[ https://issues.apache.org/jira/browse/FINERACT-2662?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Adam Monsen updated FINERACT-2662:
----------------------------------
Labels: security sql (was: )
> Office search API: sanitise orderBy parameter
> ---------------------------------------------
>
> Key: FINERACT-2662
> URL: https://issues.apache.org/jira/browse/FINERACT-2662
> Project: Apache Fineract
> Issue Type: Bug
> Components: Organization
> Reporter: Terence Monteiro
> Priority: Critical
> Labels: security, sql
>
> h2. Summary
> The {{orderBy}} query parameter on {{GET /api/v1/offices}} is not adequately validated, allowing malformed input to reach SQL execution. The ColumnValidator introduced as the CVE-2024-32838 fix does not cover all injection patterns applicable to ORDER BY clauses.
> h2. Root Cause
> In {{OfficeReadPlatformServiceImpl.java}} (lines 162–163), {{orderBy}} input is concatenated into the SQL string before {{ColumnValidator}} runs. The validator was designed for WHERE-clause injection patterns; for ORDER BY input it extracts no operands and passes silently. Certain ORDER BY payloads carrying no semicolons, no AND/OR prefixes, and no comparison operators match none of the defined regex patterns.
> h2. Affected Files
> * {{fineract-provider/.../office/service/OfficeReadPlatformServiceImpl.java}}
> * {{fineract-core/.../api/paging/PaginationParameters.java}}
> * {{fineract-core/.../security/utils/ColumnValidator.java}}
> h2. Proposed Fix
> Replace blacklist-based validation with a strict column-name allowlist using the InputValidator framework already in place for the client search endpoint. Allowed values correspond to the fields present in the {{GET /api/v1/offices}} response payload; anything outside this set is rejected with HTTP 403 before reaching {{OfficeReadPlatformServiceImpl}}.
> h2. Cross-Endpoint Note
> Validation coverage for {{orderBy}} is inconsistent across endpoints that use {{PaginationParameters.orderBySql()}}. A follow-up audit of remaining callers is recommended under a separate ticket.
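An allowlist check of the kind the Proposed Fix describes, added here as a constructed example; it is not Fineract's InputValidator, ColumnValidator, or any code from the ticket. The class name and the field names in ALLOWED_COLUMNS (assumed to mirror the offices response payload) are assumptions.

```java
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical allowlist validator for the offices orderBy parameter (constructed example). */
public final class OfficeOrderByValidator {

    /** Assumed to mirror the field names of the GET /api/v1/offices response payload. */
    private static final Set<String> ALLOWED_COLUMNS = Set.of(
            "id", "name", "nameDecorated", "externalId", "openingDate",
            "hierarchy", "parentId", "parentName");

    /** Exactly one identifier, optionally followed by asc/desc; anything else fails to match. */
    private static final Pattern TERM = Pattern.compile(
            "^([A-Za-z][A-Za-z0-9_]*)(?:\\s+(asc|desc))?$", Pattern.CASE_INSENSITIVE);

    /** Thrown for any rejected value; the resource layer would map it to HTTP 403. */
    public static final class RejectedOrderByException extends RuntimeException {
        public RejectedOrderByException(String message) {
            super(message);
        }
    }

    /**
     * Builds an ORDER BY fragment from allowlisted names only, or throws.
     * The raw parameter is never copied into SQL: only the matched allowlist
     * entry and a fixed direction keyword are emitted.
     */
    public static String toOrderBySql(String orderBy) {
        if (orderBy == null || orderBy.isBlank()) {
            return "";
        }
        StringBuilder sql = new StringBuilder(" ORDER BY ");
        String[] terms = orderBy.split(",", -1);
        for (int i = 0; i < terms.length; i++) {
            Matcher m = TERM.matcher(terms[i].trim());
            if (!m.matches() || !ALLOWED_COLUMNS.contains(m.group(1))) {
                throw new RejectedOrderByException("orderBy value not permitted");
            }
            String direction = m.group(2) == null ? "ASC" : m.group(2).toUpperCase(Locale.ROOT);
            sql.append(i > 0 ? ", " : "").append(m.group(1)).append(' ').append(direction);
        }
        return sql.toString();
    }

    public static void main(String[] args) {
        System.out.println(toOrderBySql("name desc, id"));
        try {
            toOrderBySql("openingDate desc, unknownField"); // not in the allowlist: rejected
        } catch (RejectedOrderByException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the check runs before the service layer and reconstructs the fragment from the allowlist entry rather than echoing the input, the same validator can be reused by the other callers of PaginationParameters.orderBySql() that the Cross-Endpoint Note flags.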
--
This message was sent by Atlassian Jira (v8.20.10#820010)