Notes

(0149039) hgbot 2023-04-27 18:21

(0149319) hgbot 2023-05-05 09:01

(0149320) hgbot 2023-05-05 09:01
Directly closing issue as related merge request is already approved.

Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core
Changeset: 9080e3a04f06bb8c53bc6fd5be59bd0b3a7179f4
Author: Augusto Mauch <augusto.mauch@openbravo.com>
Date: 05-05-2023 07:01:50
URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core/-/commit/9080e3a04f06bb8c53bc6fd5be59bd0b3a7179f4

Fixes ISSUE-52289: Validates attributes of OrderByCriteria to prevent HQL injection
The OrderByCriteria criteria class accepts two different ways of defining the order by clause: a string
and a JSONArray that contains pairs of properties-sorting directions.
Both were vulnerable to HQL injection attacks. To prevent them, now we are:
- transforming the string param to a JSONArray, checking that the format is the expected one
- validating the JSONArray to check that both properties and sorting directions have the format expected
---
A src-test/org/openbravo/mobile/core/process/OrderByCriteriaValidatorTest.java
A src/org/openbravo/mobile/core/process/OrderByCriteriaValidator.java
M src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java
---
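An added illustration of the approach the commit describes (not the project's own OrderByCriteriaValidator, and in Python rather than the module's Java): the string form is converted into the same pair structure as the JSONArray form, and both are then validated against an allow-list of sortable properties and an asc/desc pattern before any HQL is assembled. The string syntax, the property allow-list and the entity alias are assumptions.

```python
import json
import re

# Hypothetical allow-list of sortable properties; a real query builder would derive it from entity metadata.
ALLOWED_PROPERTIES = {"documentNo", "orderDate", "grandTotalAmount", "businessPartner.name"}
DIRECTION_RE = re.compile(r"^(asc|desc)$", re.IGNORECASE)

class OrderByValidationError(ValueError):
    """Raised when caller-supplied order-by criteria fail validation."""

def string_to_pairs(order_by: str) -> list:
    """Parse the string form (assumed 'prop [asc|desc], prop [asc|desc]') into pairs."""
    pairs = []
    for term in order_by.split(","):
        tokens = term.split()  # whitespace-separated; anything else is rejected below
        if len(tokens) == 1:
            tokens.append("asc")  # direction defaults to ascending
        if len(tokens) != 2:
            raise OrderByValidationError(f"malformed order-by term: {term.strip()!r}")
        pairs.append(tokens)
    return pairs

def validate_pairs(pairs) -> list:
    """Check every [property, direction] pair against the allow-list and direction pattern."""
    if not isinstance(pairs, list):
        raise OrderByValidationError("order-by criteria must be a JSON array of pairs")
    validated = []
    for pair in pairs:
        if not (isinstance(pair, list) and len(pair) == 2 and all(isinstance(x, str) for x in pair)):
            raise OrderByValidationError(f"expected [property, direction], got {pair!r}")
        prop, direction = pair
        if prop not in ALLOWED_PROPERTIES:  # exact match: no expressions, subqueries or comments
            raise OrderByValidationError(f"property is not sortable: {prop!r}")
        if not DIRECTION_RE.match(direction):
            raise OrderByValidationError(f"invalid sort direction: {direction!r}")
        validated.append((prop, direction.lower()))
    return validated

def build_order_by(criteria, alias: str = "e") -> str:
    """Accept either input form, normalise to pairs, validate, then emit the HQL fragment."""
    if isinstance(criteria, str):
        text = criteria.strip()
        try:
            pairs = json.loads(text) if text.startswith("[") else string_to_pairs(text)
        except json.JSONDecodeError as exc:
            raise OrderByValidationError(f"malformed JSON criteria: {exc}") from exc
    else:
        pairs = criteria  # already-parsed JSON array (e.g. from a request body)
    validated = validate_pairs(pairs)
    return (" order by " + ", ".join(f"{alias}.{p} {d}" for p, d in validated)) if validated else ""
```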

Reopened to create backports