View Issue Details
ID: 0029718
Type: defect
Category: [Retail Modules] Web POS
Severity: major
Reproducibility: have not tried
Date Submitted: 2015-04-28 16:07
Last Update: 2017-09-01 10:50
Reporter: adrianromero
View Status: public
Assigned To: Sandrahuguet
Priority: urgent
Resolution: fixed
Fixed in Version: RR16Q4
Status: closed
Fixed in SCM revision: c123693032b4
Projection: none
ETA: none
OS: Any
Database: Any
Review Assigned To: marvintm
Triggers an Emergency Pack: No
Summary: 0029718: SQL Injection issues

Description: There are several places in the code where HQL sentences are built that have SQL Injection problems.

Steps To Reproduce: For example:

https://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/file/064f74fcf503/src/org/openbravo/retail/posterminal/term/Terminal.java#l128
https://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/file/064f74fcf503/src/org/openbravo/retail/posterminal/term/Terminal.java#l133
https://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/file/064f74fcf503/src/org/openbravo/retail/posterminal/master/TaxZone.java#l83
https://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/file/064f74fcf503/src/org/openbravo/retail/posterminal/term/Terminal.java#l143

Proposed Solution: Attached proposal for "LoadedCustomer"

Tags: No tags attached.

Attached Files: refactorPosterminalModule.diff (2,550 bytes) 2016-03-31 17:20

Relationships
related to defect 0029668 (closed, adrianromero): Not possible to login on webpos if the address of the organization has a simple quote on the name
related to defect 0031257 (RR16Q2, closed, Sandrahuguet): Prevent sql injection in SimpleQueryBuilder

Notes
(0088428)
hgbot (developer)
2016-07-13 10:16

Repository: erp/pmods/org.openbravo.mobile.core
Changeset: 4ee3eed43218b96dbc2ebe55ccd38723cbf16780
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Wed Jul 13 10:05:34 2016 +0200
URL: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/4ee3eed43218b96dbc2ebe55ccd38723cbf16780

Fixed issue 29718 prevent sql injection

Prevent sql injection: use named parameters instead of literals.

---
M src/org/openbravo/mobile/core/login/Context.java
M src/org/openbravo/mobile/core/login/ContextInformation.java
M src/org/openbravo/mobile/core/process/ProcessHQLQuery.java
M src/org/openbravo/mobile/core/process/SecuredJSONProcess.java
M src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java
---
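The fix the note above describes, binding the value as a named parameter instead of splicing it into the HQL text, as an added example that is not code from the Openbravo modules: a plain Hibernate lookup of an organization by name in the concatenated form beside the parameterised form. The Hibernate Session, the Organization entity and its name property are assumptions for the illustration.

```java
import java.util.List;
import org.hibernate.Query;
import org.hibernate.Session;

// Added example, not code from the posterminal or mobile.core modules.
// Assumes a Hibernate Session (org.hibernate.Query as in Hibernate 3/4)
// and an entity Organization with a String property 'name'.
public final class OrganizationLookup {

  // VULNERABLE: the caller-supplied value becomes part of the HQL text.
  // For the input  O'Brien Store  this yields
  //   from Organization o where o.name = 'O'Brien Store'
  // which is malformed HQL (the class of failure the related issue
  // 0029668 reports for a single quote), and the same splice lets
  // crafted input change what the query means.
  static String unsafeHql(String orgName) {
    return "from Organization o where o.name = '" + orgName + "'";
  }

  @SuppressWarnings("unchecked")
  static List<Object> findUnsafe(Session session, String orgName) {
    return session.createQuery(unsafeHql(orgName)).list();
  }

  // FIXED: the HQL text is a constant and the value is bound to the
  // named parameter :orgName, so a quote in it is data, never syntax.
  static final String SAFE_HQL =
      "from Organization o where o.name = :orgName";

  @SuppressWarnings("unchecked")
  static List<Object> findSafe(Session session, String orgName) {
    Query query = session.createQuery(SAFE_HQL);
    query.setParameter("orgName", orgName);
    return query.list();
  }
}
```

A reviewer can spot the remaining instances of the first pattern by searching for HQL string literals that are concatenated with a `+` before reaching `createQuery`; with the second pattern the query text never varies with input.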
(0088430)
hgbot (developer)
2016-07-13 10:17

Repository: erp/pmods/org.openbravo.retail.posterminal
Changeset: ae0faa1ab92bdd3952739132476b06a412d26bd5
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Wed Jul 13 10:04:39 2016 +0200
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/rev/ae0faa1ab92bdd3952739132476b06a412d26bd5

Fixed issue 29718 prevent sql injection

Prevent sql injection: use named parameters instead of literals.

---
M src/org/openbravo/retail/posterminal/PaidReceiptsHeader.java
M src/org/openbravo/retail/posterminal/master/Brand.java
M src/org/openbravo/retail/posterminal/master/Cashup.java
M src/org/openbravo/retail/posterminal/master/Category.java
M src/org/openbravo/retail/posterminal/master/CategoryTree.java
M src/org/openbravo/retail/posterminal/master/Discount.java
M src/org/openbravo/retail/posterminal/master/LoadedCustomer.java
M src/org/openbravo/retail/posterminal/master/PriceList.java
M src/org/openbravo/retail/posterminal/master/Product.java
M src/org/openbravo/retail/posterminal/master/ProductCharacteristicValue.java
M src/org/openbravo/retail/posterminal/master/ProductPrice.java
M src/org/openbravo/retail/posterminal/master/ServicePriceRuleRangePrices.java
M src/org/openbravo/retail/posterminal/master/TaxRate.java
M src/org/openbravo/retail/posterminal/master/TaxZone.java
M src/org/openbravo/retail/posterminal/process/HasServices.java
M src/org/openbravo/retail/posterminal/stock/StoreDetailedStock.java
M src/org/openbravo/retail/posterminal/term/Payments.java
M src/org/openbravo/retail/posterminal/term/Terminal.java
---
(0088431)
hgbot (developer)
2016-07-13 10:17

Repository: erp/pmods/org.openbravo.retail.stockcriteria
Changeset: f9169ee4dbe4611722420237318782886a97ff0b
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Wed Jul 13 10:10:48 2016 +0200
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.stockcriteria/rev/f9169ee4dbe4611722420237318782886a97ff0b

related to issue 29718 prevent sql injection

Prevent sql injection: there is one parenthesis not needed

---
M src/org/openbravo/retail/stockcriteria/BrandHQLCriteria.java
---
(0088432)
hgbot (developer)
2016-07-13 10:18

Repository: erp/pmods/org.openbravo.retail.loyalty
Changeset: 66921d8b0f13692dfc7009b3e80d206142281620
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Wed Jul 13 10:14:17 2016 +0200
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.loyalty/rev/66921d8b0f13692dfc7009b3e80d206142281620

Fixed issue 29718 prevent sql injection

use getDalQuery() instead of the deprecated function getHQLQuery()

---
M src/org/openbravo/retail/loyalty/master/AccumulationRules.java
M src/org/openbravo/retail/loyalty/master/LoyaltyManagement.java
M src/org/openbravo/retail/loyalty/master/LoyaltyProgram.java
M src/org/openbravo/retail/loyalty/master/RedemptionRules.java
---
(0088433)
hgbot (developer)
2016-07-13 10:19

Repository: erp/pmods/org.openbravo.mobile.warehouse.physicalinventory
Changeset: 4bd92ce27c95ade953aea5d0a13f50a314ea481d
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Wed Jul 13 10:15:54 2016 +0200
URL: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.warehouse.physicalinventory/rev/4bd92ce27c95ade953aea5d0a13f50a314ea481d

Fixed issue 29718 prevent sql injection

use getDalQuery() instead of the deprecated function getHQLQuery()

---
M src/org/openbravo/mobile/warehouse/physicalinventory/ProcessPhysicalInventory.java
---
(0088434)
hgbot (developer)
2016-07-13 10:45

Repository: erp/pmods/org.openbravo.retail.discounts.combo
Changeset: c123693032b4f123ffe2f97b75ad37d7c1495389
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Wed Jul 13 10:45:09 2016 +0200
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.discounts.combo/rev/c123693032b4f123ffe2f97b75ad37d7c1495389

Fixed issue 29718 prevent sql injection

use getDalQuery() instead of the deprecated function getHQLQuery()

---
M src/org/openbravo/retail/discounts/combo/master/DiscountComboValidation.java
---
(0088440)
hgbot (developer)
2016-07-13 13:04

Repository: erp/pmods/org.openbravo.mobile.core
Changeset: 111cfc98e74aacd1ee1f30c144621ec2ca639070
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Wed Jul 13 13:04:03 2016 +0200
URL: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/111cfc98e74aacd1ee1f30c144621ec2ca639070

related to issue 29718 prevent sql injection

---
M src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java
---
(0088517)
hgbot (developer)
2016-07-15 11:25

Repository: erp/pmods/org.openbravo.retail.posterminal
Changeset: 38c842902831ddb8e9c67ca4b9a18ad31093cbcc
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Fri Jul 15 11:25:23 2016 +0200
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/rev/38c842902831ddb8e9c67ca4b9a18ad31093cbcc

related to issue 29718 code review. added log

---
M src/org/openbravo/retail/posterminal/PaidReceiptsHeader.java
---

Issue History
Date Modified Username Field Change
2015-04-28 16:07 adrianromero New Issue
2015-04-28 16:07 adrianromero Assigned To => Retail
2015-04-28 16:07 adrianromero Triggers an Emergency Pack => No
2015-04-28 16:09 adrianromero Steps to Reproduce Updated View Revisions
2015-05-20 09:29 marvintm Relationship added related to 0029668
2016-03-14 16:04 Orekaria Relationship added related to 0031257
2016-03-31 17:20 adrianromero File Added: refactorPosterminalModule.diff
2016-03-31 17:21 adrianromero Proposed Solution updated
2016-07-13 10:00 Sandrahuguet Assigned To Retail => Sandrahuguet
2016-07-13 10:01 Sandrahuguet Status new => scheduled
2016-07-13 10:16 hgbot Checkin
2016-07-13 10:16 hgbot Note Added: 0088428
2016-07-13 10:16 hgbot Status scheduled => resolved
2016-07-13 10:16 hgbot Resolution open => fixed
2016-07-13 10:16 hgbot Fixed in SCM revision => http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/4ee3eed43218b96dbc2ebe55ccd38723cbf16780
2016-07-13 10:17 hgbot Checkin
2016-07-13 10:17 hgbot Note Added: 0088430
2016-07-13 10:17 hgbot Fixed in SCM revision http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/4ee3eed43218b96dbc2ebe55ccd38723cbf16780 => http://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/rev/ae0faa1ab92bdd3952739132476b06a412d26bd5
2016-07-13 10:17 hgbot Checkin
2016-07-13 10:17 hgbot Note Added: 0088431
2016-07-13 10:18 hgbot Checkin
2016-07-13 10:18 hgbot Note Added: 0088432
2016-07-13 10:18 hgbot Fixed in SCM revision http://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/rev/ae0faa1ab92bdd3952739132476b06a412d26bd5 => http://code.openbravo.com/erp/pmods/org.openbravo.retail.loyalty/rev/66921d8b0f13692dfc7009b3e80d206142281620
2016-07-13 10:19 hgbot Checkin
2016-07-13 10:19 hgbot Note Added: 0088433
2016-07-13 10:19 hgbot Fixed in SCM revision http://code.openbravo.com/erp/pmods/org.openbravo.retail.loyalty/rev/66921d8b0f13692dfc7009b3e80d206142281620 => http://code.openbravo.com/erp/pmods/org.openbravo.mobile.warehouse.physicalinventory/rev/4bd92ce27c95ade953aea5d0a13f50a314ea481d
2016-07-13 10:19 Sandrahuguet Review Assigned To => marvintm
2016-07-13 10:45 hgbot Checkin
2016-07-13 10:45 hgbot Note Added: 0088434
2016-07-13 10:45 hgbot Fixed in SCM revision http://code.openbravo.com/erp/pmods/org.openbravo.mobile.warehouse.physicalinventory/rev/4bd92ce27c95ade953aea5d0a13f50a314ea481d => http://code.openbravo.com/erp/pmods/org.openbravo.retail.discounts.combo/rev/c123693032b4f123ffe2f97b75ad37d7c1495389
2016-07-13 13:04 hgbot Checkin
2016-07-13 13:04 hgbot Note Added: 0088440
2016-07-15 11:25 hgbot Checkin
2016-07-15 11:25 hgbot Note Added: 0088517
2016-07-15 11:53 marvintm Status resolved => closed
2017-09-01 10:50 shuehner Fixed in Version => RR16Q4