Merge pull request #30 from uonafya/2.25-security-fixes

2.25 security fixes

.gitignore

@@ -29,3 +29,4 @@ overlays/
 dhis-2/projectFilesBackup
 coverage
 node_modules
+package-lock.json

dhis-2/.gitignore

@@ -0,0 +1 @@
+**/rebel.xml

dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/BaseAnalyticalObject.java

@@ -55,7 +55,6 @@
 import org.hisp.dhis.period.Period;
 import org.hisp.dhis.period.RelativePeriodEnum;
 import org.hisp.dhis.period.RelativePeriods;
-import org.hisp.dhis.period.comparator.AscendingPeriodComparator;
 import org.hisp.dhis.schema.annotation.PropertyRange;
 import org.hisp.dhis.trackedentity.TrackedEntityAttributeDimension;
 import org.hisp.dhis.trackedentity.TrackedEntityDataElementDimension;
@@ -549,8 +548,6 @@ else if ( PERIOD_DIM_ID.equals( dimension ) )
                 }
             }
 
-            Collections.sort( periodList, new AscendingPeriodComparator() );
-
             return new BaseDimensionalObject( dimension, DimensionType.PERIOD, periodList );
         }
         else if ( ORGUNIT_DIM_ID.equals( dimension ) )

dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/IdentifiableObjectUtils.java

@@ -102,7 +102,7 @@ public static String join( Collection<? extends IdentifiableObject> objects )
      */
     public static <T extends IdentifiableObject> List<String> getUids( Collection<T> objects )
     {
-        return objects != null ? objects.stream().map( o -> o.getUid() ).collect( Collectors.toList() ) : null;
+        return objects != null ? objects.stream().map( IdentifiableObject::getUid ).collect( Collectors.toList() ) : null;
     }
 
     /**
@@ -113,7 +113,7 @@ public static <T extends IdentifiableObject> List<String> getUids( Collection<T>
      */
     public static <T extends IdentifiableObject> List<Integer> getIdentifiers( Collection<T> objects )
     {
-        return objects != null ? objects.stream().map( o -> o.getId() ).collect( Collectors.toList() ) : null;
+        return objects != null ? objects.stream().map( IdentifiableObject::getId ).collect( Collectors.toList() ) : null;
     }
 
     /**
@@ -192,7 +192,7 @@ public static <T extends IdentifiableObject> List<T> filterNameByKey( List<T> id
             T object = iterator.next();
             String name = ignoreCase ? object.getDisplayName().toLowerCase() : object.getDisplayName();
 
-            if ( name.indexOf( key ) != -1 )
+            if ( name.contains( key ) )
             {
                 objects.add( object );
             }
@@ -244,7 +244,7 @@ public static <T extends IdentifiableObject> String getLastUpdatedTag( Collectio
             }
         }
 
-        return latest != null && objects != null ? objects.size() + SEPARATOR + LONG_DATE_FORMAT.print( new DateTime( latest ) ) : null;
+        return latest != null ? objects.size() + SEPARATOR + LONG_DATE_FORMAT.print( new DateTime( latest ) ) : null;
     }
 
     /**

dhis-2/dhis-api/src/main/java/org/hisp/dhis/i18n/I18nFormat.java

@@ -28,6 +28,12 @@
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
+import org.hisp.dhis.calendar.DateTimeUnit;
+import org.hisp.dhis.period.Period;
+import org.hisp.dhis.period.PeriodType;
+import org.hisp.dhis.period.WeeklyPeriodType;
+import org.joda.time.DateTime;
+
 import java.text.DateFormat;
 import java.text.DateFormatSymbols;
 import java.text.DecimalFormat;
@@ -36,11 +42,6 @@
 import java.util.Date;
 import java.util.ResourceBundle;
 
-import org.hisp.dhis.calendar.DateTimeUnit;
-import org.hisp.dhis.period.Period;
-import org.hisp.dhis.period.PeriodType;
-import org.hisp.dhis.period.WeeklyPeriodType;
-
 /**
  * @author Pham Thi Thuy
  * @author Nguyen Dang Quang
@@ -222,9 +223,10 @@ public String formatPeriod( Period period )
 
         String typeName = period.getPeriodType().getName();
 
-        if ( typeName.equals( WeeklyPeriodType.NAME ) ) // Use ISO dates due to potential week confusion
+        if ( typeName.contains( WeeklyPeriodType.NAME ) ) // Use ISO dates due to potential week confusion
         {
-            return period.getIsoDate();
+            DateTime dateTime = new DateTime( period.getStartDate() );
+            return "W" + dateTime.weekOfWeekyear().getAsText() + " " + (typeName.equals( WeeklyPeriodType.NAME ) ? dateTime.year().getAsText() : dateTime.dayOfWeek().getAsShortText() + " " + dateTime.year().getAsText());
         }
 
         String keyStartDate = "format." + typeName + ".startDate";

dhis-2/dhis-api/src/main/java/org/hisp/dhis/period/comparator/AscendingPeriodComparator.java

@@ -28,9 +28,10 @@
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-import java.util.Comparator;
-
 import org.hisp.dhis.period.Period;
+import org.hisp.dhis.period.PeriodType;
+
+import java.util.Comparator;
 
 /**
  * Sorts periods ascending based on the start date, then the end date.
@@ -45,31 +46,12 @@ public class AscendingPeriodComparator
     @Override
     public int compare( Period period1, Period period2 )
     {
-        if ( period1.getStartDate() == null )
-        {
-            return -1;
-        }
-
-        if ( period2.getStartDate() == null )
-        {
-            return 1;
-        }
-
-        if ( period1.getStartDate().compareTo( period2.getStartDate() ) != 0 )
-        {
-            return period1.getStartDate().compareTo( period2.getStartDate() );
-        }
-
-        if ( period1.getEndDate() == null )
-        {
-            return -1;
-        }
-
-        if ( period2.getEndDate() == null )
-        {
-            return 1;
-        }
-
-        return period1.getEndDate().compareTo( period2.getEndDate() );
+        PeriodType a = period1.getPeriodType();
+        PeriodType b = period2.getPeriodType();
+
+        int freqCompare = Integer.compare( a.getFrequencyOrder(), b.getFrequencyOrder() );
+        int nameCompare = a.getName().compareTo( b.getName() );
+
+        return freqCompare == 0 ? ( nameCompare == 0 ? period1.getStartDate().compareTo(period2.getStartDate() ) : nameCompare ) : freqCompare;
     }
 }

dhis-2/dhis-api/src/main/java/org/hisp/dhis/program/ProgramIndicator.java

@@ -33,7 +33,9 @@
 import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlElementWrapper;
 import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty;
 import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlRootElement;
+import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Sets;
+
 import org.hisp.dhis.analytics.AggregationType;
 import org.hisp.dhis.common.BaseDataDimensionalItemObject;
 import org.hisp.dhis.common.BaseIdentifiableObject;
@@ -44,6 +46,7 @@
 import org.hisp.dhis.common.RegexUtils;
 
 import java.util.HashSet;
+import java.util.Map;
 import java.util.Set;
 import java.util.regex.Pattern;
 
@@ -101,6 +104,17 @@ public class ProgramIndicator
     public static final String INVALID_IDENTIFIERS_IN_EXPRESSION = "invalid_identifiers_in_expression";
     public static final String FILTER_NOT_EVALUATING_TO_TRUE_OR_FALSE = "filter_not_evaluating_to_true_or_false";
 
+    public static final String UNKNOWN_VARIABLE = "unknown_variable";
+
+    private static final Map<String, String> VARIABLE_COLUMNNAME_MAP = ImmutableMap.<String, String>builder().
+        put( ProgramIndicator.VAR_EXECUTION_DATE, "executiondate" ).
+        put( ProgramIndicator.VAR_DUE_DATE, "duedate" ).
+        put( ProgramIndicator.VAR_ENROLLMENT_DATE, "enrollmentdate" ).
+        put( ProgramIndicator.VAR_INCIDENT_DATE, "incidentdate" ).
+        put( ProgramIndicator.VAR_EVENT_COUNT, "psi" ).
+        put( ProgramIndicator.VAR_ENROLLMENT_COUNT, "pi" ).
+        put( ProgramIndicator.VAR_TEI_COUNT, "tei" ).build();
+
     private Program program;
 
     private String expression;
@@ -159,6 +173,42 @@ public static Set<String> getDataElementAndAttributeIdentifiers( String input )
             RegexUtils.getMatches( DATAELEMENT_PATTERN, input, 2 ),
             RegexUtils.getMatches( ATTRIBUTE_PATTERN, input, 1 ) );
     }
+
+    /**
+     * Returns a set of all analytics columns required for the variables used in the given expression
+     *
+     * @param expression the program indicator expression.
+     * @return a set of column names
+     */
+    public static Set<String> getVariableColumnNames( String expression )
+    {
+        Set<String> requiredColumns = new HashSet<String>();
+
+        Set<String> variables =
+            RegexUtils.getMatches( VARIABLE_PATTERN, expression, 1 );
+
+        for ( String variable : variables )
+        {
+            String columnName = getVariableColumnName( variable );
+            if ( null != columnName )
+            {
+                requiredColumns.add( columnName );
+            }
+        }
+
+        return requiredColumns;
+    }
+
+    /**
+     * Returns the analytics column name associated with the program indicator variable.
+     * 
+     * @param var the program indicator variable name
+     * @return the analytics column name, or null if there is no specific column used for the variable
+     */
+    public static String getVariableColumnName( String var ) 
+    {
+        return VARIABLE_COLUMNNAME_MAP.containsKey( var ) ? VARIABLE_COLUMNNAME_MAP.get( var ) : null;
+    }
 
     public void addProgramIndicatorGroup( ProgramIndicatorGroup group )
     {

dhis-2/dhis-services/dhis-service-administration/src/main/java/org/hisp/dhis/sqlview/DefaultSqlViewService.java

@@ -38,6 +38,8 @@
 import org.hisp.dhis.common.Grid;
 import org.hisp.dhis.common.IllegalQueryException;
 import org.hisp.dhis.commons.util.SqlHelper;
+import org.hisp.dhis.external.conf.ConfigurationKey;
+import org.hisp.dhis.external.conf.DhisConfigurationProvider;
 import org.hisp.dhis.jdbc.StatementBuilder;
 import org.hisp.dhis.system.grid.ListGrid;
 import org.springframework.transaction.annotation.Transactional;
@@ -70,6 +72,13 @@ public void setStatementBuilder( StatementBuilder statementBuilder )
     {
         this.statementBuilder = statementBuilder;
     }
+
+    private DhisConfigurationProvider config;
+
+    public void setConfig( DhisConfigurationProvider config )
+    {
+        this.config = config;
+    }
 
     // -------------------------------------------------------------------------
     // CRUD methods
@@ -250,6 +259,7 @@ public void validateSqlView( SqlView sqlView, Map<String, String> criteria, Map<
 
         final Set<String> sqlVars = SqlViewUtils.getVariables( sqlView.getSqlQuery() );
         final String sql = sqlView.getSqlQuery().replaceAll("\\r|\\n"," ").toLowerCase();
+        final boolean ignoreSqlViewTableProtection = config.isDisabled( ConfigurationKey.SYSTEM_SQL_VIEW_TABLE_PROTECTION );
 
         if ( !SELECT_PATTERN.matcher( sql ).matches() )
         {
@@ -296,7 +306,7 @@ public void validateSqlView( SqlView sqlView, Map<String, String> criteria, Map<
             violation = "Criteria values are invalid: " + SqlView.getInvalidQueryValues( criteria.values() );
         }
 
-        if ( sql.matches( SqlView.getProtectedTablesRegex() ) )
+        if (  !ignoreSqlViewTableProtection && sql.matches( SqlView.getProtectedTablesRegex() ) )
         {
             violation = "SQL query contains references to protected tables";
         }

dhis-2/dhis-services/dhis-service-administration/src/main/resources/META-INF/dhis/beans.xml

@@ -60,6 +60,7 @@
   <bean id="org.hisp.dhis.sqlview.SqlViewService" class="org.hisp.dhis.sqlview.DefaultSqlViewService">
     <property name="sqlViewStore" ref="org.hisp.dhis.sqlview.SqlViewStore" />
     <property name="statementBuilder" ref="statementBuilder" />
+    <property name="config" ref="dhisConfigurationProvider" />
   </bean>
 
   <!-- Scheduled tasks -->

dhis-2/dhis-services/dhis-service-analytics/src/main/java/org/hisp/dhis/analytics/data/DefaultAnalyticsService.java

@@ -93,13 +93,33 @@
 import java.util.function.Function;
 
 import static org.hisp.dhis.analytics.AnalyticsTableManager.*;
-import static org.hisp.dhis.analytics.DataQueryParams.*;
-import static org.hisp.dhis.common.DataDimensionItemType.*;
-import static org.hisp.dhis.common.DimensionalObject.*;
+import static org.hisp.dhis.analytics.DataQueryParams.COMPLETENESS_DIMENSION_TYPES;
+import static org.hisp.dhis.analytics.DataQueryParams.DENOMINATOR_HEADER_NAME;
+import static org.hisp.dhis.analytics.DataQueryParams.DENOMINATOR_ID;
+import static org.hisp.dhis.analytics.DataQueryParams.DISPLAY_NAME_DATA_X;
+import static org.hisp.dhis.analytics.DataQueryParams.DX_INDEX;
+import static org.hisp.dhis.analytics.DataQueryParams.FACTOR_HEADER_NAME;
+import static org.hisp.dhis.analytics.DataQueryParams.FACTOR_ID;
+import static org.hisp.dhis.analytics.DataQueryParams.NUMERATOR_HEADER_NAME;
+import static org.hisp.dhis.analytics.DataQueryParams.NUMERATOR_ID;
+import static org.hisp.dhis.analytics.DataQueryParams.VALUE_HEADER_NAME;
+import static org.hisp.dhis.analytics.DataQueryParams.VALUE_ID;
+import static org.hisp.dhis.common.DataDimensionItemType.PROGRAM_ATTRIBUTE;
+import static org.hisp.dhis.common.DataDimensionItemType.PROGRAM_DATA_ELEMENT;
+import static org.hisp.dhis.common.DataDimensionItemType.PROGRAM_INDICATOR;
+import static org.hisp.dhis.common.DimensionalObject.CATEGORYOPTIONCOMBO_DIM_ID;
+import static org.hisp.dhis.common.DimensionalObject.DATA_X_DIM_ID;
+import static org.hisp.dhis.common.DimensionalObject.DIMENSION_SEP;
+import static org.hisp.dhis.common.DimensionalObject.ORGUNIT_DIM_ID;
+import static org.hisp.dhis.common.DimensionalObject.PERIOD_DIM_ID;
 import static org.hisp.dhis.common.DimensionalObjectUtils.asTypedList;
 import static org.hisp.dhis.common.DimensionalObjectUtils.getDimensionalItemIds;
 import static org.hisp.dhis.common.IdentifiableObjectUtils.getLocalPeriodIdentifiers;
-import static org.hisp.dhis.common.ReportingRateMetric.*;
+import static org.hisp.dhis.common.IdentifiableObjectUtils.getUids;
+import static org.hisp.dhis.common.ReportingRateMetric.ACTUAL_REPORTS;
+import static org.hisp.dhis.common.ReportingRateMetric.ACTUAL_REPORTS_ON_TIME;
+import static org.hisp.dhis.common.ReportingRateMetric.EXPECTED_REPORTS;
+import static org.hisp.dhis.common.ReportingRateMetric.REPORTING_RATE_ON_TIME;
 import static org.hisp.dhis.organisationunit.OrganisationUnit.getParentGraphMap;
 import static org.hisp.dhis.organisationunit.OrganisationUnit.getParentNameGraphMap;
 import static org.hisp.dhis.period.PeriodType.getPeriodTypeFromIsoString;
@@ -718,7 +738,7 @@ private void addMetaData( DataQueryParams params, Grid grid )
             Calendar calendar = PeriodType.getCalendar();
 
             List<String> periodUids = calendar.isIso8601() ?
-                getDimensionalItemIds( params.getDimensionOrFilterItems( PERIOD_DIM_ID ) ) :
+                getUids( params.getDimensionOrFilterItems( PERIOD_DIM_ID ) ) :
                 getLocalPeriodIdentifiers( params.getDimensionOrFilterItems( PERIOD_DIM_ID ), calendar );
 
             metaData.put( PERIOD_DIM_ID, periodUids );

dhis-2/dhis-services/dhis-service-analytics/src/main/java/org/hisp/dhis/analytics/data/DefaultDataQueryService.java

@@ -67,7 +67,19 @@
 import org.hisp.dhis.analytics.DataQueryService;
 import org.hisp.dhis.analytics.OutputFormat;
 import org.hisp.dhis.calendar.Calendar;
-import org.hisp.dhis.common.*;
+import org.hisp.dhis.common.AnalyticalObject;
+import org.hisp.dhis.common.BaseDimensionalObject;
+import org.hisp.dhis.common.CodeGenerator;
+import org.hisp.dhis.common.DimensionService;
+import org.hisp.dhis.common.DimensionType;
+import org.hisp.dhis.common.DimensionalItemObject;
+import org.hisp.dhis.common.DimensionalObject;
+import org.hisp.dhis.common.DimensionalObjectUtils;
+import org.hisp.dhis.common.DisplayProperty;
+import org.hisp.dhis.common.IdScheme;
+import org.hisp.dhis.common.IdentifiableObjectManager;
+import org.hisp.dhis.common.IdentifiableProperty;
+import org.hisp.dhis.common.IllegalQueryException;
 import org.hisp.dhis.dataelement.DataElementCategoryOptionCombo;
 import org.hisp.dhis.dataelement.DataElementGroup;
 import org.hisp.dhis.i18n.I18nFormat;
@@ -80,6 +92,8 @@
 import org.hisp.dhis.period.PeriodType;
 import org.hisp.dhis.period.RelativePeriodEnum;
 import org.hisp.dhis.period.RelativePeriods;
+import org.hisp.dhis.period.WeeklyPeriodType;
+import org.hisp.dhis.period.comparator.AscendingPeriodComparator;
 import org.hisp.dhis.system.util.ReflectionUtils;
 import org.hisp.dhis.user.User;
 import org.hisp.dhis.util.ObjectUtils;
@@ -326,10 +340,12 @@ else if ( PERIOD_DIM_ID.equals( dimension ) )
 
             List<Period> periods = new ArrayList<>();
 
+            Boolean queryContainsRelativePeriods = false;
             for ( String isoPeriod : items )
             {
                 if ( RelativePeriodEnum.contains( isoPeriod ) )
                 {
+                    queryContainsRelativePeriods = true;
                     RelativePeriodEnum relativePeriod = RelativePeriodEnum.valueOf( isoPeriod );
                     List<Period> relativePeriods = RelativePeriods.getRelativePeriodsFromEnum( relativePeriod, relativePeriodDate, format, true );
                     periods.addAll( relativePeriods );
@@ -352,11 +368,20 @@ else if ( PERIOD_DIM_ID.equals( dimension ) )
                 throw new IllegalQueryException( "Dimension pe is present in query without any valid dimension options" );
             }
 
+            if ( queryContainsRelativePeriods )
+            {
+                periods.sort( new AscendingPeriodComparator() );
+            }
+
             for ( Period period : periods )
             {
                 String name = format != null ? format.formatPeriod( period ) : null;
+                if ( !period.getPeriodType().getName().contains( WeeklyPeriodType.NAME ) )
+                {
+                    period.setShortName( name );
+                }
                 period.setName( name );
-                period.setShortName( name );
+
 
                 if ( !calendar.isIso8601() )
                 {