From 4b3d3ea18be11e957c5b36464083cc047f5dc727 Mon Sep 17 00:00:00 2001
From: Paul Hoadley
Date: Sun, 19 Jun 2016 14:25:48 +0930
Subject: [PATCH] Adds proxy binding for AjaxProxy component. #768 When the proxy binding is not set, AjaxProxy uses its containing component (so, in this case, the AjaxFlexibleFileUpload component) as its server-side proxy object. This exposes all public methods of that component to the client-side Javascript object. At that point, a malicious user can fairly easily call some significant methods, such as Application.terminate() to shut down the application instance. Here we add a single-purpose Proxy object as an inner class of AjaxFlexibleFileUpload which simply wraps the methods that we need to call from the client.
---
 .../AjaxFlexibleFileUpload.wod | 1 +
 .../er/ajax/AjaxFlexibleFileUpload.java | 41 ++++++++++++++++++-
 2 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/Frameworks/Ajax/Ajax/Components/AjaxFlexibleFileUpload.wo/AjaxFlexibleFileUpload.wod b/Frameworks/Ajax/Ajax/Components/AjaxFlexibleFileUpload.wo/AjaxFlexibleFileUpload.wod
index 0af920e2d10..07c15c7f1cf 100644
--- a/Frameworks/Ajax/Ajax/Components/AjaxFlexibleFileUpload.wo/AjaxFlexibleFileUpload.wod
+++ b/Frameworks/Ajax/Ajax/Components/AjaxFlexibleFileUpload.wo/AjaxFlexibleFileUpload.wod
@@ -1,6 +1,7 @@
 AjaxProxy : AjaxProxy {
 name = ajaxProxyName;
 proxyName = "wopage";
+ proxy = proxy;
 }
 SelectFileButtonWrapper : WOGenericContainer {
diff --git a/Frameworks/Ajax/Ajax/Sources/er/ajax/AjaxFlexibleFileUpload.java b/Frameworks/Ajax/Ajax/Sources/er/ajax/AjaxFlexibleFileUpload.java
index 44c9af1f749..e44e38a7889 100644
--- a/Frameworks/Ajax/Ajax/Sources/er/ajax/AjaxFlexibleFileUpload.java
+++ b/Frameworks/Ajax/Ajax/Sources/er/ajax/AjaxFlexibleFileUpload.java
@@ -100,7 +100,46 @@ public static interface Keys {
 public static final String clearUploadProgressOnSuccess = "clearUploadProgressOnSuccess";
 public static final String onClickBefore = "onClickBefore";
 }
-
+
+ /**
+ * Wrapper class to expose only the methods we need to {@link AjaxProxy}.
+ *
+ * @author paulh
+ * @see #768
+ */
+ public final class Proxy {
+ /**
+ * Wrapper for {@link AjaxFlexibleFileUpload#uploadState()}.
+ *
+ * @return see {@link AjaxFlexibleFileUpload#uploadState()}
+ */
+ public NSDictionary uploadState() {
+ return AjaxFlexibleFileUpload.this.uploadState();
+ }
+
+ /**
+ * Wrapper for {@link AjaxFlexibleFileUpload#cancelUpload()}.
+ */
+ public void cancelUpload() {
+ AjaxFlexibleFileUpload.this.cancelUpload();
+ return;
+ }
+
+ /**
+ * Wrapper for {@link AjaxFlexibleFileUpload#uploadState()}.
+ *
+ * @return see {@link AjaxFlexibleFileUpload#uploadState()}
+ */
+ public WOActionResults clearFileResults() {
+ return AjaxFlexibleFileUpload.this.clearFileResults();
+ }
+ }
+
+ /**
+ * Proxy used for method access by {@link AjaxProxy}
+ */
+ public final Proxy proxy = new Proxy();
+
 private String _refreshTime;
 private String _clearLabel;
 private String _cancelLabel;
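Review bot: The Javadoc on `Proxy.clearFileResults()` was copied from `uploadState()` and still names the wrong target; it should read `Wrapper for {@link AjaxFlexibleFileUpload#clearFileResults()}.` with `@return see {@link AjaxFlexibleFileUpload#clearFileResults()}`. Because the public methods of `Proxy` are now the entire client-callable surface, the class comment should state that invariant, for example `Every public method declared here can be invoked from client-side JavaScript via AjaxProxy; add only methods that are safe for untrusted callers.` The `return;` at the end of `cancelUpload()` is redundant and can be dropped. The fallback described in the commit message (AjaxProxy using its containing component when `proxy` is unbound) is not touched by this hunk, so other components that embed AjaxProxy without a `proxy` binding would presumably still expose their public methods and are worth auditing separately.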