constraints
+        new ArrayList<>(((JPARealm) realm).getPlainAttrsList()).stream().
+                filter(attr -> attr.getUniqueValue() != null).
+                forEach(attr -> {
+                    if (plainSchemaDAO.existsPlainAttrUniqueValue(
+                            realm.getKey(),
+                            plainSchemaDAO.findById(attr.getSchema()).
+                                    orElseThrow(() -> new 
NotFoundException("PlainSchema " + attr.getSchema())),
+                            attr.getUniqueValue())) {
+
+                        throw new DuplicateException("Duplicate value found 
for "
+                                + attr.getSchema() + "=" + 
attr.getUniqueValue().getValueAsString());
+                    } else {
+                        LOG.debug("No duplicate value found for {}={}",
+                                attr.getSchema(), 
attr.getUniqueValue().getValueAsString());

Review Comment:
   ## Log Injection
   
   This log entry depends on a [user-provided value](1).
   This log entry depends on a [user-provided value](2).
   
   [Show more 
details](https://github.com/apache/syncope/security/code-scanning/2231)



##########
core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/repo/PGPlainSchemaRepoExtImpl.java:
##########
@@ -55,6 +56,25 @@
         return ((Number) query.getSingleResult()).intValue() > 0;
     }
 
+    @Override
+    public boolean existsPlainAttrUniqueValue(
+            final String realmKey,
+            final PlainSchema schema,
+            final PlainAttrValue attrValue) {
+
+        PlainAttr attr = new PlainAttr();
+        attr.setSchema(schema.getKey());
+        attr.setUniqueValue(attrValue);
+
+        Query query = entityManager.createNativeQuery(
+                "SELECT COUNT(id) FROM " + JPARealm.TABLE
+                + " WHERE plainAttrs::jsonb @> '" + 
POJOHelper.serialize(List.of(attr)).replace("'", "''") + "'::jsonb"
+                + " AND id <> ?1");

Review Comment:
   ## Query built by concatenation with a possibly-untrusted string
   
   Query built by concatenation with [this expression](1), which may be 
untrusted.
   
   [Show more 
details](https://github.com/apache/syncope/security/code-scanning/2234)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@syncope.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to