Index: lams_common/src/java/org/lamsfoundation/lams/dao/hibernate/LAMSBaseDAO.java
===================================================================
diff -u -rf7fae354123a6a697f51884253e0e8900c3bfcea -r3248d9808412f06775532829889bb22b76da3a9e
--- lams_common/src/java/org/lamsfoundation/lams/dao/hibernate/LAMSBaseDAO.java (.../LAMSBaseDAO.java) (revision f7fae354123a6a697f51884253e0e8900c3bfcea)
+++ lams_common/src/java/org/lamsfoundation/lams/dao/hibernate/LAMSBaseDAO.java (.../LAMSBaseDAO.java) (revision 3248d9808412f06775532829889bb22b76da3a9e)
@@ -51,6 +51,8 @@
 private static final String EQUAL_TO_WHAT = "=?";
 private static final String LIKE_WHAT = " like ?";
 
+ private static final String QUERY_PART_SANITISE_REGEX = "\\w+";
+
 private static Logger log = Logger.getLogger(LAMSBaseDAO.class);
 
 @Autowired
@@ -618,10 +620,9 @@
 getSessionFactory().getCurrentSession().evict(o);
 }
 
- public static void sanitiseOrderBy(String sortOrder) {
- if (StringUtils.isNotBlank(sortOrder)
- && !(sortOrder.equalsIgnoreCase("asc") || sortOrder.equalsIgnoreCase("desc"))) {
- throw new IllegalArgumentException("Sort order must be one of \"asc\" or \"desc\"");
+ public static void sanitiseQueryPart(String queryPart) {
+ if (StringUtils.isNotBlank(queryPart) && !queryPart.strip().matches(QUERY_PART_SANITISE_REGEX)) {
+ throw new IllegalArgumentException("Query part contains forbidden characters: " + queryPart);
 }
 }
 }
\ No newline at end of file
Index: lams_common/src/java/org/lamsfoundation/lams/qb/dao/hibernate/QbDAO.java
===================================================================
diff -u -rf7fae354123a6a697f51884253e0e8900c3bfcea -r3248d9808412f06775532829889bb22b76da3a9e
--- lams_common/src/java/org/lamsfoundation/lams/qb/dao/hibernate/QbDAO.java (.../QbDAO.java) (revision f7fae354123a6a697f51884253e0e8900c3bfcea)
+++ lams_common/src/java/org/lamsfoundation/lams/qb/dao/hibernate/QbDAO.java (.../QbDAO.java) (revision 3248d9808412f06775532829889bb22b76da3a9e)
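Review bot: `QUERY_PART_SANITISE_REGEX` needs a comment stating what it is meant to admit, because its safety rests on two properties that are not obvious at the declaration: `String.matches` anchors the pattern to the whole input, and `\w` is ASCII-only in Java unless `UNICODE_CHARACTER_CLASS` is set. Suggested: `// allow-list for identifiers spliced into query text: a single run of ASCII letters, digits or underscore; String.matches() anchors the whole input`. Qualified names such as `table.column`, and anything containing whitespace or punctuation, are rejected by it, which looks intended but is worth saying explicitly.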
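Review bot: Replacing the asc/desc check with the generic `\w+` allow-list weakens validation of the sort direction at every call site that still appends `sortOrder` or `orderDirection` straight after ORDER BY (QbDAO @@ -294 and @@ -493, GradebookDAO @@ -270, -339, -407, -468 and -537, AssessmentUserDAOHibernate @@ -132 and -237): any single word such as `foo` now passes and surfaces as a database syntax error instead of an IllegalArgumentException. Keep the removed `sanitiseOrderBy` (the four `-` lines of this hunk) as a separate method and call it for direction arguments, using `sanitiseQueryPart` only for column-name parts. The new message also echoes the rejected input verbatim; if it reaches an error page or a log, `"Query part contains forbidden characters"` without the value is the safer form. `String.strip()` requires Java 11 or later, which I assume the build targets.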
@@ -294,7 +294,7 @@
 bldr.append(ORDER_BY_NAME);
 }
 
- LAMSBaseDAO.sanitiseOrderBy(sortOrder);
+ LAMSBaseDAO.sanitiseQueryPart(sortOrder);
 bldr.append(sortOrder);
 
 NativeQuery query = getSession().createNativeQuery(bldr.toString());
@@ -493,10 +493,11 @@
 if (orderBy.equalsIgnoreCase("usage")) {
 queryBuilder = new StringBuilder(FIND_COLLECTION_QUESTIONS_BY_USAGE);
 } else {
+ LAMSBaseDAO.sanitiseQueryPart(orderBy);
 queryBuilder.append(" ORDER BY ").append(orderBy);
 }
 if (StringUtils.isNotBlank(orderDirection)) {
- LAMSBaseDAO.sanitiseOrderBy(orderDirection);
+ LAMSBaseDAO.sanitiseQueryPart(orderDirection);
 queryBuilder.append(" ").append(orderDirection);
 }
 }
Index: lams_gradebook/src/java/org/lamsfoundation/lams/gradebook/dao/hibernate/GradebookDAO.java
===================================================================
diff -u -rf7fae354123a6a697f51884253e0e8900c3bfcea -r3248d9808412f06775532829889bb22b76da3a9e
--- lams_gradebook/src/java/org/lamsfoundation/lams/gradebook/dao/hibernate/GradebookDAO.java (.../GradebookDAO.java) (revision f7fae354123a6a697f51884253e0e8900c3bfcea)
+++ lams_gradebook/src/java/org/lamsfoundation/lams/gradebook/dao/hibernate/GradebookDAO.java (.../GradebookDAO.java) (revision 3248d9808412f06775532829889bb22b76da3a9e)
@@ -270,7 +270,7 @@
 @Override
 public List getLessonsByGroupAndUser(final Integer userId, boolean staffOnly, final Integer orgId, int page, int size, String sortBy, String sortOrder, String searchString) {
- LAMSBaseDAO.sanitiseOrderBy(sortOrder);
+ LAMSBaseDAO.sanitiseQueryPart(sortOrder);
 final String LOAD_LESSONS_ORDERED_BY_FIELDS = "SELECT DISTINCT lesson " + "FROM Lesson lesson, LearningDesign ld, {0} Organisation lo "
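Review bot: The new `sanitiseQueryPart(orderBy)` call only guarantees that `orderBy` is a single `\w+` token, so a column that does not exist still reaches the database as a SQL error, and a qualified name such as `q.name` is now rejected; whether the UI ever sends such values is not visible here. A fixed map from the sort keys the UI may send to column expressions would be both tighter and more robust, e.g. `String column = ORDER_BY_COLUMNS.get(orderBy); if (column == null) { throw new IllegalArgumentException("Unknown sort column"); } queryBuilder.append(" ORDER BY ").append(column);` (the map name is a placeholder), and it removes the need to splice the request value into the query at all. The enclosing method begins outside the hunk.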
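Review bot: `sortBy` arrives through the same signature as `sortOrder` but only `sortOrder` is checked here; if `sortBy` is interpolated into `LOAD_LESSONS_ORDERED_BY_FIELDS` further down (the method body continues outside the hunk) it needs the same check or, better, an allow-list of sortable columns. The same applies to `getUsersByLesson`, `getUsersByActivity` and `getUsersByGroup` (@@ -339, -407, -468), which also take `sortBy`. If `sortBy` is instead only compared against fixed column names, a one-line comment at the check such as `// sortBy is mapped to fixed column names below; only sortOrder is spliced verbatim` would record that.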
@@ -339,7 +339,7 @@
 @Override
 public List getUsersByLesson(Long lessonId, int page, int size, String sortBy, String sortOrder, String searchString) {
- LAMSBaseDAO.sanitiseOrderBy(sortOrder);
+ LAMSBaseDAO.sanitiseQueryPart(sortOrder);
 final String LOAD_LEARNERS_ORDERED_BY_NAME = "SELECT DISTINCT user.* " + " FROM lams_lesson lesson, lams_group g, lams_user_group ug "
@@ -407,7 +407,7 @@
 @Override
 public List getUsersByActivity(Long lessonId, Long activityId, int page, int size, String sortBy, String sortOrder, String searchString) {
- LAMSBaseDAO.sanitiseOrderBy(sortOrder);
+ LAMSBaseDAO.sanitiseQueryPart(sortOrder);
 final String LOAD_LEARNERS_ORDERED_BY_NAME = "SELECT DISTINCT user.* " + " FROM lams_lesson lesson, lams_group g, lams_user_group ug "
@@ -468,7 +468,7 @@
 @Override
 public List getUsersByGroup(Long lessonId, Long activityId, Long groupId, int page, int size, String sortBy, String sortOrder, String searchString) {
- LAMSBaseDAO.sanitiseOrderBy(sortOrder);
+ LAMSBaseDAO.sanitiseQueryPart(sortOrder);
 final String LOAD_LEARNERS_ORDERED_BY_NAME = "SELECT DISTINCT user.* " + " FROM lams_user_group ug " + " INNER JOIN lams_user user ON ug.user_id=user.user_id " + " WHERE ug.group_id=:groupId "
@@ -537,7 +537,7 @@
 */
 public List getUsersFromOrganisation(Integer orgId, int page, int size, String sortOrder, String searchString) {
- LAMSBaseDAO.sanitiseOrderBy(sortOrder);
+ LAMSBaseDAO.sanitiseQueryPart(sortOrder);
 final String LOAD_LEARNERS_BY_ORG = "SELECT uo.user FROM UserOrganisation uo" + " WHERE uo.organisation.organisationId=:orgId"
Index: lams_tool_assessment/src/java/org/lamsfoundation/lams/tool/assessment/dao/hibernate/AssessmentUserDAOHibernate.java
===================================================================
diff -u -rf7fae354123a6a697f51884253e0e8900c3bfcea -r3248d9808412f06775532829889bb22b76da3a9e
--- lams_tool_assessment/src/java/org/lamsfoundation/lams/tool/assessment/dao/hibernate/AssessmentUserDAOHibernate.java (.../AssessmentUserDAOHibernate.java) (revision f7fae354123a6a697f51884253e0e8900c3bfcea)
+++ lams_tool_assessment/src/java/org/lamsfoundation/lams/tool/assessment/dao/hibernate/AssessmentUserDAOHibernate.java (.../AssessmentUserDAOHibernate.java) (revision 3248d9808412f06775532829889bb22b76da3a9e)
@@ -132,7 +132,7 @@
 bldr.append(LOAD_USERS_ORDERED_ORDER_BY_NAME);
 }
 
- LAMSBaseDAO.sanitiseOrderBy(sortOrder);
+ LAMSBaseDAO.sanitiseQueryPart(sortOrder);
 bldr.append(sortOrder);
 
 NativeQuery query = getSession().createNativeQuery(bldr.toString());
@@ -237,7 +237,7 @@
 bldr.append(LOAD_USERS_ORDERED_ORDER_BY_NAME);
 }
 
- LAMSBaseDAO.sanitiseOrderBy(sortOrder);
+ LAMSBaseDAO.sanitiseQueryPart(sortOrder);
 bldr.append(sortOrder);
 
 NativeQuery query = getSession().createNativeQuery(bldr.toString());