[
https://issues.apache.org/jira/browse/OOZIE-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15123439#comment-15123439
]
thierry accart commented on OOZIE-2362:
---------------------------------------
IMHO, the correct fix shall not build a SQL query based on parameters: the
patch is a quick fix.
To make something correct, code shall never build a SQL query but should check
parameters, reject any request with incorrect parameters, or, if all parameters
are correct, use prepared statements (for example).
> SQL injection in BulkJPAExecutor
> --------------------------------
>
> Key: OOZIE-2362
> URL: https://issues.apache.org/jira/browse/OOZIE-2362
> Project: Oozie
> Issue Type: Bug
> Components: core, security
> Affects Versions: 4.2.0
> Reporter: thierry accart
> Priority: Critical
> Labels: patch
> Fix For: trunk
>
> Attachments: 0001-OOZIE-2362-SQL-injection-in-BulkJPAExecutor.patch
>
>
> In method inClause of org.apache.oozie.executor.jpa.BulkJPAExecutor there is
> a possibility for SQL injection
> (https://www.owasp.org/index.php/SQL_injection): there is no validation of
> the content of the string name before it's included in the SQL script, opening a
> possibility for a malicious user to inject SQL commands.
> A simple validation of strings using .matches(...) would fix the problem.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
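The two remedies named in this thread, a whitelist check on the names (the `.matches(...)` idea from the report) and a parameterized IN clause (the comment's prepared statements), shown side by side as an added example. This is not Oozie's code, not the attached patch, and not JPA: Python's `sqlite3` stands in for the JPA query, and the `jobs` table, the sample rows and the `NAME_PATTERN` whitelist are constructed assumptions for the demonstration.

```python
import re
import sqlite3

# Constructed sample rows standing in for job records; not Oozie's schema.
SAMPLE_JOBS = [("wf-1", "SUCCEEDED"), ("wf-2", "RUNNING"), ("wf-3", "KILLED")]

# Whitelist for the "name" values, in the spirit of the .matches(...) check the
# report suggests. The pattern itself is an assumption, not Oozie's rule.
NAME_PATTERN = re.compile(r"^[A-Za-z0-9_\-]+$")


def validate_names(names):
    """True only if every name matches the whitelist; anything else is rejected."""
    return all(NAME_PATTERN.fullmatch(n) is not None for n in names)


def unsafe_in_clause(column, names):
    """The anti-pattern under discussion: SQL text assembled from caller strings.

    A quote inside a name becomes part of the SQL, so the query text no longer
    matches the caller's intent. Shown only to contrast with safe_in_clause.
    """
    joined = ", ".join("'" + n + "'" for n in names)
    return f"{column} IN ({joined})"


def safe_in_clause(column, names):
    """Parameterized IN clause: one '?' per value, values bound separately.

    Returns (sql_fragment, params). The fragment contains only the column name
    and placeholders; the values never touch the SQL text.
    """
    if not names:
        raise ValueError("IN clause needs at least one value")
    placeholders = ", ".join("?" for _ in names)
    return f"{column} IN ({placeholders})", list(names)


def open_sample_db():
    """In-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (name TEXT, status TEXT)")
    conn.executemany("INSERT INTO jobs VALUES (?, ?)", SAMPLE_JOBS)
    return conn


def find_jobs_bound_only(conn, names):
    """Binding alone: a hostile name is compared as a literal and matches nothing."""
    clause, params = safe_in_clause("name", names)
    sql = f"SELECT name, status FROM jobs WHERE {clause} ORDER BY name"
    return conn.execute(sql, params).fetchall()


def find_jobs(conn, names):
    """Both layers, as the comment recommends: reject bad input, then bind."""
    if not validate_names(names):
        raise ValueError("rejected: a name contains characters outside the whitelist")
    return find_jobs_bound_only(conn, names)


if __name__ == "__main__":
    db = open_sample_db()
    print(find_jobs(db, ["wf-1", "wf-3"]))
    print(unsafe_in_clause("name", ["wf-1' --"]))   # quote leaks into the SQL text
    print(safe_in_clause("name", ["wf-1' --"]))     # quote stays in the bound value
```

The validation step is what lets the service reject a request outright, as the comment asks, rather than silently returning nothing; the bound parameters are what guarantee that even a value that slips past validation is treated as data, not as SQL.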