New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(server): API query filter #8171
Conversation
* Extended the filtering feature to work with all data types, not only with String * Fixed an issue that was not allowing to use Object super type * Added test cases for ReflectionUtils * Added test cases for ReflectiveFilterer Closes ENTESB-13247
@squakez The bot could not transition the ticket automatically, please update this Jira ticket manually: https://issues.redhat.com/browse/ENTESB-13247 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Several issues with this:
- feature creep: this is a generic solution to non-generic problem, if use case requires filtering implement a filter with the logic that's required, don't make a generic solution that's going to be used for 1% of use cases
- uses more reflection: we need to minimize our use of reflection not expand it
- increases techdept: we don't want to extend our use of JSONDB we wish to minimise it as much as possible
- security issue: we need to be really careful about what methods get invoked and how we pass the data from the user, this could lead to arbitrary code execution, such as the one seen in CVE-2010-1622
I would also appreciate if you didn't create ENTESB issues for technical work, you're removing community from the discussion in doing so.
Thanks for you review @zregvart.
Just consider that I am not introducing anything new but leveraging an existing feature already provided by Syndesis. You can already provide the query parameter to all handlers implementing a Lister (see here). I fixed (or at least, tried to) something broken and was aiming to use it.
Not adding anything on that front, just fixing something as recently done for example with a sorting issue (see history)
Reusing what's already there, no new usage of JSONDB.
If there is some possible exploit we should log a separate issue and work to fix it.
Sure, I should have created and linked one. Just logged here #8177 |
@squakez can you give a bit of context around ENTESB-13247? It does not seem to be a Product requirement as you opened the issue yourself. |
@squakez your definition of broken is another persons definition of intentional limitation aimed at not allowing every possible scenario as that leads to more issues than solutions. This will introduce a security issue I suggest that you study the mentioned CVE. If you need certain type of filtering add it to the API that requires it. I will argue this no longer, do with the information I've given you as you wish. |
Thanks @KurtStam, that's a subtask of ENTESB-11534. I'd like to introduce a filter in order to ease the labour of UI and I thought leveraging existing Syndesis feature was better that reinventing the wheel. |
Thanks @KurtStam. Absolutely, I've requested a review for that reason. We should mark as @zregvart , I do understand your security concerns, there's no reason to assume that tone. I'm open to improve based on others experience and suggestions. In this case I think there is no risk of arbitrary execution, I've made some test, but I understand you're not open to exchange opinions. I will make an ad-hoc development or leave the UI to read the whole list of extensions as it's already doing. |
Fixes #8177 and closes ENTESB-13247
In order to ease the review, the idea is to be able to call an API by providing a query filter such as
api/v1/extensions?query=extensionType=Libraries,status=Installed
- this one, specifically was not working before this PR as the code only worked for String fields.