Anonymous | Login
Project:
RSS
  
News | My View | View Issues | Roadmap | Summary

View Revisions: Issue #29157 Back to Issue ]
Summary 0029157: code review issues for Process Definition Reporting Tool project
Revision 2015-03-06 08:46 by alostale
Description Reviewing the code of Process Definition Reporting Tool project, it has some parts to fix/improve:

  * Security: prevent traversal attack. BaseReportActionHandler could be invoked
    to download any file in the system. Fixed by:
      - Now it only accepts file name instead of full path, looking for this file
        in the temporary directory.
      - File name is parsed to ensure it is a valid generated jasper file name,
        preventing in this manner downloads of any arbitrary file in the temporary
        directory.
  * ReportSemaphoreHandling changes:
      - Modified to make use of standard java.util.concurrent.Semaphore
        implementation rather than implementing its own semaphore.
      - Property to read maximum number of concurrent executions is read on
        initialization instead of when acquiring. This way acquisition is faster.
  * When a Jasper report is generated with a virtualizer, it's finally cleaned
    up.
  * When downloading a report, temporary file is deleted on a finally block to
    ensure deletion even on failure.
  * Changes in javadoc to fix some typos + prevent undocumented parameters.
  * Defensive coding: when generating/downloading a report, don't assume if type
    is not pdf then it is xls, but do check all the types and raise an exception
    in case of unsupported type.
  * UI: in process definition window, don't show Can Add Records flag for process
    definitions of type report
Revision 2015-03-06 08:38 by alostale
Description Reviewing the code of Process Definition Reporting Tool project, it has some parts to fix/improve:

  * Security: prevent traversal attack. BaseReportActionHandler could be invoked
    to download any file in the system. Fixed by:
      - Now it only accepts file name instead of full path, looking for this file
        in the temporary directory.
      - Filename is parsed to ensure it is a valid generated jasper file name,
        preventing in this manner downloads of any arbitrary file in the temporary
        directory.
  * ReportSemaphoreHandling changes:
      - Modified to make use of standard java.util.concurrent.Semaphore
        implemenation rather than implementing its own semaphore.
      - Property to read maximum number of concurrent executions is read on
        initialization instead of when acquiring. This way acquisition is faster.
  * When a Jasper report is generated with a virtualizer, it's finally cleaned
    up.
  * When downloading a report, temporary file is deleted on a finally block to
    ensure deletion even on failure.
  * Changes in javadoc to fix some typos + prevent undocumented parameters.


Copyright © 2000 - 2009 MantisBT Group
Powered by Mantis Bugtracker