Skip to content

Commit

Permalink
XWIKI-19523: Unprivileged users can make arbitrary select queries usi…
Browse files Browse the repository at this point in the history
…ng DatabaseListProperty and suggest.vm

(cherry picked from commit 15cd567)
  • Loading branch information
tmortagne committed Nov 3, 2022
1 parent c2fbafd commit c68c0df
Show file tree
Hide file tree
Showing 2 changed files with 65 additions and 6 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -19,21 +19,27 @@
*/
package org.xwiki.query.internal;

import java.util.List;
import java.util.Map;
import java.util.concurrent.Callable;

import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.exception.ExceptionUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xwiki.component.manager.ComponentLookupException;
import org.xwiki.component.manager.ComponentManager;
import org.xwiki.model.reference.DocumentReference;
import org.xwiki.query.Query;
import org.xwiki.query.QueryException;
import org.xwiki.query.QueryFilter;
import org.xwiki.query.QueryManager;
import org.xwiki.query.QueryParameter;
import org.xwiki.query.SecureQuery;

import java.util.List;
import java.util.Map;
import org.xwiki.security.authorization.AccessDeniedException;
import org.xwiki.security.authorization.AuthorExecutor;
import org.xwiki.security.authorization.ContextualAuthorizationManager;
import org.xwiki.security.authorization.Right;

/**
* Query wrapper that allows to set filter from the filter component hint.
Expand All @@ -58,6 +64,12 @@ public class ScriptQuery implements SecureQuery
*/
private Query query;

private boolean switchAuthor;

private DocumentReference authorReference;

private DocumentReference sourceReference;

/**
* Constructor.
*
Expand Down Expand Up @@ -251,7 +263,18 @@ public int getOffset()
@Override
public <T> List<T> execute() throws QueryException
{
return this.query.execute();
if (this.switchAuthor) {
try {
AuthorExecutor authorExecutor = this.componentManager.getInstance(AuthorExecutor.class);
return authorExecutor.call(this.query::execute, this.authorReference, this.sourceReference);
} catch (QueryException e) {
throw e;
} catch (Exception e) {
throw new QueryException("Failed to execute query", this.query, e);
}
} else {
return this.query.execute();
}
}

@Override
Expand All @@ -260,6 +283,39 @@ public boolean isCurrentAuthorChecked()
return this.query instanceof SecureQuery ? ((SecureQuery) this.query).isCurrentAuthorChecked() : true;
}

/**
* Switch the author and reference to use to execute the query.
*
* @param authorReference the user to check rights on
* @param sourceReference the reference of the document associated with the {@link Callable} (which will be used to
* test the author right)
* @return this query.
* @throws AccessDeniedException when switching the query author is not allowed
* @since 14.10RC1
* @since 14.4.7
* @since 13.10.11
*/
public SecureQuery setQueryAuthor(DocumentReference authorReference, DocumentReference sourceReference)
throws AccessDeniedException
{
if (this.query instanceof SecureQuery) {
// Only author with programming right can switch the query author
try {
ContextualAuthorizationManager authorization =
this.componentManager.getInstance(ContextualAuthorizationManager.class);
authorization.checkAccess(Right.PROGRAM);

this.switchAuthor = true;
this.authorReference = authorReference;
this.sourceReference = sourceReference;
} catch (ComponentLookupException e) {
LOGGER.error("Failed to lookup authorization manager", e);
}
}

return this;
}

@Override
public SecureQuery checkCurrentAuthor(boolean checkCurrentAuthor)
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
## ---------------------------------------------------------------------------
##
## @Deprecated since 9.8RC1 use the ClassPropertyValues REST resource instead.
## TODO: add a warning when the template is not used in XWiki Standard anymore
##
$response.setContentType("text/xml")
##
Expand All @@ -27,7 +28,8 @@ $response.setContentType("text/xml")
#set($firCol = "$!{request.get('firCol')}")
#set($secCol = "$!{request.get('secCol')}")
#set($templatename = $classname + 'Template')
#set($p = $xwiki.getDocument($classname).getxWikiClass().get($fieldname).getPropertyClass())
#set($classDocument = $xwiki.getDocument($classname))
#set($p = $classDocument.getxWikiClass().get($fieldname).getPropertyClass())
#set($hibquery = "$!p.getSql()")
##
## Determine what was the input. If the property accepts multiple values and has separators, then
Expand Down Expand Up @@ -64,7 +66,8 @@ $response.setContentType("text/xml")
#set($like = " lower("+ $likeCol.replaceAll("[^a-zA-Z0-9_.]", "") + ") like :input ESCAPE '!' and")
#set($hibquery = "${hibquery.substring(0, $whereidx)}${like}${hibquery.substring($whereidx)}")
#end
#set($results = $services.query.hql($hibquery).setLimit(30).bindValue('input', "%${input}%").execute())
## Make sure the query is executed with the right of its author
#set($results = $services.query.hql($hibquery).setQueryAuthor($classDocument.getAuthorReference(), $classDocument.getDocumentReference()).setLimit(30).bindValue('input', "%${input}%").execute())
<?xml version="1.0" encoding="UTF-8"?>
<results type="${resultsType}">
#foreach($res in $results)
Expand Down

0 comments on commit c68c0df

Please sign in to comment.