[midPoint-git] [Evolveum/midpoint] 4fa177: Fix guessable work item ID weakness (MID-5291)

mederly noreply at github.com
Thu Apr 18 10:37:16 CEST 2019


  Branch: refs/heads/support-3.6
  Home:   https://github.com/Evolveum/midpoint
  Commit: 4fa1771a3dd071303b819a4d0595869cb5d18d1b
      https://github.com/Evolveum/midpoint/commit/4fa1771a3dd071303b819a4d0595869cb5d18d1b
  Author: Pavol Mederly <mederly at evolveum.com>
  Date:   2019-04-18 (Thu, 18 Apr 2019)

  Changed paths:
    M gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/wf/WorkItemsPanel.java
    M gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/workflow/PageWorkItem.java
    A gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/workflow/dto/ProtectedWorkItemId.java

  Log Message:
  -----------
  Fix guessable work item ID weakness (MID-5291)

In addition to the work item number we expect and check a SHA256 hash
of some parts of the work item. The attacker does not know them,
so he is unable to create/guess the respective URL.
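The scheme the commit message describes, shown as an added, self-contained illustration that is not midPoint's own code: a sequential work item number is combined with a SHA-256 digest over fields an outsider cannot know, and the server recomputes and compares that digest before resolving the item. The sample repository, the field names (oid, created, assignee) and the "number:hexdigest" link format are assumptions made for this example, not the project's schema or the format used in ProtectedWorkItemId.java.

```python
"""Hash-protected work item identifiers (added illustration, not midPoint code)."""
import hashlib
import hmac
from typing import List, Optional

# Constructed sample repository. Field names (oid, created, assignee) are
# assumptions for this example, not midPoint's schema.
WORK_ITEMS = {
    1: {"oid": "c1f0b2e4-4a3d-4a58-9c6e-3d1f9a7b0c11", "created": "2019-04-18T08:15:02Z", "assignee": "jack"},
    2: {"oid": "7e9d44a0-12b7-4ff0-8e72-5b0c6d1e2f33", "created": "2019-04-18T08:16:40Z", "assignee": "barbossa"},
    3: {"oid": "0b5a6c7d-8e9f-4011-a223-b4c5d6e7f899", "created": "2019-04-18T08:20:11Z", "assignee": "elaine"},
}


def lookup_unprotected(raw_id: str) -> Optional[dict]:
    """The weak scheme: the URL carries only the sequential number, so
    anyone can walk 1, 2, 3, ... and reach every work item."""
    try:
        return WORK_ITEMS.get(int(raw_id))
    except ValueError:
        return None


def _digest(item_id: int, item: dict) -> str:
    """SHA-256 over the number plus fields an outsider cannot know (here the
    object OID and creation timestamp). An explicit separator keeps different
    field values from colliding when concatenated."""
    material = "\x1f".join([str(item_id), item["oid"], item["created"]])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def protected_id(item_id: int) -> str:
    """Build the identifier placed in links: '<number>:<sha256 hex>'."""
    return f"{item_id}:{_digest(item_id, WORK_ITEMS[item_id])}"


def lookup_protected(raw_id: str) -> Optional[dict]:
    """Resolve a protected identifier; returns None for any malformed,
    unknown or tampered value, through one code path for all failures."""
    number, sep, presented = raw_id.partition(":")
    if not sep or not number.isdigit() or len(presented) != 64:
        return None
    item_id = int(number)
    item = WORK_ITEMS.get(item_id)
    if item is None:
        return None
    expected = _digest(item_id, item)
    # Constant-time comparison so response timing does not leak digest prefixes.
    if not hmac.compare_digest(expected, presented):
        return None
    return item


def enumerate_ids(lookup, limit: int = 10) -> List[int]:
    """Count how many items a caller who only guesses numbers can reach."""
    return [n for n in range(1, limit + 1) if lookup(str(n)) is not None]


if __name__ == "__main__":
    print("guessing numbers against the unprotected lookup reaches:", enumerate_ids(lookup_unprotected))
    print("guessing numbers against the protected lookup reaches:", enumerate_ids(lookup_protected))
    link = protected_id(2)
    print("valid link:", link, "->", lookup_protected(link)["assignee"])
    tampered = "1:" + link.split(":")[1]
    print("digest moved to another number ->", lookup_protected(tampered))
```

The protection is only as strong as the unpredictability of the hashed fields: if those parts can be learned or guessed (a short timestamp range, a value shown elsewhere in the UI), the digest can be recomputed. Keying the digest with a server-side secret (an HMAC) removes that dependence, and the verification path above stays the same apart from the digest function. Returning None for every failure, whether malformed, unknown or mismatched, keeps the endpoint from confirming which numbers exist.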


  Commit: 6320d50133752f1f0ed43b775d8ab15f27cd8908
      https://github.com/Evolveum/midpoint/commit/6320d50133752f1f0ed43b775d8ab15f27cd8908
  Author: Pavol Mederly <mederly at evolveum.com>
  Date:   2019-04-18 (Thu, 18 Apr 2019)

  Changed paths:
    M infra/common/src/main/java/com/evolveum/midpoint/common/validator/Validator.java
    M infra/prism/src/main/java/com/evolveum/midpoint/prism/lex/dom/DomLexicalProcessor.java
    M infra/prism/src/main/java/com/evolveum/midpoint/prism/schema/SchemaToDomProcessor.java
    M infra/prism/src/test/java/com/evolveum/midpoint/prism/TestPrismParsingXml.java
    A infra/prism/src/test/resources/common/xml/user-jack-xxe.xml
    M infra/schema/src/main/java/com/evolveum/midpoint/schema/SearchResultList.java
    M infra/schema/src/main/java/com/evolveum/midpoint/schema/SearchResultMetadata.java
    M infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ObjectQueryUtil.java
    M infra/util/src/main/java/com/evolveum/midpoint/util/DOMUtil.java
    M model/model-api/src/main/java/com/evolveum/midpoint/model/api/ModelService.java
    M model/model-client/src/main/java/com/evolveum/midpoint/model/client/ModelClientUtil.java
    M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelController.java
    M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/expr/OrgStructFunctionsImpl.java
    M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java
    M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/orgstruct/TestOrgStruct.java
    M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/AbstractSecurityTest.java
    M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityAdvanced.java
    M model/model-intest/src/test/resources/logback-test.xml
    A model/model-intest/src/test/resources/orgstruct/resource-dummy-orgtarget.xml
    A model/model-intest/src/test/resources/orgstruct/role-end-pirate.xml
    A model/model-intest/src/test/resources/security/role-read-org-exec.xml
    M repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/AbstractIntegrationTest.java
    M repo/security-impl/src/main/java/com/evolveum/midpoint/security/impl/SecurityEnforcerImpl.java
    M testing/story/src/test/java/com/evolveum/midpoint/testing/story/AbstractStoryTest.java
    M testing/story/src/test/java/com/evolveum/midpoint/testing/story/TestNullAttribute.java
    R testing/story/src/test/java/com/evolveum/midpoint/testing/story/TestUuid.java
    A testing/story/src/test/java/com/evolveum/midpoint/testing/story/uuid/AbstractUuidTest.java
    A testing/story/src/test/java/com/evolveum/midpoint/testing/story/uuid/TestUuidClient.java
    A testing/story/src/test/java/com/evolveum/midpoint/testing/story/uuid/TestUuidExtension.java
    A testing/story/src/test/resources/uuid/resource-opendj-client.xml
    A testing/story/src/test/resources/uuid/resource-opendj-extension.xml
    R testing/story/src/test/resources/uuid/resource-opendj.xml
    A testing/story/src/test/resources/uuid/role-employee.xml
    A testing/story/src/test/resources/uuid/system-configuration-client.xml
    A testing/story/src/test/resources/uuid/system-configuration-extension.xml
    R testing/story/src/test/resources/uuid/system-configuration.xml
    M testing/story/testng-integration.xml

  Log Message:
  -----------
  Merge remote-tracking branch 'origin/support-3.6' into support-3.6


Compare: https://github.com/Evolveum/midpoint/compare/dd00e848886f...6320d5013375

