Anonymous | Login
Project:
RSS
  
News | My View | View Issues | Roadmap | Summary

View Issue DetailsJump to Notes ] Issue History ] Print ]
ID
0041942
TypeCategorySeverityReproducibilityDate SubmittedLast Update
defect[Openbravo ERP] A. Platformminorhave not tried2019-10-08 08:212019-12-16 12:37
ReportercbernerView Statuspublic 
Assigned Tocberner 
PrioritynormalResolutionfixedFixed in Version3.0PR20Q1
StatusclosedFix in branchFixed in SCM revisionc47b63fff577
ProjectionnoneETAnoneTarget Version
OSAnyDatabaseAnyJava version
OS VersionDatabase versionAnt version
Product VersionSCM revision 
Review Assigned ToAugustoMauch
Web browser
ModulesCore
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary

0041942: Apply new HQL Style to platform classes

DescriptionStringBuffer/Builder in platform HQL/SQL should be replaced by String.
Possible HQL injections from both dynamic and static HQL queries should be minimized and if possible entirely removed.

A list of files that need to be modified to comply with this can be found in this spreadsheet[1].

[1]https://docs.google.com/spreadsheets/d/1WDm5MLQlWU98YjTbFRFs_fgDX5IDirvPe9nUXC-hU5o [^]
Steps To ReproduceIn description.
Proposed SolutionChange all StringBuffers and StringBuilders used for HQL to Strings. Remove possible HQL injections from both dynamic and static HQL queries.
TagsNo tags attached.
Attached Files

- Relationships Relation Graph ] Dependency Graph ]
related to design defect 0041287 acknowledgedTriage Platform Base Tracking issue: Convert HQL to apply new style 
related to defect 0042432 closedcberner API Change: Changed StringBuffer parameter to String in method clause 
causes defect 0043272 closedcberner When importing translation for no longer existing elements -> INFO message is missing all necessary details 

-  Notes
(0115951)
hgbot (developer)
2019-11-28 16:21

 Repository: erp/pmods/org.openbravo.mobile.core
Changeset: e18eb55dc9330d7fb306f04cf195b2b19d984d7c
Author: Cristian Berner <cristian.berner <at> openbravo.com>
Date: Tue Nov 12 16:20:41 2019 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/e18eb55dc9330d7fb306f04cf195b2b19d984d7c [^]

Related to issue 41942: Applies new HQL style to query

---
M src/org/openbravo/mobile/core/listener/InitializeLastPingFromCentralServer.java
M src/org/openbravo/mobile/core/listener/StatusBackgroundProcessScheduler.java
M src/org/openbravo/mobile/core/servercontroller/MobileServerController.java
---
(0115954)
hgbot (developer)
2019-11-28 17:06

 Repository: erp/devel/pi
Changeset: c47b63fff5775ab73ce8072af4fa6fd6c13d197e
Author: Cristian Berner <cristian.berner <at> openbravo.com>
Date: Tue Oct 08 11:48:18 2019 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/c47b63fff5775ab73ce8072af4fa6fd6c13d197e [^]

Fixes issue 41942: Apply new HQL Style to platform classes

StringBuffers and StringBuilders have been changed to String.
Some queries have been modified to use PreparedStatement, as this is not
prone to SQL Injection.
Some dynamic HQL queries have been modified to remove possible injections. Behaviour is the same as before.

Some refactoring was made in older classes.
New HQL convention has been applied to all modified classes.

---
M modules/org.openbravo.client.application/src/org/openbravo/client/application/ParametersActionHandler.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/attachment/AttachmentUtils.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/event/AcctSchemaEventHandler.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/navigationbarcomponents/RoleInfo.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/navigationbarcomponents/UserInfoComponent.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/personalization/PersonalizationActionHandler.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/personalization/PersonalizationHandler.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/window/ApplicationDictionaryCachedStructures.java
M modules/org.openbravo.client.myob/src/org/openbravo/client/myob/MyOBUtils.java
M modules/org.openbravo.client.myob/src/org/openbravo/client/myob/MyOpenbravoComponent.java
M modules/org.openbravo.service.datasource/src/org/openbravo/service/datasource/HQLDataSourceService.java
M modules/org.openbravo.service.datasource/src/org/openbravo/service/datasource/LinkToParentTreeDatasourceService.java
M modules/org.openbravo.userinterface.selector/src/org/openbravo/userinterface/selector/CustomQuerySelectorDatasource.java
M modules/org.openbravo.userinterface.selector/src/org/openbravo/userinterface/selector/model/domaintype/SelectorDomainType.java
M src/org/openbravo/base/model/ModelProvider.java
M src/org/openbravo/base/model/Property.java
M src/org/openbravo/base/model/domaintype/TreeDomainType.java
M src/org/openbravo/base/secureApp/DefaultValuesData.java
M src/org/openbravo/base/secureApp/UserLock.java
M src/org/openbravo/base/structure/BaseOBObject.java
M src/org/openbravo/cluster/ClusterServiceManager.java
M src/org/openbravo/dal/security/OrganizationStructureProvider.java
M src/org/openbravo/dal/service/DataPoolChecker.java
M src/org/openbravo/dal/service/OBQuery.java
M src/org/openbravo/erpCommon/ad_forms/TranslationHandler.java
M src/org/openbravo/erpCommon/ad_forms/TranslationManager.java
M src/org/openbravo/erpCommon/ad_process/HeartbeatProcess.java
M src/org/openbravo/erpCommon/businessUtility/Preferences.java
M src/org/openbravo/erpCommon/obps/ActivationKey.java
M src/org/openbravo/erpCommon/utility/SystemInfo.java
M src/org/openbravo/erpCommon/utility/Utility.java
M src/org/openbravo/service/dataset/DataSetService.java
M src/org/openbravo/service/rest/DalWebService.java
---
(0116293)
hudsonbot (developer)
2019-12-12 23:01

 A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/954d2b7a66fb [^]
Maturity status: Test
(0116341)
AugustoMauch (administrator)
2019-12-16 12:37

 Code reviewed and verified

- Issue History
Date Modified Username Field Change
2019-10-08 08:21 cberner New Issue
2019-10-08 08:21 cberner Assigned To => cberner
2019-10-08 08:21 cberner Modules => Core
2019-10-08 08:21 cberner Triggers an Emergency Pack => No
2019-10-08 08:21 cberner Status new => acknowledged
2019-10-15 09:18 cberner Relationship added related to 0041287
2019-10-15 09:39 cberner Summary StringBuffer/Builder in platform HQL/SQL should be replaced by String => Apply new HQL Style to platform classes
2019-10-15 09:39 cberner Description Updated View Revisions
2019-10-15 09:39 cberner Proposed Solution updated
2019-11-11 12:37 cberner Status acknowledged => scheduled
2019-11-28 11:00 cberner Relationship added related to 0042432
2019-11-28 16:21 hgbot Checkin
2019-11-28 16:21 hgbot Note Added: 0115951
2019-11-28 17:06 hgbot Checkin
2019-11-28 17:06 hgbot Note Added: 0115954
2019-11-28 17:06 hgbot Status scheduled => resolved
2019-11-28 17:06 hgbot Resolution open => fixed
2019-11-28 17:06 hgbot Fixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/c47b63fff5775ab73ce8072af4fa6fd6c13d197e [^]
2019-11-28 19:25 AugustoMauch Review Assigned To => AugustoMauch
2019-12-12 23:01 hudsonbot Checkin
2019-12-12 23:01 hudsonbot Note Added: 0116293
2019-12-16 12:37 AugustoMauch Note Added: 0116341
2019-12-16 12:37 AugustoMauch Status resolved => closed
2019-12-16 12:37 AugustoMauch Fixed in Version => 3.0PR20Q1
2020-02-19 17:47 shuehner Relationship added causes 0043272

Copyright © 2000 - 2009 MantisBT Group
Powered by Mantis Bugtracker