[ https://issues.apache.org/jira/browse/OLINGO-702?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Prashanth updated OLINGO-702:
-----------------------------
Summary: SQL Injection - Not validating 1=1 in filter query (was: SQL Injection - Not validating 1=1 in URI)
> SQL Injection - Not validating 1=1 in filter query
> --------------------------------------------------
>
> Key: OLINGO-702
> URL: https://issues.apache.org/jira/browse/OLINGO-702
> Project: Olingo
> Issue Type: Bug
> Components: odata2-core, odata4-server
> Reporter: Prashanth
> Labels: filter
>
> I am trying to make a request with the following filter query option in the
> URI:
> http://host:8080/odata/odata.svc/Employees?$filter = Id eq 9000 or 1 eq 1
> The above request is giving all the entities (employee details), but Olingo
> needs to reject this as it includes 1 eq 1.
> Following is my perception. Please correct me if I am wrong in any way:
> Whenever the request URI includes the filter query option, Olingo validates the
> filter expression. While validating the filter query, it is checking the
> data type of the values, i.e. in the above case, 9000 is the value for the
> property "Id". But if the left side operand is a literal, it should reject it,
> but it is failing to do so.
> What I am thinking here is that Olingo should reject the request if the
> left side operand is a literal and not a valid property name.
--
This message was sent by Atlassian JIRA (v6.3.4#6332)
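The rule the reporter proposes, as an added example written for this page and not Olingo's own code: a small validator that tokenizes an OData $filter expression and flags any comparison whose left operand is a literal or is not a property of the entity set. The property set and the tokenizer are assumptions; function calls and navigation paths are out of scope.

```python
import re
from typing import List, Set, Tuple

# Constructed property set for the Employees entity set (an assumption for this
# example; a real service would take it from the entity type's metadata).
EMPLOYEE_PROPERTIES = {"Id", "Name", "Age"}

# OData comparison operators that take a left and a right operand.
COMPARISON_OPS = {"eq", "ne", "gt", "ge", "lt", "le"}

# Tokenizer for a simplified $filter grammar: quoted strings ('' escapes a
# quote), numbers, identifiers/keywords, and parentheses. Function calls and
# navigation paths such as Dept/Name are deliberately not handled.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|[A-Za-z_]\w*|[()]")

def tokenize(filter_expr: str) -> List[str]:
    return TOKEN_RE.findall(filter_expr)

def is_literal(token: str) -> bool:
    """True for string, numeric, boolean and null literals."""
    return token.startswith("'") or token[0].isdigit() or token in {"true", "false", "null"}

def find_invalid_left_operands(filter_expr: str, properties: Set[str]) -> List[Tuple[str, str, str]]:
    """Return every comparison whose left operand is not a property of the entity.

    `1 eq 1` is flagged because `1` is a literal; `Foo eq 1` is flagged because
    `Foo` is not a known property of the entity set.
    """
    tokens = tokenize(filter_expr)
    flagged = []
    for i, tok in enumerate(tokens):
        if tok in COMPARISON_OPS and 0 < i < len(tokens) - 1:
            left, right = tokens[i - 1], tokens[i + 1]
            if is_literal(left) or left not in properties:
                flagged.append((left, tok, right))
    return flagged

def validate_filter(filter_expr: str, properties: Set[str]) -> bool:
    """Accept the filter, or raise ValueError naming the first offending comparison."""
    flagged = find_invalid_left_operands(filter_expr, properties)
    if flagged:
        left, op, right = flagged[0]
        raise ValueError(f"left operand of '{left} {op} {right}' is not a property")
    return True

if __name__ == "__main__":
    # The request from the report is accepted today and rejected under this rule.
    for expr in ("Id eq 9000", "Id eq 9000 or 1 eq 1"):
        try:
            validate_filter(expr, EMPLOYEE_PROPERTIES)
            print(f"accepted: {expr}")
        except ValueError as err:
            print(f"rejected: {expr} ({err})")
```

A comparison with a property on both sides, such as `Id eq Id`, still passes, because the proposed rule only inspects the left operand.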