[
https://issues.apache.org/jira/browse/OODT-927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15302959#comment-15302959
]
ASF GitHub Bot commented on OODT-927:
-------------------------------------
GitHub user lewismc opened a pull request:
https://github.com/apache/oodt/pull/39
OODT-927 Values passed to SQL commands should be sanitized in CAS DataSourceIngestMapper.java
Hi Folks,
This PR
* uses prepared statements for SQL queries
* sanitizes the variable inputs
* implements try-with-resources blocks (introduced in Java 7) for efficiency
* makes commonly used strings static final string constants
* uses @Override explicitly
* adds a wee bit of formatting to core/pom.xml so that Tom's formatting
job is not buggered.
Generally speaking, this cuts down on a lot of code, simplifies things and
makes it more modern across the concerned package.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/lewismc/oodt master
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/oodt/pull/39.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #39
----
commit 1a1cdf1ac8e3dc48187f66923ffd6baa92ced3c3
Author: Lewis John McGibbney <[email protected]>
Date: 2016-05-26T21:25:25Z
OODT-927 Values passed to SQL commands should be sanitized in CAS DataSourceIngestMapper.java
----
> Values passed to SQL commands should be sanitized in CAS DataSourceIngestMapper.java
> ------------------------------------------------------------------------------------
>
> Key: OODT-927
> URL: https://issues.apache.org/jira/browse/OODT-927
> Project: OODT
> Issue Type: Improvement
> Components: catalog
> Affects Versions: 0.12
> Reporter: Lewis John McGibbney
> Assignee: Lewis John McGibbney
> Priority: Critical
> Fix For: 0.13
>
>
> Right now in
> [DataSourceIngestMapper.java|https://github.com/apache/oodt/blob/91d0bafe71124906bd94baad746189caf35fb39c/catalog/src/main/java/org/apache/oodt/cas/catalog/mapping/DataSourceIngestMapper.java]
> values passed to SQL commands are not sanitized. Applications that execute
> SQL commands should neutralize any externally-provided values used in those
> commands. Failure to do so could allow an attacker to include input that
> changes the query so that unintended commands are executed, or sensitive data
> is exposed.
> This issue checks that method parameters are not used directly in
> non-Hibernate SQL statements, and that parameter binding, rather than
> concatenation, is used in Hibernate statements.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
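The issue text above describes the failure mode (an externally supplied value spliced into the SQL text changes the query) and the pull request describes the fix (prepared statements with bound parameters, wrapped in resource-managing blocks). The following is an added example, not code from OODT or from the pull request: it reproduces both the vulnerable concatenation and the bound-parameter form side by side in Python against an in-memory SQLite database, since that runs offline without a JDBC driver. The table name, column names and rows are constructed for the illustration and are not the catalog's real schema; the `with conn:` block is the analogue of the Java try-with-resources that the PR introduces (it commits or rolls back the statement's transaction).

```python
import sqlite3

# Constructed stand-in for the ingest-mapper table; not OODT's real schema.
SCHEMA = """
CREATE TABLE ingest_mapper (
    catalog_service_id TEXT NOT NULL,
    catalog_id         TEXT NOT NULL,
    catalog_receipt_id TEXT NOT NULL
);
"""
ROWS = [
    ("svc-1", "catalogA", "receipt-100"),
    ("svc-2", "catalogB", "receipt-200"),
]

# Constructed attacker-controlled value: a quote that closes the literal,
# followed by a tautology that widens the WHERE clause to every row.
ATTACKER_INPUT = "x' OR '1'='1"


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO ingest_mapper VALUES (?, ?, ?)", ROWS)
    conn.commit()
    return conn


def lookup_receipt_concat(conn, catalog_service_id):
    """VULNERABLE: the caller's value becomes part of the SQL text.

    This is the pattern the issue describes. The database cannot tell where
    the query ends and the data begins, so a crafted value rewrites the query.
    """
    sql = ("SELECT catalog_receipt_id FROM ingest_mapper "
           "WHERE catalog_service_id = '" + catalog_service_id + "'")
    with conn:  # transaction scope, like a try-with-resources block
        return [row[0] for row in conn.execute(sql)]


def lookup_receipt_bound(conn, catalog_service_id):
    """HARDENED: the SQL text is fixed; the value is bound as a parameter.

    The driver sends the value separately from the statement, so quotes and
    keywords in the value are matched literally against the column and can
    never alter the query's structure. This mirrors a JDBC PreparedStatement.
    """
    sql = ("SELECT catalog_receipt_id FROM ingest_mapper "
           "WHERE catalog_service_id = ?")
    with conn:
        return [row[0] for row in conn.execute(sql, (catalog_service_id,))]


if __name__ == "__main__":
    db = make_db()
    print("concat, benign  :", lookup_receipt_concat(db, "svc-1"))
    print("concat, attacker:", lookup_receipt_concat(db, ATTACKER_INPUT))
    print("bound,  benign  :", lookup_receipt_bound(db, "svc-1"))
    print("bound,  attacker:", lookup_receipt_bound(db, ATTACKER_INPUT))
    db.close()
```

With the benign value both functions return the single matching receipt. With the crafted value the concatenated query becomes `WHERE catalog_service_id = 'x' OR '1'='1'` and leaks every receipt in the table, while the bound query looks for a service id literally equal to the attacker's string and returns nothing. That is the behavioural check a reviewer would want when verifying the pull request's switch to prepared statements.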