Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0041942Openbravo ERPA. Platformpublic2019-10-08 08:212019-12-16 12:37
Reportercberner 
Assigned Tocberner 
PrioritynormalSeverityminorReproducibilityhave not tried
StatusclosedResolutionfixed 
PlatformOS5OS Version
Product Version 
Target VersionFixed in Version3.0PR20Q1 
Merge Request Status
Review Assigned ToAugustoMauch
OBNetwork customer
Web browser
ModulesCore
Support ticket
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary0041942: Apply new HQL Style to platform classes
DescriptionStringBuffer/Builder in platform HQL/SQL should be replaced by String.
Possible HQL injections from both dynamic and static HQL queries should be minimized and if possible entirely removed.

A list of files that need to be modified to comply with this can be found in this spreadsheet[1].

[1]https://docs.google.com/spreadsheets/d/1WDm5MLQlWU98YjTbFRFs_fgDX5IDirvPe9nUXC-hU5o [^]
Steps To ReproduceIn description.
Proposed SolutionChange all StringBuffers and StringBuilders used for HQL to Strings. Remove possible HQL injections from both dynamic and static HQL queries.
Additional Information
TagsNo tags attached.
Relationships
related to design defect 0041287 acknowledged Triage Platform Base Tracking issue: Convert HQL to apply new style 
related to defect 0042432 closed cberner API Change: Changed StringBuffer parameter to String in method clause 
causes defect 0043272 closed cberner When importing translation for no longer existing elements -> INFO message is missing all necessary details 
Attached Files
Issue History
Date ModifiedUsernameFieldChange
2019-10-08 08:21cbernerNew Issue
2019-10-08 08:21cbernerAssigned To => cberner
2019-10-08 08:21cbernerModules => Core
2019-10-08 08:21cbernerTriggers an Emergency Pack => No
2019-10-08 08:21cbernerStatusnew => acknowledged
2019-10-15 09:18cbernerRelationship addedrelated to 0041287
2019-10-15 09:39cbernerSummaryStringBuffer/Builder in platform HQL/SQL should be replaced by String => Apply new HQL Style to platform classes
2019-10-15 09:39cbernerDescription Updatedbug_revision_view_page.php?rev_id=19502#r19502
2019-10-15 09:39cbernerProposed Solution updated
2019-11-11 12:37cbernerStatusacknowledged => scheduled
2019-11-28 11:00cbernerRelationship addedrelated to 0042432
2019-11-28 16:21hgbotCheckin
2019-11-28 16:21hgbotNote Added: 0115951
2019-11-28 17:06hgbotCheckin
2019-11-28 17:06hgbotNote Added: 0115954
2019-11-28 17:06hgbotStatusscheduled => resolved
2019-11-28 17:06hgbotResolutionopen => fixed
2019-11-28 17:06hgbotFixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/c47b63fff5775ab73ce8072af4fa6fd6c13d197e [^]
2019-11-28 19:25AugustoMauchReview Assigned To => AugustoMauch
2019-12-12 23:01hudsonbotCheckin
2019-12-12 23:01hudsonbotNote Added: 0116293
2019-12-16 12:37AugustoMauchNote Added: 0116341
2019-12-16 12:37AugustoMauchStatusresolved => closed
2019-12-16 12:37AugustoMauchFixed in Version => 3.0PR20Q1
2020-02-19 17:47shuehnerRelationship addedcauses 0043272

Notes
(0115951)
hgbot   
2019-11-28 16:21   
Repository: erp/pmods/org.openbravo.mobile.core
Changeset: e18eb55dc9330d7fb306f04cf195b2b19d984d7c
Author: Cristian Berner <cristian.berner <at> openbravo.com>
Date: Tue Nov 12 16:20:41 2019 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/e18eb55dc9330d7fb306f04cf195b2b19d984d7c [^]

Related to issue 41942: Applies new HQL style to query

---
M src/org/openbravo/mobile/core/listener/InitializeLastPingFromCentralServer.java
M src/org/openbravo/mobile/core/listener/StatusBackgroundProcessScheduler.java
M src/org/openbravo/mobile/core/servercontroller/MobileServerController.java
---
(0115954)
hgbot   
2019-11-28 17:06   
Repository: erp/devel/pi
Changeset: c47b63fff5775ab73ce8072af4fa6fd6c13d197e
Author: Cristian Berner <cristian.berner <at> openbravo.com>
Date: Tue Oct 08 11:48:18 2019 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/c47b63fff5775ab73ce8072af4fa6fd6c13d197e [^]

Fixes issue 41942: Apply new HQL Style to platform classes

StringBuffers and StringBuilders have been changed to String.
Some queries have been modified to use PreparedStatement, as this is not
prone to SQL Injection.
Some dynamic HQL queries have been modified to remove possible injections. Behaviour is the same as before.

Some refactoring was made in older classes.
New HQL convention has been applied to all modified classes.

---
M modules/org.openbravo.client.application/src/org/openbravo/client/application/ParametersActionHandler.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/attachment/AttachmentUtils.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/event/AcctSchemaEventHandler.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/navigationbarcomponents/RoleInfo.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/navigationbarcomponents/UserInfoComponent.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/personalization/PersonalizationActionHandler.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/personalization/PersonalizationHandler.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/window/ApplicationDictionaryCachedStructures.java
M modules/org.openbravo.client.myob/src/org/openbravo/client/myob/MyOBUtils.java
M modules/org.openbravo.client.myob/src/org/openbravo/client/myob/MyOpenbravoComponent.java
M modules/org.openbravo.service.datasource/src/org/openbravo/service/datasource/HQLDataSourceService.java
M modules/org.openbravo.service.datasource/src/org/openbravo/service/datasource/LinkToParentTreeDatasourceService.java
M modules/org.openbravo.userinterface.selector/src/org/openbravo/userinterface/selector/CustomQuerySelectorDatasource.java
M modules/org.openbravo.userinterface.selector/src/org/openbravo/userinterface/selector/model/domaintype/SelectorDomainType.java
M src/org/openbravo/base/model/ModelProvider.java
M src/org/openbravo/base/model/Property.java
M src/org/openbravo/base/model/domaintype/TreeDomainType.java
M src/org/openbravo/base/secureApp/DefaultValuesData.java
M src/org/openbravo/base/secureApp/UserLock.java
M src/org/openbravo/base/structure/BaseOBObject.java
M src/org/openbravo/cluster/ClusterServiceManager.java
M src/org/openbravo/dal/security/OrganizationStructureProvider.java
M src/org/openbravo/dal/service/DataPoolChecker.java
M src/org/openbravo/dal/service/OBQuery.java
M src/org/openbravo/erpCommon/ad_forms/TranslationHandler.java
M src/org/openbravo/erpCommon/ad_forms/TranslationManager.java
M src/org/openbravo/erpCommon/ad_process/HeartbeatProcess.java
M src/org/openbravo/erpCommon/businessUtility/Preferences.java
M src/org/openbravo/erpCommon/obps/ActivationKey.java
M src/org/openbravo/erpCommon/utility/SystemInfo.java
M src/org/openbravo/erpCommon/utility/Utility.java
M src/org/openbravo/service/dataset/DataSetService.java
M src/org/openbravo/service/rest/DalWebService.java
---
(0116293)
hudsonbot   
2019-12-12 23:01   
A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/954d2b7a66fb [^]
Maturity status: Test
(0116341)
AugustoMauch   
2019-12-16 12:37   
Code reviewed and verified