[
https://issues.apache.org/jira/browse/FINERACT-854?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Aleksandar Vidakovic updated FINERACT-854:
------------------------------------------
Fix Version/s: 3.0.0
> Use prepared statements instead of string concatenated SQL everywhere
> ---------------------------------------------------------------------
>
> Key: FINERACT-854
> URL: https://issues.apache.org/jira/browse/FINERACT-854
> Project: Apache Fineract
> Issue Type: Improvement
> Components: Security
> Reporter: Michael Vorburger
> Assignee: Joseph Makara
> Priority: Major
> Labels: beginner, scalability, security, technical
> Fix For: 1.9.0, 3.0.0
>
>
> The Fineract code base in many places creates SQL statements through String
> concatenation. This is prone to SQL injection. This is mitigated by the use
> of helpers utilities such as
> {{org.apache.fineract.infrastructure.core.api.ApiParameterHelper.sqlEncodeString(String)}}
> and
> {{org.apache.fineract.infrastructure.security.utils.SQLInjectionValidator.validateSQLInput(String)}}
> but I opine that those are workarounds... the better solution, both for
> security and likely also helping with performance (at least a little bit,
> knowing how much would require measuring it...), would be to use JDBC
> prepared statements with '?' placeholders and passing all raw arguments,
> instead of embedding them in the query String.
> FINERACT-808 root cause analysis brought this up, and I'm about to raise a PR
> for FINERACT-808 which makes a start; the goal of this issue is to use the
> new {{org.apache.fineract.infrastructure.security.utils.SQLBuilder}}
> everywhere, and eventually be able to get completely rid of
> {{ApiParameterHelper}} and {{SQLInjectionValidator}}.
> This issue should also include work to scan the code base for places where
> SQL Strings are concatenated without even using the existing helpers.
> FINERACT-853 could potentially help with that.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
