I checked the warnings at https://github.com/apache/ofbiz-framework/actions/runs/12549445963
we are up to date Jaques Le 30/12/2024 à 17:56, GitBox a écrit :
The GitHub Actions job "CodeQL" on ofbiz-framework.git has failed. Run started by GitHub user nmalin (triggered by nmalin). Head commit for run: 390a70356ab7d148bc7f647e50994d38ee15eb22 / Nicolas Malin <nicolas.ma...@nereide.fr> Improved: Improve validation method on service parameter (OFBIZ-13197) Since the Remote Code Execution (File Upload) Vulnerability fixed by OFBIZ-11948, the class GroovyBaseScript.groovy contains a dependency with a service definition 'createAnonFile' to control the security. This solution works but break the dependency between each component and the mandatory for a service to protect it himself. Normally a service can secure each parameter with element type-validate unfortunately, this element can call only method with one parameter. In your case the method to validate a file upload need to have the delegator. To solve it, we improve the element type-validate to analyze the method call for validate the attribute value and pass the delegator or dispatcher if it detected. Like this we can move the code present on GroovyBaseScript to the service definition and offer the possibility to create more complex validate method for custom site. Report URL: https://github.com/apache/ofbiz-framework/actions/runs/12549445963 With regards, GitHub Actions via GitBox
