View Revisions: Issue #29157 | ||
Summary | 0029157: code review issues for Process Definition Reporting Tool project | ||
Revision | 2015-03-06 08:46 by alostale | ||
Description | Reviewing the code of Process Definition Reporting Tool project, it has some parts to fix/improve:
* Security: prevent traversal attack. BaseReportActionHandler could be invoked to download any file in the system. Fixed by:
  - Now it only accepts file name instead of full path, looking for this file in the temporary directory.
  - File name is parsed to ensure it is a valid generated jasper file name, preventing in this manner downloads of any arbitrary file in the temporary directory.
* ReportSemaphoreHandling changes:
  - Modified to make use of standard java.util.concurrent.Semaphore implementation rather than implementing its own semaphore.
  - Property to read maximum number of concurrent executions is read on initialization instead of when acquiring. This way acquisition is faster.
* When a Jasper report is generated with a virtualizer, it's finally cleaned up.
* When downloading a report, temporary file is deleted on a finally block to ensure deletion even on failure.
* Changes in javadoc to fix some typos + prevent undocumented parameters.
* Defensive coding: when generating/downloading a report, don't assume if type is not pdf then it is xls, but do check all the types and raise an exception in case of unsupported type.
* UI: in process definition window, don't show Can Add Records flag for process definitions of type report |
||
Revision | 2015-03-06 08:38 by alostale | ||
Description | Reviewing the code of Process Definition Reporting Tool project, it has some parts to fix/improve:
* Security: prevent traversal attack. BaseReportActionHandler could be invoked to download any file in the system. Fixed by:
  - Now it only accepts file name instead of full path, looking for this file in the temporary directory.
  - Filename is parsed to ensure it is a valid generated jasper file name, preventing in this manner downloads of any arbitrary file in the temporary directory.
* ReportSemaphoreHandling changes:
  - Modified to make use of standard java.util.concurrent.Semaphore implementation rather than implementing its own semaphore.
  - Property to read maximum number of concurrent executions is read on initialization instead of when acquiring. This way acquisition is faster.
* When a Jasper report is generated with a virtualizer, it's finally cleaned up.
* When downloading a report, temporary file is deleted on a finally block to ensure deletion even on failure.
* Changes in javadoc to fix some typos + prevent undocumented parameters. |
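
The traversal fix and the delete-in-finally behaviour described in the revisions above, sketched in Java as an added example; this is not the project's BaseReportActionHandler code. The class and method names and the UUID-plus-extension file name pattern are assumptions, because the issue does not show the real generated file name format.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.UUID;
import java.util.regex.Pattern;

public class ReportDownloadCheck {
  // Assumed naming scheme for generated reports: <UUID>.<pdf|xls>.
  // Any other extension is rejected instead of being treated as xls.
  private static final Pattern GENERATED_NAME = Pattern.compile(
      "[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\\.(pdf|xls)");

  // Accepts a bare file name only and resolves it inside the temporary directory.
  static Path resolveReport(String requestedName) throws IOException {
    if (requestedName == null || !GENERATED_NAME.matcher(requestedName).matches()) {
      throw new IllegalArgumentException("Not a generated report file name");
    }
    Path tmpDir = Paths.get(System.getProperty("java.io.tmpdir")).toRealPath();
    Path candidate = tmpDir.resolve(requestedName).normalize();
    // Second check, independent of the pattern: the file must sit directly in tmpDir.
    if (!tmpDir.equals(candidate.getParent())) {
      throw new IllegalArgumentException("Resolved path leaves the temporary directory");
    }
    return candidate;
  }

  // Reads the report and removes the temporary file even if reading fails.
  static byte[] readAndDelete(String requestedName) throws IOException {
    Path report = resolveReport(requestedName);
    try {
      return Files.readAllBytes(report);
    } finally {
      Files.deleteIfExists(report);
    }
  }

  public static void main(String[] args) throws IOException {
    // Constructed sample: a report file created here only for the demonstration.
    String good = UUID.randomUUID() + ".pdf";
    Files.write(Paths.get(System.getProperty("java.io.tmpdir"), good), new byte[] {1, 2, 3});
    System.out.println("read " + readAndDelete(good).length + " bytes from " + good);
    // Constructed names that the check must refuse.
    for (String bad : new String[] {"../outside.pdf", "/var/tmp/other.pdf", "notes.txt"}) {
      try {
        resolveReport(bad);
        System.out.println("accepted " + bad);
      } catch (IllegalArgumentException e) {
        System.out.println("rejected " + bad + ": " + e.getMessage());
      }
    }
  }
}
```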