Author: taylor
Date: Sat Jan 16 00:22:27 2016
New Revision: 1724898
URL: http://svn.apache.org/viewvc?rev=1724898&view=rev
Log:
Further tightening of security around the new user manager service against SQL injection.
Fixes a bug in the new user manager where the security behavior was being
overridden with an empty policy.
Modified:
portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/AbstractRestService.java
portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/UserManagerService.java
Modified:
portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/AbstractRestService.java
URL:
http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/AbstractRestService.java?rev=1724898&r1=1724897&r2=1724898&view=diff
==============================================================================
---
portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/AbstractRestService.java
(original)
+++
portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/AbstractRestService.java
Sat Jan 16 00:22:27 2016
@@ -23,13 +23,15 @@ import org.apache.jetspeed.services.bean
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
+import java.util.ArrayList;
+import java.util.List;
/**
* Created by dtaylor on 5/2/15.
*/
public class AbstractRestService {
- private PortletActionSecurityBehavior securityBehavior;
+ protected PortletActionSecurityBehavior securityBehavior;
protected AbstractRestService(PortletActionSecurityBehavior
securityBehavior) {
this.securityBehavior = securityBehavior;
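Review bot: Widening `securityBehavior` from private to protected lets any subclass reassign the field, which is the same failure mode the commit log describes (the subclass ending up with an empty policy), only now without a shadowing field to spot. If the class has no setter outside this hunk, `protected final PortletActionSecurityBehavior securityBehavior;` keeps the subclass access this change needs while making the constructor at the end of the hunk the only place it can be set. A one-line Javadoc on the field would also help: `/** Policy consulted by checkPrivilege(); set once via the constructor and shared with subclasses. */`. The rest of AbstractRestService's constructor and body lie outside this hunk.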
@@ -47,4 +49,22 @@ public class AbstractRestService {
}
}
+ protected String stripSQLInjection(String in) {
+ if (in == null) {
+ return null;
+ }
+ return in.replaceAll("['\"]", "");
+ }
+
+ protected List<String> stripSQLInjection(List<String> in) {
+ if (in == null) {
+ return null;
+ }
+ ArrayList<String> out = new ArrayList<>();
+ for (String s : in) {
+ out.add(stripSQLInjection(s));
+ }
+ return out;
+ }
+
}
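Review bot: `stripSQLInjection` does not prevent SQL injection; it removes single and double quotes and nothing else, so it alters legitimate values (a user name such as `O'Brien` silently becomes `OBrien`) while leaving `;`, `--`, `\`, and anything reaching an unquoted position such as an ORDER BY clause untouched. The durable fix is bind parameters in whatever lookup code consumes these strings, which is outside this hunk; if a REST-layer filter is still wanted it should reject rather than rewrite, for example `if (!in.matches("[\\w.@\\-]*")) throw new WebApplicationException(Response.Status.BAD_REQUEST);`, with the allowed character set confirmed against the real user-name and attribute rules. Either way the method needs a Javadoc stating it is a defense-in-depth filter and not a substitute for parameterized queries, so a later maintainer does not treat its name as a guarantee. The List overload returning `null` for a null input is consistent with the String overload, but the caller should still be prepared for that.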
Modified:
portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/UserManagerService.java
URL:
http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/UserManagerService.java?rev=1724898&r1=1724897&r2=1724898&view=diff
==============================================================================
---
portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/UserManagerService.java
(original)
+++
portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/UserManagerService.java
Sat Jan 16 00:22:27 2016
@@ -82,7 +82,6 @@ public class UserManagerService extends
private GroupManager groupManager;
private Profiler profiler;
private PageManager pageManager;
- private PortletActionSecurityBehavior securityBehavior;
public UserManagerService(UserManager userManager, RoleManager
roleManager, GroupManager groupManager, Profiler profiler, PageManager
pageManager,
PortletActionSecurityBehavior securityBehavior)
@@ -118,7 +117,14 @@ public class UserManagerService extends
@QueryParam("attribute_key")
List<String> attributeKeys, @QueryParam("attribute_value") List<String>
attributeValues)
{
checkPrivilege(servletRequest, JetspeedActions.VIEW);
-
+
+ userName = stripSQLInjection(userName);
+ sortDirection = stripSQLInjection(sortDirection);
+ roles = stripSQLInjection(roles);
+ groups = stripSQLInjection(groups);
+ attributeKeys = stripSQLInjection(attributeKeys);
+ attributeValues = stripSQLInjection(attributeValues);
+
Map<String, String> attributeMap = null;
if (attributeKeys != null && attributeKeys.size() > 0 &&
attributeKeys.size() == attributeValues.size())
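Review bot: `sortDirection` is the one parameter here that typically lands in an unquoted SQL position (an ORDER BY clause), and quote stripping has no effect there; it should be allow-listed instead, for example `if (sortDirection != null && !"asc".equalsIgnoreCase(sortDirection) && !"desc".equalsIgnoreCase(sortDirection)) throw new WebApplicationException(Response.Status.BAD_REQUEST);`, assuming those are the only values the consuming code accepts. The new stripping also leaves the pre-existing guard below it unchanged: when `attribute_key` is supplied and `attribute_value` is absent, `attributeValues` stays null after `stripSQLInjection` and `attributeValues.size()` throws NullPointerException, which a caller can trigger with a single request. The method signature and the remainder of this handler lie outside the hunk, so the downstream SQL construction cannot be verified from here.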
@@ -568,4 +574,5 @@ public class UserManagerService extends
throw new WebApplicationException(new
JetspeedException("Insufficient privilege to access this REST service."));
}
}
+
}