Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/svc/report
Aleisha Amohia 73880de0c4
Bug 37508: Throw error if password column is detected in SQL report 
This enhancement prevents SQL queries from being run if they would return a password field from the database table.

To test:

1. Run tests and notice they fail t/db_dependent/Reports/Guided.t

2. Apply patch and restart services

3. Create a public report with an SQL report which would access a password column in a database table
4. Try to run the report. Notice you are met with an error and the results are not shown.
5. Access the JSON URL, you should not get the results and should be shown an error
6. Confirm tests pass t/db_dependent/Reports/Guided.t

Sponsored-by: Reserve Bank of New Zealand
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2024-08-13 11:05:32 -03:00

101 lines
3 KiB
Perl
Executable file
Raw Blame History

#!/usr/bin/perl
# This file is part of Koha.
#
# Copyright (C) 2011 Chris Cormack <chris@bigballofwax.co.nz>
# Copyright (C) 2013 Mark Tompsett
#
# Koha is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# Koha is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Koha; if not, see <http://www.gnu.org/licenses>.
use Modern::Perl;
use C4::Auth qw( get_template_and_user );
use C4::Reports::Guided qw( execute_query );
use Koha::Reports;
use JSON qw( encode_json decode_json );
use CGI qw ( -utf8 );
use Koha::Caches;
my $query = CGI->new();
my $report_id = $query->param('id');
my $report_name = $query->param('name');
my $report_annotation = $query->param('annotated');
my $report_recs = Koha::Reports->search( $report_name ? { 'report_name' => $report_name } : { 'id' => $report_id } );
if (!$report_recs || $report_recs->count == 0 ) { die "There is no such report.\n"; }
my $report_rec = $report_recs->next();
$report_id = $report_rec->id;
my @sql_params = $query->multi_param('sql_params');
my @param_names = $query->multi_param('param_names');
my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
{
template_name => "intranet-main.tt",
query => $query,
type => "intranet",
flagsrequired => { catalogue => 1, },
}
);
my $cache = Koha::Caches->get_instance();
my $cache_active = $cache->is_cache_active;
my ($cache_key, $json_text);
if ($cache_active) {
$cache_key = "intranet:report:".($report_name ? "report_name:$report_name:" : "id:$report_id:")
. join( '-', @sql_params )
. join( '_'. @param_names );
$json_text = $cache->get_from_cache($cache_key);
}
unless ($json_text) {
my $limit = C4::Context->preference("SvcMaxReportRows") || 10;
my ( $sql, undef ) = $report_rec->prep_report( \@param_names, \@sql_params );
my ( $sth, $errors ) = execute_query(
{
sql => $sql,
offset => 0,
limit => $limit,
report_id => $report_id,
}
);
if ($errors) {
$json_text = encode_json($errors);
} else {
my $lines;
if ($report_annotation) {
$lines = $sth->fetchall_arrayref({});
}
else {
$lines = $sth->fetchall_arrayref;
}
$json_text = encode_json($lines);
if ($cache_active) {
$cache->set_in_cache( $cache_key, $json_text, { expiry => $report_rec->cache_expiry } );
}
}
}
print $query->header(
-charset => 'UTF-8',
-type => 'application/json'
);
print $json_text;
View git blame Copy permalink