# Methods that can modify data MUST not be listed here.
use constant READ_ONLY => ();
+# Whitelist of methods that a client is allowed to access when making
+# an API call.
+use constant PUBLIC_METHODS => ();
+
sub login_exempt {
my ($class, $method) = @_;
return $class->LOGIN_EXEMPT->{$method};
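Review bot: The comment on the new `PUBLIC_METHODS` constant does not say that the empty default denies every call. Once the servers enforce the list, a WebService module or extension that does not override the constant exposes no methods at all. I would state that, and mirror the warning already on `READ_ONLY` above: `# Default is empty (deny all): each module must list every client-callable method here. Internal helper subs MUST NOT be listed.` The `login_exempt` sub after the addition continues outside the hunk.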
search
);
+use constant PUBLIC_METHODS => qw(
+ add_attachment
+ add_comment
+ attachments
+ comments
+ create
+ fields
+ get
+ history
+ legal_values
+ possible_duplicates
+ search
+ update
+ update_see_also
+);
+
######################################################
# Add aliases here for old method name compatibility #
######################################################
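Review bot: The alias section that follows the new `PUBLIC_METHODS` list is not reflected in the list, so any old method name defined there would presumably be rejected by the new server-side check even though the sub still exists. The alias definitions are outside the hunk, so this needs confirming against the full file. The same applies to the alias section after the list in the hunk that adds `get_accessible_products`. If dropping the old names is intended, a comment would help, e.g. `# Compatibility aliases below are deliberately not public; add a name here only if clients must still call it.`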
version
);
+use constant PUBLIC_METHODS => qw(
+ extensions
+ time
+ timezone
+ version
+);
+
sub version {
my $self = shift;
return { version => $self->type('string', BUGZILLA_VERSION) };
get_selectable_products
);
++use constant PUBLIC_METHODS => qw(
++ get
++ get_accessible_products
++ get_enterable_products
++ get_selectable_products
++);
+
##################################################
# Add aliases here for method name compatibility #
##################################################
use HTTP::Message;
use MIME::Base64 qw(decode_base64 encode_base64);
+use List::MoreUtils qw(none);
#####################################
# Public JSON::RPC Method Overrides #
}
}
+ # Only allowed methods to be used from our whitelist
+ if (none { $_ eq $method} $pkg->PUBLIC_METHODS) {
+ ThrowUserError('unknown_method', { method => $self->bz_method_name });
+ }
+
# This is the best time to do login checks.
$self->handle_login();
}
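Review bot: This check raises `ThrowUserError('unknown_method', ...)`, while the equivalent check added to the XML-RPC `handle_login` raises `ThrowCodeError('unknown_method', ...)`, so the same rejected call is reported through two different error classes. Unless that is deliberate, use one of them in both places and confirm the `unknown_method` tag is defined for it; the error templates are not visible in this view. The comment could also state the security intent, e.g. `# Reject any method the module does not list in PUBLIC_METHODS, before login handling and dispatch.` The enclosing sub starts outside the hunk, so how `$pkg` and `$method` are derived cannot be checked here.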
use Bugzilla::WebService::Constants;
+use Bugzilla::Error;
+
+use List::MoreUtils qw(none);
sub initialize {
my $self = shift;
my ($self, $classes, $action, $uri, $method) = @_;
my $class = $classes->{$uri};
my $full_method = $uri . "." . $method;
+ # Only allowed methods to be used from the module's whitelist
+ my $file = $class;
+ $file =~ s{::}{/}g;
+ $file .= ".pm";
+ require $file;
+ if (none { $_ eq $method } $class->PUBLIC_METHODS) {
+ ThrowCodeError('unknown_method', { method => $full_method });
+ }
$self->SUPER::handle_login($class, $method, $full_method);
return;
}
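Review bot: `$class` is read from `$classes->{$uri}` and used without a definedness check, so a `$uri` with no entry in the map would reach `require` with the file name `.pm` and fail with a raw Perl error rather than the `unknown_method` error. A guard before `my $file = $class;` would keep the rejection uniform: `ThrowCodeError('unknown_method', { method => $full_method }) unless defined $class;`. Whether an unknown `$uri` is already rejected earlier is not visible in this hunk. The `require $file` is safe only because `$class` appears to come from the server's own map and not from the request; a comment such as `# $class comes from the dispatch map, never from request data` would record that assumption.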
get
);
+use constant PUBLIC_METHODS => qw(
+ create
+ get
+ login
+ logout
+ offer_account_by_email
+);
+
##############
# User Login #
##############
use base qw(Bugzilla::WebService);
use Bugzilla::Error;
+use constant PUBLIC_METHODS => qw(
+ hello
+ throw_an_error
+);
+
# This can be called as Example.hello() from the WebService.
sub hello { return 'Hello!'; }