Project:
| View Issue Details[ Jump to Notes ] | [ Issue History ] [ Print ] | |||||||
| ID | ||||||||
| 0052289 | ||||||||
| Type | Category | Severity | Reproducibility | Date Submitted | Last Update | |||
| defect | [Retail Modules] Web POS | minor | have not tried | 2023-04-27 18:20 | 2023-05-05 09:08 | |||
| Reporter | AugustoMauch | View Status | public | |||||
| Assigned To | AugustoMauch | |||||||
| Priority | normal | Resolution | fixed | Fixed in Version | ||||
| Status | closed | Fix in branch | Fixed in SCM revision | |||||
| Projection | none | ETA | none | Target Version | ||||
| OS | Any | Database | Any | Java version | ||||
| OS Version | Database version | Ant version | ||||||
| Product Version | SCM revision | |||||||
| Merge Request Status | approved | |||||||
| Review Assigned To | ||||||||
| OBNetwork customer | No | |||||||
| Support ticket | ||||||||
| Regression level | ||||||||
| Regression date | ||||||||
| Regression introduced in release | ||||||||
| Regression introduced by commit | ||||||||
| Triggers an Emergency Pack | No | |||||||
| Summary | 0052289: SimpleQueryBuilder improvements | |||||||
| Description | See https://docs.google.com/document/d/1D6fbsv4Ulx0j6VrVKnoSmhX5VW10tbk9yn3AsjA75Z4/edit [^] | |||||||
| Steps To Reproduce | - | |||||||
| Tags | No tags attached. | |||||||
| Attached Files | ||||||||
 Relationships [ Relation Graph ]
[ Dependency Graph ]
|
|||||||||||||||
|
|||||||||||||||
 Relationships |
|
Notes |
|
|
(0149039) hgbot (developer) 2023-04-27 18:21 |
Merge Request created: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core/-/merge_requests/505 [^] |
|
(0149319) hgbot (developer) 2023-05-05 09:01 |
Merge request merged: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core/-/merge_requests/505 [^] |
|
(0149320) hgbot (developer) 2023-05-05 09:01 |
Directly closing issue as related merge request is already approved. Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core [^] Changeset: 9080e3a04f06bb8c53bc6fd5be59bd0b3a7179f4 Author: Augusto Mauch <augusto.mauch@openbravo.com> Date: 05-05-2023 07:01:50 URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core/-/commit/9080e3a04f06bb8c53bc6fd5be59bd0b3a7179f4 [^] Fixes ISSUE-52289: Validates attributes of OrderByCriteria to prevent HQL injection The OrderByCriteria criteria class accepts two different ways of defining the order by clause: a string and a JSONArray that contains pairs of properties-sorting directions. Both were vulnerable to HQL injection attacks. To prevent them, now we are: - transforming the string param to a JSONArray, checking that the format is the expected one - validating the JSONArray to check that both properties and sorting directions have the format expected --- A src-test/org/openbravo/mobile/core/process/OrderByCriteriaValidatorTest.java A src/org/openbravo/mobile/core/process/OrderByCriteriaValidator.java M src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java --- |
|
(0149321) AugustoMauch (administrator) 2023-05-05 09:02 |
Reopened to create backports |
|
Notes |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2023-04-27 18:20 | AugustoMauch | New Issue | |
| 2023-04-27 18:20 | AugustoMauch | Assigned To | => AugustoMauch |
| 2023-04-27 18:20 | AugustoMauch | OBNetwork customer | => No |
| 2023-04-27 18:20 | AugustoMauch | Triggers an Emergency Pack | => No |
| 2023-04-27 18:20 | AugustoMauch | Status | new => scheduled |
| 2023-04-27 18:21 | hgbot | Merge Request Status | => open |
| 2023-04-27 18:21 | hgbot | Note Added: 0149039 | |
| 2023-05-04 14:37 | hgbot | Merge Request Status | open => approved |
| 2023-05-05 09:01 | hgbot | Resolution | open => fixed |
| 2023-05-05 09:01 | hgbot | Status | scheduled => closed |
| 2023-05-05 09:01 | hgbot | Note Added: 0149319 | |
| 2023-05-05 09:01 | hgbot | Fixed in Version | => RR23Q3 |
| 2023-05-05 09:01 | hgbot | Note Added: 0149320 | |
| 2023-05-05 09:02 | AugustoMauch | Note Added: 0149321 | |
| 2023-05-05 09:02 | AugustoMauch | Status | closed => new |
| 2023-05-05 09:02 | AugustoMauch | Resolution | fixed => open |
| 2023-05-05 09:02 | AugustoMauch | Fixed in Version | RR23Q3 => |
| 2023-05-05 09:08 | AugustoMauch | Status | new => scheduled |
| 2023-05-05 09:08 | AugustoMauch | Status | scheduled => resolved |
| 2023-05-05 09:08 | AugustoMauch | Resolution | open => fixed |
| 2023-05-05 09:08 | AugustoMauch | Status | resolved => closed |
| 2023-05-05 09:08 | AugustoMauch | Status | closed => new |
| 2023-05-05 09:08 | AugustoMauch | Resolution | fixed => open |
| 2023-05-05 09:08 | AugustoMauch | Status | new => scheduled |
| 2023-05-05 09:08 | AugustoMauch | Status | scheduled => resolved |
| 2023-05-05 09:08 | AugustoMauch | Resolution | open => fixed |
| 2023-05-05 09:08 | AugustoMauch | Status | resolved => closed |
|
Issue History |
| Copyright © 2000 - 2009 MantisBT Group |
 |