fixed issue 41412: incorrect attachment key management
authorAsier Lostalé <asier.lostale@openbravo.com>
Mon, 22 Jul 2019 13:10:02 +0200
changeset 36265 431ffa6714d0
parent 36261 a1b4e7777553
child 36266 59f670b19433
fixed issue 41412: incorrect attachment key management

The changeset includes:
* Checking key sent from customer is a valid ID
* Check the record is readable when uploading files
* Check there is an actual record for a given key
modules/org.openbravo.client.application/src/org/openbravo/client/application/attachment/AttachImplementationManager.java
src/org/openbravo/erpCommon/businessUtility/TabAttachments.java
--- a/modules/org.openbravo.client.application/src/org/openbravo/client/application/attachment/AttachImplementationManager.java	Thu Jul 18 12:00:43 2019 +0000
+++ b/modules/org.openbravo.client.application/src/org/openbravo/client/application/attachment/AttachImplementationManager.java	Mon Jul 22 13:10:02 2019 +0200
@@ -11,7 +11,7 @@
  * under the License.
  * The Original Code is Openbravo ERP.
  * The Initial Developer of the Original Code is Openbravo SLU
- * All portions are Copyright (C) 2015-2018 Openbravo SLU
+ * All portions are Copyright (C) 2015-2019 Openbravo SLU
  * All Rights Reserved.
  * Contributor(s):  ______________________________________.
  ************************************************************************
@@ -46,6 +46,7 @@
 import org.hibernate.HibernateException;
 import org.hibernate.criterion.Restrictions;
 import org.openbravo.base.exception.OBException;
+import org.openbravo.base.exception.OBSecurityException;
 import org.openbravo.base.model.Entity;
 import org.openbravo.base.model.ModelProvider;
 import org.openbravo.base.provider.OBProvider;
@@ -168,6 +169,8 @@
         attachment.setDataType(strDataType);
       }
 
+      checkReadableAccess(attachment);
+
       OBDal.getInstance().save(attachment);
 
       AttachImplementation handler = getHandler(attachMethod.getValue());
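Review bot: The new `checkReadableAccess(attachment)` call guards a write (creating and saving an attachment on the target record) with a read-only permission test, so a role that may only read the record can still attach files to it; if `SecurityChecker` exposes a write-level check, that would be the tighter gate here, otherwise a comment stating that read access is deliberately sufficient would help the next maintainer. The check also inspects `attachment.getRecord()` without any prior format validation in this class, so a malformed id reaches `OBDal.get` directly and will surface as a persistence error rather than an `OBSecurityException`; the `IsIDFilter` validation added in `TabAttachments` only protects that one caller. I would add `// read access to the target record is required before the attachment row is persisted` above the call so the ordering relative to `save` is not disturbed later. The enclosing method begins and ends outside this hunk.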
@@ -471,6 +474,10 @@
       Object object = OBDal.getInstance().get(entity.getMappingClass(), attachment.getRecord());
       if (object instanceof OrganizationEnabled) {
         SecurityChecker.getInstance().checkReadableAccess((OrganizationEnabled) object);
+      } else if (object == null) {
+        throw new OBSecurityException(
+            "Trying to create an attachment in table " + attachment.getTable()
+                + " for a record with ID " + attachment.getRecord() + " that does not exists.");
       }
     }
   }
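Review bot: The new error message in the `object == null` branch has a grammatical slip ("does not exists") and concatenates `attachment.getTable()`, which prints the `Table` object's `toString()` rather than a stable identifier; I would change it to `"Trying to create an attachment in table " + attachment.getTable().getId() + " for a record with ID " + attachment.getRecord() + " that does not exist."` (use whichever accessor on `Table` yields the id or name in this codebase). Note also that a record which exists but does not implement `OrganizationEnabled` falls through both branches with no access check at all; if that is intended, a short comment such as `// non-organization-scoped entities are not access-checked here` would make the gap explicit rather than accidental. The `checkReadableAccess` method starts above this hunk, so any guard on the id format of `attachment.getRecord()` before the `OBDal.get` call would belong in the lines not shown.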
--- a/src/org/openbravo/erpCommon/businessUtility/TabAttachments.java	Thu Jul 18 12:00:43 2019 +0000
+++ b/src/org/openbravo/erpCommon/businessUtility/TabAttachments.java	Mon Jul 22 13:10:02 2019 +0200
@@ -11,7 +11,7 @@
  * under the License.
  * The Original Code is Openbravo ERP.
  * The Initial Developer of the Original Code is Openbravo SLU
- * All portions are Copyright (C) 2001-2017 Openbravo SLU
+ * All portions are Copyright (C) 2001-2019 Openbravo SLU
  * All Rights Reserved.
  * Contributor(s):  ______________________________________.
  ************************************************************************
@@ -38,6 +38,8 @@
 import org.codehaus.jettison.json.JSONException;
 import org.codehaus.jettison.json.JSONObject;
 import org.openbravo.base.exception.OBException;
+import org.openbravo.base.exception.OBSecurityException;
+import org.openbravo.base.filter.IsIDFilter;
 import org.openbravo.base.secureApp.HttpSecureAppServlet;
 import org.openbravo.base.secureApp.VariablesSecureApp;
 import org.openbravo.base.weld.WeldUtils;
@@ -95,6 +97,10 @@
         final String strTab = paramValues.getString("inpTabId");
         tab = adcs.getTab(strTab);
         key = paramValues.getString("inpKey");
+        if (!IsIDFilter.instance.accept(key)) {
+          throw new OBSecurityException("Invalid key for attachement in tab " + tab + " ID:" + key);
+        }
+
         final String strDocumentOrganization = paramValues.getString("inpDocumentOrg");
         final FileItem file = vars.getMultiFile("inpname");
         if (file == null) {
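Review bot: The new `OBSecurityException` message misspells "attachment" and interpolates `tab` (a `Tab` object) instead of the raw `strTab` id, so the log line will show whatever `Tab.toString()` yields rather than the identifier the client sent; I would write `throw new OBSecurityException("Invalid key for attachment in tab " + strTab + " ID: " + key);`. The validation is also placed after `adcs.getTab(strTab)` is already resolved, while `strTab` itself receives no `IsIDFilter` check; if `getTab` accepts arbitrary strings, validating both parameters before any lookup would be the consistent choice. Whether `paramValues.getString("inpKey")` can return `null` and how `IsIDFilter.accept` treats it is not visible here and is worth confirming. The enclosing method begins and ends outside this hunk.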