[jira] [Commented] (OOZIE-2362) SQL injection in BulkJPAExecutor

Peter Bacsko (JIRA) Wed, 15 Jun 2016 09:06:43 -0700

    [ 
https://issues.apache.org/jira/browse/OOZIE-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15331966#comment-15331966
 ]


Peter Bacsko commented on OOZIE-2362:
-------------------------------------

Examples:

{code}
*** Action query: SELECT a.id, a.actionNumber, a.errorCode, a.errorMessage, 
a.externalId, a.externalStatus, a.statusStr, a.createdTimestamp, 
a.nominalTimestamp, a.missingDependencies, c.id, c.appName, c.statusStr FROM 
CoordinatorActionBean a, CoordinatorJobBean c WHERE a.jobId = c.id AND 
c.bundleId = :bundleId AND a.nominalTimestamp <= :endNominal AND 
a.nominalTimestamp >= :startNominal AND a.createdTimestamp <= :endCreated AND 
a.createdTimestamp >= :startCreated AND a.statusStr IN ('FAILED','KILLED')  
ORDER BY a.jobId, a.createdTimestamp
*** Count query: SELECT COUNT(a) FROM CoordinatorActionBean a, 
CoordinatorJobBean c WHERE a.jobId = c.id  AND c.bundleId IN 
('0000000-160615161217850-oozie-pbac-B')  AND a.nominalTimestamp <= :endNominal 
AND a.nominalTimestamp >= :startNominal AND a.createdTimestamp <= :endCreated 
AND a.createdTimestamp >= :startCreated AND a.statusStr IN ('FAILED','KILLED')  
{code}

vs

{code}
*** Action query: SELECT a.id, a.actionNumber, a.errorCode, a.errorMessage, 
a.externalId, a.externalStatus, a.statusStr, a.createdTimestamp, 
a.nominalTimestamp, a.missingDependencies, c.id, c.appName, c.statusStr FROM 
CoordinatorActionBean a, CoordinatorJobBean c WHERE a.jobId = c.id AND 
c.bundleId = :bundleId AND c.appName IN (:param0, :param1)  AND a.statusStr IN 
(:status0)  ORDER BY a.jobId, a.createdTimestamp
*** count query: SELECT COUNT(a) FROM CoordinatorActionBean a, 
CoordinatorJobBean c WHERE a.jobId = c.id  AND c.bundleId IN (:count0)  AND 
c.appName IN (:param0, :param1)  AND a.statusStr IN (:status0)  
Param set - count0: 0000000-160615160306739-oozie-pbac-B
Param set - status0: KILLED
Param set - param0: Coord1
Param set - param1: Coord2
{code}

> SQL injection in BulkJPAExecutor
> --------------------------------
>
>                 Key: OOZIE-2362
>                 URL: https://issues.apache.org/jira/browse/OOZIE-2362
>             Project: Oozie
>          Issue Type: Bug
>          Components: core, security
>    Affects Versions: 4.2.0
>            Reporter: thierry accart
>            Assignee: Peter Bacsko
>            Priority: Critical
>              Labels: patch
>             Fix For: trunk
>
>         Attachments: 0001-OOZIE-2362-SQL-injection-in-BulkJPAExecutor.patch, 
> OOZIE-2362-001.patch
>
>
> In method inClause of org.apache.oozie.executor.jpa.BulkJPAExecutor there is 
> a poosibility for SQL injection 
> (https://www.owasp.org/index.php/SQL_injection) : there is no validation of 
> content of string name before it's included in sql script, opening a 
> possibility for a malicious user to inject sql commands.
> A simple validation of strings using .matches(...) would fix problem.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (OOZIE-2362) SQL injection in BulkJPAExecutor

Reply via email to