[#5616] - Validation fails on valid queries (org.owasp.esapi in jasperserver 4.5)

Posted by kcd on January 30, 2012 - 5:12pm
Category:
Bug report
 Priority:
Urgent
 Status:
New
Project:
JasperReports® Server
 Severity:
Major
 Resolution:
Open
Component: Reproducibility:
Always
 Assigned to:
Subscribe

Please move this to JasperReports Server bug tracker. Resolution below.
----
Any report with a stored procedure throws error since upgrading from 4.2.1 to 4.5.0. The UI says "An error has occurred. Please contact your system administrator. (6632)"

Stored procedures are valid and arguably more secure however they do not match ^\s*((?i)select)\s+[^;]+$

Users need to be able to disable or edit such security measures. Apologize if this is already possible but I haven't found it documented.

kcd's picture
kcd
864
Joined: Jul 26 2011 - 1:51am
Last seen: 8 years 10 months ago

9 Comments:

#1Posted by glen_l on February 1, 2012 - 9:23am

I am getting the same error under a different circumstance.

The pattern does not allow me to use a "with" clause followed by a select that uses a sub-query count for a column.

eg

with groups as ( some query )

select table1.*,(select count(*) from groups where table1.id = groups.1) as usage_count from table1;

#2Posted by trx1217 on February 8, 2012 - 3:51pm

Any Idea when the will be solved? We want to introduce 4.5 put we have the known Bug.

#3Posted by lesegomot on February 8, 2012 - 5:59pm

for some reason I do not seem to see this issue's id number in the "view issues" page, what does this mean? Is what kcd reported not an issue?

Thanks
L

#4Posted by kcd on February 8, 2012 - 6:07pm

This issue is still present on the issues page, perhaps vote for it and try to get the priority increased.

This bug is still a deal breaker for us because we don't allow/maintain queries in reports only stored procedures. Anyone looked at the source?

#5Posted by lucianc on February 9, 2012 - 7:23am

This bug actually belongs to the JasperReports Server project (http://jasperforge.org/projects/jasperserver), it's not a JasperReports library problem.

Regards,
Lucian

#6Posted by mmanica on February 14, 2012 - 2:18pm

it work!
modify file
\apache-tomcat\webapps\jasperserver\WEB-INF\classes\esapi\security-config.properties:

security.validation.sql.on=false

and file
\apache-tomcat\webapps\jasperserver\WEB-INF\classes\esapi\security-config.properties\validation.properties:

Validator.ValidSQL=^\\s*((?i)with\\s+.*)?((?i)select)\\s+[^;]+$

#7Posted by kcd on February 14, 2012 - 8:48pm

Thank you mmanica, this is exactly what I was looking for when I first posted on the forum!

To clarify the following regex fix should work for most cases.

webapps\jasperserver\WEB-INF\classes\esapi\security-config.properties\validation.properties
Validator.ValidSQL=^\\s*(?i)(with\\s+.*)?(select|call|exec(ute)?)\\s+[^;]+$

Alternatively turn off validation - security.validation.sql.on=false

Lucian, I hadn't realised I landed in the library bug tracker and unfortunately I don't see how to move this bug.

#8Posted by ruthran on February 22, 2017 - 2:03am

Hi,

how to fix this error in the Jasper Studio tool ?

#9Posted by ruthran on February 22, 2017 - 2:09am
  • Priority:Low» Urgent

Hi,

How to fix this error in Jasper studio tool ? I don't see any such property in the tool.

Feedback