[ https://issues.apache.org/jira/browse/OOZIE-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15331628#comment-15331628 ]
Peter Bacsko commented on OOZIE-2362: ------------------------------------- I assigned this to myself. I'm soon going to provide a patch where the query is generated with named parameters. > SQL injection in BulkJPAExecutor > -------------------------------- > > Key: OOZIE-2362 > URL: https://issues.apache.org/jira/browse/OOZIE-2362 > Project: Oozie > Issue Type: Bug > Components: core, security > Affects Versions: 4.2.0 > Reporter: thierry accart > Assignee: Peter Bacsko > Priority: Critical > Labels: patch > Fix For: trunk > > Attachments: 0001-OOZIE-2362-SQL-injection-in-BulkJPAExecutor.patch > > > In method inClause of org.apache.oozie.executor.jpa.BulkJPAExecutor there is > a poosibility for SQL injection > (https://www.owasp.org/index.php/SQL_injection) : there is no validation of > content of string name before it's included in sql script, opening a > possibility for a malicious user to inject sql commands. > A simple validation of strings using .matches(...) would fix problem. -- This message was sent by Atlassian JIRA (v6.3.4#6332)