Openbravo Issue Tracking System - Retail Modules
View Issue Details
ID: 0052361
Project: Retail Modules
Category: Web POS
View Status: public
Date Submitted: 2023-04-27 18:20
Last Update: 2023-05-05 11:08
Reporter: AugustoMauch
Assigned To: AugustoMauch
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
5
Target Version: RR23Q1.3
Fixed in Version: RR23Q1.2
No
0052361: SimpleQueryBuilder improvements
See https://docs.google.com/document/d/1D6fbsv4Ulx0j6VrVKnoSmhX5VW10tbk9yn3AsjA75Z4/edit
-
No tags attached.
Relationships: blocks defect 0052289 (closed, AugustoMauch) - SimpleQueryBuilder improvements
Issue History
2023-05-05 09:08 | AugustoMauch | Type | defect => backport
2023-05-05 09:08 | AugustoMauch | Target Version | => RR23Q1.3
2023-05-05 09:29 | hgbot | Note Added: 0149327
2023-05-05 11:08 | hgbot | Resolution | open => fixed
2023-05-05 11:08 | hgbot | Status | scheduled => closed
2023-05-05 11:08 | hgbot | Fixed in Version | => RR23Q1.2
2023-05-05 11:08 | hgbot | Note Added: 0149339
2023-05-05 11:08 | hgbot | Note Added: 0149340

Notes
(0149327)
hgbot   
2023-05-05 09:29   
Merge Request created: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core/-/merge_requests/513
(0149339)
hgbot   
2023-05-05 11:08   
Directly closing issue as related merge request is already approved.

Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core
Changeset: 613ccf810d337a9e4aea7bd6cbfaede27c0fb773
Author: Augusto Mauch <augusto.mauch@openbravo.com>
Date: 05-05-2023 09:28:41
URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core/-/commit/613ccf810d337a9e4aea7bd6cbfaede27c0fb773

Fixes ISSUE-52361: Validates attributes of OrderByCriteria to prevent HQL injection

The OrderByCriteria criteria class accepts two different ways of defining the order by clause: a string
and a JSONArray that contains pairs of properties-sorting directions.

Both were vulnerable to HQL injection attacks. To prevent them, now we are:
- transforming the string param to a JSONArray, checking that the format is the expected one
- validating the JSONArray to check that both properties and sorting directions have the format expected

---
A src-test/org/openbravo/mobile/core/process/OrderByCriteriaValidatorTest.java
A src/org/openbravo/mobile/core/process/OrderByCriteriaValidator.java
M src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java
---
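To illustrate the hardening the commit message describes, the following is an added example and not Openbravo's own OrderByCriteriaValidator (whose API is not shown on this page): it parses the string form of an order-by clause into property/direction pairs and accepts only dotted identifiers followed by asc or desc, so that nothing else can reach the HQL string. The class name, method names and regexes are assumptions made for this illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical allow-list validator modelled on the approach in the commit
// message: the caller-supplied order-by string is never concatenated into HQL
// directly; it is parsed into (property, direction) pairs and each token must
// match a strict pattern before it is used.
public final class OrderByValidatorExample {
  // A property is a dotted chain of plain identifiers, e.g. "product.name".
  private static final Pattern PROPERTY =
      Pattern.compile("[A-Za-z_][A-Za-z0-9_]*(\\.[A-Za-z_][A-Za-z0-9_]*)*");
  // Only the two HQL sort directions are accepted (compared in lower case).
  private static final Pattern DIRECTION = Pattern.compile("asc|desc");

  /** Parses "a.b asc, c desc" into validated [property, direction] pairs. */
  public static List<String[]> parse(String orderBy) {
    List<String[]> result = new ArrayList<>();
    if (orderBy == null || orderBy.trim().isEmpty()) {
      return result; // an empty clause is valid and yields no ordering
    }
    for (String item : orderBy.split(",")) {
      String[] tokens = item.trim().split("\\s+");
      // Expected shape: <property> [asc|desc]; anything else is rejected.
      if (tokens.length > 2) {
        throw new IllegalArgumentException("Malformed order by item: " + item);
      }
      String property = tokens[0];
      String direction = tokens.length == 2 ? tokens[1].toLowerCase() : "asc";
      if (!PROPERTY.matcher(property).matches()) {
        throw new IllegalArgumentException("Invalid property: " + property);
      }
      if (!DIRECTION.matcher(direction).matches()) {
        throw new IllegalArgumentException("Invalid direction: " + direction);
      }
      result.add(new String[] { property, direction });
    }
    return result;
  }

  /** Builds the HQL fragment exclusively from tokens that passed validation. */
  public static String toHql(String orderBy) {
    StringBuilder sb = new StringBuilder();
    for (String[] p : parse(orderBy)) {
      sb.append(sb.length() == 0 ? " order by " : ", ").append(p[0]).append(' ').append(p[1]);
    }
    return sb.toString();
  }

  public static void main(String[] args) {
    System.out.println(toHql("product.name asc, creationDate DESC"));
    try {
      toHql("name asc, 1)"); // not an identifier, so the whole clause is refused
    } catch (IllegalArgumentException e) {
      System.out.println("Rejected: " + e.getMessage());
    }
  }
}
```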
(0149340)
hgbot   
2023-05-05 11:08   
Merge request merged: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core/-/merge_requests/513