Openbravo Issue Tracking System - Retail Modules
View Issue Details
ID: 0029718
Project: Retail Modules
Category: Web POS
View Status: public
Date Submitted: 2015-04-28 16:07
Last Update: 2017-09-01 10:50
Reporter: adrianromero
Assigned To: Sandrahuguet
Priority: urgent
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
5
Fixed in Version: RR16Q4
Review Assigned To: marvintm
Triggers an Emergency Pack: No
0029718: SQL Injection issues
There are several places in the code where HQL sentences are built that have SQL Injection problems.
For example:

https://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/file/064f74fcf503/src/org/openbravo/retail/posterminal/term/Terminal.java#l128
https://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/file/064f74fcf503/src/org/openbravo/retail/posterminal/term/Terminal.java#l133
https://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/file/064f74fcf503/src/org/openbravo/retail/posterminal/master/TaxZone.java#l83
https://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/file/064f74fcf503/src/org/openbravo/retail/posterminal/term/Terminal.java#l143
Attached proposal for "LoadedCustomer"
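The pattern behind this report, as an added example that is not Openbravo code: an HQL restriction built by splicing a caller-supplied value into the query text, next to the named-parameter form that the fix commits adopt. BusinessPartner (assumed to be a mapped entity with a searchKey property), the Session and the method names are assumptions; only standard Hibernate 5 API is used.

```java
import java.util.List;
import org.hibernate.Session;
import org.hibernate.query.Query;

// Added example, not Openbravo code. BusinessPartner is assumed to be the
// application's mapped entity with a searchKey property; Hibernate 5 API only.
public class CustomerLookup {

  // BEFORE: the caller's value becomes part of the HQL text. A single quote in
  // it terminates the literal early, so the value can alter the structure of
  // the query instead of being handled as data.
  public static String hqlWithLiteral(String searchKey) {
    return "from BusinessPartner as bp where bp.searchKey = '" + searchKey + "'";
  }

  // AFTER: the HQL text is constant; the value is bound to the :searchKey
  // placeholder and is never parsed as part of the query.
  public static final String HQL_WITH_PARAMETER =
      "from BusinessPartner as bp where bp.searchKey = :searchKey";

  public static List<BusinessPartner> findBySearchKey(Session session, String searchKey) {
    Query<BusinessPartner> query =
        session.createQuery(HQL_WITH_PARAMETER, BusinessPartner.class);
    query.setParameter("searchKey", searchKey);
    return query.list();
  }

  public static void main(String[] args) {
    // Constructed input containing a single quote, the kind of value behind
    // the related login defect 0029668; compare the two query texts.
    String input = "O'Brien";
    System.out.println("literal:   " + hqlWithLiteral(input));
    System.out.println("parameter: " + HQL_WITH_PARAMETER + "  [searchKey=" + input + "]");
  }
}
```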
No tags attached.
related to defect 0029668 (closed, adrianromero): Not possible to login on webpos if the address of the organization has a simple quote on the name
related to defect 0031257 (RR16Q2, closed, Sandrahuguet): Prevent sql injection in SimpleQueryBuilder
Attachment: refactorPosterminalModule.diff (2,550 bytes), 2016-03-31 17:20
https://issues.openbravo.com/file_download.php?file_id=9233&type=bug
Issue History
Date | User | Field: Change
2015-04-28 16:07 | adrianromero | New Issue
2015-04-28 16:07 | adrianromero | Assigned To => Retail
2015-04-28 16:07 | adrianromero | Triggers an Emergency Pack => No
2015-04-28 16:09 | adrianromero | Steps to Reproduce Updated (bug_revision_view_page.php?rev_id=8361#r8361)
2015-05-20 09:29 | marvintm | Relationship added: related to 0029668
2016-03-14 16:04 | Orekaria | Relationship added: related to 0031257
2016-03-31 17:20 | adrianromero | File Added: refactorPosterminalModule.diff
2016-03-31 17:21 | adrianromero | Proposed Solution updated
2016-07-13 10:00 | Sandrahuguet | Assigned To: Retail => Sandrahuguet
2016-07-13 10:01 | Sandrahuguet | Status: new => scheduled
2016-07-13 10:16 | hgbot | Checkin
2016-07-13 10:16 | hgbot | Note Added: 0088428
2016-07-13 10:16 | hgbot | Status: scheduled => resolved
2016-07-13 10:16 | hgbot | Resolution: open => fixed
2016-07-13 10:16 | hgbot | Fixed in SCM revision => http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/4ee3eed43218b96dbc2ebe55ccd38723cbf16780
2016-07-13 10:17 | hgbot | Checkin
2016-07-13 10:17 | hgbot | Note Added: 0088430
2016-07-13 10:17 | hgbot | Fixed in SCM revision: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/4ee3eed43218b96dbc2ebe55ccd38723cbf16780 => http://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/rev/ae0faa1ab92bdd3952739132476b06a412d26bd5
2016-07-13 10:17 | hgbot | Checkin
2016-07-13 10:17 | hgbot | Note Added: 0088431
2016-07-13 10:18 | hgbot | Checkin
2016-07-13 10:18 | hgbot | Note Added: 0088432
2016-07-13 10:18 | hgbot | Fixed in SCM revision: http://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/rev/ae0faa1ab92bdd3952739132476b06a412d26bd5 => http://code.openbravo.com/erp/pmods/org.openbravo.retail.loyalty/rev/66921d8b0f13692dfc7009b3e80d206142281620
2016-07-13 10:19 | hgbot | Checkin
2016-07-13 10:19 | hgbot | Note Added: 0088433
2016-07-13 10:19 | hgbot | Fixed in SCM revision: http://code.openbravo.com/erp/pmods/org.openbravo.retail.loyalty/rev/66921d8b0f13692dfc7009b3e80d206142281620 => http://code.openbravo.com/erp/pmods/org.openbravo.mobile.warehouse.physicalinventory/rev/4bd92ce27c95ade953aea5d0a13f50a314ea481d
2016-07-13 10:19 | Sandrahuguet | Review Assigned To => marvintm
2016-07-13 10:45 | hgbot | Checkin
2016-07-13 10:45 | hgbot | Note Added: 0088434
2016-07-13 10:45 | hgbot | Fixed in SCM revision: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.warehouse.physicalinventory/rev/4bd92ce27c95ade953aea5d0a13f50a314ea481d => http://code.openbravo.com/erp/pmods/org.openbravo.retail.discounts.combo/rev/c123693032b4f123ffe2f97b75ad37d7c1495389
2016-07-13 13:04 | hgbot | Checkin
2016-07-13 13:04 | hgbot | Note Added: 0088440
2016-07-15 11:25 | hgbot | Checkin
2016-07-15 11:25 | hgbot | Note Added: 0088517
2016-07-15 11:53 | marvintm | Status: resolved => closed
2017-09-01 10:50 | shuehner | Fixed in Version => RR16Q4

Notes
(0088428) hgbot 2016-07-13 10:16
Repository: erp/pmods/org.openbravo.mobile.core
Changeset: 4ee3eed43218b96dbc2ebe55ccd38723cbf16780
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Wed Jul 13 10:05:34 2016 +0200
URL: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/4ee3eed43218b96dbc2ebe55ccd38723cbf16780

Fixed issue 29718 prevent sql injection

Prevent sql injection: use named parameters instead of literals.

---
M src/org/openbravo/mobile/core/login/Context.java
M src/org/openbravo/mobile/core/login/ContextInformation.java
M src/org/openbravo/mobile/core/process/ProcessHQLQuery.java
M src/org/openbravo/mobile/core/process/SecuredJSONProcess.java
M src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java
---
(0088430) hgbot 2016-07-13 10:17
Repository: erp/pmods/org.openbravo.retail.posterminal
Changeset: ae0faa1ab92bdd3952739132476b06a412d26bd5
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Wed Jul 13 10:04:39 2016 +0200
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/rev/ae0faa1ab92bdd3952739132476b06a412d26bd5

Fixed issue 29718 prevent sql injection

Prevent sql injection: use named parameters instead of literals.

---
M src/org/openbravo/retail/posterminal/PaidReceiptsHeader.java
M src/org/openbravo/retail/posterminal/master/Brand.java
M src/org/openbravo/retail/posterminal/master/Cashup.java
M src/org/openbravo/retail/posterminal/master/Category.java
M src/org/openbravo/retail/posterminal/master/CategoryTree.java
M src/org/openbravo/retail/posterminal/master/Discount.java
M src/org/openbravo/retail/posterminal/master/LoadedCustomer.java
M src/org/openbravo/retail/posterminal/master/PriceList.java
M src/org/openbravo/retail/posterminal/master/Product.java
M src/org/openbravo/retail/posterminal/master/ProductCharacteristicValue.java
M src/org/openbravo/retail/posterminal/master/ProductPrice.java
M src/org/openbravo/retail/posterminal/master/ServicePriceRuleRangePrices.java
M src/org/openbravo/retail/posterminal/master/TaxRate.java
M src/org/openbravo/retail/posterminal/master/TaxZone.java
M src/org/openbravo/retail/posterminal/process/HasServices.java
M src/org/openbravo/retail/posterminal/stock/StoreDetailedStock.java
M src/org/openbravo/retail/posterminal/term/Payments.java
M src/org/openbravo/retail/posterminal/term/Terminal.java
---
(0088431) hgbot 2016-07-13 10:17
Repository: erp/pmods/org.openbravo.retail.stockcriteria
Changeset: f9169ee4dbe4611722420237318782886a97ff0b
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Wed Jul 13 10:10:48 2016 +0200
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.stockcriteria/rev/f9169ee4dbe4611722420237318782886a97ff0b

related to issue 29718 prevent sql injection

Prevent sql injection: there is one parenthesis not needed

---
M src/org/openbravo/retail/stockcriteria/BrandHQLCriteria.java
---
(0088432) hgbot 2016-07-13 10:18
Repository: erp/pmods/org.openbravo.retail.loyalty
Changeset: 66921d8b0f13692dfc7009b3e80d206142281620
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Wed Jul 13 10:14:17 2016 +0200
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.loyalty/rev/66921d8b0f13692dfc7009b3e80d206142281620

Fixed issue 29718 prevent sql injection

use getDalQuery() instead of the deprecated function getHQLQuery()

---
M src/org/openbravo/retail/loyalty/master/AccumulationRules.java
M src/org/openbravo/retail/loyalty/master/LoyaltyManagement.java
M src/org/openbravo/retail/loyalty/master/LoyaltyProgram.java
M src/org/openbravo/retail/loyalty/master/RedemptionRules.java
---
(0088433) hgbot 2016-07-13 10:19
Repository: erp/pmods/org.openbravo.mobile.warehouse.physicalinventory
Changeset: 4bd92ce27c95ade953aea5d0a13f50a314ea481d
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Wed Jul 13 10:15:54 2016 +0200
URL: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.warehouse.physicalinventory/rev/4bd92ce27c95ade953aea5d0a13f50a314ea481d

Fixed issue 29718 prevent sql injection

use getDalQuery() instead of the deprecated function getHQLQuery()

---
M src/org/openbravo/mobile/warehouse/physicalinventory/ProcessPhysicalInventory.java
---
(0088434) hgbot 2016-07-13 10:45
Repository: erp/pmods/org.openbravo.retail.discounts.combo
Changeset: c123693032b4f123ffe2f97b75ad37d7c1495389
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Wed Jul 13 10:45:09 2016 +0200
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.discounts.combo/rev/c123693032b4f123ffe2f97b75ad37d7c1495389

Fixed issue 29718 prevent sql injection

use getDalQuery() instead of the deprecated function getHQLQuery()

---
M src/org/openbravo/retail/discounts/combo/master/DiscountComboValidation.java
---
(0088440) hgbot 2016-07-13 13:04
Repository: erp/pmods/org.openbravo.mobile.core
Changeset: 111cfc98e74aacd1ee1f30c144621ec2ca639070
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Wed Jul 13 13:04:03 2016 +0200
URL: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/111cfc98e74aacd1ee1f30c144621ec2ca639070

related to issue 29718 prevent sql injection

---
M src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java
---
(0088517) hgbot 2016-07-15 11:25
Repository: erp/pmods/org.openbravo.retail.posterminal
Changeset: 38c842902831ddb8e9c67ca4b9a18ad31093cbcc
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Fri Jul 15 11:25:23 2016 +0200
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/rev/38c842902831ddb8e9c67ca4b9a18ad31093cbcc

related to issue 29718 code review. added log

---
M src/org/openbravo/retail/posterminal/PaidReceiptsHeader.java
---