[ https://issues.apache.org/jira/browse/OLINGO-702?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14588174#comment-14588174 ]

Ramesh Reddy commented on OLINGO-702:
-------------------------------------

IMO, it is mainly the service developer's responsibility to have such validations 
and reject the queries, rather than it being done at the framework level. BTW, this 
could be a valid query, and one could also write it using an alias:
{code}
http://host:8080/odata/odata.svc/Employees?$filter = Id eq 9000 or 1 eq @p1?p1=1
{code}

> SQL Injection - Not validating 1=1 in filter query
> --------------------------------------------------
>
>                 Key: OLINGO-702
>                 URL: https://issues.apache.org/jira/browse/OLINGO-702
>             Project: Olingo
>          Issue Type: Bug
>          Components: odata2-core, odata4-server
>            Reporter: Prashanth
>            Assignee: Christian Amend
>              Labels: filter
>
> I am trying to make a request with the following filter query option in the 
> URI:
> http://host:8080/odata/odata.svc/Employees?$filter = Id eq 9000 or 1 eq 1
> The above request is giving all the entities (employee details), but Olingo 
> needs to reject this as it includes 1 eq 1.
> The following is my perception. Please correct me if I am wrong in any way:
> Whenever the request URI includes a filter query option, Olingo validates the 
> filter expression. While validating the filter query, it checks the data type 
> of the values, i.e. in the above case, 9000 is the value for the property 
> "Id". But if the left side operand is a literal, it should reject it, but it 
> is failing to do so.
> What I am thinking here is that Olingo should reject the request if the left 
> side operand is a literal and not a valid property name.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
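To show what "the service developer's responsibility" in the comment above looks like in practice, here is an added example that is not Olingo's code (it is written in Python rather than against Olingo's Java expression visitor API): a small parser for a subset of the `$filter` grammar that emits a parameterised SQL WHERE clause. Property names are checked against an allow-list (`COLUMNS`, an assumed property-to-column mapping), every literal becomes a bound parameter, and an optional `strict` flag implements the rule the reporter proposes (reject a comparison with no property on either side). The `Employees` rows are constructed sample data.

```python
"""Translate a subset of the OData $filter grammar into a parameterised SQL WHERE
clause.  Illustration added for this thread, not Olingo's own code."""
import re
import sqlite3

_TOKEN = re.compile(r"\s*(?:(?P<punct>[()])|'(?P<str>(?:[^']|'')*)'"
                    r"|(?P<int>-?\d+)|(?P<ident>[A-Za-z_]\w*))")
_CMP = {"eq": "=", "ne": "<>", "gt": ">", "ge": ">=", "lt": "<", "le": "<="}

class FilterError(ValueError):
    """Syntax error, unknown property, or a comparison rejected by policy."""

def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise FilterError(f"unexpected input at offset {pos}")
        pos, kind = m.end(), m.lastgroup
        value = m.group(kind)
        if kind == "int":
            tokens.append(("lit", int(value)))
        elif kind == "str":
            tokens.append(("lit", value.replace("''", "'")))  # OData escapes ' as ''
        else:
            tokens.append((kind, value))
    return tokens

class _Parser:
    """Recursive descent: or -> and -> ( or ) | comparison."""
    def __init__(self, tokens, columns, strict):
        self.toks, self.i, self.columns, self.strict = tokens, 0, columns, strict
        self.params = []  # bound parameters, in placeholder order

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self):
        self.i += 1
        return self.toks[self.i - 1] if self.i <= len(self.toks) else (None, None)

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == ("ident", "or"):
            self.take()
            left = f"({left} OR {self.parse_and()})"
        return left

    def parse_and(self):
        left = self.parse_primary()
        while self.peek() == ("ident", "and"):
            self.take()
            left = f"({left} AND {self.parse_primary()})"
        return left

    def parse_primary(self):
        if self.peek() == ("punct", "("):
            self.take()
            inner = self.parse_or()
            if self.take() != ("punct", ")"):
                raise FilterError("missing ')'")
            return inner
        lhs, lhs_is_prop = self.parse_operand()
        kind, op = self.take()
        if kind != "ident" or op not in _CMP:
            raise FilterError(f"expected comparison operator, got {op!r}")
        rhs, rhs_is_prop = self.parse_operand()
        if self.strict and not (lhs_is_prop or rhs_is_prop):
            raise FilterError("comparison between two literals rejected")  # reporter's rule
        return f"{lhs} {_CMP[op]} {rhs}"

    def parse_operand(self):
        kind, value = self.take()
        if kind == "lit":
            self.params.append(value)  # the literal never enters the SQL text
            return "?", False
        if kind == "ident" and value in self.columns:  # allow-list of known properties
            return self.columns[value], True
        raise FilterError(f"expected property or literal, got {value!r}")

def translate(filter_text, columns, strict=False):
    """Return ("WHERE ...", params); strict=True applies the reporter's literal rule."""
    p = _Parser(tokenize(filter_text), columns, strict)
    sql = p.parse_or()
    if p.peek() != (None, None):
        raise FilterError("trailing input after expression")
    return "WHERE " + sql, tuple(p.params)

# Constructed sample service: property -> column map and a tiny Employees table.
COLUMNS = {"Id": "employee_id", "Name": "name"}
SAMPLE_ROWS = [(9000, "Ada"), (9001, "Grace"), (9002, "O'Brien")]

def query_employees(filter_text, strict=False):
    """Run the translated filter against an in-memory SQLite copy of SAMPLE_ROWS."""
    where, params = translate(filter_text, COLUMNS, strict)
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employees (employee_id INTEGER, name TEXT)")
    con.executemany("INSERT INTO employees VALUES (?, ?)", SAMPLE_ROWS)
    return [r[0] for r in con.execute(
        f"SELECT employee_id FROM employees {where} ORDER BY employee_id", params)]
```

With the thread's own filter, `translate` yields `WHERE (employee_id = ? OR ? = ?)` with parameters `(9000, 1, 1)`: the `1 eq 1` tautology is still true, so every row comes back, but the literals travel to the driver as data rather than SQL text, so no injection is possible; a string literal such as `'O''Brien'` is likewise bound, not spliced. Whether a caller may list all employees is an authorization decision for the service, which is the point of the comment above. `strict=True` shows how a service that wants the reporter's rule can enforce it itself; note that this example's tokenizer does not resolve `@p1` aliases, so a real service would substitute alias values before translating.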