0029157: code review issues for Process Definition Reporting Tool project

Openbravo Issue Tracking System - Openbravo ERP

View Issue Details

Project

Category

View Status

Date Submitted

Last Update

0029157

Openbravo ERP

A. Platform

public

2015-03-06 08:38

2015-03-09 17:49

Reporter

alostale

Assigned To

alostale

Priority

urgent

Severity

major

Reproducibility

N/A

Status

closed

Resolution

fixed

Platform

OS Version

Product Version

Target Version

3.0PR15Q2

Fixed in Version

3.0PR15Q2

Merge Request Status

Review Assigned To

AugustoMauch

OBNetwork customer

Web browser

Modules

Core

Support ticket

Regression level

Regression date

Regression introduced in release

Regression introduced by commit

Triggers an Emergency Pack

Summary

0029157: code review issues for Process Definition Reporting Tool project

Description

Reviewing the code of Process Definition Reporting Tool project, it has some parts to fix/improve:

  * Security: prevent traversal attack. BaseReportActionHandler could be invoked
    to download any file in the system. Fixed by:
      - Now it only accepts file name instead of full path, looking for this file
        in the temporary directory.
      - File name is parsed to ensure it is a valid generated jasper file name,
        preventing in this manner downloads of any arbitrary file in the temporary
        directory.
  * ReportSemaphoreHandling changes:
      - Modified to make use of standard java.util.concurrent.Semaphore
        implementation rather than implementing its own semaphore.
      - Property to read maximum number of concurrent executions is read on
        initialization instead of when acquiring. This way acquisition is faster.
  * When a Jasper report is generated with a virtualizer, it's finally cleaned
    up.
  * When downloading a report, temporary file is deleted on a finally block to
    ensure deletion even on failure.
  * Changes in javadoc to fix some typos + prevent undocumented parameters.
  * Defensive coding: when generating/downloading a report, don't assume if type
    is not pdf then it is xls, but do check all the types and raise an exception
    in case of unsupported type.
  * UI: in process definition window, don't show Can Add Records flag for process
    definitions of type report

Steps To Reproduce

N/A: code review, check description.

Proposed Solution

Additional Information

Tags

No tags attached.

Relationships

related to	feature request	0026763		closed	gorkaion	Ability to launch reports from process definitions
causes	defect	0029441		closed	NaroaIriarte	Exporting to XLS does not work in the new ReportingUtils class

Attached Files

Issue History

Date Modified

Username

Field

Change

2015-03-06 08:38

alostale

New Issue

2015-03-06 08:38

alostale

Assigned To

=> alostale

2015-03-06 08:38

alostale

Modules

=> Core

2015-03-06 08:38

alostale

Triggers an Emergency Pack

=> No

2015-03-06 08:38

alostale

Relationship added

related to 0026763

2015-03-06 08:46

alostale

Description Updated

bug_revision_view_page.php?rev_id=7872#r7872

2015-03-06 10:48

hgbot

Checkin

2015-03-06 10:48

hgbot

Note Added: 0075231

2015-03-06 10:48

hgbot

Status

new => resolved

2015-03-06 10:48

hgbot

Resolution

open => fixed

2015-03-06 10:48

hgbot

Fixed in SCM revision

=> http://code.openbravo.com/erp/devel/pi/rev/d8ec9347e127febd5961acedac70ff0cfe52e5b6 [^]

2015-03-09 09:29

alostale

Review Assigned To

=> AugustoMauch

2015-03-09 11:00

AugustoMauch

Note Added: 0075299

2015-03-09 11:00

AugustoMauch

Status

resolved => closed

2015-03-09 11:00

AugustoMauch

Fixed in Version

=> 3.0PR15Q2

2015-03-09 17:49

hudsonbot

Checkin

2015-03-09 17:49

hudsonbot

Note Added: 0075330

2015-03-30 10:45

alostale

Relationship added

causes 0029441

Notes

Repository: erp/devel/pi
Changeset: d8ec9347e127febd5961acedac70ff0cfe52e5b6
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Fri Mar 06 08:51:40 2015 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/d8ec9347e127febd5961acedac70ff0cfe52e5b6 [^]

fixed issue 29157: code review issues for Process Definition Reporting Tool

Fixes include:
  * Security: prevent traversal attack. BaseReportActionHandler could be invoked
    to download any file in the system. Fixed by:
      - Now it only accepts file name instead of full path, looking for this file
        in the temporary directory.
      - Filename is parsed to ensure it is a valid generated jasper file name,
        preventing in this manner downloads of any arbitrary file in the temporary
        directory.
  * ReportSemaphoreHandling changes:
      - Modified to make use of standard java.util.concurrent.Semaphore
        implementation rather than implementing its own semaphore.
      - Property to read maximum number of concurrent executions is read on
        initialization instead of when acquiring. This way acquisition is faster.
  * When a Jasper report is generated with a virtualizer, it's finally cleaned
    up.
  * When downloading a report, temporary file is deleted on a finally block to
    ensure deletion even on failure.
  * Changes in javadoc to fix some typos + prevent undocumented parameters.
  * Defensive coding: when generating/downloading a report, don't assume if type
    is not pdf then it is xls, but do check all the types and raise an exception
    in case of unsupported type.
  * UI: in process definition window, don't show Can Add Records flag for process
    definitions of type report

---
M modules/org.openbravo.client.application/src-db/database/sourcedata/AD_FIELD.xml
M modules/org.openbravo.client.application/src/org/openbravo/client/application/report/BaseReportActionHandler.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/report/ReportSemaphoreHandling.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/report/ReportingUtils.java
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/utilities/ob-utilities-action-def.js
---