[ 
https://issues.apache.org/jira/browse/KYLIN-2046?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15556649#comment-15556649
 ] 

liyang commented on KYLIN-2046:
-------------------------------

While waiting for a response from SourceClear, I dug into massageSql() a bit.

My view is 
[SID-2787|https://www.sourceclear.com/registry/security/newsletter/java/sid-2787?mkt_tok=eyJpIjoiTVdGbU9XVmpZVFkzTm1NeiIsInQiOiJsOUEyQkNZOVF3ZHF3Q2t4T0QyRW15QzVHYVlmYldJYm9SUWpTOVp0SnNXR0tGZlFneWlVdGMzS001OVhqcTJRUkk2bStRd1N5UlwvNGdjc2xCbkJqUVVWZHpYTG4rS09VTHZxd3htV1ZQMEU9In0%3D]
 is more likely a false alarm.

SQL injection is a kind of code injection. It means tampering with the original SQL 
through other variables that are used to construct the SQL. So for SQL injection 
to work, the foundation is an original SQL and some "other variables" that an 
attacker can exploit to tamper with the SQL construction.

Then look at massageSql(): the only input to the method is the original SQL. 
There is no "other variable" passed into the method. All massageSql() does is 
tailor the original SQL. There is no other variable that participates in SQL 
construction.

So massageSql() does not have that foundation and cannot be used for a SQL 
injection attack.

> Potential injected SQL attack vulnerability in QueryService
> -----------------------------------------------------------
>
>                 Key: KYLIN-2046
>                 URL: https://issues.apache.org/jira/browse/KYLIN-2046
>             Project: Kylin
>          Issue Type: Bug
>            Reporter: Ted Yu
>
> {code}
>         String correctedSql = QueryUtil.massageSql(sqlRequest);
>         if (!correctedSql.equals(sqlRequest.getSql())) {
> ...
>         return execute(correctedSql, sqlRequest);
> {code}
> massageSql() uses regex to detect malformed SQL.
> However, there may be SQL injection which is not detected by massageSql().
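As an added illustration of the distinction drawn in the comment above (this is example code written for this page, not code from the Kylin project or from the commenter), the following Python/sqlite3 snippet contrasts a query builder that concatenates an external variable into the SQL text (the "foundation" for injection), a builder that binds the same variable as a parameter, and a `massage_sql()` stand-in that, like the described `QueryUtil.massageSql()`, only rewrites the single SQL string it is handed. The table, rows, and the `massage_sql` rewrite rules (strip a trailing semicolon, append `LIMIT 100`) are constructed for the demo and are not Kylin's.

```python
import re
import sqlite3


def _db():
    # Constructed in-memory table for the demonstration (not Kylin's schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE kylin_fact (id INTEGER, region TEXT, amount INTEGER)")
    conn.executemany(
        "INSERT INTO kylin_fact VALUES (?, ?, ?)",
        [(1, "north", 10), (2, "south", 20), (3, "north", 30)],
    )
    return conn


def build_query_unsafe(region):
    # An external variable is spliced into the SQL text: this is the
    # "other variable" that gives an attacker a foothold in SQL construction.
    return "SELECT amount FROM kylin_fact WHERE region = '" + region + "'"


def build_query_safe(region):
    # The value is bound as a parameter, so it never becomes part of the
    # SQL text and cannot change the statement's structure.
    return ("SELECT amount FROM kylin_fact WHERE region = ?", (region,))


def massage_sql(sql):
    # Hypothetical stand-in for QueryUtil.massageSql(): its only input is the
    # SQL string, and every rewrite is derived from that string alone.
    sql = sql.strip().rstrip(";")
    if not re.search(r"\bLIMIT\b", sql, re.IGNORECASE):
        sql += " LIMIT 100"
    return sql


def run(sql, params=()):
    # Execute a statement against the demo table and return the amount column.
    conn = _db()
    try:
        return [row[0] for row in conn.execute(sql, params)]
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed demonstration input: the classic tautology payload.
    payload = "x' OR '1'='1"
    print("unsafe builder, normal input :", run(build_query_unsafe("north")))
    print("unsafe builder, payload      :", run(build_query_unsafe(payload)))
    print("safe builder, payload        :", run(*build_query_safe(payload)))
    sql, params = build_query_safe("north")
    print("massaged safe query          :", massage_sql(sql), run(massage_sql(sql), params))
```

The point the example makes is the one in the comment: the unsafe builder returns every row for the payload because the variable altered the statement, the bound-parameter builder returns nothing because the payload is just a literal value, and `massage_sql()` applied to either statement changes only what was already in the query text, so a review of such a method should focus on where the original SQL came from rather than on the massaging itself.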



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
