[jira] [Updated] (OFBIZ-12839) [CVE-2023-34478] Apache Shiro, before 1.12.0, is susceptible to a path traversal attack
[ https://issues.apache.org/jira/browse/OFBIZ-12839?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-12839:
    Parent: OFBIZ-1525
    Issue Type: Sub-task (was: Bug)

> [CVE-2023-34478] Apache Shiro, before 1.12.0, is susceptible to a path traversal attack
> ---
>
> Key: OFBIZ-12839
> URL: https://issues.apache.org/jira/browse/OFBIZ-12839
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: 22.01.01, Upcoming Branch, 18.12.09
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: 22.01.01, 18.12.09
>
> Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.
> Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+.
> Credit: Apache Shiro would like to thank swifty tk for reporting this issue.
> -The Apache Shiro Team
> Also at [https://lists.apache.org/thread/jowcs5nd4tz5fxwl1mqkqnvyrwwx59qo]
>
> jleroux: from the description I'm not sure OFBiz is concerned, anyway better to be safe than sorry

-- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (OFBIZ-12836) Resource leaks in EntitySQLProcessor.groovy
[ https://issues.apache.org/jira/browse/OFBIZ-12836?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17745973#comment-17745973 ]

Jacques Le Roux commented on OFBIZ-12836:

Hi Paul,

From a style perspective, you should rather write
{code:java}
try(SQLProcessor du = new SQLProcessor(delegator, delegator.getGroupHelperInfo(selGroup))) {
{code}
{code:java}
try (SQLProcessor du = new SQLProcessor(delegator, delegator.getGroupHelperInfo(selGroup))) {
{code}
And
{code:java}
try(ResultSet rs = du.executeQuery(sqlCommand)) {
{code}
{code:java}
try (ResultSet rs = du.executeQuery(sqlCommand)) {
{code}

But that's only the foam at the surface. When you try to use the feature in demos with "select * from OrderHeader" you get:
* stable (18.12): "SQL Exception while executing the following:select * from OrderHeader (Table/View 'ORDERHEADER' does not exist.) "
* next (22.012): "SQL Exception while executing the following:null (ERROR: relation "orderheader" does not exist Position: 15) " with this error: ...(SQL Exception while executing the following:null (ERROR: current transaction is aborted, commands ignored until end of transaction block)))
* Same issue in trunk as in next

With your patch we get the same issue as in stable. Based on your patch, I tried to get further. Deepak said the "sqlGroup and limit parameter already set in screen". Actually it's sqlCommand, selGroup and rowLimit that we are concerned with. But something has changed somewhere. As you did, we now need to get the parameters from the request. Note that you don't need to prefix the calls by context, the request is already in the context. You can refer to: [https://cwiki.apache.org/confluence/display/OFBIZ/Variables+always+available+in+screen+context]

Worse, despite that, {{String selGroup = request.getParameter('selGroup')}} does not work. I have no idea why yet. To continue I hardcoded it to {{selGroup = 'org.apache.ofbiz'}}. Then I get into the 1st try-with-resource. But it still does not work because I get the same message as in the stable demo. The error appears in the 2nd try-with-resource, when calling the line {{ps = connection.prepareStatement(sql);}} in SQLProcessor::prepareStatement. It could be due to the Derby version, but that's rather a hypothesis.

That's all for today :)

> Resource leaks in EntitySQLProcessor.groovy
> ---
>
> Key: OFBIZ-12836
> URL: https://issues.apache.org/jira/browse/OFBIZ-12836
> Project: OFBiz
> Issue Type: Bug
> Components: webtools
> Reporter: Paul Foxworthy
> Assignee: Paul Foxworthy
> Priority: Minor
> Attachments: EntitySQLProcessor-1.groovy, EntitySQLProcessor.groovy, Fixed__Resource_leaks_in_EntitySQLProcessor_groovy-1.patch, Fixed__Resource_leaks_in_EntitySQLProcessor_groovy-2.patch, Fixed__Resource_leaks_in_EntitySQLProcessor_groovy.patch
>
> In framework/webtools/groovyScripts/entity/EntitySQLProcessor.groovy at line 35
> [https://github.com/apache/ofbiz-framework/blob/e080f0bfa657b8b6ffd4cbf5629e0c648440b5f0/framework/webtools/groovyScripts/entity/EntitySQLProcessor.groovy#L35]
> it creates an SQLProcessor. SQLProcessor has a close method and implements AutoCloseable, but we're not using try-with-resources, nor directly calling the close method.
>
> Similarly,
> [https://github.com/apache/ofbiz-framework/blob/e080f0bfa657b8b6ffd4cbf5629e0c648440b5f0/framework/webtools/groovyScripts/entity/EntitySQLProcessor.groovy#L38]
> obtains a java.sql.ResultSet, which will be closed when everything works, but would leak if there was an exception. Again, we should be using try-with-resources.
>
> Note that according to
> [https://docs.oracle.com/en/java/javase/20/docs/api/java.sql/java/sql/ResultSet.html#close()]
> "Calling the method close on a ResultSet object that is already closed is a no-op.", if you obtain a ResultSet from the SQLProcessor and directly close that ResultSet, it's not a problem when the SQLProcessor.close also attempts to close the ResultSet.
>
> The problem is minor, most of the time. The groovy script is in the webtools, so used for developer tinkering and not production use.
>
> When you're doing a SELECT, the script is closing the ResultSet, so the important resources are cleaned up (assuming no exception occurred).
>
> However, if you are doing INSERT, UPDATE or DELETE, the script creates a prepared statement that is not closed, so there's a resource leak.
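The leak described in OFBIZ-12836, the try-with-resources shape Jacques asks for above, and the statement-text-in-exceptions point of OFBIZ-12837, as an added Java example that is not OFBiz's code: LeakSafeSqlProcessor is a hypothetical stand-in for OFBiz's SQLProcessor, and the Derby in-memory JDBC URL and ORDER_HEADER table are a constructed setup that assumes derby.jar on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/**
 * Hypothetical stand-in for OFBiz's SQLProcessor (not the real class). It owns a
 * Connection plus the last PreparedStatement and ResultSet it produced and releases all
 * three in close(), so INSERT/UPDATE/DELETE statements are no longer leaked and a failed
 * statement is reported with its SQL text instead of "null".
 */
final class LeakSafeSqlProcessor implements AutoCloseable {
    private final Connection connection;
    private PreparedStatement ps;
    private ResultSet rs;
    private String sql; // cached so failures can name the statement (cf. OFBIZ-12837)

    LeakSafeSqlProcessor(Connection connection) {
        this.connection = connection;
    }

    ResultSet executeQuery(String sqlCommand) throws SQLException {
        sql = sqlCommand;
        try {
            ps = connection.prepareStatement(sqlCommand);
            rs = ps.executeQuery();
            return rs;
        } catch (SQLException e) {
            throw new SQLException("SQL Exception while executing the following:" + sql, e);
        }
    }

    int executeUpdate(String sqlCommand) throws SQLException {
        sql = sqlCommand;
        try {
            ps = connection.prepareStatement(sqlCommand); // kept so close() releases it
            return ps.executeUpdate();
        } catch (SQLException e) {
            throw new SQLException("SQL Exception while executing the following:" + sql, e);
        }
    }

    /**
     * Closes ResultSet, then PreparedStatement, then Connection; a failure in one does
     * not skip the others. ResultSet.close() on an already-closed ResultSet is a no-op,
     * so a caller that closed the ResultSet in its own try-with-resources is fine.
     */
    @Override
    public void close() throws SQLException {
        SQLException first = null;
        for (AutoCloseable c : new AutoCloseable[] { rs, ps, connection }) {
            if (c == null) continue;
            try {
                c.close();
            } catch (Exception e) {
                if (first == null) first = new SQLException("close failed after: " + sql, e);
                else first.addSuppressed(e);
            }
        }
        if (first != null) throw first;
    }
}

public class EntitySqlDemo {
    // Constructed setup: Derby embedded in-memory database; needs derby.jar on the classpath.
    static final String URL = "jdbc:derby:memory:demo;create=true";

    /** The shape Jacques asked for: processor and ResultSet are both try-with-resources,
     *  so everything is released even when executeQuery throws. */
    static int countRows(String sqlCommand) throws SQLException {
        try (LeakSafeSqlProcessor du = new LeakSafeSqlProcessor(DriverManager.getConnection(URL));
             ResultSet rs = du.executeQuery(sqlCommand)) {
            int n = 0;
            while (rs.next()) n++;
            return n;
        }
    }

    /** INSERT/UPDATE/DELETE path: the statement is owned by the processor and closed with it. */
    static int update(String sqlCommand) throws SQLException {
        try (LeakSafeSqlProcessor du = new LeakSafeSqlProcessor(DriverManager.getConnection(URL))) {
            return du.executeUpdate(sqlCommand);
        }
    }

    public static void main(String[] args) throws SQLException {
        update("CREATE TABLE ORDER_HEADER (ORDER_ID VARCHAR(20) NOT NULL PRIMARY KEY)");
        update("INSERT INTO ORDER_HEADER VALUES ('DEMO10000')");
        update("INSERT INTO ORDER_HEADER VALUES ('DEMO10001')");
        System.out.println("rows: " + countRows("SELECT * FROM ORDER_HEADER"));
        // Failure mode from the issue: Derby folds the unquoted name to ORDERHEADER, which does
        // not exist. The message names the statement, and everything was still closed on the way out.
        try {
            countRows("SELECT * FROM OrderHeader");
        } catch (SQLException e) {
            System.out.println(e.getMessage() + " (" + e.getCause().getMessage() + ")");
        }
    }
}
```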
[jira] [Closed] (OFBIZ-12839) [CVE-2023-34478] Apache Shiro, before 1.12.0, is susceptible to a path traversal attack
[ https://issues.apache.org/jira/browse/OFBIZ-12839?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-12839.
    Resolution: Fixed
[jira] [Commented] (OFBIZ-12839) [CVE-2023-34478] Apache Shiro, before 1.12.0, is susceptible to a path traversal attack
[ https://issues.apache.org/jira/browse/OFBIZ-12839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17745970#comment-17745970 ]

ASF subversion and git services commented on OFBIZ-12839:

Commit a6d0c36d54417e4a0219b4ae7109b60930db5c2c in ofbiz-framework's branch refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=a6d0c36d54 ]

Fixed: [CVE-2023-34478] Apache Shiro, before 1.12.0, is susceptible to a path traversal attack (OFBIZ-12839)

See https://lists.apache.org/thread/jowcs5nd4tz5fxwl1mqkqnvyrwwx59qo for details
[jira] [Commented] (OFBIZ-12839) [CVE-2023-34478] Apache Shiro, before 1.12.0, is susceptible to a path traversal attack
[ https://issues.apache.org/jira/browse/OFBIZ-12839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17745972#comment-17745972 ]

ASF subversion and git services commented on OFBIZ-12839:

Commit 3d34f5be1ee0ce27eb3cc029baa961acf160dbbe in ofbiz-framework's branch refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=3d34f5be1e ]

Fixed: [CVE-2023-34478] Apache Shiro, before 1.12.0, is susceptible to a path traversal attack (OFBIZ-12839)

See https://lists.apache.org/thread/jowcs5nd4tz5fxwl1mqkqnvyrwwx59qo for details
[jira] [Commented] (OFBIZ-12839) [CVE-2023-34478] Apache Shiro, before 1.12.0, is susceptible to a path traversal attack
[ https://issues.apache.org/jira/browse/OFBIZ-12839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17745971#comment-17745971 ]

ASF subversion and git services commented on OFBIZ-12839:

Commit 6b19c38b6f384a1ddc2f4917e329fb337c127dde in ofbiz-framework's branch refs/heads/release22.01 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=6b19c38b6f ]

Fixed: [CVE-2023-34478] Apache Shiro, before 1.12.0, is susceptible to a path traversal attack (OFBIZ-12839)

See https://lists.apache.org/thread/jowcs5nd4tz5fxwl1mqkqnvyrwwx59qo for details
[jira] [Created] (OFBIZ-12839) [CVE-2023-34478] Apache Shiro, before 1.12.0, is susceptible to a path traversal attack
Jacques Le Roux created OFBIZ-12839:

Summary: [CVE-2023-34478] Apache Shiro, before 1.12.0, is susceptible to a path traversal attack
Key: OFBIZ-12839
URL: https://issues.apache.org/jira/browse/OFBIZ-12839
Project: OFBiz
Issue Type: Bug
Components: framework
Affects Versions: 22.01.01, Upcoming Branch, 18.12.09
Reporter: Jacques Le Roux
Assignee: Jacques Le Roux
Fix For: 22.01.01, 18.12.09
[jira] [Updated] (OFBIZ-12837) Log SQL statement in exceptions in EntitySQLProcessor
[ https://issues.apache.org/jira/browse/OFBIZ-12837?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul Foxworthy updated OFBIZ-12837:
    Affects Version/s: 22.01

> Log SQL statement in exceptions in EntitySQLProcessor
> ---
>
> Key: OFBIZ-12837
> URL: https://issues.apache.org/jira/browse/OFBIZ-12837
> Project: OFBiz
> Issue Type: Bug
> Components: framework/entity
> Affects Versions: 22.01
> Reporter: Paul Foxworthy
> Assignee: Paul Foxworthy
> Priority: Minor
> Attachments: OFBIZ-12837_log_sql_statement_in_exceptions_in_EntitySQLProcessor-1.patch, OFBIZ-12837_log_sql_statement_in_exceptions_in_EntitySQLProcessor.patch
>
> The combination of OFBIZ-11926 and OFBIZ-12386 means the field {{SQLProcessor.sql}} is never set, but it is assumed to be there in several catches - see the patch.
>
> If an exception occurs, you'll get a "null" and not the statement that caused the exception.
>
> I had a bit to say about how the problem arose in a comment on OFBIZ-11926.
[jira] [Closed] (OFBIZ-12837) Log SQL statement in exceptions in EntitySQLProcessor
[ https://issues.apache.org/jira/browse/OFBIZ-12837?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul Foxworthy closed OFBIZ-12837.
    Resolution: Fixed
[jira] [Comment Edited] (OFBIZ-12837) Log SQL statement in exceptions in EntitySQLProcessor
[ https://issues.apache.org/jira/browse/OFBIZ-12837?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17744826#comment-17744826 ]

Paul Foxworthy edited comment on OFBIZ-12837 at 7/22/23 7:29 AM:

Committed to trunk in 404cb9fd0260778c801f6b7edaf7d810e4324fec
Committed to release22.01 in 4ba4b965994ce39a0b64e08c40940a00bc5ff2c0
Problem was introduced after v18.12, no need for a fix there

was (Author: paul_foxworthy):
Yes, I'll commit
[jira] [Commented] (OFBIZ-11926) Checkstyle: Variable name must match pattern
[ https://issues.apache.org/jira/browse/OFBIZ-11926?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17745882#comment-17745882 ]

ASF subversion and git services commented on OFBIZ-11926:

Commit 4ba4b965994ce39a0b64e08c40940a00bc5ff2c0 in ofbiz-framework's branch refs/heads/release22.01 from paul
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=4ba4b96599 ]

Fixed: Log SQL statement in exceptions in EntitySQLProcessor (OFBIZ-12837)

The combination of OFBIZ-11926 and OFBIZ-12386 means the field SQLProcessor.sql is never set, but it was originally designed to cache the SQL command and is assumed to be there in several catches. If an exception occurs, you'll get a "null" and not the statement that caused the exception.

> Checkstyle: Variable name must match pattern
> ---
>
> Key: OFBIZ-11926
> URL: https://issues.apache.org/jira/browse/OFBIZ-11926
> Project: OFBiz
> Issue Type: Sub-task
> Components: ALL COMPONENTS
> Affects Versions: Trunk
> Reporter: Suraj Khurana
> Assignee: Suraj Khurana
> Priority: Major
> Attachments: JsLanguageFilesMapping.patch, OFBIZ-11926-plugins.patch, OFBIZ-11926.patch
>
> All final data members of the class must match this naming pattern '^[A-Z][A-Z0-9]*(_[A-Z0-9]+)*$'
[jira] [Commented] (OFBIZ-12386) Fix some bugs SpotBugs reports
[ https://issues.apache.org/jira/browse/OFBIZ-12386?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17745883#comment-17745883 ]

ASF subversion and git services commented on OFBIZ-12386:

Commit 4ba4b965994ce39a0b64e08c40940a00bc5ff2c0 in ofbiz-framework's branch refs/heads/release22.01 from paul
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=4ba4b96599 ]

Fixed: Log SQL statement in exceptions in EntitySQLProcessor (OFBIZ-12837)

> Fix some bugs SpotBugs reports
> ---
>
> Key: OFBIZ-12386
> URL: https://issues.apache.org/jira/browse/OFBIZ-12386
> Project: OFBiz
> Issue Type: Bug
> Components: ALL COMPONENTS
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
[jira] [Commented] (OFBIZ-12837) Log SQL statement in exceptions in EntitySQLProcessor
[ https://issues.apache.org/jira/browse/OFBIZ-12837?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17745881#comment-17745881 ]

ASF subversion and git services commented on OFBIZ-12837:

Commit 4ba4b965994ce39a0b64e08c40940a00bc5ff2c0 in ofbiz-framework's branch refs/heads/release22.01 from paul
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=4ba4b96599 ]

Fixed: Log SQL statement in exceptions in EntitySQLProcessor (OFBIZ-12837)
[jira] [Commented] (OFBIZ-12386) Fix some bugs SpotBugs reports
[ https://issues.apache.org/jira/browse/OFBIZ-12386?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17745880#comment-17745880 ]

ASF subversion and git services commented on OFBIZ-12386:

Commit 404cb9fd0260778c801f6b7edaf7d810e4324fec in ofbiz-framework's branch refs/heads/trunk from paul
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=404cb9fd02 ]

Fixed: Log SQL statement in exceptions in EntitySQLProcessor (OFBIZ-12837)

The combination of OFBIZ-11926 and OFBIZ-12386 means the field SQLProcessor.sql is never set, but it was originally designed to cache the SQL command and is assumed to be there in several catches. If an exception occurs, you'll get a "null" and not the statement that caused the exception.
[jira] [Commented] (OFBIZ-12837) Log SQL statement in exceptions in EntitySQLProcessor
[ https://issues.apache.org/jira/browse/OFBIZ-12837?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17745878#comment-17745878 ]

ASF subversion and git services commented on OFBIZ-12837:

Commit 404cb9fd0260778c801f6b7edaf7d810e4324fec in ofbiz-framework's branch refs/heads/trunk from paul
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=404cb9fd02 ]

Fixed: Log SQL statement in exceptions in EntitySQLProcessor (OFBIZ-12837)
[jira] [Commented] (OFBIZ-11926) Checkstyle: Variable name must match pattern
[ https://issues.apache.org/jira/browse/OFBIZ-11926?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17745879#comment-17745879 ]

ASF subversion and git services commented on OFBIZ-11926:

Commit 404cb9fd0260778c801f6b7edaf7d810e4324fec in ofbiz-framework's branch refs/heads/trunk from paul
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=404cb9fd02 ]

Fixed: Log SQL statement in exceptions in EntitySQLProcessor (OFBIZ-12837)
[jira] [Comment Edited] (OFBIZ-12836) Resource leaks in EntitySQLProcessor.groovy
[ https://issues.apache.org/jira/browse/OFBIZ-12836?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17745876#comment-17745876 ]

Paul Foxworthy edited comment on OFBIZ-12836 at 7/22/23 6:55 AM:

[~deepak] you're right re rowLimit and selGroup. I did it for similarity with line 22, but I now think the idea is you can optionally supply a query to run using the sqlCommand. I have updated the patch.

was (Author: paul_foxworthy):
[~deepak] you're right. I did it for similarity with line 22, but I now think the idea is you can optionally supply a query to run using the sqlCommand. I have updated the patch.
[jira] [Updated] (OFBIZ-12836) Resource leaks in EntitySQLProcessor.groovy
[ https://issues.apache.org/jira/browse/OFBIZ-12836?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul Foxworthy updated OFBIZ-12836:
    Attachment: EntitySQLProcessor-1.groovy
                Fixed__Resource_leaks_in_EntitySQLProcessor_groovy-2.patch
[jira] [Commented] (OFBIZ-12836) Resource leaks in EntitySQLProcessor.groovy
[ https://issues.apache.org/jira/browse/OFBIZ-12836?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17745876#comment-17745876 ]

Paul Foxworthy commented on OFBIZ-12836:

[~deepak] you're right. I did it for similarity with line 22, but I now think the idea is you can optionally supply a query to run using the sqlCommand. I have updated the patch.