Merge lp://qastaging/~savoirfairelinux-openerp/knowledge-addons/cmis_read into lp://qastaging/knowledge-addons/7.0

test

l.377 osv.TransientModel should be orm.TransientModel
l.504 POSSIBLE SQL INJECTION: (with quotes in a filename) please use the library's code escapes, don't write your own

Flake8:
cmis_read/wizard/document_wizard.py:102:9: F841 local variable 'file_name' is assigned to but never used
cmis_read/wizard/document_wizard.py:115:5: E265 block comment should start with '# '
cmis_read/wizard/document_wizard.py:120:6: E111 indentation is not a multiple of four
cmis_read/wizard/document_wizard.py:120:6: E113 unexpected indentation
cmis_read/wizard/document_wizard.py:148:5: E265 block comment should start with '# '

@scaerter: thanks for comments

openerp.modules.loading: The transient model ir.attachment.dms (ir.attachment.dms) should not have explicit access rules!

l.504 : it is a cmis query

Injection is still possible. It is an entry point for malicious queries or accidental breaks.

l.471 Still severe bug and injection potential

Try:
filename = "sql%' OR '1' = '1' OR '%injection"

CMIS must provide a code escape function, otherwise use OpenERP's. It is important that you don't do this manually.

https://en.wikipedia.org/wiki/Sql_injection

There are also no unittests. The previous example would be a good thing to test.

In the log of a reading job, I get :

Traceback (most recent call last): File "/home/max/openerp/cmis/bzr/connector/connector/queue/worker.py", line 122, in run_job job.perform(session) File "/home/max/openerp/cmis/bzr/connector/connector/queue/job.py", line 472, in perform self.result = self.func(session, *self.args, **self.kwargs) File "/home/max/openerp/cmis/bzr/knowledge/cmis_read/wizard/document_wizard.py", line 169, in create_doc_from_dms data_attach, context=session.context) File "/home/max/openerp/cmis/bzr/knowledge/cmis_write/ir_attachment.py", line 77, in create user_login) File "/home/max/openerp/cmis/bzr/connector/connector/queue/job.py", line 653, in delay **kwargs) File "/home/max/openerp/cmis/bzr/connector/connector/queue/job.py", line 131, in enqueue_resolve_args description=description) File "/home/max/openerp/cmis/bzr/connector/connector/queue/job.py", line 115, in enqueue self.store(job) File "/home/max/openerp/cmis/bzr/connector/connector/queue/job.py", line 220, in store self.session.context) File "/home/max/openerp/cmis/bzr/addons/mail/mail_thread.py", line 252, in create thread_id = super(mail_thread, self).create(cr, uid, values, context=context_operation) File "/home/max/openerp/cmis/bzr/connector/connector/producer.py", line 42, in create record_id = create_original(self, cr, uid, vals, context=context) File "/opt/openerp/7.0/server/openerp/osv/orm.py", line 4486, in create upd2.append(self._columns[field]._symbol_set[1](vals[field])) File "/opt/openerp/7.0/server/openerp/osv/fields.py", line 232, in <lambda> self._symbol_f = self._symbol_set_char = lambda x: _symbol_set_char(self, x) File "/opt/openerp/7.0/server/openerp/osv/fields.py", line 224, in _symbol_set_char return u_symb[:self.size].encode('utf8') MemoryError

l.469,502: Queries are still not fully sanitized, any quotes or percent sizes in the input will result in unexpected behaviour. This is a security risk and a major bug potential.
I highly recommend you to add a function to sanitize input in the cmis module for queries and follow the documentation from http://wiki.alfresco.com/wiki/CMIS_Query_Language#Literals

Basic escaping:

    \\ represents \
    \' represents '

In addition to basic escaping, in LIKE expressions

    \% represents %
    \_ represents _

For better usability and security, your sanitize function should wrap the query function, the same way OE does, so that there is no way to call the query the wrong way.

Something along the lines of

safe_query(" SELECT cmis:name, cmis:createdBy, cmis:objectId, "
           "cmis:contentStreamLength FROM cmis:document "
           "WHERE cmis:name LIKE '%%%s%%'", filename)

def safe_query(query, *args):
    args = map(sanitize_input, args)
    return repo.query(query % args)

Make sure to make the these functions general purpose, not specific to this particular instance as it seems now (function name sanitize_input_filename_field sounds specific to filename, when it can be used on any query).

Finally, _make sure to put these functions in your topmost dependency (cmis) so any depending module can use it reliably.

@Sandy Carter:
'repo' is not defined.I change the way to do

Looking better

Hi,

It seems nice.

I left a few comments in the diff. I won't really block on them but you should have a look.

Thank you for your review, Guewen, I learned a few things.

This MP have been moved to MP to https://github.com/OCA/knowledge/pull/7