Repository: fineract Updated Branches: refs/heads/develop f28aadf31 -> d2b341159
CVE-2018-1290-1291-1292 Project: http://git-wip-us.apache.org/repos/asf/fineract/repo Commit: http://git-wip-us.apache.org/repos/asf/fineract/commit/8c60476b Tree: http://git-wip-us.apache.org/repos/asf/fineract/tree/8c60476b Diff: http://git-wip-us.apache.org/repos/asf/fineract/diff/8c60476b Branch: refs/heads/develop Commit: 8c60476bd1445674072b54cef9c4c1e91c3feaa1 Parents: f28aadf Author: Avik Ganguly <avikganguly...@gmail.com> Authored: Mon Mar 5 06:14:10 2018 +0530 Committer: Avik Ganguly <avikganguly...@gmail.com> Committed: Mon Mar 5 06:14:10 2018 +0530 ---------------------------------------------------------------------- .../infrastructure/core/api/ApiParameterHelper.java | 4 ++++ .../dataqueries/service/ReadReportingServiceImpl.java | 9 +++++++-- .../service/ReadWriteNonCoreDataServiceImpl.java | 7 ++++++- 3 files changed, 17 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/fineract/blob/8c60476b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/api/ApiParameterHelper.java ----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/api/ApiParameterHelper.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/api/ApiParameterHelper.java
index 2828f5b..62ac666 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/api/ApiParameterHelper.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/api/ApiParameterHelper.java
@@ -18,6 +18,7 @@
  */
 package org.apache.fineract.infrastructure.core.api;
 
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -30,6 +31,7 @@ import javax.ws.rs.core.MultivaluedMap;
 
 import org.apache.commons.lang.StringUtils;
 import org.apache.fineract.infrastructure.core.serialization.JsonParserHelper;
+import org.apache.fineract.infrastructure.security.utils.SQLInjectionValidator;
 
 public class ApiParameterHelper {
 
@@ -166,8 +168,10 @@ public class ApiParameterHelper {
     public static String sqlEncodeString(final String str) {
         final String singleQuote = "'";
         final String twoSingleQuotes = "''";
+        SQLInjectionValidator.validateSQLInput(str);
         return singleQuote + StringUtils.replace(str, singleQuote, twoSingleQuotes, -1) + singleQuote;
     }
+
 
     public static Map<String, String> asMap(final MultivaluedMap<String, String> queryParameters) {
http://git-wip-us.apache.org/repos/asf/fineract/blob/8c60476b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadReportingServiceImpl.java ----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadReportingServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadReportingServiceImpl.java
index b7cd352..c732f0d 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadReportingServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadReportingServiceImpl.java
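Review bot: sqlEncodeString still relies on doubling single quotes after the new validateSQLInput call, and quote doubling on its own does not neutralise backslash escape sequences under MySQL's default sql_mode (the backtick-quoted statements elsewhere in this commit suggest MySQL), so the validator is a pre-filter in front of an encoder that is not complete by itself; callers that embed a plain value should move to `?` bind parameters rather than depend on this method. The contract for a null str is also not stated: StringUtils.replace returns null for null input, which yields the literal `'null'` unless validateSQLInput rejects null first, and that is not visible here. Proposed Javadoc for the method: `/** Quotes str as a SQL string literal after SQLInjectionValidator has accepted it; only doubles single quotes, so prefer bind parameters for values, and confirm the validator's handling of null. */`.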
@@ -49,6 +49,7 @@ import org.apache.fineract.infrastructure.dataqueries.exception.ReportNotFoundEx
 import org.apache.fineract.infrastructure.documentmanagement.contentrepository.FileSystemContentRepository;
 import org.apache.fineract.infrastructure.report.provider.ReportingProcessServiceProvider;
 import org.apache.fineract.infrastructure.security.service.PlatformSecurityContext;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
 import org.apache.fineract.useradministration.domain.AppUser;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -73,16 +74,19 @@ public class ReadReportingServiceImpl implements ReadReportingService {
     private final PlatformSecurityContext context;
     private final GenericDataService genericDataService;
     private final ReportingProcessServiceProvider reportingProcessServiceProvider;
+    private final ColumnValidator columnValidator;
 
     @Autowired
     public ReadReportingServiceImpl(final PlatformSecurityContext context, final RoutingDataSource dataSource,
-            final GenericDataService genericDataService, final ReportingProcessServiceProvider reportingProcessServiceProvider) {
+            final GenericDataService genericDataService, final ReportingProcessServiceProvider reportingProcessServiceProvider,
+            final ColumnValidator columnValidator) {
         this.context = context;
         this.dataSource = dataSource;
         this.jdbcTemplate = new JdbcTemplate(this.dataSource);
         this.genericDataService = genericDataService;
         this.reportingProcessServiceProvider = reportingProcessServiceProvider;
+        this.columnValidator = columnValidator;
     }
 
     @Override
@@ -221,7 +225,8 @@ public class ReadReportingServiceImpl implements ReadReportingService {
     public String getReportType(final String reportName) {
         final String sql = "SELECT ifnull(report_type,'') as report_type FROM `stretchy_report` where report_name = '" + reportName + "'";
-
+        this.columnValidator.validateSqlInjection(sql, reportName);
+
         final String sqlWrapped = this.genericDataService.wrapSQL(sql);
         final SqlRowSet rs = this.jdbcTemplate.queryForRowSet(sqlWrapped);
http://git-wip-us.apache.org/repos/asf/fineract/blob/8c60476b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadWriteNonCoreDataServiceImpl.java ----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadWriteNonCoreDataServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadWriteNonCoreDataServiceImpl.java
index e5b7055..31fdfca 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadWriteNonCoreDataServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadWriteNonCoreDataServiceImpl.java
@@ -49,6 +49,7 @@ import org.apache.fineract.infrastructure.dataqueries.exception.DatatableEntryRe
 import org.apache.fineract.infrastructure.dataqueries.exception.DatatableNotFoundException;
 import org.apache.fineract.infrastructure.dataqueries.exception.DatatableSystemErrorException;
 import org.apache.fineract.infrastructure.security.service.PlatformSecurityContext;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
 import org.apache.fineract.infrastructure.security.utils.SQLInjectionValidator;
 import org.apache.fineract.useradministration.domain.AppUser;
 import org.joda.time.LocalDate;
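Review bot: getReportType concatenates reportName into the string literal and only afterwards asks columnValidator to inspect the assembled statement; for a WHERE-clause value the structural fix is a bind parameter, which the validator should back up rather than stand in for. Unless genericDataService.wrapSQL needs to see the literal (its behaviour is not visible here), the tail `'" + reportName + "'"` of the literal becomes a `?` placeholder and the query runs as `this.jdbcTemplate.queryForRowSet(sqlWrapped, reportName)`. The return value of validateSqlInjection is discarded, so it should be confirmed that the method throws on rejection rather than returning a flag. getReportType continues past the end of this hunk.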
@@ -106,6 +107,7 @@ public class ReadWriteNonCoreDataServiceImpl implements ReadWriteNonCoreDataServ
     private final ConfigurationDomainService configurationDomainService;
     private final CodeReadPlatformService codeReadPlatformService;
     private final DataTableValidator dataTableValidator;
+    private final ColumnValidator columnValidator;
     // private final GlobalConfigurationWritePlatformServiceJpaRepositoryImpl
     // configurationWriteService;
@@ -114,7 +116,8 @@ public class ReadWriteNonCoreDataServiceImpl implements ReadWriteNonCoreDataServ
     public ReadWriteNonCoreDataServiceImpl(final RoutingDataSource dataSource, final PlatformSecurityContext context,
             final FromJsonHelper fromJsonHelper, final GenericDataService genericDataService,
             final DatatableCommandFromApiJsonDeserializer fromApiJsonDeserializer, final CodeReadPlatformService codeReadPlatformService,
-            final ConfigurationDomainService configurationDomainService, final DataTableValidator dataTableValidator) {
+            final ConfigurationDomainService configurationDomainService, final DataTableValidator dataTableValidator,
+            final ColumnValidator columnValidator) {
         this.dataSource = dataSource;
         this.jdbcTemplate = new JdbcTemplate(this.dataSource);
         this.context = context;
@@ -125,6 +128,7 @@ public class ReadWriteNonCoreDataServiceImpl implements ReadWriteNonCoreDataServ
         this.codeReadPlatformService = codeReadPlatformService;
         this.configurationDomainService = configurationDomainService;
         this.dataTableValidator = dataTableValidator;
+        this.columnValidator = columnValidator;
         // this.configurationWriteService = configurationWriteService;
     }
@@ -1183,6 +1187,7 @@ public class ReadWriteNonCoreDataServiceImpl implements ReadWriteNonCoreDataServ
             sql = sql + "select * from `" + dataTableName + "` where id = " + id;
         }
 
+        this.columnValidator.validateSqlInjection(sql, order);
         if (order != null) {
             sql = sql + " order by " + order;
         }
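Review bot: The added validateSqlInjection(sql, order) call runs before the `if (order != null)` guard, so every caller that passes no ordering now hands a null second argument to the validator; unless ColumnValidator is documented to accept null, that is a NullPointerException on the common path, and the call belongs inside the guard: `if (order != null) { this.columnValidator.validateSqlInjection(sql, order); sql = sql + " order by " + order; }`. Because order is spliced into an ORDER BY clause, an identifier position that cannot be bound as a parameter, the validator needs to enforce an allow-list of the table's column names rather than a pattern check; whether it does is not visible in this commit. The first line of the hunk already concatenates dataTableName and id with no check visible here, so a comment naming where they are validated (or the validation itself) would help the next reader. The enclosing method begins before this hunk.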