Michael Vorburger created FINERACT-854:
------------------------------------------

             Summary: Use prepared statements instead of string concatenated SQL everywhere
                 Key: FINERACT-854
                 URL: https://issues.apache.org/jira/browse/FINERACT-854
             Project: Apache Fineract
          Issue Type: Improvement
            Reporter: Michael Vorburger


The Fineract code base in many places creates SQL statements through String 
concatenation. This is prone to SQL injection. This is mitigated by the use of 
helper utilities such as 
{{org.apache.fineract.infrastructure.core.api.ApiParameterHelper.sqlEncodeString(String)}}
 and 
{{org.apache.fineract.infrastructure.security.utils.SQLInjectionValidator.validateSQLInput(String)}}
 but I opine that those are workarounds... the better solution, both for 
security and likely also helping with performance (at least a little bit, 
knowing how much would require measuring it...), would be to use JDBC prepared 
statements with '?' placeholders and passing all raw arguments, instead of 
embedding them in the query String.

FINERACT-808 root cause analysis brought this up, and I'm about to raise a PR 
for FINERACT-808 which makes a start; the goal of this issue is to use the new 
{{org.apache.fineract.infrastructure.security.utils.SQLBuilder}} everywhere, 
and eventually be able to get completely rid of {{ApiParameterHelper}} and 
{{SQLInjectionValidator}}.

This issue should also include work to scan the code base for places where SQL 
Strings are concatenated without even using the existing helpers. FINERACT-853 
could potentially help with that.
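The contrast the issue describes, as an added example that is not part of the issue or of Fineract's code: the concatenated query beside the prepared-statement form with a '?' placeholder. It uses Python's sqlite3 module (which uses the same '?' placeholder style as JDBC) on a constructed in-memory table, so it runs offline; the table and column names are assumptions, not Fineract's schema.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for a client table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE m_client (id INTEGER PRIMARY KEY, display_name TEXT)")
    conn.executemany("INSERT INTO m_client (display_name) VALUES (?)",
                     [("Alice Smith",), ("Dara O'Brien",)])
    return conn


def find_by_name_concat(conn, name):
    # The pattern this issue wants removed: the caller's value is spliced into
    # the SQL text, so any quote character in it becomes part of the statement's
    # syntax rather than part of the data.
    sql = "SELECT id FROM m_client WHERE display_name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_prepared(conn, name):
    # Prepared statement with a '?' placeholder: the SQL text is fixed before the
    # value is seen, and the value is bound separately, so it is always data.
    sql = "SELECT id FROM m_client WHERE display_name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    # Run both variants on a fresh database and return (concat_result, prepared_result);
    # the concatenated variant's result is an error string when the SQL no longer parses.
    conn = make_db()
    try:
        concat = find_by_name_concat(conn, name)
    except sqlite3.OperationalError as exc:
        concat = "error: " + str(exc)
    prepared = find_by_name_prepared(conn, name)
    conn.close()
    return concat, prepared
```

A legitimate name containing an apostrophe is enough to break the concatenated query, while the prepared statement matches it literally; the same property is what stops attacker-controlled input from altering the statement's structure.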



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
