[jbossseam-issues] [JBoss JIRA] Closed: (JBSEAM-3550) EntityQuery and ordering issue

Norman Richards (JIRA) jira-events at lists.jboss.org
Mon Oct 13 12:59:20 EDT 2008


     [ https://jira.jboss.org/jira/browse/JBSEAM-3550?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Norman Richards closed JBSEAM-3550.
-----------------------------------

    Resolution: Done


This was implemented independently of this issue, so I'm marking it as done.  I would like to comment on a few issues with this, because we really need to exercise extreme caution here.

First, when configuring the order in code or in XML, the order property can be used.  This should give you full control over the order clause with no checking being done.  The orderColumn and orderDirection properties are for UI binding purposes.  We have to impose extremely strict constraints on this for security reasons.

I'm not even comfortable with the way things worked before the change because it already has a very subtle vulnerability.  The problem isn't just injection.  Let's say you have a user list and you expose order column the way it is in seam-gen.   You want to allow sorting by name, email etc..., but every person also has a salary column.  (which you have edited out of the seam-gen screen)  If you bind orderColumn to the UI, the user could sort the people based on salary, exposing information about people that you probably don't want exposed.


I really don't like that.  Allowing "." in the bindable order column field increases the magnitude of the vulnerability, exposing even more fields to the vulnerability.  This can't be considered a good thing.

I don't have a solution for this short of requiring explicit configuration of each sortable column value, either a white list of valid values or a mapping for names to query strings.  This would impose a bit of a burden on seam-gen, but it would be doable.

Comments?

> EntityQuery and ordering issue
> ------------------------------
>
>                 Key: JBSEAM-3550
>                 URL: https://jira.jboss.org/jira/browse/JBSEAM-3550
>             Project: Seam
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.1.0.CR1
>            Reporter: Jarek Gilewski
>            Assignee: Norman Richards
>             Fix For: 2.1.0.GA
>
>
> I cannot call
> setOrderColumn("pi.payment.name"); // for joined tables
> for EntityQuery.
> I got
> java.lang.IllegalArgumentException: invalid order column
> 	at org.jboss.seam.framework.Query.sanitizeOrderColumn(Query.java:445)
> 	at org.jboss.seam.framework.Query.setOrderColumn(Query.java:436)
> I can see at Query.java that the column name is checked with pattern "\\w*$" (ORDER_COLUMN_PATTERN) which I guess doesn't allow the dot in the order column name.
> Can we change the ORDER_COLUMN_PATTERN to allow ordering by related columns?
> I think it should be something like this '^(\w+)(\.\w+)*$'.
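As an added illustration (not Seam's code) of the two checks discussed above: the character pattern quoted in the report, which says nothing about which columns a UI-bound orderColumn may reach, and the explicit allow-list mapping from sort keys to query fragments that the comment proposes. The person entity, its p.* paths, the sort keys, and the use of Matcher.matches() are assumptions.

```java
import java.util.Map;
import java.util.regex.Pattern;

// Added example, not part of Seam. Contrasts a pattern-only check on the
// UI-bound order column with an explicit allow-list of sortable keys.
public class OrderColumnCheck {
    // ORDER_COLUMN_PATTERN as quoted in the report, and the relaxed pattern
    // proposed there. Both constrain only the characters of the name, not
    // which entity fields a user may sort on.
    static final Pattern ORIGINAL = Pattern.compile("\\w*$");
    static final Pattern RELAXED  = Pattern.compile("^(\\w+)(\\.\\w+)*$");

    // Hypothetical allow-list for a person list: UI sort key -> ORDER BY fragment.
    // "salary" exists on the entity but is deliberately not listed here.
    static final Map<String, String> SORTABLE = Map.of(
        "name",    "p.name",
        "email",   "p.email",
        "payment", "p.payment.name");   // joined path exposed under a plain key

    // Pattern check only. matches() is assumed, consistent with the report
    // that a dotted path is rejected by the original pattern.
    static boolean passesPattern(Pattern p, String column) {
        return column != null && p.matcher(column).matches();
    }

    // Allow-list check: returns the ORDER BY fragment for a UI key, or throws.
    // The direction is normalised to one of two literals rather than echoed.
    static String orderClauseFor(String key, String direction) {
        String fragment = key == null ? null : SORTABLE.get(key);
        if (fragment == null) {
            throw new IllegalArgumentException("invalid order column: " + key);
        }
        String dir = "desc".equalsIgnoreCase(direction) ? "desc" : "asc";
        return fragment + " " + dir;
    }

    public static void main(String[] args) {
        // Both patterns accept "salary"; the relaxed one also accepts "pi.salary".
        System.out.println(passesPattern(ORIGINAL, "salary"));
        System.out.println(passesPattern(RELAXED, "pi.payment.name"));
        System.out.println(passesPattern(RELAXED, "pi.salary"));
        // The allow-list resolves only the intended keys and rejects the rest.
        System.out.println(orderClauseFor("payment", "desc"));
        try {
            orderClauseFor("salary", "asc");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

With an allow-list like this, the pattern check becomes redundant for UI-bound sorting, since unknown keys never reach the query string at all.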

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira