From: David Lawrence Date: Wed, 21 Jan 2015 20:42:46 +0000 (+0000) Subject: Bug 1090275: WebServices modules should maintain a whitelist of methods that are... X-Git-Tag: bugzilla-4.0.16~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=828e407526c7bd0d8ffdea6a0b2f2558fd11b9a9;p=thirdparty%2Fbugzilla.git Bug 1090275: WebServices modules should maintain a whitelist of methods that are allowed instead of allowing access to any function imported into its namespace r=dylan,a=glob --- diff --git a/Bugzilla/WebService.pm b/Bugzilla/WebService.pm index 0ca5da267d..8bc3f713b4 100644 --- a/Bugzilla/WebService.pm +++ b/Bugzilla/WebService.pm @@ -35,6 +35,10 @@ use constant LOGIN_EXEMPT => { }; # Methods that can modify data MUST not be listed here. use constant READ_ONLY => (); +# Whitelist of methods that a client is allowed to access when making +# an API call. +use constant PUBLIC_METHODS => (); + sub login_exempt { my ($class, $method) = @_; return $class->LOGIN_EXEMPT->{$method}; diff --git a/Bugzilla/WebService/Bug.pm b/Bugzilla/WebService/Bug.pm index ffa1852d0b..38665bbcbd 100644 --- a/Bugzilla/WebService/Bug.pm +++ b/Bugzilla/WebService/Bug.pm @@ -64,6 +64,22 @@ use constant READ_ONLY => qw( search ); +use constant PUBLIC_METHODS => qw( + add_attachment + add_comment + attachments + comments + create + fields + get + history + legal_values + possible_duplicates + search + update + update_see_also +); + ###################################################### # Add aliases here for old method name compatibility # ###################################################### diff --git a/Bugzilla/WebService/Bugzilla.pm b/Bugzilla/WebService/Bugzilla.pm index efc8223112..f2acdbe7e5 100644 --- a/Bugzilla/WebService/Bugzilla.pm +++ b/Bugzilla/WebService/Bugzilla.pm @@ -38,6 +38,13 @@ use constant READ_ONLY => qw( version ); +use constant PUBLIC_METHODS => qw( + extensions + time + timezone + version +); + sub version { my $self = shift; return { version => $self->type('string', BUGZILLA_VERSION) }; diff --git a/Bugzilla/WebService/Product.pm b/Bugzilla/WebService/Product.pm index b25226a45d..70f525909b 100644 --- a/Bugzilla/WebService/Product.pm +++ b/Bugzilla/WebService/Product.pm @@ -30,6 +30,13 @@ use constant READ_ONLY => qw( get_selectable_products ); ++use constant PUBLIC_METHODS => qw( ++ get ++ get_accessible_products ++ get_enterable_products ++ get_selectable_products ++); + ################################################## # Add aliases here for method name compatibility # ################################################## diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm index 90334fc7f3..1f1840d4b2 100644 --- a/Bugzilla/WebService/Server/JSONRPC.pm +++ b/Bugzilla/WebService/Server/JSONRPC.pm @@ -42,6 +42,7 @@ use Bugzilla::Util qw(correct_urlbase trim disable_utf8); use HTTP::Message; use MIME::Base64 qw(decode_base64 encode_base64); +use List::MoreUtils qw(none); ##################################### # Public JSON::RPC Method Overrides # @@ -387,6 +388,11 @@ sub _argument_type_check { } } + # Only allowed methods to be used from our whitelist + if (none { $_ eq $method} $pkg->PUBLIC_METHODS) { + ThrowUserError('unknown_method', { method => $self->bz_method_name }); + } + # This is the best time to do login checks. $self->handle_login(); diff --git a/Bugzilla/WebService/Server/XMLRPC.pm b/Bugzilla/WebService/Server/XMLRPC.pm index d237d83ec7..2e8feb045a 100644 --- a/Bugzilla/WebService/Server/XMLRPC.pm +++ b/Bugzilla/WebService/Server/XMLRPC.pm @@ -30,6 +30,9 @@ if ($ENV{MOD_PERL}) { } use Bugzilla::WebService::Constants; +use Bugzilla::Error; + +use List::MoreUtils qw(none); sub initialize { my $self = shift; @@ -64,6 +67,14 @@ sub handle_login { my ($self, $classes, $action, $uri, $method) = @_; my $class = $classes->{$uri}; my $full_method = $uri . "." . $method; + # Only allowed methods to be used from the module's whitelist + my $file = $class; + $file =~ s{::}{/}g; + $file .= ".pm"; + require $file; + if (none { $_ eq $method } $class->PUBLIC_METHODS) { + ThrowCodeError('unknown_method', { method => $full_method }); + } $self->SUPER::handle_login($class, $method, $full_method); return; } diff --git a/Bugzilla/WebService/User.pm b/Bugzilla/WebService/User.pm index 1d8c7f892c..0d4dcaf3bf 100644 --- a/Bugzilla/WebService/User.pm +++ b/Bugzilla/WebService/User.pm @@ -40,6 +40,14 @@ use constant READ_ONLY => qw( get ); +use constant PUBLIC_METHODS => qw( + create + get + login + logout + offer_account_by_email +); + ############## # User Login # ############## diff --git a/extensions/Example/lib/WebService.pm b/extensions/Example/lib/WebService.pm index 8563ec7f07..bb83436e3e 100644 --- a/extensions/Example/lib/WebService.pm +++ b/extensions/Example/lib/WebService.pm @@ -24,6 +24,11 @@ use warnings; use base qw(Bugzilla::WebService); use Bugzilla::Error; +use constant PUBLIC_METHODS => qw( + hello + throw_an_error +); + # This can be called as Example.hello() from the WebService. sub hello { return 'Hello!'; }