diff --git a/fineract-provider/src/main/java/org/apache/fineract/accounting/provisioning/service/ProvisioningEntriesReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/accounting/provisioning/service/ProvisioningEntriesReadPlatformServiceImpl.java
index 69ec7286566..bb8994d3fb9 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/accounting/provisioning/service/ProvisioningEntriesReadPlatformServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/accounting/provisioning/service/ProvisioningEntriesReadPlatformServiceImpl.java
@@ -57,28 +57,27 @@ public ProvisioningEntriesReadPlatformServiceImpl(final RoutingDataSource dataSo @Override public Collection retrieveLoanProductsProvisioningData(Date date) { String formattedDate = new SimpleDateFormat("yyyy-MM-dd").format(date); - formattedDate = "'" + formattedDate + "'"; - LoanProductProvisioningEntryMapper mapper = new LoanProductProvisioningEntryMapper(formattedDate); + LoanProductProvisioningEntryMapper mapper = new LoanProductProvisioningEntryMapper(); final String sql = mapper.schema(); - return this.jdbcTemplate.query(sql, mapper, new Object[] {}); + return this.jdbcTemplate.query(sql, mapper, new Object[] { formattedDate, formattedDate, formattedDate }); } private static final class LoanProductProvisioningEntryMapper implements RowMapper { private final StringBuilder sqlQuery; - private LoanProductProvisioningEntryMapper(String formattedDate) { + private LoanProductProvisioningEntryMapper() { sqlQuery = new StringBuilder().append( "select if(loan.loan_type_enum=1, mclient.office_id, mgroup.office_id) as office_id, loan.loan_type_enum, pcd.criteria_id as criteriaid, loan.product_id,loan.currency_code,") - .append("GREATEST(datediff(").append(formattedDate) + .append("GREATEST(datediff(?") .append(",sch.duedate),0) as numberofdaysoverdue,sch.duedate, pcd.category_id, pcd.provision_percentage,") .append("loan.total_outstanding_derived as outstandingbalance, pcd.liability_account, pcd.expense_account from m_loan_repayment_schedule sch") .append(" LEFT JOIN m_loan loan on sch.loan_id = loan.id") .append(" JOIN m_loanproduct_provisioning_mapping lpm on lpm.product_id = loan.product_id") .append(" JOIN m_provisioning_criteria_definition pcd on pcd.criteria_id = lpm.criteria_id and ") - .append("(pcd.min_age <= GREATEST(datediff(").append(formattedDate).append(",sch.duedate),0) and ") - .append("GREATEST(datediff(").append(formattedDate).append(",sch.duedate),0) <= pcd.max_age) and ") - .append("pcd.criteria_id is not null ").append("LEFT 
JOIN m_client mclient ON mclient.id = loan.client_id ") + .append("(pcd.min_age <= GREATEST(datediff(?,sch.duedate),0) and GREATEST(datediff(?") + .append(",sch.duedate),0) <= pcd.max_age) and pcd.criteria_id is not null ") + .append("LEFT JOIN m_client mclient ON mclient.id = loan.client_id ") .append("LEFT JOIN m_group mgroup ON mgroup.id = loan.group_id ") .append("where loan.loan_status_id=300 and sch.duedate = ") .append("(select MIN(sch1.duedate) from m_loan_repayment_schedule sch1 where sch1.loan_id=loan.id and sch1.completed_derived=false)"); diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/campaigns/email/service/EmailReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/campaigns/email/service/EmailReadPlatformServiceImpl.java index 7465a48e2be..71b83328409 100644 --- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/campaigns/email/service/EmailReadPlatformServiceImpl.java +++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/campaigns/email/service/EmailReadPlatformServiceImpl.java 
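Review bot: The three `?` placeholders are bound to `formattedDate`, a `String` produced by `SimpleDateFormat`, so the database is left to coerce text into a date inside each `datediff`; binding a typed value instead, `final java.sql.Date asOf = new java.sql.Date(date.getTime());` and `new Object[] { asOf, asOf, asOf }`, removes the implicit conversion and the format string (assuming the JDBC driver and the session time zone agree, which the string form also assumes). Either way the binding now happens far from the SQL text, which is assembled in the mapper constructor, so a comment at the argument array such as `// all three ? are the as-of date: numberofdaysoverdue, min_age and max_age comparisons` would help the next reader keep the count and order right. The rest of `LoanProductProvisioningEntryMapper` is outside the hunk.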
@@ -130,46 +130,41 @@ public EmailData retrieveOne(final Long resourceId) { @Override public Collection retrieveAllPending(final SearchParameters searchParameters) { final String sqlPlusLimit = (searchParameters.getLimit() > 0) ? " limit 0, " + searchParameters.getLimit() : ""; - final String sql = "select " + this.emailRowMapper.schema() + " where emo.status_enum = " - + EmailMessageStatusType.PENDING.getValue() + sqlPlusLimit; + final String sql = "select " + this.emailRowMapper.schema() + " where emo.status_enum =? " + sqlPlusLimit; - return this.jdbcTemplate.query(sql, this.emailRowMapper, new Object[] {}); + return this.jdbcTemplate.query(sql, this.emailRowMapper, EmailMessageStatusType.PENDING.getValue()); } @Override public Collection retrieveAllSent(final SearchParameters searchParameters) { final String sqlPlusLimit = (searchParameters.getLimit() > 0) ? " limit 0, " + searchParameters.getLimit() : ""; - final String sql = "select " + this.emailRowMapper.schema() + " where emo.status_enum = " + EmailMessageStatusType.SENT.getValue() - + sqlPlusLimit; + final String sql = "select " + this.emailRowMapper.schema() + " where emo.status_enum = ?" + sqlPlusLimit; - return this.jdbcTemplate.query(sql, this.emailRowMapper, new Object[] {}); + return this.jdbcTemplate.query(sql, this.emailRowMapper, EmailMessageStatusType.SENT.getValue()); } @Override public List retrieveExternalIdsOfAllSent(final Integer limit) { final String sqlPlusLimit = (limit > 0) ? " limit 0, " + limit : ""; - final String sql = "select external_id from " + this.emailRowMapper.tableName() + " where status_enum = " - + EmailMessageStatusType.SENT.getValue() + sqlPlusLimit; + final String sql = "select external_id from " + this.emailRowMapper.tableName() + " where status_enum =? 
" + sqlPlusLimit; - return this.jdbcTemplate.queryForList(sql, Long.class); + return this.jdbcTemplate.queryForList(sql, Long.class, EmailMessageStatusType.SENT.getValue()); } @Override public Collection retrieveAllDelivered(final Integer limit) { final String sqlPlusLimit = (limit > 0) ? " limit 0, " + limit : ""; - final String sql = "select " + this.emailRowMapper.schema() + " where emo.status_enum = " - + EmailMessageStatusType.DELIVERED.getValue() + sqlPlusLimit; + final String sql = "select " + this.emailRowMapper.schema() + " where emo.status_enum = ?" + sqlPlusLimit; - return this.jdbcTemplate.query(sql, this.emailRowMapper, new Object[] {}); + return this.jdbcTemplate.query(sql, this.emailRowMapper, EmailMessageStatusType.DELIVERED.getValue()); } @Override public Collection retrieveAllFailed(final SearchParameters searchParameters) { final String sqlPlusLimit = (searchParameters.getLimit() > 0) ? " limit 0, " + searchParameters.getLimit() : ""; - final String sql = "select " + this.emailRowMapper.schema() + " where emo.status_enum = " + EmailMessageStatusType.FAILED.getValue() - + sqlPlusLimit; + final String sql = "select " + this.emailRowMapper.schema() + " where emo.status_enum = ?" + sqlPlusLimit; - return this.jdbcTemplate.query(sql, this.emailRowMapper, new Object[] {}); + return this.jdbcTemplate.query(sql, this.emailRowMapper, EmailMessageStatusType.FAILED.getValue()); } @Override diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/configuration/service/ConfigurationReadPlatformServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/configuration/service/ConfigurationReadPlatformServiceImpl.java index 1034401ded7..65eaec1f7dd 100644 --- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/configuration/service/ConfigurationReadPlatformServiceImpl.java 
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/configuration/service/ConfigurationReadPlatformServiceImpl.java @@ -56,12 +56,13 @@ public GlobalConfigurationData retrieveGlobalConfiguration(final boolean survey) if (survey) { sql += " JOIN x_registered_table on x_registered_table.registered_table_name = c.name "; - sql += " WHERE x_registered_table.category =" + DataTableApiConstant.CATEGORY_PPI; + sql += " WHERE x_registered_table.category = ?"; } sql += " order by c.id"; - final List globalConfiguration = this.jdbcTemplate.query(sql, this.rm, new Object[] {}); + final List globalConfiguration = this.jdbcTemplate.query(sql, this.rm, + survey ? new Object[] { DataTableApiConstant.CATEGORY_PPI } : new Object[] {}); return new GlobalConfigurationData(globalConfiguration); } diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadReportingServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadReportingServiceImpl.java index 43584f3588e..cd538e33c79 100644 --- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadReportingServiceImpl.java +++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/ReadReportingServiceImpl.java @@ -38,7 +38,6 @@ import java.util.Set; import javax.sql.DataSource; import javax.ws.rs.core.StreamingOutput; -import org.apache.commons.lang3.StringUtils; import org.apache.fineract.infrastructure.core.domain.JdbcSupport; import org.apache.fineract.infrastructure.core.exception.PlatformDataIntegrityException; import org.apache.fineract.infrastructure.core.service.RoutingDataSource; 
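Review bot: The `?` and its argument for the `survey` case are decided in two separate conditionals (`sql += " WHERE x_registered_table.category = ?"` and `survey ? new Object[] { DataTableApiConstant.CATEGORY_PPI } : new Object[] {}`), so a later edit to one branch can silently leave the placeholder count and the argument count out of step. Building the arguments next to the SQL, e.g. `final List<Object> args = new ArrayList<>();` and `args.add(DataTableApiConstant.CATEGORY_PPI);` inside the same `if (survey)` block, then `this.jdbcTemplate.query(sql, this.rm, args.toArray())`, keeps them together (if `ArrayList` is not already imported, an import is needed). `retrieveGlobalConfiguration` begins outside the hunk.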
@@ -51,8 +50,6 @@ import org.apache.fineract.infrastructure.dataqueries.exception.ReportNotFoundException; import org.apache.fineract.infrastructure.documentmanagement.contentrepository.FileSystemContentRepository; import org.apache.fineract.infrastructure.security.service.PlatformSecurityContext; -import org.apache.fineract.infrastructure.security.utils.ColumnValidator; -import org.apache.fineract.infrastructure.security.utils.SQLInjectionException; import org.apache.fineract.useradministration.domain.AppUser; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -66,22 +63,19 @@ public class ReadReportingServiceImpl implements ReadReportingService { private static final Logger LOG = LoggerFactory.getLogger(ReadReportingServiceImpl.class); - private static final String REPORT_NAME_REGEX_PATTERN = "^[a-zA-Z][a-zA-Z0-9\\-_\\s]{0,48}[a-zA-Z0-9\\s](\\([a-zA-Z]*\\))?$"; private final JdbcTemplate jdbcTemplate; private final DataSource dataSource; private final PlatformSecurityContext context; private final GenericDataService genericDataService; - private final ColumnValidator columnValidator; @Autowired public ReadReportingServiceImpl(final PlatformSecurityContext context, final RoutingDataSource dataSource, - final GenericDataService genericDataService, final ColumnValidator columnValidator) { + final GenericDataService genericDataService) { this.context = context; this.dataSource = dataSource; this.jdbcTemplate = new JdbcTemplate(this.dataSource); this.genericDataService = genericDataService; - this.columnValidator = columnValidator; } @Override 
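Review bot: The constructor drops `columnValidator` and the class drops `REPORT_NAME_REGEX_PATTERN`, and the last hunk of this file (old line 568 onward) deletes `validateReportName`, but no hunk in this diff shows what now validates report names or the `queryParams` values that `sqlToRunForSmsEmailCampaign` splices into the report SQL through `this.genericDataService.replace(sql, key, pValue)`. If that check moved elsewhere (the hunk at old line 204 is not fully readable here), a comment on the constructor or on `sqlToRunForSmsEmailCampaign` naming where validation now happens would stop the next reader from assuming none exists; if it did not move, the report-name check should be retained, since the value ends up inside SQL that is executed. `ReadReportingServiceImpl` continues outside this hunk.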
@@ -204,13 +198,12 @@ private String getSQLtoRun(final String name, final String type, final Map retrieveReports(final Long id) { final String sql = rm.schema(id); - final Collection rpJoins = this.jdbcTemplate.query(sql, rm); + final Collection rpJoins = this.jdbcTemplate.query(sql, rm, + id != null ? new Object[] { id } : new Object[] {}); final Collection reportList = new ArrayList<>(); if (rpJoins == null || rpJoins.size() == 0) { @@ -416,7 +407,7 @@ public String schema(final Long reportId) { sql += " from stretchy_report r" + " left join stretchy_report_parameter rp on rp.report_id = r.id" + " left join stretchy_parameter p on p.id = rp.parameter_id"; if (reportId != null) { - sql += " where r.id = " + reportId; + sql += " where r.id = ?"; } else { sql += " order by r.id, rp.parameter_id"; } @@ -498,7 +489,6 @@ private String sqlToRunForSmsEmailCampaign(final String name, final String type, final Set keys = queryParams.keySet(); for (String key : keys) { final String pValue = queryParams.get(key); - // LOG.info("(" + key + " : " + pValue + ")"); key = "${" + key + "}"; sql = this.genericDataService.replace(sql, key, pValue); } @@ -568,10 +558,4 @@ public ByteArrayOutputStream generatePentahoReportAsOutputStream(final String re */ return null; } - - private void validateReportName(final String name) { - if (!StringUtils.isBlank(name) && !name.matches(REPORT_NAME_REGEX_PATTERN)) { - throw new SQLInjectionException(); - } - } } diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/service/BasicAuthTenantDetailsServiceJdbc.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/service/BasicAuthTenantDetailsServiceJdbc.java index c0783d6aac1..bbbff0af544 100644 --- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/service/BasicAuthTenantDetailsServiceJdbc.java 
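Review bot: The `?` appended in `schema(reportId)` is satisfied by an argument array built in `retrieveReports` from the same `id != null` test, so the placeholder and its binding live in two different methods and must be changed together. A one-line comment at the `query` call, `// schema(id) adds " where r.id = ?" only when id is non-null; the argument array must match`, records that coupling. Both `schema` and `retrieveReports` begin outside their hunks, and the hunk starting at old line 204 is not readable in this view, so I cannot tell what else it changes.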
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/service/BasicAuthTenantDetailsServiceJdbc.java @@ -138,7 +138,7 @@ public FineractPlatformTenant loadTenantById(final String tenantIdentifier, fina try { final TenantMapper rm = new TenantMapper(isReport); - final String sql = "select " + rm.schema() + " where t.identifier like ?"; + final String sql = "select " + rm.schema() + " where t.identifier = ?"; return this.jdbcTemplate.queryForObject(sql, rm, new Object[] { tenantIdentifier }); } catch (final EmptyResultDataAccessException e) { diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/service/JdbcTenantDetailsService.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/service/JdbcTenantDetailsService.java index dd1551a149b..4e645bf49c5 100644 --- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/service/JdbcTenantDetailsService.java +++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/service/JdbcTenantDetailsService.java @@ -131,7 +131,7 @@ public FineractPlatformTenant loadTenantById(final String tenantIdentifier) { try { final TenantMapper rm = new TenantMapper(); - final String sql = "select " + rm.schema() + " where t.identifier like ?"; + final String sql = "select " + rm.schema() + " where t.identifier = ?"; return this.jdbcTemplate.queryForObject(sql, rm, new Object[] { tenantIdentifier }); } catch (final EmptyResultDataAccessException e) { diff --git a/fineract-provider/src/main/resources/sql/migrations/list_db/V6__add_unique_tenant_identifier.sql b/fineract-provider/src/main/resources/sql/migrations/list_db/V6__add_unique_tenant_identifier.sql new file mode 100644 index 00000000000..f94da8fa353 --- /dev/null +++ b/fineract-provider/src/main/resources/sql/migrations/list_db/V6__add_unique_tenant_identifier.sql 
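Review bot: Replacing `like ?` with `= ?` in both `loadTenantById` implementations is the right fix (with `like`, a `%` or `_` in the supplied identifier acted as a wildcard), and it is the V6 migration's UNIQUE constraint in this same commit that makes `queryForObject` safe from a multi-row result, which `catch (final EmptyResultDataAccessException e)` would not handle. That dependency is invisible at the call site; a comment above the `sql` line, `// exact match; tenants.identifier is UNIQUE (V6 migration), so at most one row`, ties the two together. The same query is duplicated in `BasicAuthTenantDetailsServiceJdbc` and `JdbcTenantDetailsService`, so any later change has to be made twice. The remainder of each method is outside the hunk.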
@@ -0,0 +1,20 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one +-- or more contributor license agreements. See the NOTICE file +-- distributed with this work for additional information +-- regarding copyright ownership. The ASF licenses this file +-- to you under the Apache License, Version 2.0 (the +-- "License"); you may not use this file except in compliance +-- with the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, +-- software distributed under the License is distributed on an +-- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +-- KIND, either express or implied. See the License for the +-- specific language governing permissions and limitations +-- under the License. +-- + +ALTER TABLE tenants ADD UNIQUE (identifier);
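Review bot: `ALTER TABLE tenants ADD UNIQUE (identifier)` fails if a deployment already holds two tenant rows with the same identifier, and the constraint is left unnamed, so a later migration cannot drop or reference it portably. Naming it, e.g. `ALTER TABLE tenants ADD CONSTRAINT uk_tenants_identifier UNIQUE (identifier);` (constructed name), and a short comment stating that duplicate identifiers must be resolved before upgrading would make the failure mode explicit to operators.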