Repository: fineract Updated Branches: refs/heads/develop 17fd243ae -> 1d38bd25d
Injection fix Project: http://git-wip-us.apache.org/repos/asf/fineract/repo Commit: http://git-wip-us.apache.org/repos/asf/fineract/commit/e7035d1f Tree: http://git-wip-us.apache.org/repos/asf/fineract/tree/e7035d1f Diff: http://git-wip-us.apache.org/repos/asf/fineract/diff/e7035d1f Branch: refs/heads/develop Commit: e7035d1f394bd4f65603cc9a31d79d44f1dc73ef Parents: 17fd243 Author: Avik Ganguly <avikganguly...@gmail.com> Authored: Sat Jan 20 10:00:51 2018 +0530 Committer: Avik Ganguly <avikganguly...@gmail.com> Committed: Sat Jan 20 10:00:51 2018 +0530 ---------------------------------------------------------------------- .../JournalEntryReadPlatformServiceImpl.java | 11 +++++-- .../service/AuditReadPlatformServiceImpl.java | 2 ++ .../SchedulerJobRunnerReadServiceImpl.java | 9 ++++-- ...ReportMailingJobReadPlatformServiceImpl.java | 9 ++++-- ...ingJobRunHistoryReadPlatformServiceImpl.java | 9 ++++-- .../security/utils/ColumnValidator.java | 30 +++++++++++--------- .../security/utils/SQLInjectionValidator.java | 2 +- .../sms/service/SmsReadPlatformServiceImpl.java | 9 ++++-- .../NotificationReadPlatformServiceImpl.java | 26 +++++++++++------ .../service/OfficeReadPlatformServiceImpl.java | 10 +++++-- ...AccountTransfersReadPlatformServiceImpl.java | 12 ++++++-- ...structionHistoryReadPlatformServiceImpl.java | 9 ++++-- ...ndingInstructionReadPlatformServiceImpl.java | 9 ++++-- .../service/ClientReadPlatformServiceImpl.java | 3 +- .../service/CenterReadPlatformServiceImpl.java | 5 ++++ .../service/GroupReadPlatformServiceImpl.java | 4 +++ .../service/LoanReadPlatformServiceImpl.java | 2 ++ ...nHoldTransactionReadPlatformServiceImpl.java | 8 +++++- .../SavingsAccountReadPlatformServiceImpl.java | 4 ++- ...eAccountDividendReadPlatformServiceImpl.java | 11 +++++-- ...eProductDividendReadPlatformServiceImpl.java | 12 ++++++-- 21 files changed, 146 insertions(+), 50 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/accounting/journalentry/service/JournalEntryReadPlatformServiceImpl.java ---------------------------------------------------------------------- diff --git a/fineract-provider/src/main/java/org/apache/fineract/accounting/journalentry/service/JournalEntryReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/accounting/journalentry/service/JournalEntryReadPlatformServiceImpl.java index 49efaa0..928ed40 100755 --- a/fineract-provider/src/main/java/org/apache/fineract/accounting/journalentry/service/JournalEntryReadPlatformServiceImpl.java +++ b/fineract-provider/src/main/java/org/apache/fineract/accounting/journalentry/service/JournalEntryReadPlatformServiceImpl.java @@ -49,6 +49,7 @@ import org.apache.fineract.infrastructure.core.service.Page; import org.apache.fineract.infrastructure.core.service.PaginationHelper; import org.apache.fineract.infrastructure.core.service.RoutingDataSource; import org.apache.fineract.infrastructure.core.service.SearchParameters; +import org.apache.fineract.infrastructure.security.utils.ColumnValidator; import org.apache.fineract.organisation.monetary.data.CurrencyData; import org.apache.fineract.organisation.office.data.OfficeData; import org.apache.fineract.organisation.office.service.OfficeReadPlatformService; @@ -74,18 +75,22 @@ public class JournalEntryReadPlatformServiceImpl implements JournalEntryReadPlat private final JdbcTemplate jdbcTemplate; private final GLAccountReadPlatformService glAccountReadPlatformService; private final OfficeReadPlatformService officeReadPlatformService; + private final ColumnValidator columnValidator; private final FinancialActivityAccountRepositoryWrapper financialActivityAccountRepositoryWrapper; private final PaginationHelper<JournalEntryData> paginationHelper = new PaginationHelper<>(); @Autowired public JournalEntryReadPlatformServiceImpl(final RoutingDataSource dataSource, - final GLAccountReadPlatformService glAccountReadPlatformService, final OfficeReadPlatformService officeReadPlatformService, + final GLAccountReadPlatformService glAccountReadPlatformService, + final ColumnValidator columnValidator, + final OfficeReadPlatformService officeReadPlatformService, final FinancialActivityAccountRepositoryWrapper financialActivityAccountRepositoryWrapper) { this.jdbcTemplate = new JdbcTemplate(dataSource); this.glAccountReadPlatformService = glAccountReadPlatformService; this.officeReadPlatformService = officeReadPlatformService; this.financialActivityAccountRepositoryWrapper = financialActivityAccountRepositoryWrapper; + this.columnValidator = columnValidator; } private static final class GLJournalEntryMapper implements RowMapper<JournalEntryData> { @@ -356,9 +361,11 @@ public class JournalEntryReadPlatformServiceImpl implements JournalEntryReadPlat if (searchParameters.isOrderByRequested()) { sqlBuilder.append(" order by ").append(searchParameters.getOrderBy()); - + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy()); + if (searchParameters.isSortOrderProvided()) { sqlBuilder.append(' ').append(searchParameters.getSortOrder()); + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy()); } } else { sqlBuilder.append(" order by journalEntry.entry_date, journalEntry.id"); http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/commands/service/AuditReadPlatformServiceImpl.java ---------------------------------------------------------------------- diff --git a/fineract-provider/src/main/java/org/apache/fineract/commands/service/AuditReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/commands/service/AuditReadPlatformServiceImpl.java index 1315055..447fbb5 100755 --- a/fineract-provider/src/main/java/org/apache/fineract/commands/service/AuditReadPlatformServiceImpl.java +++ b/fineract-provider/src/main/java/org/apache/fineract/commands/service/AuditReadPlatformServiceImpl.java @@ -218,12 +218,14 @@ public class AuditReadPlatformServiceImpl implements AuditReadPlatformService { this.columnValidator.validateSqlInjection(sqlBuilder.toString(), extraCriteria); if (parameters.isOrderByRequested()) { sqlBuilder.append(' ').append(parameters.orderBySql()); + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), parameters.orderBySql()); } else { sqlBuilder.append(' ').append(' ').append(" order by aud.id DESC"); } if (parameters.isLimited()) { sqlBuilder.append(' ').append(parameters.limitSql()); + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), parameters.limitSql()); } logger.info("sql: " + sqlBuilder.toString()); http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/infrastructure/jobs/service/SchedulerJobRunnerReadServiceImpl.java ---------------------------------------------------------------------- diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/jobs/service/SchedulerJobRunnerReadServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/jobs/service/SchedulerJobRunnerReadServiceImpl.java index b61b8da..f692fe6 100755 --- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/jobs/service/SchedulerJobRunnerReadServiceImpl.java +++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/jobs/service/SchedulerJobRunnerReadServiceImpl.java @@ -31,6 +31,7 @@ import org.apache.fineract.infrastructure.jobs.data.JobDetailData; import org.apache.fineract.infrastructure.jobs.data.JobDetailHistoryData; import org.apache.fineract.infrastructure.jobs.exception.JobNotFoundException; import org.apache.fineract.infrastructure.jobs.exception.OperationNotAllowedException; +import org.apache.fineract.infrastructure.security.utils.ColumnValidator; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.dao.EmptyResultDataAccessException; import org.springframework.jdbc.core.JdbcTemplate; @@ -41,12 +42,15 @@ import org.springframework.stereotype.Service; public class SchedulerJobRunnerReadServiceImpl implements SchedulerJobRunnerReadService { private final JdbcTemplate jdbcTemplate; + private final ColumnValidator columnValidator; private final PaginationHelper<JobDetailHistoryData> paginationHelper = new PaginationHelper<>(); @Autowired - public SchedulerJobRunnerReadServiceImpl(final RoutingDataSource dataSource) { + public SchedulerJobRunnerReadServiceImpl(final RoutingDataSource dataSource, + final ColumnValidator columnValidator) { this.jdbcTemplate = new JdbcTemplate(dataSource); + this.columnValidator = columnValidator; } @Override @@ -79,9 +83,10 @@ public class SchedulerJobRunnerReadServiceImpl implements SchedulerJobRunnerRead sqlBuilder.append(" where job.id=?"); if (searchParameters.isOrderByRequested()) { sqlBuilder.append(" order by ").append(searchParameters.getOrderBy()); - + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy()); if (searchParameters.isSortOrderProvided()) { sqlBuilder.append(' ').append(searchParameters.getSortOrder()); + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder()); } } http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobReadPlatformServiceImpl.java ---------------------------------------------------------------------- diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobReadPlatformServiceImpl.java index afec180..4e20d4a 100644 --- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobReadPlatformServiceImpl.java +++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobReadPlatformServiceImpl.java @@ -36,6 +36,7 @@ import org.apache.fineract.infrastructure.reportmailingjob.data.ReportMailingJob import org.apache.fineract.infrastructure.reportmailingjob.data.ReportMailingJobStretchyReportParamDateOption; import org.apache.fineract.infrastructure.reportmailingjob.data.ReportMailingJobTimelineData; import org.apache.fineract.infrastructure.reportmailingjob.exception.ReportMailingJobNotFoundException; +import org.apache.fineract.infrastructure.security.utils.ColumnValidator; import org.joda.time.DateTime; import org.joda.time.LocalDate; import org.springframework.beans.factory.annotation.Autowired; @@ -47,10 +48,13 @@ import org.springframework.stereotype.Service; @Service public class ReportMailingJobReadPlatformServiceImpl implements ReportMailingJobReadPlatformService { private final JdbcTemplate jdbcTemplate; + private final ColumnValidator columnValidator; @Autowired - public ReportMailingJobReadPlatformServiceImpl(final RoutingDataSource dataSource) { + public ReportMailingJobReadPlatformServiceImpl(final RoutingDataSource dataSource, + final ColumnValidator columnValidator) { this.jdbcTemplate = new JdbcTemplate(dataSource); + this.columnValidator = columnValidator; } @Override @@ -66,9 +70,10 @@ public class ReportMailingJobReadPlatformServiceImpl implements ReportMailingJob if (searchParameters.isOrderByRequested()) { sqlStringBuilder.append(" order by ").append(searchParameters.getOrderBy()); - + this.columnValidator.validateSqlInjection(sqlStringBuilder.toString(), searchParameters.getOrderBy()); if (searchParameters.isSortOrderProvided()) { sqlStringBuilder.append(" ").append(searchParameters.getSortOrder()); + this.columnValidator.validateSqlInjection(sqlStringBuilder.toString(), searchParameters.getSortOrder()); } } else { sqlStringBuilder.append(" order by rmj.name "); http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobRunHistoryReadPlatformServiceImpl.java ---------------------------------------------------------------------- diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobRunHistoryReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobRunHistoryReadPlatformServiceImpl.java index 4aeb68f..01002d6 100644 --- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobRunHistoryReadPlatformServiceImpl.java +++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/reportmailingjob/service/ReportMailingJobRunHistoryReadPlatformServiceImpl.java @@ -29,6 +29,7 @@ import org.apache.fineract.infrastructure.core.service.PaginationHelper; import org.apache.fineract.infrastructure.core.service.RoutingDataSource; import org.apache.fineract.infrastructure.core.service.SearchParameters; import org.apache.fineract.infrastructure.reportmailingjob.data.ReportMailingJobRunHistoryData; +import org.apache.fineract.infrastructure.security.utils.ColumnValidator; import org.joda.time.DateTime; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.jdbc.core.JdbcTemplate; @@ -39,12 +40,15 @@ import org.springframework.stereotype.Service; public class ReportMailingJobRunHistoryReadPlatformServiceImpl implements ReportMailingJobRunHistoryReadPlatformService { private final JdbcTemplate jdbcTemplate; private final ReportMailingJobRunHistoryMapper reportMailingJobRunHistoryMapper; + private final ColumnValidator columnValidator; private final PaginationHelper<ReportMailingJobRunHistoryData> paginationHelper = new PaginationHelper<>(); @Autowired - public ReportMailingJobRunHistoryReadPlatformServiceImpl(final RoutingDataSource dataSource) { + public ReportMailingJobRunHistoryReadPlatformServiceImpl(final RoutingDataSource dataSource, + final ColumnValidator columnValidator) { this.jdbcTemplate = new JdbcTemplate(dataSource); this.reportMailingJobRunHistoryMapper = new ReportMailingJobRunHistoryMapper(); + this.columnValidator = columnValidator; } @Override @@ -63,9 +67,10 @@ public class ReportMailingJobRunHistoryReadPlatformServiceImpl implements Report if (searchParameters.isOrderByRequested()) { sqlStringBuilder.append(" order by ").append(searchParameters.getOrderBy()); - + this.columnValidator.validateSqlInjection(sqlStringBuilder.toString(), searchParameters.getOrderBy()); if (searchParameters.isSortOrderProvided()) { sqlStringBuilder.append(" ").append(searchParameters.getSortOrder()); + this.columnValidator.validateSqlInjection(sqlStringBuilder.toString(), searchParameters.getSortOrder()); } } http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/ColumnValidator.java ---------------------------------------------------------------------- diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/ColumnValidator.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/ColumnValidator.java index c2a261a..e109687 100644 --- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/ColumnValidator.java +++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/ColumnValidator.java @@ -90,21 +90,23 @@ public class ColumnValidator { return columns; } - public void validateSqlInjection(String schema, String condition) { - SQLInjectionValidator.validateSQLInput(condition); - List<String> operator = new ArrayList<>(Arrays.asList("=", ">", "<", - "> =", "< =", "! =", "!=", ">=", "<=")); - condition = condition.trim().replace("( ", "(").replace(" )", ")") - .toLowerCase(); - for (String op : operator) { - condition = replaceAll(condition, op).replaceAll(" +", " "); + public void validateSqlInjection(String schema, String... conditions) { + for(String condition: conditions) { + SQLInjectionValidator.validateSQLInput(condition); + List<String> operator = new ArrayList<>(Arrays.asList("=", ">", "<", + "> =", "< =", "! =", "!=", ">=", "<=")); + condition = condition.trim().replace("( ", "(").replace(" )", ")") + .toLowerCase(); + for (String op : operator) { + condition = replaceAll(condition, op).replaceAll(" +", " "); + } + Set<String> operands = getOperand(condition); + schema = schema.trim().replaceAll(" +", " ").toLowerCase(); + Map<String, Set<String>> tableColumnAliasMap = getTableColumnAliasMap(operands); + Map<String, Set<String>> tableColumnMap = getTableColumnMap(schema, + tableColumnAliasMap); + validateColumn(tableColumnMap); } - Set<String> operands = getOperand(condition); - schema = schema.trim().replaceAll(" +", " ").toLowerCase(); - Map<String, Set<String>> tableColumnAliasMap = getTableColumnAliasMap(operands); - Map<String, Set<String>> tableColumnMap = getTableColumnMap(schema, - tableColumnAliasMap); - validateColumn(tableColumnMap); } private static Map<String, Set<String>> getTableColumnMap(String schema, http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java ---------------------------------------------------------------------- diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java index d03b2f4..2fd6746 100644 --- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java +++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java @@ -24,7 +24,7 @@ import java.util.regex.Pattern; public class SQLInjectionValidator { - private final static String[] DDL_COMMANDS = { "create", "drop", "alter", "truncate", "comment" }; + private final static String[] DDL_COMMANDS = { "create", "drop", "alter", "truncate", "comment", "sleep" }; private final static String[] DML_COMMANDS = { "select", "insert", "update", "delete", "merge", "upsert", "call" }; http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/infrastructure/sms/service/SmsReadPlatformServiceImpl.java ---------------------------------------------------------------------- diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/sms/service/SmsReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/sms/service/SmsReadPlatformServiceImpl.java index 5ad0eac..dfd82c8 100644 --- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/sms/service/SmsReadPlatformServiceImpl.java +++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/sms/service/SmsReadPlatformServiceImpl.java @@ -33,6 +33,7 @@ import org.apache.fineract.infrastructure.core.service.Page; import org.apache.fineract.infrastructure.core.service.PaginationHelper; import org.apache.fineract.infrastructure.core.service.RoutingDataSource; import org.apache.fineract.infrastructure.core.service.SearchParameters; +import org.apache.fineract.infrastructure.security.utils.ColumnValidator; import org.apache.fineract.infrastructure.sms.data.SmsData; import org.apache.fineract.infrastructure.sms.domain.SmsMessageEnumerations; import org.apache.fineract.infrastructure.sms.domain.SmsMessageStatusType; @@ -49,11 +50,14 @@ public class SmsReadPlatformServiceImpl implements SmsReadPlatformService { private final JdbcTemplate jdbcTemplate; private final SmsMapper smsRowMapper; private final PaginationHelper<SmsData> paginationHelper = new PaginationHelper<>(); + private final ColumnValidator columnValidator; @Autowired - public SmsReadPlatformServiceImpl(final RoutingDataSource dataSource) { + public SmsReadPlatformServiceImpl(final RoutingDataSource dataSource, + final ColumnValidator columnValidator) { this.jdbcTemplate = new JdbcTemplate(dataSource); this.smsRowMapper = new SmsMapper(); + this.columnValidator = columnValidator; } private static final class SmsMapper implements RowMapper<SmsData> { @@ -224,9 +228,10 @@ public class SmsReadPlatformServiceImpl implements SmsReadPlatformService { if (searchParameters.isOrderByRequested()) { sqlBuilder.append(" order by ").append(searchParameters.getOrderBy()); - + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy()); if (searchParameters.isSortOrderProvided()) { sqlBuilder.append(' ').append(searchParameters.getSortOrder()); + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder()); } } else { sqlBuilder.append(" order by smo.submittedon_date, smo.id"); http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/notification/service/NotificationReadPlatformServiceImpl.java ---------------------------------------------------------------------- diff --git a/fineract-provider/src/main/java/org/apache/fineract/notification/service/NotificationReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/notification/service/NotificationReadPlatformServiceImpl.java index 799fddf..4d3dc6a 100644 --- a/fineract-provider/src/main/java/org/apache/fineract/notification/service/NotificationReadPlatformServiceImpl.java +++ b/fineract-provider/src/main/java/org/apache/fineract/notification/service/NotificationReadPlatformServiceImpl.java @@ -18,8 +18,18 @@ */ package org.apache.fineract.notification.service; -import org.apache.fineract.infrastructure.core.service.*; +import java.sql.ResultSet; +import java.sql.SQLException; +import java.util.HashMap; +import java.util.List; + +import org.apache.fineract.infrastructure.core.service.Page; +import org.apache.fineract.infrastructure.core.service.PaginationHelper; +import org.apache.fineract.infrastructure.core.service.RoutingDataSource; +import org.apache.fineract.infrastructure.core.service.SearchParameters; +import org.apache.fineract.infrastructure.core.service.ThreadLocalContextUtil; import org.apache.fineract.infrastructure.security.service.PlatformSecurityContext; +import org.apache.fineract.infrastructure.security.utils.ColumnValidator; import org.apache.fineract.notification.cache.CacheNotificationResponseHeader; import org.apache.fineract.notification.data.NotificationData; import org.apache.fineract.notification.data.NotificationMapperData; @@ -28,16 +38,12 @@ import org.springframework.jdbc.core.JdbcTemplate; import org.springframework.jdbc.core.RowMapper; import org.springframework.stereotype.Service; -import java.sql.ResultSet; -import java.sql.SQLException; -import java.util.HashMap; -import java.util.List; - @Service public class NotificationReadPlatformServiceImpl implements NotificationReadPlatformService { private final JdbcTemplate jdbcTemplate; private final PlatformSecurityContext context; + private final ColumnValidator columnValidator; private final PaginationHelper<NotificationData> paginationHelper = new PaginationHelper<>(); private final NotificationDataRow notificationDataRow = new NotificationDataRow(); private final NotificationMapperRow notificationMapperRow = new NotificationMapperRow(); @@ -45,9 +51,12 @@ public class NotificationReadPlatformServiceImpl implements NotificationReadPlat tenantNotificationResponseHeaderCache = new HashMap<>(); @Autowired - public NotificationReadPlatformServiceImpl(final RoutingDataSource dataSource, final PlatformSecurityContext context) { + public NotificationReadPlatformServiceImpl(final RoutingDataSource dataSource, + final PlatformSecurityContext context, + final ColumnValidator columnValidator) { this.jdbcTemplate = new JdbcTemplate(dataSource); this.context = context; + this.columnValidator = columnValidator; } @Override @@ -139,9 +148,10 @@ public class NotificationReadPlatformServiceImpl implements NotificationReadPlat if (searchParameters.isOrderByRequested()) { sqlBuilder.append(" order by ").append(searchParameters.getOrderBy()); - + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy()); if (searchParameters.isSortOrderProvided()) { sqlBuilder.append(' ').append(searchParameters.getSortOrder()); + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder()); } } http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/organisation/office/service/OfficeReadPlatformServiceImpl.java ---------------------------------------------------------------------- diff --git a/fineract-provider/src/main/java/org/apache/fineract/organisation/office/service/OfficeReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/organisation/office/service/OfficeReadPlatformServiceImpl.java index 769b2a1..ffc9f57 100644 --- a/fineract-provider/src/main/java/org/apache/fineract/organisation/office/service/OfficeReadPlatformServiceImpl.java +++ b/fineract-provider/src/main/java/org/apache/fineract/organisation/office/service/OfficeReadPlatformServiceImpl.java @@ -28,6 +28,7 @@ import org.apache.fineract.infrastructure.core.domain.JdbcSupport; import org.apache.fineract.infrastructure.core.service.RoutingDataSource; import org.apache.fineract.infrastructure.core.service.SearchParameters; import org.apache.fineract.infrastructure.security.service.PlatformSecurityContext; +import org.apache.fineract.infrastructure.security.utils.ColumnValidator; import org.apache.fineract.organisation.monetary.data.CurrencyData; import org.apache.fineract.organisation.monetary.service.CurrencyReadPlatformService; import org.apache.fineract.organisation.office.data.OfficeData; @@ -48,13 +49,17 @@ public class OfficeReadPlatformServiceImpl implements OfficeReadPlatformService private final JdbcTemplate jdbcTemplate; private final PlatformSecurityContext context; private final CurrencyReadPlatformService currencyReadPlatformService; + private final ColumnValidator columnValidator; private final static String nameDecoratedBaseOnHierarchy = "concat(substring('........................................', 1, ((LENGTH(o.hierarchy) - LENGTH(REPLACE(o.hierarchy, '.', '')) - 1) * 4)), o.name)"; @Autowired public OfficeReadPlatformServiceImpl(final PlatformSecurityContext context, - final CurrencyReadPlatformService currencyReadPlatformService, final RoutingDataSource dataSource) { + final CurrencyReadPlatformService currencyReadPlatformService, + final RoutingDataSource dataSource, + final ColumnValidator columnValidator) { this.context = context; this.currencyReadPlatformService = currencyReadPlatformService; + this.columnValidator = columnValidator; this.jdbcTemplate = new JdbcTemplate(dataSource); } @@ -159,9 +164,10 @@ public class OfficeReadPlatformServiceImpl implements OfficeReadPlatformService if(searchParameters!=null) { if (searchParameters.isOrderByRequested()) { sqlBuilder.append("order by ").append(searchParameters.getOrderBy()); - + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy()); if (searchParameters.isSortOrderProvided()) { sqlBuilder.append(' ').append(searchParameters.getSortOrder()); + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder()); } } else { sqlBuilder.append("order by o.hierarchy"); http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/AccountTransfersReadPlatformServiceImpl.java ---------------------------------------------------------------------- diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/AccountTransfersReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/AccountTransfersReadPlatformServiceImpl.java index 08af091..ebe5eb7 100644 --- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/AccountTransfersReadPlatformServiceImpl.java +++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/AccountTransfersReadPlatformServiceImpl.java @@ -33,6 +33,7 @@ import org.apache.fineract.infrastructure.core.service.Page; import org.apache.fineract.infrastructure.core.service.PaginationHelper; import org.apache.fineract.infrastructure.core.service.RoutingDataSource; import org.apache.fineract.infrastructure.core.service.SearchParameters; +import org.apache.fineract.infrastructure.security.utils.ColumnValidator; import org.apache.fineract.organisation.monetary.data.CurrencyData; import org.apache.fineract.organisation.office.data.OfficeData; import org.apache.fineract.organisation.office.service.OfficeReadPlatformService; @@ -62,6 +63,7 @@ public class AccountTransfersReadPlatformServiceImpl implements private final ClientReadPlatformService clientReadPlatformService; private final OfficeReadPlatformService officeReadPlatformService; private final PortfolioAccountReadPlatformService portfolioAccountReadPlatformService; + private final ColumnValidator columnValidator; // mapper private final AccountTransfersMapper accountTransfersMapper; @@ -76,11 +78,13 @@ public class AccountTransfersReadPlatformServiceImpl implements final RoutingDataSource dataSource, final ClientReadPlatformService clientReadPlatformService, final OfficeReadPlatformService officeReadPlatformService, - final PortfolioAccountReadPlatformService portfolioAccountReadPlatformService) { + final PortfolioAccountReadPlatformService portfolioAccountReadPlatformService, + final ColumnValidator columnValidator) { this.jdbcTemplate = new JdbcTemplate(dataSource); this.clientReadPlatformService = clientReadPlatformService; this.officeReadPlatformService = officeReadPlatformService; this.portfolioAccountReadPlatformService = portfolioAccountReadPlatformService; + this.columnValidator = columnValidator; this.accountTransfersMapper = new AccountTransfersMapper(); } @@ -259,9 +263,10 @@ public class AccountTransfersReadPlatformServiceImpl implements if (searchParameters.isOrderByRequested()) { sqlBuilder.append(" order by ").append( searchParameters.getOrderBy()); - + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy()); if (searchParameters.isSortOrderProvided()) { sqlBuilder.append(' ').append(searchParameters.getSortOrder()); + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder()); } } @@ -514,10 +519,11 @@ public class AccountTransfersReadPlatformServiceImpl implements if (searchParameters.isOrderByRequested()) { sqlBuilder.append(" order by ").append( searchParameters.getOrderBy()); - + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy()); if (searchParameters.isSortOrderProvided()) { sqlBuilder.append(' ').append( searchParameters.getSortOrder()); + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder()); } } http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionHistoryReadPlatformServiceImpl.java ---------------------------------------------------------------------- diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionHistoryReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionHistoryReadPlatformServiceImpl.java index d0df176..0307b47 100755 --- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionHistoryReadPlatformServiceImpl.java +++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionHistoryReadPlatformServiceImpl.java @@ -34,6 +34,7 @@ import org.apache.fineract.infrastructure.core.service.Page; import org.apache.fineract.infrastructure.core.service.PaginationHelper; import org.apache.fineract.infrastructure.core.service.RoutingDataSource; import org.apache.fineract.infrastructure.core.service.SearchParameters; +import org.apache.fineract.infrastructure.security.utils.ColumnValidator; import org.apache.fineract.organisation.office.data.OfficeData; import org.apache.fineract.portfolio.account.PortfolioAccountType; import org.apache.fineract.portfolio.account.data.PortfolioAccountData; @@ -50,6 +51,7 @@ import org.springframework.stereotype.Service; public class StandingInstructionHistoryReadPlatformServiceImpl implements StandingInstructionHistoryReadPlatformService { private final JdbcTemplate jdbcTemplate; + private final ColumnValidator columnValidator; // mapper private final StandingInstructionHistoryMapper standingInstructionHistoryMapper; @@ -58,9 +60,11 @@ public class StandingInstructionHistoryReadPlatformServiceImpl implements Standi private final PaginationHelper<StandingInstructionHistoryData> paginationHelper = new PaginationHelper<>(); @Autowired - public StandingInstructionHistoryReadPlatformServiceImpl(final RoutingDataSource dataSource) { + public StandingInstructionHistoryReadPlatformServiceImpl(final RoutingDataSource dataSource, + final ColumnValidator columnValidator) { this.jdbcTemplate = new JdbcTemplate(dataSource); this.standingInstructionHistoryMapper = new StandingInstructionHistoryMapper(); + this.columnValidator = columnValidator; } @Override @@ -139,9 +143,10 @@ public class StandingInstructionHistoryReadPlatformServiceImpl implements Standi final SearchParameters searchParameters = standingInstructionDTO.searchParameters(); if (searchParameters.isOrderByRequested()) { sqlBuilder.append(" order by ").append(searchParameters.getOrderBy()); - + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy()); if (searchParameters.isSortOrderProvided()) { sqlBuilder.append(' ').append(searchParameters.getSortOrder()); + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder()); } } http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionReadPlatformServiceImpl.java ---------------------------------------------------------------------- diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionReadPlatformServiceImpl.java index 9c35c4f..b5b9f22 100755 --- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionReadPlatformServiceImpl.java +++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/account/service/StandingInstructionReadPlatformServiceImpl.java @@ -40,6 +40,7 @@ import org.apache.fineract.infrastructure.core.service.Page; import org.apache.fineract.infrastructure.core.service.PaginationHelper; import org.apache.fineract.infrastructure.core.service.RoutingDataSource; import org.apache.fineract.infrastructure.core.service.SearchParameters; +import org.apache.fineract.infrastructure.security.utils.ColumnValidator; import org.apache.fineract.organisation.office.data.OfficeData; import org.apache.fineract.organisation.office.service.OfficeReadPlatformService; import org.apache.fineract.portfolio.account.PortfolioAccountType; @@ -71,6 +72,7 @@ import org.springframework.util.CollectionUtils; public class StandingInstructionReadPlatformServiceImpl implements StandingInstructionReadPlatformService { private final JdbcTemplate jdbcTemplate; + private final ColumnValidator columnValidator; private final ClientReadPlatformService clientReadPlatformService; private final OfficeReadPlatformService officeReadPlatformService; private final PortfolioAccountReadPlatformService portfolioAccountReadPlatformService; @@ -86,13 +88,15 @@ public class StandingInstructionReadPlatformServiceImpl implements StandingInstr public StandingInstructionReadPlatformServiceImpl(final RoutingDataSource dataSource, final ClientReadPlatformService clientReadPlatformService, final OfficeReadPlatformService officeReadPlatformService, final PortfolioAccountReadPlatformService portfolioAccountReadPlatformService, - final DropdownReadPlatformService dropdownReadPlatformService) { + final DropdownReadPlatformService dropdownReadPlatformService, + final ColumnValidator columnValidator) { this.jdbcTemplate = new JdbcTemplate(dataSource); this.clientReadPlatformService = clientReadPlatformService; this.officeReadPlatformService = officeReadPlatformService; this.portfolioAccountReadPlatformService = portfolioAccountReadPlatformService; this.dropdownReadPlatformService = dropdownReadPlatformService; this.standingInstructionMapper = new StandingInstructionMapper(); + this.columnValidator = columnValidator; } @Override @@ -309,9 +313,10 @@ public class StandingInstructionReadPlatformServiceImpl implements StandingInstr final SearchParameters searchParameters = standingInstructionDTO.searchParameters(); if (searchParameters.isOrderByRequested()) { sqlBuilder.append(" order by ").append(searchParameters.getOrderBy()); - + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy()); if (searchParameters.isSortOrderProvided()) { sqlBuilder.append(' ').append(searchParameters.getSortOrder()); + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder()); } } http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/client/service/ClientReadPlatformServiceImpl.java ---------------------------------------------------------------------- diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/client/service/ClientReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/client/service/ClientReadPlatformServiceImpl.java index ede17f6..4b1313b 100644 --- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/client/service/ClientReadPlatformServiceImpl.java +++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/client/service/ClientReadPlatformServiceImpl.java @@ -204,9 +204,10 @@ public class ClientReadPlatformServiceImpl implements ClientReadPlatformService if (searchParameters.isOrderByRequested()) { sqlBuilder.append(" order by ").append(searchParameters.getOrderBy()); - + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy()); if (searchParameters.isSortOrderProvided()) { sqlBuilder.append(' ').append(searchParameters.getSortOrder()); + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder()); } } http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/CenterReadPlatformServiceImpl.java ---------------------------------------------------------------------- diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/CenterReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/CenterReadPlatformServiceImpl.java index 38823fb..0b75d75 100644 --- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/CenterReadPlatformServiceImpl.java +++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/CenterReadPlatformServiceImpl.java @@ -393,6 +393,9 @@ public class CenterReadPlatformServiceImpl implements CenterReadPlatformService if (searchParameters.isOrderByRequested()) { sqlBuilder.append(" order by ").append(searchParameters.getOrderBy()).append(' ').append(searchParameters.getSortOrder()); + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy(), + searchParameters.getSortOrder()); + } if (searchParameters.isLimited()) { @@ -431,6 +434,8 @@ public class CenterReadPlatformServiceImpl implements CenterReadPlatformService if (searchParameters.isOrderByRequested()) { sqlBuilder.append(" order by ").append(searchParameters.getOrderBy()).append(' ').append(searchParameters.getSortOrder()); + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy(), + searchParameters.getSortOrder()); } if (searchParameters.isLimited()) { http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/GroupReadPlatformServiceImpl.java ---------------------------------------------------------------------- diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/GroupReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/GroupReadPlatformServiceImpl.java index 2caf668..72f044c 100644 --- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/GroupReadPlatformServiceImpl.java +++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/GroupReadPlatformServiceImpl.java @@ -162,6 +162,8 @@ public class GroupReadPlatformServiceImpl implements GroupReadPlatformService { if (parameters.isOrderByRequested()) { sqlBuilder.append(" order by ").append(searchParameters.getOrderBy()).append(' ').append(searchParameters.getSortOrder()); + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy(), + searchParameters.getSortOrder()); } if (parameters.isLimited()) { @@ -198,10 +200,12 @@ public class GroupReadPlatformServiceImpl implements GroupReadPlatformService { if (parameters!=null) { if (parameters.isOrderByRequested()) { sqlBuilder.append(parameters.orderBySql()); + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), parameters.orderBySql()); } if (parameters.isLimited()) { sqlBuilder.append(parameters.limitSql()); + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), parameters.limitSql()); } } return this.jdbcTemplate.query(sqlBuilder.toString(), this.allGroupTypesDataMapper, paramList.toArray()); http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/loanaccount/service/LoanReadPlatformServiceImpl.java ---------------------------------------------------------------------- diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/loanaccount/service/LoanReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/loanaccount/service/LoanReadPlatformServiceImpl.java index 4fc15ad..0fcacf6 100755 --- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/loanaccount/service/LoanReadPlatformServiceImpl.java +++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/loanaccount/service/LoanReadPlatformServiceImpl.java @@ -330,9 +330,11 @@ public class LoanReadPlatformServiceImpl implements LoanReadPlatformService { if (searchParameters.isOrderByRequested()) { sqlBuilder.append(" order by ").append(searchParameters.getOrderBy()); + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy()); if (searchParameters.isSortOrderProvided()) { sqlBuilder.append(' ').append(searchParameters.getSortOrder()); + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder()); } } http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/DepositAccountOnHoldTransactionReadPlatformServiceImpl.java ---------------------------------------------------------------------- diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/DepositAccountOnHoldTransactionReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/DepositAccountOnHoldTransactionReadPlatformServiceImpl.java index 9be2258..2677bd2 100755 --- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/DepositAccountOnHoldTransactionReadPlatformServiceImpl.java +++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/DepositAccountOnHoldTransactionReadPlatformServiceImpl.java @@ -30,6 +30,7 @@ import org.apache.fineract.infrastructure.core.service.Page; import org.apache.fineract.infrastructure.core.service.PaginationHelper; import org.apache.fineract.infrastructure.core.service.RoutingDataSource; import org.apache.fineract.infrastructure.core.service.SearchParameters; +import org.apache.fineract.infrastructure.security.utils.ColumnValidator; import org.apache.fineract.portfolio.savings.data.DepositAccountOnHoldTransactionData; import org.joda.time.LocalDate; import org.springframework.beans.factory.annotation.Autowired; @@ -41,13 +42,16 @@ import org.springframework.stereotype.Service; public class DepositAccountOnHoldTransactionReadPlatformServiceImpl implements DepositAccountOnHoldTransactionReadPlatformService { private final JdbcTemplate jdbcTemplate; + private final ColumnValidator columnValidator; private final PaginationHelper<DepositAccountOnHoldTransactionData> paginationHelper = new PaginationHelper<>(); private final DepositAccountOnHoldTransactionsMapper mapper; @Autowired - public DepositAccountOnHoldTransactionReadPlatformServiceImpl(final RoutingDataSource dataSource) { + public DepositAccountOnHoldTransactionReadPlatformServiceImpl(final RoutingDataSource dataSource, + final ColumnValidator columnValidator) { this.jdbcTemplate = new JdbcTemplate(dataSource); mapper = new DepositAccountOnHoldTransactionsMapper(); + this.columnValidator = columnValidator; } @Override @@ -66,9 +70,11 @@ public class DepositAccountOnHoldTransactionReadPlatformServiceImpl implements D if (searchParameters.isOrderByRequested()) { sqlBuilder.append(" order by ").append(searchParameters.getOrderBy()); + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy()); if (searchParameters.isSortOrderProvided()) { sqlBuilder.append(' ').append(searchParameters.getSortOrder()); + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder()); } } http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/SavingsAccountReadPlatformServiceImpl.java ---------------------------------------------------------------------- diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/SavingsAccountReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/SavingsAccountReadPlatformServiceImpl.java index c728ca3..6bb4fd1 100644 --- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/SavingsAccountReadPlatformServiceImpl.java +++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/savings/service/SavingsAccountReadPlatformServiceImpl.java @@ -198,9 +198,11 @@ public class SavingsAccountReadPlatformServiceImpl implements SavingsAccountRead } if (searchParameters.isOrderByRequested()) { sqlBuilder.append(" order by ").append(searchParameters.getOrderBy()); - + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy()); + if (searchParameters.isSortOrderProvided()) { sqlBuilder.append(' ').append(searchParameters.getSortOrder()); + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder()); } } http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareaccounts/service/ShareAccountDividendReadPlatformServiceImpl.java ---------------------------------------------------------------------- diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareaccounts/service/ShareAccountDividendReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareaccounts/service/ShareAccountDividendReadPlatformServiceImpl.java index 1be1eac..440d2f0 100644 --- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareaccounts/service/ShareAccountDividendReadPlatformServiceImpl.java +++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareaccounts/service/ShareAccountDividendReadPlatformServiceImpl.java @@ -31,8 +31,9 @@ import org.apache.fineract.infrastructure.core.service.Page; import org.apache.fineract.infrastructure.core.service.PaginationHelper; import org.apache.fineract.infrastructure.core.service.RoutingDataSource; import org.apache.fineract.infrastructure.core.service.SearchParameters; -import org.apache.fineract.portfolio.shareaccounts.data.ShareAccountDividendData; +import org.apache.fineract.infrastructure.security.utils.ColumnValidator; import org.apache.fineract.portfolio.shareaccounts.data.ShareAccountData; +import org.apache.fineract.portfolio.shareaccounts.data.ShareAccountDividendData; import org.apache.fineract.portfolio.shareaccounts.domain.ShareAccountDividendStatusType; import org.apache.fineract.portfolio.shareproducts.domain.ShareProductDividendStatusType; import org.springframework.beans.factory.annotation.Autowired; @@ -44,11 +45,14 @@ import org.springframework.stereotype.Service; public class ShareAccountDividendReadPlatformServiceImpl implements ShareAccountDividendReadPlatformService { private final JdbcTemplate jdbcTemplate; + private final ColumnValidator columnValidator; private final PaginationHelper<ShareAccountDividendData> paginationHelper = new PaginationHelper<>(); @Autowired - public ShareAccountDividendReadPlatformServiceImpl(final RoutingDataSource dataSource) { + public ShareAccountDividendReadPlatformServiceImpl(final RoutingDataSource dataSource, + final ColumnValidator columnValidator) { this.jdbcTemplate = new JdbcTemplate(dataSource); + this.columnValidator = columnValidator; } @Override @@ -80,9 +84,12 @@ public class ShareAccountDividendReadPlatformServiceImpl implements ShareAccount } if (searchParameters.isOrderByRequested()) { sqlBuilder.append(" order by ").append(searchParameters.getOrderBy()); + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy()); if (searchParameters.isSortOrderProvided()) { sqlBuilder.append(' ').append(searchParameters.getSortOrder()); + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder()); + } } http://git-wip-us.apache.org/repos/asf/fineract/blob/e7035d1f/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareproducts/service/ShareProductDividendReadPlatformServiceImpl.java ---------------------------------------------------------------------- diff --git a/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareproducts/service/ShareProductDividendReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareproducts/service/ShareProductDividendReadPlatformServiceImpl.java index 6760ef9..afb9b9b 100644 --- a/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareproducts/service/ShareProductDividendReadPlatformServiceImpl.java +++ b/fineract-provider/src/main/java/org/apache/fineract/portfolio/shareproducts/service/ShareProductDividendReadPlatformServiceImpl.java @@ -31,10 +31,11 @@ import org.apache.fineract.infrastructure.core.service.Page; import org.apache.fineract.infrastructure.core.service.PaginationHelper; import org.apache.fineract.infrastructure.core.service.RoutingDataSource; import org.apache.fineract.infrastructure.core.service.SearchParameters; +import org.apache.fineract.infrastructure.security.utils.ColumnValidator; import org.apache.fineract.portfolio.shareaccounts.data.ShareAccountDividendData; import org.apache.fineract.portfolio.shareaccounts.service.SharesEnumerations; -import org.apache.fineract.portfolio.shareproducts.data.ShareProductDividendPayOutData; import org.apache.fineract.portfolio.shareproducts.data.ShareProductData; +import org.apache.fineract.portfolio.shareproducts.data.ShareProductDividendPayOutData; import org.joda.time.LocalDate; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.jdbc.core.JdbcTemplate; @@ -45,11 +46,14 @@ import org.springframework.stereotype.Service; public class ShareProductDividendReadPlatformServiceImpl implements ShareProductDividendReadPlatformService { private final JdbcTemplate jdbcTemplate; + private final ColumnValidator columnValidator; private final PaginationHelper<ShareProductDividendPayOutData> paginationHelper = new PaginationHelper<>(); @Autowired - public ShareProductDividendReadPlatformServiceImpl(final RoutingDataSource dataSource) { + public ShareProductDividendReadPlatformServiceImpl(final RoutingDataSource dataSource, + final ColumnValidator columnValidator) { this.jdbcTemplate = new JdbcTemplate(dataSource); + this.columnValidator = columnValidator; } @Override @@ -68,9 +72,11 @@ public class ShareProductDividendReadPlatformServiceImpl implements ShareProduct } if (searchParameters.isOrderByRequested()) { sqlBuilder.append(" order by ").append(searchParameters.getOrderBy()); - + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getOrderBy()); + if (searchParameters.isSortOrderProvided()) { sqlBuilder.append(' ').append(searchParameters.getSortOrder()); + this.columnValidator.validateSqlInjection(sqlBuilder.toString(), searchParameters.getSortOrder()); } }
