Terence Monteiro created FINERACT-2650:
------------------------------------------
Summary: Client search API: sanitise orderBy, sortOrder inputs
Key: FINERACT-2650
URL: https://issues.apache.org/jira/browse/FINERACT-2650
Project: Apache Fineract
Issue Type: Bug
Affects Versions: 1.14.0
Reporter: Terence Monteiro
The {{orderBy}} and {{sortOrder}} parameters on the Client Search API ({{GET
/api/v1/clients}}) are currently validated against a keyword denylist before
being used to construct the result ordering clause. This should be replaced
with a strict allowlist validation, consistent with the approach already used
elsewhere in the codebase ({{InputValidator}}).
Proposed change:
* Restrict {{orderBy}} to the documented set of sortable fields ({{id}},
{{displayName}}, {{accountNo}}, {{officeId}}, {{officeName}})
* Restrict {{sortOrder}} to {{ASC}}/{{DESC}}
* Add a new {{InputValidator}} profile ({{client-order-by}}) with a
configurable pattern, defaulting to the strict allowlist above
* Add integration test coverage for both valid and invalid input combinations
This brings the client search endpoint in line with the stricter input handling
pattern adopted in recent hardening work, and closes a gap where unexpected
characters/expressions in these parameters were not fully rejected.
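As an added illustration of the allowlist approach the issue proposes (example code written for this note, not Fineract's {{InputValidator}} or any code from the project): the validator below accepts only the five sortable fields listed above and only {{ASC}}/{{DESC}}, builds the ordering clause from the validated values alone, and contrasts that with a keyword denylist of the kind being replaced. The class name {{ClientOrderByValidator}}, its method names and the denylist keywords are hypothetical; the sample inputs are constructed.

```java
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

// Added example, not Fineract code: allowlist validation of the orderBy /
// sortOrder query parameters. ClientOrderByValidator and its method names
// are hypothetical; the sortable fields are the ones listed in the issue.
public final class ClientOrderByValidator {

    // Default pattern for the proposed "client-order-by" profile: only the
    // documented sortable fields, anchored so nothing can be prepended or appended.
    public static final String DEFAULT_ORDER_BY_PATTERN =
            "^(id|displayName|accountNo|officeId|officeName)$";

    private static final Set<String> SORT_ORDERS = Set.of("ASC", "DESC");

    // Illustrative keyword denylist of the kind the issue wants to replace.
    private static final Set<String> DENIED_KEYWORDS = Set.of("select", "union", "drop", "delete");

    private final Pattern orderByPattern;

    // The pattern is configurable (the issue's "configurable pattern"); the
    // default is the strict allowlist above.
    public ClientOrderByValidator(String configuredPattern) {
        this.orderByPattern = Pattern.compile(configuredPattern);
    }

    public ClientOrderByValidator() {
        this(DEFAULT_ORDER_BY_PATTERN);
    }

    // Accept only a value that matches the allowlist pattern in full;
    // null/blank means "no ordering requested" and is passed through as null.
    public String validateOrderBy(String orderBy) {
        if (orderBy == null || orderBy.isBlank()) {
            return null;
        }
        if (!orderByPattern.matcher(orderBy).matches()) {
            throw new IllegalArgumentException("orderBy must be one of the sortable fields, got: " + orderBy);
        }
        return orderBy;
    }

    // Accept only ASC or DESC (exact match; case folding is deliberately not done
    // here so the accepted set stays exactly the documented one).
    public String validateSortOrder(String sortOrder) {
        if (sortOrder == null || sortOrder.isBlank()) {
            return null;
        }
        if (!SORT_ORDERS.contains(sortOrder)) {
            throw new IllegalArgumentException("sortOrder must be ASC or DESC, got: " + sortOrder);
        }
        return sortOrder;
    }

    // Build the ordering clause from validated values only. Both values are
    // allowlisted literals at this point, so concatenation cannot add anything else.
    public String orderClause(String orderBy, String sortOrder) {
        String field = validateOrderBy(orderBy);
        if (field == null) {
            return "";
        }
        String direction = validateSortOrder(sortOrder);
        return " ORDER BY " + field + (direction == null ? "" : " " + direction);
    }

    // Denylist check for contrast: it only looks for known keywords, so it cannot
    // distinguish an unsupported or malformed value from a valid field name.
    static boolean passesDenylist(String value) {
        String lower = value.toLowerCase(Locale.ROOT);
        return DENIED_KEYWORDS.stream().noneMatch(lower::contains);
    }

    public static void main(String[] args) {
        ClientOrderByValidator v = new ClientOrderByValidator();
        System.out.println("'" + v.orderClause("displayName", "DESC") + "'"); // ' ORDER BY displayName DESC'
        System.out.println("'" + v.orderClause(null, null) + "'");            // ''

        // Constructed inputs: none is a sortable field, yet the keyword denylist
        // lets every one of them through; the allowlist rejects all of them.
        String[] unsupported = {"display_name", "DisplayName", "displayName, officeId"};
        for (String input : unsupported) {
            System.out.println("denylist passes '" + input + "': " + passesDenylist(input));
            try {
                v.validateOrderBy(input);
                System.out.println("allowlist accepted '" + input + "' (unexpected)");
            } catch (IllegalArgumentException e) {
                System.out.println("allowlist rejected: " + e.getMessage());
            }
        }
        try {
            v.validateSortOrder("ascending");
        } catch (IllegalArgumentException e) {
            System.out.println("allowlist rejected: " + e.getMessage());
        }
    }
}
```

The integration tests the issue asks for map directly onto this shape: one case per accepted field/direction pair, plus cases for values outside the allowlist that must return a validation error rather than reach the ordering clause.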
--
This message was sent by Atlassian Jira
(v8.20.10#820010)