SQL injection via ModelADService is possible
Description
Activity
Carlos Ruiz May 26, 2015 at 11:54 PM
Marking as resolved, as the context has been implemented and it is now possible to have a "variable" filter via context variables.
Carlos Ruiz October 15, 2014 at 6:51 PM
A better approach that we have discussed is implementing the ability to set context variables in web services, so that the filter can use the context variable as a constant.
Another approach discussed was to use a read-only connection for this query, but I think the first is better.
The validateParameter will always fall short (or potentially fall short); for example, Oracle has the statements MERGE and RENAME. Or a call to a function that executes the statements can be introduced.

Tomáš Švikruha October 2, 2014 at 8:43 AM
IDEMPIERE-1784_v2.patch could partly solve the problem with SQL injection. I removed the before-save validation for the Filter WS parameter, so Filter can again be set as Free. SQL injection is simply checked in the ModelADServiceImpl.validateParameter method.
An exception is thrown when the string contains one of these commands: insert, create, update, drop, delete or alter.
WDYT?

Tomáš Švikruha October 2, 2014 at 7:03 AM
Hi, do you know if anybody has started on a util class to validate read-only SQL syntax? I think the current fix is very limiting: how can I call a web service with a condition? For example, I have a WS for exporting products and I want to filter by product category or tax group. Maybe it is enough if the SQL select does not include any of the INSERT, UPDATE, DELETE, DROP, CREATE or ALTER commands.
Carlos Ruiz April 1, 2014 at 3:58 PM
Affected Installs
Adempiere versions with web services installed
iDempiere versions
Mitigation
On Adempiere, restrict access to the Web Services Security window (on iDempiere the access is already restricted)
Do not configure a queryData web service with Filter set as Free
Solution
A commit was made on March 26 preventing the configuration of Filter as Free.
It is possible to use the filter of the queryData method from ModelADService for SQL injection. See example xml.
The problem is in the statement where the filter is appended to the SQL string without any validation or parameter binding:
if (modelCRUD.getFilter() != null && modelCRUD.getFilter().length() > 0)
sqlquery += " AND " + modelCRUD.getFilter();
As you can see, there is no check for SQL injection here, and the two statements (the base query and whatever the filter appends to it) get executed by:
rsquery = pstmtquery.executeQuery ();
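As an added example (not code from iDempiere, the patch, or the discussion above), the following Python sketch with sqlite3 puts the three positions of this issue side by side: the string concatenation quoted in the description, a keyword blacklist in the spirit of the validateParameter proposed for IDEMPIERE-1784_v2.patch, and a filter that is fixed configuration whose variable parts come from context variables bound as query parameters, which is the approach the issue was resolved with. Table and column names follow iDempiere naming, but the rows, the helper functions, the base query and the @Name@ placeholder syntax for context variables are assumptions made for the example, not taken from the page.

```python
import re
import sqlite3

# Constructed sample rows standing in for an iDempiere M_Product table:
# (AD_Client_ID, M_Product_Category_ID, Name). Client 99 is another tenant.
SAMPLE_ROWS = [
    (11, 1, "Azalea Bush"),
    (11, 2, "Oak Tree"),
    (99, 1, "Other Tenant Secret"),
]

# Assumed base query of the web service: restricted to the caller's client.
BASE_SQL = "SELECT Name FROM M_Product WHERE AD_Client_ID=?"


def make_db():
    """In-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE M_Product (AD_Client_ID INTEGER, "
        "M_Product_Category_ID INTEGER, Name TEXT)"
    )
    conn.executemany("INSERT INTO M_Product VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_vulnerable(conn, client_id, filter_str):
    """Same shape as the original: sqlquery += " AND " + filter."""
    sql = BASE_SQL
    if filter_str:
        sql += " AND " + filter_str
    return [row[0] for row in conn.execute(sql, (client_id,))]


# Keyword list from the proposed validateParameter (substring match).
FORBIDDEN = ("insert", "create", "update", "drop", "delete", "alter")


def validate_parameter(filter_str):
    """True when none of the blacklisted words occur in the filter."""
    low = filter_str.lower()
    return not any(word in low for word in FORBIDDEN)


def query_with_blacklist(conn, client_id, filter_str):
    """Blacklist in front of the same concatenation."""
    if not validate_parameter(filter_str):
        raise ValueError("forbidden SQL keyword in filter")
    return query_vulnerable(conn, client_id, filter_str)


# Assumed placeholder syntax: @VariableName@ inside a configured filter.
CTX_VAR = re.compile(r"@([A-Za-z_][A-Za-z0-9_]*)@")


def query_with_context(conn, client_id, filter_template, context):
    """The filter is fixed configuration; only context values vary, and they
    are bound as parameters, so they can never change the SQL structure."""
    params = [client_id]

    def to_placeholder(match):
        name = match.group(1)
        if name not in context:
            raise KeyError("context variable %s not set" % name)
        params.append(context[name])
        return "?"

    sql = BASE_SQL + " AND " + CTX_VAR.sub(to_placeholder, filter_template)
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = make_db()
    # Legitimate use of a free filter.
    print(query_vulnerable(db, 11, "M_Product_Category_ID=1"))
    # Passes the blacklist, yet the OR defeats the AD_Client_ID restriction
    # and leaks the other tenant's row.
    print(query_with_blacklist(db, 11, "1=1 OR AD_Client_ID=99"))
    # Configured filter with a context value: an injection attempt in the
    # value is just a string that matches no integer category.
    tmpl = "M_Product_Category_ID=@M_Product_Category_ID@"
    print(query_with_context(db, 11, tmpl, {"M_Product_Category_ID": 1}))
    print(query_with_context(db, 11, tmpl, {"M_Product_Category_ID": "1 OR 1=1"}))
```

The blacklist run shows both halves of the objection raised in the thread: a filter that contains no listed keyword still rewrites the query (here an OR that reaches past the client restriction), and a substring match on "update" also rejects harmless filters on the standard Updated column. The context-variable version keeps the WHERE clause under the administrator's control and lets the caller supply only values.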