[ https://issues.apache.org/jira/browse/OODT-927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15309098#comment-15309098 ]

ASF GitHub Bot commented on OODT-927:
-------------------------------------

Github user chrismattmann commented on the pull request:

    https://github.com/apache/oodt/pull/39

    +1 to merge @lewismc


> Values passed to SQL commands should be sanitized in CAS DataSourceIngestMapper.java
> ------------------------------------------------------------------------------------
>
>                 Key: OODT-927
>                 URL: https://issues.apache.org/jira/browse/OODT-927
>             Project: OODT
>          Issue Type: Improvement
>          Components: catalog
>    Affects Versions: 0.12
>            Reporter: Lewis John McGibbney
>            Assignee: Lewis John McGibbney
>            Priority: Critical
>             Fix For: 0.13
>
>
> Right now in [DataSourceIngestMapper.java|https://github.com/apache/oodt/blob/91d0bafe71124906bd94baad746189caf35fb39c/catalog/src/main/java/org/apache/oodt/cas/catalog/mapping/DataSourceIngestMapper.java] values passed to SQL commands are not sanitized. Applications that execute SQL commands should neutralize any externally-provided values used in those commands. Failure to do so could allow an attacker to include input that changes the query so that unintended commands are executed, or sensitive data is exposed.
> This issue checks that method parameters are not used directly in non-Hibernate SQL statements, and that parameter binding, rather than concatenation, is used in Hibernate statements.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
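The issue above contrasts string concatenation with parameter binding. The following is an added illustration written for this page, not code from Apache OODT or from the linked pull request: a JDBC lookup written both ways, so the difference the issue asks the fix to enforce is visible side by side. The table name `CAS_INGEST_MAPPING`, the columns `CATALOG_ID` and `PRODUCT_NAME`, and the class name are assumptions; the real mapper's schema is not shown on the issue page.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added example (not OODT code): the same catalog-id lookup with the value
 * concatenated into the SQL text versus bound as a statement parameter.
 * Table and column names are assumptions made for this example.
 */
public final class IngestMapperQueryExample {

    private static final String TABLE = "CAS_INGEST_MAPPING"; // assumed

    /**
     * Builds the SQL text the "before" form would send. Kept separate so it can
     * be inspected without a database: any single quote in productName (even
     * a benign value such as O'Brien) becomes part of the statement grammar,
     * which is exactly the flaw the issue describes.
     */
    public static String buildUnsafeSql(String productName) {
        return "SELECT CATALOG_ID FROM " + TABLE
                + " WHERE PRODUCT_NAME = '" + productName + "'";
    }

    /** Vulnerable form: externally supplied text is executed as part of the query. */
    public static String lookupCatalogIdUnsafe(Connection conn, String productName)
            throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(buildUnsafeSql(productName))) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    /**
     * Hardened form: the SQL text is fixed, and the driver sends the value
     * separately as a bound parameter, so it can never be parsed as SQL.
     */
    public static String lookupCatalogIdSafe(Connection conn, String productName)
            throws SQLException {
        String sql = "SELECT CATALOG_ID FROM " + TABLE + " WHERE PRODUCT_NAME = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, productName);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    /**
     * Usage: java IngestMapperQueryExample <jdbc-url> <product-name>
     * Assumes a JDBC driver for the given URL is on the classpath.
     */
    public static void main(String[] args) throws SQLException {
        if (args.length != 2) {
            System.err.println("usage: IngestMapperQueryExample <jdbc-url> <product-name>");
            return;
        }
        // Show what the concatenated form would have sent, then run the bound form.
        System.out.println("concatenated text: " + buildUnsafeSql(args[1]));
        try (Connection conn = DriverManager.getConnection(args[0])) {
            System.out.println("catalog id: " + lookupCatalogIdSafe(conn, args[1]));
        }
    }
}
```

The review check the issue describes amounts to looking for the first shape (a `Statement` fed a string built from a method parameter) and replacing it with the second (`PreparedStatement` plus `setString`/`setInt`). In Hibernate code the equivalent is a named or positional placeholder in the HQL string filled through `Query.setParameter`, rather than concatenating the value into the HQL.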