From: Sébastien Lesaint <sebastien.lesaint@sonarsource.com>
Date: Mon, 9 Jan 2017 10:06:48 +0000 (+0100)
Subject: SONAR-8474 securing SQL request on Component tree regarding organization
X-Git-Tag: 6.3-RC1~539
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=e0038b980c552dc86f66c32df6dfe74d4a287beb;p=sonarqube.git

SONAR-8474 securing SQL request on Component tree regarding organization

altered SQL requests on Component tree to not leak out of organization of root
---

diff --git a/sonar-db/src/main/resources/org/sonar/db/component/ComponentMapper.xml b/sonar-db/src/main/resources/org/sonar/db/component/ComponentMapper.xml
index 61b345d4981..72722aa0ad0 100644
--- a/sonar-db/src/main/resources/org/sonar/db/component/ComponentMapper.xml
+++ b/sonar-db/src/main/resources/org/sonar/db/component/ComponentMapper.xml
@@ -65,12 +65,12 @@
   </select>
 
   <select id="selectByProjectUuid" parameterType="string" resultType="Component">
-    SELECT
+    select
     <include refid="componentColumns"/>
-    FROM projects p
-    <where>
-      p.project_uuid=#{projectUuid}
-    </where>
+    from projects root
+    inner join projects p on p.project_uuid=root.uuid and p.organization_uuid=root.organization_uuid
+    where
+      root.uuid=#{projectUuid}
   </select>
 
   <select id="countById" parameterType="long" resultType="long">
@@ -134,15 +134,17 @@
     SELECT
     <include refid="componentColumns"/>
     FROM projects p
-    INNER JOIN projects child ON child.root_uuid=p.uuid AND child.enabled=${_true}
-    <where>
-      AND p.enabled=${_true}
-      AND p.scope='PRJ'
-      AND child.uuid in
-      <foreach collection="uuids" open="(" close=")" item="uuid" separator=",">
-        #{uuid}
-      </foreach>
-    </where>
+    INNER JOIN projects child ON
+      child.root_uuid=p.uuid
+      and child.enabled=${_true}
+      and child.organization_uuid=p.organization_uuid
+    where
+      p.enabled=${_true}
+      and p.scope='PRJ'
+      and child.uuid in
+        <foreach collection="uuids" open="(" close=")" item="uuid" separator=",">
+          #{uuid}
+        </foreach>
   </select>
 
   <select id="selectDescendantModules" parameterType="map" resultType="Component">
@@ -153,8 +155,11 @@
   </select>
 
   <sql id="modulesTreeQuery">
-    INNER JOIN projects module ON module.project_uuid = p.project_uuid AND module.uuid = #{moduleUuid} AND
-    module.scope='PRJ' AND module.enabled = ${_true}
+    INNER JOIN projects module ON
+      module.project_uuid = p.project_uuid
+      and module.organization_uuid = p.organization_uuid
+      and module.uuid = #{moduleUuid}
+      and module.scope='PRJ' AND module.enabled = ${_true}
     <where>
       <if test="excludeDisabled">
         p.enabled = ${_true}
@@ -176,20 +181,36 @@
   </sql>
 
   <select id="selectEnabledFilesFromProject" parameterType="map" resultType="FilePathWithHash">
-    SELECT p.uuid, p.path, p.module_uuid as moduleUuid, fs.src_hash as srcHash, fs.revision
-    FROM projects p
-    INNER JOIN file_sources fs ON fs.file_uuid=p.uuid and fs.data_type='SOURCE'
-    <where>
-      AND p.project_uuid=#{projectUuid}
-      AND p.enabled=${_true}
-      AND p.scope='FIL'
-    </where>
+    SELECT
+      p.uuid,
+      p.path,
+      p.module_uuid as moduleUuid,
+      fs.src_hash as srcHash,
+      fs.revision
+    FROM projects root
+    INNER JOIN projects p on
+      p.project_uuid=root.uuid
+      and p.organization_uuid=root.organization_uuid
+      and p.enabled=${_true}
+      and p.scope='FIL'
+    INNER JOIN file_sources fs ON
+      fs.file_uuid=p.uuid
+      and fs.data_type='SOURCE'
+    where
+      root.uuid=#{projectUuid}
   </select>
 
   <select id="selectDescendantFiles" parameterType="map" resultType="FilePathWithHash">
-    SELECT p.uuid, p.path, p.module_uuid as moduleUuid, fs.src_hash as srcHash, fs.revision
+    SELECT
+      p.uuid,
+      p.path,
+      p.module_uuid as moduleUuid,
+      fs.src_hash as srcHash,
+      fs.revision
     FROM projects p
-    INNER JOIN file_sources fs ON fs.file_uuid=p.uuid and fs.data_type='SOURCE'
+    INNER JOIN file_sources fs ON
+      fs.file_uuid=p.uuid
+      and fs.data_type='SOURCE'
     <include refid="modulesTreeQuery"/>
   </select>
 
diff --git a/sonar-db/src/test/java/org/sonar/db/component/ComponentDaoTest.java b/sonar-db/src/test/java/org/sonar/db/component/ComponentDaoTest.java
index d050137ed47..accc345bea9 100644
--- a/sonar-db/src/test/java/org/sonar/db/component/ComponentDaoTest.java
+++ b/sonar-db/src/test/java/org/sonar/db/component/ComponentDaoTest.java
@@ -78,8 +78,8 @@ public class ComponentDaoTest {
     assertThat(result.getUuidPath()).isEqualTo("uuid_path_of_U1");
     assertThat(result.moduleUuid()).isEqualTo("module_uuid_of_U1");
     assertThat(result.moduleUuidPath()).isEqualTo("module_uuid_path_of_U1");
-    assertThat(result.getRootUuid()).isEqualTo("root_uuid_of_U1");
-    assertThat(result.projectUuid()).isEqualTo("project_uuid_of_U1");
+    assertThat(result.getRootUuid()).isEqualTo("U1");
+    assertThat(result.projectUuid()).isEqualTo("U1");
     assertThat(result.key()).isEqualTo("org.struts:struts");
     assertThat(result.path()).isEqualTo("path_of_U1");
     assertThat(result.name()).isEqualTo("Struts");
@@ -195,7 +195,8 @@ public class ComponentDaoTest {
     assertThat(result.description()).isEqualTo("the description");
     assertThat(result.qualifier()).isEqualTo("TRK");
     assertThat(result.scope()).isEqualTo("PRJ");
-    assertThat(result.getRootUuid()).isEqualTo("root_uuid_of_U1");
+    assertThat(result.getRootUuid()).isEqualTo("U1");
+    assertThat(result.projectUuid()).isEqualTo("U1");
     assertThat(result.getAuthorizationUpdatedAt()).isEqualTo(123_456_789L);
   }
 
@@ -556,7 +557,7 @@ public class ComponentDaoTest {
 
     List<ComponentDto> components = underTest.selectByProjectUuid("U1", dbSession);
 
-    assertThat(components).extracting("id").containsOnly(2l, 3l, 4l);
+    assertThat(components).extracting("id").containsOnly(1L, 2L, 3L, 4L);
   }
 
   @Test
diff --git a/sonar-db/src/test/resources/org/sonar/db/component/ComponentDaoTest/shared.xml b/sonar-db/src/test/resources/org/sonar/db/component/ComponentDaoTest/shared.xml
index 9b0ad38df79..604d6a81658 100644
--- a/sonar-db/src/test/resources/org/sonar/db/component/ComponentDaoTest/shared.xml
+++ b/sonar-db/src/test/resources/org/sonar/db/component/ComponentDaoTest/shared.xml
@@ -18,8 +18,8 @@
             name="Struts"
             uuid="U1"
             uuid_path="uuid_path_of_U1"
-            root_uuid="root_uuid_of_U1"
-            project_uuid="project_uuid_of_U1"
+            root_uuid="U1"
+            project_uuid="U1"
             module_uuid="module_uuid_of_U1"
             module_uuid_path="module_uuid_path_of_U1"
             description="the description"