aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDavid Lawrence <dkl@mozilla.com>2015-01-21 20:40:07 +0000
committerDavid Lawrence <dkl@mozilla.com>2015-01-21 20:40:07 +0000
commit211464d955dc76a67afcda8e87a1462e28dbbb83 (patch)
treeef3b63c936833cb2e1cd78438f37a67824f5b24b
parentBug 1079065: [SECURITY] Always use the 3 arguments form for open() to prevent... (diff)
downloadbugzilla-211464d955dc76a67afcda8e87a1462e28dbbb83.tar.gz
bugzilla-211464d955dc76a67afcda8e87a1462e28dbbb83.tar.bz2
bugzilla-211464d955dc76a67afcda8e87a1462e28dbbb83.zip
Bug 1090275: WebServices modules should maintain a whitelist of methods that are allowed instead of allowing access to any function imported into its namespace
r=dylan,a=glob
-rw-r--r--Bugzilla/WebService.pm4
-rw-r--r--Bugzilla/WebService/Bug.pm21
-rw-r--r--Bugzilla/WebService/BugUserLastVisit.pm5
-rw-r--r--Bugzilla/WebService/Bugzilla.pm9
-rw-r--r--Bugzilla/WebService/Classification.pm4
-rw-r--r--Bugzilla/WebService/Component.pm4
-rw-r--r--Bugzilla/WebService/FlagType.pm6
-rw-r--r--Bugzilla/WebService/Group.pm6
-rw-r--r--Bugzilla/WebService/Product.pm9
-rw-r--r--Bugzilla/WebService/Server/JSONRPC.pm6
-rw-r--r--Bugzilla/WebService/Server/XMLRPC.pm11
-rw-r--r--Bugzilla/WebService/User.pm10
-rw-r--r--extensions/Example/lib/WebService.pm5
13 files changed, 100 insertions, 0 deletions
diff --git a/Bugzilla/WebService.pm b/Bugzilla/WebService.pm
index 1bdeb49d1..f80813744 100644
--- a/Bugzilla/WebService.pm
+++ b/Bugzilla/WebService.pm
@@ -27,6 +27,10 @@ use constant LOGIN_EXEMPT => { };
# Methods that can modify data MUST not be listed here.
use constant READ_ONLY => ();
+# Whitelist of methods that a client is allowed to access when making
+# an API call.
+use constant PUBLIC_METHODS => ();
+
sub login_exempt {
my ($class, $method) = @_;
return $class->LOGIN_EXEMPT->{$method};
diff --git a/Bugzilla/WebService/Bug.pm b/Bugzilla/WebService/Bug.pm
index 45110cc67..60ca6b6c3 100644
--- a/Bugzilla/WebService/Bug.pm
+++ b/Bugzilla/WebService/Bug.pm
@@ -62,6 +62,27 @@ use constant READ_ONLY => qw(
search
);
+use constant PUBLIC_METHODS => qw(
+ add_attachment
+ add_comment
+ attachments
+ comments
+ create
+ fields
+ get
+ history
+ legal_values
+ possible_duplicates
+ render_comment
+ search
+ search_comment_tags
+ update
+ update_attachment
+ update_comment_tags
+ update_see_also
+ update_tags
+);
+
use constant ATTACHMENT_MAPPED_SETTERS => {
file_name => 'filename',
summary => 'description',
diff --git a/Bugzilla/WebService/BugUserLastVisit.pm b/Bugzilla/WebService/BugUserLastVisit.pm
index a29d2633b..19a56ff46 100644
--- a/Bugzilla/WebService/BugUserLastVisit.pm
+++ b/Bugzilla/WebService/BugUserLastVisit.pm
@@ -18,6 +18,11 @@ use Bugzilla::Error;
use Bugzilla::WebService::Util qw( validate filter );
use Bugzilla::Constants;
+use constant PUBLIC_METHODS => qw(
+ get
+ update
+);
+
sub update {
my ($self, $params) = validate(@_, 'ids');
my $user = Bugzilla->user;
diff --git a/Bugzilla/WebService/Bugzilla.pm b/Bugzilla/WebService/Bugzilla.pm
index 8333f99c4..ad2bf32de 100644
--- a/Bugzilla/WebService/Bugzilla.pm
+++ b/Bugzilla/WebService/Bugzilla.pm
@@ -34,6 +34,15 @@ use constant READ_ONLY => qw(
version
);
+use constant PUBLIC_METHODS => qw(
+ extensions
+ last_audit_time
+ parameters
+ time
+ timezone
+ version
+);
+
# Logged-out users do not need to know more than that.
use constant PARAMETERS_LOGGED_OUT => qw(
maintainer
diff --git a/Bugzilla/WebService/Classification.pm b/Bugzilla/WebService/Classification.pm
index 8e1b3ae8a..cee597b68 100644
--- a/Bugzilla/WebService/Classification.pm
+++ b/Bugzilla/WebService/Classification.pm
@@ -21,6 +21,10 @@ use constant READ_ONLY => qw(
get
);
+use constant PUBLIC_METHODS => qw(
+ get
+);
+
sub get {
my ($self, $params) = validate(@_, 'names', 'ids');
diff --git a/Bugzilla/WebService/Component.pm b/Bugzilla/WebService/Component.pm
index 893e244b8..4d6723d8b 100644
--- a/Bugzilla/WebService/Component.pm
+++ b/Bugzilla/WebService/Component.pm
@@ -19,6 +19,10 @@ use Bugzilla::Error;
use Bugzilla::WebService::Constants;
use Bugzilla::WebService::Util qw(translate params_to_objects validate);
+use constant PUBLIC_METHODS => qw(
+ create
+);
+
use constant MAPPED_FIELDS => {
default_assignee => 'initialowner',
default_qa_contact => 'initialqacontact',
diff --git a/Bugzilla/WebService/FlagType.pm b/Bugzilla/WebService/FlagType.pm
index cf654e659..9723d4735 100644
--- a/Bugzilla/WebService/FlagType.pm
+++ b/Bugzilla/WebService/FlagType.pm
@@ -21,6 +21,12 @@ use Bugzilla::Util qw(trim);
use List::MoreUtils qw(uniq);
+use constant PUBLIC_METHODS => qw(
+ create
+ get
+ update
+);
+
sub get {
my ($self, $params) = @_;
my $dbh = Bugzilla->switch_to_shadow_db();
diff --git a/Bugzilla/WebService/Group.pm b/Bugzilla/WebService/Group.pm
index d0ee6fdba..468575a35 100644
--- a/Bugzilla/WebService/Group.pm
+++ b/Bugzilla/WebService/Group.pm
@@ -16,6 +16,12 @@ use Bugzilla::Constants;
use Bugzilla::Error;
use Bugzilla::WebService::Util qw(validate translate params_to_objects);
+use constant PUBLIC_METHODS => qw(
+ create
+ get
+ update
+);
+
use constant MAPPED_RETURNS => {
userregexp => 'user_regexp',
isactive => 'is_active'
diff --git a/Bugzilla/WebService/Product.pm b/Bugzilla/WebService/Product.pm
index 0e78836bf..f38972bc1 100644
--- a/Bugzilla/WebService/Product.pm
+++ b/Bugzilla/WebService/Product.pm
@@ -26,6 +26,15 @@ use constant READ_ONLY => qw(
get_selectable_products
);
+use constant PUBLIC_METHODS => qw(
+ create
+ get
+ get_accessible_products
+ get_enterable_products
+ get_selectable_products
+ update
+);
+
use constant MAPPED_FIELDS => {
has_unconfirmed => 'allows_unconfirmed',
is_open => 'is_active',
diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm
index 6cda47480..0b2995a66 100644
--- a/Bugzilla/WebService/Server/JSONRPC.pm
+++ b/Bugzilla/WebService/Server/JSONRPC.pm
@@ -31,6 +31,7 @@ use Bugzilla::Util;
use HTTP::Message;
use MIME::Base64 qw(decode_base64 encode_base64);
+use List::MoreUtils qw(none);
#####################################
# Public JSON::RPC Method Overrides #
@@ -404,6 +405,11 @@ sub _argument_type_check {
}
}
+ # Only allowed methods to be used from our whitelist
+ if (none { $_ eq $method} $pkg->PUBLIC_METHODS) {
+ ThrowUserError('unknown_method', { method => $self->bz_method_name });
+ }
+
# This is the best time to do login checks.
$self->handle_login();
diff --git a/Bugzilla/WebService/Server/XMLRPC.pm b/Bugzilla/WebService/Server/XMLRPC.pm
index 56b31ffef..a49ac2033 100644
--- a/Bugzilla/WebService/Server/XMLRPC.pm
+++ b/Bugzilla/WebService/Server/XMLRPC.pm
@@ -20,8 +20,11 @@ if ($ENV{MOD_PERL}) {
}
use Bugzilla::WebService::Constants;
+use Bugzilla::Error;
use Bugzilla::Util;
+use List::MoreUtils qw(none);
+
BEGIN {
# Allow WebService methods to call XMLRPC::Lite's type method directly
*Bugzilla::WebService::type = sub {
@@ -96,6 +99,14 @@ sub handle_login {
my ($self, $classes, $action, $uri, $method) = @_;
my $class = $classes->{$uri};
my $full_method = $uri . "." . $method;
+ # Only allowed methods to be used from the module's whitelist
+ my $file = $class;
+ $file =~ s{::}{/}g;
+ $file .= ".pm";
+ require $file;
+ if (none { $_ eq $method } $class->PUBLIC_METHODS) {
+ ThrowCodeError('unknown_method', { method => $full_method });
+ }
$self->SUPER::handle_login($class, $method, $full_method);
return;
}
diff --git a/Bugzilla/WebService/User.pm b/Bugzilla/WebService/User.pm
index f3b8bf703..06698668c 100644
--- a/Bugzilla/WebService/User.pm
+++ b/Bugzilla/WebService/User.pm
@@ -32,6 +32,16 @@ use constant READ_ONLY => qw(
get
);
+use constant PUBLIC_METHODS => qw(
+ create
+ get
+ login
+ logout
+ offer_account_by_email
+ update
+ valid_login
+);
+
use constant MAPPED_FIELDS => {
email => 'login',
full_name => 'name',
diff --git a/extensions/Example/lib/WebService.pm b/extensions/Example/lib/WebService.pm
index c8c120616..d8a96b5f5 100644
--- a/extensions/Example/lib/WebService.pm
+++ b/extensions/Example/lib/WebService.pm
@@ -13,6 +13,11 @@ use warnings;
use parent qw(Bugzilla::WebService);
use Bugzilla::Error;
+use constant PUBLIC_METHODS => qw(
+ hello
+ throw_an_error
+);
+
# This can be called as Example.hello() from the WebService.
sub hello { return 'Hello!'; }