thesmallstar commented on pull request #1671: URL: https://github.com/apache/fineract/pull/1671#issuecomment-814498180
> ```
> SELECT
>   t.id,
>   t.timezone_id AS timezoneId,
>   t.name,
>   t.identifier
> FROM tenants t
> LEFT JOIN tenant_server_connections ts ON t.oltp_Id = ts.id
> WHERE t.identifier LIKE '%e%';
> ```
>
> Followed by application error in tomcat logs ..
>
> ```
> org.springframework.dao.IncorrectResultSizeDataAccessException: Incorrect result size: expected 1, actual 2
>     at org.springframework.dao.support.DataAccessUtils.nullableSingleResult(DataAccessUtils.java:100)
>     at org.springframework.jdbc.core.JdbcTemplate.queryForObject(JdbcTemplate.java:791)
>     at org.apache.fineract.infrastructure.security.service.BasicAuthTenantDetailsServiceJdbc.loadTenantById(BasicAuthTenantDetailsServiceJdbc.java:143)
>     at org.apache.fineract.infrastructure.security.filter.TenantAwareBasicAuthenticationFilter.doFilterInternal(TenantAwareBasicAuthenticationFilter.java:121)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
> ```
>
> The vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter.
>
> Fix:
> 2 options
>
> 1. Add `LIMIT 1` to the query
> 2. Replace `like` with `=` in the `WHERE` clause
>
> prefer no. 2 to be more performant

Yes, here it makes sense to have `=`. I am not able to understand why `like` was added in the first place; do you see any possible use-case we are breaking here?

> An explain on this query shows it is doing full-table scan on `tenants`.
> Requires fix either
>
> 1. Index on column `identifier` or
> 2. Unique constraint on column `identifier`
>
> prefer no. `ALTER TABLE tenants ADD UNIQUE (identifier);`

Wow this was a nice find!

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at: [email protected]
