SONAR-8474 securing SQL request on Component tree regarding organization
authorSébastien Lesaint <sebastien.lesaint@sonarsource.com>
Mon, 9 Jan 2017 10:06:48 +0000 (11:06 +0100)
committerSébastien Lesaint <sebastien.lesaint@sonarsource.com>
Mon, 16 Jan 2017 10:38:43 +0000 (11:38 +0100)
Altered the SQL requests on the Component tree so that they do not leak out of the organization of the root component.

sonar-db/src/main/resources/org/sonar/db/component/ComponentMapper.xml
sonar-db/src/test/java/org/sonar/db/component/ComponentDaoTest.java
sonar-db/src/test/resources/org/sonar/db/component/ComponentDaoTest/shared.xml

index 61b345d49815af12495e667e0fa4d5c05dfc121b..72722aa0ad0f47a81bd3f840cec1bfb2f2f642b2 100644 (file)
   </select>
 
   <select id="selectByProjectUuid" parameterType="string" resultType="Component">
-    SELECT
+    select
     <include refid="componentColumns"/>
-    FROM projects p
-    <where>
-      p.project_uuid=#{projectUuid}
-    </where>
+    from projects root
+    inner join projects p on p.project_uuid=root.uuid and p.organization_uuid=root.organization_uuid
+    where
+      root.uuid=#{projectUuid}
   </select>
 
   <select id="countById" parameterType="long" resultType="long">
     SELECT
     <include refid="componentColumns"/>
     FROM projects p
-    INNER JOIN projects child ON child.root_uuid=p.uuid AND child.enabled=${_true}
-    <where>
-      AND p.enabled=${_true}
-      AND p.scope='PRJ'
-      AND child.uuid in
-      <foreach collection="uuids" open="(" close=")" item="uuid" separator=",">
-        #{uuid}
-      </foreach>
-    </where>
+    INNER JOIN projects child ON
+      child.root_uuid=p.uuid
+      and child.enabled=${_true}
+      and child.organization_uuid=p.organization_uuid
+    where
+      p.enabled=${_true}
+      and p.scope='PRJ'
+      and child.uuid in
+        <foreach collection="uuids" open="(" close=")" item="uuid" separator=",">
+          #{uuid}
+        </foreach>
   </select>
 
   <select id="selectDescendantModules" parameterType="map" resultType="Component">
   </select>
 
   <sql id="modulesTreeQuery">
-    INNER JOIN projects module ON module.project_uuid = p.project_uuid AND module.uuid = #{moduleUuid} AND
-    module.scope='PRJ' AND module.enabled = ${_true}
+    INNER JOIN projects module ON
+      module.project_uuid = p.project_uuid
+      and module.organization_uuid = p.organization_uuid
+      and module.uuid = #{moduleUuid}
+      and module.scope='PRJ' AND module.enabled = ${_true}
     <where>
       <if test="excludeDisabled">
         p.enabled = ${_true}
   </sql>
 
   <select id="selectEnabledFilesFromProject" parameterType="map" resultType="FilePathWithHash">
-    SELECT p.uuid, p.path, p.module_uuid as moduleUuid, fs.src_hash as srcHash, fs.revision
-    FROM projects p
-    INNER JOIN file_sources fs ON fs.file_uuid=p.uuid and fs.data_type='SOURCE'
-    <where>
-      AND p.project_uuid=#{projectUuid}
-      AND p.enabled=${_true}
-      AND p.scope='FIL'
-    </where>
+    SELECT
+      p.uuid,
+      p.path,
+      p.module_uuid as moduleUuid,
+      fs.src_hash as srcHash,
+      fs.revision
+    FROM projects root
+    INNER JOIN projects p on
+      p.project_uuid=root.uuid
+      and p.organization_uuid=root.organization_uuid
+      and p.enabled=${_true}
+      and p.scope='FIL'
+    INNER JOIN file_sources fs ON
+      fs.file_uuid=p.uuid
+      and fs.data_type='SOURCE'
+    where
+      root.uuid=#{projectUuid}
   </select>
 
   <select id="selectDescendantFiles" parameterType="map" resultType="FilePathWithHash">
-    SELECT p.uuid, p.path, p.module_uuid as moduleUuid, fs.src_hash as srcHash, fs.revision
+    SELECT
+      p.uuid,
+      p.path,
+      p.module_uuid as moduleUuid,
+      fs.src_hash as srcHash,
+      fs.revision
     FROM projects p
-    INNER JOIN file_sources fs ON fs.file_uuid=p.uuid and fs.data_type='SOURCE'
+    INNER JOIN file_sources fs ON
+      fs.file_uuid=p.uuid
+      and fs.data_type='SOURCE'
     <include refid="modulesTreeQuery"/>
   </select>
 
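Review bot: In modulesTreeQuery the new ON clause mixes keyword case on a single line, `and module.scope='PRJ' AND module.enabled = ${_true}`, and the mapper as a whole now alternates between `SELECT`/`FROM` and `select`/`from`/`where` (selectByProjectUuid is all lowercase, countById starts uppercase and ends with `where`); pick one casing per statement, e.g. `and module.scope='PRJ' and module.enabled = ${_true}`. The organization boundary is enforced purely by equality on `organization_uuid` inside each join, so if that column can be NULL on either side the predicate is UNKNOWN and the row silently disappears rather than failing; worth confirming the column is NOT NULL or recording the assumption with `<!-- organization_uuid is expected NOT NULL; a NULL on either side drops the row -->`. selectDescendantFiles (and presumably selectDescendantModules, whose body is outside this hunk) gets its organization check only through the shared `modulesTreeQuery` fragment, so a one-line comment on `<sql id="modulesTreeQuery">` stating that it enforces the root/module organization boundary would keep a later edit from loosening it unknowingly.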
index d050137ed47d2468add827f1d8efb7107b9872dc..accc345bea9dd4b5cf5efc5c0c0fd5b75be3e3de 100644 (file)
@@ -78,8 +78,8 @@ public class ComponentDaoTest {
     assertThat(result.getUuidPath()).isEqualTo("uuid_path_of_U1");
     assertThat(result.moduleUuid()).isEqualTo("module_uuid_of_U1");
     assertThat(result.moduleUuidPath()).isEqualTo("module_uuid_path_of_U1");
-    assertThat(result.getRootUuid()).isEqualTo("root_uuid_of_U1");
-    assertThat(result.projectUuid()).isEqualTo("project_uuid_of_U1");
+    assertThat(result.getRootUuid()).isEqualTo("U1");
+    assertThat(result.projectUuid()).isEqualTo("U1");
     assertThat(result.key()).isEqualTo("org.struts:struts");
     assertThat(result.path()).isEqualTo("path_of_U1");
     assertThat(result.name()).isEqualTo("Struts");
@@ -195,7 +195,8 @@ public class ComponentDaoTest {
     assertThat(result.description()).isEqualTo("the description");
     assertThat(result.qualifier()).isEqualTo("TRK");
     assertThat(result.scope()).isEqualTo("PRJ");
-    assertThat(result.getRootUuid()).isEqualTo("root_uuid_of_U1");
+    assertThat(result.getRootUuid()).isEqualTo("U1");
+    assertThat(result.projectUuid()).isEqualTo("U1");
     assertThat(result.getAuthorizationUpdatedAt()).isEqualTo(123_456_789L);
   }
 
@@ -556,7 +557,7 @@ public class ComponentDaoTest {
 
     List<ComponentDto> components = underTest.selectByProjectUuid("U1", dbSession);
 
-    assertThat(components).extracting("id").containsOnly(2l, 3l, 4l);
+    assertThat(components).extracting("id").containsOnly(1L, 2L, 3L, 4L);
   }
 
   @Test
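Review bot: The test changes only adjust expectations for the fixture now making U1 its own root and project, but nothing exercises the organization boundary the commit introduces: no component in a second organization sharing `project_uuid`/`root_uuid` with U1 is inserted, so `selectByProjectUuid` would pass this test even without the added `organization_uuid` join condition. Add a case that inserts such a cross-organization row into the fixture and asserts it is absent from `underTest.selectByProjectUuid("U1", dbSession)`, and the same for the other altered mappers (countById, selectEnabledFilesFromProject and the selects built on modulesTreeQuery). The `containsOnly(1L, 2L, 3L, 4L)` assertion now encodes that the root appears in its own result; a short comment above it such as `// root U1 is returned as well: its project_uuid equals its uuid` would explain the changed expectation.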
index 9b0ad38df79a86c0c467c05c7d59a11b66c04926..604d6a816589124d2a2643006650188967843cd1 100644 (file)
@@ -18,8 +18,8 @@
             name="Struts"
             uuid="U1"
             uuid_path="uuid_path_of_U1"
-            root_uuid="root_uuid_of_U1"
-            project_uuid="project_uuid_of_U1"
+            root_uuid="U1"
+            project_uuid="U1"
             module_uuid="module_uuid_of_U1"
             module_uuid_path="module_uuid_path_of_U1"
             description="the description"