[jira] [Commented] (OOZIE-2362) SQL injection in BulkJPAExecutor

Hadoop QA (JIRA) Mon, 14 Dec 2015 21:54:06 -0800

    [ 
https://issues.apache.org/jira/browse/OOZIE-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15057397#comment-15057397
 ]


Hadoop QA commented on OOZIE-2362:
----------------------------------

Testing JIRA OOZIE-2362

Cleaning local git workspace

----------------------------

{color:red}-1{color} Patch failed to apply to head of branch

----------------------------

> SQL injection in BulkJPAExecutor
> --------------------------------
>
>                 Key: OOZIE-2362
>                 URL: https://issues.apache.org/jira/browse/OOZIE-2362
>             Project: Oozie
>          Issue Type: Bug
>          Components: core, security
>    Affects Versions: 4.2.0
>            Reporter: thierry accart
>            Priority: Critical
>              Labels: patch
>             Fix For: trunk
>
>         Attachments: 0001-OOZIE-2362-SQL-injection-in-BulkJPAExecutor.patch
>
>
> In method inClause of org.apache.oozie.executor.jpa.BulkJPAExecutor there is 
> a poosibility for SQL injection 
> (https://www.owasp.org/index.php/SQL_injection) : there is no validation of 
> content of string name before it's included in sql script, opening a 
> possibility for a malicious user to inject sql commands.
> A simple validation of strings using .matches(...) would fix problem.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (OOZIE-2362) SQL injection in BulkJPAExecutor

Reply via email to