Ted Yu created KYLIN-2046:
-----------------------------
Summary: Potential injected SQL attack vulnerability in QueryService
Key: KYLIN-2046
URL: https://issues.apache.org/jira/browse/KYLIN-2046
Project: Kylin
Issue Type: Bug
Reporter: Ted Yu
{code}
String correctedSql = QueryUtil.massageSql(sqlRequest);
if (!correctedSql.equals(sqlRequest.getSql())) {
...
return execute(correctedSql, sqlRequest);
{code}
massageSql() uses regex to detect malformed SQL.
However, there may be SQL injection which is not detected by massageSql().