[bugzilla-gnome-org-upstream/4.4: 18/19] Bug 1090275: WebServices modules should maintain a whitelist of methods that are allowed instead of

From: Krzesimir Nowak <krnowak src gnome org>
To: commits-list gnome org
Cc:
Subject: [bugzilla-gnome-org-upstream/4.4: 18/19] Bug 1090275: WebServices modules should maintain a whitelist of methods that are allowed instead of
Date: Sun, 25 Jan 2015 22:55:04 +0000 (UTC)
commit ce85e36f16033d281acda5c128ab236ffe1e67fd
Author: David Lawrence <dkl mozilla com>
Date:   Wed Jan 21 20:41:11 2015 +0000

    Bug 1090275: WebServices modules should maintain a whitelist of methods that are allowed instead of 
allowing access to any function imported into its namespace
    r=dylan,a=glob

 Bugzilla/WebService.pm                |    4 ++++
 Bugzilla/WebService/Bug.pm            |   18 ++++++++++++++++++
 Bugzilla/WebService/Bugzilla.pm       |    9 +++++++++
 Bugzilla/WebService/Classification.pm |    4 ++++
 Bugzilla/WebService/Group.pm          |    5 +++++
 Bugzilla/WebService/Product.pm        |    9 +++++++++
 Bugzilla/WebService/Server/JSONRPC.pm |    6 ++++++
 Bugzilla/WebService/Server/XMLRPC.pm  |   11 +++++++++++
 Bugzilla/WebService/User.pm           |    9 +++++++++
 extensions/Example/lib/WebService.pm  |    5 +++++
 10 files changed, 80 insertions(+), 0 deletions(-)
---
diff --git a/Bugzilla/WebService.pm b/Bugzilla/WebService.pm
index ac4cd25..5646e38 100644
--- a/Bugzilla/WebService.pm
+++ b/Bugzilla/WebService.pm
@@ -23,6 +23,10 @@ use constant LOGIN_EXEMPT => { };
 # Methods that can modify data MUST not be listed here.
 use constant READ_ONLY => ();
 
+# Whitelist of methods that a client is allowed to access when making
+# an API call.
+use constant PUBLIC_METHODS => ();
+
 sub login_exempt {
     my ($class, $method) = @_;
     return $class->LOGIN_EXEMPT->{$method};
diff --git a/Bugzilla/WebService/Bug.pm b/Bugzilla/WebService/Bug.pm
index 7dedc5b..419e5aa 100644
--- a/Bugzilla/WebService/Bug.pm
+++ b/Bugzilla/WebService/Bug.pm
@@ -49,6 +49,24 @@ use constant READ_ONLY => qw(
     search
 );
 
+use constant PUBLIC_METHODS => qw(
+    add_attachment
+    add_comment
+    attachments
+    comments
+    create
+    fields
+    get
+    history
+    legal_values
+    possible_duplicates
+    render_comment
+    search
+    update
+    update_see_also
+    update_tags
+);
+
 ######################################################
 # Add aliases here for old method name compatibility #
 ######################################################
diff --git a/Bugzilla/WebService/Bugzilla.pm b/Bugzilla/WebService/Bugzilla.pm
index 9513e41..a6037e6 100644
--- a/Bugzilla/WebService/Bugzilla.pm
+++ b/Bugzilla/WebService/Bugzilla.pm
@@ -31,6 +31,15 @@ use constant READ_ONLY => qw(
     version
 );
 
+use constant PUBLIC_METHODS => qw(
+    extensions
+    last_audit_time
+    parameters
+    time
+    timezone
+    version
+);
+
 # Logged-out users do not need to know more than that.
 use constant PARAMETERS_LOGGED_OUT => qw(
     maintainer
diff --git a/Bugzilla/WebService/Classification.pm b/Bugzilla/WebService/Classification.pm
index 753b526..f2c3ec5 100644
--- a/Bugzilla/WebService/Classification.pm
+++ b/Bugzilla/WebService/Classification.pm
@@ -19,6 +19,10 @@ use constant READ_ONLY => qw(
     get
 );
 
+use constant PUBLIC_METHODS => qw(
+    get
+);
+
 sub get {
     my ($self, $params) = validate(@_, 'names', 'ids');
 
diff --git a/Bugzilla/WebService/Group.pm b/Bugzilla/WebService/Group.pm
index d7506aa..72c948a 100644
--- a/Bugzilla/WebService/Group.pm
+++ b/Bugzilla/WebService/Group.pm
@@ -13,6 +13,11 @@ use Bugzilla::Constants;
 use Bugzilla::Error;
 use Bugzilla::WebService::Util qw(validate translate params_to_objects);
 
+use constant PUBLIC_METHODS => qw(
+    create
+    update
+);
+
 use constant MAPPED_RETURNS => {
     userregexp => 'user_regexp',
     isactive => 'is_active'
diff --git a/Bugzilla/WebService/Product.pm b/Bugzilla/WebService/Product.pm
index bb61ac4..1c8d75b 100644
--- a/Bugzilla/WebService/Product.pm
+++ b/Bugzilla/WebService/Product.pm
@@ -23,6 +23,15 @@ use constant READ_ONLY => qw(
     get_selectable_products
 );
 
+use constant PUBLIC_METHODS => qw(
+    create
+    get
+    get_accessible_products
+    get_enterable_products
+    get_selectable_products
+    update
+);
+
 use constant MAPPED_FIELDS => {
     has_unconfirmed => 'allows_unconfirmed',
     is_open => 'is_active',
diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm
index c2d1e8c..aba5d31 100644
--- a/Bugzilla/WebService/Server/JSONRPC.pm
+++ b/Bugzilla/WebService/Server/JSONRPC.pm
@@ -28,6 +28,7 @@ use Bugzilla::Util qw(correct_urlbase trim disable_utf8);
 
 use HTTP::Message;
 use MIME::Base64 qw(decode_base64 encode_base64);
+use List::MoreUtils qw(none);
 
 #####################################
 # Public JSON::RPC Method Overrides #
@@ -378,6 +379,11 @@ sub _argument_type_check {
         }
     }
 
+    # Only allowed methods to be used from our whitelist
+    if (none { $_ eq $method} $pkg->PUBLIC_METHODS) {
+        ThrowUserError('unknown_method', { method => $self->bz_method_name });
+    }
+
     # This is the best time to do login checks.
     $self->handle_login();
 
diff --git a/Bugzilla/WebService/Server/XMLRPC.pm b/Bugzilla/WebService/Server/XMLRPC.pm
index 03590bd..5f9cb45 100644
--- a/Bugzilla/WebService/Server/XMLRPC.pm
+++ b/Bugzilla/WebService/Server/XMLRPC.pm
@@ -17,6 +17,9 @@ if ($ENV{MOD_PERL}) {
 }
 
 use Bugzilla::WebService::Constants;
+use Bugzilla::Error;
+
+use List::MoreUtils qw(none);
 
 # Allow WebService methods to call XMLRPC::Lite's type method directly
 BEGIN {
@@ -65,6 +68,14 @@ sub handle_login {
     my ($self, $classes, $action, $uri, $method) = @_;
     my $class = $classes->{$uri};
     my $full_method = $uri . "." . $method;
+    # Only allowed methods to be used from the module's whitelist
+    my $file = $class;
+    $file =~ s{::}{/}g;
+    $file .= ".pm";
+    require $file;
+    if (none { $_ eq $method } $class->PUBLIC_METHODS) {
+        ThrowCodeError('unknown_method', { method => $full_method });
+    }
     $self->SUPER::handle_login($class, $method, $full_method);
     return;
 }
diff --git a/Bugzilla/WebService/User.pm b/Bugzilla/WebService/User.pm
index 171017e..5a7f250 100644
--- a/Bugzilla/WebService/User.pm
+++ b/Bugzilla/WebService/User.pm
@@ -32,6 +32,15 @@ use constant READ_ONLY => qw(
     get
 );
 
+use constant PUBLIC_METHODS => qw(
+    create
+    get
+    login
+    logout
+    offer_account_by_email
+    update
+);
+
 use constant MAPPED_FIELDS => {
     email => 'login',
     full_name => 'name',
diff --git a/extensions/Example/lib/WebService.pm b/extensions/Example/lib/WebService.pm
index 659189d..56adc8c 100644
--- a/extensions/Example/lib/WebService.pm
+++ b/extensions/Example/lib/WebService.pm
@@ -11,6 +11,11 @@ use warnings;
 use base qw(Bugzilla::WebService);
 use Bugzilla::Error;
 
+use constant PUBLIC_METHODS => qw(
+    hello
+    throw_an_error
+);
+
 # This can be called as Example.hello() from the WebService.
 sub hello { return 'Hello!'; }
[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]