XWIKI-19949: Livetable results allow reconstructing password hashes using 768 requests
manuelleduc committed Aug 18, 2022
1 parent d7ea663 commit 7f88255
Showing 3 changed files with 49 additions and 2 deletions.
Expand Up @@ -73,7 +73,15 @@
##
#set($tablelist = [])
#foreach($colname in $collist)
#livetable_addColumnToQuery($colname)
## If a classname is defined and the class field corresponding to the column name,
## we check the type of the field and skip it if it's Password.
#if ($className != '' && $class.get($colname))
#if ($class.get($colname).classType != 'Password')
#livetable_addColumnToQuery($colname)
#end
#else
#livetable_addColumnToQuery($colname)
#end
#end
##
## Tag filtering
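Review bot: The comment added on lines 17–18 is missing its verb (`## If a classname is defined and the class field corresponding to the column name,`) and does not say why the column is dropped; suggest `## If a class name is defined and the class has a field with this column's name, skip the column when its type is Password: a filterable password column lets a caller reconstruct the stored hash from filtered results (XWIKI-19949).` The `#else` branch still adds any column that does not resolve to a property of `$class`, which looks intentional for document-level columns, so the guard only covers properties of the declared class; that limit is worth stating in the comment as well. The identical guard is duplicated in the third file section (lines 84–99); if the two templates share a macro library, extracting the test into one macro (e.g. a constructed `#livetable_isQueryableColumn`) would keep the copies from drifting. The `#foreach` is complete inside the hunk, but the macro enclosing it begins outside.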
Expand Up @@ -20,6 +20,7 @@
package org.xwiki.livetable;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
Expand All @@ -44,6 +45,7 @@

import com.xpn.xwiki.XWikiContext;
import com.xpn.xwiki.doc.XWikiDocument;
import com.xpn.xwiki.objects.classes.BaseClass;
import com.xpn.xwiki.objects.classes.StaticListClass;
import com.xpn.xwiki.plugin.tag.TagPluginApi;

Expand Down Expand Up @@ -500,6 +502,35 @@ void removeObfuscatedResultsWhenLimitIs0() throws Exception
assertEquals(emptyList(), getRows());
}

@Test
void cleanupAccessToPasswordFields() throws Exception
{
// Initialize an XClass with a password field.
DocumentReference documentReference = new DocumentReference("xwiki", "XWiki", "MyClass");
XWikiDocument xwikiDocument = this.xwiki.getDocument(documentReference, this.context);
BaseClass xClass = xwikiDocument.getXClass();
xClass.addPasswordField("password", "Password", 30);
this.xwiki.saveDocument(xwikiDocument, this.context);

when(this.queryService.hql(anyString())).thenReturn(this.query);
when(this.query.setLimit(anyInt())).thenReturn(this.query);
when(this.query.setOffset(anyInt())).thenReturn(this.query);
when(this.query.bindValues(any(Map.class))).thenReturn(this.query);
when(this.query.count()).thenReturn(0L);
when(this.query.execute()).thenReturn(Collections.emptyList());

this.request.put("classname", "XWiki.MyClass");
this.request.put("password", "abcd");
this.request.put("collist", "password");

renderPage();

verify(this.queryService).hql(", BaseObject as obj "
+ "where obj.name=doc.fullName "
+ "and obj.className = :className "
+ "and doc.fullName not in (:classTemplate1, :classTemplate2) ");
}

//
// Helper methods
//
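Review bot: The new test `cleanupAccessToPasswordFields` only covers the skip path: nothing here proves that a non-Password property of the same class still reaches the generated HQL, so an over-broad guard (e.g. an inverted `classType` comparison in the template) would pass unnoticed. A companion test that adds a second, non-password field to `MyClass`, lists both names in `collist` and verifies the query still references that field would pin the boundary; the expected HQL for that case is not visible in this diff, so I cannot quote it. Two smaller points on the same method: `any(Map.class)` on the `bindValues` stub is a raw type and can be `anyMap()`, and since the request still carries `password=abcd`, `verify(this.query).bindValues(argThat(values -> !values.containsValue("abcd")));` would also assert that the submitted value is never bound as a query parameter, independent of the column text.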
Expand Up @@ -57,7 +57,15 @@
##
#set($tablelist = [])
#foreach($colname in $collist)
#livetable_addColumnToQuery($colname)
## If a classname is defined and the class field corresponding to the column name,
## we check the type of the field and skip it if it's Password.
#if ($className != '' && $class.get($colname))
#if ($class.get($colname).classType != 'Password')
#livetable_addColumnToQuery($colname)
#end
#else
#livetable_addColumnToQuery($colname)
#end
#end
##
## Tag filtering
