[#5616] - Validation fails on valid queries (org.owasp.esapi in jasperserver 4.5)

Category: Bug report
Priority: Urgent
Status: New
Project:
Severity: Major
Resolution: Open
Component:
Reproducibility: Always
Assigned to: 0

Please move this to the JasperReports Server bug tracker. Resolution below.
----
Any report with a stored procedure throws an error since upgrading from 4.2.1 to 4.5.0. The UI says "An error has occurred. Please contact your system administrator. (6632)"

Stored procedures are valid and arguably more secure; however, they do not match ^\s*((?i)select)\s+[^;]+$

Users need to be able to disable or edit such security measures. Apologies if this is already possible, but I haven't found it documented.

kcd
211
Joined: Jul 26 2011 - 1:51am
Last seen: 6 years 9 months ago

9 Comments:

#1

I am getting the same error under a different circumstance.

The pattern does not allow me to use a "with" clause followed by a select that uses a sub-query count for a column.

e.g.

with groups as ( some query )

select table1.*,(select count(*) from groups where table1.id = groups.1) as usage_count from table1;

#2

Any idea when this will be solved? We want to introduce 4.5, but we have the known bug.

#3

For some reason I do not seem to see this issue's ID number in the "view issues" page. What does this mean? Is what kcd reported not an issue?

Thanks
L

#4

This issue is still present on the issues page; perhaps vote for it and try to get the priority increased.

This bug is still a deal breaker for us because we don't allow/maintain queries in reports, only stored procedures. Has anyone looked at the source?

#5

This bug actually belongs to the JasperReports Server project (http://jasperforge.org/projects/jasperserver), it's not a JasperReports library problem.

Regards,
Lucian

#6

It works!
Modify the file
\apache-tomcat\webapps\jasperserver\WEB-INF\classes\esapi\security-config.properties:

security.validation.sql.on=false

and the file
\apache-tomcat\webapps\jasperserver\WEB-INF\classes\esapi\security-config.properties\validation.properties:

Validator.ValidSQL=^\\s*((?i)with\\s+.*)?((?i)select)\\s+[^;]+$

#7

Thank you, mmanica, this is exactly what I was looking for when I first posted on the forum!

To clarify, the following regex fix should work for most cases.

webapps\jasperserver\WEB-INF\classes\esapi\security-config.properties\validation.properties
Validator.ValidSQL=^\\s*(?i)(with\\s+.*)?(select|call|exec(ute)?)\\s+[^;]+$

Alternatively, turn off validation: security.validation.sql.on=false

Lucian, I hadn't realised I had landed in the library bug tracker, and unfortunately I don't see how to move this bug.
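To see concretely what the original report's pattern rejects and what the relaxed pattern from comment #7 lets through, here is an added example that is not code from JasperReports Server, ESAPI, or anyone in this thread. It compiles the two Validator.ValidSQL patterns quoted above, plus a third, hypothetical tightening of my own, and runs them over constructed sample queries of the shapes reported here (plain SELECT, WITH clause, CALL, EXEC) and two edge cases. Assumptions: Java's inline (?i) is replaced by re.IGNORECASE, which is equivalent for these patterns; ESAPI matching the whole query string is approximated with re.match on the anchored ^...$ patterns; the sample queries and the TIGHTER pattern are mine, not the project's.

```python
"""Regex behaviour check for the ESAPI Validator.ValidSQL patterns quoted in
this thread. Added example; not code from JasperReports Server, ESAPI, or the
thread's authors.

Assumptions (not from the page): Java's inline (?i) flag is replaced by
re.IGNORECASE, which is equivalent for these patterns; ESAPI applies the
pattern to the whole query string, approximated here with re.match on the
anchored ^...$ patterns; the sample queries are constructed for this example.
"""
import re

# Pattern from the original report (the 4.5.0 default as quoted there),
# with the inline (?i) dropped in favour of re.IGNORECASE.
ORIGINAL = r"^\s*(select)\s+[^;]+$"

# Relaxed pattern from comment #7, same treatment of (?i). Note that the
# optional WITH prefix uses .* rather than [^;]*, so the semicolon guard does
# not apply to anything before the final SELECT/CALL/EXEC keyword.
RELAXED = r"^\s*(with\s+.*)?(select|call|exec(ute)?)\s+[^;]+$"

# Hypothetical tightening (my suggestion, not from the thread): keep the WITH
# prefix but restrict it to [^;]* so a semicolon anywhere still fails the check.
TIGHTER = r"^\s*(with\s+[^;]*)?(select|call|exec(ute)?)\s+[^;]+$"

# Constructed sample queries covering the shapes reported in the thread plus
# two edge cases: a trailing semicolon and a stacked statement hidden in the
# WITH prefix.
SAMPLES = {
    "plain_select": "select id, name from users where id = $P{id}",
    "with_clause": (
        "with groups as (select id from grp) "
        "select t.*, (select count(*) from groups g where t.id = g.id) "
        "as usage_count from t"
    ),
    "call_proc": "CALL report_summary($P{start_date}, $P{end_date})",
    "exec_proc": "exec dbo.report_summary @start = $P{start_date}",
    "trailing_semicolon": "select 1 from dual;",
    "stacked_after_with": "with x as (select 1) ; drop table audit ; select 1",
}


def is_valid_sql(pattern, query):
    """Return True if the whole query matches the given ValidSQL pattern."""
    return re.match(pattern, query, re.IGNORECASE) is not None


def check_all(pattern):
    """Map each sample name to whether the pattern accepts that query."""
    return {name: is_valid_sql(pattern, q) for name, q in SAMPLES.items()}


if __name__ == "__main__":
    for label, pattern in (("original", ORIGINAL), ("relaxed", RELAXED), ("tighter", TIGHTER)):
        print(label)
        for name, ok in check_all(pattern).items():
            print(f"  {name:20s} {'accept' if ok else 'reject'}")
```

Two practical notes. The doubled backslashes in validation.properties (`\\s`) are Java properties-file escaping; the pattern the validator actually compiles is the single-backslash form used here. And the ORIGINAL/RELAXED comparison shows the trade-off behind the #7 fix: it accepts the WITH, CALL and EXEC shapes people needed, but because the WITH prefix is `.*` rather than `[^;]*`, a semicolon-separated statement placed before the final SELECT passes the check, which TIGHTER closes again. Either way this check is a syntactic allowlist on the query text, not a substitute for bound parameters, and `security.validation.sql.on=false` removes it entirely, so editing the pattern is the smaller change if stored procedures are all you need.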

#8

Hi,

How do I fix this error in the Jasper Studio tool?

#9
  • Priority: Low » Urgent

Hi,

How do I fix this error in the Jasper Studio tool? I don't see any such property in the tool.
