release(26.04.11-03): cherry-pick #35553 security fix onto 26.04.11-02#35634
Closed
sfreudenthaler wants to merge 10 commits into
Replaces the manually quoted IN-clause with bound parameters so caller-supplied bundle ids cannot break out of the SQL literal. Also guards against null/empty input (which previously NPE'd or produced invalid `IN ()` SQL), and corrects the catch-block logger to use this class and ERROR level (matching the sibling deletePublishAuditStatus method). Refs: dotCMS/private-issues#581
…erization Adds four integration tests for getPublishAuditStatuses(List<String>):
- happy path returns the requested rows and excludes others
- empty list returns an empty result without producing invalid `IN ()` SQL
- null list returns an empty result without NPE
- bundle ids containing SQL meta-characters (single quotes, OR 1=1, '; DROP TABLE; --, comment terminators, escaped quotes) are bound as parameters and produce no rows; the audit table remains intact
Refs: dotCMS/private-issues#581
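The fix described in the two commits above, as an added example that is not dotCMS's own code: the hand-quoted IN clause (the before shape) beside a bound-parameter version with the null/empty guard, written against plain JDBC rather than dotCMS's own DB layer. The table and column names `publishing_queue_audit` and `bundle_id` are assumptions for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added example, not dotCMS code; table/column names are assumptions.
public final class AuditStatusQuery {
    // BEFORE (vulnerable shape): ids are quoted by hand, so an id containing a single
    // quote closes the literal and the remainder is parsed as SQL; an empty list
    // also yields "IN ()", which most databases reject as a syntax error.
    static String concatenatedSql(List<String> bundleIds) {
        StringBuilder in = new StringBuilder();
        for (String id : bundleIds) {
            if (in.length() > 0) in.append(", ");
            in.append('\'').append(id).append('\'');
        }
        return "SELECT bundle_id FROM publishing_queue_audit WHERE bundle_id IN (" + in + ")";
    }

    // AFTER: one "?" per id; the driver binds each value as data, never as SQL text.
    static String placeholders(int count) {
        return String.join(", ", Collections.nCopies(count, "?"));
    }

    static List<String> getPublishAuditStatuses(Connection conn, List<String> bundleIds)
            throws SQLException {
        // Null or empty input returns an empty result instead of an NPE or "IN ()".
        if (bundleIds == null || bundleIds.isEmpty()) {
            return Collections.emptyList();
        }
        String sql = "SELECT bundle_id FROM publishing_queue_audit WHERE bundle_id IN ("
                + placeholders(bundleIds.size()) + ")";
        List<String> found = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            for (int i = 0; i < bundleIds.size(); i++) {
                ps.setString(i + 1, bundleIds.get(i)); // JDBC parameter indexes are 1-based
            }
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    found.add(rs.getString("bundle_id"));
                }
            }
        }
        return found;
    }
}
```

With the meta-character inputs listed in the test commit above, the parameterized query matches no rows and leaves the table untouched, because each value reaches the database as a bound string rather than as SQL text.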
Co-authored-by: semgrep-code-dotcms-test[bot] <183154938+semgrep-code-dotcms-test[bot]@users.noreply.github.com>
…pply The "Apply suggestion" action on the Semgrep bot's review (commit f68ff49) appended the bot's suggested code on top of the existing parameterized fix instead of replacing it, leaving two `placeholders` declarations in the same method (compile error: "variable placeholders is already defined"). The bot's suggestion was functionally identical to the committed code; the existing parameterized fix is correct. Removing the duplicate block.
…blishingResource Adds WebResource.InitBuilder authentication checks to GET /api/auditPublishing/get and POST /api/auditPublishing/getAll. Both endpoints previously skipped WebResource.init entirely, so an unauthenticated caller could enumerate publish audit status for any bundle id (or list of ids) — the SQL injection in the underlying DB method was the worst-case shape, but even after parameterization the data exposure remains until the resource is gated. Both endpoints now require:
- a backend (CMS) user, not a frontend user
- the `publishing-queue` portlet permission
- rejection when no user is present (no anonymous access)
Addresses review feedback from @wezell.
…eTest The auth check throws com.dotcms.rest.exception.SecurityException (WebApplicationException subclass), not java.lang.SecurityException. @Test(expected = ...) defaults to the imported class, so a no-arg import was matching the wrong type and the test errored even though the auth worked correctly.
…issing token Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
dsolistorres approved these changes on May 8, 2026
Summary
Customer-targeted patched build for Lennox, who is currently pinned to `26.04.11-02` and cannot upgrade through the `26.04.28-x` line. `26.04.28-02` introduced a host-resolution regression (URL mapping returns 404 at runtime when detail page uses custom Page content type (follow-up to #35149) #35268) that broke URL-mapped pages across Lennox's ~25 sites — they were rolled back to `26.04.11-02` on 2026-05-07. `26.04.28-03` cherry-picked the fix(publisher): parameterize getPublishAuditStatuses bundle-id query #35553 security fix onto `26.04.28-02`, so it still carries the regression and is unsafe for Lennox.
`26.04.11-02` baseline that Lennox is already running.

What's in this branch
`v26.04.11-02` + 9 commits cherry-picked from #35553 (the same set that landed on `release-26.04.28-03`):
Tip: `c1b78bd81d`.

Cherry-pick cleanliness
All 9 commits applied with no manual conflict resolution. One auto-merge in `PublisherQueueJob.java` resolved cleanly — the 26.04.11 baseline uses `com.dotcms.repackage.com.google.common.collect` import paths instead of the direct Guava imports on the 26.04.28 line. Unrelated to the security fix.
Cross-checked against `v26.04.28-03`: `AuditPublishingResource.java`, `PublishAuditAPIImpl.java`, and `AuditPublishingResourceTest.java` are byte-identical to 28-03 — the security fix landed exactly as it did there.

Not in scope
`main` — this branch exists to produce a customer-specific image off the 26.04.11 line.
Publishing release version [26.04.11-03] is left to the release automation, mirroring how `569fc6b9df` was produced for `26.04.28-03`.

Resulting image
Image will be tagged `26.04.11-03_<sha>` (SHA-suffix convention). Once built, the infra-as-code repo will bump `lennox/prod-2`, `lennox/staging-2`, and `lennox-dr/prod-2` (already excluded from the current deploy wave) to that tag in a separate PR.

Test plan
`/api/auditPublishing/get` and `/api/auditPublishing/getAll` reject anonymous callers (security fix in effect)

🤖 Generated with Claude Code
refs: https://github.com/dotCMS/private-issues/issues/581