[ https://issues.apache.org/jira/browse/FINERACT-2662 ]


    Adam Monsen deleted comment on FINERACT-2662:
    ---------------------------------------

was (Author: meonkeys):
Please also start a PR to update
[https://github.com/apache/fineract-site/blob/asf-site/site-src/data/security.yml],
to be merged into asf-site.

I think we're supposed to update https://fineract.apache.org/security.html after
1.15.0 is released? I forget the process exactly.

> Office search API: sanitise orderBy parameter
> ---------------------------------------------
>
>                 Key: FINERACT-2662
>                 URL: https://issues.apache.org/jira/browse/FINERACT-2662
>             Project: Apache Fineract
>          Issue Type: Bug
>          Components: Organization
>            Reporter: Terence Monteiro
>            Priority: Critical
>              Labels: security, sql
>
> h2. Summary
> The {{orderBy}} query parameter on {{GET /api/v1/offices}} is not adequately
> validated, allowing malformed input to reach SQL execution. The ColumnValidator
> introduced as the CVE-2024-32838 fix does not cover all injection patterns
> applicable to ORDER BY clauses.
> h2. Root Cause
> In {{OfficeReadPlatformServiceImpl.java}} (lines 162–163), {{orderBy}} input is
> concatenated into the SQL string before {{ColumnValidator}} runs. The validator
> was designed for WHERE-clause injection patterns; for ORDER BY input it extracts
> no operands and passes silently. Certain ORDER BY payloads carrying no semicolons,
> no AND/OR prefixes, and no comparison operators match none of the defined regex
> patterns.
> h2. Affected Files
>  * {{fineract-provider/.../office/service/OfficeReadPlatformServiceImpl.java}}
>  * {{fineract-core/.../api/paging/PaginationParameters.java}}
>  * {{fineract-core/.../security/utils/ColumnValidator.java}}
> h2. Proposed Fix
> Replace blacklist-based validation with a strict column-name allowlist using the
> InputValidator framework already in place for the client search endpoint. Allowed
> values correspond to the fields present in the {{GET /api/v1/offices}} response
> payload; anything outside this set is rejected with HTTP 403 before reaching
> {{OfficeReadPlatformServiceImpl}}.
> h2. Cross-Endpoint Note
> Validation coverage for {{orderBy}} is inconsistent across endpoints that use
> {{PaginationParameters.orderBySql()}}. A follow-up audit of remaining callers
> is recommended under a separate ticket.
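
The allowlist approach proposed above, shown as an added illustration rather than Fineract's own code: the {{orderBy}} value is parsed into column tokens and an optional direction, each token is looked up in a fixed map of permitted sort keys, and anything else is rejected before any SQL is assembled. The column names, their SQL mappings, the exception class and the method name are assumptions for the example; the real endpoint's field set would come from the {{GET /api/v1/offices}} response.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Hypothetical allowlist-based orderBy handling for an office listing endpoint.
 * Example code; not part of Fineract. Column names are assumed, not taken from
 * the project.
 */
public final class OrderByAllowlist {

    // Sort keys a caller may use, mapped to the only SQL that will ever be
    // emitted for them. Nothing from the request reaches the SQL string directly.
    private static final Map<String, String> ALLOWED_COLUMNS = Map.of(
            "id", "o.id",
            "name", "o.name",
            "externalId", "o.external_id",
            "openingDate", "o.opening_date",
            "hierarchy", "o.hierarchy");

    // One term is "<key>" or "<key> asc|desc". A comma-separated list is handled
    // term by term, so every term must pass on its own.
    private static final Pattern TERM = Pattern.compile(
            "^([A-Za-z][A-Za-z0-9]*)(?:\\s+(asc|desc))?$", Pattern.CASE_INSENSITIVE);

    private OrderByAllowlist() {
    }

    /**
     * Returns an ORDER BY fragment built solely from allowlisted tokens, or an
     * empty string when no ordering was requested. Rejects everything else.
     */
    public static String orderBySql(String orderBy) {
        if (orderBy == null || orderBy.isBlank()) {
            return "";
        }
        StringBuilder sql = new StringBuilder(" ORDER BY ");
        String[] terms = orderBy.split(",");
        for (int i = 0; i < terms.length; i++) {
            Matcher m = TERM.matcher(terms[i].trim());
            if (!m.matches()) {
                throw new ForbiddenOrderByException(orderBy);
            }
            // Case-sensitive lookup: "Name" is not "name", so it is rejected.
            String column = ALLOWED_COLUMNS.get(m.group(1));
            if (column == null) {
                throw new ForbiddenOrderByException(orderBy);
            }
            if (i > 0) {
                sql.append(", ");
            }
            sql.append(column);
            if (m.group(2) != null) {
                sql.append(' ').append(m.group(2).toUpperCase());
            }
        }
        return sql.toString();
    }

    /** The API layer would translate this into the HTTP 403 the ticket proposes. */
    public static final class ForbiddenOrderByException extends RuntimeException {
        ForbiddenOrderByException(String value) {
            super("orderBy value is not permitted: " + value);
        }
    }

    public static void main(String[] args) {
        // Accepted: both keys are allowlisted and the directions are well-formed.
        System.out.println(orderBySql("name asc, openingDate desc"));
        // Rejected: "notAColumn" is not in the allowlist, so no SQL is built.
        try {
            orderBySql("notAColumn");
        } catch (ForbiddenOrderByException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of the design is that the validator never has to recognise hostile input: the request value selects among pre-written SQL fragments and is otherwise discarded, so the gaps the ticket describes in regex-based detection (patterns with no semicolons, no AND/OR and no comparison operators) do not matter. The same shape could serve the other callers of {{PaginationParameters.orderBySql()}} mentioned in the cross-endpoint note, each with its own column map.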



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
