[
https://issues.apache.org/jira/browse/OOZIE-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15335902#comment-15335902
]
Hadoop QA commented on OOZIE-2362:
----------------------------------
Testing JIRA OOZIE-2362
Cleaning local git workspace
----------------------------
{color:green}+1 PATCH_APPLIES{color}
{color:green}+1 CLEAN{color}
{color:red}-1 RAW_PATCH_ANALYSIS{color}
. {color:green}+1{color} the patch does not introduce any @author tags
. {color:green}+1{color} the patch does not introduce any tabs
. {color:green}+1{color} the patch does not introduce any trailing spaces
. {color:red}-1{color} the patch contains 2 line(s) longer than 132
characters
. {color:red}-1{color} the patch does not add/modify any testcase
{color:green}+1 RAT{color}
. {color:green}+1{color} the patch does not seem to introduce new RAT
warnings
{color:green}+1 JAVADOC{color}
. {color:green}+1{color} the patch does not seem to introduce new Javadoc
warnings
{color:green}+1 COMPILE{color}
. {color:green}+1{color} HEAD compiles
. {color:green}+1{color} patch compiles
. {color:green}+1{color} the patch does not seem to introduce new javac
warnings
{color:green}+1 BACKWARDS_COMPATIBILITY{color}
. {color:green}+1{color} the patch does not change any JPA
Entity/Colum/Basic/Lob/Transient annotations
. {color:green}+1{color} the patch does not modify JPA files
{color:red}-1 TESTS{color}
. Tests run: 1787
. Tests failed: 1
. Tests errors: 0
. The patch failed the following testcases:
.
testBundleStatusTransitWithLock(org.apache.oozie.service.TestStatusTransitService)
{color:green}+1 DISTRO{color}
. {color:green}+1{color} distro tarball builds with the patch
----------------------------
{color:red}*-1 Overall result, please check the reported -1(s)*{color}
The full output of the test-patch run is available at
. https://builds.apache.org/job/oozie-trunk-precommit-build/3002/
> SQL injection in BulkJPAExecutor
> --------------------------------
>
> Key: OOZIE-2362
> URL: https://issues.apache.org/jira/browse/OOZIE-2362
> Project: Oozie
> Issue Type: Bug
> Components: core, security
> Affects Versions: 4.2.0
> Reporter: thierry accart
> Assignee: Peter Bacsko
> Priority: Critical
> Labels: patch
> Fix For: trunk
>
> Attachments: 0001-OOZIE-2362-SQL-injection-in-BulkJPAExecutor.patch,
> OOZIE-2362-001.patch, OOZIE-2362-002.patch
>
>
> In method inClause of org.apache.oozie.executor.jpa.BulkJPAExecutor there is
> a poosibility for SQL injection
> (https://www.owasp.org/index.php/SQL_injection) : there is no validation of
> content of string name before it's included in sql script, opening a
> possibility for a malicious user to inject sql commands.
> A simple validation of strings using .matches(...) would fix problem.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
