From 370badf9d327a1977199fddc274d89c7f22b2a4d Mon Sep 17 00:00:00 2001
From: Kamidu Sachith
Date: Thu, 28 Jan 2016 18:58:24 +0530
Subject: [PATCH 1/2] Preventing infromation leakage

---
 .../mgt/core/dao/impl/AbstractDeviceDAOImpl.java | 15 +++++++++------
 .../mgt/core/dao/impl/ApplicationDAOImpl.java | 5 +++--
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/dao/impl/AbstractDeviceDAOImpl.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/dao/impl/AbstractDeviceDAOImpl.java
index a41b2c8054..5b9fe78f4b 100644
--- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/dao/impl/AbstractDeviceDAOImpl.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/dao/impl/AbstractDeviceDAOImpl.java
@@ -299,6 +299,7 @@ public abstract class AbstractDeviceDAOImpl implements DeviceDAO {
     public List getDevicesOfUser(String username, int tenantId) throws DeviceManagementDAOException {
         Connection conn;
         PreparedStatement stmt = null;
+        ResultSet rs = null;
         List devices = new ArrayList<>();
         try {
             conn = this.getConnection();
@@ -311,7 +312,7 @@ public abstract class AbstractDeviceDAOImpl implements DeviceDAO {
             stmt = conn.prepareStatement(sql);
             stmt.setInt(1, tenantId);
             stmt.setString(2, username);
-            ResultSet rs = stmt.executeQuery();
+            rs = stmt.executeQuery();
 
             while (rs.next()) {
                 Device device = DeviceManagementDAOUtil.loadDevice(rs);
@@ -321,7 +322,7 @@ public abstract class AbstractDeviceDAOImpl implements DeviceDAO {
             throw new DeviceManagementDAOException("Error occurred while fetching the list of devices belongs to '" +
                     username + "'", e);
         } finally {
-            DeviceManagementDAOUtil.cleanupResources(stmt, null);
+            DeviceManagementDAOUtil.cleanupResources(stmt, rs);
         }
         return devices;
     }
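Review bot: Closing the ResultSet in the `@@ -321` hunk fixes a resource leak, but the `DeviceManagementDAOException` thrown there still carries the raw `SQLException` as its cause and interpolates `username` into the message, so if this exception is ever converted to an API response without filtering, the driver's error text (which can name tables and columns) reaches the caller. I would keep the cause for server-side logging and make sure the layer that turns this exception into a response emits a generic message; I cannot see that layer here, so treat this as a check rather than a confirmed defect. The subject's "infromation leakage" also looks like a typo, and since the change closes a `ResultSet` in `finally`, "resource leak" describes it more accurately. `getDevicesOfUser` starts in the `@@ -299` hunk, but its `catch` clause opens outside the `@@ -321` hunk.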
@@ -594,6 +595,7 @@ public abstract class AbstractDeviceDAOImpl implements DeviceDAO {
         Connection conn;
         PreparedStatement stmt = null;
         List devices = new ArrayList<>();
+        ResultSet rs = null;
         try {
             conn = this.getConnection();
             String sql = "SELECT d1.ID AS DEVICE_ID, d1.DESCRIPTION, d1.NAME AS DEVICE_NAME, d1.DEVICE_TYPE, " +
@@ -606,7 +608,7 @@ public abstract class AbstractDeviceDAOImpl implements DeviceDAO {
             stmt.setString(1, deviceName + "%");
             stmt.setInt(2, tenantId);
             stmt.setInt(3, tenantId);
-            ResultSet rs = stmt.executeQuery();
+            rs = stmt.executeQuery();
 
             while (rs.next()) {
                 Device device = DeviceManagementDAOUtil.loadDevice(rs);
@@ -616,7 +618,7 @@ public abstract class AbstractDeviceDAOImpl implements DeviceDAO {
             throw new DeviceManagementDAOException("Error occurred while fetching the list of devices that matches " +
                     "'" + deviceName + "'", e);
         } finally {
-            DeviceManagementDAOUtil.cleanupResources(stmt, null);
+            DeviceManagementDAOUtil.cleanupResources(stmt, rs);
         }
         return devices;
     }
@@ -823,6 +825,7 @@ public abstract class AbstractDeviceDAOImpl implements DeviceDAO {
             throws DeviceManagementDAOException {
         Connection conn;
         PreparedStatement stmt = null;
+        ResultSet rs = null;
         List devices = new ArrayList<>();
         try {
             conn = this.getConnection();
@@ -836,7 +839,7 @@ public abstract class AbstractDeviceDAOImpl implements DeviceDAO {
             stmt.setInt(1, tenantId);
             stmt.setString(2, status.toString());
             stmt.setInt(3, tenantId);
-            ResultSet rs = stmt.executeQuery();
+            rs = stmt.executeQuery();
 
             while (rs.next()) {
                 Device device = DeviceManagementDAOUtil.loadDevice(rs);
@@ -846,7 +849,7 @@ public abstract class AbstractDeviceDAOImpl implements DeviceDAO {
             throw new DeviceManagementDAOException("Error occurred while fetching the list of devices that matches to status " +
                     "'" + status + "'", e);
         } finally {
-            DeviceManagementDAOUtil.cleanupResources(stmt, null);
+            DeviceManagementDAOUtil.cleanupResources(stmt, rs);
         }
         return devices;
     }
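Review bot: In the `@@ -594` hunk the new `ResultSet rs = null;` is placed after `List devices`, whereas the `@@ -299` and `@@ -823` hunks of the same commit put it directly after `PreparedStatement stmt = null;`. Keeping the three JDBC handles together in every method (`Connection conn;`, `PreparedStatement stmt = null;`, `ResultSet rs = null;`) makes the open/cleanup pairing easier to audit, which is the whole point of this commit. The method's signature lies above this hunk, so I cannot confirm its name from here.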
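Review bot: `stmt.setString(1, deviceName + "%");` in the `@@ -606` hunk binds `deviceName` as a `LIKE` pattern without escaping, so a `%` or `_` inside the name widens the match beyond the intended prefix; the parameter binding rules out SQL injection, but the query is meant as a prefix search. Escape `%`, `_` and the chosen escape character in `deviceName` before appending `"%"`, and add a matching `ESCAPE` clause to the SQL (only its first line is visible in the `@@ -594` hunk), or document that callers must pass an already-escaped prefix. The method's signature and the rest of the SQL string are outside these hunks.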
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/dao/impl/ApplicationDAOImpl.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/dao/impl/ApplicationDAOImpl.java index 290ddacf1f..e20f152933 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/dao/impl/ApplicationDAOImpl.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/dao/impl/ApplicationDAOImpl.java @@ -234,6 +234,7 @@ public class ApplicationDAOImpl implements ApplicationDAO { PreparedStatement stmt = null; List applications = new ArrayList<>(); Application application; + ResultSet rs = null; try { conn = this.getConnection(); stmt = conn.prepareStatement("Select ID, NAME, APP_IDENTIFIER, PLATFORM, CATEGORY, VERSION, TYPE, " + @@ -244,7 +245,7 @@ public class ApplicationDAOImpl implements ApplicationDAO { "app.ID = APPMAP.APPLICATION_ID "); stmt.setInt(1, deviceId); - ResultSet rs = stmt.executeQuery(); + rs = stmt.executeQuery(); while (rs.next()) { application = loadApplication(rs); @@ -254,7 +255,7 @@ public class ApplicationDAOImpl implements ApplicationDAO { throw new DeviceManagementDAOException("SQL Error occurred while retrieving the list of Applications " + "installed in device id '" + deviceId, e); } finally { - DeviceManagementDAOUtil.cleanupResources(stmt, null); + DeviceManagementDAOUtil.cleanupResources(stmt, rs); } return applications; } From dda94437ee1a88f5328906606ea3da642c1c30f3 Mon Sep 17 00:00:00 2001 From: Kamidu Sachith Date: Thu, 28 Jan 2016 18:58:40 +0530 Subject: [PATCH 2/2] code clean up and refactoring --- .../oauth/validator/impl/ExternalOAuthValidator.java | 2 +- .../backend/oauth/validator/impl/LocalOAuthValidator.java | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) 
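Review bot: The error message in the `@@ -254` hunk opens a quote around the device id but never closes it — `"installed in device id '" + deviceId, e);` — so the rendered text ends with a dangling `'`; the line should read `"installed in device id '" + deviceId + "'", e);`. The `rs` hoisting in the `@@ -234` and `@@ -244` hunks is correct, and the same caveat applies here as in `AbstractDeviceDAOImpl`: the wrapped `SQLException` is kept as the cause, so whatever converts `DeviceManagementDAOException` into a response must not forward the driver's message verbatim. The method's signature sits above the `@@ -234` hunk.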
diff --git a/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/impl/ExternalOAuthValidator.java b/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/impl/ExternalOAuthValidator.java
index 05f1579fa0..c3d246bb16 100755
--- a/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/impl/ExternalOAuthValidator.java
+++ b/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/impl/ExternalOAuthValidator.java
@@ -79,7 +79,7 @@ public class ExternalOAuthValidator implements OAuth2TokenValidator{
         boolean isValid = tokenValidationResponse.getValid();
         String userName = null;
         String tenantDomain = null;
-        if(isValid){
+        if (isValid) {
             userName = MultitenantUtils.getTenantAwareUsername(
                     tokenValidationResponse.getAuthorizedUser());
             tenantDomain = MultitenantUtils.
diff --git a/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/impl/LocalOAuthValidator.java b/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/impl/LocalOAuthValidator.java
index 17243ed411..4182917f30 100755
--- a/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/impl/LocalOAuthValidator.java
+++ b/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/impl/LocalOAuthValidator.java
@@ -44,17 +44,17 @@ public class LocalOAuthValidator implements OAuth2TokenValidator { accessToken.setTokenType(OauthAuthenticatorConstants.BEARER_TOKEN_TYPE); accessToken.setIdentifier(token); validationRequest.setAccessToken(accessToken); - OAuth2TokenValidationResponseDTO tokenValidationResponse = OAuthAuthenticatorDataHolder.getInstance(). + OAuth2TokenValidationResponseDTO tokenValidationResponse = OAuthAuthenticatorDataHolder.getInstance(). getOAuth2TokenValidationService().findOAuthConsumerIfTokenIsValid(validationRequest).getAccessTokenValidationResponse(); boolean isValid = tokenValidationResponse.isValid(); String userName = null; String tenantDomain = null; - if(isValid){ + if (isValid) { userName = MultitenantUtils.getTenantAwareUsername( tokenValidationResponse.getAuthorizedUser()); tenantDomain = MultitenantUtils.getTenantDomain(tokenValidationResponse.getAuthorizedUser()); } - return new OAuthValidationResponse(userName,tenantDomain,isValid); + return new OAuthValidationResponse(userName, tenantDomain, isValid); } }