0032139: Prevent sql injection in SimpleQueryBuilder - Openbravo Issue Tracking System

Openbravo Issue Tracking System - Retail Modules

View Issue Details

ID

Project

Category

View Status

Date Submitted

Last Update

0032139

Retail Modules

Web POS

public

2015-10-27 08:45

2016-03-09 18:33

Reporter

mtaal

Assigned To

Sandrahuguet

Priority

normal

Severity

major

Reproducibility

have not tried

Status

closed

Resolution

fixed

Platform

OS

5

OS Version

Product Version

Target Version

RR16Q1

Fixed in Version

RR16Q1

Merge Request Status

Review Assigned To

marvintm

OBNetwork customer

Support ticket

Regression level

Regression date

Regression introduced in release

Regression introduced by commit

Triggers an Emergency Pack

No

Summary

0032139: Prevent sql injection in SimpleQueryBuilder

Description

As far as I can see there is a risk of sql injection in the SimpleQueryBuilder. Particularly through this commit:
https://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/diff/02a66121f70c/src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java#l1.31 [^]

(but also previous commits included this)

Steps To Reproduce

Check the code here:
https://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/file/tip/src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java [^]

Proposed Solution

Parameters all have to be handled as real parameters in the HQL query and not inlined as strings in the query.

Additional Information

Tags

No tags attached.

Relationships

related to	backport	0032566	RR16Q1.1	closed	Sandrahuguet	Improvements in SimpleQueryBuilder
blocks	defect	0031257	RR16Q2	closed	Sandrahuguet	Prevent sql injection in SimpleQueryBuilder
blocks	defect	0032551		closed	Sandrahuguet	Filter by stockcriteria and pricecriteria in the same query does not work

Attached Files

Issue History

Date Modified

Username

Field

Change

2016-02-05 08:27

Type

defect => backport

2016-02-05 08:27

Target Version

RR16Q2 => RR16Q1

2016-02-09 16:55

Checkin

2016-02-09 16:55

Note Added: 0084059

2016-02-09 16:55

Status

scheduled => resolved

2016-02-09 16:55

Resolution

open => fixed

2016-02-09 16:55

Fixed in SCM revision

=> http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/8fc1645d949121a1fad530efbd2db845f168e45d [^]

2016-02-09 16:56

Status

resolved => new

2016-02-09 16:56

Resolution

fixed => open

2016-02-09 16:56

Status

new => scheduled

2016-02-09 16:56

Note Deleted: 0084059

2016-02-22 20:12

Checkin

2016-02-22 20:12

Note Added: 0084412

2016-02-22 20:12

Status

scheduled => resolved

2016-02-22 20:12

Resolution

open => fixed

2016-02-22 20:12

Fixed in SCM revision

http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/8fc1645d949121a1fad530efbd2db845f168e45d [^] => http://code.openbravo.com/retail/backports/3.0RR16Q1/org.openbravo.mobile.core/rev/1f9bf9d06de9e5724fe7dd2d68faf8327e7c2ac6 [^]

2016-02-22 20:13

Assigned To

Sandrahuguet => guilleaer

2016-02-26 13:41

Assigned To

guilleaer => Sandrahuguet

2016-02-26 13:41

Note Added: 0084568

2016-02-26 13:41

Status

resolved => new

2016-02-26 13:41

Resolution

fixed => open

2016-03-07 11:31

Checkin

2016-03-07 11:31

Note Added: 0084760

2016-03-07 11:31

Status

new => scheduled

2016-03-07 11:31

Status

scheduled => resolved

2016-03-07 11:31

Resolution

open => fixed

2016-03-07 11:31

Checkin

2016-03-07 11:31

Note Added: 0084761

2016-03-07 13:41

Checkin

2016-03-07 13:41

Note Added: 0084774

2016-03-07 13:42

Checkin

2016-03-07 13:42

Note Added: 0084775

2016-03-09 18:33

Review Assigned To

mtaal => marvintm

2016-03-09 18:33

Status

resolved => closed

2016-03-09 18:33

Fixed in Version

=> RR16Q1

2016-03-29 17:49

Relationship added

blocks 0032551

2016-03-31 14:43

Relationship added

related to 0032566

Notes