Thanks to Deepak with "Workflow run "CodeQL" failed!" (OFBIZ-13260) this is
fixed :)
As expected was a CodeQL bug.
Jacques
Le 31/12/2024 à 10:24, Jacques Le Roux a écrit :
I checked the warnings at
https://github.com/apache/ofbiz-framework/actions/runs/12549445963
we are up to date
Jaques
Le 30/12/2024 à 17:56, GitBox a écrit :
The GitHub Actions job "CodeQL" on ofbiz-framework.git has failed.
Run started by GitHub user nmalin (triggered by nmalin).
Head commit for run:
390a70356ab7d148bc7f647e50994d38ee15eb22 / Nicolas Malin
<nicolas.ma...@nereide.fr>
Improved: Improve validation method on service parameter (OFBIZ-13197)
Since the Remote Code Execution (File Upload) Vulnerability fixed by OFBIZ-11948, the class GroovyBaseScript.groovy contains a dependency with a
service definition 'createAnonFile' to control the security.
This solution works but break the dependency between each component and the
mandatory for a service to protect it himself.
Normally a service can secure each parameter with element type-validate unfortunately, this element can call only method with one parameter. In
your case the method to validate a file upload need to have the delegator.
To solve it, we improve the element type-validate to analyze the method call for validate the attribute value and pass the delegator or dispatcher
if it detected.
Like this we can move the code present on GroovyBaseScript to the service definition and offer the possibility to create more complex validate
method for custom site.
Report URL: https://github.com/apache/ofbiz-framework/actions/runs/12549445963
With regards,
GitHub Actions via GitBox
