author | Byron Jones <glob@mozilla.com> | 2015-01-27 04:47:42 +0100 |
---|---|---|
committer | Byron Jones <glob@mozilla.com> | 2015-01-27 04:47:42 +0100 |
commit | a748745d3eb9110b0c6bcd803d8d86db8951ad43 (patch) | |
tree | ca477a3af19b85db7c546bace4ce9e93186a3b21 | |
parent | cd92366e1a3a89228917140e9c2f8747a17509b3 (diff) | |
Bug 1124437: Backport upstream bug 1090275 to bmo/4.2 to whitelist webservice api methods
-rw-r--r-- | Bugzilla/WebService.pm | 4 | ||||
-rw-r--r-- | Bugzilla/WebService/Bug.pm | 20 | ||||
-rw-r--r-- | Bugzilla/WebService/BugUserLastVisit.pm | 5 | ||||
-rw-r--r-- | Bugzilla/WebService/Bugzilla.pm | 7 | ||||
-rw-r--r-- | Bugzilla/WebService/Classification.pm | 4 | ||||
-rw-r--r-- | Bugzilla/WebService/Group.pm | 6 | ||||
-rw-r--r-- | Bugzilla/WebService/Product.pm | 8 | ||||
-rw-r--r-- | Bugzilla/WebService/Server/JSONRPC.pm | 6 | ||||
-rw-r--r-- | Bugzilla/WebService/Server/XMLRPC.pm | 11 | ||||
-rw-r--r-- | Bugzilla/WebService/User.pm | 10 | ||||
-rw-r--r-- | extensions/BMO/lib/WebService.pm | 5 | ||||
-rw-r--r-- | extensions/Bitly/lib/WebService.pm | 5 | ||||
-rw-r--r-- | extensions/EditComments/lib/WebService.pm | 4 | ||||
-rw-r--r-- | extensions/Ember/lib/WebService.pm | 8 | ||||
-rw-r--r-- | extensions/Example/lib/WebService.pm | 5 | ||||
-rw-r--r-- | extensions/MyDashboard/lib/WebService.pm | 7 | ||||
-rw-r--r-- | extensions/ProdCompSearch/lib/WebService.pm | 4 | ||||
-rw-r--r-- | extensions/Review/lib/WebService.pm | 7 |
18 files changed, 125 insertions, 1 deletions
diff --git a/Bugzilla/WebService.pm b/Bugzilla/WebService.pm
index 86fbe1fe3..beed7b63f 100644
--- a/Bugzilla/WebService.pm
+++ b/Bugzilla/WebService.pm
@@ -33,6 +33,10 @@ use constant LOGIN_EXEMPT => { };
 # Methods that can modify data MUST not be listed here.
 use constant READ_ONLY => ();
 
+# Whitelist of methods that a client is allowed to access when making
+# an API call.
+use constant PUBLIC_METHODS => ();
+
 sub login_exempt {
 my ($class, $method) = @_;
 return $class->LOGIN_EXEMPT->{$method};
diff --git a/Bugzilla/WebService/Bug.pm b/Bugzilla/WebService/Bug.pm
index 4f5b4c39c..9491a7938 100644
--- a/Bugzilla/WebService/Bug.pm
+++ b/Bugzilla/WebService/Bug.pm
@@ -88,6 +88,26 @@ use constant READ_ONLY => qw(
 search
 );
 
+use constant PUBLIC_METHODS => qw(
+ add_attachment
+ add_comment
+ attachments
+ comments
+ create
+ fields
+ get
+ history
+ legal_values
+ possible_duplicates
+ render_comment
+ search
+ search_comment_tags
+ update
+ update_attachment
+ update_comment_tags
+ update_see_also
+);
+
 use constant ATTACHMENT_MAPPED_SETTERS => {
 file_name => 'filename',
 summary => 'description',
diff --git a/Bugzilla/WebService/BugUserLastVisit.pm b/Bugzilla/WebService/BugUserLastVisit.pm
index 89a1aedd1..4bab9eb7b 100644
--- a/Bugzilla/WebService/BugUserLastVisit.pm
+++ b/Bugzilla/WebService/BugUserLastVisit.pm
@@ -17,6 +17,11 @@ use Bugzilla::Error;
 use Bugzilla::WebService::Util qw( validate filter );
 use Bugzilla::Constants;
 
+use constant PUBLIC_METHODS => qw(
+ get
+ update
+);
+
 sub update {
 my ($self, $params) = validate(@_, 'ids');
 my $user = Bugzilla->user;
diff --git a/Bugzilla/WebService/Bugzilla.pm b/Bugzilla/WebService/Bugzilla.pm
index 1fc15c3c3..7d0b5473b 100644
--- a/Bugzilla/WebService/Bugzilla.pm
+++ b/Bugzilla/WebService/Bugzilla.pm
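Review bot: The comment added above `PUBLIC_METHODS` in Bugzilla/WebService.pm does not say what the empty default means for a subclass that never overrides it: with the `none { $_ eq $method } ...->PUBLIC_METHODS` checks this commit adds to the JSON-RPC and XML-RPC servers, such a module has every call rejected with `unknown_method`. That fail-closed default is the right choice for a whitelist, but extension authors need to know the override is mandatory, so suggest adding `# Subclasses MUST override this; the default empty list rejects every method.` It would also help to state here that this list is the authoritative set of callable names, and that READ_ONLY and LOGIN_EXEMPT presumably only refine how an already-whitelisted method may be called rather than grant access on their own.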
@@ -38,6 +38,13 @@ use constant READ_ONLY => qw(
 version
 );
 
+use constant PUBLIC_METHODS => qw(
+ extensions
+ time
+ timezone
+ version
+);
+
 sub version {
 my $self = shift;
 return { version => $self->type('string', BUGZILLA_VERSION) };
diff --git a/Bugzilla/WebService/Classification.pm b/Bugzilla/WebService/Classification.pm
index 1c4226fd6..1b084eabb 100644
--- a/Bugzilla/WebService/Classification.pm
+++ b/Bugzilla/WebService/Classification.pm
@@ -20,6 +20,10 @@ use constant READ_ONLY => qw(
 get
 );
 
+use constant PUBLIC_METHODS => qw(
+ get
+);
+
 sub get {
 my ($self, $params) = validate(@_, 'names', 'ids');
 
diff --git a/Bugzilla/WebService/Group.pm b/Bugzilla/WebService/Group.pm
index d6e5a7833..7518433af 100644
--- a/Bugzilla/WebService/Group.pm
+++ b/Bugzilla/WebService/Group.pm
@@ -16,6 +16,12 @@ use Bugzilla::Constants;
 use Bugzilla::Error;
 use Bugzilla::WebService::Util qw(validate translate params_to_objects);
 
+use constant PUBLIC_METHODS => qw(
+ create
+ get
+ update
+);
+
 use constant MAPPED_RETURNS => {
 userregexp => 'user_regexp',
 isactive => 'is_active'
diff --git a/Bugzilla/WebService/Product.pm b/Bugzilla/WebService/Product.pm
index 3be46bd6d..be082c778 100644
--- a/Bugzilla/WebService/Product.pm
+++ b/Bugzilla/WebService/Product.pm
@@ -34,6 +34,14 @@ use constant READ_ONLY => qw(
 get_selectable_products
 );
 
+use constant PUBLIC_METHODS => qw(
+ create
+ get
+ get_accessible_products
+ get_enterable_products
+ get_selectable_products
+);
+
 use constant FIELD_MAP => {
 has_unconfirmed => 'allows_unconfirmed',
 is_open => 'isactive',
diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm
index 0df4240e0..b0928960b 100644
--- a/Bugzilla/WebService/Server/JSONRPC.pm
+++ b/Bugzilla/WebService/Server/JSONRPC.pm
@@ -42,6 +42,7 @@ use Bugzilla::Util;
 use HTTP::Message;
 use MIME::Base64 qw(decode_base64 encode_base64);
+use List::MoreUtils qw(none);
 
 #####################################
 # Public JSON::RPC Method Overrides #
@@ -415,6 +416,11 @@ sub _argument_type_check {
 }
 }
 
+ # Only allowed methods to be used from our whitelist
+ if (none { $_ eq $method} $pkg->PUBLIC_METHODS) {
+ ThrowCodeError('unknown_method', { method => $self->_bz_method_name });
+ }
+
 # This is the best time to do login checks.
 $self->handle_login();
 
diff --git a/Bugzilla/WebService/Server/XMLRPC.pm b/Bugzilla/WebService/Server/XMLRPC.pm
index f56fa3439..94b751c9d 100644
--- a/Bugzilla/WebService/Server/XMLRPC.pm
+++ b/Bugzilla/WebService/Server/XMLRPC.pm
@@ -30,8 +30,11 @@ if ($ENV{MOD_PERL}) {
 }
 
 use Bugzilla::WebService::Constants;
+use Bugzilla::Error;
 use Bugzilla::Util;
+use List::MoreUtils qw(none);
+
 
 BEGIN {
 # Allow WebService methods to call XMLRPC::Lite's type method directly
 *Bugzilla::WebService::type = sub {
@@ -106,6 +109,14 @@ sub handle_login {
 my ($self, $classes, $action, $uri, $method) = @_;
 my $class = $classes->{$uri};
 my $full_method = $uri . "." . $method;
+ # Only allowed methods to be used from the module's whitelist
+ my $file = $class;
+ $file =~ s{::}{/}g;
+ $file .= ".pm";
+ require $file;
+ if (none { $_ eq $method } $class->PUBLIC_METHODS) {
+ ThrowCodeError('unknown_method', { method => $full_method });
+ }
 $self->SUPER::handle_login($class, $method, $full_method);
 return;
 }
diff --git a/Bugzilla/WebService/User.pm b/Bugzilla/WebService/User.pm
index b6351635c..2f38446b8 100644
--- a/Bugzilla/WebService/User.pm
+++ b/Bugzilla/WebService/User.pm
@@ -44,6 +44,16 @@ use constant READ_ONLY => qw(
 get
 );
 
+use constant PUBLIC_METHODS => qw(
+ create
+ get
+ login
+ logout
+ offer_account_by_email
+ update
+ valid_login
+);
+
 use constant MAPPED_FIELDS => {
 email => 'login',
 full_name => 'name',
diff --git a/extensions/BMO/lib/WebService.pm b/extensions/BMO/lib/WebService.pm
index ed94aabfc..d31811de4 100644
--- a/extensions/BMO/lib/WebService.pm
+++ b/extensions/BMO/lib/WebService.pm
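Review bot: The new whitelist check in JSONRPC.pm's `_argument_type_check` is placed after the argument-conversion code that precedes it in the same function, so a request naming a method that is not in `PUBLIC_METHODS` still has all of its parameters walked and converted before it is rejected. The check depends only on `$pkg` and `$method`, both resolved earlier in the function, so it can move to the top of `_argument_type_check` (or to wherever `$pkg` is set) and reject unknown methods before any per-method work; the function starts outside this hunk, so the exact spot is not visible here. The comment also reads oddly and `{ $_ eq $method}` lacks the space before the brace that the XMLRPC.pm copy has; suggest `# Reject any method that is not in the module's PUBLIC_METHODS whitelist.` and `if (none { $_ eq $method } $pkg->PUBLIC_METHODS) {`.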
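Review bot: In XMLRPC.pm's `handle_login` the new block uses `$class` straight from `$classes->{$uri}` without checking that the lookup found anything, so if an unrecognised `$uri` reaches this point the `s{::}{/}g` on `$file` and the `$class->PUBLIC_METHODS` call fail with a Perl runtime error instead of the clean `unknown_method` code error the check is meant to raise. Unless the dispatcher already rejects unknown URIs before `handle_login` (not visible in this hunk), guard the lookup: `if (!$class || none { $_ eq $method } $class->PUBLIC_METHODS) {`. Building a file path from `$class` and `require`-ing it is only safe because `$classes` is presumably the server's own URI-to-package map rather than request data; a one-line comment stating that, `# $class comes from the server-side URI map, never from the request.`, would save the next reader from having to re-verify it.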
@@ -30,6 +30,11 @@ use Bugzilla::Util qw(detaint_natural trick_taint);
 use Bugzilla::WebService::Util qw(validate);
 use Bugzilla::Field;
 
+use constant PUBLIC_METHODS => qw(
+ getBugsConfirmer
+ getBugsVerifier
+);
+
 sub getBugsConfirmer {
 my ($self, $params) = validate(@_, 'names');
 my $dbh = Bugzilla->dbh;
diff --git a/extensions/Bitly/lib/WebService.pm b/extensions/Bitly/lib/WebService.pm
index e721103b0..b47accda6 100644
--- a/extensions/Bitly/lib/WebService.pm
+++ b/extensions/Bitly/lib/WebService.pm
@@ -25,6 +25,11 @@ use URI;
 use URI::Escape;
 use URI::QueryParam;
 
+use constant PUBLIC_METHODS => qw(
+ list
+ shorten
+);
+
 sub _validate_uri {
 my ($self, $params) = @_;
 
diff --git a/extensions/EditComments/lib/WebService.pm b/extensions/EditComments/lib/WebService.pm
index 9213f0407..2621e5f4a 100644
--- a/extensions/EditComments/lib/WebService.pm
+++ b/extensions/EditComments/lib/WebService.pm
@@ -16,6 +16,10 @@ use Bugzilla::Error;
 use Bugzilla::Util qw(trim);
 use Bugzilla::WebService::Util qw(validate);
 
+use constant PUBLIC_METHODS => qw(
+ comments
+);
+
 sub comments {
 my ($self, $params) = validate(@_, 'comment_ids');
 my $dbh = Bugzilla->switch_to_shadow_db();
diff --git a/extensions/Ember/lib/WebService.pm b/extensions/Ember/lib/WebService.pm
index 7a037e654..10c828537 100644
--- a/extensions/Ember/lib/WebService.pm
+++ b/extensions/Ember/lib/WebService.pm
@@ -28,6 +28,14 @@ use Bugzilla::Extension::Ember::FakeBug;
 use Scalar::Util qw(blessed);
 use Storable qw(dclone);
 
+use constant PUBLIC_METHODS => qw(
+ bug
+ create
+ get_attachments
+ search
+ show
+);
+
 use constant DATE_FIELDS => {
 show => ['last_updated'],
 };
diff --git a/extensions/Example/lib/WebService.pm b/extensions/Example/lib/WebService.pm
index 8563ec7f0..bb83436e3 100644
--- a/extensions/Example/lib/WebService.pm
+++ b/extensions/Example/lib/WebService.pm
@@ -24,6 +24,11 @@ use warnings;
 use base qw(Bugzilla::WebService);
 use Bugzilla::Error;
 
+use constant PUBLIC_METHODS => qw(
+ hello
+ throw_an_error
+);
+
 # This can be called as Example.hello() from the WebService.
 sub hello { return 'Hello!'; }
 
diff --git a/extensions/MyDashboard/lib/WebService.pm b/extensions/MyDashboard/lib/WebService.pm
index 9e9de42be..c93553146 100644
--- a/extensions/MyDashboard/lib/WebService.pm
+++ b/extensions/MyDashboard/lib/WebService.pm
@@ -24,6 +24,13 @@ use constant READ_ONLY => qw(
 run_flag_query
 );
 
+use constant PUBLIC_METHODS => qw(
+ bug_interest_unmark
+ run_bug_query
+ run_flag_query
+ run_last_changes
+);
+
 sub run_last_changes {
 my ($self, $params) = @_;
 
diff --git a/extensions/ProdCompSearch/lib/WebService.pm b/extensions/ProdCompSearch/lib/WebService.pm
index d668809f6..b9a03eb27 100644
--- a/extensions/ProdCompSearch/lib/WebService.pm
+++ b/extensions/ProdCompSearch/lib/WebService.pm
@@ -15,6 +15,10 @@ use base qw(Bugzilla::WebService);
 use Bugzilla::Error;
 use Bugzilla::Util qw(detaint_natural trick_taint trim);
 
+use constant PUBLIC_METHODS => qw(
+ prod_comp_search
+);
+
 sub prod_comp_search {
 my ($self, $params) = @_;
 my $user = Bugzilla->user;
diff --git a/extensions/Review/lib/WebService.pm b/extensions/Review/lib/WebService.pm
index d16ab3dd8..24d38b2f1 100644
--- a/extensions/Review/lib/WebService.pm
+++ b/extensions/Review/lib/WebService.pm
@@ -18,6 +18,11 @@ use Bugzilla::Error;
 use Bugzilla::Util qw(detaint_natural trick_taint);
 use Bugzilla::WebService::Util 'filter';
 
+use constant PUBLIC_METHODS => qw(
+ flag_activity
+ suggestions
+);
+
 sub suggestions {
 my ($self, $params) = @_;
 my $dbh = Bugzilla->switch_to_shadow_db();
@@ -55,7 +60,7 @@ sub suggestions {
 if ($component) {
 push @reviewers, @{ $component->reviewers_objs };
 }
- if (!@{ $component->reviewers_objs }) {
+ if (!$component || !@{ $component->reviewers_objs }) {
 push @reviewers, @{ $product->reviewers_objs };
 }
 
|
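Review bot: The fixed condition in Review.pm's `suggestions` now evaluates `$component->reviewers_objs` a second time when `$component` is set, right after the preceding `if ($component)` block has already fetched the same list. Collecting it once keeps the new null guard and reads more directly: `my @component_reviewers = $component ? @{ $component->reviewers_objs } : ();`, `push @reviewers, @component_reviewers;`, `push @reviewers, @{ $product->reviewers_objs } unless @component_reviewers;`. This fix is also unrelated to the method whitelisting that the rest of the commit is about, so it deserves a line in the commit message. `suggestions` starts outside the hunk.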