Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
(Java) V4 4.5.0, (Java) V4 4.6.0
-
None
Description
According to the JavaDoc of org.apache.olingo.server.api.uri.UriHelper.parseEntityId, this method parses Entity IDs. It is noted, that there must be a key present in the parameter entityid. However, in the implementation in UriHelperImpl that key is not required. That seems to be wrong and this might be bad for the user of the Olingo library:
The parameter entityId is probably coming via HTTP and can thus be anything. It might even be carefully selected by some attacker.
The current implementation just delegates parsing to the class Parser. Then it is checked how many resource parts are returned and of what type the first part is, but not whether there are any keys.
So you could do this, e.g. in an odata.bind:
entitysetname instead of entitysetname(23).
Maybe that is intentionally permitted, but I don't know OData enough to be absolutely sure.
If desirable, I could write a patch and a unit test for that.
