Spring Data REST #13373
Spring Data REST #13373
Conversation
ghost
added
area/core
area/dependencies
|
The quickstart PR quarkusio/quarkus-quickstarts#714 |
...ain/java/io/quarkus/rest/data/panache/deployment/properties/ResourcePropertiesBuildItem.java
Show resolved
Hide resolved
| getRepositoriesToImplement(index, PAGING_AND_SORTING_REPOSITORY_INTERFACE, JPA_REPOSITORY_INTERFACE)); | ||
| } | ||
|
|
||
| private void implementResources(BuildProducer<GeneratedBeanBuildItem> implementationsProducer, |
There was a problem hiding this comment.
I'd like to have a comment on this method describing what steps it performs and why they are needed
ghost
added
the
area/infra-automation
gytis
force-pushed
the
spring-data-rest
branch
2 times, most recently
from
6b8eed6 to
fe0fc4d
Compare
|
Mind rebasing onto master to pick up some CI fixes? |
gytis
force-pushed
the
spring-data-rest
branch
from
fe0fc4d to
889f9d3
Compare
|
Done |
geoand
added
the
triage/waiting-for-ci
|
Seems like there is a compilation failure now |
|
Also, it would be best to rebase onto master again, as there were more changes that should make CI happier. Thanks |
| <dependency><!-- TODO create Quarkus Spring Data REST API jar --> | ||
| <groupId>org.springframework.data</groupId> | ||
| <artifactId>spring-data-rest-core</artifactId> | ||
| <version>3.3.0.RELEASE</version> |
There was a problem hiding this comment.
This should be in the BOM once you have created the artifact.
extensions/spring-data-rest/runtime/src/main/resources/META-INF/quarkus-extension.yaml
Show resolved
Hide resolved
|
|
||
| ResultHandle page = methodCreator.getMethodParam(0); | ||
| ResultHandle sort = methodCreator.getMethodParam(1); | ||
| ResultHandle pageable = toPageable(methodCreator, page, sort); |
There was a problem hiding this comment.
Given we are taking the sort parameter from the REST URL, can we check it's not sensitive to SQL injections?
There was a problem hiding this comment.
Here page and sort are already io.quarkus.panache.common.Page and io.quarkus.panache.common.Sort. They're instantiated from the query parameters by rest-data-panache extension.
This extension (same as Hibernate and MongoDB Data REST alternatives) handle only data access logic. JAX-RS resource is handled in the same way for all of them by the rest-data-panache.
There was a problem hiding this comment.
I disagree with that.
Your extension makes it visible and applies absolutely no checks on the content coming from the URL. It's different when it's just Panache API, people can do their own checks.
So we need to check it's not sensitive to SQL injections otherwise you have a big security risk.
There was a problem hiding this comment.
I'm not saying that it shouldn't be checked. I'm saying that this is not the place to do it. This extension does not handle the JAX-RS logic. It only implements user defined interface that extends https://github.com/quarkusio/quarkus/blob/master/extensions/panache/rest-data-panache/runtime/src/main/java/io/quarkus/rest/data/panache/RestDataResource.java.
rest-data-panache generates the JAX-RS resource and then calls spring-data-rest generated method for data access. So these two page and sort parameters are already instances of io.quarkus.panache.common.Page and io.quarkus.panache.common.Sort.
If we need to add query parameter validation we need to add it here https://github.com/quarkusio/quarkus/blob/master/extensions/panache/rest-data-panache/deployment/src/main/java/io/quarkus/rest/data/panache/deployment/methods/ListMethodImplementor.java#L104. However, wouldn't Panache Query builder escape all the query parameters automatically?
There was a problem hiding this comment.
I'm not saying that it shouldn't be checked. I'm saying that this is not the place to do it.
Well, I haven't really reviewed the other extension so I see it now for this one. I still think this should carefully be addressed.
However, wouldn't Panache Query builder escape all the query parameters automatically?
It didn't a while ago. That's why I think we should check if it's safe or not.
There was a problem hiding this comment.
@FroMage maybe you know how unsafe it is to pass arbitrary parameters to the Panache Sort object? Are they somehow parsed down the line by Panache or Hibernate/Mongo? If this is unsafe, do you have a recommendation on what type of validation is needed?
In any case, I don't think that this issue should holdup this PR. If the validation has to be added, it will be added to the rest-data-panache extension.
There was a problem hiding this comment.
It's indeed unsafe because we end up generating an HQL query in PanacheJpaUtil.toOrderBy (not sure about Mongo but probably it is too).
Indeed the check really belongs in the REST layer as you say, especially wrt error handling. As to what you can check, here's what HQL allows:
orderByClause
// todo (6.0) : null precedence
: ORDER BY sortSpecification (COMMA sortSpecification)*
;
sortSpecification
: expression collationSpecification? orderingSpecification?
;
collationSpecification
: COLLATE collateName
;
collateName
: dotIdentifierSequence
;
orderingSpecification
: ASC
| DESC
;
expression is particularly nasty because it's pretty much a free for all.
OTOH if your REST API specifies that the supported set of sort options is limited, then you can probably limit it to:
IDENTIFIER
: ('a'..'z'|'A'..'Z'|'_'|'$'|'\u0080'..'\ufffe')('a'..'z'|'A'..'Z'|'_'|'$'|'0'..'9'|'\u0080'..'\ufffe')*
HTH :)
There was a problem hiding this comment.
BTW, all this is from the panacheql extension, you have the lexer and parser files there with all the info you need ;)
There was a problem hiding this comment.
Thanks @FroMage, this is very helpful. I'll add a query parameter validator to the rest-data-extension and will raise a new PR with it.
There was a problem hiding this comment.
I've created a separate pull request to add a sort parameter validation #13514
gytis
force-pushed
the
spring-data-rest
branch
3 times, most recently
from
1e017ce to
16a005d
Compare
|
CI is reporting some NPEs |
Seems that the problem is with |
|
Seems that the method is not available in Java 8. I'll replace it. |
gytis
force-pushed
the
spring-data-rest
branch
from
16a005d to
7579a10
Compare
|
Minimised API JAR PR quarkusio/quarkus-spring-data-api#5 |
|
@gytis you haven't taken into account all my review comments (probably because some are hidden by GH by default). Could you adjust? |
|
@gsmet you're right, I didn't see them. Thanks! |
gytis
force-pushed
the
spring-data-rest
branch
from
da7e56b to
ed784d1
Compare
gytis
force-pushed
the
spring-data-rest
branch
from
ed784d1 to
e29b917
Compare
gytis
force-pushed
the
spring-data-rest
branch
from
e29b917 to
d6d5200
Compare
|
Merged, thanks! |
cc @geoand