SQL injection validator fix
Project: http://git-wip-us.apache.org/repos/asf/fineract/repo Commit: http://git-wip-us.apache.org/repos/asf/fineract/commit/749ec055 Tree: http://git-wip-us.apache.org/repos/asf/fineract/tree/749ec055 Diff: http://git-wip-us.apache.org/repos/asf/fineract/diff/749ec055 Branch: refs/heads/develop Commit: 749ec055e9755f75d93fad8bb2ab4b7d6966aa48 Parents: 87e0c59 Author: Konstantin Golub <[email protected]> Authored: Tue Oct 17 08:23:18 2017 -0300 Committer: Konstantin Golub <[email protected]> Committed: Tue Oct 17 08:23:18 2017 -0300 ---------------------------------------------------------------------- .../infrastructure/security/utils/SQLInjectionValidator.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/fineract/blob/749ec055/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java ----------------------------------------------------------------------
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
index 60c2070..d03b2f4 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/utils/SQLInjectionValidator.java
@@ -30,7 +30,7 @@ public class SQLInjectionValidator {
 private final static String[] COMMENTS = { "--", "({", "/*", "#" };
- private final static String SQL_PATTERN = "[a-zA-Z_=,\\-'!><.?\"`% ()0-9]*";
+ private final static String SQL_PATTERN = "[a-zA-Z_=,\\-'!><.?\"`% ()0-9*\n\r]*";
 public final static void validateSQLInput(final String sqlSearch) {
 String lowerCaseSQL = sqlSearch.toLowerCase();
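Review bot: The widened character allow-list in `SQL_PATTERN` is undocumented, and a later maintainer could add `/` or `;` to it without realising that the `COMMENTS` blocklist depends on their absence — `/*` is only unreachable here because `/` is not in the class. I would put a comment above the constant: `// Character allow-list for user-supplied SQL fragments. Deliberately omits ';', '/' and '\\' (terminators, comment openers, escapes); '*' is permitted for "select *" and CR/LF for multi-line input — do not widen without re-checking COMMENTS and DDL_COMMANDS.` The `\n\r` inside the literal are Java escapes that embed raw control characters in the pattern; `\\n\\r` is equivalent and easier to read in a regex. Tab is still rejected while CR and LF now pass, which may or may not be intended. The trailing context lines belong to validateSQLInput, whose body continues outside the hunk.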
@@ -115,9 +115,9 @@ public class SQLInjectionValidator {
 }
 }
 public final static void validateAdhocQuery(final String sqlSearch) {
- String lowerCaseSQL = sqlSearch.toLowerCase();
+ String lowerCaseSQL = sqlSearch.toLowerCase().trim();
 for (String ddl : DDL_COMMANDS) {
- if (lowerCaseSQL.contains(ddl)) {
+ if (lowerCaseSQL.startsWith(ddl)) {
 throw new SQLInjectionException();
 }
 }
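Review bot: Replacing `contains(ddl)` with `startsWith(ddl)` in validateAdhocQuery means a DDL keyword anywhere after the first token no longer trips this loop, so input like `select 1; drop table m_client` passes it unless a check outside the hunk (the method body continues past the last line shown) rejects `;` or comment sequences. If the intent was to avoid false positives on identifiers such as `created_on`, a whole-word match keeps both properties: `if (Pattern.compile("\\b" + Pattern.quote(ddl) + "\\b").matcher(lowerCaseSQL).find()) {` (needs `java.util.regex.Pattern`). The `toLowerCase()` call is locale-sensitive: under a Turkish default locale an upper-case `I` becomes dotless `ı`, so any entry of DDL_COMMANDS containing an `i` would silently fail to match — use `toLowerCase(Locale.ROOT)`. Note also that `trim()` strips only characters at or below U+0020, so other leading whitespace or a leading comment would likewise defeat `startsWith`.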
