Hi Micheal,

> So the work that Manthan will be doing in https://issues.apache.org/jira/browse/FINERACT-854 hopefully will help to avoid that future Fineract developers craft queries by String concatenation, and address the possible SQL injection security vulnerability - in a pragmatic way that normally we are able to easily achieve really soon (next 2-3 weeks already, I'm hoping).

This is good!

> What you are suggesting re. https://github.com/speedment/speedment looks "interesting" purely from a technical framework PoV, but probably isn't "required" for security (after FINERACT-854), but is more of a general new approach / framework? But you don't have to ask if you can open JIRA tickets, it's OK to just go ahead and create tickets. But it does of course raise the question of what the value of adding yet another framework and way of doing SQL queries in Fineract is... if you are interested in innovating in this space, nobody should be able to stop you, it's open source! If you asked me if I thought adding a new query framework was a top priority for the project, my answer probably would be some polite variation of "not so sure"... ;-) Hope this helps? Again, I think this isn't really related to pentesting in FINERACT-969.

Yes. It is not related. It was in the middle of the discussion, I will concentrate on zap proxy.

>> I have started using Java Streams, most of the read is happening over the sql native calls because of complex relationship defined.
>>
>> Speedment streams are nice.
>>
>>>> FYI we have a GSoC student who is going to work on https://issues.apache.org/jira/browse/FINERACT-854 and https://issues.apache.org/jira/browse/FINERACT-853. I would expect that certain of the issues your work on FINERACT-969 will uncover will be fixed by FINERACT-854.
>>>>
>>>> If I were you, I would not wait for that work to complete, but instead go ahead, create JIRA bugs for everything you identify (best as sub-tasks under FINERACT-962, perhaps?) - and then later help us verify that the FINERACT-854 work actually fixed (some.. and which) of what you'll find. Makes sense?
>>>>
>>> Yes, glad to help
>>>
>> I will await after FINERACT-853.

BR, Giorgio.
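The concatenation-versus-parameters point raised in the quoted reply above, as an added example that is not part of this thread and not Fineract code: it uses Python's sqlite3 as a stand-in for JDBC, a constructed `client` table (the name is hypothetical, nothing is assumed about Fineract's schema), and a crude regex heuristic, also an assumption, for spotting SQL built by string concatenation in Java source. The first query function pastes the caller's input into the SQL text; the second passes it as a bound parameter, which is the shape FINERACT-854-style work aims to make the default.

```python
"""Added example (not Fineract's code): string-concatenated SQL versus a
parameterized query, plus a heuristic check for concatenated SQL in Java.
Everything here (table, rows, sample Java lines) is constructed for the demo."""
import re
import sqlite3


def demo_db():
    # Constructed in-memory table; the schema is hypothetical.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE client (id INTEGER PRIMARY KEY, display_name TEXT, office_id INTEGER)"
    )
    conn.executemany(
        "INSERT INTO client VALUES (?, ?, ?)",
        [(1, "Alice", 1), (2, "Bob", 2), (3, "Carol", 1)],
    )
    return conn


def find_clients_concat(conn, office_id, name):
    # Vulnerable form: caller-controlled `name` becomes part of the SQL text.
    # Any quote in `name` changes the statement's structure.
    sql = (
        "SELECT id FROM client WHERE office_id = " + str(office_id)
        + " AND display_name = '" + name + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def find_clients_param(conn, office_id, name):
    # Hardened form: the SQL text is constant; values travel as bound
    # parameters, so `name` is compared literally, quotes and all.
    sql = "SELECT id FROM client WHERE office_id = ? AND display_name = ?"
    return [row[0] for row in conn.execute(sql, (office_id, name))]


def query_error(fn, conn, office_id, name):
    """Return the sqlite3 error class name if the query raises, else None.
    Used to show that the concatenated form breaks on ordinary data."""
    try:
        fn(conn, office_id, name)
        return None
    except sqlite3.Error as exc:
        return type(exc).__name__


# Heuristic lint (an assumption, not a Fineract tool): a Java string literal
# that opens with a SQL keyword and is immediately followed by `+`.
SQL_CONCAT = re.compile(r'"\s*(select|insert|update|delete)\b[^"]*"\s*\+', re.IGNORECASE)

# Constructed Java lines; the first builds SQL by concatenation, the second binds a parameter.
JAVA_SAMPLE = """\
String sql = "select * from client where id = " + clientId;
jdbcTemplate.query("select * from client where id = ?", mapper, clientId);
"""


def flag_concatenated_sql(java_source):
    """Return 1-based line numbers where SQL appears to be built by concatenation."""
    return [
        n for n, line in enumerate(java_source.splitlines(), 1) if SQL_CONCAT.search(line)
    ]


if __name__ == "__main__":
    db = demo_db()
    crafted = "x' OR '1'='1"  # input that rewrites the WHERE clause when concatenated
    print("concat, crafted input  :", find_clients_concat(db, 1, crafted))   # every office
    print("param,  crafted input  :", find_clients_param(db, 1, crafted))    # no match
    print("concat, name O'Brien   :", query_error(find_clients_concat, db, 1, "O'Brien"))
    print("param,  name O'Brien   :", query_error(find_clients_param, db, 1, "O'Brien"))
    print("flagged Java lines     :", flag_concatenated_sql(JAVA_SAMPLE))
```

The apostrophe case is worth keeping alongside the crafted input: a concatenated query fails on a perfectly legitimate name, so the parameterized form is the correctness fix as well as the security fix, and the lint line numbers are the kind of thing a JIRA sub-task under FINERACT-962 could enumerate per file.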
