Merge branch 'master' of github.com:moqui/moqui-runtime into sec-vuln…

…erabilities # Conflicts: # base-component/webroot/screen/webroot/js/WebrootVue.qvt.js
mkdecisiondev · Sep 7, 2023 · 50fdc06 · 50fdc06
2 parents a17a509 + 22ed1ad
commit 50fdc06
Show file tree

Hide file tree

Showing 14 changed files with 847 additions and 82 deletions.
diff --git a/base-component/tools/screen/System/LogViewer.xml b/base-component/tools/screen/System/LogViewer.xml
@@ -112,7 +112,7 @@ along with this software (see the LICENSE.md file). If not, see
             <container><label text="${messageInfo.message}" type="strong" style="text-${messageInfo.typeString}"/></container>
         </widgets></section-iterate>
 
-        <form-list name="LogMessageDocuments" list="documentList" paginate="true" paginate-always-show="true" skip-form="true">
+        <form-list name="LogMessageDocuments" list="documentList" paginate="true" paginate-always-show="true" skip-form="true" show-page-size="true">
             <row-actions>
                 <set field="levelStyle" from="'ERROR'.equals(level) ? 'text-danger' : ('WARN'.equals(level) ? 'text-warning' : ('INFO'.equals(level) ? 'text-success' : ''))"/>
             </row-actions>

diff --git a/base-component/tools/screen/System/Visit/VisitList.xml b/base-component/tools/screen/System/Visit/VisitList.xml
@@ -43,6 +43,10 @@ along with this software (see the LICENSE.md file). If not, see
                 <header-field show-order-by="true"><text-find size="20" default-operator="begins"/></header-field>
                 <default-field><display/></default-field>
             </field>
+            <field name="sessionId">
+                <header-field show-order-by="true"><text-find size="20" default-operator="begins"/></header-field>
+                <default-field><display/></default-field>
+            </field>
             <field name="userId">
                 <header-field show-order-by="true"><text-find size="20" default-operator="begins"/></header-field>
                 <default-field>
@@ -70,7 +74,7 @@ along with this software (see the LICENSE.md file). If not, see
             <field name="findButton"><header-field><submit text="Find"/></header-field></field>
 
             <form-list-column><field-ref name="visitId"/><field-ref name="fromDate"/></form-list-column>
-            <form-list-column><field-ref name="visitorId"/><field-ref name="userId"/></form-list-column>
+            <form-list-column><field-ref name="visitorId"/><field-ref name="sessionId"/><field-ref name="userId"/></form-list-column>
             <form-list-column><field-ref name="clientIpAddress"/><field-ref name="clientIpCountryGeoId"/></form-list-column>
             <form-list-column><field-ref name="serverIpAddress"/><field-ref name="initialRequest"/></form-list-column>
             <form-list-column><field-ref name="hitCount"/></form-list-column>

diff --git a/base-component/tools/screen/Tools/Entity/SqlScriptRunner.xml b/base-component/tools/screen/Tools/Entity/SqlScriptRunner.xml
@@ -0,0 +1,91 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+This software is in the public domain under CC0 1.0 Universal plus a 
+Grant of Patent License.
+
+To the extent possible under law, the author(s) have dedicated all
+copyright and related and neighboring rights to this software to the
+public domain worldwide. This software is distributed without any
+warranty.
+
+You should have received a copy of the CC0 Public Domain Dedication
+along with this software (see the LICENSE.md file). If not, see
+<http://creativecommons.org/publicdomain/zero/1.0/>.
+-->
+<screen xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://moqui.org/xsd/xml-screen-3.xsd"
+        default-menu-title="SQL Script Runner" begin-transaction="false"><!-- NOTE: begin tx is false so table meta data changes, etc can be done -->
+
+    <actions>
+        <if condition="!ec.user.hasPermission('SQL_RUNNER_WEB')">
+            <return error="true" message="User does not have permission to use the SQL Runner"/></if>
+        <if condition="!sri.getScreenUrlInfo().isPermitted(ec, null, org.moqui.context.ArtifactExecutionInfo.AUTHZA_ALL)">
+            <return error="true" message="User must be authorized for all actions on this screen"/></if>
+
+        <script><![CDATA[
+            import java.sql.Connection
+            import java.sql.ResultSet
+            import java.sql.SQLWarning
+            import org.moqui.context.ExecutionContext
+
+            ExecutionContext ec = context.ec
+
+            def rs = null
+            int limitInt = 1
+
+            // make sure SQL comes in secure parameter (body, etc no URL)
+            String sqlScript = ec.web.secureRequestParameters.get("sql")
+            if (sqlScript && groupName) {
+                sqlList = sqlScript.split(';')
+                messageList = []
+                Connection con = ec.entity.getConnection(groupName)
+                try {
+                    for (sql in sqlList) {
+                        try {
+                            stmt = con.createStatement()
+
+                            boolean isResultSet = stmt.execute(sql as String)
+
+                            SQLWarning w = stmt.getWarnings()
+                            for (int j = 0; j < 100 && w != null; j++) {
+                                ec.logger.warn(w.getMessage() as String)
+                                w = w.getNextWarning()
+                            }
+                            stmt.clearWarnings()
+
+                            if (isResultSet) {
+                                rs = stmt.getResultSet()
+                                try {
+                                    // do stuff with result set (like displaying it see SqlRunner.xml)
+                                } finally {
+                                    rs.close()
+                                }
+                            } else if ((rowsAffected = stmt.getUpdateCount()) != -1){
+                                messageList.add(ec.resource.expand('Query altered ${rowsAffected} rows.',''))
+                            }
+
+                        } catch (Exception e) {
+                            messageList.add(e.toString())
+                            ec.logger.log(200, "Error running SQL query in SqlRunner", e)
+                        } finally {
+                            if (stmt != null) { try { stmt.close() } catch (Exception e) { /* Ignore */ } }
+                        }
+                    }
+                } finally {
+                    if (con != null) { try { con.close() } catch (Exception e) { /* Ignore */ } }
+                }
+
+            }
+        ]]></script>
+    </actions>
+    <widgets>
+        <form-single name="SqlOptions" transition="." body-parameters="sql">
+            <field name="groupName"><default-field><drop-down no-current-selected-key="transactional">
+                <list-options list="ec.entity.getDatasourceGroupNames()"/></drop-down></default-field></field>
+            <field name="sql"><default-field title="SQL Script" tooltip="Semicolon separated sql statements"><text-area cols="120" rows="40"/></default-field></field>
+            <field name="submitButton"><default-field title="Run SQL"><submit/></default-field></field>
+        </form-single>
+        <section-iterate name="Messages" list="messageList" entry="message"><widgets>
+            <label text="${message}" type="p" style="text-info"/>
+        </widgets></section-iterate>
+    </widgets>
+</screen>