
View Issue Details

ID: 0031257
Type: defect
Category: [Retail Modules] Web POS
Severity: major
Reproducibility: have not tried
Date Submitted: 2015-10-27 08:45
Last Update: 2016-03-30 10:02
Reporter: mtaal
View Status: public
Assigned To: Sandrahuguet
Priority: normal
Resolution: fixed
Fixed in Version: RR16Q2
Status: closed
Projection: none
ETA: none
Target Version: RR16Q2
OS: Any
Database: Any
Review Assigned To: mtaal
Triggers an Emergency Pack: No
Summary

0031257: Prevent sql injection in SimpleQueryBuilder

Description: As far as I can see there is a risk of sql injection in the SimpleQueryBuilder. Particularly through this commit:
https://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/diff/02a66121f70c/src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java#l1.31

(but also previous commits included this)

Steps To Reproduce: Check the code here:
https://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/file/tip/src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java

Proposed Solution: Parameters all have to be handled as real parameters in the HQL query and not inlined as strings in the query.

Tags: No tags attached.

Attached Files: review.diff (2,664 bytes) 2016-03-23 09:38

Relationships

related to defect 0031106 (closed, Sandrahuguet): [Price criteria] Products out of the limit will not be filtered by price criteria in remote model
related to defect 0029718 (closed, Sandrahuguet): SQL Injection issues
related to defect 0032017 (closed, Sandrahuguet): [HGVOL] When searching for a BP using HV preferences error is shown with a name having " ' " character
related to backport 0032566 RR16Q1.1 (closed, Sandrahuguet): Improvements in SimpleQueryBuilder
depends on backport 0032139 RR16Q1 (closed, Sandrahuguet): Prevent sql injection in SimpleQueryBuilder
blocks defect 0032551 (closed, Sandrahuguet): Filter by stockcriteria and pricecriteria in the same query does not work
causes defect 0032727 (closed, Sandrahuguet): Error thrown when finding related services for a list of lines

Notes
(0084060)
Sandrahuguet (developer)
2016-02-09 16:56

Repository: erp/pmods/org.openbravo.mobile.core
Changeset: 8fc1645d949121a1fad530efbd2db845f168e45d
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Tue Feb 09 16:54:58 2016 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/8fc1645d949121a1fad530efbd2db845f168e45d

Fixed issue 32139: Prevent sql injection in SimpleQueryBuilder

Refactor in SimpleQueryBuilder, parameters all have to be handled as
real parameters in the HQL query and not as strings in the query.

---
M src/org/openbravo/mobile/core/process/ProcessHQLQuery.java
M src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java
M web/org.openbravo.mobile.core/source/retail/component/ob-retail-searchproductcharacteristic.js
---
(0084061)
hgbot (developer)
2016-02-09 17:00

Repository: erp/pmods/org.openbravo.retail.posterminal
Changeset: 254d92cbd7ccca124362c7fd2b1d794f42c4e89e
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Tue Feb 09 16:59:52 2016 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/rev/254d92cbd7ccca124362c7fd2b1d794f42c4e89e

related to issue 31257 make remote filters properly

---
M web/org.openbravo.retail.posterminal/js/components/servicesfilter.js
M web/org.openbravo.retail.posterminal/js/pointofsale/view/toolbar-left.js
---
(0084062)
hgbot (developer)
2016-02-09 17:02

Repository: erp/pmods/org.openbravo.retail.complementary
Changeset: 91f9ac0c362556e303eca1dbbba68f04a24fb9c8
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Tue Feb 09 17:02:26 2016 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.complementary/rev/91f9ac0c362556e303eca1dbbba68f04a24fb9c8

related to issue 31257 make remote filters properly

---
M web/org.openbravo.retail.complementary/js/filterComplementaryProduct.js
---
(0084063)
hgbot (developer)
2016-02-09 17:03

Repository: erp/pmods/org.openbravo.retail.stockcriteria
Changeset: a859ca84e0fe03f1dcccb547c89061f85d9ba0e4
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Tue Feb 09 17:03:17 2016 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.stockcriteria/rev/a859ca84e0fe03f1dcccb547c89061f85d9ba0e4

related to issue 31257 make remote filters properly

---
M web/org.openbravo.retail.stockcriteria/js/hookStockCriteria.js
---
(0084064)
hgbot (developer)
2016-02-09 17:04

Repository: erp/pmods/org.openbravo.retail.pricecriteria
Changeset: 514a3e39c978a3a9a3bffc12c7cf77092a126935
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Tue Feb 09 17:04:24 2016 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.pricecriteria/rev/514a3e39c978a3a9a3bffc12c7cf77092a126935

related to issue 31257 make remote filters properly

---
M web/org.openbravo.retail.pricecriteria/js/hookPriceCriteria.js
---
(0084171)
Orekaria (administrator)
2016-02-14 14:47

Breaking integration
(0084172)
hgbot (developer)
2016-02-14 16:50

Repository: erp/pmods/org.openbravo.mobile.core
Changeset: af2f38b4505a5c0a1fb61d7d0e4448a843742cc6
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Fri Feb 12 12:40:20 2016 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/af2f38b4505a5c0a1fb61d7d0e4448a843742cc6

Related to issue 31257: Parse to BigDecimal instead of to Double

---
M src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java
---
(0084234)
migueldejuana (developer)
2016-02-16 11:26

Tested and reviewed
(0084567)
Sandrahuguet (developer)
2016-02-26 13:40

Prevent sql injection in HQLCriteria
(0084758)
hgbot (developer)
2016-03-07 11:27

Repository: erp/pmods/org.openbravo.retail.posterminal
Changeset: 0cfe618cf6f780c18745528c807ea36574114e84
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Mon Mar 07 10:32:55 2016 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/rev/0cfe618cf6f780c18745528c807ea36574114e84

Related to issue 31257 Prevent sql injection in HQLCriteria part

---
M src/org/openbravo/retail/posterminal/BrandChHQLCriteria.java
M src/org/openbravo/retail/posterminal/BrandChValueHQLCriteria.java
M src/org/openbravo/retail/posterminal/BrandHQLCriteria.java
M src/org/openbravo/retail/posterminal/ChHQLCriteria.java
M src/org/openbravo/retail/posterminal/CharacteristicHQLCriteria.java
M src/org/openbravo/retail/posterminal/ChvHQLCriteria.java
M web/org.openbravo.retail.posterminal/js/components/modalproductcharacteristic.js
---
(0084759)
hgbot (developer)
2016-03-07 11:28

Repository: erp/pmods/org.openbravo.mobile.core
Changeset: 0e9112f9a67603cbdffe1e5c4aba3b6aabdaa41e
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Mon Mar 07 10:33:49 2016 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/0e9112f9a67603cbdffe1e5c4aba3b6aabdaa41e

Related to issue 31257 Prevent sql injection in HQLCriteria part

---
M src/org/openbravo/mobile/core/process/HQLCriteriaProcess.java
M src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java
M web/org.openbravo.mobile.core/source/retail/component/ob-retail-searchproductcharacteristic.js
---
(0084786)
hgbot (developer)
2016-03-07 17:10

Repository: erp/pmods/org.openbravo.mobile.core
Changeset: d8595941527d0412d0705618cf86bc83f525e87c
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Mon Mar 07 17:10:10 2016 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/d8595941527d0412d0705618cf86bc83f525e87c

related to issue 31257 delete commented code

---
M src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java
---
(0084826)
hgbot (developer)
2016-03-08 16:44

Repository: erp/pmods/org.openbravo.retail.stockcriteria
Changeset: b0703b51702612b99549c93611281268843baba1
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Tue Mar 08 16:44:21 2016 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.stockcriteria/rev/b0703b51702612b99549c93611281268843baba1

Related to issue 31257 Prevent sql injection in stockcriteria

---
M src/org/openbravo/retail/stockcriteria/StockChHQLCriteria.java
M src/org/openbravo/retail/stockcriteria/StockChValueHQLCriteria.java
M src/org/openbravo/retail/stockcriteria/StockHQLCriteria.java
M web/org.openbravo.retail.stockcriteria/js/hookStockCriteria.js
---
(0084827)
hgbot (developer)
2016-03-08 16:46

Repository: erp/pmods/org.openbravo.retail.pricecriteria
Changeset: c599888d6791d5937e79b9a5a4be03ae38647cc3
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Tue Mar 08 16:46:02 2016 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.pricecriteria/rev/c599888d6791d5937e79b9a5a4be03ae38647cc3

Related to issue 31257 Prevent sql injection in pricecriteria

---
M src/org/openbravo/retail/pricecriteria/PriceChHQLCriteria.java
M src/org/openbravo/retail/pricecriteria/PriceChValueHQLCriteria.java
M web/org.openbravo.retail.pricecriteria/js/hookPriceCriteria.js
---
(0085015)
hgbot (developer)
2016-03-16 17:18

Repository: erp/pmods/org.openbravo.retail.posterminal
Changeset: b06c5054696d228e1ddc7cc8cfcada43fea7a680
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Wed Mar 16 09:00:47 2016 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/rev/b06c5054696d228e1ddc7cc8cfcada43fea7a680

related to issue 31257 ability to support jsonarray in HQLCriteria

---
M src/org/openbravo/retail/posterminal/BrandChHQLCriteria.java
M src/org/openbravo/retail/posterminal/BrandChValueHQLCriteria.java
M src/org/openbravo/retail/posterminal/BrandHQLCriteria.java
M src/org/openbravo/retail/posterminal/BrandsFilterByCHHQLCriteria.java
M src/org/openbravo/retail/posterminal/ChHQLCriteria.java
M src/org/openbravo/retail/posterminal/CharacteristicHQLCriteria.java
M src/org/openbravo/retail/posterminal/ChvHQLCriteria.java
M web/org.openbravo.retail.posterminal/js/components/modalproductbrand.js
M web/org.openbravo.retail.posterminal/js/components/modalproductcharacteristic.js
---
(0085016)
hgbot (developer)
2016-03-16 17:19

Repository: erp/pmods/org.openbravo.mobile.core
Changeset: f97478435c1d1aedffdd0e7f94a611c0e52c31f7
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Wed Mar 16 08:58:39 2016 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/f97478435c1d1aedffdd0e7f94a611c0e52c31f7

related to issue 31257 ability to support jsonarray in HQLCriteria

---
M src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java
M web/org.openbravo.mobile.core/source/retail/component/ob-retail-searchproductcharacteristic.js
---
(0085240)
dmitry_mezentsev (developer)
2016-03-21 12:14

Not closed for 14 days!
(0085283)
mtaal (manager)
2016-03-23 09:39

I checked the code and attached a diff to solve a specific issue: HQLCriteria and FiltersCriteria can have the same operators and therefore possibly share the same parameter aliases as created by the code.
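As an added illustration of the Proposed Solution above and of the alias-collision point in this note (example code written here, not Openbravo's SimpleQueryBuilder): a small builder that binds every client-supplied value as a named HQL parameter instead of inlining it, draws aliases from one shared counter so criteria from different groups never reuse a name even when they use the same operator, and parses numeric values to BigDecimal as the af2f38b4 commit describes. The class, method, group and operator names, and the `Product` entity, are assumptions.

```java
import java.math.BigDecimal;
import java.util.LinkedHashMap;
import java.util.Map;

/** Hypothetical stand-in for a SimpleQueryBuilder-style class (not the project's code). */
public class ParamQueryBuilder {
    // Whitelist of operator names a client may send, mapped to the HQL symbol that is emitted.
    private static final Map<String, String> OPS = Map.of(
            "equals", "=", "like", "like", "gt", ">", "lt", "<");

    private final StringBuilder hql = new StringBuilder("select p from Product p where 1=1");
    private final Map<String, Object> params = new LinkedHashMap<>();
    private int counter = 0; // one counter for all groups: an alias is never handed out twice

    /** Unsafe form, kept only for contrast: the value becomes part of the query text. */
    static String inlined(String name) {
        return "select p from Product p where p.name = '" + name + "'";
    }

    /** group: e.g. "hqlCriteria" or "filter"; operatorName must be a whitelisted key. */
    public ParamQueryBuilder add(String group, String property, String operatorName, String rawValue) {
        String symbol = OPS.get(operatorName);
        if (symbol == null) throw new IllegalArgumentException("unknown operator: " + operatorName);
        // Property names are query text too, so they are restricted to a plain identifier.
        if (!property.matches("[A-Za-z_][A-Za-z0-9_]*")) throw new IllegalArgumentException("bad property");
        String alias = group + "_" + operatorName + "_" + (counter++);
        hql.append(" and p.").append(property).append(' ').append(symbol).append(" :").append(alias);
        params.put(alias, toValue(rawValue)); // value travels out of band, never inside the HQL
        return this;
    }

    /** Numbers become BigDecimal (Double would lose precision); anything else stays a String. */
    private static Object toValue(String raw) {
        try { return new BigDecimal(raw); } catch (NumberFormatException e) { return raw; }
    }

    public String hql() { return hql.toString(); }
    public Map<String, Object> params() { return params; }

    public static void main(String[] args) {
        // Constructed input: a name with a single quote, the case from related issue 0032017.
        String name = "O'Brien's";
        System.out.println(inlined(name)); // quote terminates the literal: broken and unsafe
        ParamQueryBuilder b = new ParamQueryBuilder()
                .add("hqlCriteria", "name", "equals", name)
                .add("filter", "brand", "equals", "Levi's") // same operator, different alias
                .add("filter", "price", "gt", "9.99");      // bound as BigDecimal 9.99
        System.out.println(b.hql());    // ... :hqlCriteria_equals_0 ... :filter_equals_1 ... :filter_gt_2
        System.out.println(b.params()); // each entry would go to query.setParameter(alias, value)
    }
}
```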
(0085291)
hgbot (developer)
2016-03-23 15:20

Repository: erp/pmods/org.openbravo.mobile.core
Changeset: 9294b7efe80ab545dffac4c8c7fea52eb11ab4bf
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Wed Mar 23 15:18:52 2016 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/9294b7efe80ab545dffac4c8c7fea52eb11ab4bf

related to issue 31257 prevents operators have the same name

---
M src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java
---
(0085319)
mtaal (manager)
2016-03-29 18:26

Reviewed and tested, remaining/found error is solved in separate mantis issue.
(0085326)
hgbot (developer)
2016-03-30 09:21

Repository: erp/pmods/org.openbravo.mobile.core
Changeset: 2ed7975220d5225cb3464da84dad5c0d256e8040
Author: Martin Taal <martin.taal <at> openbravo.com>
Date: Wed Mar 30 00:16:02 2016 +0200
URL: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/2ed7975220d5225cb3464da84dad5c0d256e8040

Related to issue 31257: Prevent sql injection in SimpleQueryBuilder
Make a member private instead of protected

---
M src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java
---
(0085327)
mtaal (manager)
2016-03-30 10:02

Last commit should have been committed before closing issue, but change is tiny and was noted and sent to try before closing.

Issue History
Date Modified Username Field Change
2015-10-27 08:45 mtaal New Issue
2015-10-27 08:45 mtaal Assigned To => Sandrahuguet
2015-10-27 08:45 mtaal Triggers an Emergency Pack => No
2015-10-27 08:45 mtaal Relationship added related to 0031106
2015-11-09 09:55 Sandrahuguet Status new => scheduled
2015-12-22 17:45 Orekaria Target Version RR16Q1 => RR16Q2
2016-01-29 14:25 Sandrahuguet Relationship added related to 0032017
2016-02-05 08:23 Sandrahuguet Review Assigned To => mtaal
2016-02-05 08:24 Sandrahuguet Status scheduled => acknowledged
2016-02-05 08:27 Sandrahuguet Status acknowledged => scheduled
2016-02-09 16:56 Sandrahuguet Note Added: 0084060
2016-02-09 16:57 Sandrahuguet Status scheduled => resolved
2016-02-09 16:57 Sandrahuguet Resolution open => fixed
2016-02-09 17:00 hgbot Checkin
2016-02-09 17:00 hgbot Note Added: 0084061
2016-02-09 17:02 hgbot Checkin
2016-02-09 17:02 hgbot Note Added: 0084062
2016-02-09 17:03 hgbot Checkin
2016-02-09 17:03 hgbot Note Added: 0084063
2016-02-09 17:04 hgbot Checkin
2016-02-09 17:04 hgbot Note Added: 0084064
2016-02-12 12:00 mtaal Review Assigned To mtaal => migueldejuana
2016-02-14 14:47 Orekaria Note Added: 0084171
2016-02-14 14:47 Orekaria Status resolved => new
2016-02-14 14:47 Orekaria Resolution fixed => open
2016-02-14 14:47 Orekaria Status new => feedback
2016-02-14 15:17 Orekaria Status feedback => scheduled
2016-02-14 16:50 hgbot Checkin
2016-02-14 16:50 hgbot Note Added: 0084172
2016-02-15 10:36 Sandrahuguet Status scheduled => resolved
2016-02-15 10:36 Sandrahuguet Resolution open => fixed
2016-02-16 11:26 migueldejuana Note Added: 0084234
2016-02-16 11:26 migueldejuana Status resolved => closed
2016-02-26 13:40 Sandrahuguet Note Added: 0084567
2016-02-26 13:40 Sandrahuguet Status closed => new
2016-02-26 13:40 Sandrahuguet Resolution fixed => open
2016-03-07 11:27 hgbot Checkin
2016-03-07 11:27 hgbot Note Added: 0084758
2016-03-07 11:28 hgbot Checkin
2016-03-07 11:28 hgbot Note Added: 0084759
2016-03-07 11:29 Sandrahuguet Status new => scheduled
2016-03-07 11:29 Sandrahuguet Status scheduled => resolved
2016-03-07 11:29 Sandrahuguet Resolution open => fixed
2016-03-07 17:10 hgbot Checkin
2016-03-07 17:10 hgbot Note Added: 0084786
2016-03-07 20:22 mtaal Review Assigned To migueldejuana => mtaal
2016-03-08 16:44 hgbot Checkin
2016-03-08 16:44 hgbot Note Added: 0084826
2016-03-08 16:46 hgbot Checkin
2016-03-08 16:46 hgbot Note Added: 0084827
2016-03-14 16:04 Orekaria Relationship added related to 0029718
2016-03-16 17:18 hgbot Checkin
2016-03-16 17:18 hgbot Note Added: 0085015
2016-03-16 17:19 hgbot Checkin
2016-03-16 17:19 hgbot Note Added: 0085016
2016-03-21 12:14 dmitry_mezentsev Note Added: 0085240
2016-03-23 09:38 mtaal File Added: review.diff
2016-03-23 09:39 mtaal Note Added: 0085283
2016-03-23 15:20 hgbot Checkin
2016-03-23 15:20 hgbot Note Added: 0085291
2016-03-29 17:49 Sandrahuguet Relationship added blocks 0032551
2016-03-29 18:26 mtaal Note Added: 0085319
2016-03-29 18:26 mtaal Status resolved => closed
2016-03-29 18:26 mtaal Fixed in Version => RR16Q2
2016-03-30 09:21 hgbot Checkin
2016-03-30 09:21 hgbot Note Added: 0085326
2016-03-30 10:02 mtaal Note Added: 0085327
2016-03-31 14:36 Sandrahuguet Relationship added related to 0032566
2016-04-20 13:10 adrianromero Relationship added causes 0032727