Lewis John McGibbney created OODT-927:
-----------------------------------------
Summary: Values passed to SQL commands should be sanitized in CAS DataSourceIngestMapper.java
Key: OODT-927
URL: https://issues.apache.org/jira/browse/OODT-927
Project: OODT
Issue Type: Improvement
Components: catalog
Affects Versions: 0.12
Reporter: Lewis John McGibbney
Assignee: Lewis John McGibbney
Priority: Critical
Fix For: 0.13
Right now in
[DataSourceIngestMapper.java|https://github.com/apache/oodt/blob/91d0bafe71124906bd94baad746189caf35fb39c/catalog/src/main/java/org/apache/oodt/cas/catalog/mapping/DataSourceIngestMapper.java]
values passed to SQL commands are not sanitized. Applications that execute
SQL commands should neutralize any externally-provided values used in those
commands. Failure to do so could allow an attacker to include input that
changes the query so that unintended commands are executed, or sensitive data
is exposed.
This issue checks that method parameters are not used directly in non-Hibernate
SQL statements, and that parameter binding, rather than concatenation, is used
in Hibernate statements.
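As an added illustration (not code from the OODT project or from this issue), the concatenated pattern the issue describes next to the JDBC and Hibernate parameter-binding forms it asks for; the table, column, entity and method names are assumptions, and the `Connection`/`Session` are assumed to be obtained elsewhere.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import org.hibernate.Session;

// Hypothetical mapper helper contrasting string concatenation with parameter
// binding. Table, column and entity names are assumptions, not OODT's schema.
public class IngestMapperExample {

    // Unsafe: the caller-supplied value becomes part of the SQL text. A single
    // quote inside it ends the literal early and whatever follows is parsed as
    // SQL, so the query the database runs is no longer the one written here.
    static String vulnerableQuery(String transactionId) {
        return "SELECT ingest_id FROM ingest_mapping WHERE transaction_id = '"
                + transactionId + "'";
    }

    // Safe (JDBC): the SQL text is fixed at compile time and the value is sent
    // as a bound parameter, which the driver treats purely as data.
    static String lookupIngestId(Connection conn, String transactionId)
            throws SQLException {
        String sql = "SELECT ingest_id FROM ingest_mapping WHERE transaction_id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, transactionId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("ingest_id") : null;
            }
        }
    }

    // Safe (Hibernate): same rule for HQL. Bind a named parameter instead of
    // building the HQL string from the argument.
    static String lookupIngestIdHql(Session session, String transactionId) {
        return (String) session
                .createQuery("select m.ingestId from IngestMapping m"
                        + " where m.transactionId = :tid")
                .setParameter("tid", transactionId)
                .uniqueResult();
    }
}
```

A review check for this class of issue is to grep the mapper for `+` inside string literals containing `SELECT`, `INSERT`, `UPDATE` or `DELETE`, and for `createQuery`/`createSQLQuery` calls whose argument is not a constant.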
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)