Dpk376 opened a new pull request, #6052: URL: https://github.com/apache/fineract/pull/6052
## Description

Closes [FINERACT-2662](https://issues.apache.org/jira/browse/FINERACT-2662)

`GET /api/v1/offices` concatenated the `orderBy` query parameter into an `ORDER BY` clause after only a blacklist-based `ColumnValidator.validateSqlInjection()` check. Payloads that avoid the operator/keyword patterns (e.g. boolean-based `CASE WHEN` expressions) slip through, reaching SQL execution.

## Changes

Mirrors the approach merged for the Client search endpoint in FINERACT-2650:

- **Allowlist validation:** `OfficeReadPlatformServiceImpl` now validates `orderBy` via `InputValidator.validate("office-order-by", ...)` against a strict column-name allowlist (`id, name, nameDecorated, externalId, openingDate, hierarchy, parentId, parentName`).
- **sortOrder:** restricted to `ASC`/`DESC` (case-insensitive), else `InputValidationException`.
- **Config:** added `office-order-by-strict` pattern + `office-order-by` profile in `application.properties`.
- **Wiring:** `OrganisationOfficeConfiguration` injects `InputValidator` (the now-unused `ColumnValidator` dependency removed from this service).

## Tests

New `OfficeSearchTest` integration test with 10 cases: SQL-injection PoC, substring-bypass, case mismatch, snake_case column, comma-separated list, SQL keyword, sortOrder injection/arbitrary value, blank orderBy, and all 8 valid columns.

## Checklist

- [x] `:fineract-provider:compileJava` passes
- [x] `:integration-tests:compileTestJava` passes
- [x] spotless clean
- [x] Follows the existing FINERACT-2650 pattern

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
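The contrast the PR describes, a keyword blacklist that lets a non-column expression reach `ORDER BY` versus an exact column-name allowlist plus an `ASC`/`DESC` check, as an added stand-alone example. This is not Fineract's `ColumnValidator` or `InputValidator` code; the `BLACKLIST` pattern, the class and method names, and the sample inputs are constructed here for illustration, while the column list and the `ASC`/`DESC` rule follow the PR description.

```java
import java.util.Set;
import java.util.regex.Pattern;

// Added example (not Fineract's own validator code): shows why a blacklist check on
// an ORDER BY parameter is insufficient and what a strict allowlist looks like.
public final class OrderByValidationExample {

    // Constructed stand-in for a blacklist: rejects a handful of SQL operators/keywords.
    // Anything that avoids these patterns passes, which is the weakness described in the PR.
    private static final Pattern BLACKLIST = Pattern.compile(
            "(?i)(;|--|/\\*|\\bunion\\b|\\bselect\\b|\\bdrop\\b|\\bor\\b|\\band\\b|=|<|>)");

    // Allowlist of sortable office columns, as listed in the PR description.
    private static final Set<String> OFFICE_ORDER_BY_COLUMNS = Set.of(
            "id", "name", "nameDecorated", "externalId", "openingDate",
            "hierarchy", "parentId", "parentName");

    private static final Set<String> SORT_ORDERS = Set.of("ASC", "DESC");

    /** Blacklist approach: accepts any value that does not match a known-bad pattern. */
    public static boolean passesBlacklist(String orderBy) {
        return orderBy != null && !BLACKLIST.matcher(orderBy).find();
    }

    /** Allowlist approach: exact, case-sensitive match against the column names only. */
    public static boolean isAllowedOrderBy(String orderBy) {
        return orderBy != null && OFFICE_ORDER_BY_COLUMNS.contains(orderBy);
    }

    /** sortOrder must be ASC or DESC, compared case-insensitively. */
    public static boolean isAllowedSortOrder(String sortOrder) {
        return sortOrder != null && SORT_ORDERS.contains(sortOrder.trim().toUpperCase());
    }

    /** Builds the ORDER BY fragment only from values that passed the allowlist checks. */
    public static String orderByClause(String orderBy, String sortOrder) {
        if (!isAllowedOrderBy(orderBy)) {
            throw new IllegalArgumentException("orderBy not in allowlist: " + orderBy);
        }
        if (!isAllowedSortOrder(sortOrder)) {
            throw new IllegalArgumentException("sortOrder must be ASC or DESC: " + sortOrder);
        }
        // Both values are now known-good literals, so concatenation is safe here.
        return " ORDER BY " + orderBy + " " + sortOrder.trim().toUpperCase();
    }

    public static void main(String[] args) {
        // Constructed inputs mirroring the categories named in the PR's test list.
        String[] inputs = {
            "name",                                              // valid column
            "NAME",                                              // case mismatch
            "opening_date",                                      // snake_case column
            "id, name",                                          // comma-separated list
            "CASE WHEN hierarchy IS NULL THEN name ELSE id END", // boolean CASE WHEN expression
            "",                                                  // blank orderBy
        };
        for (String in : inputs) {
            System.out.printf("%-52s blacklist=%-5s allowlist=%s%n",
                    "\"" + in + "\"", passesBlacklist(in), isAllowedOrderBy(in));
        }
        // The CASE WHEN expression contains none of the blacklisted tokens, so the
        // blacklist lets it through; the allowlist rejects everything except "name".

        System.out.println(orderByClause("name", "desc"));   // " ORDER BY name DESC"
        try {
            orderByClause("name", "DESC, id");                 // sortOrder injection attempt
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The design point is that the allowlist never inspects the input for bad characters; it only asks whether the value is one of a closed set of known column names, so there is no pattern left to evade. Normalising `sortOrder` to upper case before the check reproduces the case-insensitive `ASC`/`DESC` rule without admitting anything else.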
