[ 
https://issues.apache.org/jira/browse/FINERACT-2650?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Adam Saghy updated FINERACT-2650:
---------------------------------
    Fix Version/s: 1.15.0

> Client search API: sanitise orderBy, sortOrder inputs
> -----------------------------------------------------
>
>                 Key: FINERACT-2650
>                 URL: https://issues.apache.org/jira/browse/FINERACT-2650
>             Project: Apache Fineract
>          Issue Type: Bug
>    Affects Versions: 1.14.0
>            Reporter: Terence Monteiro
>            Assignee: Terence Monteiro
>            Priority: Major
>             Fix For: 1.15.0
>
>
> The {{orderBy}} and {{sortOrder}} parameters on the Client Search API 
> ({{{}GET /api/v1/clients{}}}) are currently validated against a keyword 
> denylist before being used to construct the result ordering clause. This 
> should be replaced with a strict allowlist validation, consistent with the 
> approach already used elsewhere in the codebase ({{{}InputValidator{}}}).
> Proposed change:
>  * Restrict {{orderBy}} to the documented set of sortable fields ({{{}id, 
> displayName{}}}, {{{}accountNo{}}}, {{{}officeId{}}}, {{{}officeName{}}})
>  * Restrict {{sortOrder}} to {{{}ASC{}}}/{{{}DESC{}}}
>  * Add a new {{InputValidator}} profile ({{{}client-order-by{}}}) with a 
> configurable pattern, defaulting to the strict allowlist above
>  * Add integration test coverage for both valid and invalid input combinations
> This brings the client search endpoint in line with the stricter input 
> handling pattern adopted in recent hardening work, and closes a gap where 
> unexpected characters/expressions in these parameters were not fully rejected.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to