josemakara2 edited a comment on pull request #1671: URL: https://github.com/apache/fineract/pull/1671#issuecomment-808913147
The first one to fix here will be as shown in the screenshot. It was reported in 29 API URLs:

```
> High SQL Injection
Description: SQL injection may be possible.
URL: https://localhost:8443/fineract-provider/api/v1/users
Method: GET
Parameter: Fineract-Platform-TenantId
Attack: default%
```

The page results were successfully manipulated using the Boolean conditions [default%] and [%e%]:

- Condition 1: Data was returned for the original parameter.
- Condition 2: No data was returned for the manipulated parameter `%e%`. Actually, here it returned 2 rows whereas we were expecting 1:

```
SELECT t.id, t.timezone_id AS timezoneId, t.name, t.identifier
FROM tenants t
LEFT JOIN tenant_server_connections ts ON t.oltp_Id = ts.id
WHERE t.identifier LIKE '%e%';
```

Followed by an application error in the Tomcat logs:

```
org.springframework.dao.IncorrectResultSizeDataAccessException: Incorrect result size: expected 1, actual 2
	at org.springframework.dao.support.DataAccessUtils.nullableSingleResult(DataAccessUtils.java:100)
	at org.springframework.jdbc.core.JdbcTemplate.queryForObject(JdbcTemplate.java:791)
	at org.apache.fineract.infrastructure.security.service.BasicAuthTenantDetailsServiceJdbc.loadTenantById(BasicAuthTenantDetailsServiceJdbc.java:143)
	at org.apache.fineract.infrastructure.security.filter.TenantAwareBasicAuthenticationFilter.doFilterInternal(TenantAwareBasicAuthenticationFilter.java:121)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
```

The vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter.

Fix: 2 options

1. Add `LIMIT 1` to the query
2. Replace `like` with `=` in the `WHERE` clause

Prefer no. 2 to be more performant.

An `EXPLAIN` on this query shows it is doing a full-table scan on `tenants`. Requires a fix, either:

1. Index on column `identifier`, or
2. Unique constraint on column `identifier`

Prefer no.

```
ALTER TABLE tenants ADD UNIQUE (identifier);
```
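The behaviour described in the comment above, reproduced on an in-memory SQLite copy of the two tables the quoted query touches. This is an added illustration, not Fineract code: the table shapes, the two sample tenants (`default` and `demo`, both of which contain the letter `e`), the `LIMIT 1` variant and the stand-in for Spring's `queryForObject` are all constructed here to show why `LIKE` on the tenant header lets `%` act as a wildcard, why `%e%` produces the "expected 1, actual 2" error, and what each of the two proposed fixes changes.

```python
"""Tenant lookup with LIKE vs. '=' on a constructed copy of the quoted query.

Added example, not project code. Schema and rows below are made up to mirror
the `tenants` / `tenant_server_connections` join quoted in the PR comment.
"""
import sqlite3


class IncorrectResultSizeError(Exception):
    """Stands in for Spring's IncorrectResultSizeDataAccessException."""


def make_db() -> sqlite3.Connection:
    """Constructed schema and sample rows (not real Fineract data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE tenant_server_connections (id INTEGER PRIMARY KEY, host TEXT);
        CREATE TABLE tenants (
            id INTEGER PRIMARY KEY,
            identifier TEXT NOT NULL,
            name TEXT,
            timezone_id TEXT,
            oltp_Id INTEGER
        );
        INSERT INTO tenant_server_connections VALUES (1, 'localhost');
        INSERT INTO tenants VALUES (1, 'default', 'Default Demo Tenant', 'Asia/Kolkata', 1);
        INSERT INTO tenants VALUES (2, 'demo',    'Second Tenant',       'UTC',          1);
        """
    )
    return conn


# Same projection and join as the query quoted in the comment; only the
# comparison operator on t.identifier varies between the variants below.
_SELECT = (
    "SELECT t.id, t.timezone_id AS timezoneId, t.name, t.identifier "
    "FROM tenants t LEFT JOIN tenant_server_connections ts ON t.oltp_Id = ts.id "
    "WHERE t.identifier {op} ?"
)


def rows_like(conn: sqlite3.Connection, tenant_id: str) -> list:
    """As quoted: bound parameter, but LIKE still treats '%' and '_' as wildcards."""
    return conn.execute(_SELECT.format(op="LIKE"), (tenant_id,)).fetchall()


def rows_like_limit1(conn: sqlite3.Connection, tenant_id: str) -> list:
    """Option 1: LIMIT 1 removes the size error but a wildcard still resolves to some tenant."""
    return conn.execute(_SELECT.format(op="LIKE") + " LIMIT 1", (tenant_id,)).fetchall()


def rows_exact(conn: sqlite3.Connection, tenant_id: str) -> list:
    """Option 2: equality, so '%' in the header is an ordinary character and matches nothing."""
    return conn.execute(_SELECT.format(op="="), (tenant_id,)).fetchall()


def query_for_object(rows: list) -> tuple:
    """Emulates JdbcTemplate.queryForObject: exactly one row, otherwise raise."""
    if len(rows) != 1:
        raise IncorrectResultSizeError(f"Incorrect result size: expected 1, actual {len(rows)}")
    return rows[0]


def resolves_single(rows: list) -> bool:
    """True when the lookup yields exactly one tenant, False when it would error out."""
    try:
        query_for_object(rows)
    except IncorrectResultSizeError:
        return False
    return True


def add_unique_identifier(conn: sqlite3.Connection) -> None:
    """SQLite has no ALTER TABLE ... ADD UNIQUE; a unique index gives the same constraint
    and also serves as the index that avoids the full-table scan on `tenants`."""
    conn.execute("CREATE UNIQUE INDEX ux_tenants_identifier ON tenants (identifier)")


def duplicate_rejected(conn: sqlite3.Connection) -> bool:
    """Inserting a second 'default' must fail once the unique constraint is in place."""
    try:
        conn.execute("INSERT INTO tenants VALUES (3, 'default', 'dup', 'UTC', 1)")
    except sqlite3.IntegrityError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("LIKE default% ->", len(rows_like(db, "default%")), "row(s)")
    print("LIKE %e%      ->", len(rows_like(db, "%e%")), "row(s), single:", resolves_single(rows_like(db, "%e%")))
    print("LIMIT 1 %e%   ->", rows_like_limit1(db, "%e%"))
    print("=    %e%      ->", rows_exact(db, "%e%"))
    add_unique_identifier(db)
    print("duplicate identifier rejected:", duplicate_rejected(db))
```

With `LIKE`, the scanner's first probe `default%` matches the one `default` row, so the header is accepted, while `%e%` matches both constructed tenants and trips the exactly-one check, which is the stack trace quoted above. `LIMIT 1` makes the error disappear but a wildcard header still resolves to whichever tenant the engine returns first. With `=`, both `default%` and `%e%` return no rows, so the probe no longer distinguishes itself from a non-existent tenant; the unique index on `identifier` then both enforces the constraint and gives the lookup an index to use instead of the full scan.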
