[
https://issues.apache.org/jira/browse/OODT-927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15308931#comment-15308931
]
ASF GitHub Bot commented on OODT-927:
-------------------------------------
Github user lewismc commented on the pull request:
https://github.com/apache/oodt/pull/39
Any comments folks?
> Values passed to SQL commands should be sanitized in CAS
> DataSourceIngestMapper.java
> ------------------------------------------------------------------------------------
>
> Key: OODT-927
> URL: https://issues.apache.org/jira/browse/OODT-927
> Project: OODT
> Issue Type: Improvement
> Components: catalog
> Affects Versions: 0.12
> Reporter: Lewis John McGibbney
> Assignee: Lewis John McGibbney
> Priority: Critical
> Fix For: 0.13
>
>
> Right now in
> [DataSourceIngestMapper.java|https://github.com/apache/oodt/blob/91d0bafe71124906bd94baad746189caf35fb39c/catalog/src/main/java/org/apache/oodt/cas/catalog/mapping/DataSourceIngestMapper.java]
> values passed to SQL commands are not sanitized. Applications that execute
> SQL commands should neutralize any externally-provided values used in those
> commands. Failure to do so could allow an attacker to include input that
> changes the query so that unintended commands are executed, or sensitive data
> is exposed.
> This issue checks that method parameters are not used directly in
> non-Hibernate SQL statements, and that parameter binding, rather than
> concatenation is used in Hibernate statements.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
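The injection the issue description warns about, and the parameter binding it asks for, side by side. This is an added example and not code from OODT or the pull request; it is written in Python against an in-memory SQLite table rather than the project's Java/JDBC code, because it runs offline, and the table schema (`ingest` with `product_id`, `product_name`, `owner`) is a constructed stand-in for the catalog tables, not OODT's real schema. The same split applies to JDBC: `Statement` with a concatenated string versus `PreparedStatement` with `?` placeholders.

```python
import sqlite3

# Constructed sample data standing in for a CAS catalog ingest table.
# The schema is hypothetical; it is not OODT's.
SAMPLE_ROWS = [
    ("p-1", "granule-A", "alice"),
    ("p-2", "granule-B", "bob"),
    ("p-3", "granule-C", "alice"),
]

# Identifiers (table and column names) cannot be bound as parameters, so a
# caller-supplied sort column has to be checked against a fixed allow-list.
SORTABLE_COLUMNS = {"product_id", "product_name", "owner"}


def make_db():
    """Build an in-memory SQLite database populated with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ingest ("
        "id INTEGER PRIMARY KEY, product_id TEXT, product_name TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO ingest (product_id, product_name, owner) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def find_by_name_concat(conn, name):
    """Vulnerable: the caller's value is spliced into the SQL text.

    A value such as  ' OR '1'='1  closes the literal and adds a predicate
    that matches every row, which is exactly the query rewrite the issue
    describes.
    """
    sql = "SELECT product_id FROM ingest WHERE product_name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_bound(conn, name):
    """Hardened: the value is bound to a placeholder and never parsed as SQL.

    The same payload is compared as a plain string against product_name and
    matches nothing.
    """
    sql = "SELECT product_id FROM ingest WHERE product_name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def list_sorted(conn, order_by):
    """Dynamic ORDER BY column, validated against SORTABLE_COLUMNS.

    Binding does not cover identifiers, so the only safe way to let a caller
    choose the column is to reject anything outside a fixed set before it is
    interpolated into the statement.
    """
    if order_by not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column: %r" % (order_by,))
    sql = "SELECT product_id FROM ingest ORDER BY " + order_by
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("concatenated:", find_by_name_concat(db, payload))  # every product leaks
    print("bound:       ", find_by_name_bound(db, payload))   # nothing matches
    print("sorted:      ", list_sorted(db, "product_name"))
```

Binding is the fix for values; for table and column names that come from the caller, the allow-list in `list_sorted` is the pattern to use, since no SQL driver will bind an identifier.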