Openbravo Issue Tracking System - Retail Modules
View Issue Details
ID: 0031257 | Project: Retail Modules | Category: Web POS | View Status: public | Date Submitted: 2015-10-27 08:45 | Last Update: 2016-03-30 10:02
Reporter: mtaal
Assigned To: Sandrahuguet
Priority: normal | Severity: major | Reproducibility: have not tried
Status: closed | Resolution: fixed
5

Target Version: RR16Q2 | Fixed in Version: RR16Q2
Review Assigned To: mtaal
Triggers an Emergency Pack: No
0031257: Prevent sql injection in SimpleQueryBuilder
As far as I can see there is a risk of SQL injection in the SimpleQueryBuilder. Particularly through this commit:
https://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/diff/02a66121f70c/src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java#l1.31

(but also previous commits included this)

Check the code here:
https://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/file/tip/src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java
Parameters all have to be handled as real parameters in the HQL query and not inlined as strings in the query.
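The following is an added illustration of the point made in the report, not code from Openbravo's SimpleQueryBuilder: the same product filter is built once by pasting the client-supplied value into the HQL text and once by binding it under a named parameter. The entity name `Product`, the property names, the `BuiltQuery` holder and the allowed-property list are all assumptions made for the example; the parameter map stands in for the `setParameter` calls one would make on a Hibernate `Query`.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example, not Openbravo's SimpleQueryBuilder: the same product filter
// built once by inlining the client value into the HQL text and once by
// binding it as a named parameter. Entity and property names are assumed.
public class HqlFilterExample {

    // What a builder should hand to Hibernate: the HQL text plus the values to
    // bind with query.setParameter(name, value) before executing it.
    public static final class BuiltQuery {
        public final String hql;
        public final Map<String, Object> params;

        BuiltQuery(String hql, Map<String, Object> params) {
            this.hql = hql;
            this.params = params;
        }

        @Override
        public String toString() {
            return hql + "  params=" + params;
        }
    }

    // BEFORE: the value is pasted into the HQL text. A name with an apostrophe
    // (the case in related defect 0032017) breaks the query, and any value is
    // parsed as HQL rather than treated as data.
    public static String inlined(String property, String value) {
        return "select p from Product p where p." + checkProperty(property)
            + " = '" + value + "'";
    }

    // AFTER: the HQL text holds only placeholders; each value is bound under
    // a unique alias and is never parsed as query syntax, so no escaping of
    // quotes is needed.
    public static BuiltQuery bound(List<String[]> filters) {
        StringBuilder hql = new StringBuilder("select p from Product p where 1=1");
        Map<String, Object> params = new LinkedHashMap<>();
        int n = 0;
        for (String[] filter : filters) {
            String alias = "value" + n++;
            hql.append(" and p.").append(checkProperty(filter[0]))
               .append(" = :").append(alias);
            params.put(alias, filter[1]);
        }
        return new BuiltQuery(hql.toString(), params);
    }

    // Property names cannot be bound as parameters, so they are checked
    // against a fixed list instead of being taken verbatim from the client.
    private static final List<String> ALLOWED_PROPERTIES =
        Arrays.asList("name", "searchKey", "brand.name");

    static String checkProperty(String property) {
        if (!ALLOWED_PROPERTIES.contains(property)) {
            throw new IllegalArgumentException("unknown filter property: " + property);
        }
        return property;
    }

    public static void main(String[] args) {
        // Constructed sample value: a name containing an apostrophe.
        String name = "O'Brien";
        System.out.println(inlined("name", name));
        List<String[]> filters = new ArrayList<>();
        filters.add(new String[] {"name", name});
        filters.add(new String[] {"brand.name", "Acme"});
        System.out.println(bound(filters));
    }
}
```

The design point is that only the value side of a comparison can be bound as a parameter; the property side still ends up in the query text, which is why the example validates it against a fixed list rather than trusting the client for it.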
No tags attached.
Relationships:
related to | defect 0031106 | closed | Sandrahuguet | [Price criteria] Products out of the limit will not be filtered by price criteria in remote model
related to | defect 0032017 | closed | Sandrahuguet | [HGVOL] When searching for a BP using HV preferences error is shown with a name having " ' " character
depends on | backport 0032139 (RR16Q1) | closed | Sandrahuguet | Prevent sql injection in SimpleQueryBuilder
related to | defect 0029718 | closed | Sandrahuguet | SQL Injection issues
related to | backport 0032566 (RR16Q1.1) | closed | Sandrahuguet | Improvements in SimpleQueryBuilder
blocks | defect 0032551 | closed | Sandrahuguet | Filter by stockcriteria and pricecriteria in the same query does not work
causes | defect 0032727 | closed | Sandrahuguet | Error thrown when finding related services for a list of lines
Attached files: review.diff (diff, 2,664 bytes), 2016-03-23 09:38
https://issues.openbravo.com/file_download.php?file_id=9200&type=bug
Issue History
Date Modified | Username | Field | Change
2015-10-27 08:45 | mtaal | New Issue
2015-10-27 08:45 | mtaal | Assigned To | => Sandrahuguet
2015-10-27 08:45 | mtaal | Triggers an Emergency Pack | => No
2015-10-27 08:45 | mtaal | Relationship added | related to 0031106
2015-11-09 09:55 | Sandrahuguet | Status | new => scheduled
2015-12-22 17:45 | Orekaria | Target Version | RR16Q1 => RR16Q2
2016-01-29 14:25 | Sandrahuguet | Relationship added | related to 0032017
2016-02-05 08:23 | Sandrahuguet | Review Assigned To | => mtaal
2016-02-05 08:24 | Sandrahuguet | Status | scheduled => acknowledged
2016-02-05 08:27 | Sandrahuguet | Status | acknowledged => scheduled
2016-02-09 16:56 | Sandrahuguet | Note Added: 0084060
2016-02-09 16:57 | Sandrahuguet | Status | scheduled => resolved
2016-02-09 16:57 | Sandrahuguet | Resolution | open => fixed
2016-02-09 17:00 | hgbot | Checkin
2016-02-09 17:00 | hgbot | Note Added: 0084061
2016-02-09 17:02 | hgbot | Checkin
2016-02-09 17:02 | hgbot | Note Added: 0084062
2016-02-09 17:03 | hgbot | Checkin
2016-02-09 17:03 | hgbot | Note Added: 0084063
2016-02-09 17:04 | hgbot | Checkin
2016-02-09 17:04 | hgbot | Note Added: 0084064
2016-02-12 12:00 | mtaal | Review Assigned To | mtaal => migueldejuana
2016-02-14 14:47 | Orekaria | Note Added: 0084171
2016-02-14 14:47 | Orekaria | Status | resolved => new
2016-02-14 14:47 | Orekaria | Resolution | fixed => open
2016-02-14 14:47 | Orekaria | Status | new => feedback
2016-02-14 15:17 | Orekaria | Status | feedback => scheduled
2016-02-14 16:50 | hgbot | Checkin
2016-02-14 16:50 | hgbot | Note Added: 0084172
2016-02-15 10:36 | Sandrahuguet | Status | scheduled => resolved
2016-02-15 10:36 | Sandrahuguet | Resolution | open => fixed
2016-02-16 11:26 | migueldejuana | Note Added: 0084234
2016-02-16 11:26 | migueldejuana | Status | resolved => closed
2016-02-26 13:40 | Sandrahuguet | Note Added: 0084567
2016-02-26 13:40 | Sandrahuguet | Status | closed => new
2016-02-26 13:40 | Sandrahuguet | Resolution | fixed => open
2016-03-07 11:27 | hgbot | Checkin
2016-03-07 11:27 | hgbot | Note Added: 0084758
2016-03-07 11:28 | hgbot | Checkin
2016-03-07 11:28 | hgbot | Note Added: 0084759
2016-03-07 11:29 | Sandrahuguet | Status | new => scheduled
2016-03-07 11:29 | Sandrahuguet | Status | scheduled => resolved
2016-03-07 11:29 | Sandrahuguet | Resolution | open => fixed
2016-03-07 17:10 | hgbot | Checkin
2016-03-07 17:10 | hgbot | Note Added: 0084786
2016-03-07 20:22 | mtaal | Review Assigned To | migueldejuana => mtaal
2016-03-08 16:44 | hgbot | Checkin
2016-03-08 16:44 | hgbot | Note Added: 0084826
2016-03-08 16:46 | hgbot | Checkin
2016-03-08 16:46 | hgbot | Note Added: 0084827
2016-03-14 16:04 | Orekaria | Relationship added | related to 0029718
2016-03-16 17:18 | hgbot | Checkin
2016-03-16 17:18 | hgbot | Note Added: 0085015
2016-03-16 17:19 | hgbot | Checkin
2016-03-16 17:19 | hgbot | Note Added: 0085016
2016-03-21 12:14 | dmitry_mezentsev | Note Added: 0085240
2016-03-23 09:38 | mtaal | File Added: review.diff
2016-03-23 09:39 | mtaal | Note Added: 0085283
2016-03-23 15:20 | hgbot | Checkin
2016-03-23 15:20 | hgbot | Note Added: 0085291
2016-03-29 17:49 | Sandrahuguet | Relationship added | blocks 0032551
2016-03-29 18:26 | mtaal | Note Added: 0085319
2016-03-29 18:26 | mtaal | Status | resolved => closed
2016-03-29 18:26 | mtaal | Fixed in Version | => RR16Q2
2016-03-30 09:21 | hgbot | Checkin
2016-03-30 09:21 | hgbot | Note Added: 0085326
2016-03-30 10:02 | mtaal | Note Added: 0085327
2016-03-31 14:36 | Sandrahuguet | Relationship added | related to 0032566
2016-04-20 13:10 | adrianromero | Relationship added | causes 0032727

Notes
(0084060)
Sandrahuguet   
2016-02-09 16:56   
Repository: erp/pmods/org.openbravo.mobile.core
Changeset: 8fc1645d949121a1fad530efbd2db845f168e45d
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Tue Feb 09 16:54:58 2016 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/8fc1645d949121a1fad530efbd2db845f168e45d

Fixed issue 32139: Prevent sql injection in SimpleQueryBuilder

Refactor in SimpleQueryBuilder, parameters all have to be handled as
real parameters in the HQL query and not as strings in the query.

---
M src/org/openbravo/mobile/core/process/ProcessHQLQuery.java
M src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java
M web/org.openbravo.mobile.core/source/retail/component/ob-retail-searchproductcharacteristic.js
---
(0084061)
hgbot   
2016-02-09 17:00   
Repository: erp/pmods/org.openbravo.retail.posterminal
Changeset: 254d92cbd7ccca124362c7fd2b1d794f42c4e89e
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Tue Feb 09 16:59:52 2016 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/rev/254d92cbd7ccca124362c7fd2b1d794f42c4e89e

related to issue 31257 make remote filters properly

---
M web/org.openbravo.retail.posterminal/js/components/servicesfilter.js
M web/org.openbravo.retail.posterminal/js/pointofsale/view/toolbar-left.js
---
(0084062)
hgbot   
2016-02-09 17:02   
Repository: erp/pmods/org.openbravo.retail.complementary
Changeset: 91f9ac0c362556e303eca1dbbba68f04a24fb9c8
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Tue Feb 09 17:02:26 2016 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.complementary/rev/91f9ac0c362556e303eca1dbbba68f04a24fb9c8

related to issue 31257 make remote filters properly

---
M web/org.openbravo.retail.complementary/js/filterComplementaryProduct.js
---
(0084063)
hgbot   
2016-02-09 17:03   
Repository: erp/pmods/org.openbravo.retail.stockcriteria
Changeset: a859ca84e0fe03f1dcccb547c89061f85d9ba0e4
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Tue Feb 09 17:03:17 2016 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.stockcriteria/rev/a859ca84e0fe03f1dcccb547c89061f85d9ba0e4

related to issue 31257 make remote filters properly

---
M web/org.openbravo.retail.stockcriteria/js/hookStockCriteria.js
---
(0084064)
hgbot   
2016-02-09 17:04   
Repository: erp/pmods/org.openbravo.retail.pricecriteria
Changeset: 514a3e39c978a3a9a3bffc12c7cf77092a126935
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Tue Feb 09 17:04:24 2016 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.pricecriteria/rev/514a3e39c978a3a9a3bffc12c7cf77092a126935

related to issue 31257 make remote filters properly

---
M web/org.openbravo.retail.pricecriteria/js/hookPriceCriteria.js
---
(0084171)
Orekaria   
2016-02-14 14:47   
Breaking integration
(0084172)
hgbot   
2016-02-14 16:50   
Repository: erp/pmods/org.openbravo.mobile.core
Changeset: af2f38b4505a5c0a1fb61d7d0e4448a843742cc6
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Fri Feb 12 12:40:20 2016 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/af2f38b4505a5c0a1fb61d7d0e4448a843742cc6

Related to issue 31257: Parse to BigDecimal instead of to Double

---
M src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java
---
(0084234)
migueldejuana   
2016-02-16 11:26   
Tested and reviewed
(0084567)
Sandrahuguet   
2016-02-26 13:40   
Prevent sql injection in HQLCriteria
(0084758)
hgbot   
2016-03-07 11:27   
Repository: erp/pmods/org.openbravo.retail.posterminal
Changeset: 0cfe618cf6f780c18745528c807ea36574114e84
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Mon Mar 07 10:32:55 2016 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/rev/0cfe618cf6f780c18745528c807ea36574114e84

Related to issue 31257 Prevent sql injection in HQLCriteria part

---
M src/org/openbravo/retail/posterminal/BrandChHQLCriteria.java
M src/org/openbravo/retail/posterminal/BrandChValueHQLCriteria.java
M src/org/openbravo/retail/posterminal/BrandHQLCriteria.java
M src/org/openbravo/retail/posterminal/ChHQLCriteria.java
M src/org/openbravo/retail/posterminal/CharacteristicHQLCriteria.java
M src/org/openbravo/retail/posterminal/ChvHQLCriteria.java
M web/org.openbravo.retail.posterminal/js/components/modalproductcharacteristic.js
---
(0084759)
hgbot   
2016-03-07 11:28   
Repository: erp/pmods/org.openbravo.mobile.core
Changeset: 0e9112f9a67603cbdffe1e5c4aba3b6aabdaa41e
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Mon Mar 07 10:33:49 2016 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/0e9112f9a67603cbdffe1e5c4aba3b6aabdaa41e

Related to issue 31257 Prevent sql injection in HQLCriteria part

---
M src/org/openbravo/mobile/core/process/HQLCriteriaProcess.java
M src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java
M web/org.openbravo.mobile.core/source/retail/component/ob-retail-searchproductcharacteristic.js
---
(0084786)
hgbot   
2016-03-07 17:10   
Repository: erp/pmods/org.openbravo.mobile.core
Changeset: d8595941527d0412d0705618cf86bc83f525e87c
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Mon Mar 07 17:10:10 2016 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/d8595941527d0412d0705618cf86bc83f525e87c

related to issue 31257 delete commented code

---
M src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java
---
(0084826)
hgbot   
2016-03-08 16:44   
Repository: erp/pmods/org.openbravo.retail.stockcriteria
Changeset: b0703b51702612b99549c93611281268843baba1
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Tue Mar 08 16:44:21 2016 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.stockcriteria/rev/b0703b51702612b99549c93611281268843baba1

Related to issue 31257 Prevent sql injection in stockcriteria

---
M src/org/openbravo/retail/stockcriteria/StockChHQLCriteria.java
M src/org/openbravo/retail/stockcriteria/StockChValueHQLCriteria.java
M src/org/openbravo/retail/stockcriteria/StockHQLCriteria.java
M web/org.openbravo.retail.stockcriteria/js/hookStockCriteria.js
---
(0084827)
hgbot   
2016-03-08 16:46   
Repository: erp/pmods/org.openbravo.retail.pricecriteria
Changeset: c599888d6791d5937e79b9a5a4be03ae38647cc3
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Tue Mar 08 16:46:02 2016 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.pricecriteria/rev/c599888d6791d5937e79b9a5a4be03ae38647cc3

Related to issue 31257 Prevent sql injection in pricecriteria

---
M src/org/openbravo/retail/pricecriteria/PriceChHQLCriteria.java
M src/org/openbravo/retail/pricecriteria/PriceChValueHQLCriteria.java
M web/org.openbravo.retail.pricecriteria/js/hookPriceCriteria.js
---
(0085015)
hgbot   
2016-03-16 17:18   
Repository: erp/pmods/org.openbravo.retail.posterminal
Changeset: b06c5054696d228e1ddc7cc8cfcada43fea7a680
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Wed Mar 16 09:00:47 2016 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/rev/b06c5054696d228e1ddc7cc8cfcada43fea7a680

related to issue 31257 ability to support jsonarray in HQLCriteria

---
M src/org/openbravo/retail/posterminal/BrandChHQLCriteria.java
M src/org/openbravo/retail/posterminal/BrandChValueHQLCriteria.java
M src/org/openbravo/retail/posterminal/BrandHQLCriteria.java
M src/org/openbravo/retail/posterminal/BrandsFilterByCHHQLCriteria.java
M src/org/openbravo/retail/posterminal/ChHQLCriteria.java
M src/org/openbravo/retail/posterminal/CharacteristicHQLCriteria.java
M src/org/openbravo/retail/posterminal/ChvHQLCriteria.java
M web/org.openbravo.retail.posterminal/js/components/modalproductbrand.js
M web/org.openbravo.retail.posterminal/js/components/modalproductcharacteristic.js
---
(0085016)
hgbot   
2016-03-16 17:19   
Repository: erp/pmods/org.openbravo.mobile.core
Changeset: f97478435c1d1aedffdd0e7f94a611c0e52c31f7
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Wed Mar 16 08:58:39 2016 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/f97478435c1d1aedffdd0e7f94a611c0e52c31f7

related to issue 31257 ability to support jsonarray in HQLCriteria

---
M src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java
M web/org.openbravo.mobile.core/source/retail/component/ob-retail-searchproductcharacteristic.js
---
(0085240)
dmitry_mezentsev   
2016-03-21 12:14   
Not closed for 14 days!
(0085283)
mtaal   
2016-03-23 09:39   
I checked the code and attached a diff to solve a specific issue: HQLCriteria and FiltersCriteria can have the same operators and can therefore possibly share the same parameter aliases as created by the code.
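The alias collision described in the note above, shown in an added example that is not Openbravo's code: two criteria fragments that both use the same operator collide when each names its parameter after the operator, and stop colliding when both draw names from one generator owned by the query. The class names, the `eq` operator label and the property names are assumptions made for the example.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not Openbravo's code: two criteria sources that both name
// their parameter after the operator collide on the same alias unless they
// draw names from one generator shared by the whole query. Names assumed.
public class SharedAliasExample {

    // One allocator per query: every alias it returns is distinct.
    public static final class AliasGenerator {
        private int next = 0;

        public String alias(String prefix) {
            return prefix + "_" + next++;
        }
    }

    // Naive scheme: alias derived from the operator name only, so two
    // fragments using "eq" both produce "value_eq".
    static String naiveAlias(String operator) {
        return "value_" + operator;
    }

    // Registers a bound value; reports a collision instead of silently
    // overwriting the first value with the second.
    static void bind(Map<String, Object> params, String alias, Object value) {
        if (params.containsKey(alias)) {
            throw new IllegalStateException("parameter alias reused: " + alias);
        }
        params.put(alias, value);
    }

    // Simulates an HQLCriteria fragment and a FiltersCriteria fragment that
    // share the "eq" operator and contribute to one query. Returns the where
    // clause together with the values that would be bound.
    public static String build(boolean useSharedGenerator) {
        Map<String, Object> params = new HashMap<>();
        AliasGenerator gen = new AliasGenerator();

        String a = useSharedGenerator ? gen.alias("eq") : naiveAlias("eq");
        bind(params, a, "Acme");
        String b = useSharedGenerator ? gen.alias("eq") : naiveAlias("eq");
        bind(params, b, "A-100");

        return "where p.brand.name = :" + a + " and p.searchKey = :" + b
            + "  params=" + params;
    }

    public static void main(String[] args) {
        // Shared generator: aliases eq_0 and eq_1, both values bound.
        System.out.println(build(true));
        // Naive scheme: second bind of "value_eq" is rejected.
        try {
            System.out.println(build(false));
        } catch (IllegalStateException e) {
            System.out.println("naive scheme: " + e.getMessage());
        }
    }
}
```

Without the duplicate check in `bind`, the second `put` would silently replace the first value and the query would run with the wrong criteria rather than fail, which is the harder variant of this bug to notice in testing.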
(0085291)
hgbot   
2016-03-23 15:20   
Repository: erp/pmods/org.openbravo.mobile.core
Changeset: 9294b7efe80ab545dffac4c8c7fea52eb11ab4bf
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Wed Mar 23 15:18:52 2016 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/9294b7efe80ab545dffac4c8c7fea52eb11ab4bf

related to issue 31257: prevents operators from having the same name

---
M src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java
---
(0085319)
mtaal   
2016-03-29 18:26   
Reviewed and tested; the remaining error that was found is solved in a separate Mantis issue.
(0085326)
hgbot   
2016-03-30 09:21   
Repository: erp/pmods/org.openbravo.mobile.core
Changeset: 2ed7975220d5225cb3464da84dad5c0d256e8040
Author: Martin Taal <martin.taal <at> openbravo.com>
Date: Wed Mar 30 00:16:02 2016 +0200
URL: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/2ed7975220d5225cb3464da84dad5c0d256e8040

Related to issue 31257: Prevent sql injection in SimpleQueryBuilder
Make a member private instead of protected

---
M src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java
---
(0085327)
mtaal   
2016-03-30 10:02   
The last commit should have been committed before closing the issue, but the change is tiny and was noted and sent to try before closing.