From ce85e36f16033d281acda5c128ab236ffe1e67fd Mon Sep 17 00:00:00 2001 From: David Lawrence Date: Wed, 21 Jan 2015 20:41:11 +0000 Subject: [PATCH] Bug 1090275: WebServices modules should maintain a whitelist of methods that are allowed instead of allowing access to any function imported into its namespace r=dylan,a=glob --- Bugzilla/WebService.pm | 4 ++++ Bugzilla/WebService/Bug.pm | 18 ++++++++++++++++++ Bugzilla/WebService/Bugzilla.pm | 9 +++++++++ Bugzilla/WebService/Classification.pm | 4 ++++ Bugzilla/WebService/Group.pm | 5 +++++ Bugzilla/WebService/Product.pm | 9 +++++++++ Bugzilla/WebService/Server/JSONRPC.pm | 6 ++++++ Bugzilla/WebService/Server/XMLRPC.pm | 11 +++++++++++ Bugzilla/WebService/User.pm | 9 +++++++++ extensions/Example/lib/WebService.pm | 5 +++++ 10 files changed, 80 insertions(+) diff --git a/Bugzilla/WebService.pm b/Bugzilla/WebService.pm index ac4cd25ce5..5646e381d5 100644 --- a/Bugzilla/WebService.pm +++ b/Bugzilla/WebService.pm @@ -23,6 +23,10 @@ use constant LOGIN_EXEMPT => { }; # Methods that can modify data MUST not be listed here. use constant READ_ONLY => (); +# Whitelist of methods that a client is allowed to access when making +# an API call. +use constant PUBLIC_METHODS => (); + sub login_exempt { my ($class, $method) = @_; return $class->LOGIN_EXEMPT->{$method}; diff --git a/Bugzilla/WebService/Bug.pm b/Bugzilla/WebService/Bug.pm index 7dedc5badd..419e5aac6e 100644 --- a/Bugzilla/WebService/Bug.pm +++ b/Bugzilla/WebService/Bug.pm @@ -49,6 +49,24 @@ use constant READ_ONLY => qw( search ); +use constant PUBLIC_METHODS => qw( + add_attachment + add_comment + attachments + comments + create + fields + get + history + legal_values + possible_duplicates + render_comment + search + update + update_see_also + update_tags +); + ###################################################### # Add aliases here for old method name compatibility # ###################################################### diff --git a/Bugzilla/WebService/Bugzilla.pm b/Bugzilla/WebService/Bugzilla.pm index 9513e4183e..a6037e67ed 100644 --- a/Bugzilla/WebService/Bugzilla.pm +++ b/Bugzilla/WebService/Bugzilla.pm @@ -31,6 +31,15 @@ use constant READ_ONLY => qw( version ); +use constant PUBLIC_METHODS => qw( + extensions + last_audit_time + parameters + time + timezone + version +); + # Logged-out users do not need to know more than that. use constant PARAMETERS_LOGGED_OUT => qw( maintainer diff --git a/Bugzilla/WebService/Classification.pm b/Bugzilla/WebService/Classification.pm index 753b526382..f2c3ec51ec 100644 --- a/Bugzilla/WebService/Classification.pm +++ b/Bugzilla/WebService/Classification.pm @@ -19,6 +19,10 @@ use constant READ_ONLY => qw( get ); +use constant PUBLIC_METHODS => qw( + get +); + sub get { my ($self, $params) = validate(@_, 'names', 'ids'); diff --git a/Bugzilla/WebService/Group.pm b/Bugzilla/WebService/Group.pm index d7506aa3d9..72c948aa4e 100644 --- a/Bugzilla/WebService/Group.pm +++ b/Bugzilla/WebService/Group.pm @@ -13,6 +13,11 @@ use Bugzilla::Constants; use Bugzilla::Error; use Bugzilla::WebService::Util qw(validate translate params_to_objects); +use constant PUBLIC_METHODS => qw( + create + update +); + use constant MAPPED_RETURNS => { userregexp => 'user_regexp', isactive => 'is_active' diff --git a/Bugzilla/WebService/Product.pm b/Bugzilla/WebService/Product.pm index bb61ac434e..1c8d75bb4c 100644 --- a/Bugzilla/WebService/Product.pm +++ b/Bugzilla/WebService/Product.pm @@ -23,6 +23,15 @@ use constant READ_ONLY => qw( get_selectable_products ); +use constant PUBLIC_METHODS => qw( + create + get + get_accessible_products + get_enterable_products + get_selectable_products + update +); + use constant MAPPED_FIELDS => { has_unconfirmed => 'allows_unconfirmed', is_open => 'is_active', diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm index c2d1e8c745..aba5d310b8 100644 --- a/Bugzilla/WebService/Server/JSONRPC.pm +++ b/Bugzilla/WebService/Server/JSONRPC.pm @@ -28,6 +28,7 @@ use Bugzilla::Util qw(correct_urlbase trim disable_utf8); use HTTP::Message; use MIME::Base64 qw(decode_base64 encode_base64); +use List::MoreUtils qw(none); ##################################### # Public JSON::RPC Method Overrides # @@ -378,6 +379,11 @@ sub _argument_type_check { } } + # Only allowed methods to be used from our whitelist + if (none { $_ eq $method} $pkg->PUBLIC_METHODS) { + ThrowUserError('unknown_method', { method => $self->bz_method_name }); + } + # This is the best time to do login checks. $self->handle_login(); diff --git a/Bugzilla/WebService/Server/XMLRPC.pm b/Bugzilla/WebService/Server/XMLRPC.pm index 03590bd1cd..5f9cb45157 100644 --- a/Bugzilla/WebService/Server/XMLRPC.pm +++ b/Bugzilla/WebService/Server/XMLRPC.pm @@ -17,6 +17,9 @@ if ($ENV{MOD_PERL}) { } use Bugzilla::WebService::Constants; +use Bugzilla::Error; + +use List::MoreUtils qw(none); # Allow WebService methods to call XMLRPC::Lite's type method directly BEGIN { @@ -65,6 +68,14 @@ sub handle_login { my ($self, $classes, $action, $uri, $method) = @_; my $class = $classes->{$uri}; my $full_method = $uri . "." . $method; + # Only allowed methods to be used from the module's whitelist + my $file = $class; + $file =~ s{::}{/}g; + $file .= ".pm"; + require $file; + if (none { $_ eq $method } $class->PUBLIC_METHODS) { + ThrowCodeError('unknown_method', { method => $full_method }); + } $self->SUPER::handle_login($class, $method, $full_method); return; } diff --git a/Bugzilla/WebService/User.pm b/Bugzilla/WebService/User.pm index 171017eb79..5a7f25036f 100644 --- a/Bugzilla/WebService/User.pm +++ b/Bugzilla/WebService/User.pm @@ -32,6 +32,15 @@ use constant READ_ONLY => qw( get ); +use constant PUBLIC_METHODS => qw( + create + get + login + logout + offer_account_by_email + update +); + use constant MAPPED_FIELDS => { email => 'login', full_name => 'name', diff --git a/extensions/Example/lib/WebService.pm b/extensions/Example/lib/WebService.pm index 659189d2f9..56adc8cb8d 100644 --- a/extensions/Example/lib/WebService.pm +++ b/extensions/Example/lib/WebService.pm @@ -11,6 +11,11 @@ use warnings; use base qw(Bugzilla::WebService); use Bugzilla::Error; +use constant PUBLIC_METHODS => qw( + hello + throw_an_error +); + # This can be called as Example.hello() from the WebService. sub hello { return 'Hello!'; } -- 2.47.2