Groovy and Grails Security: Denial of Service (DoS) Case 2

August 9, 2010

Denial of Service Case 2:

Scenario: showing a list of Clients with pagination (at most 10 per page).
def list = {
    if (!params.max) params.max = 10   // default page size; any user-supplied max is accepted as-is
    [clientList: Client.list(params)]
}

Possible Attack: the request is sent with the max value changed to 100000000

Result: the query loads 100000000 Client rows and, as in Case 1, an out-of-memory error occurs

Possible Solutions in Groovy and Grails:
def list = {
    // clamp the page size: fall back to 10 when max is missing, never exceed 100
    params.max = Math.min(params.max?.toInteger() ?: 10, 100)
    [clientList: Client.list(params)]
}

In the worst case it loads just 100 records.
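As an added example (not code from the post or from the book it cites): a plain Groovy script, runnable without Grails, that clamps the max and offset request parameters the way the fix above does, and also covers non-numeric and negative input, which params.max?.toInteger() would otherwise turn into an exception. The sanitizePagination name and the 10/100 limits are assumptions.

```groovy
// Added example, not from the original post. Assumes 'params' is the request
// parameter map (values arrive as strings), a default page size of 10 and a
// hard cap of 100, as in the post. Runs as: groovy pagination.groovy

Map sanitizePagination(Map params, int defaultMax = 10, int cap = 100) {
    // Non-numeric input must not raise a NumberFormatException (which the
    // original params.max?.toInteger() does); treat it like a missing value.
    // A number too large for an int also fails isInteger() and falls back.
    String rawMax = params.max?.toString()
    int max = (rawMax != null && rawMax.isInteger()) ? rawMax.toInteger() : defaultMax
    if (max < 1) max = defaultMax          // 0 or negative: use the default page size
    if (max > cap) max = cap               // 100000000 becomes 100

    String rawOffset = params.offset?.toString()
    int offset = (rawOffset != null && rawOffset.isInteger()) ? rawOffset.toInteger() : 0
    if (offset < 0) offset = 0             // negative offsets are meaningless

    return [max: max, offset: offset]
}

// Constructed inputs: the attack from the post plus a few edge cases.
assert sanitizePagination([:]) == [max: 10, offset: 0]
assert sanitizePagination([max: '100000000']) == [max: 100, offset: 0]
assert sanitizePagination([max: 'abc', offset: '-5']) == [max: 10, offset: 0]
assert sanitizePagination([max: '0']) == [max: 10, offset: 0]
assert sanitizePagination([max: '25', offset: '50']) == [max: 25, offset: 50]
println "all pagination inputs clamped correctly"
```

In a real Grails controller, params.int('max') does the parse-or-null step for you; the clamping logic stays the same.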

Reference: The Definitive Guide to Grails, 2nd Edition


Groovy and Grails Security: Denial of Service (DoS) Case 1

August 9, 2010

Denial of Service:

Scenario: we have a Client domain object whose lastName is not null, and a search query like the following:
search = {
    // vulnerable: params.lastName is concatenated straight into the HQL string
    Client.findAll("from Client where lastName='" + params.lastName + "'")
}

Possible Attack:
if params.lastName = ' or id > 0 is sent with the request, the query becomes:
search = {
    // the injected fragment makes the where clause true for every row
    Client.findAll("from Client where lastName='' or id > 0")
}

Result:
Every Client in the database is fetched, and the result is an out-of-memory error

Possible Solutions in Groovy and Grails:

search = {
    // named parameter: the value is bound by Hibernate, never interpolated into the HQL
    Client.findAll("from Client where lastName = :lastName", [lastName: params.lastName])
}
or
search = {
    // positional parameter: values are passed as a list, in order
    Client.findAll("from Client where lastName = ?", [params.lastName])
}
or
Client.withCriteria {
    eq('lastName', params.lastName)
}
or

Client.findAllByLastName(params.lastName)


Reference: The Definitive Guide to Grails, 2nd Edition

Groovy and Grails: Sorting Problem of a Customized Search Result

July 4, 2010

The GSP tag g:sortableColumn is used for sorting a list in Grails. By default a list shows all the rows stored in the database. A user can sort the list in ascending or descending order by clicking on that column header.

But the same thing does not work for a customized search result (criteria search). For example, a search fetches 6 of 10 rows from the database. If you display the result with that tag, clicking a column header to sort will display all 10 sorted rows instead of 6. This happens because the search parameters are missing from the result page. Let's see the example below: suppose we have a Book class, a BookSearchCmd and a criteria search for this class.


class Book {
    Integer id
    String name
    Date entryDate
}

class BookController {
    def search() {
        def searchCmd = new BookSearchCmd()
        return [searchCmd: searchCmd]
    }

    def result() {
        def cmd = new BookSearchCmd()
        bindData(cmd, params)   // copy the request parameters onto the command object

        def crit = Book.createCriteria()
        // params also carries max/offset/sort/order from the pagination and sort links
        def bookList = crit.list(params) {
            if (cmd.id) le('id', cmd.id)
        }
        return [bookList: bookList]
    }
}

class BookSearchCmd {
    Integer id
    String name
    Date entryDate
}

Now if the id parameter is 6 and there are 10 books with ids 1..10, it will display 6 rows; but when you try to sort the result using <g:sortableColumn> in the result.gsp page it will display all 10 results, as there are no search params in the result page. In the code, crit.list(params) applies the restriction only when it gets the search parameter; otherwise it behaves like the default list() method.

An easy way out of the problem is saving searchCmd in the session and reusing it for sorting the customized search result when the request comes from the result page (params.search indicates a request from the search page). Some minor modification of the above code does it, as in the following code:

class BookController {
    def search() {
        session.removeAttribute("searchCmd")   // a fresh search discards the old criteria
        def searchCmd = new BookSearchCmd()
        return [searchCmd: searchCmd]
    }

    def result() {
        def searchCmd = session.getAttribute("searchCmd")
        // bind a new command only when coming from the search page (or nothing is stored yet);
        // sort/paginate requests from result.gsp reuse the stored criteria
        if (params.search || searchCmd == null) {
            searchCmd = new BookSearchCmd()
            bindData(searchCmd, params)
            session.setAttribute("searchCmd", searchCmd)
        }

        def crit = Book.createCriteria()
        def bookList = crit.list(params) {
            if (searchCmd.id) le('id', searchCmd.id)
        }
        return [bookList: bookList]
    }
}

By: Md. Shahjalal


Groovy and Grails: Using Enum as dropdown or Combobox for int value

July 4, 2010

Sample Enum:
public enum FruitType {
    Apple(1),
    Orange(2);

    final Integer id   // the numeric value stored in the domain class

    FruitType(Integer id) {
        this.id = id
    }
}

In domain class you can define the type by:

Integer fruitType

Adding static constraints (the property is an Integer, so the allowed list must hold the enum ids, not the enum constants):

static constraints = { fruitType(nullable: false, inList: FruitType.values()*.id) }

Now in GSP you can use this enum as a drop-down with the following code (optionKey="id" makes the option submit the numeric id, which binds to the Integer property):

<g:select name="fruitType" from="${FruitType?.values()}" optionKey="id" value="${fruitInstance?.fruitType}" />


Groovy and Grails: Using map as Dropdown or Combobox

June 24, 2010

Sample Map:

def fruitMap = [1 : 'Apple', 2 : 'Orange', 3 : 'Banana']

Now in GSP you can use this map as a drop-down with the following code

<g:select name="fruit" from="${fruitMap.entrySet()}" optionKey="key" optionValue="value" value="${fruitInstance?.fruit}" noSelection="['null': '']" />

