Description

      Hi,

While going over the code, I noticed that you use string construction for JSON requests to Gerrit.

This is highly risky, as users may put special characters within the variables and alter the request to gain access to other functionality the user is authorized to. For example, message="\", something=\"xxx" will add 'something' to the JSON as its own field.

The code must be refactored to use Jackson or any JSON serialization that handles proper escaping.

Jackson supports POJOs and serializes them into JSON; the POJO can be a simple Map<String, Object> if you do not want to have a POJO per use case. Then use mapper.writeValueAsString(pojo) to construct the JSON.

      import com.fasterxml.jackson.annotation.JsonInclude;
      import com.fasterxml.jackson.annotation.JsonProperty;
      import com.fasterxml.jackson.databind.ObjectMapper;

      @JsonInclude(JsonInclude.Include.NON_NULL) // null fields are left out of the output
      class C {
          @JsonProperty
          String property1;
          @JsonProperty
          String property2;
      }

      ObjectMapper mapper = new ObjectMapper();
      C c1 = new C();
      c1.property1 = "value1";
      String json = mapper.writeValueAsString(c1); // request: {"property1":"value1"}
      C c2 = mapper.readValue(json, C.class);      // response
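As an added illustration (not code from this issue or from the plugin), the following puts the string-concatenation pattern the report objects to next to the Jackson Map form it recommends, and parses both results back to show the difference. The class name, the two helper methods and the input string are constructed for this demo and are not taken from the plugin.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical demo class; not part of the plugin.
public class ReviewPayloadDemo {

    private static final ObjectMapper MAPPER = new ObjectMapper();

    // The pattern the issue objects to: a user-controlled value is pasted straight
    // into the JSON text, so a quote inside it changes the document structure.
    static String buildByConcatenation(String message) {
        return "{\"message\": \"" + message + "\"}";
    }

    // Recommended form: serialize a Map and let Jackson escape quotes,
    // backslashes and control characters in the value.
    static String buildWithJackson(String message) throws JsonProcessingException {
        Map<String, Object> body = new LinkedHashMap<>();
        body.put("message", message);
        return MAPPER.writeValueAsString(body);
    }

    public static void main(String[] args) throws Exception {
        // Constructed input with the same shape as the example in the issue text.
        String hostile = "\", \"something\": \"xxx";

        String naive = buildByConcatenation(hostile);
        JsonNode naiveTree = MAPPER.readTree(naive);
        System.out.println("concatenated : " + naive);
        // Parses as two fields: "message" (now empty) and the injected "something".
        System.out.println("field count  : " + naiveTree.size());

        String safe = buildWithJackson(hostile);
        JsonNode safeTree = MAPPER.readTree(safe);
        System.out.println("jackson      : " + safe);
        // Parses as a single "message" field whose value is the original string, quotes included.
        System.out.println("field count  : " + safeTree.size());
        System.out.println("message value: " + safeTree.get("message").asText());
    }
}
```

Reading the result back with readTree and counting fields is a cheap check to keep in a unit test: the Jackson-built body always has exactly the keys you put in the Map, whatever the value contains.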


          Activity

Alon Bar-Lev (alonbl) added a comment:

There is no need to use custom serialization, as the Gerrit API is perfectly capable of doing everything.

lucamilanesio added a comment:

          Yes, I agree in using the Gerrit API (REST Client API layer).


People

  Assignee: lucamilanesio
  Reporter: Alon Bar-Lev (alonbl)