Terence Monteiro created FINERACT-2662:
------------------------------------------
Summary: Office search API: sanitise orderBy parameter
Key: FINERACT-2662
URL: https://issues.apache.org/jira/browse/FINERACT-2662
Project: Apache Fineract
Issue Type: Bug
Components: Organization
Reporter: Terence Monteiro
h2. Summary
The {{orderBy}} query parameter on {{GET /api/v1/offices}} is not adequately
validated, allowing malformed input to reach SQL execution. The ColumnValidator
introduced as the CVE-2024-32838 fix does not cover all injection patterns
applicable to ORDER BY clauses.
h2. Root Cause
In {{OfficeReadPlatformServiceImpl.java}} (lines 162–163), {{orderBy}} input is concatenated into the SQL string before {{ColumnValidator}} runs. The validator was designed for WHERE-clause injection patterns; for ORDER BY input it extracts no operands and passes silently. Certain ORDER BY payloads carrying no semicolons, no AND/OR prefixes, and no comparison operators match none of the defined regex patterns.
h2. Affected Files
* {{fineract-provider/.../office/service/OfficeReadPlatformServiceImpl.java}}
* {{fineract-core/.../api/paging/PaginationParameters.java}}
* {{fineract-core/.../security/utils/ColumnValidator.java}}
h2. Proposed Fix
Replace blacklist-based validation with a strict column-name allowlist using the InputValidator framework already in place for the client search endpoint. Allowed values correspond to the fields present in the {{GET /api/v1/offices}} response payload; anything outside this set is rejected with HTTP 403 before reaching {{OfficeReadPlatformServiceImpl}}.
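The allowlist approach described above, as an added illustration rather than code from Fineract or from this ticket's reporter: the {{orderBy}} value is accepted only if it is exactly one known field name, optionally followed by {{ASC}} or {{DESC}}, and the emitted SQL fragment is assembled from the allowlist's own column names, so no caller-supplied bytes are copied into the query. The field-to-column map, the class and exception names are assumptions for the example, not the project's actual field list or API.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not Fineract code): strict allowlist validation for an
 * orderBy query parameter. The field names below are an assumption standing
 * in for the fields of the offices response payload.
 */
public final class OrderByAllowlist {

    // Hypothetical mapping: API field name -> SQL column it may sort on.
    private static final Map<String, String> ALLOWED_SORT_FIELDS = Map.of(
            "id", "o.id",
            "name", "o.name",
            "externalId", "o.external_id",
            "openingDate", "o.opening_date",
            "hierarchy", "o.hierarchy");

    // Accepts exactly one identifier token, optionally followed by ASC/DESC.
    // Anything else (commas, parentheses, quotes, comments) fails to match.
    private static final Pattern ORDER_BY_SYNTAX = Pattern.compile(
            "^\\s*([A-Za-z][A-Za-z0-9_]*)(?:\\s+(asc|desc))?\\s*$",
            Pattern.CASE_INSENSITIVE);

    private static final Set<String> DIRECTIONS = Set.of("ASC", "DESC");

    /** Thrown so the API layer can answer HTTP 403 before any SQL is built. */
    public static final class RejectedOrderByException extends RuntimeException {
        public RejectedOrderByException(String message) {
            super(message);
        }
    }

    private OrderByAllowlist() {
    }

    /**
     * Returns an " ORDER BY ..." fragment composed only of allowlisted column
     * names and directions, or throws if the input is anything else. A null or
     * blank orderBy means "no explicit ordering" and yields an empty string.
     */
    public static String toOrderBySql(String orderBy) {
        if (orderBy == null || orderBy.isBlank()) {
            return "";
        }
        Matcher m = ORDER_BY_SYNTAX.matcher(orderBy);
        if (!m.matches()) {
            throw new RejectedOrderByException("orderBy must be <field> [ASC|DESC]");
        }
        // Lookup is case-sensitive on purpose: "Name" is not a known field.
        String column = ALLOWED_SORT_FIELDS.get(m.group(1));
        if (column == null) {
            throw new RejectedOrderByException("orderBy field is not sortable: " + m.group(1));
        }
        String direction = m.group(2) == null ? "ASC" : m.group(2).toUpperCase(Locale.ROOT);
        if (!DIRECTIONS.contains(direction)) {
            // Unreachable given the regex, kept as a defensive invariant check.
            throw new RejectedOrderByException("unsupported sort direction");
        }
        return " ORDER BY " + column + " " + direction;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the first two are accepted, the rest rejected.
        String[] samples = {
                "name", "openingDate desc", "", "unknownField", "name, externalId", "name DESCENDING"
        };
        for (String s : samples) {
            try {
                System.out.println("'" + s + "' -> '" + toOrderBySql(s) + "'");
            } catch (RejectedOrderByException e) {
                System.out.println("'" + s + "' -> 403 (" + e.getMessage() + ")");
            }
        }
    }
}
```

The decisive difference from a pattern blacklist is that the validator never has to recognise a hostile input: it only has to recognise the handful of legitimate ones, and the SQL that reaches the database is built from constants the service owns. Multi-column sorting, if it is ever required, should be added by splitting on commas and validating each token against the same map, not by widening the regex.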
h2. Cross-Endpoint Note
Validation coverage for {{orderBy}} is inconsistent across endpoints that use {{PaginationParameters.orderBySql()}}. A follow-up audit of remaining callers is recommended under a separate ticket.