authorByron Jones <glob@mozilla.com>2015-01-27 04:47:42 +0100
committerByron Jones <glob@mozilla.com>2015-01-27 04:47:42 +0100
commita748745d3eb9110b0c6bcd803d8d86db8951ad43 (patch)
treeca477a3af19b85db7c546bace4ce9e93186a3b21
parentcd92366e1a3a89228917140e9c2f8747a17509b3 (diff)
Bug 1124437: Backport upstream bug 1090275 to bmo/4.2 to whitelist webservice api methods
-rw-r--r--Bugzilla/WebService.pm4
-rw-r--r--Bugzilla/WebService/Bug.pm20
-rw-r--r--Bugzilla/WebService/BugUserLastVisit.pm5
-rw-r--r--Bugzilla/WebService/Bugzilla.pm7
-rw-r--r--Bugzilla/WebService/Classification.pm4
-rw-r--r--Bugzilla/WebService/Group.pm6
-rw-r--r--Bugzilla/WebService/Product.pm8
-rw-r--r--Bugzilla/WebService/Server/JSONRPC.pm6
-rw-r--r--Bugzilla/WebService/Server/XMLRPC.pm11
-rw-r--r--Bugzilla/WebService/User.pm10
-rw-r--r--extensions/BMO/lib/WebService.pm5
-rw-r--r--extensions/Bitly/lib/WebService.pm5
-rw-r--r--extensions/EditComments/lib/WebService.pm4
-rw-r--r--extensions/Ember/lib/WebService.pm8
-rw-r--r--extensions/Example/lib/WebService.pm5
-rw-r--r--extensions/MyDashboard/lib/WebService.pm7
-rw-r--r--extensions/ProdCompSearch/lib/WebService.pm4
-rw-r--r--extensions/Review/lib/WebService.pm7
18 files changed, 125 insertions, 1 deletions
diff --git a/Bugzilla/WebService.pm b/Bugzilla/WebService.pm
index 86fbe1fe3..beed7b63f 100644
--- a/Bugzilla/WebService.pm
+++ b/Bugzilla/WebService.pm
@@ -33,6 +33,10 @@ use constant LOGIN_EXEMPT => { };
# Methods that can modify data MUST not be listed here.
use constant READ_ONLY => ();
+# Whitelist of methods that a client is allowed to access when making
+# an API call.
+use constant PUBLIC_METHODS => ();
+
sub login_exempt {
my ($class, $method) = @_;
return $class->LOGIN_EXEMPT->{$method};
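Review bot: The comment above the new PUBLIC_METHODS default does not say what the empty default means for subclasses: the dispatchers test the list with `none`, which is true for an empty list, so any Bugzilla::WebService subclass that does not override PUBLIC_METHODS has every one of its methods rejected with unknown_method. That is the safe, fail-closed behaviour, but it should be stated where a new module author will read it. I would extend the comment with `# Subclasses must override this with every method they expose; with this` / `# empty default no method of the subclass can be called.`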
diff --git a/Bugzilla/WebService/Bug.pm b/Bugzilla/WebService/Bug.pm
index 4f5b4c39c..9491a7938 100644
--- a/Bugzilla/WebService/Bug.pm
+++ b/Bugzilla/WebService/Bug.pm
@@ -88,6 +88,26 @@ use constant READ_ONLY => qw(
search
);
+use constant PUBLIC_METHODS => qw(
+ add_attachment
+ add_comment
+ attachments
+ comments
+ create
+ fields
+ get
+ history
+ legal_values
+ possible_duplicates
+ render_comment
+ search
+ search_comment_tags
+ update
+ update_attachment
+ update_comment_tags
+ update_see_also
+);
+
use constant ATTACHMENT_MAPPED_SETTERS => {
file_name => 'filename',
summary => 'description',
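Review bot: The new PUBLIC_METHODS list carries no comment saying what happens to a method left off it, and it has to be maintained by hand next to the READ_ONLY list above; the same applies to the lists added in BugUserLastVisit.pm, Bugzilla.pm, Classification.pm, Group.pm, Product.pm, User.pm and the extension WebService.pm files. Because the dispatchers reject anything not listed, a forgotten or misspelled entry silently disables an existing method, which is fail-closed but easy to miss when a new sub is added. I would put above each list `# Every method a client may call must be listed here; the JSON-RPC and` / `# XML-RPC servers reject unlisted methods with 'unknown_method'.`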
diff --git a/Bugzilla/WebService/BugUserLastVisit.pm b/Bugzilla/WebService/BugUserLastVisit.pm
index 89a1aedd1..4bab9eb7b 100644
--- a/Bugzilla/WebService/BugUserLastVisit.pm
+++ b/Bugzilla/WebService/BugUserLastVisit.pm
@@ -17,6 +17,11 @@ use Bugzilla::Error;
use Bugzilla::WebService::Util qw( validate filter );
use Bugzilla::Constants;
+use constant PUBLIC_METHODS => qw(
+ get
+ update
+);
+
sub update {
my ($self, $params) = validate(@_, 'ids');
my $user = Bugzilla->user;
diff --git a/Bugzilla/WebService/Bugzilla.pm b/Bugzilla/WebService/Bugzilla.pm
index 1fc15c3c3..7d0b5473b 100644
--- a/Bugzilla/WebService/Bugzilla.pm
+++ b/Bugzilla/WebService/Bugzilla.pm
@@ -38,6 +38,13 @@ use constant READ_ONLY => qw(
version
);
+use constant PUBLIC_METHODS => qw(
+ extensions
+ time
+ timezone
+ version
+);
+
sub version {
my $self = shift;
return { version => $self->type('string', BUGZILLA_VERSION) };
diff --git a/Bugzilla/WebService/Classification.pm b/Bugzilla/WebService/Classification.pm
index 1c4226fd6..1b084eabb 100644
--- a/Bugzilla/WebService/Classification.pm
+++ b/Bugzilla/WebService/Classification.pm
@@ -20,6 +20,10 @@ use constant READ_ONLY => qw(
get
);
+use constant PUBLIC_METHODS => qw(
+ get
+);
+
sub get {
my ($self, $params) = validate(@_, 'names', 'ids');
diff --git a/Bugzilla/WebService/Group.pm b/Bugzilla/WebService/Group.pm
index d6e5a7833..7518433af 100644
--- a/Bugzilla/WebService/Group.pm
+++ b/Bugzilla/WebService/Group.pm
@@ -16,6 +16,12 @@ use Bugzilla::Constants;
use Bugzilla::Error;
use Bugzilla::WebService::Util qw(validate translate params_to_objects);
+use constant PUBLIC_METHODS => qw(
+ create
+ get
+ update
+);
+
use constant MAPPED_RETURNS => {
userregexp => 'user_regexp',
isactive => 'is_active'
diff --git a/Bugzilla/WebService/Product.pm b/Bugzilla/WebService/Product.pm
index 3be46bd6d..be082c778 100644
--- a/Bugzilla/WebService/Product.pm
+++ b/Bugzilla/WebService/Product.pm
@@ -34,6 +34,14 @@ use constant READ_ONLY => qw(
get_selectable_products
);
+use constant PUBLIC_METHODS => qw(
+ create
+ get
+ get_accessible_products
+ get_enterable_products
+ get_selectable_products
+);
+
use constant FIELD_MAP => {
has_unconfirmed => 'allows_unconfirmed',
is_open => 'isactive',
diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm
index 0df4240e0..b0928960b 100644
--- a/Bugzilla/WebService/Server/JSONRPC.pm
+++ b/Bugzilla/WebService/Server/JSONRPC.pm
@@ -42,6 +42,7 @@ use Bugzilla::Util;
use HTTP::Message;
use MIME::Base64 qw(decode_base64 encode_base64);
+use List::MoreUtils qw(none);
#####################################
# Public JSON::RPC Method Overrides #
@@ -415,6 +416,11 @@ sub _argument_type_check {
}
}
+ # Only allowed methods to be used from our whitelist
+ if (none { $_ eq $method} $pkg->PUBLIC_METHODS) {
+ ThrowCodeError('unknown_method', { method => $self->_bz_method_name });
+ }
+
# This is the best time to do login checks.
$self->handle_login();
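Review bot: The block on the `none` line, `{ $_ eq $method}`, is missing the space before its closing brace, unlike the matching check in XMLRPC.pm; `if (none { $_ eq $method } $pkg->PUBLIC_METHODS) {` keeps the two dispatchers identical. Unlike the XML-RPC side this check does not `require` the package first, so it relies on `$pkg` already being loaded when _argument_type_check runs — presumably true, since the argument checks above this point already use it, but worth confirming. Both `$pkg` and `$method` are defined earlier in _argument_type_check, outside this hunk, and the sub continues past it.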
diff --git a/Bugzilla/WebService/Server/XMLRPC.pm b/Bugzilla/WebService/Server/XMLRPC.pm
index f56fa3439..94b751c9d 100644
--- a/Bugzilla/WebService/Server/XMLRPC.pm
+++ b/Bugzilla/WebService/Server/XMLRPC.pm
@@ -30,8 +30,11 @@ if ($ENV{MOD_PERL}) {
}
use Bugzilla::WebService::Constants;
+use Bugzilla::Error;
use Bugzilla::Util;
+use List::MoreUtils qw(none);
+
BEGIN {
# Allow WebService methods to call XMLRPC::Lite's type method directly
*Bugzilla::WebService::type = sub {
@@ -106,6 +109,14 @@ sub handle_login {
my ($self, $classes, $action, $uri, $method) = @_;
my $class = $classes->{$uri};
my $full_method = $uri . "." . $method;
+ # Only allowed methods to be used from the module's whitelist
+ my $file = $class;
+ $file =~ s{::}{/}g;
+ $file .= ".pm";
+ require $file;
+ if (none { $_ eq $method } $class->PUBLIC_METHODS) {
+ ThrowCodeError('unknown_method', { method => $full_method });
+ }
$self->SUPER::handle_login($class, $method, $full_method);
return;
}
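Review bot: `$class = $classes->{$uri}` is used unguarded on the new lines: if `$classes` has no entry for the requested `$uri` (I cannot tell from this hunk whether earlier dispatch already rejects that case), `$file` becomes `.pm`, `require` dies with a raw Perl "Can't locate" error, and the client sees that instead of the intended unknown_method response. A guard before the file name is built keeps the failure on the same path: `ThrowCodeError('unknown_method', { method => $full_method }) unless $class;`. The `require` itself takes a path derived from the server's own URI-to-package map rather than from request data, so it stays under server control as long as `$classes` is never populated from the request.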
diff --git a/Bugzilla/WebService/User.pm b/Bugzilla/WebService/User.pm
index b6351635c..2f38446b8 100644
--- a/Bugzilla/WebService/User.pm
+++ b/Bugzilla/WebService/User.pm
@@ -44,6 +44,16 @@ use constant READ_ONLY => qw(
get
);
+use constant PUBLIC_METHODS => qw(
+ create
+ get
+ login
+ logout
+ offer_account_by_email
+ update
+ valid_login
+);
+
use constant MAPPED_FIELDS => {
email => 'login',
full_name => 'name',
diff --git a/extensions/BMO/lib/WebService.pm b/extensions/BMO/lib/WebService.pm
index ed94aabfc..d31811de4 100644
--- a/extensions/BMO/lib/WebService.pm
+++ b/extensions/BMO/lib/WebService.pm
@@ -30,6 +30,11 @@ use Bugzilla::Util qw(detaint_natural trick_taint);
use Bugzilla::WebService::Util qw(validate);
use Bugzilla::Field;
+use constant PUBLIC_METHODS => qw(
+ getBugsConfirmer
+ getBugsVerifier
+);
+
sub getBugsConfirmer {
my ($self, $params) = validate(@_, 'names');
my $dbh = Bugzilla->dbh;
diff --git a/extensions/Bitly/lib/WebService.pm b/extensions/Bitly/lib/WebService.pm
index e721103b0..b47accda6 100644
--- a/extensions/Bitly/lib/WebService.pm
+++ b/extensions/Bitly/lib/WebService.pm
@@ -25,6 +25,11 @@ use URI;
use URI::Escape;
use URI::QueryParam;
+use constant PUBLIC_METHODS => qw(
+ list
+ shorten
+);
+
sub _validate_uri {
my ($self, $params) = @_;
diff --git a/extensions/EditComments/lib/WebService.pm b/extensions/EditComments/lib/WebService.pm
index 9213f0407..2621e5f4a 100644
--- a/extensions/EditComments/lib/WebService.pm
+++ b/extensions/EditComments/lib/WebService.pm
@@ -16,6 +16,10 @@ use Bugzilla::Error;
use Bugzilla::Util qw(trim);
use Bugzilla::WebService::Util qw(validate);
+use constant PUBLIC_METHODS => qw(
+ comments
+);
+
sub comments {
my ($self, $params) = validate(@_, 'comment_ids');
my $dbh = Bugzilla->switch_to_shadow_db();
diff --git a/extensions/Ember/lib/WebService.pm b/extensions/Ember/lib/WebService.pm
index 7a037e654..10c828537 100644
--- a/extensions/Ember/lib/WebService.pm
+++ b/extensions/Ember/lib/WebService.pm
@@ -28,6 +28,14 @@ use Bugzilla::Extension::Ember::FakeBug;
use Scalar::Util qw(blessed);
use Storable qw(dclone);
+use constant PUBLIC_METHODS => qw(
+ bug
+ create
+ get_attachments
+ search
+ show
+);
+
use constant DATE_FIELDS => {
show => ['last_updated'],
};
diff --git a/extensions/Example/lib/WebService.pm b/extensions/Example/lib/WebService.pm
index 8563ec7f0..bb83436e3 100644
--- a/extensions/Example/lib/WebService.pm
+++ b/extensions/Example/lib/WebService.pm
@@ -24,6 +24,11 @@ use warnings;
use base qw(Bugzilla::WebService);
use Bugzilla::Error;
+use constant PUBLIC_METHODS => qw(
+ hello
+ throw_an_error
+);
+
# This can be called as Example.hello() from the WebService.
sub hello { return 'Hello!'; }
diff --git a/extensions/MyDashboard/lib/WebService.pm b/extensions/MyDashboard/lib/WebService.pm
index 9e9de42be..c93553146 100644
--- a/extensions/MyDashboard/lib/WebService.pm
+++ b/extensions/MyDashboard/lib/WebService.pm
@@ -24,6 +24,13 @@ use constant READ_ONLY => qw(
run_flag_query
);
+use constant PUBLIC_METHODS => qw(
+ bug_interest_unmark
+ run_bug_query
+ run_flag_query
+ run_last_changes
+);
+
sub run_last_changes {
my ($self, $params) = @_;
diff --git a/extensions/ProdCompSearch/lib/WebService.pm b/extensions/ProdCompSearch/lib/WebService.pm
index d668809f6..b9a03eb27 100644
--- a/extensions/ProdCompSearch/lib/WebService.pm
+++ b/extensions/ProdCompSearch/lib/WebService.pm
@@ -15,6 +15,10 @@ use base qw(Bugzilla::WebService);
use Bugzilla::Error;
use Bugzilla::Util qw(detaint_natural trick_taint trim);
+use constant PUBLIC_METHODS => qw(
+ prod_comp_search
+);
+
sub prod_comp_search {
my ($self, $params) = @_;
my $user = Bugzilla->user;
diff --git a/extensions/Review/lib/WebService.pm b/extensions/Review/lib/WebService.pm
index d16ab3dd8..24d38b2f1 100644
--- a/extensions/Review/lib/WebService.pm
+++ b/extensions/Review/lib/WebService.pm
@@ -18,6 +18,11 @@ use Bugzilla::Error;
use Bugzilla::Util qw(detaint_natural trick_taint);
use Bugzilla::WebService::Util 'filter';
+use constant PUBLIC_METHODS => qw(
+ flag_activity
+ suggestions
+);
+
sub suggestions {
my ($self, $params) = @_;
my $dbh = Bugzilla->switch_to_shadow_db();
@@ -55,7 +60,7 @@ sub suggestions {
if ($component) {
push @reviewers, @{ $component->reviewers_objs };
}
- if (!@{ $component->reviewers_objs }) {
+ if (!$component || !@{ $component->reviewers_objs }) {
push @reviewers, @{ $product->reviewers_objs };
}
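Review bot: `$component->reviewers_objs` is now evaluated twice when a component is present, once for the push above and again in the new guard; hoisting it removes the repeat and makes the undef case explicit: `my @component_reviewers = $component ? @{ $component->reviewers_objs } : ();` then `push @reviewers, @component_reviewers;` and `push @reviewers, @{ $product->reviewers_objs } unless @component_reviewers;`. This assumes `$product` is always defined at this point, which the hunk does not show. The suggestions sub starts before and ends after this hunk.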