From 2661cf80beff4aad9233b4a728b37b35e6298bcb Mon Sep 17 00:00:00 2001 From: Konrad Kleine <193408+kwk@users.noreply.github.com> Date: Tue, 7 Aug 2018 15:40:55 +0200 Subject: [PATCH] Provide join lock down (#2211) This includes an extra-condition in the `ON` part of the table `JOINS` for areas, codebases and iterations to only join those tables filtered by their space ID. I'm not sure though if this really fixes the problem (see https://github.com/fabric8-services/fabric8-wit/issues/2210#issuecomment-410241026). ## TODO As of yesterday's (07.08.2018) discussion with @aslakknutsen we did experiments and found that in order to keep the rows in the search small, we have to establish a condition on the final SQL `WHERE` clause that limits the selection to work items from a particular space. At the moment, the current `/api/search` endpoint is so generic that it doesn't require a limitation by space on the root of the `WHERE` clause. That's why @aslakknutsen and I agreed to create a search endpoint under `/api/spaces//search` in order to automatically add the space ID to the query condition. This will be implemented in another PR and is tracked in https://github.com/openshiftio/openshift.io/issues/4124 See #2210. --- workitem/expression_compiler.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/workitem/expression_compiler.go b/workitem/expression_compiler.go
index 824f1f9367..966758cf84 100644
--- a/workitem/expression_compiler.go
+++ b/workitem/expression_compiler.go
@@ -125,21 +125,21 @@ var DefaultTableJoins = func() TableJoinMap {
 "iteration": {
 TableName: "iterations",
 TableAlias: "iter",
- On: JoinOnJSONField(SystemIteration, "iter.id"),
+ On: JoinOnJSONField(SystemIteration, "iter.id") + " AND " + Column("iter", "space_id") + "=" + Column(WorkItemStorage{}.TableName(), "space_id"),
 PrefixActivators: []string{"iteration."},
 AllowedColumns: []string{"name", "created_at"},
 },
 "area": {
 TableName: "areas",
 TableAlias: "ar",
- On: JoinOnJSONField(SystemArea, "ar.id"),
+ On: JoinOnJSONField(SystemArea, "ar.id") + " AND " + Column("ar", "space_id") + "=" + Column(WorkItemStorage{}.TableName(), "space_id"),
 PrefixActivators: []string{"area."},
 AllowedColumns: []string{"name"},
 },
 "codebase": {
 TableName: "codebases",
 TableAlias: "cb",
- On: JoinOnJSONField(SystemCodebase, "cb.id"),
+ On: JoinOnJSONField(SystemCodebase, "cb.id") + " AND " + Column("cb", "space_id") + "=" + Column(WorkItemStorage{}.TableName(), "space_id"),
 PrefixActivators: []string{"codebase."},
 AllowedColumns: []string{"url"},
 },
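Review bot: The three added `On` lines hand-build the same `... AND <alias>.space_id = <work item table>.space_id` clause once per join, so any join added to `DefaultTableJoins` later can silently omit the space lock-down that this commit introduces; a small helper taking the JSON field and the alias would make the restriction the default rather than something each entry has to remember. `Column(WorkItemStorage{}.TableName(), "space_id")` references the work item table by its storage name rather than by an alias, so if the table is aliased in the FROM clause anywhere the join is rendered the condition would name an unknown relation — I cannot see how the table is referenced from this hunk, so a test asserting the rendered `On` string of each default join would both pin the intent and catch that. The enclosing `DefaultTableJoins` function starts and ends outside the hunk.
```go
// joinOnInSpace builds the ON clause for a join against a space-scoped table:
// the JSON field must match <alias>.id AND the joined row must belong to the
// same space as the work item, so cross-space rows never match a sub-expression.
func joinOnInSpace(jsonField, alias string) string {
	return JoinOnJSONField(jsonField, alias+".id") +
		" AND " + Column(alias, "space_id") + "=" + Column(WorkItemStorage{}.TableName(), "space_id")
}

// … unchanged: map literal header …
			On:         joinOnInSpace(SystemIteration, "iter"),
// … unchanged: iteration PrefixActivators/AllowedColumns, area header …
			On:         joinOnInSpace(SystemArea, "ar"),
// … unchanged: area PrefixActivators/AllowedColumns, codebase header …
			On:         joinOnInSpace(SystemCodebase, "cb"),
```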