From 1a0effda3ba9323aca89bb8df63bb0351c73459e Mon Sep 17 00:00:00 2001
From: Roly Rudy Gutierrez Pinto
Date: Wed, 5 May 2021 17:55:20 -0400
Subject: [PATCH 1/3] PMCORE-1225 execute-query-blacklist.ini not working according to the documentation

---
 workflow/engine/src/ProcessMaker/Validation/SqlBlacklist.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/workflow/engine/src/ProcessMaker/Validation/SqlBlacklist.php b/workflow/engine/src/ProcessMaker/Validation/SqlBlacklist.php
index 6ebd17a96..8f3a550e7 100644
--- a/workflow/engine/src/ProcessMaker/Validation/SqlBlacklist.php
+++ b/workflow/engine/src/ProcessMaker/Validation/SqlBlacklist.php
@@ -121,8 +121,8 @@ class SqlBlacklist extends Parser
 //verify system tables
 $tables = $config['tables'];
- $fn($this->statements, function ($table) use ($tables) {
- if (in_array($table, $tables)) {
+ $fn($this->statements, function ($table) use ($tables, $notExecuteQuery) {
+ if (in_array($table, $tables) && $notExecuteQuery) {
 throw new Exception(G::loadTranslation('ID_NOT_EXECUTE_QUERY', [$table]));
 }
 });

From c73454dc9eaa082c885d80c598954a4d9406ab58 Mon Sep 17 00:00:00 2001
From: Paula Quispe
Date: Thu, 6 May 2021 11:42:01 -0400
Subject: [PATCH 2/3] PMCORE-3000

---
 workflow/engine/src/ProcessMaker/Model/ProcessUser.php | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/workflow/engine/src/ProcessMaker/Model/ProcessUser.php b/workflow/engine/src/ProcessMaker/Model/ProcessUser.php
index 5b741242b..59d79b927 100644
--- a/workflow/engine/src/ProcessMaker/Model/ProcessUser.php
+++ b/workflow/engine/src/ProcessMaker/Model/ProcessUser.php
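Review bot: `in_array($table, $tables)` on the changed line still compares loosely; pass `strict: true` so the parsed name is only ever compared as a string, and test the cheap flag first: `if ($notExecuteQuery && in_array($table, $tables, true)) {`. The closure now captures `$notExecuteQuery` by value, so it must be assigned on every path before `$fn(...)` runs, including when no statement type matched the blacklist; that initialisation is outside the hunk, so confirm it is not left undefined. The match is also exact-case and exact-spelling against the configured names — if the parser can hand back quoted or schema-qualified table names, normalise both sides before comparing, otherwise the configured blacklist silently does not apply to them. The enclosing method starts and ends outside the hunk.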
@@ -38,11 +38,10 @@ class ProcessUser extends Model
 */
 public function scopeProcessGroupSupervisor($query, $userUid)
 {
- $query->where('PU_TYPE', 'GROUP_SUPERVISOR');
- $query->leftJoin('GROUP_USER', function ($leftJoin) use ($userUid) {
- $leftJoin->on('PROCESS_USER.USR_UID', '=', 'GROUP_USER.GRP_UID')
- ->where('GROUP_USER.USR_UID', $userUid);
- });
+ // Ge the groups related to the user, Todo, implement the field PROCESS_USER.GRP_ID
+ $groups = GroupUser::getGroups($userUid, 'GRP_UID');
+ $query->where('PROCESS_USER.PU_TYPE', 'GROUP_SUPERVISOR');
+ $query->whereIn('PROCESS_USER.USR_UID', $groups);
 $query->joinProcess();
 return $query;

From 41230e7d541bb50cf00d9f5db6a1f5143920c6f7 Mon Sep 17 00:00:00 2001
From: Roly Rudy Gutierrez Pinto
Date: Fri, 7 May 2021 13:17:28 -0400
Subject: [PATCH 3/3] PMCORE-1225 The sentences DESCRIBE, EXPLAIN, SHOW, and BEGIN, now are supported. The EXEC and EXECUTE cannot be used within the black list and are removed from the documentation.

---
 .../engine/src/ProcessMaker/Validation/SqlBlacklist.php | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/workflow/engine/src/ProcessMaker/Validation/SqlBlacklist.php b/workflow/engine/src/ProcessMaker/Validation/SqlBlacklist.php
index 8f3a550e7..b1fd7856e 100644
--- a/workflow/engine/src/ProcessMaker/Validation/SqlBlacklist.php
+++ b/workflow/engine/src/ProcessMaker/Validation/SqlBlacklist.php
@@ -100,6 +100,10 @@ class SqlBlacklist extends Parser
 $signed = get_class($statement);
 foreach (Parser::$STATEMENT_PARSERS as $key => $value) {
 if ($signed === $value && in_array(strtoupper($key), $config['statements'])) {
+ //SHOW statement is a special case, it does not require a table name
+ if (strtoupper($key) === 'SHOW') {
+ throw new Exception(G::loadTranslation('ID_INVALID_QUERY'));
+ }
 $notExecuteQuery = true;
 break;
 }
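Review bot: The comment on the first added line has a typo and an informal TODO; make it `// Get the groups the user belongs to. TODO: use the PROCESS_USER.GRP_ID field once it exists.` The rewrite also changes how supervisors are resolved: the group lookup now runs as a separate `GroupUser::getGroups()` call whose result is fed straight to `whereIn`, so the shape that helper returns (a plain list of `GRP_UID` strings versus a collection or keyed array) decides whether the `IN` list is built correctly — worth pinning with a test, since the helper is not visible here. If `getGroups` can return an empty list, confirm the query builder in use renders `whereIn` with an empty array as a no-match rather than erroring, so a user with no groups sees no supervised processes. The method's closing brace is outside the hunk.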
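Review bot: `strtoupper($key)` is evaluated a second time on the added `if`, immediately after the same expression in the enclosing condition; hoist it once, `$statementType = strtoupper($key);`, and use it in both checks so they cannot drift apart. The added branch rejects a blacklisted SHOW with `ID_INVALID_QUERY`, whereas every other blacklisted statement is reported through `ID_NOT_EXECUTE_QUERY` from the table callback; the query is not malformed, it is refused by policy, so the message should say so (a translation key without a table placeholder, if `ID_NOT_EXECUTE_QUERY` needs one). The comment would read better as `// SHOW carries no table name, so the table check later cannot apply; refuse it here when it is blacklisted.` The enclosing loop and method start and end outside the hunk.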
@@ -116,6 +120,9 @@ class SqlBlacklist extends Parser
 if ($key === 'table' && is_string($value)) {
 $callback($value);
 }
+ if ($key === 'token' && is_string($value)) {
+ $callback($value);
+ }
 }
 };
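Review bot: The added `if` duplicates the body of the `'table'` branch just above it; fold both into one condition, `if (($key === 'table' || $key === 'token') && is_string($value)) {`, so the callback dispatch is maintained in one place. Passing every string stored under the `token` key to the table callback also widens what is compared against the table blacklist: if that key carries non-table tokens for some statement types (column names, literals, keywords), a value that merely equals a blacklisted table name would be refused as a false positive, so a comment naming which statement types rely on `token` (presumably the DESCRIBE/EXPLAIN cases the commit message mentions) plus a test per statement type would document the intent. The `$fn` closure starts outside the hunk.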