CVE-2018-1290-1291-1292
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/api/ApiParameterHelper.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/api/ApiParameterHelper.java
index 2828f5b..62ac666 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/api/ApiParameterHelper.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/api/ApiParameterHelper.java
@@ -18,6 +18,7 @@
  */
 package org.apache.fineract.infrastructure.core.api;
 
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -30,6 +31,7 @@
 
 import org.apache.commons.lang.StringUtils;
 import org.apache.fineract.infrastructure.core.serialization.JsonParserHelper;
+import org.apache.fineract.infrastructure.security.utils.SQLInjectionValidator;
 
 public class ApiParameterHelper {
 
@@ -166,8 +168,10 @@
     public static String sqlEncodeString(final String str) {
         final String singleQuote = "'";
         final String twoSingleQuotes = "''";
+        SQLInjectionValidator.validateSQLInput(str);
         return singleQuote + StringUtils.replace(str, singleQuote, twoSingleQuotes, -1) + singleQuote;
     }
+    
 
     public static Map<String, String> asMap(final MultivaluedMap<String, String> queryParameters) {
 
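Review bot: sqlEncodeString still returns a quoted literal intended for string-concatenated SQL, so the validateSQLInput call on the added line screens input in front of the concatenation rather than removing it; where a caller can use a bind variable, a `?` placeholder with the value passed to JdbcTemplate makes the validator redundant and should be preferred. The hunk does not show how validateSQLInput treats a null str, while StringUtils.replace passes null through and the method then returns the literal `'null'`, so it is worth confirming the validator's null handling is consistent with that. The added line after the closing brace carries trailing whitespace and should be a plain blank line.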
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadReportingServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadReportingServiceImpl.java
index b7cd352..c732f0d 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadReportingServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadReportingServiceImpl.java
@@ -49,6 +49,7 @@
 import org.apache.fineract.infrastructure.documentmanagement.contentrepository.FileSystemContentRepository;
 import org.apache.fineract.infrastructure.report.provider.ReportingProcessServiceProvider;
 import org.apache.fineract.infrastructure.security.service.PlatformSecurityContext;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
 import org.apache.fineract.useradministration.domain.AppUser;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -73,16 +74,19 @@
     private final PlatformSecurityContext context;
     private final GenericDataService genericDataService;
     private final ReportingProcessServiceProvider reportingProcessServiceProvider;
+    private final ColumnValidator columnValidator;
 
     @Autowired
     public ReadReportingServiceImpl(final PlatformSecurityContext context, final RoutingDataSource dataSource,
-            final GenericDataService genericDataService, final ReportingProcessServiceProvider reportingProcessServiceProvider) {
+            final GenericDataService genericDataService, final ReportingProcessServiceProvider reportingProcessServiceProvider,
+            final ColumnValidator columnValidator) {
 
         this.context = context;
         this.dataSource = dataSource;
         this.jdbcTemplate = new JdbcTemplate(this.dataSource);
         this.genericDataService = genericDataService;
         this.reportingProcessServiceProvider = reportingProcessServiceProvider;
+        this.columnValidator = columnValidator;
     }
 
     @Override
@@ -221,7 +225,8 @@
     public String getReportType(final String reportName) {
 
         final String sql = "SELECT ifnull(report_type,'') as report_type FROM `stretchy_report` where report_name = '" + reportName + "'";
-
+        this.columnValidator.validateSqlInjection(sql, reportName);
+        
         final String sqlWrapped = this.genericDataService.wrapSQL(sql);
 
         final SqlRowSet rs = this.jdbcTemplate.queryForRowSet(sqlWrapped);
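Review bot: The validator on the added line inspects a statement that has already had reportName concatenated into it on the line above; binding the value instead removes the injection surface rather than screening it, i.e. end the query with `where report_name = ?` and execute it as `this.jdbcTemplate.queryForRowSet(sqlWrapped, reportName);`. Whether genericDataService.wrapSQL leaves a `?` placeholder intact is not visible here and should be checked before making that change. The added blank line carries trailing whitespace. getReportType's body continues past the end of the hunk.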
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadWriteNonCoreDataServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadWriteNonCoreDataServiceImpl.java
index e5b7055..31fdfca 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadWriteNonCoreDataServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadWriteNonCoreDataServiceImpl.java
@@ -49,6 +49,7 @@
 import org.apache.fineract.infrastructure.dataqueries.exception.DatatableNotFoundException;
 import org.apache.fineract.infrastructure.dataqueries.exception.DatatableSystemErrorException;
 import org.apache.fineract.infrastructure.security.service.PlatformSecurityContext;
+import org.apache.fineract.infrastructure.security.utils.ColumnValidator;
 import org.apache.fineract.infrastructure.security.utils.SQLInjectionValidator;
 import org.apache.fineract.useradministration.domain.AppUser;
 import org.joda.time.LocalDate;
@@ -106,6 +107,7 @@
     private final ConfigurationDomainService configurationDomainService;
     private final CodeReadPlatformService codeReadPlatformService;
     private final DataTableValidator dataTableValidator;
+    private final ColumnValidator columnValidator;
 
     // private final GlobalConfigurationWritePlatformServiceJpaRepositoryImpl
     // configurationWriteService;
@@ -114,7 +116,8 @@
     public ReadWriteNonCoreDataServiceImpl(final RoutingDataSource dataSource, final PlatformSecurityContext context,
             final FromJsonHelper fromJsonHelper, final GenericDataService genericDataService,
             final DatatableCommandFromApiJsonDeserializer fromApiJsonDeserializer, final CodeReadPlatformService codeReadPlatformService,
-            final ConfigurationDomainService configurationDomainService, final DataTableValidator dataTableValidator) {
+            final ConfigurationDomainService configurationDomainService, final DataTableValidator dataTableValidator,
+            final ColumnValidator columnValidator) {
         this.dataSource = dataSource;
         this.jdbcTemplate = new JdbcTemplate(this.dataSource);
         this.context = context;
@@ -125,6 +128,7 @@
         this.codeReadPlatformService = codeReadPlatformService;
         this.configurationDomainService = configurationDomainService;
         this.dataTableValidator = dataTableValidator;
+        this.columnValidator = columnValidator;
         // this.configurationWriteService = configurationWriteService;
     }
 
@@ -1183,6 +1187,7 @@
             sql = sql + "select * from `" + dataTableName + "` where id = " + id;
         }
 
+        this.columnValidator.validateSqlInjection(sql, order);
         if (order != null) {
             sql = sql + " order by " + order;
         }
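Review bot: validateSqlInjection is called with order before the `if (order != null)` guard, so on the null path the validator receives a null column expression; the hunk does not show whether it tolerates that, and moving the call inside the guard keeps the check next to the concatenation it protects: `if (order != null) { this.columnValidator.validateSqlInjection(sql, order); sql = sql + " order by " + order; }`. Since an ORDER BY target cannot be a bind parameter, the durable protection is matching order against the datatable's known column names rather than pattern-screening the string; whether ColumnValidator already does that is not visible here. The enclosing method begins before the hunk.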