ID: 0032139
Type: backport
Category: [Retail Modules] Web POS
Severity: major
Reproducibility: have not tried
Date Submitted: 2015-10-27 08:45
Last Update: 2016-03-09 18:33
Reporter: mtaal
View Status: public
Assigned To: Sandrahuguet
Priority: normal
Resolution: fixed
Fixed in Version: RR16Q1
Status: closed
Fix in branch:
Fixed in SCM revision: 1f9bf9d06de9
Projection: none
ETA: none
Target Version: RR16Q1
OS: Any
Database: Any
Java version:
OS Version:
Database version:
Ant version:
Product Version:
SCM revision:
Review Assigned To: marvintm
Regression level:
Regression date:
Regression introduced in release:
Regression introduced by commit:
Triggers an Emergency Pack: No

Summary: 0032139: Prevent SQL injection in SimpleQueryBuilder

Description: As far as I can see there is a risk of SQL injection in the SimpleQueryBuilder, particularly through this commit:
https://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/diff/02a66121f70c/src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java#l1.31

(but also previous commits included this)

Steps To Reproduce: Check the code here:
https://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/file/tip/src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java

Proposed Solution: Parameters all have to be handled as real parameters in the HQL query and not inlined as strings in the query.
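As an added illustration of the proposed solution (example code written for this page, not Openbravo's SimpleQueryBuilder and not taken from any of the linked changesets), the hypothetical builder below keeps every client-supplied value out of the HQL text and binds it as a named parameter. Property names cannot be bound as parameters in HQL, so they are checked against an allow-list instead, and LIKE wildcards in a "contains" value are escaped so the bound value cannot widen the match. It assumes Java 11 and Hibernate 5.2 or later (org.hibernate.query.Query) on the classpath; the entity Product and the listed property names are made up for the example.

```java
// Added example, not Openbravo's code: values go into a bind map, never into the HQL string.
// Assumes Java 11 and Hibernate 5.2+ (org.hibernate.query.Query). Entity/property names are hypothetical.
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.hibernate.Session;
import org.hibernate.query.Query;

public final class SafeHqlBuilder {

    // Properties a client may filter on (hypothetical). Identifiers cannot be bound
    // as parameters, so the only safe option is to reject anything not on this list.
    private static final Set<String> ALLOWED_PROPERTIES =
        Set.of("name", "searchKey", "uPCEAN", "brand.name");

    private final String entity;
    private final List<String> conditions = new ArrayList<>();
    private final Map<String, Object> params = new LinkedHashMap<>();

    public SafeHqlBuilder(String entity) {
        this.entity = entity;
    }

    // The pattern the issue describes: the value is spliced into the query text.
    // Kept here only to show what "inlined as strings" means; never use it.
    public static String unsafeWhere(String property, String value) {
        return "where p." + property + " = '" + value + "'";
    }

    // Safe equality filter: the HQL text only ever contains a placeholder (:p0, :p1, ...).
    public SafeHqlBuilder eq(String property, Object value) {
        requireAllowed(property);
        String name = "p" + params.size();
        conditions.add("p." + property + " = :" + name);
        params.put(name, value);
        return this;
    }

    // Safe case-insensitive "contains" filter. The fragment is still a bind parameter;
    // escaping % and _ keeps a client from turning the fragment into a broader pattern.
    public SafeHqlBuilder contains(String property, String fragment) {
        requireAllowed(property);
        String name = "p" + params.size();
        conditions.add("lower(p." + property + ") like :" + name + " escape '\\'");
        params.put(name, "%" + escapeLike(fragment.toLowerCase()) + "%");
        return this;
    }

    // The HQL text contains entity/property names from the allow-list and placeholders only.
    public String hql() {
        StringBuilder sb = new StringBuilder("select p from ").append(entity).append(" p");
        if (!conditions.isEmpty()) {
            sb.append(" where ").append(String.join(" and ", conditions));
        }
        return sb.toString();
    }

    public Map<String, Object> parameters() {
        return Map.copyOf(params);
    }

    // Creates the Hibernate query and binds every collected value as a real parameter.
    public <T> Query<T> build(Session session, Class<T> type) {
        Query<T> q = session.createQuery(hql(), type);
        for (Map.Entry<String, Object> e : params.entrySet()) {
            q.setParameter(e.getKey(), e.getValue());
        }
        return q;
    }

    private static void requireAllowed(String property) {
        if (!ALLOWED_PROPERTIES.contains(property)) {
            throw new IllegalArgumentException("property not filterable: " + property);
        }
    }

    // Escapes the LIKE metacharacters for the escape '\' clause used above.
    static String escapeLike(String s) {
        return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
    }

    public static void main(String[] args) {
        SafeHqlBuilder b = new SafeHqlBuilder("Product")
            .eq("brand.name", "Acme")
            .contains("name", "50% off_");
        System.out.println(b.hql());
        System.out.println(b.parameters());
        // A filter on a property outside the allow-list is rejected before any HQL is built.
        try {
            b.eq("id; drop", "x");
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The main() only exercises the string-building half so the class can be run without a database; build(Session, Class) is the part a request handler would call with a real Session. The two defences are separate on purpose: binding handles values, the allow-list handles identifiers, and neither one covers the other's case.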
Tags: No tags attached.
Attached Files

Relationships
related to backport 0032566 (RR16Q1.1, closed, Sandrahuguet): Improvements in SimpleQueryBuilder
blocks defect 0031257 (RR16Q2, closed, Sandrahuguet): Prevent sql injection in SimpleQueryBuilder
blocks defect 0032551 (closed, Sandrahuguet): Filter by stockcriteria and pricecriteria in the same query does not work

Notes
(0084412)
hgbot (developer)
2016-02-22 20:12

Repository: retail/backports/3.0RR16Q1/org.openbravo.mobile.core
Changeset: 1f9bf9d06de9e5724fe7dd2d68faf8327e7c2ac6
Author: Guillermo Alvarez de Eulate <guillermo.alvarez <at> openbravo.com>
Date: Mon Feb 22 20:11:46 2016 +0100
URL: http://code.openbravo.com/retail/backports/3.0RR16Q1/org.openbravo.mobile.core/rev/1f9bf9d06de9e5724fe7dd2d68faf8327e7c2ac6

Fixes issue 32139 backport of 31257: Prevent HQL Injection

---
M src/org/openbravo/mobile/core/process/ProcessHQLQuery.java
M src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java
M web/org.openbravo.mobile.core/source/retail/component/ob-retail-searchproductcharacteristic.js
---
(0084568)
Sandrahuguet (developer)
2016-02-26 13:41

Prevent sql injection in HQLCriteria
(0084760)
hgbot (developer)
2016-03-07 11:31

Repository: retail/backports/3.0RR16Q1/org.openbravo.mobile.core
Changeset: ca4993e4d2407ec80b48200dc357b199767761e7
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Mon Mar 07 11:30:29 2016 +0100
URL: http://code.openbravo.com/retail/backports/3.0RR16Q1/org.openbravo.mobile.core/rev/ca4993e4d2407ec80b48200dc357b199767761e7

Related to issue 32139 Prevent sql injection in HQLCriteria part

---
M src/org/openbravo/mobile/core/process/HQLCriteriaProcess.java
M src/org/openbravo/mobile/core/process/SimpleQueryBuilder.java
M web/org.openbravo.mobile.core/source/retail/component/ob-retail-searchproductcharacteristic.js
---
(0084761)
hgbot (developer)
2016-03-07 11:31

Repository: retail/backports/3.0RR16Q1/org.openbravo.retail.posterminal
Changeset: ec5454d821138c7cd8255a4e9c7ca36eac096958
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Mon Mar 07 11:29:44 2016 +0100
URL: http://code.openbravo.com/retail/backports/3.0RR16Q1/org.openbravo.retail.posterminal/rev/ec5454d821138c7cd8255a4e9c7ca36eac096958

Related to issue 32139 Prevent sql injection in HQLCriteria part

---
M src/org/openbravo/retail/posterminal/BrandChHQLCriteria.java
M src/org/openbravo/retail/posterminal/BrandChValueHQLCriteria.java
M src/org/openbravo/retail/posterminal/BrandHQLCriteria.java
M src/org/openbravo/retail/posterminal/CharacteristicHQLCriteria.java
M web/org.openbravo.retail.posterminal/js/components/modalproductcharacteristic.js
A src/org/openbravo/retail/posterminal/ChHQLCriteria.java
A src/org/openbravo/retail/posterminal/ChvHQLCriteria.java
---
(0084774)
hgbot (developer)
2016-03-07 13:41

Repository: retail/backports/3.0RR16Q1/org.openbravo.retail.posterminal
Changeset: 302190f210558b21c41dfee068f23b2c7837eddf
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Mon Mar 07 13:40:45 2016 +0100
URL: http://code.openbravo.com/retail/backports/3.0RR16Q1/org.openbravo.retail.posterminal/rev/302190f210558b21c41dfee068f23b2c7837eddf

related to issue 32139 updated Copyright

---
M src/org/openbravo/retail/posterminal/BrandChValueHQLCriteria.java
M src/org/openbravo/retail/posterminal/BrandHQLCriteria.java
M src/org/openbravo/retail/posterminal/CharacteristicHQLCriteria.java
M web/org.openbravo.retail.posterminal/js/components/modalproductcharacteristic.js
---
(0084775)
hgbot (developer)
2016-03-07 13:42

Repository: retail/backports/3.0RR16Q1/org.openbravo.mobile.core
Changeset: e0a7f7d49b6ff0c830047c6eb4bce3608fec533b
Author: Sandra Huguet <sandra.huguet <at> openbravo.com>
Date: Mon Mar 07 13:42:32 2016 +0100
URL: http://code.openbravo.com/retail/backports/3.0RR16Q1/org.openbravo.mobile.core/rev/e0a7f7d49b6ff0c830047c6eb4bce3608fec533b

related to issue 32139 updated Copyright

---
M src/org/openbravo/mobile/core/process/HQLCriteriaProcess.java
---

Issue History
Date Modified Username Field Change
2016-02-05 08:27 Sandrahuguet Type defect => backport
2016-02-05 08:27 Sandrahuguet Target Version RR16Q2 => RR16Q1
2016-02-09 16:55 hgbot Checkin
2016-02-09 16:55 hgbot Note Added: 0084059
2016-02-09 16:55 hgbot Status scheduled => resolved
2016-02-09 16:55 hgbot Resolution open => fixed
2016-02-09 16:55 hgbot Fixed in SCM revision => http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/8fc1645d949121a1fad530efbd2db845f168e45d
2016-02-09 16:56 Sandrahuguet Status resolved => new
2016-02-09 16:56 Sandrahuguet Resolution fixed => open
2016-02-09 16:56 Sandrahuguet Status new => scheduled
2016-02-09 16:56 Sandrahuguet Note Deleted: 0084059
2016-02-22 20:12 hgbot Checkin
2016-02-22 20:12 hgbot Note Added: 0084412
2016-02-22 20:12 hgbot Status scheduled => resolved
2016-02-22 20:12 hgbot Resolution open => fixed
2016-02-22 20:12 hgbot Fixed in SCM revision http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/8fc1645d949121a1fad530efbd2db845f168e45d => http://code.openbravo.com/retail/backports/3.0RR16Q1/org.openbravo.mobile.core/rev/1f9bf9d06de9e5724fe7dd2d68faf8327e7c2ac6
2016-02-22 20:13 guilleaer Assigned To Sandrahuguet => guilleaer
2016-02-26 13:41 Sandrahuguet Assigned To guilleaer => Sandrahuguet
2016-02-26 13:41 Sandrahuguet Note Added: 0084568
2016-02-26 13:41 Sandrahuguet Status resolved => new
2016-02-26 13:41 Sandrahuguet Resolution fixed => open
2016-03-07 11:31 hgbot Checkin
2016-03-07 11:31 hgbot Note Added: 0084760
2016-03-07 11:31 Sandrahuguet Status new => scheduled
2016-03-07 11:31 Sandrahuguet Status scheduled => resolved
2016-03-07 11:31 Sandrahuguet Resolution open => fixed
2016-03-07 11:31 hgbot Checkin
2016-03-07 11:31 hgbot Note Added: 0084761
2016-03-07 13:41 hgbot Checkin
2016-03-07 13:41 hgbot Note Added: 0084774
2016-03-07 13:42 hgbot Checkin
2016-03-07 13:42 hgbot Note Added: 0084775
2016-03-09 18:33 marvintm Review Assigned To mtaal => marvintm
2016-03-09 18:33 marvintm Status resolved => closed
2016-03-09 18:33 marvintm Fixed in Version => RR16Q1
2016-03-29 17:49 Sandrahuguet Relationship added blocks 0032551
2016-03-31 14:43 Sandrahuguet Relationship added related to 0032566