[ https://issues.apache.org/jira/browse/OOZIE-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15331966#comment-15331966 ]
Peter Bacsko commented on OOZIE-2362:
-------------------------------------

Examples:

{code}
*** Action query:
SELECT a.id, a.actionNumber, a.errorCode, a.errorMessage, a.externalId, a.externalStatus, a.statusStr, a.createdTimestamp, a.nominalTimestamp, a.missingDependencies, c.id, c.appName, c.statusStr FROM CoordinatorActionBean a, CoordinatorJobBean c WHERE a.jobId = c.id AND c.bundleId = :bundleId AND a.nominalTimestamp <= :endNominal AND a.nominalTimestamp >= :startNominal AND a.createdTimestamp <= :endCreated AND a.createdTimestamp >= :startCreated AND a.statusStr IN ('FAILED','KILLED') ORDER BY a.jobId, a.createdTimestamp

*** Count query:
SELECT COUNT(a) FROM CoordinatorActionBean a, CoordinatorJobBean c WHERE a.jobId = c.id AND c.bundleId IN ('0000000-160615161217850-oozie-pbac-B') AND a.nominalTimestamp <= :endNominal AND a.nominalTimestamp >= :startNominal AND a.createdTimestamp <= :endCreated AND a.createdTimestamp >= :startCreated AND a.statusStr IN ('FAILED','KILLED')
{code}

vs

{code}
*** Action query:
SELECT a.id, a.actionNumber, a.errorCode, a.errorMessage, a.externalId, a.externalStatus, a.statusStr, a.createdTimestamp, a.nominalTimestamp, a.missingDependencies, c.id, c.appName, c.statusStr FROM CoordinatorActionBean a, CoordinatorJobBean c WHERE a.jobId = c.id AND c.bundleId = :bundleId AND c.appName IN (:param0, :param1) AND a.statusStr IN (:status0) ORDER BY a.jobId, a.createdTimestamp

*** count query:
SELECT COUNT(a) FROM CoordinatorActionBean a, CoordinatorJobBean c WHERE a.jobId = c.id AND c.bundleId IN (:count0) AND c.appName IN (:param0, :param1) AND a.statusStr IN (:status0)

Param set - count0: 0000000-160615160306739-oozie-pbac-B
Param set - status0: KILLED
Param set - param0: Coord1
Param set - param1: Coord2
{code}

> SQL injection in BulkJPAExecutor
> --------------------------------
>
> Key: OOZIE-2362
> URL: https://issues.apache.org/jira/browse/OOZIE-2362
> Project: Oozie
> Issue Type: Bug
> Components: core, security
> Affects Versions: 4.2.0
> Reporter: thierry accart
> Assignee: Peter Bacsko
> Priority: Critical
> Labels: patch
> Fix For: trunk
>
> Attachments: 0001-OOZIE-2362-SQL-injection-in-BulkJPAExecutor.patch, OOZIE-2362-001.patch
>
>
> In method inClause of org.apache.oozie.executor.jpa.BulkJPAExecutor there is a possibility for SQL injection (https://www.owasp.org/index.php/SQL_injection): there is no validation of content of string name before it's included in sql script, opening a possibility for a malicious user to inject sql commands.
> A simple validation of strings using .matches(...) would fix the problem.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
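The placeholder-based IN clause that the second pair of queries relies on, as an added illustration that is not Oozie's BulkJPAExecutor code: `inClauseUnsafe` mirrors the string-splicing shape the report describes, and `inClauseSafe` emits `:param0, :param1` placeholders with a parameter map to bind through `Query.setParameter`. The class and helper names and the sample coordinator names are constructed for this example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class InClauseDemo {
    // Pre-fix shape: caller-supplied strings are spliced into the JPQL text, so a
    // quote inside a name changes the query structure instead of staying data.
    static String inClauseUnsafe(String column, List<String> values) {
        StringBuilder sb = new StringBuilder(column).append(" IN (");
        for (int i = 0; i < values.size(); i++) {
            if (i > 0) sb.append(',');
            sb.append('\'').append(values.get(i)).append('\'');
        }
        return sb.append(')').toString();
    }

    // Post-fix shape: the clause holds only named placeholders (prefix0, prefix1, ...)
    // and the values go into a map for Query.setParameter, so the query text never
    // depends on the content of the values.
    static String inClauseSafe(String column, String prefix, List<String> values,
                               Map<String, Object> params) {
        if (values == null || values.isEmpty()) {
            throw new IllegalArgumentException("IN () is not valid JPQL; need a value");
        }
        List<String> placeholders = new ArrayList<>();
        for (int i = 0; i < values.size(); i++) {
            String name = prefix + i;
            placeholders.add(":" + name);
            params.put(name, values.get(i));
        }
        return column + " IN (" + String.join(", ", placeholders) + ")";
    }

    public static void main(String[] args) {
        // Constructed input: the second coordinator name carries a quote, as an
        // unvalidated filter value from a client might.
        List<String> names = Arrays.asList("Coord1", "Coord2') OR ('1'='1");

        // The quote ends the literal early and the remainder becomes query syntax.
        System.out.println("unsafe: " + inClauseUnsafe("c.appName", names));

        Map<String, Object> params = new LinkedHashMap<>();
        String clause = inClauseSafe("c.appName", "param", names, params);
        System.out.println("safe:   " + clause);
        params.forEach((k, v) -> System.out.println("Param set - " + k + ": " + v));
        // With a real JPA query, bind each entry: params.forEach(query::setParameter)
    }
}
```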